1
In the text below, incompatible changes are labeled with the Postfix
2
snapshot that introduced the change. If you upgrade from a later
3
Postfix version, then you do not have to worry about that particular
6
The official Postfix release is called 2.1.x where 2=major release
7
number, 1=minor release number, x=patchlevel. Snapshot releases
8
are called 2.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
9
mm=month, dd=day). The mail_release_date configuration parameter
10
contains the release date (both for official release and snapshot
11
release). Patches are issued for the official release and change
12
the patchlevel and the release date. Patches are never issued for
15
Major changes - critical
16
------------------------
18
If you run Postfix 2.0 or earlier then you must stop Postfix before
19
upgrading. The master-child protocols have changed between Postfix
20
1.1 and 2.0, and version 2.1 sometimes writes queue files that the
21
2.0 and earlier queue managers complain about. If this happens move
22
the files from the corrupt directory to the maildrop directory and
23
give them another chance.
25
[Incompat 20021119] The Postfix upgrade procedure will add two new
26
services to your master.cf file: "trace" and "verify". These servers
27
can run inside a chroot jail, have no interaction with users, and
28
don't talk to the network. If Postfix complains that "trace" and
29
"verify" are not found, you made the error of copying your old
30
Postfix configuration files over the new ones. Execute "postfix
31
upgrade-configuration" to repair the Postfix configuration files.
33
[Incompat 20040331] Support for the non-standard Errors-To: message
34
header is removed. This also helps to stop potential attacks that
35
rely on bouncing mail to a destination that is not directly reachable
36
by the attacker. Specify "enable_errors_to = yes" to get the old
39
Queue files written by Postfix 2.1 may contain information that
40
is incompatible with older Postfix versions:
42
[Incompat 20040120] Queue files creates with "sendmail -v" are no
43
longer compatible with Postfix versions 2.0 and earlier. A new
44
record type, "killed", was introduced in order to avoid repeated
45
mail delivery reports from mail that could not be delivered due to
46
a temporary error condition.
48
[Incompat 20030125] This release adds a new queue file record type
49
for the address specified in "REDIRECT user@domain" actions in
50
access maps or header/body_checks. Queue files with these records
51
will be rejected by older Postfix versions.
53
[Feature 20040120] The new queue manager nqmgr has become the
54
default qmgr queue manager. For a limited time the old queue manager
55
remains available under the name oqmgr. The name nqmgr still works
56
but will cause a warning to be logged.
58
[Incompat 20040413] The Postfix SMTP server no longer accepts mail
59
from or to an address ending in "@", including address forms that
60
rewrite into an address that ends in "@"). Specify "resolve_null_domain
61
= yes" to get the old behavior.
63
[Incompat 20031226] Postfix no longer allows mail addresses with
64
bare numeric IP addresses (user@1.2.3.4). This is not configurable.
65
The form user@[ipaddress] is still allowed.
67
[Incompat 20031226] Bounce messages now have a separate queue life
68
time. This is controlled by the bounce_queue_lifetime parameter.
70
[Incompat 20031019] The authorized_verp_clients parameter was
71
renamed to smtpd_authorized_verp_clients, and the default value
72
was changed to disable this feature. You now have to turn it on
75
Major changes - build environment
76
---------------------------------
78
[Incompat 20030112] The Postfix build procedure now uses the
79
pcre-config utility (part of PCRE version 3) to find out the
80
pathnames of the PCRE include file and object library, instead of
81
probing /usr/include and/or /usr/lib. To build with PCRE version
82
2 support you will have to specify pathnames as described in
83
PCRE_README. To build without PCRE support, specify: make Makefiles
86
Major changes - documentation
87
-----------------------------
89
[Feature 20040331] Complete documentation rewrite. All parameters
90
are now described in postconf(5), and all commands and daemons are
91
shown in their proper context in the OVERVIEW document.
92
- All documents come as HTML and ASCII text.
93
- All HTML documents have hyperlinks for every parameter name,
94
for every Postfix manual page, and for every README file.
95
- All documents specify what feature is available in what release.
96
- The sample-*.cf configuration files no longer exist. The information
97
is now available in HTML documents, README files and UNIX man pages).
