In addition to the names listed below, the following people provided
useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
Apologies for any names omitted.
19980105
The compiled-in default value for resolve_smtp_sender was
wrong (from the days that it was a boolean), causing smtpd
to dump core when the variable was not set in main.cf.
The INSTALL instructions now have separate sections for
the three basic ways of running vmailer.
The INSTALL instructions now have discusses how to deal
with chrooted processes.
Ported to RedHat 5.0. My, these people have re-organized
their include files quite a bit, haven't they.
19980106
On RedHat Linux 4.2/5.0, when a FIFO listener opens the
FIFO with mode O_RDONLY, the FIFO remains forever readable
after the writer has closed it. Workaround: open the FIFO
mode O_RDWR.
Test program: util/fifo_rdonly_bug.c
Unfortunately, the above fix triggers a bug on BSD/OS 3.1
where opening the FIFO mode O_RDWR causes select() to claim
that the FIFO is readable even before any data is written
to it, causing read() to block or to fail.
Test program: util/fifo_rdwr_bug.c
printfck (check arguments of printf-like function calls)
found a missing argument in local/command.c
Miscellaneous Makefile cleanups that I didn't finish before
the first alpha release.
19980107
Sometimes the DNS will claim that a domain does not exist,
when in fact it does. Thus, it is a bad idea to reject mail
from apparently non-existent domains. I have changed the
smtpd so that it produces a soft error responses when a
resolve_smtp_sender test fails with HOST_NOT_FOUND. Note:
by default, this test is still disabled.
The DB and DBM read routines will now automagically figure
out if (key, value) pairs were written including a terminating
null byte or not. The DB and DBM write routines will use
this result to determine how to write, and will fall back
to per-system defaults otherwise.
Renamed the README to MUSINGS, and wrote up a README that
reflects the current status of the software.
Added -d (don't disconnect) and -c (show running counter)
option to te smtp-source test program. These tools are
great torture tests for the mail software, and for the
system that it runs on.
Turned down the process_limit parameter (# of parallel smtp
clients or servers) to avoid unpleasant surprises. You can
crank up the process_limit parameter in main.cf.
19980111
Feature: when run by the superuser, mailq now shows the
mail queue even when the mail system is down. To this end,
mailq (sendmail -bp) runs the showq program directly instead
of connecting to the UNIX-domain service socket, and drops
privileges etc. as usual.
19980119
Bugfix: Edwin Kremer spotted an oversight in the negated
host matching code (for name or address patterns prefixed
by !).
Bugfix: upon receipt of a SIGHUP signal, the master now
disconnects from its child processes, so that the current
generation of child processes commits suicide, and so that
the next generation of child processes will use the new
configuration settings.
Bugfix: the smtp server now skips the sender DNS domain
lookup test for foo@[address]
Bugfix: don't append the local domain to foo@[address]
19980120
Bugfix: old low-priority bug in some list walk code that
caused the master to drop core when a service was turned
off in master.cf.
Robustness: the mail system should be able to start up and
to accept local postings even while the naming service is
down. For this reason, the mail system no longer uses
gethostbyname() to look up its own machine name. Sites
that use short hostnames will have to specify their FQDN
in main.cf (this will eventually be done by the system
installation/configuration procedure). Should the config
language support backticks so one can say `domainname`? What
about $name stuff between the backtics?
Security: the master now creates FIFOs and UNIX-domain
sockets as the mail owner instead of as root, for better
protection against subverted mail systems. chmod() is
susceptible to race conditions. fchmod(), although safer,
often does not work on sockets.
Portability: anticipate that all major UNIXes will create
UNIX-domain sockets with permissions modified by the process
umask (required by POSIX). For this reason, we always
chmod() UNIX-domain sockets, unless the system allows us
to use the safer fchmod() instead.
Portability: the semi-resident servers now properly handle
EWOULDBLOCK returns from accept() in addition to EGAIN
(on some systems, EAGAIN and EWOULDBLOCK have different
values).
Bugfix: the semi-resident servers now properly handle EINTR
returns From accept().
Bugfix: Edwin Kremer found that mynetworks() would compute
(32 - mask) instead of mask.
19980121
Feature: /etc/vmailer/relocated is used by the local delivery
program and specifies what mail should be bounced with a
"user has moved to XXX" message. The main.cf configuration
parameter is "relocated_maps". Just like the "virtual_maps"
config parameter, this feature is off by default, and the
parameter can have values such as "files" or "files, nis"
(on hosts equipped with NIS).
19980123
Cleanup: virtual domain support moved from the queue manager
to the resolve service, where it belongs.
Feature: /etc/vmailer/canonical is used by the rewrite
service for all addresses, and maps a canonical address
(user@domain) to another address. Typical use is to generate
Firstname.Lastname@domain addresses, or to clean up dirty
addresses from non-RFC 822 mail systems. The main.cf
configuration parameter is "canonical_maps". Just like
the "virtual_maps" config parameter, this feature is off
by default, and the parameter can have values such as
"files" or "files, nis" (on hosts equipped with NIS).
19980124
HPUX10 port and many little fixes from Pieter Schoenmakers.
Bugfix: isolated an old mysterious bug that could make the
master deaf for new connections while no child process was
running. A typical result was that no pickup daemon would
be started after the previous one had terminated voluntarily.
Bugfix: the NIS lookup code did not mystrdup() the NIS map
name and would access free()d memory.
19980125
Bugfix: the vstream routines would sometimes ignore flushing
errors. The error would still be reported by vstream_fclose()
and vstream_ferror().
Feature: time limit on delivery to shell commands. Config
parameter: command_time_limit. Default value: 100 sec. The
idea is to prevent one bad .forward file or alias file
entry from slowly using up all local delivery process slots.
19980126
Code cleanup: in preparation for SMTP extensions such as
SIZE, allow an extended SMTP command to have a variable
number of options.
19980127
Bugfix: moved canonical map lookups away from the rewriting
module to the cleanup service, so that canonical map lookups
do not interfere with address rewriting on behalf of other
programs. Back to an older trivial-rewrite program version.
Bugfix: moved virtual map lookups away from the resolver
back to the queue manager, so that virtual domain lookup
does not interfere with address resolution on behalf of
other programs. Back to an older qmgr program version.
19980131
Feature: integrated and adapted Guido van Rooij's SIZE
option (RFC 1870), carefully avoiding potential problems
due to overflow (by multiplying large numbers) or unsigned
underflow (by subtracting numbers).
Code cleanup: cleaned up the code that parses the server
response to the HELO/EHLO command, so that we can more
reliably recognize what options a server supports.
19980201
Portability: integrated the IRIX 6 port by Oved Ben-Aroya.
Portability: the software now figures out by itself if a
server should open its FIFO read-write or read-only, to
avoid getting stuck with a FIFO that stays readable forever.
Bugfix: the cleanup service would terminate with a fatal
vstream_fseek() error when the queue file was too large.
Bugfix: the cleanup service could be killed by a signal
when the queue file became too large.
19980203
Portability: some systems have statfs(), some have statvfs(),
and the relevant include files are in a different place on
almost every system.
Portability: the makedefs script now nukes the -O compiler
flag when building on AIX with IBM's own compiler...
19980204
Portability: HP-UX 9.x support by Pieter Schoenmakers.
Portability: added SYSV-style ulimit() file size limit
support for HP-UX 9.x.
Portability: added some #includes that appeared to be
missing according to the Digital UNIX cc compiler.
Bugfix: sys_defs.h now correctly specifies NIS support for
LINUX2, HPUX9 and HPUX10.
Security: fixed a file descriptor leak in the local delivery
agent that could give shell commands access to the VMailer
IPC streams. This should not cause a vulnerability, given
the design and implementation of the mailer, but it would
be like asking for trouble.
Bugfix: the sendmail -B (body type) option did not take a
value.
19980205
Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
definition from util/sys_defs.h.
Bugfix (HPUX9): forgot to specify whether to use statfs()
or statvfs().
Bugfix (HPUX9): don't try to raise the file size ulimit.
Bugfix (HPUX9): must specify file size limit in 512-blocks.
19980207
Robustness: the master process now raises the file size
limit when it is started with a limit that is less than
VMailer's file size limit. File: util/file_limit.c.
Security: the dns lookup routines now screen all result
names with valid_hostname(). Bad names are treated as
transient errors.
Feature: qmail compatibility: when the home_mailbox parameter
is set, mail is delivered to ~/$home_mailbox instead of to
/var[/spool]/mail/username. This hopefully makes it easier
to lure people away from qmail :-)
Robustness: several testers by accident configured relayhost
the same as myhostname. The programs now explicitly check
for this mistake.
Bugfix: deliver_request_read() would free unallocated memory
when it received an incomplete delivery request from the
queue manager.
Robustness: local_destination_concurrency=1 prevents parallel
delivery to the same user (with possibly disastrous effects
when that user has an expensive pipeline in the .forward
or procmail config file). Each transport can have its own
XXX_destination_concurrency parameter, to limit the number
of simultaneous deliveries to the same destination.
19980208
Robustness: added "slow open" mode, to gradually increase
the number of simultaneous connections to the same site as
long as delivery succeeds, and to gradually decrease the
number of connections while delivery fails. Brad Knowles
provided the inspiration to do this.
This also solves the "thundering herd" problem (making a
bunch of connections to a dead host when it was time to
retry that host). Let's see when other mailers fix this.
Feature: Added $smtpd_banner and $mail_version, for those
who want to show the world what software version they are
running.
Bugfix: vmailer-script now properly labels each syslog
entry.
19980210
Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers
Bugfix: the local delivery program now checks that a
destination is a regular file before locking it.
19980211
Robustness: the local delivery agent sets HOME, LOGNAME,
and SHELL when delivering to a user shell command. PATH is
always set, and TZ is passed through if it is set.
19980212
Feature: mailq (sendmail -bp) now also lists the maildrop
queue (with mail that hasn't been picked up yet).
19980213
Feature: the smtpd now says: 502 HELP not implemented. This
should impress the heck out of the competition :-)
19980214
Feature: local delivery to configurable system-wide command
(e.g. procmail) avoids the need for per-user ~/.forward
shell commands. Config parameter: mailbox_command.
19980215
Performance: avoid running a shell when a command contains
no shell magic characters or built-in shell commands. This
speeds up delivery to all commands. File: util/exec_command.c.
Bugfix: the local delivery agent, after reading EOF from
a child process, now sends SIGKILL only when the child does
not terminate within a limited amount of time. This avoids
some problems with procmail. File: util/timed_wait.c.
19980217
Portability: folded in NetInfo support from Pieter
Schoenmakers.
19980218
Feature: new vmlock command to run a command while keeping
an exclusive lock on a mailbox.
Feature: with "recipient_delimiter = +", mail for local
address "user+foo" is delivered to "foo", with a "Delivered-To:
user+foo@domain" message header. Files: qmgr/qmgr_message.c,
local/recipient.c. This must be the cheapest feature.
19980219
Code cleanup: moved error handling into functions that
should always succeed (non_blocking(), close_on_exec()).
19980223
Bugfix: null pointer bug in the cleanup program after
processing a From: header with no mail address (or with
only a comment).
19980226
Robustness: now detects when getpwnam() returns a name that
differs from the requested name.
Feature: Added %p support to the vbuf_print formatting
module.
