Bugfix: an error handler for smtp_tls_policy_maps lookups
was never invoked. File: smtp/smtp_session.c.

Cleanup: logfile message formatting (X: subject_CN=X,
issuer_CN=X, fingerprint=X, pkey_fingerprint=X). File:

Feature: LMDB (memory-mapped persistent file) support by
Howard Chu. This implementation has unexpected failure modes
that don't exist with other Postfix databases, so don't
just yet abandon CDB. See LMDB_README for details. Files:
proto/postconf.proto, proto/LMDB_README.html,
proto/DATABASE_README.html, proto/INSTALL.html, util/dict_lmdb.[hc],
util/dict_open.c, global/mkmap_lmdb.[hc], global/mkmap_open.c,
postconf/postconf.c.

Cleanup: new Postfix dictionary API flag to control the use
of (LMDB) bulk database transactions. With this, LMDB
databases no longer fail to commit any transactions with
tlsmgr(8), and LMDB databases no longer perform glacially
slow with postmap -i/postalias -i. Files: util/dict.h,
util/dict_lmdb.c, postmap/postmap.c, postalias/postalias.c.

Debugging: generalized setting of dictionary API flags.
File: util/dict.[hc], util/dict_test.c.

Robustness: Postfix programs can now recover from LMDB
"database full" errors without requiring human intervention.
When a program opens an LMDB file larger than lmdb_map_size/3,
it logs a warning and uses a larger size limit instead.
Files: util/dict_lmdb.c, proto/LMDB_README.html.

Portability: botched #ifdef. File: util/dict_lmdb.c.

Postfix support for LMDB databases is suspended due to the
existence of a hard limit (an "out of storage" failure mode
that cannot be resolved by increasing the database size).

Postfix may support LMDB again when it no longer limits the
size of Postfix transactions, whether the limit is built
into LMDB itself, or implicit by requiring an unbounded
amount of memory to handle a large transaction.

Documentation: smtp_skip_5xx_greeting wording updated to
reflect text in RFC 2821, which appears to say that a 554
greeting is not a hard delivery error (note that RFC 2821
was published later than smtp_skip_5xx_greeting). File:
proto/postconf.proto.

Workaround: MacOS 10.8 (Darwin 12) getrlimit(RLIMIT_NOFILE)
incorrectly reports that rlim_max, the hard limit on the
number of open files per process, is equal to RLIM_INFINITY
(i.e. no limit is enforced). In reality, setrlimit(RLIMIT_NOFILE)
rejects requests where rlim_cur, the current limit, contains
any value > kern.maxfilesperproc. Axel Luttgens. File:

Portability: MacOS 10.8 (Darwin 12) kqueue support works.
Axel Luttgens. Files: makedefs.

Support for anonymous certificates. Viktor Dukhovni. File:

Feature: support for DNSSEC-validated lookups and TLSA
RRsets. Viktor Dukhovni. Files: dns/Makefile.in, dns/dns.h,
dns/dns_lookup.c, dns/dns_rr.c, dns/dns_strtype.c,
dns/test_dns_lookup.c,

Cleanup: the personality switch between "smtp" and "lmtp".
This streamlines the switch in the SMTP/LMTP protocol, DNS
MX lookups, and configuration parameter names in error
messages. Viktor Dukhovni. Files: smtp/smtp.c, smtp/smtp.h,
smtp/smtp_chat.c, smtp/smtp_connect.c, smtp/smtp_proto.c,
smtp/smtp_rcpt.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c,
smtp/smtp_session.c, smtp/smtp_state.c.

Feature: replace disable_dns_lookups with smtp_dns_support_level,
enable secure DNSSEC lookups in the Postfix SMTP client,
and use the DNSSEC-validated remote SMTP server name to
select the SMTP and TLS policies. Viktor Dukhovni. Files:
dns/Makefile.in, dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
dns/dns_strtype.c, dns/test_dns_lookup.c.

Portability: on MacOS X, use kqueue() for event handling
but use select() instead of poll() for read/write timeouts
(with a workaround to handle file descriptors >=FD_SETSIZE).
Files: util/sys_defs.h, util/readable.c, util/writable.c,
util/read_wait.c, util/write_wait.c.

Portability: support for NetBSD 5.x, NetBSD 6.x and DragonFly
BSD. Viktor Dukhovni. Files: makedefs, util/sys_defs.h.

Cleanup: new module that consolidates all system-dependent
code to enforce read/write timeouts. This includes a final
workaround for MacOS X that uses poll() first, and select()
if that fails. This makes their /dev/urandom workaround
unnecessary. Files: util/poll_fd.c, util/iostuff.h. Removed:
util/readable.c, util/writable.c, util/read_wait.c,

Cleanup: refactor TLS digest functions, improved signature
for TLS session cache. Viktor Dukhovni. Files: smtp/smtp.c,
smtp/smtp_proto.c, smtpd/smtpd.c, tls/Makefile.in, tls/tls.h,
tls/tls_client.c, tls/tls_fprint.c, tls/tls_level.c,
tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c,
tlsproxy/tlsproxy.c.

Cleanup: final polish for MacOSX workarounds; replaced
#ifdef MacOSX by feature test as required by PORTING document.
Files: util/poll_fd.c, util/open_limit.c.

Export tls_fprint() and tls_digest_encode() for use in DANE.
Viktor Dukhovni. Files: tls/tls.h, tls/tls_fprint.c.

Refactoring: TLS verification callback processing in
preparation for DANE support. Viktor Dukhovni. Files:
tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_verify.c.

Refactoring: split off SMTP client per-session TLS policy
data and code in preparation for DANE support. Viktor
Dukhovni. Files: smtp/Makefile.in, smtp/smtp.h,
smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_reuse.c,
smtp/smtp_session.c, smtp/smtp_tls_sess.c.

Cleanup: "zero time limit" corner case in read_wait() and
write_wait() emulation. Files: util/poll_fd.c, util/iostuff.h.

Refactoring: allow smtp_session_alloc() to fail gracefully
and report an error.

Bugfix (introduced: Postfix 2.3): don't reuse TCP connections
when smtp_tls_policy_maps is specified. Victor Duchovni.
Found during Postfix 2.11 code maintenance. File:

Documentation: in smtpd.c, the comment that justifies the
454 reply for "TLS unavailable" cited the wrong RFC.

Human factors: warning when a main.cf parameter has multiple
entries with different values. File: util/dict.c.

Feature: the recipient_delimiter parameter can now specify
a set of characters. A user name is now separated from its
address extension by the first character that matches the
recipient_delimiter set. Files: proto/postconf.proto,
src/global/mail_addr_find.c, src/global/mail_params.c,
src/global/split_addr.c, src/global/split_addr.h,
src/global/strip_addr.c, src/global/strip_addr.h,
src/global/strip_addr.ref, src/local/bounce_workaround.c,
src/local/local.c, src/local/local_expand.c, src/local/recipient.c,
src/local/resolve.c, src/oqmgr/qmgr_message.c, src/pipe/pipe.c,
src/qmgr/qmgr_message.c, src/smtpd/smtpd.c,
src/smtpd/smtpd_check.c, src/trivial-rewrite/transport.c,
src/trivial-rewrite/trivial-rewrite.c.

Feature: support for trust anchors, i.e. CA certificates
or public keys that will be used instead of conventional
root certificates, and revised fingerprint support. This
can be used by itself, and this provides support for an
upcoming DANE implementation. Victor Duchovni. Files:
mantools/postlink, proto/TLS_README.html, proto/postconf.proto,
global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
smtp/smtp_session.c, smtp/smtp_state.c, smtp/smtp_tls_sess.c,
tls/Makefile.in, tls/tls.h, tls/tls_client.c, tls/tls_dane.c,
tls/tls_fprint.c, tls/tls_misc.c, tls/tls_verify.c,
util/argv.c, util/argv.h.

Documentation: pointers to other actions under "ACCEPT
ACTIONS" and "REJECT ACTIONS". File: proto/access.

Cleanup: more uniform permutation in dns_rr() by Victor
Duchovni & Son. File: dns/dns_rr.c.

Documentation: clarified text about result formats. Files:
proto/canonical, proto/virtual.

Cleanup: the SMTP client connection management code now
maintains iterator state with a structure that contains
next-hop, host name, address, port and other information.
This iterator structure replaces random variables that were
updated by ad-hoc code, and replaces random function
argument lists. The more structured approach is easier to
maintain and has already paid off by exposing opportunities
to improve SMTP connection cache usage. Wietse Venema.
Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_session.c,

Cleanup: eliminated minor false SMTP connection cache-sharing
problems due to mis-aligned lookup keys for caches and
lookup tables (for example some used the nexthop, and some
the domain name). Information that is used in more than
one lookup key is now generated by a centralized function.
This replaces ad-hoc code in random places that was
concatenating ad-hoc data to construct lookup keys. The
more structured approach is easier to maintain and makes
future cache-sharing issues easier to prevent. Wietse
Venema. Files: smtp/smtp.h, smtp/smtp_connect.c, smtp_reuse.c,
smtp_key.c, smtp_tls_sess.c.

Cleanup and fix of non-production code: the trust anchor-digest
code and smtp_sess_tls_required() function. Victor Duchovni.
Files: smtp/smtp_connect.c, smtp/smtp_proto.c,
smtp/smtp_tls_sess.c, tls/tls.h, tls/tls_client.c,
tls/tls_dane.c, tls/tls_level.c, tls/tls_verify.c.

Cleanup and fix of non-production code: add the SASL
credentials or absence thereof to the connection cache
endpoint label; better reuse of SASL-authenticated connections
over UNIX-domain sockets, however unlikely these may be;
a first step towards refinement of connection cache lookup
by IP address for plaintext or SASL-unauthenticated connections.
Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c,
smtp/smtp_key.c, smtp/smtp_tls_sess.c.

Cleanup: configurable field delimiter and optional "not
available" field place holder for cache and table lookup
keys; automatic base64 encoding for key fields that contain
these. Files: smtp/smtp_key.c, smtp/smtp_reuse.c,
smtp/smtp_proto.c, smtp/smtp_tls_sess.c.

Documentation: "dane" TLS security level and parameters.
Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
proto/postconf.proto.

Feature: implemented and enabled DNS-based DANE security
level. Viktor Dukhovni. Files: global/mail_params.h,
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
smtp/smtp_proto.c, smtp/smtp_tls_sess.c, tls/tls.h,
tls/tls_client.c, tls/tls_dane.c, tls/tls_fprint.c,
tls/tls_level.c, tls/tls_misc.c, util/Makefile.in,
util/ctable.c, util/ctable.h, util/timecmp.c, util/timecmp.h.

Cleanup: rename (unchanged) smtp_tls_sess.c to smtp_tls_policy.c.
Viktor Dukhovni. Files: smtp/Makefile.in, smtp/smtp_tls_policy.c,
smtp/smtp_tls_sess.c.

Portability: OpenSSL workarounds for versions before 0.9.7
are removed from the source code. Viktor Dukhovni. Files:
tls/tls.h, tls/tls_bio_ops.c, tls/tls_client.c.

Non-production fixes: when falling back from opportunistic
TLS to plaintext, don't modify the cached TLS policy "retry
as plaintext" and "level" members. Files: smtp/smtp_session.c.

Non-production fixes: move TLS policy lookup to the main
connection iterator loop, so that the policy is known before
attempting connection reuse and before SMTP connection
creation. Temporarily link session->tls to state->tls.
Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c,
smtp/smtp_tls_policy.c.

Feature: smtptls-finger test program for SMTP over TLS.
Viktor Dukhovni. Files: Makefile.in, html/Makefile.in,
man/Makefile.in, mantools/postlink, posttls-finger/.indent.pro,
posttls-finger/Makefile.in, posttls-finger/posttls-finger.c,
posttls-finger/tlsmgrmem.c, posttls-finger/tlsmgrmem.h,
tls/tls.h, tls/tls_misc.c.

TLS Performance: the Postfix SMTP server TLS session cache
was ineffective because recent OpenSSL versions enable
session tickets by default, resulting in a different ticket
encryption key for each smtpd(8) process. The workaround
turns off session tickets. In 2.11 we'll enable session
tickets properly. Viktor Dukhovni. File: tls/tls_server.c.

Workaround: The Postfix SMTP server TLS session cache was
broken because OpenSSL now enables session tickets by
default, resulting in a different ticket encryption key for
each smtpd(8) process. The workaround turns off session
tickets. In 2.11 we'll enable session tickets properly.
Viktor Dukhovni. File: tls/tls_server.c.

Updated DANE support (trust in DNS instead of PKI). With
OpenSSL 1.0.2 (under development) trusted certificates don't
need to be self-signed roots. Otherwise we use an ephemeral
root certificate to sign the trust anchor. Viktor Dukhovni.
Files: posttls-finger/posttls-finger.c, smtp/smtp_proto.c,
smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c,

Documentation: troff lint. Patch by ES Raymond's bot. File:
proto/header_checks.

Cleanup: enforce smtpd_client_recipient_rate_limit for VRFY
commands. File: smtpd/smtpd.c.

Bugfix: typo in the 20130613 smtpd_relay_restrictions default
setting. File: global/mail_params.h.

Cleanup: configurable tlsmgr(8) service name. Files:
mantools/postlink, proto/postconf.proto, tls/tls_mgr.c,
tls/tls_misc.c, tlsproxy/tlsproxy.c, smtp/smtp.c,

Cleanup: documentation. Files: proto/CONNECTION_CACHE_README.html,
proto/SCHEDULER_README.html.

Cleanup: postscreen_upstream_proxy_protocol setting. Files:
global/mail_params.h, postscreen/postscreen_endpt.c.

Cleanup: qmgr documentation clarification by Patrik Rak.
Files: proto/SCHEDULER_README.html, qmgr/qmgr_job.c.

Cleanup: re-indented code. File: qmgr/qmgr_job.c.

Logging: minimal DNAME support. Viktor Dukhovni. Files: dns/dns.h,
dns/dns_lookup.c, dns/dns_strtype.c, dns/test_dns_lookup.c.

Workaround: smtp_connection_reuse_count_limit (default 0,
i.e. unlimited) for sites that must deal with hostile
connection reuse policies. The documentation comes with a
warning that this feature introduces a "fatal attractor"
failure mode. Files: global/mail_params.h, mantools/postlink,
proto/postconf.proto, smtp/smtp.c, smtp/smtp_params.c,
smtp/lmtp_params.c, smtp/smtp.h.

Workaround: FreeBSD9 nroff outputs ANSI escape sequences
instead of overstrike sequences. To make matters worse, it
uses the ESC[0m sequence sometimes for end-of-bold and
sometimes for end-of-italic. File: mantools/man2html.

Cleanup: added smtpd_relay_restrictions entries to the
default master.cf file, so that main.cf settings won't
affect the submission and smtps services. Simon Matter.
File: conf/master.cf.

Cleanup: wrong function name in error message. John Fawcett.
File: util/vstring_vstream.c.

Cleanup: with ``make makefiles CCARGS="-DHAS_DB...'', the
makedefs script no longer tries to locate the Linux Berkeley
DB include and library files. Instead it assumes that the
locations are given on the command line, as shown in the
DB_README examples. Leo Baltus. File: makedefs.

Documentation: clarified reject_non_fqdn_helo_hostname.
File: proto/postconf.proto.

Cleanup: the lmdb_map_size parameter is now a long integer.
Howard Chu. Files: global/mail_params.[hc].

Documentation: added pointer to Dovecot 2 configuration.
File: proto/SASL_README.html.

Update: LMDB client updated to LMDB 0.9.7, which hopefully
fixes the unrecoverable "transaction full" error. With a
new MDB_MAP_FULL workaround by Howard Chu that ensures that
postfix will make progress as long as the disk is not full.
File: util/dict_lmdb.c.

The status of LMDB databases is "not recommended". Unlike
other Postfix databases, LMDB does not grow beyond a specified
limit even when the file system has room. This show-stopper
bug breaks applications whose requirements grow with load:
postscreen(8), greylisting, tlsmgr(8) and verify(8).

Bitrot: Arrange for shared keys in SMTP server session
tickets. Otherwise, with clients that enable session
tickets, the SMTP session cache is per-process and largely
ineffective. Older releases should add SSL_OP_NO_TICKET
to the SSL options bit mask in the SMTP server only. The
session ticket key validity interval (sum of initial issuing
and retired key validation intervals) must not exceed the
SSL session lifetime. Otherwise, clients may send valid
tickets for expired sessions, which the OpenSSL server code
mishandles (does not send a replacement ticket, patch

We set the session lifetime to 2 times the configured cache
lifetime which is also the ticket issuing and retired
validation lifetime, so ticketed sessions last 1 to 2 times
the configured session lifetime and never longer than a
session's expiration time.

Code by Viktor Dukhovni. Files: .indent.pro, mantools/postlink,
proto/TLS_README.html, proto/postconf.proto, global/mail_params.h,
posttls-finger/posttls-finger.c, posttls-finger/tlsmgrmem.c,
smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_mgr.c,
tls/tls_mgr.h, tls/tls_scache.c, tls/tls_scache.h,
tls/tls_server.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.

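The lifetime rule in the session ticket entry above, worked through as an added example (a constructed model, not Postfix or OpenSSL code). It shows why a session lifetime of twice the cache lifetime never leaves a decryptable ticket for an expired session, and what goes wrong when the session lifetime is shorter than the key validity interval. The fixed key-rotation grid starting at time 0 and all type and function names are assumptions.

```c
#include <stdio.h>

/* Constructed model of the ticket lifetime rule; all times in seconds. */
typedef struct {
    long issue_interval;    /* a key encrypts new tickets for this long */
    long retire_interval;   /* a retired key still decrypts this long */
    long session_lifetime;  /* SSL session lifetime carried in the ticket */
} ticket_policy;

enum ticket_outcome { TICKET_RESUMED, TICKET_KEY_GONE, TICKET_SESSION_EXPIRED };

/* The rule from the entry: with cache lifetime T, keys issue for T, remain
 * valid for another T after retirement, and sessions live 2*T. */
ticket_policy postfix_style_policy(long cache_lifetime)
{
    ticket_policy p = { cache_lifetime, cache_lifetime, 2 * cache_lifetime };
    return p;
}

/* Counter-example: same key intervals, session lifetime left at T. */
ticket_policy short_session_policy(long cache_lifetime)
{
    ticket_policy p = { cache_lifetime, cache_lifetime, cache_lifetime };
    return p;
}

/* Assumption: keys rotate on a fixed grid that starts at time 0. */
static long key_valid_until(ticket_policy p, long issued_at)
{
    long key_start = (issued_at / p.issue_interval) * p.issue_interval;

    return key_start + p.issue_interval + p.retire_interval;
}

/* Result of presenting, at time now, a ticket issued at issued_at. */
enum ticket_outcome present_ticket(ticket_policy p, long issued_at, long now)
{
    if (now >= key_valid_until(p, issued_at))
        return TICKET_KEY_GONE;         /* undecryptable: full handshake */
    if (now >= issued_at + p.session_lifetime)
        return TICKET_SESSION_EXPIRED;  /* decrypts, but session is stale */
    return TICKET_RESUMED;
}

/* Seconds during which a ticket issued at issued_at resumes its session. */
long resumable_for(ticket_policy p, long issued_at)
{
    long key_end = key_valid_until(p, issued_at);
    long sess_end = issued_at + p.session_lifetime;

    return (key_end < sess_end ? key_end : sess_end) - issued_at;
}

/* Count (issue time, presentation time) pairs, over two key periods, where
 * the ticket still decrypts although the session has already expired. */
long count_stale_tickets(ticket_policy p)
{
    long horizon = 4 * (p.issue_interval + p.retire_interval);
    long issued_at, now, stale = 0;

    for (issued_at = 0; issued_at < 2 * p.issue_interval; issued_at++)
        for (now = issued_at; now < horizon; now++)
            if (present_ticket(p, issued_at, now) == TICKET_SESSION_EXPIRED)
                stale++;
    return stale;
}

int main(void)
{
    long T = 60;                        /* constructed cache lifetime */

    printf("2T sessions: %ld stale tickets, resumable %ld..%ld s\n",
           count_stale_tickets(postfix_style_policy(T)),
           resumable_for(postfix_style_policy(T), T - 1),
           resumable_for(postfix_style_policy(T), 0));
    printf("1T sessions: %ld stale tickets\n",
           count_stale_tickets(short_session_policy(T)));
    return 0;
}
```

A ticket issued at the very start of a key's issuing interval is resumable for 2T, one issued just before the key retires for slightly more than T, which is the "1 to 2 times" range the entry states.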
Robustness: Search for TLSA RRs at the resolved server name
(rname) and failing that request server name (qname), and
use whichever was found as the TLSA base domain for certificate

When we find a DNSSEC validated MX RRset, and the initial
next-hop domain is a CNAME, include both the initial and
final (the one with the actual MX RRs) domains in the list
of valid server certificate names.

When we find no MX records, then the initial next-hop domain
is obtained securely from the recipient domain or transport
next-hop. Without MX records, this is a destination hostname,
so we should generally do a TLSA lookup. If however the
address lookup yields an insecure result, and its rname is
equal to its qname (no CNAMEs), we reasonably assume that
its child "_port._tcp" sub-domain is likewise insecure
(security here would require DLV just for this sub-domain).
This allows us to skip futile TLSA queries for most non-MX
destinations (those that are in insecure zones and are not
CNAMEs). This heuristic can be disabled by setting the new
main.cf parameter smtp_tls_force_insecure_host_tlsa_lookup
to "yes", the default is "no".

Finally, with MX hostnames, if the MX RRset is secure, we
look for TLSA RRs at the qname only when the MX host is an
alias with an insecure rname. If both the qname and the
rname are secure, as before we prefer the rname, but when
nothing is found there, fall back to the qname.

Code by Viktor Dukhovni. Files: mantools/postlink,
proto/postconf.proto, src/global/mail_params.h,
src/posttls-finger/posttls-finger.c, src/smtp/lmtp_params.c,
src/smtp/smtp.c, src/smtp/smtp.h, src/smtp/smtp_addr.c,
src/smtp/smtp_addr.h, src/smtp/smtp_connect.c,
src/smtp/smtp_params.c, src/smtp/smtp_tls_policy.c,
src/tls/tls.h, src/tls/tls_dane.c.

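The TLSA base-domain selection described in the entry above, as an added example (a constructed model, not Postfix code). The function and parameter names, the sample host names, and two choices the entry does not spell out are assumptions: no TLSA lookup when the host name itself was not obtained securely, and qname-only lookup for a non-MX alias with an insecure rname.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_TLSA_BASES 2

/*
 * Constructed model of the lookup order in the entry above.
 *   qname        host name as requested (MX host or non-MX next-hop)
 *   rname        name the address lookup resolved to (after CNAMEs)
 *   name_secure  qname came from a DNSSEC-validated MX RRset, or is the
 *                securely obtained non-MX next-hop
 *   addr_secure  the address lookup result was DNSSEC-validated
 *   force        models smtp_tls_force_insecure_host_tlsa_lookup = yes
 * Writes the TLSA base domains to try, in order, and returns their count.
 */
int tlsa_base_candidates(const char *qname, const char *rname,
                         int name_secure, int addr_secure, int force,
                         const char *bases[MAX_TLSA_BASES])
{
    int n = 0;
    int is_alias = strcasecmp(qname, rname) != 0;

    if (!name_secure)
        return 0;               /* assumption: untrusted name, no DANE */
    if (addr_secure) {
        bases[n++] = rname;     /* prefer the resolved name ... */
        if (is_alias)
            bases[n++] = qname; /* ... and fall back to the request name */
    } else if (is_alias || force) {
        bases[n++] = qname;     /* insecure rname: only qname can help */
    }
    /* else: insecure, no CNAME, heuristic on: skip the futile query */
    return n;
}

/* Convenience wrapper: i-th candidate, or NULL when there is none. */
const char *tlsa_base_at(const char *qname, const char *rname,
                         int name_secure, int addr_secure, int force, int i)
{
    const char *bases[MAX_TLSA_BASES];
    int n = tlsa_base_candidates(qname, rname, name_secure, addr_secure,
                                 force, bases);

    return (i >= 0 && i < n) ? bases[i] : NULL;
}

/* Build the "_port._tcp.base" owner name; returns 0, or -1 on truncation. */
int tlsa_query_name(unsigned port, const char *base, char *buf, size_t len)
{
    int w = snprintf(buf, len, "_%u._tcp.%s", port, base);

    return (w < 0 || (size_t) w >= len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample lookups: qname, rname, addr_secure, force. */
    static const struct { const char *q, *r; int sec, force; } cases[] = {
        { "mx.example.net", "mx.example.net", 1, 0 },
        { "mail.example.org", "host.example.net", 1, 0 },
        { "mail.example.org", "host.example.com", 0, 0 },
        { "mx.example.com", "mx.example.com", 0, 0 },
        { "mx.example.com", "mx.example.com", 0, 1 },
    };
    const char *bases[MAX_TLSA_BASES];
    char owner[300];
    size_t c;
    int i, n;

    for (c = 0; c < sizeof(cases) / sizeof(cases[0]); c++) {
        n = tlsa_base_candidates(cases[c].q, cases[c].r, 1, cases[c].sec,
                                 cases[c].force, bases);
        printf("%s -> %s (%s):", cases[c].q, cases[c].r,
               cases[c].sec ? "secure" : "insecure");
        for (i = 0; i < n; i++)
            if (tlsa_query_name(25, bases[i], owner, sizeof(owner)) == 0)
                printf(" %s", owner);
        printf("%s\n", n ? "" : " (no TLSA lookup)");
    }
    return 0;
}
```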
Documentation: re-ordered STRESS_README, now that all
supported releases have stress-adaptive behavior built in.
File: proto/STRESS_README.html.

Cleanup: made the default_database_type compile-time
configurable. Files: util/sys_defs.h, makedefs, proto/INSTALL.

Feature: reject_known_sender_login_mismatch, which applies
reject_sender_login_mismatch only to MAIL FROM addresses
that are known in $smtpd_sender_login_maps. Viktor & Wietse.
Files: mantools/postlink, proto/SASL_README.html,
proto/postconf.proto, global/mail_params.h, smtpd/smtpd_check.c.

Cleanup: no more LMDB "database full" errors. Postfix now
requires LMDB >= 0.9.8 which supports on-the-fly database
resizing. When a database becomes full, its size limit is
automatically doubled, and other processes automatically
pick up the new database size limit. Files: util/dict.h,
util/dict_open.c, util/dict_alloc.c, util/dict_lmdb.c,
postmap/postmap.c, postalias/postalias.c, proto/LMDB_README.html,
proto/postconf.proto.

Cleanup: the lmdb_max_readers property is now configurable.
This is a hard limit built into the OpenLDAP library that
causes requests to fail when the number of open read
transactions exceeds the limit. When this happens the LMDB
client logs an MDB_READERS_FULL warning and continues with
reduced performance. Files: util/dict_lmdb.c, util/dict_lmdb.h,
global/mail_params.h, global/mail_params.c, proto/postconf.proto,
proto/LMDB_README.html.

Security violation: LMDB opens files with read/write access
for lock management purposes. This gives unprivileged
daemon processes read/write file handles for root-owned
files under /etc/postfix. This also breaks when a non-root
process needs to access a root-owned database. Even if
LMDB lock files were world-writable, and kept in a dedicated
directory, they would still violate the principle of least
privilege. For all these reasons, support to create LMDB
files is removed from the postmap and postalias commands.
LMDB files can still be created by unprivileged Postfix
daemon processes under the postfix-owned data_directory.
Files: proto/LMDB_README.html, global/mkmap.c.

Cleanup: LMDB support is forbidden due to problems with
LMDB lock management. These problems hinder error recovery
in multi-programmed systems, and prohibit database sharing
between privileged writer processes and unprivileged reader

Documentation: inet_protocols description was not updated
when smtp_address_preference was added. File: proto/postconf.proto.

Documentation: why postscreen(8) uses hash-table lookups
instead of direct pointers to find the DNSBL lookup result
for a specific session. File: postscreen/postscreen_early.c.

Cleanup: add more &code; to postconf2man. Someone has been
writing documentation without checking the result. File:
mantools/postconf2man.

Documentation: in the discard(8) manpage, the reason is not
a host or domain name. File: discard/discard.c.

Documentation: specify the expected result format with
"list" tables. File: proto/DATABASE_README.html.

Future proofing: API changes in the PCRE library. File:

Feature: check_sasl_access to block hijacked logins. Files:
mantools/postlink, proto/postconf.proto, global/mail_params.h,
smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h.

Cleanup: slmdb(3) simplified LMDB API that hides recoverable
LMDB errors from applications so that they can focus on
their own job. Files: util/slmdb.[hc].

Cleanup: LMDB functionality restored, after elimination of
1) world-writable lockfiles, 2) hard limits on the number
of concurrent readers, and 3) hard-coded database file inode
numbers in lockfiles that can prevent automatic crash
recovery. Files: proto/LMDB_README.html, proto/postconf.proto,
mantools/postlink, util/dict_lmdb.c.

Cleanup: restore ability to build without LMDB support;
further slmdb API streamlining. Files: util/slmdb.[hc],

Bugfix: uninitialized variable. File: util/slmdb.c.

Documentation: added SASL_README example for check_sasl_access.
File: proto/SASL_README.html.

Security violation: by default, LMDB 0.9.9 writes uninitialized
heap memory to a world-readable database file, as chunks
of up to 4096 bytes. This is a huge memory disclosure
vulnerability: memory content that a program does not intend
to share ends up in a world-readable file. The content of
uninitialized heap memory depends on program execution
history. That history includes code execution in other
libraries that are linked into the program.

This is a problem whenever the user who writes the database
file differs from the user who reads the database file. For
example, a privileged writer and an unprivileged reader.
In the case of Postfix, the postmap(1) and postalias(1)
commands would leak uninitialized heap memory, as chunks
of up to 4096 bytes, from a root-privileged process that
writes to a database file, to unprivileged processes that
read from that database file.

To work around this problem the postmap(1) and postalias(1)
commands disable the use of malloc() in LMDB. However, that
does not address several disclosures of stack memory. Other
Postfix databases do not need this workaround: those databases
are maintained by Postfix daemon processes, and are accessible
only by the postfix user. File: util/dict_lmdb.c.

Cleanup: expand TAB characters when generating documentation.
This was primarily an issue with non-HTML output, but it does
not hurt to do this also for HTML. Files: proto/Makefile.in,
proto/MULTI_INSTANCE_README.html.

Feature: ${queue_id} macro support for the pipe(8) delivery
agent by Andreas Schulze. File: pipe/pipe.c.

Cleanup: after 16 years the SKIP() and TRIM() macros were
triggering compiler warnings. Files: global/mail_params.c,
smtpstone/smtp-sink.c, util/mac_parse.c, util/split_nameval.c.

Bugfix (introduced Oct 26 1997): don't clobber errno before
expanding %m. File: util/vbuf_print.c.

Cleanup: LMDB >= 0.9.10 does not need the MDB_WRITEMAP
workaround to avoid heap memory information leaks. File:

Cleanup: Coverity found a harmless memory leak in the
postconf master.cf parser. Reported by Christos Zoulas,
NetBSD. File: postconf/postconf_master.c.

Cleanup: graceful degradation after database open() error.
Several instances of that code introduced a harmless memory
leak, and Coverity complained about one of them (Christos
Zoulas, NetBSD). Instead of adding random code in random
places, restructured dict_foo_open() routines with consistent
code to dispose of memory or file handles. Files: dict_thash.c,
dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c,
dict_dbm.c, dict_cidr.c, dict_cdb.c.

Cleanup: warning message after canonical/virtual/etc.
table lookup error. Files: cleanup/cleanup_addr.c,
cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c,
cleanup/cleanup_milter.c.

Feature: MySQL client support for option_file, option_group,
tls_cert_file, tls_key_file, tls_CAfile, tls_CApath,
tls_verify_cert. See mysql_table(5). Code by Gareth Palmer.
Files: proto/mysql_table, global/dict_mysql.c.

Cleanup: DANE support. Keep the attributes of TA certificates
obtained via "IN TLSA 2 0 X" RRs, while continuing to only
use the key from "IN TLSA 2 1 X" RRs. This means in the
"2 0 X" case that we re-sign the TA certificate in place,
rather than synthesize a vanilla cert around just the key.
Viktor Dukhovni. File: tls/tls_dane.c.

Bugfix: posttls-finger parsing of destination and optional
match values. Viktor Dukhovni. File:
posttls-finger/posttls-finger.c.

Cleanup: When wrap_signed is false (OpenSSL 1.0.2 some day),
we don't have to sign trust anchors, and don't generate a
key to do so. Thus don't attempt to re-sign trust-anchor
certificates (IN TLSA 2 0 X) in this case. Viktor Dukhovni.
File: tls/tls_dane.c.

Feature: configurable DANE digest algorithm priority. Use
only the most-preferred, shared, digest algorithm for any
given (usage, selector) combination. Viktor Dukhovni. Files:
mantools/postlink, proto/postconf.proto, global/mail_params.h,
tls/tls_dane.c, tls/tls_misc.c.

Bugfix: FreeBSD nroff workaround messed up. File:

Cleanup: FreeBSD nroff workaround. Files: man/Makefile.in,

Cleanup: the smtpd_proxy_filter client now sends QUIT before
closing the connection to a content filter. Files:
smtpd/smtpd_proxy.c, smtpd/smtpd.c.

Portability: C99 va_copy() compatibility, in case some
implementation does not permit multiple va_start() calls
on the same argument list. Files: global/memcache_proto.c,
milter/milter8.c, smtpstone/smtp-source.c, util/attr_clnt.c,
util/concatenate.c, util/dict_surrogate.c, util/netstring.c,
util/compat_va_copy.h.

Cleanup: comment formatting. Viktor Dukhovni. File: dns/dns.h.

Cleanup: removed redundant sort operation. Viktor Dukhovni.
File: tls/tls_dane.c.

Feature: a Postfix LMDB database can now be used as shared
persistent cache with multiple postscreen(8) or verify(8)
daemons (but not both), without the need for a shared
proxymap server. Files: util/dict.h, util/dict_alloc.c,
util/dict_open.c, util/dict_lmdb.c.

Internal: DNS client support to report reply RCODE information,
in addition to the simplified DNS_NOTFOUND, DNS_RETRY etc.
Portability note: this requires the C99 __VA_ARGS__ feature.
Files: dns/dns.h, dns/dns_lookup.c, dns/test_dns_lookup.c.

Cleanup: reduced the code footprint for the LMDB < 0.9.10
heap-to-file information leak workaround, and simplified
the implementation to "good enough". Files: util/dict.h,
util/dict.c, util/dict_lmdb.c, postalias/postalias.c,

Cleanup: reduced the code footprint for the handling of
multi-writer safe maps. A map only needs to assert that it
is multi-writer safe, and the rest just happens. Files:
util/dict.h, util/dict_open.c, util/dict_lmdb.c,
global/dict_memcache.c.

Cleanup: Postfix daemons no longer restart when a multi-writer
safe map is updated. File: util/dict.c.

Documentation: sharing an LMDB cache between multiple
verify(8) or postscreen(8) servers (but not both). Files:
proto/ADDRESS_VERIFICATION_README.html,
proto/POSTSCREEN_README.html.

Cleanup: improve suppression of TLSA lookups in insecure
zones. This is now applied not only to non-MX destinations,
but also to each MX record. Viktor Dukhovni. Files:
src/posttls-finger/posttls-finger.c, src/smtp/smtp_tls_policy.c,
src/tls/tls.h, src/tls/tls_dane.c.

Workaround: increased the 5s connection timeout to 30s.
Viktor Dukhovni. File: posttls-finger/posttls-finger.c.

Documentation: new socketmap_table(5) and lmdb_table(5)
manpages. Files: mantools/postlink, conf/postfix-files,
html/Makefile.in, man/Makefile.in, proto/DATABASE_README.html,
postconf/postconf.c, proto/socketmap_table, proto/lmdb_table.

Documentation: missing database hyperlinks, refined text
about partial lookup keys. Files: mantools/postlink,
proto/DATABASE_README.html, proto/lmdb_table,
proto/socketmap_table.


Feature: support for NOTIFY parameter in the Milter
SMFIR_ADDRCPT_PAR request. Contributed by Andrew Ayer.
Wietse added support for ORCPT. Files: cleanup/cleanup.h,
cleanup/cleanup_milter.c, cleanup/cleanup_state.c,
global/xtext.c, global/xtext.h, milter/test-milter.c.

Feature: "postconf -Fe service/type/attribute = value" edits
master.cf attribute values. The -e is optional. Example:
use postconf -F "*/*/chroot = n" to turn off chroot on all
master.cf services. Files: postconf/postconf.h,
postconf/postconf.c, postconf/postconf_master.c,
postconf/postconf_edit.c.

Cleanup: remove extra blank line from ccformat output,
making it compatible with the script that Wietse actually
uses (this line was part of a test to detect file truncation,
but it is now obsolete). File: mantools/ccformat.

Feature: master.cf parameter namespace. "postconf -P" shows
master.cf parameter settings as "service/type/parameter =
value". This is applicable only to parameter settings in
master.cf. Files: postconf/postconf.h, postconf/postconf.c,
postconf/postconf_master.c, postconf/postconf_print.c.

Incompatibility: the master_service_disable syntax has
changed: use "service/type" instead of "service.type". The
new form is consistent with master.cf parameter namespaces.
The old form is still supported to avoid breaking existing
configurations. Files: global/master_service.c,
master/master_ent.c.

Feature: change, add or delete "-o parameter=value" setting
in master.cf. Examples: "postconf -P smtp/inet/parameter=value"
(add or modify "-o name=value" setting) and "postconf -P
smtp/inet/parameter" (delete "-o parameter=value" setting).
Files: util/argv.[hc], postconf/postconf.h,
postconf/postconf_edit.c, postconf_master.c.

Cleanup: Leave SSLv3 enabled with DANE. Viktor Dukhovni.
Files: proto/TLS_README.html proto/postconf.proto

Cleanup: DANE support: Drop support for usage 0. It SHOULD
NOT be supported in DANE with SMTP, and we already don't
support digest TLSA RRs in this case, while full content
TLSA RRs are not recommended for DNS bloat reasons. Viktor
Dukhovni. Files: proto/postconf.proto src/global/mail_params.h
src/smtp/smtp.c src/tls/tls_dane.c src/tls/tls_misc.c.

Feature: TLS support: Support future digest algorithms
without re-compilation. Viktor Dukhovni. Files: .indent.pro
proto/postconf.proto src/tls/tls_dane.c.

Feature: DNS support: New configurable digest agility.
Viktor Dukhovni. Files: .indent.pro proto/TLS_README.html
proto/postconf.proto src/global/mail_params.h src/tls/tls_dane.c
src/tls/tls_misc.c.

Bugfix (introduced: 20090106): the postconf '-#' option
erased prior options. File: postconf/postconf.c.

Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
Dukhovni. File: proto/MULTI_INSTANCE_README.html.

Cleanup: simplify fingerprint security level implementation
in new DANE code. Viktor Dukhovni. Files: src/tls/tls.h
src/smtp/smtp_tls_policy.c src/tls/tls_dane.c
src/posttls-finger/posttls-finger.c.

Cleanup: safe_strtoul() did not report an error for empty
or all-space input (the code to report this was in the wrong
place). This was not a problem as long as safe_strtoul()
was used only for output from safe_ultostr(). Files:
global/safe_ultostr.c, global/safe_ultostr.in,
global/safe_ultostr.ref.
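
Added illustration of the safe_strtoul() entry above, not Postfix code: a decimal-only parser in which the lenient form returns 0 without an error for empty or all-space input, and the strict form reports (0, EINVAL). The names scan_digits, parse_ul_lenient and parse_ul_strict are hypothetical, and Postfix's own alphabet and base handling are not reproduced.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>

/* Shared scanner (hypothetical helper): skips leading whitespace,
 * accumulates decimal digits and reports how many digits were consumed.
 * On overflow it sets errno to ERANGE and returns ULONG_MAX. */
static unsigned long scan_digits(const char *s, const char **stop, size_t *ndigits)
{
    unsigned long sum = 0;
    const char *cp;

    while (isspace((unsigned char) *s))
        s++;
    for (cp = s; isdigit((unsigned char) *cp); cp++) {
        unsigned long d = (unsigned long) (*cp - '0');

        if (sum > (ULONG_MAX - d) / 10) {   /* sum * 10 + d would wrap */
            errno = ERANGE;
            sum = ULONG_MAX;
            while (isdigit((unsigned char) *cp))
                cp++;
            break;
        }
        sum = sum * 10 + d;
    }
    *stop = cp;
    *ndigits = (size_t) (cp - s);
    return sum;
}

/* Lenient form: "" and "   " yield 0 with errno == 0, which a caller
 * cannot tell apart from a genuine "0". */
unsigned long parse_ul_lenient(const char *s, const char **end)
{
    size_t n;

    errno = 0;
    return scan_digits(s, end, &n);
}

/* Strict form: no digits consumed means (0, EINVAL) and *end stays at
 * the start of the input, so untrusted input cannot pass as zero. */
unsigned long parse_ul_strict(const char *s, const char **end)
{
    size_t n;
    unsigned long v;

    errno = 0;
    v = scan_digits(s, end, &n);
    if (n == 0) {
        errno = EINVAL;
        *end = s;
    }
    return v;
}
```

The difference only matters once the parser is fed input that did not come from the matching formatter, which is the condition the entry calls out.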

Documentation: updated description of SSL protocol controls.
In particular, enabled protocols are part of a contiguous
range. Viktor Dukhovni. Files: proto/TLS_README.html,
proto/postconf.proto.

Bugfix: DANE support: handle OpenSSL memory allocation
error. Viktor Dukhovni. File: tls/tls_dane.c.

Cleanup: LMDB_README was not installed. File: conf/postfix-files.

Portability: on some platforms posttls-finger now requires
explicitly linking libdl. File: posttls-finger/Makefile.in.

Cleanup: DANE support: extension gymnastics. Viktor Dukhovni.
File: tls/tls_dane.c.

Bugfix: DANE support: the wrap_cert() and wrap_key() calls
should never fail, but some callers ignored the return
value. The only failure is for lack of memory, so we use
msg_fatal() internally and change wrap_cert() and wrap_key()
to return void. Viktor Dukhovni. File: tls/tls_dane.c.

Bugfix: DANE support: avoid making DANE certificates with
replaced public-keys appear as if they were self-signed.
Viktor Dukhovni. File: tls/tls_dane.c.

Cleanup: DANE support: simplify grow_chain() to always apply
trust consistently. Viktor Dukhovni. File: tls/tls_dane.c.

Bugfix: DANE support: backport fixes from OpenSSL DANE
testing. Discard errors generated by raw TA key signature
checks. Record the tadepth as zero with self-signed depth
0 TAs. Robustness: Though it should never happen, don't
update the tadepth if already set. Viktor Dukhovni. Files:
tls/tls_dane.c, tls/tls_server.c.

Cleanup: OpenSSL "const" declarations have changed over
time. Viktor Dukhovni. Files: src/tls/tls.h, src/tls/tls_client.c,
src/tls/tls_dane.c, src/tls/tls_server.c.

Cleanup: TLS support. Eliminate calls of deprecated functions
before they are removed from OpenSSL. CRYPTO_thread_id is
deprecated and we don't need it. Replace the deprecated
ERR_remove_state() call with ERR_remove_thread_state(), and
use RSA_generate_key_ex(). Viktor Dukhovni. Files:
posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c.

Cleanup: DANE support: Reduce #ifdef clutter to improve
readability and maintainability. Viktor Dukhovni. File:

Future proofing: Tolerate disappearance of named bug-workaround
bits without invalidating user configurations. When support
for a bug workaround is removed from OpenSSL, the corresponding
bit is defined as zero (i.e. NOOP) instead of causing
programs to break. Viktor Dukhovni. File: tls/tls_misc.c.

Portability: RSA_generate_key_ex() is not available on all
supported platforms, so this change is made conditional.
Enforce that this function will be used only for creating
a 512-bit ephemeral RSA key. Viktor Dukhovni. File:

Documentation: new document FORWARD_SECRECY_README that
describes how different versions of Postfix >= 2.2 implement
"perfect" forward secrecy. Viktor Dukhovni. File:
proto/FORWARD_SECRECY_README.html, proto/Makefile.in,
conf/postfix-files, html/index.html.

Cleanup: renamed postconf(1) internal identifiers according
to a consistent scheme, to avoid future name conflicts as
Postfix evolves. This is a no-feature change. Files:
postconf/*.[hc], postconf/extract.awk.

Documentation: linearized the order of exposition in
FORWARD_SECRECY_README. File: proto/FORWARD_SECRECY_README.html.

Bugfix: DANE support: segfault. Viktor Dukhovni. File:

Documentation: typo in SASL_README. Patrick Ben Koetter.
File: proto/SASL_README.html.

Documentation: increased the *.[0-9].html manpage width
from the historical 65 columns to the more contemporary 78
columns, and future-proofed the pattern that eliminates
redundant text from the "README FILES" section. Files:
mantools/postlink, mantools/man2html, man/Makefile.in.

Documentation: misc manual page cleanups. Files:
postconf/postconf.c, postmulti/postmulti.c.

Testbed: TLS support. Viktor Dukhovni. Files: tls/Makefile.in,
tls/tls_dane.c, tls/tls_dane.sh, tls/tls_mgr.c, .indent.pro.

Documentation: added section on how to verify that forward
secrecy works. File: proto/FORWARD_SECRECY_README.html.

Documentation: forward secrecy, with feedback from Adam
Shostack. Viktor Dukhovni and Wietse Venema. File:
proto/FORWARD_SECRECY_README.html.

Feature: smtpd_sasl_service (until now, this was hard-coded
internally as "smtp"). On request by Michal (sksoft.cz).
Files: global/mail_params.h, proto/postconf.proto,
mantools/postlink, smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.

Documentation: updated example to Dovecot version 2 syntax.
File: proto/SASL_README.html.

Cleanup: DANE support: test script. Viktor Dukhovni. File

Debugging: test driver for LMDB debugging and stress testing.
Shockingly, LMDB terminates the postscreen daemon without
logfile record. File: util/dict_cache.c.

Bugfix: close the LMDB database cursor's read transaction
before writing with MDB_NOLOCK and before changing the
database memory map size. File: util/slmdb.c.

Cleanup: eliminated data duplication from the new SMTP_ITERATOR
structure to the old SMTP_SESSION structure. The SMTP_ITERATOR
structure now maintains the sole copy. Files: smtp/smtp.h,
smtp_sasl_auth_cache.c, smtp_reuse.c, smtp_sasl_glue.c,
smtp_rcpt.c, smtp_session.c, smtp_chat.c, smtp_proto.c,

Feature: support for optional configuration files
"$daemon-directory/postfix-files.d/*". These are processed
in sorted order after "$daemon-directory/postfix-files".
This avoids breaking "postfix set-permissions" etc. when a
Postfix distribution comes in multiple packages. File:

Feature: LMDB 0.9.11 allows Postfix daemons to log an LMDB
error message, instead of falling out of the sky without
any notification. Files: util/slmdb.[hc], util/dict_lmdb.c.

Bugfix: every Postfix LMDB transaction is now protected by
an external lock for its entire life time. File: util/slmdb.c.

Cleanup: turn off DNSSEC lookup after CNAME redirection to
an insecure zone. This is an optimization for resolvers
that do not automatically resolve CNAME chains. Viktor
Dukhovni. File: dns/dns_lookup.c.

Cleanup: do not salt the SMTP TLS policy lookup cache key
with the DNSSEC status. The DNSSEC status will not change
when the same nexthop/host pair is looked up repeatedly.
Viktor Dukhovni. File: smtp/smtp_tls_policy.c.

Robustness: Suppress TLSA lookups only when the qname zone
is insecure, not just because the rname zone is insecure.
This requires an extra T_CNAME lookup for the qname, since
nameservers are often "too helpful" and report CNAME records
together with the CNAME targets. When the targets are
insecure the whole reply is marked as insecure. Viktor
Dukhovni. File: tls/tls_dane.c.

Cleanup: Unify/simplify reporting of configuration or other
conditions that prevent DANE security. Viktor Dukhovni.
Files: global/dsn_buf.[hc], tls/tls_dane.c, smtp/smtp_tls_policy.c.

Miscellaneous documentation cleanups.