98
- The mumble_table example configuration files no longer exist.
100
[Incompat 20040413] The LMTP, Cyrus and Qmail related README files will
101
not be included in the Postfix version 2.1 distribution. They will
102
be made available via http://www.postfix.org/, and in Postfix 2.2
105
[Feature 20040413] You can install documentation in HTML format
106
besides the README files. Installation of README files is now
109
Major changes - access control
110
------------------------------
112
[Feature 20031215] Easier debugging of SMTPD access restrictions.
113
The SMTP command "xclient name=xxx addr=yyy" changes Postfix's idea
114
of the remote client name and address, so that you can pretend to
115
connect from anywhere on the Internet. Use of this command is
116
restricted to clients that match the list of names or addresses
117
specified with the smtpd_authorized_xclient_hosts parameter. By
118
default, XCLIENT is not accepted from anywhere. More details are
119
in the XCLIENT_README file.
121
[Feature 20030715] Support for multi-valued RBL lookup results.
122
For example, specify "reject_rbl_client foo.bar.tld=127.0.0.3" to
123
reject clients that are listed with a "127.0.0.3" address record.
124
More information is in the postconf(5) manual page.
126
[Feature 20030917] New "check_{helo,sender,recipient}_{ns,mx}_access
127
type:table" restrictions that apply the specified access table to
128
the NS or MX hosts of the host/domain given in HELO, EHLO, MAIL
129
FROM or RCPT TO commands. More information is in the postconf(5)
132
This can be used to block mail from so-called spammer havens (all
133
domains that are served by the same DNS server, all domains that
134
resolve to the same MX host), from sender addresses that resolve
135
to Verisign's wild-card mail responder, or from domains that claim
136
to have mail servers in reserved networks such as 127.0.0.1.
138
Note: OK actions are not allowed for security reasons. Instead of
139
OK, use DUNNO in order to exclude specific hosts from blacklists.
140
If an OK result is found for an NS or MX host, Postfix rejects the
141
SMTP command with "451 Server configuration error".
143
[Feature 20040413] Support for a "WARN text..." feature in SMTPD
144
access tables, just like the WARN feature in header/body_checks.
146
[Feature 20040122] New "PREPEND headername: headervalue" action in
147
Postfix access maps. Primarily intended for tagging mail by for
148
example, an external SMTPD policy server. See access(5).
150
[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks
151
maps. This action prepends a header or body line immediately before
152
the line that triggers the action. See header_checks(5) for details.
154
[Feature 20030125] New "REDIRECT user@domain" action for access
155
maps and header/body_checks that overrides all the originally
156
specified recipients of a message. Wietse would never recommend
157
that people use this to redirect (bounced) SPAM to the beneficiaries
158
of an advertisement campaign. See access(5) and header_checks(5).
160
[Feature 20031215] The reject_sender_login_mismatch feature (used
161
with SASL authenticated logins) is now implemented in terms of more
162
basic restrictions: reject_unauth_sender_login_mismatch (reject
163
mail when $sender_login_maps lists an owner for the sender address
164
but the SMTP client is not SASL authenticated) and
165
reject_auth_sender_login_mismatch (reject mail when the sender
166
address is not owned by the SASL authenticated user). The
167
sender_login_maps now support multiple owners per sender address.
168
See postconf(5) for details.
170
Major changes - address verification
171
------------------------------------
173
[Feature 20021119] Address verification blocks mail from or to
174
addresses that are not deliverable. This is turned on with the
175
reject_unverified_sender UCE restriction. Addresses are verified
176
by probing, that is, by sending mail that is not actually delivered
177
(SMTP interruptus). Detailed information is in the
178
ADDRESS_VERIFICATION_README file.
180
Address verification can follow a different route than ordinary
181
mail, typically to avoid sending probes to a relay host. To make
182
this possible, the address resolver supports multiple personalities.
183
For more detail see the ADDRESS_VERIFICATION_README file.
185
New "sendmail -bv" option. Postfix probes the specified recipient
186
addresses without actually delivering mail, and sends back an email
187
delivery report. This is useful for testing address rewriting and
188
address routing, and shows the final envelope and header addresses.
189
This feature currently does not access or update the sender address
190
verification database.