Code cleanup: revamped the alias/include/.forward loop
detection and duplicate suppression code in the local
delivery agent. This must be the fourth iteration, and
again the code has been simplified.
19980228
Robustness: don't treat anything starting with whitespace
as a header record. Instead, explicitly test for leading
whitespace where we permit it. Files: global/is_header.c,
bounce/bounce_flush_service.c, local/delivered.c.
19980301
Compatibility: the sendmail program now accepts the -N
command-line option (delivery status notification) but
ignores it entirely, just like many other sendmail options.
Bugfix: dns_lookup.c was too conservative with buffer sizes
and would incorrectly report "malformed name server reply".
19980302
Bugfix: the local delivery agent was not null-byte clean.
19980307
Feature: integrated Pieter Schoenmaker's code for transport
lookup tables that list (transport, nexthop) by destination.
19980309
Bugfix: delivery agents no longer rename corrupt queue
files, because programs might fall over each other doing
so. Instead, when a delivery agent detects queue file
corruption, it chmods the queue file, simulates a soft
error, and lets the queue manager take care of the problem.
Bugfix: the SMTP server implemented VRFY incorrectly.
Feature: first shot at a pipe mailer, which can be used to
extend VMailer with external mail transports such as UUCP
(provided that the remote site understands domain addressing,
because VMailer version 1 does not rewrite addresses).
Cleanup: extended the master/child interface so that the
service name (from master.cf) is passed on to the child.
The pipe mailer needs the service name so it can look up
service-specific configuration parameters (privilege level,
recipient limit, time limit, and so on).
19980310-12
Cleanup: factored out the pipe_command() code, so it can
be shared between pipe mailer and local delivery agent.
19980314
Compatibility: the sendmail program now parses each
command-line recipient as if it were an RFC 822 message
header; some MUAs specify comma-separated recipients in a
command-line argument; and some MUAs even specify "word
word
" forms as command-line arguments.
19980315
Bugfix: VMailer's queue processing randomization wasn't
adequate for unloaded systems with small backlogs.
Bugfix: smtpd now uses double-buffered stream I/O to prevent
loss of input sent ahead of responses.
19980316
Bugfix: the smtpd anti-relay code didn't treat all hosts
listed in $mydestinations as local, so it would accept mail
only for hosts listed in $relay_domains (default: my own
domain).
Bugfix: smtpd now replies with 502 when given an unknown
command.
19980318
Cleanup: resolve/rewrite clients now automatically disconnect
after a configurable amount of idle time (ipc_idle).
19980322
Tolerance: VRFY now permits user@domain, even though the
RFC requires that special characters such as @ be escaped.
19980325
Bugfix: a recipient delimiter of "-" could interfere with
special addresses such as owner-xxx or double-bounce.
Tolerance: the SMTP client now permits blank lines in SMTP
server responses.
Tolerance: the SMTP client now falls back to SMTP when it
apparently mistook an SMTP server as ESMTP capable.
Bugfix: eliminated strtok() calls in favor of mystrtok().
Symptom: master.cf parsing would break if $inet_interfaces
was more than one word.
19980328
Bugfix: user->addr patterns in canonical and virtual tables
matched only $myorigin, not hosts listed in $mydestination
or addresses listed in $inet_interfaces. The man pages
were wrong too. File: global/addr_match.c.
19980401
Robustness: FIFO file permissions now default to 0622. On
some systems, opening a FIFO read-only could deafen the
pickup daemon. Only the listener end (which is opened as
root) needs read access anyway, so there should not be a
loss of functionality by making FIFOs non-readable for
non-mail processes.
19980402
Compatibility: sendmail -I and -c options added.
19980403
Feature: virtual lookups are now recursive. File:
qmgr/qmgr_message.c
19980405
Implemented sendmail -bs (stand-alone) mode. This mode runs
as the user and therefore deposits into the maildrop queue.
19980406
The pickup service now removes malformed maildrop files.
19980407
The pickup service now guards against maildrop files with
time stamps dated into the future.
19980408
Bugfix: in the canonical and virtual maps, foo->address
would match foo@$myorigin only. This has been fixed to also
match hosts listed in main.cf:$mydestination and the
addresses listed in main.cf:$inet_interfaces.
Bugfix: added double buffering support to the VMailer SMTP
server. This makes the SMTP server robust against SMTP
clients that talk ahead of time, and should have been in
there from day one.
19980409
Bugfix: the VMailer SMTP client now recognizes its own
hostname in the SMTP greeting banner only when that name
appears as the first word on the first line.
19980410
Feature: smtpd now logs the local queue ID along with the
client name/address, and pickup now logs the local queue
ID along with the message owner.
Bugfix: still didn't do virtual/canonical lookups right
(code used the non-case-folded key instead of the case
folded one).
19980418
Bugfix: the SMTP server did not flush the "250 OK queued
as XXXX" message from the SMTP conversation history.
19980419
Bugfix: qmgr would not notice that a malformed message has
multiple senders, and would leak memory (Tom Ptacek).
19980421
Portability: in the mantools scripts, the expr pattern no
longer has ^ at the beginning, and the scripts now use the
expand program instead of my own detab utility.
19980425
NetBSD 1.x patch by Soren S. Jorvang.
19980511
Feature: the SMTP server now logs the protocol (SMTP or
ESMTP) as part of the Received: header.
Feature: smtpd now logs the last command when a session is
aborted due to timeout, unexpected EOF, or too many client
errors.
19980514
Bugfix: the queue manager did not update the counter for
in-core message structures, so the in-core message limit
had no effect. This can be bad when you have a large backlog
with many messages eligible for delivery.
Robustness: the queue manager now also limits the total
number of in-core recipient structures, so that it won't
use excessive amounts of memory on sites that have large
mailing lists.
19980518
Bugfix: the SMTP client did not notice that the DNS client
received a truncated response. As a result, a backup MX
host could incorrectly claim that it was the best MX host
and declare a mailer loop.
Added start_msg/stop_msg entries to the vmailer startup
script, for easy installation.
Cleanup: VMailer databases are now explicitly specified as
type:name, for example, hash:/etc/aliases or nis:mail.aliases,
instead of implicitly as "files", "nis" and so on. Test
program: util/dict_open. This change allowed me to
eliminate a lot of redundant code from mkmap_xxx.c, and
from everything that does map lookups.
19980525
Bugfix: local/dotforward.c compared the result of opening
a user's ~/.forward against the wrong error value.
19980526
Bugfix: the smtpd VRFY command could look at free()d memory.
Robustness: the smtpd program had a fixed limit on the
number of token structures. The code now dynamically
allocates token structures.
Bugfix: the queue manager still used the deprecated parameter
name xxx_deliver_concurrency for concurrency control, but
the documentation talks about the preferred parameter name
xxx_destination_concurrency. Fix: try xxx_destination_concurrency
first, then fall back to xxx_deliver_concurrency.
19980621-19980702
Cleanup: the string read routines now report the last
character read or VSTREAM_EOF. This change is necessary
for the implementation of the long SMTP line bugfix.
Bugfix: the smtp server exited the DATA command prematurely
when the client sent long lines. Reason: the smtp server
did not remember that it broke long lines, so that '.'
could appear to be the first character on a line when in
fact it wasn't.
Bugfix: the queue manager made lots of stupid errors while
reading $qmgr_message_recipient_limit chunks of recipients
from a queue file. This code has been restructured.
19980706
Performance: the cleanup program now always adds return-receipt
and errors-to records to a queue file, so that the queue
manager does not have to plow through huge lists of
recipients.
Robustness: the initial destination concurrency now defaults
to 2, so that one bad message or one bad connection does
not stop all mail to a site. The configuration parameter
is called initial_destination_concurrency.
Performance: the per-message recipient limit is now enforced
by the queue manager instead of by the transport. Thus, a
large list of recipients for the same site is now mapped
onto several delivery requests which can be handled in
parallel, instead of being mapped onto one delivery request
that is sent to limited numbers of recipients, one group
after the other.
19980707
Cleanup: the queue manager now does an additional recipient
sort after the recipients have been resolved, so that the
code can do better aggregation of recipients by next hop
destination.
Feature: lines in the master.cf file can now be continued
in the same manner as lines in the main.cf file, i.e. by
starting the next line with whitespace.
Feature: the smtp client now warns that a message may be
delivered multiple times when the response to "." is not
received (the problem described in RFC 1047).
Cleanup: when the queue manager changes its little mind
after contacting a delivery agent (for example, it decides
to skip the host because a transport or host goes bad),
the delivery agent no longer complains about premature EOF.
File: global/deliver_request.c
19980709
Bugfix: when breaking long lines, the SMTP client did not
escape leading dots in secondary etc. line fragments. Fix:
don't break lines. This change makes VMailer line-length
transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c.
19980712
Cleanup: the queue manager to deliver agent protocol now
distinguishes between domain-specific soft errors and
recipient-specific soft errors. Result: many soft errors
with SMTP delivery no longer affect other mail the same
domain.
19980713
Feature: the file modification time stamp of deferred queue
files is set to the nearest wakeup time of their recipient
hosts, or if delivery was deferred due to a non-host problem,
the time stamp is set into the future by the configurable
minimal backoff time.
Bugfix: the SMTP client and the MAILQ command would report
as message size the total queue file size. That would
grossly overestimate the size of a message with many
recipients.
Bugfix: the 19980709 fix screwed up locally-posted mail
that didn't end in newline.
19980714
Robustness: the makedefs script now defaults to no optimization
when compiling for purify.
19980715
Robustness: the makedefs script now defaults to no optimization
when compiling with gcc 2.8, until this compiler is known
to be OK.
Workaround: when sending multiple messages over the same
SMTP connection, some SMTP servers need an RSET command
before the second etc. MAIL FROM command. The VMailer SMTP
client now sends a redundant RSET command just in case.
The queue manager now logs explicitly when delivery is
deferred because of a "dead" message transport.
19980716
Feature: mailq and mail bounces now finally report why mail
was deferred (the reason was logged to the syslog file
only). Changes were made to the bounce service (generalized
to be usable for defer logs), showq service (to show reasons)
and the queue manager.
As a result the defer directory (with one log per deferred
message) may contain many files; also, this directory is
accessed each time a message is let into the active queue,
in order to delete its old defer log. This means that hashed
directories are now a must.
19980718-20
Feature: configurable timeout for establishing smtp
connections. Parameter: smtp_connect_timeout (default 0,
which means use the timeout as wired into the kernel).
Inspired by code from Lamont Jones. For a clean but far
from trivial implementation, see util/timed_connect.c
Cleaned up the interfaces that implement read/write deadlines.
Instead of returning -2, the routines now set errno to
ETIMEDOUT; the readable/writable tests are now separate.
19980722
Feature: the default indexed file type (hash, btree, dbm)
is now configurable with the "database_type" parameter.
The default value for this parameter is system specific.
Feature: selectively turn on verbose logging for hosts that
match the patterns specified via the "debug_peer_list"
config parameter. Syntax is like the "bad_smtp_clients"
parameter (see global/peer_list.c). The verbose logging
level is specified with "debug_peer_level" (default 2).
Security: the local delivery agent no longer delivers to
files that have execute permission enabled.
19980723
Workarounds for Solaris 2.x UNIX-domain sockets: they lose
data when you close them immediately after writing to them.
This could screw up the delivery agent to queue manager
protocol.