192
Major changes - content inspection
193
----------------------------------
195
[Feature 20030704] The Postfix SMTP server can be configured to
196
send all mail into a real-time content filter that inspects mail
197
BEFORE it is queued. See the SMTPD_PROXY_README file for details.
199
[Feature 20031022] Improved logging by Postfix daemons behind an
200
SMTP-based proxy filter. The logging now shows the remote client
201
name and address, instead of localhost[127.0.0.1]. This uses the
202
new SMTP command "XFORWARD addr=client-address name=client-hostname",
203
which specifies remote client information for logging purposes.
204
This command is restricted to clients that match the list of names
205
or addresses specified with the smtpd_authorized_xforward_hosts
206
parameter. By default, XFORWARD is not accepted from anywhere.
207
For an example, see the SMTPD_PROXY_README file.
209
[Feature 20030706] New receive_override_options parameter that
210
eliminates the need for different cleanup service instances before
211
and after an external content filter. One parameter controls what
212
happens before or after the content filter: rejecting unknown
213
recipients, canonical mapping, virtual alias expansion, masquerading,
214
automatic BCC recipients and header/body checks. See postconf(5)
215
for the fine details.
217
[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks
218
maps. This action prepends a header or body line immediately before
219
the line that triggers the action. See header_checks(5) for details.
221
[Feature 20030125] New "REDIRECT user@domain" action for access maps
222
and header/body_checks that overrides all the originally specified
223
recipients of a message. Wietse would never recommend that people
224
use this to redirect (bounced) SPAM to the beneficiaries of an
225
advertisement campaign. See header_checks(5) and access(5).
227
[Incompat 20030915] In header/body_checks actions, the OK action
228
is being phased out, and the DUNNO action is being phased in. Both
229
actions still work and do the same thing, but hopefully DUNNO causes
230
less confusion. See header_checks(5) for details.
232
Major changes - policy delegation
233
---------------------------------
235
[Feature 20030715] Support for SMTP access policy delegation to an
236
external server. Greylisting and SPF are provided as examples.
237
See the SMTPD_POLICY_README file for further information.
239
Major changes - client rate limiting
240
------------------------------------
242
Note: this feature is not included with Postfix 2.1, but it is
243
documented here so that the information will not be lost.
245
[Feature 20031111] Preliminary defense against SMTP clients that
246
hammer an SMTP server with too many connections. By default, the
247
number of simultaneous connections per client is limited to half
248
the default process limit, and no limit is imposed on the number
249
of successive connections per time unit that a client is allowed
252
The new anvil server maintains the connection statistics, and logs
253
the maximum connection count and connection rate per client every
254
anvil_status_update_time seconds (10 minutes), or when it terminates
255
(when there is no work to be done, or when "postfix reload" was
256
issued). Once you have an idea what the numbers look like, you can
257
clamp down the limits for your system.
259
The relevant main.cf configuration parameters are: smtpd_client-
260
connection_count_limit for the number of simultaneous connections
261
per client, and smtpd_client_connection_rate_limit for the number
262
of successive connections per unit time and client. The time unit
263
is specified with the anvil_rate_time_unit parameter, and is one
266
When Postfix rejects a client, it sends a 450 status code and
267
disconnects, and logs a warning with the client name/address and
268
the service name from master.cf. You can, for example, capture this
269
information with a logfile watching program that updates a firewall
270
rule (such a watcher program is not included with Postfix).
272
To avoid rejecting authorized hosts, the smtpd_client_connection-
273
limit_exceptions parameter takes a list of network/netmask expressions,
274
hostnames or .domain names that are excluded from these restrictions.
275
By default, all clients in $mynetworks are excluded; you will
276
probably want to use a more restrictive setting.
278
For further information, see: smtpd(8) and anvil(8).
280
Major changes - configuration management
281
----------------------------------------
283
[Feature 20040413] New postfix(1) command features:
285
- "postfix set-permissions" corrects Postfix file and directory
286
permissions and allows you to change mail_owner or setgid_group
287
settings after Postfix is installed.
289
- "postfix upgrade-configuration" fixes Postfix systems after people
290
copy over their old configuration files after installing a new
293
See postfix(1) for details.
295
[Incompat 20040120] The format of the postfix-files file has changed.
296
There is a new type for hard links. With hard or symbolic link
297
entries, the first field is now the destination pathname and the
298
"owner" field is now the origin pathname, while "group" and
299
"permissions" are ignored.
301
Major changes - core functionality
302
----------------------------------
304
[Feature 20030704] New enable_original_recipient parameter (default:
305
yes) to control whether Postfix keeps track of original recipient
306
address information. If this is turned off Postfix produces no
307
X-Original-To: headers and ignores the original recipient when
308
eliminating duplicates after virtual alias expansion. Code by Victor
311
[Feature 20030417] Automatic BCC recipients depending on sender or
312
recipient address. The configuration parameters in question are
313
"sender_bcc_maps" and "recipient_bcc_maps". See postconf(5).
315
[Incompat 20030415] Too many people mess up their net/mask patterns,
316
causing open mail relay problems. Postfix processes now abort when
317
given a net/mask pattern with a non-zero host portion (for example,
318
168.100.189.2/28), and suggest to specify the proper net/mask
319
pattern instead (for example, 168.100.189.0/28).
321
[Feature 20030415] Workaround for file system clock drift that
322
caused Postfix to ignore new mail (this could happen with file
323
systems mounted from a server). Postfix now logs a warning and
324
proceeds with only slightly reduced performance, instead of ignoring
327
Major changes - database support
328
--------------------------------
330
Liviu Daia took the lead in a revision of the LDAP, MySQL and
331
PostgreSQL clients. Credits also go to Victor Duchovni and to
334
[Feature 20030915] LDAP parameters can now be defined in external
335
files. Specify the LDAP maps in main.cf as
336
ldap:/path/to/ldap.cf
337
and write the LDAP parameters in /path/to/ldap.cf, without the
338
"ldapsource_" prefix. This makes it possible to securely store
339
bind passwords for plain auth outside of main.cf (which must be
340
world readable). The old syntax still works, for backwards
343
[Feature 20030915] Support for LDAP URLs in the LDAP parameter
344
"server_host", if Postfix is linked against OpenLDAP. LDAP hosts,
345
ports, and connection protocols to be used as LDAP sources can be
346
specified as a blank-separated list of LDAP URLs in "server_host".
347
As with OpenLDAP, specifying a port in a LDAP URL overrides
348
"server_port". Examples:
349
server_host = ldap://ldap.itd.umich.edu
350
server_host = ldaps://ldap.itd.umich.edu:636
351
server_host = ldapi://%2Fsome%2Fpath
353
[Feature 20030915] The LDAP SSL scheme ldaps:// is available if
354
OpenLDAP was compiled with SSL support. New parameters "tls_ca_cert_dir",
355
"tls_ca_cert_file", "tls_cert", "tls_key", "tls_require_cert",
356
"tls_random_file", "tls_cipher_suite" control the certificates,
357
source of random numbers, and cipher suites used for SSL connections.
358
See LDAP_README for further information.
360
[Feature 20030915] Support for STARTTLS command in LDAP, if Postfix
361
is linked against OpenLDAP and OpenLDAP was compiled with SSL
362
support. STARTTLS is controlled by the "start_tls" parameter.
363
The above parameters for certificates, source of random numbers,
364
and cipher suites also apply. See LDAP_README for further information.
366
[Incompat 20030704] Support for client side LDAP caching is gone.
367
OpenLDAP 2.1.13 and later no longer support it, and the feature
368
never worked well. Postfix now ignores cache controlling parameters
369
in an LDAP configuration file and logs a warning.
371
[Feature 20030415] PostgreSQL table lookups. Specify "pgsql:/file/name"
372
where "/file/name" defines the database. See "man pgsql_table" for
373
examples, and the PGSQL_README file for general information.
375
Major changes - internals
376
-------------------------
378
[Incompat 20040120] The format of the postfix-files file has changed.
379
There is a new type for hard links. With hard or symbolic link
380
entries, the first field is now the destination pathname and the
381
"owner" field is now the origin pathname, while "group" and
382
"permissions" are ignored.
384
[Incompat 20040120] The LDAP and SQL client source code is moved
385
to the global directory in order to eliminate reversed dependencies.