19980724
Cleanup: spent most of the day cleaning up queue manager
code that defers mail when a site or transport dies, and
fixed a few obscure problems in the process.
19980726
Feature: the admin can now configure what classes of problems
result in mail to the postmaster. Configuration parameter:
"notify_classes". Default is backwards compatible: bounce,
policy, protocol, resource, and software.
19980726-28
Feature: the admin can now configure what smtp server access
control restrictions must be applied, and in what order.
Configuration parameters: smtpd_client_restrictions,
smtpd_helo_restrictions, smtpd_mail_restrictions and
smtpd_rcpt_restrictions. Defaults are intended to be
backwards compatible. The bad_senders and bad_clients lists
are gone and have become db (dbm, nis, etc) maps. Files:
smtpd/smtpd_check.c, config/main.cf.
19980729-31
Feature: hashed queues. Rewrote parts of the mail queue
API. Configuration parameters: "hash_queue_names" specifies
what queue directories will be hashed (default: the defer
log directory), "hash_queue_depth" specifies the number of
subdirectories used for hashing (default 2).
19980802
Bugfix: the pipe mailer should expand command-line arguments
with $recipient once for every recipient (producing one
command-line argument per recipient), instead of replacing
$recipient by of all recipients (i.e. producing only one
command-line argument). This is required for compatibility
with programs that expect to be run from sendmail, such as
uux. Thanks to Ollivier Robert for helping me to get this
right.
Code cleanup: for the above, cleaned up the macro expansion
code in dict.c and factored out the parsing into a separate
module, mac_parse.c.
19980803
"|command" and /file/name destinations in alias databases
are now executed with the privileges of the database owner
(unless root or vmailer). Thus, with: "alias_maps =
hash:/etc/aliases, hash:/home/majordomo/aliases", and with
/home/majordomo/aliases* owned by the majordomo account,
you no longer need the majordomo set-uid wrapper program,
and you no longer need root privileges in order to install
a new mailing list.
19980804
Added support for the real-time blackhole list. Example:
"client_restrictions = permit_mynetworks, reject_maps_rbl"
All SMTP server "reject" status codes are now configurable:
unknown_client_reject_code, mynetworks_reject_code,
invalid_hostname_reject_code, unknown_hostname_reject_code,
unknown_address_reject_code, relay_domains_reject_code,
access_map_reject_code, maps_rbl_reject_code. Default values
are documented in the smtpd/smtpd_check.c man page.
19980806-8
Code cleanup: after eye balling line-by line diffs, started
deleting code that duplicated functionality because it was
at the wrong abstraction level (smtp_trouble.c), moved
functionality that was in the wrong place (dictionary
reference counts in maps.c instead of dict.c), simplified
code that was too complex (password-file structure cache)
and fixed some code that was just wrong.
19980808
Robustness: the number of queue manager in-core structures
for dead hosts is limited; the limit scales with the limit
on the number of in-core recipient structures. The idea is
to not run out of memory under conditions of stress.
19980809
Feature: mail to files and commands can now be restricted
by class: alias, forward file or include file. The default
restrictions are: "allow_mail_to_files = alias, forward"
and allow_mail_to_commands = alias, forward". The idea is
to protect against buggy mailing list managers that allow
intruders to subscribe /file/name or "|command".
19980810-12
Cleanup: deleted a couple hundred lines of code from the
local delivery agent. It will never be a great program;
sendmail compatibility is asking a severe toll.
19980814
Cleanup: made the program shut up about some benign error
conditions that were reported by Daniel Eisenbud.
19980814-7
Documentation: made a start of HTML docs that describe all
configuration parameters.
Feature: while documenting things, added smtpd_helo_required.
19980817
Bugfix: at startup the queue manager now updates the time
stamps of active queue files some time into the future.
This eliminates duplicate deliveries after "vmailer reload".
Bugfix: the local delivery agent now applies the recipient
delimiter after looking in the alias database, instead of
before.
Documentation bugfixes by Matt Shibla, Tom Limoncelli,
Eilon Gishri.
19980819
GLIBC fixes from Myrdraal.
Bugfix: applied showq buffer reallocation workaround in
the wrong place.
Bugfix: can't use shorts in varargs lists. SunOS 4 has
short uid_t and gid_t. pipe_command() would complain.
Bugfix: can't use signed char in ctype macros. All ctype
arguments are now casted to unsigned char. Thanks, Casper
Dik.
19980820
Bugfix: save the alias lookup result before looking up the
owner. The previous alpha release did this right.
Cleanup: mail_trigger() no longer complains when the trigger
FIFO or socket is unavailable. This change is necessary to
shut up the sendmail mail posting program, so that it can
be used on mail clients that mount their maildrop via NFS.
Experiment: pickup and pipe now run as vmailer most of the
time, and switch to user privileges only temporarily.
Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
pickup/pickup.c. Is this more secure/ What about someone
manipulating such a process while not root? It still has
ruid == 0.
19980822
Portability: with GNU make, commands such as "(false;true)"
and "while :; do false; done" don't fail. Workaround: use
"set -e" all over the place. Problem found by Jeff Wolfe.
Feature: "check_XXX_access maptype:mapname" (XXX = client,
helo, sender, recipient). Now you can make recipient and
other SPAM restrictions dependent on client or sender access
tables lookup results.
19980823
Bugfix: smtpd access table lookup keys were case sensitive.
Added "permit" and "reject" operators. These are useful at
the end of SPAM restriction lists (smtpd_XXX_restrictions).
Added a first implementation of the permit_mx_backup SPAM
restriction. This permits mail relaying to any domain that
lists this mail system as an MX host (including mail for
the local machine). Thanks to Ollivier Robert for useful
discussions.
19980824
Bugfix: transport table lookup keys were case sensitive.
19980825
Portability: sa_len is some ugly #define on some SGI systems,
so we must rename identifiers (file util/connect.c).
Bugfix: uucp delivery errors are now sent to the sender.
Thanks, Mark Delany.
Bugfix: the pipe delivery agent now replaces empty sender
by the mailer daemon address. Mark Delany, again.
Portability: GNU getopt looks at all command-line arguments.
Fix: insert -- into the pipe/uucp definition in master.cf.
Bugfix: the smtp server command tokenizer silently discarded
the [] around [text], so that HELO [x.x.x.x] was read as
if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.
Bugfix: the HELO unknown hostname/bad hostname restrictions
would have treated [text] as a domain name anyway.
Bugfix: the $local_duplicate_filter_limit value was not
picked up by the local delivery agent. This means the local
delivery agent could run out of memory on large mailing
list deliveries.
19980826
Performance: mkmap/mkalias now run with the same speed as
sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte
of memory for DB lookups. File: util/dict_db.c.
19980902
Robustness: the reject_unknown_hostname restriction for
HELO/EHLO hostnames will now permit names that have an MX
record instead of an A record.
19980903
Feature: appending @$myorigin to an unqualified address is
configurable with the boolean append_at_myorigin parameter
(default: yes).
Feature: appending .$mydomain to user@host is configurable
with the boolean append_dot_mydomain parameter (default:
yes).
Feature: site!user is rewritten to user@site, under control
of the boolean parameter swap_bangpath (default: yes).
Feature: permit a naked IP address in HELO commands (i.e. an
address without the enclosing [] as required by the RFC), by
specifying "permit_naked_ip_address" as one of the restrictions
in the "smtpd_helo_restrictions" config parameter.
19980904
Code cleanup: when an SMTP client aborts a session after
sending MAIL FROM, the cleanup service no longer warns that
it is "skipping further client input". Files: cleanup/*.c.
Thanks, Daniel Eisenbud, for prodding.
Code cleanup: when an SMTP server disconnects in the middle
of a session, don't try to send QUIT over the non-existing
connection. Files: global/smtp_stream.c, smtp/smtp.c.
Thanks, Daniel Eisenbud, for prodding, again.
Code cleanup: the VMailer version number has moved from
mail_params.h (which is included by lots of modules) to a
separate file global/mail_version.h, so that a version
change no longer results in massive recompilation.
Bugfix: Errors-To was flagged as a sender address, so
the address never was picked up.
Code cleanup: support for Errors-To: headers completed.
19980905
Feature: per-message exponential delivery backoff, by
looking at the amount of time a message has been queued.
Thanks, Mark Delany.
19980906
Code cleanup: ripped out the per-host exponential backoff
code. It was broken by 19980818. It was probably a bad idea
anyway, because it required per-host, in-core, state kept
by the queue manager. All we do now is to keep state for
$minimal_backoff_time seconds, but only for a limited number
of hosts. Daniel Eisenbud spotted the problem.
Lost feature: the SMTP session transcripts now show who
said what. This feature was inadvertently dropped during
development. Thanks, Daniel Eisenbud, for reminding.
Documentation: the hard-coded rewriting process of the
trivial-rewrite program is described in html/rewrite.html.
Feature: the local delivery agent now does alias lookups
before and after chopping off the recipient subaddress.
This allows you to forward user-anything to another user,
without losing the ability to redirect specific user-foo
addresses.
19980909
Feature: the smtp client now logs a warning that a server
sends a greeting banner with the client's hostname, which
could imply a mailer loop.
19980910
Feature: separate canonical maps for sender and recipient
address rewriting, so that you can rewrite an ugly sender
address and still forward mail to that same ugly address
without creating a mailer loop. Files: cleanup_envelope.c,
cleanup_message.c, cleanup_rewrite.c.
19980911
Feature: virtual maps now support multiple addresses on
the right-hand side. In the case of virtual domains this
can eliminate the need for address expansion via local
aliases, making virtual domains much easier to administer.
This required that I moved the virtual table lookups from
the queue manager to the cleanup service, so that every
recipient has an on-disk status record. Files: qmgr.c,
qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c,
cleanup_virtual.c.
Feature: sendmail/mailq/newaliases pass on the -v flag to
the program that they end up running, to make debugging a
little easier.
19980914
Bugfix: some anti-spam measures didn't recognize some
addresses as local and would do too much work. File:
smtpd_check.c.
Bugfix: the smtp sender/recipient table lookup restriction
destroyed global data, so that other restrictions could
break. File: smtpd_check.c.
Bugfix: after vmailer reload, single-threaded servers could
exit before flushing unwritten data to the client. Example:
cleanup would exit before acking success to pickup, so the
message would be delivered twice. Bug reported by Brian Candler.
Cleanup: removed spurious error output from vmailer-script.
Reported by Brian Candler.
Tolerance: ignore non-numeric SMTP server responses. There's
lot of brain damage out there on the net.
19980915
Feature: the smtp-sink benchmark tool now announces itself
with a neutral name so that it can be run on the same
machine as VMailer, without causing Postfix to complain
about a mailer loop.
Robustness: on LINUX, vmailer-script now does chattr +S to
force synchronous directory updates. Fix developed with
Chris Wedgwood.
19980916
Bugfix: when transforming an RFC 822 address to external
form, there is no need to quote " characters in comments.
This didn't break anything, it just looked ugly. File:
global/tok822_parse.c
19980917
Workaround: with deliveries to /file/name, use fsync() and
ftruncate() only on regular files. File: local/file.c
Workaround: the plumbing code in master_spawn.c didn't
check if it was dup2()/close()ing a descriptor to itself
then closing it. Will have to redo the plumbing later.
19980918
Workaround: on multiprocessor Solaris machines, one-second
rollover appears to happen on different CPUs at slightly
different times. Made the queue manager more tolerant for
such things. Problem reported by Daniel Eisenbud.
Workaround: in preparation for deployment with a network-shared
maildrop directory. make pickup more tolerant against clock
drift between clients and servers.
19980921
New vstream_popen() module that opens a two-way channel
across a socketpair-based pipe. This module isn't being
used yet; it is here only to complete the vstream code.
19980922
Code cleanup: the xxx_server_main() interface for master
child processes now uses a name-value argument list instead
of an ugly and inflexible data structure.
Bugfix: moved the test if a non-interactive process is run
by hand, so that the "don't do this" error message can be
printed to stderr before any significant processing.
Bugfix: smtpd now can talk to unix-domain sockets without
bailing out on a peer lookup problem. Files: smtpd/smtpd.c,
util/peer_name.c.
Safety: by default, the postmaster is no longer informed
of protocol problems, policy violations or bounces.
Safety: the SMTP server now sleeps before sending a [45]xx
error response, in order to prevent clients from hammering
the server with a connect/error/disconnect loop. Parameter:
smtpd_error_sleep_time (default: 5).
Feature: the logging facility is compile-time configurable
(e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1").
19980923
Bugfix: changed virtual/canonical map search order from
(user@domain, @domain, user) to (user@domain, user, @domain)
so the search order is most specific to least specific.
File: global/addr_map.c, lots of documentation.
Bugfix: after the change of 19980910, cleanup_message
extracted recipients from Reply-To: etc. headers. Found
by Lamont Jones.
19980925
Bugfix: the change in virtual/canonical map search order
broke @domain entries; they would never be looked up if
the address matched $myorigin or $mydestinations. Found
by Chip Christian who now regrets asking for the change.
Bugfix: cleanup initialized an error mask incorrectly, so
that it would keep writing to a file larger than the queue
file size limit, and so it would treat the error as a
recoverable one instead of sending a bounce. Thanks, Pieter
Schoenmakers.
Bugfix: the "queue file cleanup on fatal error" action was
no longer enabled in the sendmail mail posting agent.
Feature: the sendmail mail posting program now returns
EX_UNAVAILABLE when the size of the input exceeds the queue
file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN.
19980926
Code cleanup: the dotlock file locking routine is no longer
derived from Eric Allman's 4.3BSD port of mail.local.
Code cleanup: the retry strategy of the file locking routines
dot_lockfile() and deliver_flock() is now configurable
(deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale).
Code cleanup: the master.pid lock file is now created with
symlink paranoia, and is properly locked so that PID rollover
will not cause false matches.
Bugfix: the vbuf_print() formatting engine did not know
about the '+' format specifier.
Cleanup: replaced unnecessary instances of stdio calls by
vstream ones.
19980929-19981002
Compatibility: added support for "sendmail -q". This required
a change to the queue manager trigger protocol, and a code
reorganization of the way queue scans were done. The queue
manager socket now has become public.
10091002
SMTPD now logs "lost connection after end-of-message" instead
of "lost connection after DATA".
10091005
More bullet proofing: timeouts on all triggers.
19981006
Bugfix: make the number of cleanup processes unlimited, in
order to avoid deadlock. The number of instances needed is
one per smtp/pickup process, and an indeterminate number
per local delivery agent. Thanks, Thanks, David Miller and
Terry Lorrah for cleueing me in.
Bugfix: "sendmail -t" extracted recipients weren't subjected
to virtual mapping. Daniel Eisenbud strikes again.
19981007
Compatibility: if the first input line ends in CRLF, the
sendmail posting agent will treat all CRLF as LF. Otherwise,
CRLF is left alone. This is a compromise between sendmail
compatibility (all lines end in CRLF) and binary transparency
(some, but not all, lines contain CRLF).
19981008
Robustness: stop recursive virtual expansion when the
left-hand side appears in its own expansion.
19981009
Portability: trigger servers such as pickup and qmgr can
now use either FIFOs or UNIX-domain sockets; hopefully at
least one of them works properly. Trigger clients were
already capable of using either form of local IPC.
19981011
Feature: masquerading. Strip subdomains from domains listed
in $masquerade_domains. Exception: envelope recipients are
left alone, in order to not screw up routing.
19981015
Code cleanup: moved the recipient duplicate filter from
the user-level sendmail posting agent to the semi-resident
cleanup service, so that the filter operates on the output
from address canonicalization and of virtual expansion,
instead of operating on their inputs.
19981016
Bugfix: after kill()ing a bunch of child processes, wait()
sometimes fails before all children have been reaped, and
must be called again, or the master will SIGSEGV later.
Problem reported by Scott Cotton.
Workaround: don't log a complaint when an SMTP client goes
away without sending QUIT.
19981018
Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard
error (EINVAL) when the result buffer is not large enough.
This can happen on systems with many real or virtual
interfaces. File: util/inet_addr_local.c. Problem reported
by Scott Cotton.
Workaround: the optional HELO/EHLO hostname syntax check
now allows a single trailing dot.
Workaround: with UNIX-domain sockets, LINUX connect() blocks
until the server calls accept(). File: qmgr/qmgr_transport.c.
Terry Lorrah and Scott Cotton provided the necessary evidence.
19981020
Robustness: recursive canonical mapping terminates when
the result stops changing.
Code cleanup: reorganized the address rewriting and mapping
code in the cleanup service, to make it easier to implement
the previous enhancement.
19981022
Code cleanup: more general queue scanning programming
interface, in preparation for hashed queues. File:
qmgr/qmgr_scan.c.
Bugfix: a non-FIFO server with a process limit of 1 has a
too short listen queue. Until now this was not a problem
because only FIFO servers had a process limit of 1, and
FIFOs have no listen queue. Fix: always configure a listen
queue of proc_limit or more. File: master/master_listen.c.
19981023
Feature: by popular request, mail delay is logged when
delivering, bouncing or deferring mail.
19981024
Cleanup: double-bounce mail is now absorbed by the queue
manager, instead of the local delivery agent, so that the
mail system will not go mad when no local delivery agent
is configured.
19981025
Cleanup: moved the relocated table from the local delivery
agent to the queue manager, so that the table can also be
used for virtual addresses.
Code reorg: in order for the queue manager to absorb
recipients, the queue file has to stay open until all
recipients have been assigned to a destination queue.
19981026
vmlogger command, so that vmailer-script logging becomes
consistent with the rest of the VMailer system.
Code reorg: logger interface now can handle multiple output
handlers (e.g. syslog and stderr stream).
Bugfix: a first line starting with whitespace is no longer
treated as an extension of our own Received: header. Files:
smtpd/smtpd.c, pickup/pickup.c.
19981027
Bugfix: the bang-path swapping code went into a loop on an
address consisting of just a single !. Eilon Gishri had
the privilege of finding this one.
Workaround: the non-blocking UNIX-domain socket connect is
now enabled only on systems that need it. It may cause
kernel trouble on Solaris 2.x.
Bugfix: the resolver didn't implement bangpath swapping,
so that mail for site!user@mydomain would be delivered to
a local user named "site!user".
19981028
Cleanup: a VSTREAM can now use different file descriptors
for reading and writing. This was necessary to prevent
"sendmail -bs" and showq from writing to stdin. Eilon Gishri
observed the problem.
19981029
The RFC 822 address manipulation routines no longer give
special attention to 8-bit data. Files: global/tok822_parse.c,
global/quote_822_local.c.
Bugfix: host:port and other non-domain stuff is no longer
allowed in mail addresses. File: qmgr/qmgr_message.c.
Workaround: LINUX accept() wakes up before the three-way
handshake is complete, so it can fail with ECONNRESET.
Files: master/single_server.c, master/multi_server.c.
Feature: when delivering to user+foo, try ~user/.forward+foo
before trying ~user/.forward.
Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't
clean up when terminated by a signal.
Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should
not try to enforce spam controls because it cannot access
the address rewriting machinery.
Cleanup: the percent hack (user%domain -> user@domain) is
now configurable (allow_percent_hack, default: yes).
Bugfix: daemons in -S (stand-alone) mode didn't change
directory to the queue. This was no problem with daemons
run by the sendmail compatibility program.
19981030
Feature: when virtual/canonical/relocated lookup fails for
an address that contains the optional recipient delimiter
(e.g., user+foo@domain), the search is done again with the
unextended address (e.g., user@domain). File: global/addr_find.c.
Code reorg: the address searching is now implemented by a
separate module global/addr_find.c, so that the same code
can be used for both (non-mapping) relocated table lookups
and for canonical and virtual mapping. The actual mapping
is still done in the global/addr_map.c module.
Robustness: the SMTP client now skips hosts that don't send
greeting banner text. File: smtp/smtp_connect.c
Feature: preliminary support to disable delivered-to. This
is desirable for mailing list managers that don't want to
advertise internal aliases.
Generic support: when the recipient_feature_delimiter
configuration parameter is set, the local delivery agent
uses it to split the recipient localpart into fields. Any
field that has a known name such as "nodelivered" enables
the corresponding delivery feature.
19981031
Code reorg: address splitting on recipient delimiter is
now centralized in global/split_addr.c, which knows about
all reserved names that should never be split.
Robustness: when a request for an internal service cannot
be satisfied because the master has terminated, terminate
instead of trying to reach the service every 30 seconds.
Safety: the local delivery agent now runs as vmailer most
of the time, just like pickup and pipe. Files: local/local.c,
local/mailbox.c
19981101
Compatibility: the tokenizer for alias/forward/etc.
expansion now updates an optional counter with the number
of destinations found; If no destinations is found in a
.forward file, deliver to the mailbox instead. Thanks,
Daniel Eisenbud, for showing the way to go.
Robustness: the pickup daemon should always include a
posting-time record, even when the sendmail posting agent
didn't. However, just like before, user-provided posting
times will be ignored. Ollivier Robert found this one.
Robustness: duplicate entries in aliases or maps now cause
a warning instead of a fatal error (and an incomplete file).
Robustness: mkmap now prints a warning when an entry is
in "key: value" format, which is the format expected for
alias databases, not for maps.
Portability: on LINUX, prepend "+" to the getopt() options
string so that getopt() will stop at the first non-option
argument. Suggestion by Marco d'Itri.
19981103
Cleaned up the set_eugid() and open_as() implementations,
and added stat_as() and fstat_as() so that the local delivery
agent would look up include files and .forward files with
the right privileges.
19981104
Bugfix: the :include: routine now stat()s/open()s files
included by root-owned aliases as root, not as nobody.
Bugfix: the master crashed when a service with wakeup timer
was disabled or renamed. Fix: eliminate some pathological
coupling between process management and wakeup management.
Feature: partial implementation of ETRN (causes a full
deferred queue scan). Thanks Lamont Jones for reminding me
that things can be useful already before they are perfect.
Cleanup: simplified the SMTPD tokenizer.
Bugfix: sendmail -bs didn't properly notify the mail system
of new mail.
Compatibility: the MAIL FROM and RCPT TO commands now accept
the most common address forms without enclosing <>. The <>
is still needed for addresses that contain a "string", an
[address], or a colon (:).
19981105
Bugfix: "master -t" would claim that the master runs when
in fact the pid directory does not exist, causing trouble
with first time startup (reported by several).