387
[Feature 20030606] Complete rewrite of the queue file record reading
388
loops in the pickup, cleanup and in the queue manager daemons. This
389
code had deteriorated over time. The new code eliminates an old
390
problem where the queue manager had to read most queue file records
391
twice in the case of an alias/include file expansion with more than
392
qmgr_message_recipient_limit recipients.
394
[Feature 20030125] Code cleanup up of queue manager internals.
395
Queue names are no longer mixed up with the next-hop destination,
396
and the address resolver loop is now easier to understand.
398
[Feature 20030104] Multi-server daemons (servers that accept
399
simultaneous connections from multiple clients) will now stop
400
accepting new connections after serving $max_use clients. This
401
allows multi-server daemons to automatically restart even on busy
404
[Feature 20030104] Clients of multi-server daemons such as
405
trivial-rewrite and the new proxymap service now automatically
406
disconnect after $ipc_ttl seconds of activity (default: 1000s).
407
This allows multi-server daemons to automatically restart even on
410
[Incompat 20021119] The file format of bounce/defer logfiles has
411
changed from the old one-line ad-hoc format to a more structured
412
multi-line format. For backwards compatibility, Postfix now creates
413
bounce/defer logfile entries that contain both the old and the new
414
format, so that you can go back to an older Postfix release without
415
losing information. Old Postfix versions will warn about malformed
416
logfile entries, but should work properly. To disable backwards
417
compatibility specify "backwards_bounce_logfile_compatibility =
420
[Feature 20021119] Both "sendmail -bv" and "sendmail -v" use the
421
new "trace" daemon that is automatically added to master.cf when
424
Major changes - logging
425
-----------------------
427
[Incompat 20040413] The postmap and postalias commands now report
428
errors to syslogd in addition to reporting them to the standard
429
error output. This makes logfile analysis easier.
431
[Incompat 20031203] Many SMTPD "reject" logfile entries now show
432
NOQUEUE instead of a queue ID. This is because Postfix no longer
433
creates a queue file before the SMTP server has received a valid
436
Major changes - lookup table support
437
------------------------------------
439
[Feature 20030704] New CIDR-based lookup table, remotely based on
440
code by Jozsef Kadlecsik. For details and examples, see "man
443
[Feature 20030704] The TCP-based table lookup protocol is finished.
444
For details and examples, see "man tcp_table". This will allow you
445
to implement your own greylisting, or to do your own open proxy
446
tests before accepting mail. This table will not be included with
447
Postfix 2.1 because the protocol is obsoleted by the policy delegation
448
(see elsewhere in this document) which does a much better job.
450
[Feature 20030704] Support for !/pattern/ (negative matches) in
451
PCRE lookup tables by Victor Duchovni. See "man pcre_table" and
452
"man regexp_table" for more.
454
Major changes - resource control
455
--------------------------------
457
[Incompat 20031022] The Postfix SMTP server no longer accepts mail
458
when the amount of free queue space is less than 1.5 times the
459
message_size_limit value.
461
Major changes - security
462
------------------------
464
[Incompat 20040413] The Postfix SMTP server no longer accepts mail
465
from or to an address ending in "@", including address forms that
466
rewrite into an address that ends in "@"). Specify "resolve_null_domain
467
= yes" to get the old behavior.
469
[Incompat 20040331] Support for the non-standard Errors-To: message
470
header is removed. This also helps to stop potential attacks that
471
rely on bouncing mail to a destination that is not directly reachable
472
by the attacker. Specify ""enable_errors_to = yes" to get the old
475
[Incompat 20040331] Tarpit delays are reduced. The Postfix SMTP
476
server no longer delays responses until the client has made
477
$smtpd_soft_error_limit errors, and the delay is fixed at
478
$smtpd_error_sleep_time seconds. Postfix still disconnects after
479
$smtpd_hard_error_limit errors.
481
[Incompat 20040120] The SMTP server can reject non-existent sender
482
addresses in a local, virtual or relay domain; specify
483
"reject_unlisted_sender=yes" in order to require that a sender
484
address passes the same "user unknown" test as a recipient would
485
have to pass. This is optional in Postfix 2.1, likely to be turned
486
on by default in Postfix 2.2.