Portability: added a sane_accept() module that maps all
beneficial accept() error results to EAGAIN. According to
private communication with Alan Cox, Linux 2.0.x accept()
can return a variety of error conditions, so we play safe
and allow for any error that may happen because SYN+ACK
could not be sent.
Portability: NETBSD1 uses dotlock files (Perry Metzger).
Bugfix: the local delivery agent did not canonicalize
owner-foo sender addresses, so that local users would see
owner-foo instead of owner-foo@$myorigin (Perry Metzger).
OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda).
19981106
Portability: the master startup would take a long time on
AIX because AIX has a very large per-process open file
limit. Fix is to check the status of only the first couple
hundred file descriptors instead. File: master/master.c.
Bugfix: mail to user@[net.work.addr.ess] was broken because
of a reversed test. File: qmgr/qmgr_message.c.
19981107
Compatibility: don't clobber the envelope sender address
when an alias has no owner-foo alias (problem diagnosed by
Christophe Kalt).
Bugfix: mail to local users in include files would be
delivered directly if the alias didn't have an owner-foo
alias, and if the alias database and include file were
owned by root.
Feature: with user+foo addresses, any +foo address extension
that is not explicitly matched in canonical, virtual or
alias databases is propagated to the table lookup result.
19981108
Bugfix: minor memory leak in the user+foo table lookup code.
Configurability: specify virtual.domain in the virtual map,
and mail for unknown@virtual.domain will bounce automatically.
The $relay_domains default value now includes $virtual_maps,
so the SMTP server will accept mail for the domain. Marco
d'Itri put me on the right track.
Configurability: The mydestinations configuration parameter
now accepts /file/name expressions and type:name lookup tables.
Code cleanup: in order to make the previous two enhancements
possible, revised the string/host/address matching engine
so it can handle any mixture of strings, /file/name patterns
and type:name lookup tables. Files: util/match_{list,ops}.c,
global/{domain,namadr,string}_list.c.
19981110
Code cleanup: replaced remaining isxxx() calls by ISXXX().
19981111
Bugfix: the "bounce unknown virtual user" code was in the
wrong place. Problem tackled with help of Chip Christian.
Portability: reportedly, Solaris 2.5.1 can hang waiting
for a UNIX-domain connection to be accepted, so it gets
the same workaround that was designed for LINUX. Problem
reported by Scott Cotton.
19981112
Management: "vmailer stop" now allows delivery agents to
finish what they are doing, like "vmailer reload".
Management; "vmailer abort" causes immediate termination.
Workaround: zombie processes pile up with HP-UX. Reason:
select() does not return upon SIGCHLD when SA_RESTART is
specified to sigaction(). Workaround: shorten the select()
timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS.
Thanks, Lamont Jones.
19981117
Rename: VMailer is now Postfix. Sigh.
19981118
Cleanup: generalized the safe_open() routine so that it is
no longer limited to mailbox files, lock files, etc.
Bugfix (found during code review): vstream*printf() could
run off the end of a stream buffer after an I/O error,
because vbuf_print() ignored the result from VBUF_SPACE().
Bugfix (found during code review): resolve_local() could
clobber its argument, but the docs didn't say so.
19981121
Cleanup: the is_header() routine now allows 8-bit data in
header labels.
19981123
Bugfix (found during code review): the mail_queue_enter()
path argument wasn't optional. File: global/mail_queue.c
19981124
Cleanup: eliminated redundant tests for a zero result from
vstream_fdopen(). Unlike the stdio fdopen() routine, the
vstream_fdopen() routine either succeeds or never returns.
Bugfix: the queue manager now looks at the clock before
examining a file time stamp, to avoid spurious complaints
about time warps on busy machines. File: qmgr/qmgr_active.c.
19981125
Compatibility: allow trailing dot at the end of user@domain.
Address canonicalization now strips it off. Issue brought
forward by Eilon Gishri. File: trivial-rewrite/rewrite.c.
Robustness: changed DNS lookup order of MAIL FROM etc.
domains from MX then A to A then MX, just in case the MX
lookup fails with a server error.
Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat,
postlock, postlog, postkick. Also renamed mkmap and mkalias
to postmap and postalias.
19981126
Workaround: Lamont Jones found a way for HP-UX to terminate
select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN.
Files: util/sys_defs.h, master/master_sig.c.
Bugfix: the Delivered-To: loop detection code had stopped
working, when long ago the is_header() routine was changed.
File: local/delivered.c.
19981128
Bugfix: postcat opened queue files read-write, where only
read access was needed. File: postcat/postcat.c.
19981129
Safety: added a sleep(1) to all fatal and panic exits.
File: util/msg.c.
19981201
Robustness: postcat now insists that a file starts with a
time record.
Consistency: added "-c config_dir" command-line options
where appropriate.
19981202
Man pages, on-line version.
19981203
Man pages, html version; overview documentation.
19981206
Sendmail silently accepted the unsupported -qRsite and
-qSsite options. It now prints an error message and
terminates.
Separated the contributed tree from the IBM code; moved
the LDAP and NEXTSTEP/OPENSTEP code to the contributed
source tree because obviously I didn't write it.
19981206-9
Had to write a postconf configuration utility in order to
reliably find out about all configuration parameters and
their defaults.
Documentation bugfixes by Matt Shibla, Scott Drassinower,
Greg A. Woods.
19981209
On machines with short hostnames, postconf -d cored while
reporting a fatal error. It should not report that error
in the first place. Thanks, Eilon Gishri.
Changed the FAQ entry about rejecting mail for *.my.domain
on a firewall. Chip Christian was right, I was wrong.
19981214
Portability: with GNU getopt, optind is not initially 1,
breaking an assumption in sendmail/sendmail.c. Liviu Daia.
Annoyance: on non-networked systems, don't warn that only
one network interface was found. File: global/inet_addr_local.c.
Reported by several.
Bugfix: on non-networked systems, the smtp client assumed
that it was running in virtual host mode, and would bind
to the loopback interface. File smtp/smtp_connect.c. Liviu
Daia, again.
19981220
Robustness: when looking up an A or MX record, do not give
up when the A query fails because of a server error. File
dns/dns_lookup.c. Reported by Scott Drassinower.
19981221
Bugfix: "bounce mail for non-existent virtual user" didn't
work when a non-default relay host was configured in main.cf
or in the transport table. File: qmgr/qmgr_message.c.
Bugfix: the maildrop directory should not be world-readable.
Files: conf/postfix-script, showq/showq.c.
Documentation: fixed several omissions and errors.
Documentation: removed references to the broken recipient
feature delimiter configuration parameter.
Bugfix: write mailbox file as the recipient, so that file
quota work as expected.
Bugfix: pickup would die when it tried to remove a non-file
in the maildrop directory (Jeff Wolfe).
19981222
Sendmail no longer logs the queue ID when it is unable to
notify the pickup daemon. This is a late addition to the
"unreadable maildrop queue" patch.
user.lock files are now created as root, so that postfix
needs no group directory write permission.
19981224
Security: allow queue file link counts > 1, to avoid
non-delivery of maildrop files with links to a non-maildrop
directory. Files: global/mail_open_ok.c, and anything
that calls this code (qmgr, pickup, showq). If multiple
hard links are a problem, see the set-gid "postdrop" utility
below.
19981225
Robustness: the queue manager no longer aborts when a queue
file suddenly disappears (e.g. because the file was removed
by hand).
Feature: when a writable maildrop directory is a problem,
sites can make the new "postdrop" utility set-gid. This command
is never used when the maildrop directory is world-writable.
Robustness: make the queue file creation routine more
resistant against denial of service race attack. File:
global/mail_queue.c
19981226
New suid_priv module to enable/disable privileges in a
set-uid/gid program. In the end I decided to not use it.
19981228
Robustness: make the pickup daemon more resistant against
non-file race attack.
Cleanup: generic mail_stream.c interface for writing queue
file streams to files, daemons or commands. This simplifies
the code in smtpd and in sendmail that must be able to pipe
mail through the postdrop command. The cleanup daemon has
been modified to use the same interface. Result: less code.
Feature: smtpd now logs the only recipient in Received:
headers.
Feature: separate command and daemon directories. Both
default to $program_directory. Install conf/postfix-script
if you want to use this feature.
19981230
Patch to avoid conflict with non-writable top-level Makefile
(Lamont Jones).
19981231
Portability: port to UnixWare 7 by Ronald Joe Record, SCO.
19990104
Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions
Ltd.) Files: quote_82[12]_local.c.
Bugfix: wrong default for relay_domains (Juergen Kirschbaum,
Bayerische Landesbank). File: mail_params.h.
Bugfix: changed 5xx response for "too may recipients" to
4xx. File: smtpd.c.
19990106
Feature: defer_transports specifies the names of transports
that should be used only when "sendmail -q" (or equivalent)
is issued. For example, "defer_transports = smtp" is useful
for sites that are disconnected most of the time. File:
qmgr_message.c.
19990107
Feature: local_command_shell specifies a non-default shell
for delivery to command by the local delivery agent. For
example, "local_command_shell = /some/where/smrsh -c"
restricts what may appear in "|command" destinations.
File: global/pipe_command.c.
19990112-16
Feature: SMTP command pipelining support based on an initial
version by Jon Ribbens, Oaktree Internet Solutions Ltd.
This one took several days of massaging before I felt
comfortable about it. Files: smtp.c, smtp_proto.c.
Bugfix: the SMTP server would flush responses one-by-one,
which caused suboptimal performance with pipelined clients.
The vstream routines now flush the write buffer when the
read() routine is called, instead of flushing when the
application changes from writing to reading. Delayed flush
prevents the SMTP server from flushing responses one-by-one
and thus triggering Nagle's algorithm. File: util/vstream.c.
19990117
Bugfixes and enhancements to the smtpstone tools by Drew
Derbyshire, Kendra Electronic Wonderworks: send helo command,
send message headers, format the message content to lines
< 80, work around NT stacks, make "." recognition more
robust. Files: smtp-source.c, smtp-sink.c.
Strategy: look at the deferred queue only when the incoming
queue is empty; limit the number of recipients read from
a queue file depending on the number of recipients already
in core. Files: qmgr.c, qmgr_message.c.
Feature: postponed anti-UCE restrictions. The decision to
reject junk mail on the basis of the client name/address,
HELO hostname or sender address can now be postponed until
the RCPT TO command (or HELO or MAIL FROM if you like).
File: smtpd_check.c.
19990118
Feature: incremental updates of alias databases and of
other lookup tables. Both postalias and postmap now take
a -i option for incremental updates from standard input.
Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c.
Compatibility: newaliases can now update multiple alias
databases: list them in the "alias_database" parameter in
main.cf. By the same token, postalias can now update multiple
maps in one command. Files: post{map,alias}/post{map,alias}.c
Feature: mail to <> is now sent to the address specified
with the "empty_address_recipient" configuration parameter
which defaults to MAILER-DAEMON (idea by Lamont Jones,
Hewlett-Packard). File: cleanup/cleanup_envelope.c.
Compatibility: the transport table now uses .domain.name
to match subdomains, just like sendmail mailer tables
(patch by Lamont Jones, Hewlett-Packard).
Feature: mailq now ends with a total queue size summary
(Eilon Gishri, Israel Inter University Computation Center).
19990119
Feature: address masquerade exceptions for user names listed
in the "masquerade_exceptions" configuration parameter.
File: cleanup/cleanup_masquerade.c.
Feature: qmail-style maildir support, based on initial code
by Kevin W. Brown, Quantum Internet Services Inc.
Workaround: Solaris 2.something connect() fails with
ECONNREFUSED when the system is busy (Chris Cappuccio,
Empire Net). File: global/mail_connect.c.
Feature: the cleanup service now adds a Return-Path: header
when none is present. This header is needed for some mail
delivery programs (see below). File: cleanup_message.c.
Feature: the pipe mailer now supports $user, $extension
and $mailbox macros in command-line expansions. This, plus
the Return-Path: header (see above), should be sufficient
to support cyrus IMAP out of the box. Based on initial
code by Joerg Henne, Cogito Informationssysteme GMBH.
File: pipe/pipe.c.
Bugfix: with address extensions enabled, canonical and
virtual lookups now are done in the proper order:
user+foo@domain, user@domain, user+foo, user, @domain.
File: global/mail_addr_find.c.
19990119
Feature: the local mailer now prepends a Received: message
header with the queue ID to forwarded mail, in order to
make message tracing easier. File: local/forward.c.
Cleanup: after "postfix reload", no more broken pipe
complaints from resolve/rewrite clients.
19990121
Feature: pickup (again) logs uid and sender address.
On repeated request by Scott Cotton, Internet Consultants
Group, Inc.
Portability: doze() function for systems without usleep().
Cleanup: clients are now consistently logged as host[address].
19990122
Maildir support changed: specify "home_mailbox = Maildir/".
The magic is the trailing /. Suggested by Daniel Eisenbud,
University of California at Berkeley.
Maildir support from aliases, :include: and .forward files.
Specify /file/name/ - the trailing / is required. Suggested
by Daniel Eisenbud, University of California at Berkeley.
Workaround: watchdog timer to prevent the queue manager
from locking up on some systems.
Bugfix: in Received: headers, the "for "
information was in the wrong place. Pointed out by Jon
Ribbens, Oaktree Internet Solutions Ltd.
19990124
Portability: more workarounds for GNU getopt() by Liviu
Daia, Institute of Mathematics, Romanian Academy. File:
sendmail/sendmail.c.
19990125
Bugfix: Postfix should not masquerade recipient addresses
extracted from message headers. Problem reported by David
Blacka, Network Solutions. File: cleanup/cleanup_message.c.
19990126
Feature: smtpd_etrn_restrictions parameter to restrict who
may use ETRN and what domains may be specified. Example:
"smtpd_etrn_restrictions = permit_mynetworks, reject".
Requested by Jon Ribbens, Oaktree Internet Solutions Ltd.
File: smtpd/smtpd_check.c.
19990127
Bugfix: in an attempt to shave some cycles, the anti junk
mail routines would use the wrong resolved address. This
"optimization" is now turned off. Problem reported by Sam
Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c.
Feature: BIFF notifications. For compatibility reasons
this feature is on by default. This "protocol" can be a
real performance pig. Specify "biff = no" in main.cf if
your machine has lots of shell users. Feature requested by
Dan Farmer - it's one of the things one does for friends.
Files: local/mailbox.c, local/biff_notify.c.
Bugfix: another case sensitivity problem, this time with
virtual lookups to recognize unknown@virtual.domain.
Problem reported by Bo Kleve, Linkoping University. File:
qmgr/qmgr_message.c.
19990128
Feature: with "soft_bounce = yes", defer delivery instead
of bouncing mail. This is a safety net for configuration
errors with delivery agents. It has no effect on errors in
virtual maps, canonical maps, or in junk mail restrictions.
Feature requested by Bennett Todd. File: global/bounce.c.
19990129
Compatibility: the qmail maildir.5 documentation prescribes
maildir file names of the form time.pid.hostname, which is
wrong because Postfix processes perform multiple deliveries.
Elsewhere the qmail author has documented how maildir files
should be named under such conditions. Postfix has been
changed to be conformant. File: local/maildir.c.
19990131
Feature: special treatment of owner-foo and foo-request
can be turned off. Specify "owner_request_special = no".
Requested by Matthew Green and others. Files: local/alias.c,
global/split_addr.c. This affects canonical, virtual and
alias lookups.
19990204
Portability: signal handling for HP-UX 9 by Lamont Jones
of Hewlett Packard. File: master/master_sig.c.
Robustness: disable random walk inside a per-site queue to
avoid message starvation under heavy load. File: qmgr_entry.c.
Robustness: under some conditions the queue manager could
declare a host dead after just one delivery failure. File:
qmgr_queue.c.
19990212
Feature: skip SMTP servers that greet us with a 4XX status
code. Example: "smtp_skip_4xx_greeting = yes". By default,
the Postfix SMTP client defers delivery when a server
declines talking to us. File: smtp/smtp_connect.c.
Robustness: upon startup the queue manager now moves active
queue files to the incoming queue instead of the deferred
queue, to avoid anomalous delivery delays on systems that
have a huge incoming queue. Files: qmgr/qmgr.c,
qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script*
19990213
Robustness: added watchdog timers to avoid getting stuck
on systems with broken select() socket implementations.
File: qmgr_transport.c, qmgr_deliver.c.
19990218
Feature: NFS-friendly delivery to mailbox by avoiding the
use of root privileges as much as possible. With input by
Mike Muus, Army Research Lab, USA.
Feature: the smtp-sink test server now supports SMTP command
pipelining. To this end we had to generalize the timer and
vstream support. Poor performance is fixed 19990222.
Cleanup: timer event routines now have the same interface
as read/write event routines (event type + context). File:
util/events.c.
Feature: new vstream_peek() routine to tell how much unread
data is left in a VSTREAM buffer. This is the vstream
variant of the peekfd() routine for kernel read buffers.
File: util/vstream.c.
Feature: directory scanning support for hashed mail queue
directories. So far the results are disappointing: with
depth = 2 (16 directories with 16 subdirectories), mailq
takes 5 seconds with an empty queue unless all directories
happen to be cached in memory. We need a bit map before
hashed queue directories become practical. Depth=1 hashing
doesn't slow down mailq much, but doesn't help much either.
Files: util/scan_dir.c, global/mail_scan_dir.c.
19990221
Workaround: with "ignore_mx_lookup_error = yes", the SMTP
client always performs an A lookup when an MX lookup could
not be completed, rather than treating MX lookup failure
as a temporary error condition. Unfortunately there are
many broken DNS servers on the Internet. File: smtp/smtp_addr.c.
19990222
Performance: rewrote the guts of the smtp-sink test server
so it can do pipelining without losing performance.
19990223
Workaround: hotmail.com sometimes drops the connection
after "." (causing misleading diagnostics to be logged) or
waits minutes after receiving QUIT. Solution: do not wait
for the response to QUIT. File: smtp/smtp_proto.c. This
is turned off with: "smtp_skip_quit_response = no".
19990224
Feature: the pipe mailer accepts user=username:groupname,
based on code submitted by Philip A. Prindeville, Mirapoint,
Inc., USA. File: pipe/pipe.c.
Workaround: use file locking to prevent multiple processes
from select()ing on the same socket. This causes performance
problems on large BSD systems. Files: master/*_server.c.
19990225
Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to
the loopback interface. Problem reported by Steve Bellovin
of AT&T. File: smtp/smtp_addr.c.
Feature: "postsuper" command to remove stale queue files
to update queues after changes to the queue structure
parameters (hash_queue_names, hash_queue_depth). This
command is to be run from the postfix-script maintenance
shell script.
19990301
Feature: new postconf -h (suppress `name = ' in output)
option to make the program easier to use in, e.g., shell
scripts.
Feature: dict_unix module so you can add the UNIX passwd
table to the SMTPD access control list.
19990302
Feature: "luser_relay = destination" captures mail for
non-existent local recipients. This works only when the
local delivery agent does mailbox delivery (including
delivery via mailbox_command), not when mailbox delivery
is delegated to another message transport.
Feature: new reject_non_fqdn_{hostname,sender,recipient}
restrictions to require fully.qualified.domain forms in
HELO, MAIL FROM and RCPT TO commands (while still allowing
the <> sender address).
19990304
Bugfix: backed out the 19990119 change to always insert
Return-Path: if that header is not present. The pipe and
local agents now are responsible for prepending Return-Path:.
Files: cleanup/cleanup_message.c, global/mail_copy.[hc],
pipe/pipe.c, global/header_opts.c. This causes an incompatible
change to the pipe flags parameter, because Return-Path:
now must be requested explicitly.
19990305
Bugfix: showq (the mailq server) incorrectly assumed that
all recipients of a deferred message are listed in the
corresponding defer logfile. It now lists all recipients.
Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure
that sender records always precede recipient records).
Cleanup: smtpd HELO restrictions validate [numerical] forms.
Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial
code by Philip A. Prindeville, Mirapoint, Inc., USA.
19990306
Cleanup: re-vamped the valid_hostname module, and added a
maximal label length (63) requirement.
Feature: fallback_relay parameter to specify extra backup
hosts in case the regular relay hosts are not found or not
available. Files: smtp/smtp_addr.c.
Feature: "always_bcc = address" specifies where to send a
copy of each message that enters he system. However, if
that copy bounces, the sender will be informed of the
bounce. Files: smtpd/smtpd.c, pickup/pickup.c
Compatibility: the transport map will now route on top-level
domains, so you can dump all of .bitnet to a bitnet relay.
19990307
Feature: LDAP lookups, updated by Jon Hensley, Merit
Network, USA.
Feature: regular expression (PCRE) support by Andrew
McNamara, connect.com.au Pty. Ltd., Australia. In order to
use this code specify pcre:/file/name. You can use this
anywhere you would use a DB or DBM file, NIS or LDAP.
See: PCRE_README for how to enable this code.
Feature: "delay_warning_time = 4" causes Postfix to send
a "your mail is delayed" notice after approx. 4 hours.
Daniel Eisenbud, University of California at Berkeley.
Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster
notices for delayed mail are disabled by default. In order
to receive postmaster notices, specify "notify_classes =
... delay ...".
Cleanup: do not send undeliverable bounced mail to postmaster.
This was causing lots of pain with junk mail from bogus
sender addresses to non-existent recipients. This change
was reversed 19990311.
19990308
Bugfix: the dotforward routine was too eager with throwing
away extension information, so that the Delivered-To: info
would differ for \mailbox and |command. Problem reported
by Rafi Sadowski, Open University, Israel.
Bugfix: seems I never got around to fix the btree access
method. I finally did. Problem reported by: Matt Smith,
AvTel Communications Inc., USA.
19990311
Back by popular demand: with "notify_classes = 2bounce ..."
Postfix will send undeliverable bounced mail to postmaster.
The default is to not send double bounces. This change
reverses a change made on 19990307.
19990312
Feature: configurable exit handler for server skeletons.
Philip A. Prindeville, Mirapoint, Inc., USA. Files:
master/*server.c.
Feature: mail_spool_directory configuration parameter to
specify the UNIX mail spool directory. The default setting
is system dependent.
19990313
Cleanup: share file descriptors for resolve and rewrite
client connections. This puts less strain on the trivial-rewrite
service.
Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov,
Nizhny Novgorod City Health Emergency Station.
Feature: configurable delays in the smtpstone test programs.