488
[Incompat 20031226] Postfix no longer allows mail addresses with
489
bare numeric IP addresses (user@1.2.3.4). This is not configurable.
490
The form user@[ipaddress] is still allowed.
492
[Incompat 20030305] Postfix truncates non-address information in message
493
address headers (comments, etc.) to 250 characters per address, in
494
order to protect vulnerable Sendmail systems against exploitation
495
of a remote buffer overflow problem (CERT advisory CA-2003-07).
497
[Incompat 20030227] The smtpd_hard_error_limit and smtpd_soft_error_limit
498
values now behave as documented, that is, smtpd_hard_error_limit=1
499
causes Postfix to disconnect upon the first client error. Previously,
500
there was an off-by-one error causing Postfix to change behavior
501
after smtpd_hard/soft_error_limit+1 errors.
503
Major changes - smtp client
504
---------------------------
506
[Incompat 20031223] The SMTP client now tries to connect to an
507
alternate MX address when a delivery attempt fails **after the
508
initial SMTP handshake**. This includes both broken connections
509
and 4XX SMTP replies. To get the old behavior, specify
510
"smtp_mx_session_limit = 1" in main.cf.
512
[Feature 20031223] The SMTP client now tries to connect to an
513
alternate MX address when a delivery attempt fails after the
514
initial SMTP handshake. This includes both broken connections
515
and 4XX SMTP replies.
517
As a benefit, fallback_relay now works as promised, not just for
518
sessions that fail during the initial handshake.
520
The new SMTP client connection management is controlled by two new
521
configuration parameters:
523
- smtp_mx_address_limit (default unlimited): the number of MX (mail
524
exchanger) IP addresses that can result from mail exchanger
527
- smtp_mx_session_limit (default 2): the number of SMTP sessions
528
per delivery request before giving up or delivering to a fall-back
529
relay, ignoring IP addresses that fail to complete the SMTP
532
[Incompat 20031022] Postfix no longer retries delivery when no MX
533
host has a valid A record, for compatibility with many other MTAs.
534
This change is made in anticipation of a possible Verisign "wild-card
535
MX record without A record" for unregistered domains. To get the
536
old behavior, specify "smtp_defer_if_no_mx_address_found = yes".
538
[Incompat 20031022] The Postfix SMTP client no longer looks in
539
/etc/hosts by default. To get the old behavior, specify
540
"smtp_host_lookup = dns, native".
542
[Feature 20030417] Support for sending mail to hosts not in the
543
DNS, without having to turn off DNS lookups. The "smtp_host_lookup"
544
parameter controls how the Postfix SMTP client looks up hosts. In
545
order to use /etc/hosts besides DNS, specify "smtp_host_lookup =
546
dns, native". The default is to use DNS only.
548
Major changes - user interface
549
------------------------------
551
[Incompat 20040418] The non-delivery report format has changed.
552
The "sorry" message and the DSN formatted report now include the
553
original recipient address, when that address is different from
554
the final recipient address. This makes it easier to diagnose some
555
mail delivery problems that happen after mail forwarding.
557
[Incompat 20031223] In mailq (queue listing) output, there no longer
558
is space between a short queue ID and the "*" (delivery in progress)
559
or ! (mail on hold) status indicator. This makes the output easier
562
[Incompat 20030417] "sendmail -t" no longer complains when recipients
563
are given on the command line. Instead, it now adds recipients from
564
headers to the recipients from the command-line.
566
[Incompat 20030126] The maildir file naming algorithm has changed
567
according to an updated version of http://cr.yp.to/proto/maildir.html.
568
The name is now TIME.VdevIinum.HOST
570
[Incompat 20021119] The behavior of "sendmail -v" has changed. One
571
-v option now produces one email report with the status of each
572
recipient. Multiple -v options behave as before: turn on verbose
573
logging in the sendmail and postdrop commands.
575
[Feature 20021119] New "sendmail -bv" option. Postfix probes the
576
specified recipient addresses without actually delivering mail,
577
and sends back an email delivery report. This is useful for testing
578
address rewriting and address routing of both envelope and header
579
addresses. This feature currently does not access or update the
580
sender address verification database.