With input by Philip A. Prindeville, Mirapoint, Inc., USA.
Files: smtpstone/*.c.
Bugfix: a "signal 11" problem in the trivial-rewrite program
that would occasionally happen after "postfix reload".
Reason: some rewrite clients would clobber their input,
and when they had to retransmit the query, the input would
be a zero-length string, which trivial-rewrite isn't supposed
to receive.
19990314
Feature: "mailbox_transport = cyrus" delegates all local
mailbox delivery to a master.cf entry called "cyrus" (the
same trick for procmail), including users not found in the
UNIX passwd database. This gives the flexibility of $name
expansions by the pipe mailer, without losing local aliases
and ~/.forward processing. Result of discussions with Rupa
Schomaker, RS Consulting.
19990315
Feature: the mydestination parameter can now be an empty
string, for hosts that don't receive any mail locally. Be
sure to specify a default route for mail that comes to the
machine or mail will loop.
19990316
Bugfix: the SMTPD check scaffolding didn't apply the same
sanity checks as the production code. Problem reported by
Alain Thivillon, Herve Schauer Consultants, France. File:
smtpd/smtpd_check.c.
Portability: some systems can have more than 59 seconds in
a minute. Based on a fix by Liviu Daia, Institute of
Mathematics, Romanian Academy. File: global/mail_date.c.
Enhancement: include the client network address in the
rejected by RBL response. Lamont Jones, Hewlett-Packard.
Workaround: use fstat() to figure out if the maildrop is
world-writable. access() uses the real uid, which stinks.
Robustness: don't do partial address lookups (user@, domain,
user, @domain) with regexp-style tables.
Security: don't allow regexp-style tables to be used for
aliases. It would be too easy to slip in "|command" or
:include: or /file/name.
19990317
Feature: "fallback_transport = cyrus" delegates non-UNIX
recipients to a master.cf entry called "cyrus", allowing
you to have both UNIX and non-UNIX mailboxes side by side.
19990319
Workaround: on 4.4 BSD derivatives, fstat() can return
EBADF on an open file descriptor. Now, that was a surprise.
This caused std{out,err} from cron commands to not be
delivered.
Bugfix: "local -v" stopped working.
Workaround: more watchdog timers for postfix-unfriendly
systems. By now every Postfix daemon has one. Call it life
insurance.
Robustness: increased the maximal time to receive or deliver
mail from $ipc_timeout (default: 3600 seconds) to the more
generous $daemon_timeout (default: 18000 seconds). We don't
want false alarms.
Portability: IRIX 5.2 does not have usleep().
19990320
Bugfix: \username was broken. Frank Dziuba was the first
to notice.
19990321
Workaround: from now on, Postfix on Solaris uses stream
pipes instead of UNIX-domain sockets. Despite workarounds,
the latter were causing more trouble than anything else on
all systems combined.
19990322
Portability: the makedefs would mis-identify IRIX 6.5.x as
IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller
Institute for Production Technology, Denmark.
Feature: reject_unknown_recipient_domain restriction for
recipient addresses. For the sake of symmetry, we now also
have reject_unknown_sender_domain. This means the old
reject_unknown_address restriction is being phased out.
Suggested by Rask Ingemann Lambertsen, Denmark Technical
University.
Feature: unknown sender/recipient domain restrictions now
distinguish between soft errors (always: 450) and hard
errors (configurable with the unknown_address_reject_code
parameter, default: 450; use 550 at your own risk).
Feature: no HELO junk mail restrictions means that no syntax
check will be done on HELO/EHLO hostname arguments.
Bugfix: the initial Solaris workaround for UNIX-domain
sockets could cause the queue manager to block if Postfix
ran into a delivery agent process limit. After another code
rewrite that problem is eliminated. Thanks to Chris
Cappuccio, Empire Net, for assistance with testing.
19990323
Bugfix: too much forwarding when users list their own name
in their .forward file (e.g. mail to user@localhost would
go through .forward, would be forwarded to user@$myorigin,
and would go through .forward again). Problem reported by
Roman Dolejsi, Prague University of Economics.
19990324
Bugfix: missing map name in check_xxx_access restrictions
could cause a segmentation error. Lamont Jones, Hewlett-
Packard.
Feature: forward_path configuration parameter (default:
$home/.forward$recipient_delimiter$extension,$home/.forward).
Based on initial code by Philip A. Prindeville, Mirapoint,
Inc., USA. Files: local/dotforward.c.
19990325
Workaround: Solaris NIS alias maps need special entries
(YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
keys/values include a null byte at the end, but the YP_XXX
ones don't. Problem reported by Walcir Fontanini, state
university of Campinas, Brazil. File: postalias/postalias.c.
Compatibility: Solaris NIS apparently does include a null
byte at the end of keys and values. File: util/sys_defs.h.
Feature: library support for config parameters that are
not $name expanded at program start-up. This was needed
for forward_path, and will also be needed to make message
headers customizable.
Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett-
Packard. File: util/dict_pcre.c.
19990326
Compatibility: Postfix now puts two spaces after the sender
in a "From sender date..." header. Found by John A. Martin,
fixed by Lamont Jones, Hewlett-Packard.
Bugfix: when a recipient appeared multiple times in a local
alias or include expansion, the delivery status could be
left uninitialized, causing the mail to be deferred and
delivered again. File: local/recipient.c.
19990327
Cleanup: the dictionary routines now take an extra flag
argument to control such things as warning about duplicates,
and appending null bytes to key/value. The latter was needed
for a clean implementation of NIS master alias maps support.
Feature: POSIX regular expressions by Lamont Jones. See
config/sample-regexp.c. Right now, enabled on *BSD and
LINUX only.
19990328
Code cleanup: dictionaries now have flags that say whether
lookup keys are fixed strings or whether keys are subjected
to pattern matching. This is needed to avoid passing partial
addresses to regexp-based lookup tables (user, @domain,
user@, domain). Files: util/dict*.c.
Bugfix: fixed memory leaks and core dumps in the regexp
and pcre routines (neither handled an empty pattern file).
19990329
Code cleanup: the dictionary I/O routines now do their own
locking depending on dictionary flag settings. This means
that the low-level dict_get() interface can now be used
for safe dictionary lookups. This is needed for 19990328's
partial lookup key support. Files: util/dict*.c. global/maps.c.
Feature: regular expression matches are no longer limited
to user@domain address forms in access/canonical/virtual
maps, but can also be used for domains in transport maps.
This needed the partial lookup key support to avoid passing
partial addresses to regexp-based lookup tables (user,
@domain, user@, domain). Files: global/maps.c
global/mail_addr_find.c.
Feature: new dictionary types can be registered with
dict_open_register(). File: util/dict_open.c.
19990330
Bug fix: match_list membership dictionary lookups were case
sensitive when they should not. Patch by Lutz Jaenicke,
BTU Cottbus, Germany.
19990402
Feature: $domain macro support in forward_path. Philip A.
Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c.
Feature: if an address extension (+foo) is explicitly
matched by the .forward+foo file name, do not propagate
the extension to recipient addresses. This is more consistent
with the way aliases are expanded. File: local/dotforward.c.
19990404
Bugfix: after receiving mail, the SMTP server didn't reset
the cleanup error flag, so that multiple deliveries over
the same SMTP session could fail due to errors with previous
deliveries. Found by Lamont Jones, Hewlett-Packard.
19990405
Feature: MIME-encapsulated bounces. Philip A. Prindeville,
Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c
Cleanup: vstreams now properly look at the EOF flag before
attempting to read, eliminating the need for typing Ctrl-D
twice to test programs; the EOF flag is reset after each
unget or seek operation. Files: util/vstream.c, util/vbuf.c.
Feature: in preparation for configurable message headers
the mac_parse() routine now balances the parentheses in
${name} or $(name). We need this in order to support
conditional expressions such as ${name?text} where `text'
contains other ${name} expressions.
19990406
Cleanup: changed MIME header information to make bounces
more RFC 1892 compliant.
19990407
Feature: "best_mx_transport = local" delivers mail locally
if the local machine is the best mail exchanger (by default,
mail is bounced with a "mail loops back to myself" error).
Config: in order to make feature tracking easier the source
code distribution now has a copy of the default settings in
conf/main.cf.default.
Feature: separate configurable postmaster addresses for
single bounces (bounce_notice_recipient), double bounces
(2bounce_notice_recipient), delayed mail (delay_notice_recipient),
and for other mailer errors (error_notice_recipient). The
default for all is "postmaster".
19990408
Workaround: on Solaris 2.x, the master appears to lose its
exclusive lock on the master.pid file, so keep grabbing
the lock each time the master wakes up from select().
Robustness: don't flush VSTREAM buffers after I/O error.
This prevents surprises when calling vstream_fclose() after
truncating a mailbox to its original size.
Portability: on LINUX systems, if exists, don't
look for .
Workaround: specify "sun_mailtool_compatibility = yes" to
avoid clashes with the mailtool application. This disables
kernel locks on mailbox files. Use only where needed.
Portability: renamed readline to readlline, to avoid clashes
with mysql.
19990409
Bugfix: ignore temp queue files that aren't old enough.
Problem reported by Vivek Khera, Khera Communications, Inc.
Bugfix: fixed typo in dict_db.c that caused processes to
not release DB shared locks.
Feature: auto-detection of changes to DB or DBM lookup
tables. This avoids the need to run "postfix reload" after
change to the smtp access table and other tables.
Feature: regular expression checks for message headers.
This requires support for POSIX or for PCRE regular
expressions. Specify "header_checks = regexp:/file/name"
or "header_checks = pcre:/file/name", and specify
"/^header-name: badstuff/ REJECT" in the pattern file
(patterns are case-insensitive by default). Code by Lamont
Jones, Hewlett-Packard. It is to be expected that full
content filtering will be delegated to an external command.
19990410
Bugfix: auto-detection of changes to DB or DBM lookup
tables wasn't done for TCP connections.
19990410
Feature: $recipient expansion in forward_path. Philip A.
Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c
Feature: the smtp client consistently treats a numerical
hostname as an address. File: smtp/smtp_addr.c.
19990414
Compatibility: support comment lines starting with # in
$mydestination include files. This makes Postfix more
compatible with sendmail.cw files. File: util/match_list.c.
Feature: if your machines have short host names, specify
"mydomain = domain.name", and you no longer have to specify
"myhostname = host.domain.name". Files: global/mail_params.c,
postconf/postconf.c.
19990420
Cleanup: bounce mail when a mailbox goes over file quota,
instead of deferring delivery. File: local/mailbox.c.
19990421
Feature: auto-detection of changes to DB or DBM lookup
tables now includes the case where a file is unlinked.
Philip A. Prindeville, Mirapoint, Inc., USA. File:
util/dict.c.
19990422
Robustness: Lotus mail sends MAIL FROM: <@> instead of <>.
Problem reported by Erik Toubro Nielsen, IFAD, Denmark.
Files: trivial-rewrite/rewrite.c (@ becomes empty address)
and global/rewrite_clnt.c (allow empty response).
Bugfix: showq could segfault when writing to a broken pipe.
Problem reported by Bryan Fullerton, Canadian Broadcasting
Corporation. Files: util/vbuf_print.c.
Cleanup: got rid of the "fatal: write error: Broken pipe"
message when mailq output is piped into a program that
terminates early.
Cleanup: bounce messages are multipart/mixed with the error
report as part of the first message segment, because users
had trouble extracting the delivery error report from the
attachment.
19990423
Cleanup: the default junk mail reject code is now 554
(service unavailable) rather than 550 (user unknown).
Folded in the updated dict_ldap.c module by John Hensley,
Merit Network, USA.
Folded in the vstream_popen.c updates by Philip A.
Prindeville, Mirapoint, Inc., USA. This copies a lot of
code from pipe_command(); the next step is to trim that
module.
19990425
Workaround: renamed config.h to mail_conf.h etc. in order
to avoid name collisions with LINUX (yes, they have a system
include file called config.h). For compatibility with people
who have written software for Postfix, there's a config.h
that aliases the old names to the new ones. That file will
go away eventually.
19990426
Feature: error mailer, in order to easily bounce mail for
specific destinations. In the transport table, specify:
"host.domain error:host.domain is unavailable". Too bad
that the transport table triggers on destination domain
only; it would be nice to bounce specific users as well.
19990427
Cleanup: "disable_dns_lookups = yes" now should disable
all DNS lookups by the SMTP client.
19990428
Bugfix: with DBM files, Postfix was watching the "dir" file
modification time for changes. It should be watching the
"pag" file instead.
19990429
Cleanup: all callbacks in the master to server API now pass
on the service name and the application-specific argument
vector. Files: master/*server.c.
19990504
Feature: conditional macro expansion. ${name?text} expands
to text when name is defined, otherwise the result is empty.
${name:text} expands to text when name is undefined,
otherwise the result is empty. File: util/mac_expand.c.
Feature: conditional macro expansion of the forward_path
configuration parameters of $user, $home, $shell, $recipient,
$extension, $domain, $mailbox and $recipient_delimiter.
Files: local/dotforward.c, local/local_expand.c.
19990506
Cleanup: eliminated misleading warnings about unknown HELO
etc. SMTPD restrictions when the HELO etc. information is
not available. File: smtpd/smtpd_check.c.
19990507
Feature: all smtpd reject messages now contain the MAIL
FROM and RCPT TO addresses, if available.
19990508
Feature: conditional macro expansion of the luser_relay
configuration parameter. It is no longer possible to specify
/file/name or "|command" destinations. File: local/unknown.c.
Cleanup: changed the mac_parse interface so that the
application callback routine can return status information.
Updated the dict_regexp and dict_pcre modules accordingly.
Cleanup: changed the mac_expand interface so that the caller
provides an attribute lookup routine, instead of having to
provide a copy of all attributes upfront. Files:
util/mac_expand.c, local/local_expand.c.
Feature: control over how address extensions are propagated
to other addresses. By default, propagation of unmatched
address extensions is now restricted to canonical and
virtual mappings. Specify "propagate_unmatched_extensions
= canonical, virtual, alias, forward, include" to restore
previous behavior.
19990509
Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address)
and MAILBOX (address localpart) environment variables are
exported to shell commands (including mailbox_command).
Feature: new command_expansion_filter parameter to control
what characters may appear in message attributes that are
exported via environment variables.
Cleanup: SMTPD reject messages are more informative, and
more complete sender/recipient information is logged for
the local sysadmin.
19990510
Bugfix: missing MIME header in postmaster bounce notices.
Found by Samuel Tardieu, Ecole Nationale Superieure des
Telecommunications, France.
Feature: UCE restrictions are always delayed until RCPT
TO, VRFY or ETRN. To change back to the default specify
"smtpd_delay_reject = no" in /etc/postfix/main.cf.
Bugfix: missing duplicate filter call. This caused too many
deliveries when a user is listed multiple times in an alias.
Reported by Hideyuki Suzuki, School of Engineering, University
of Tokyo. Backed out on 19990512 because it caused problems.
Fixed 19990513 but needs further study.
Feature: it is now possible to move queue files back into
the maildrop queue, so that they can benefit from changes
in canonical and virtual mappings. In order to make this
possible, some restrictions on queue file contents were
relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c.
Feature: made a start with integrating Joerg Henne's
dictionary extensions to remove entries and to iterate over
entries. That code is almost four months old by now.
19990511
Feature: added a "undeliverable postmaster notification
discarded" warning when mail is dropped on the floor.
Requested by Michael Hasenstein, SuSE, Germany.
19990517
Bugfix: reject_non_fqdn_sender/recipient would pass
user@[ip_address] regardless of destination. Eric Cholet
had the honor of suffering from this one.
19990527
More SMTP client logging for easier debugging: the smtp
client now logs hostname[ip.addr], and logs every failed
attempt to reach an MX host, not just the last one.
19990601
Bugfix: emit a blank line before a MIME boundary; the line
is part of the boundary. File: bounce/bounce_notify_service.c.
Wolfgang Segmuller, IBM Research.
19990610
Bugfix: the "is this the loopback interface" test was
broken. Reported by Claus Fischer @microworld.com.
File: smtp/smtp_connect.c.
Usability: added helpful warnings about restrictions that
are being ignored after check_relay_domains, etc.
Portability: Reliant Unix support by Gert-Jan Looy, Siemens,
the Netherlands.
19990611
Robustness: the postfix-script start-up procedure now
detects a missing master program, avoiding misleading
warnings that the mail system is already running. Fix
suggested by David E. Smith @technopagan.org.
Portability: Mac OS X Server Port by Mark Miller @swoon.net.
Feature: on systems that use dotlock files for mailbox
locking, the local delivery agent now will attempt to use
dotlock files when delivering to user-specified files.
Dotlock files for user-specified destinations are created
with the privileges of the user. For backwards compatibility,
Postfix will attempt to create dotlocks for user-specified
destinations only when the user has parent directory write
permission.
Feature: specify "expand_owner_alias = yes" in order to
use the right-hand side of an owner- alias, instead of
using the left-hand side address. Needed by Juergen Georgi.
19990622
Bugfix: the local delivery agent did not set user attributes
when delivering to root, so that forward_path did not expand
properly. Found by Jozsef Kadlecsik, KFKI Research Institute
for Particle and Nuclear Physics, Hungary. File:
local/dotforward.c.
Bugfix: the unix:passwd.byname mechanism is not suitable
for smtpd access control - the user name would have to end
in @, or the access control software would have to be
changed. Removed the example from the RELEASE_NOTES file.
19990623
Bugfix: the smtp server did not reset the error flag after
".". Found by James Ponder, Oaktree Internet Solutions Ltd.
File: smtpd/smtpd.c.
Bugfix: fencepost error in the doze() routine (an usleep()
replacement for systems without one). Found by Simon J Mudd.
File: util/doze.c.
19990624
Portability: support for AIX 3.2.5 (!) by Florian Lohoff
@rfc822.org.
Portability: Ultrix 4.3 support by Christian von Roques
@pond.sub.org.
Feature: mysql support by Scott Cotton and Joshua Marcus,
Internet Consultants Group, Inc. Files: util/dict_myqsl.*.
19990627
Bugfix: Postfix is now distributed under the new IBM Public
License (version 1, dated June 14, 1999).
Feature: the Delivered-To: header can be turned off for
delivery to command or file/mailbox. The default setting
is: "prepend_delivered_header = command, file, forward".
Turning off the Delivered-To: header when forwarding mail
is not recommended.
19990628
Feature: the postlock command now returns EX_TEMPFAIL
when the destination file is locked by another process.
19990705
Workaround: in the SMTP client, move the "mail loops back
to myself test" from the 220 greeting to the HELO response.
This change does not weaken the test, and makes Postfix
more robust against broken software that greets with the
client hostname.
19990706
Workaround: in the INSTALL file, use `&&' instead of `;'
in (cd path; tar ...) pipelines because some UNIX re-invented
shells don't bail out when cd fails. Matthias Andree
@stud.uni-dortmund.de.
19990709
Bugfix: $user was not set when delivering to a non-user.
Found by Vladimir Ulogov @ rohan.control.att.com when
configuring a luser_relay that contained $user.
19990714
Robustness: add PATH statement to Solaris2 chroot setup
script to avoid running the ucb commands. Problem found
by Panagiotis Astithas @ ece.ntua.gr.
19990721
Bugfix: don't claim a "mail loops to myself" error when
the best MX host was not found in the DNS. Found by Andrew
McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c.
19990810
Feature: added "-c config_dir" support to the postconf
command. This probably means that "-f file" will never be
implemented.
19990812
Bugfix: showq didn't print properly when listing a maildrop
file. Fix by: Andrew McNamara, connect.com.au Pty Ltd.
File: showq/showq.c.
Feature: added SENDER to the list of parameters exported
to external commands. File: local/command.c. Code by: Lars
Hecking, National Microelectronics Research Centre, Ireland.
19990813
Bugfix: sendmail -t (extract recipients from headers) did not
work when the always_bcc feature was turned on. Reported
by: Denis Shaposhnikov @ neva.vlink.ru.
19990813
Bugfix: "sendmail -bd" returns a bogus exit status (the child
process ID). Fix by Lamont Jones of Hewlett-Packard. File:
sendmail/sendmail.c.
19990824
Bugfix: null pointer dereference while rejecting VRFY before
MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net.
19990826
Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP
code that had been removed for the first public beta release;
NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases
database. Submitted by Gerben Wierda.
Portability: workaround for a FreeBSD 3.x active network
interface without IP address by Pierre Beyssac @ enst.fr.
File: inet_addr_local.c.
19990831
Workaround: sendmail now prints a warning when installed
set-uid or when run by a set-uid command. Reportedly, the
linuxconf software turns on the set-uid bit, which could
open up a security loophole. File: sendmail/sendmail.c.
Bugfix: Postfix daemons now temporarily lock DB/DBM files
while opening them, in order to avoid "invalid argument"
errors because some other process is changing the file.
Files: util/dict_db.c, util/dict_dbm.c.
Robustness: Postfix locks queue files during delivery, to
prevent duplicate delivery when "postfix reload" is
immediately followed by "sendmail -q". This involves a
change of the deliver_request interface: delivery agents
no longer need to open and close queue files explicitly.
Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c,
local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c.
Feature: reject_unauth_destination SMTP recipient restriction
that rejects destinations not in $relay_domains. By Lamont
Jones of Hewlett-Packard. File: smtpd/smtpd_check.c.
Security: do not allow weird characters in the expansion
of $names that appear in $forward_path. Just like with
shell commands, replace bad characters in expansions by
underscores. Configuration parameter: forward_expansion_filter.
19990902
Documentation: added a sample postfix alias to the examples
in the INSTALL document and in the conf/aliases file.
Reminded by Simon J. Mudd @ alltrading.com.
19990903
Bugfix: in case of some error conditions the pickup daemon
could leak small amounts of memory.
19990905
Bugfix: no more "skipping further client input" warnings
when a message header is rejected.
Feature: reject_unauth_pipelining SMTP restriction that
rejects mail from clients that improperly use SMTP command
pipelining.
Robustness: the LDAP client by default no longer looks up
names containing "*". See the lookup_wildcards feature in
LDAP_README. Update by John Hensley.
Documentation: address masquerading with exceptions FAQ by
Jim Seymour @ jimsun.LinxNet.com.
Bugfix: mysql reconnect after disconnect by Scott Cotton
Internet Consultants Group, Inc. File: util/dict_myqsl.c.
Portability: the Postfix to PCRE interface now expects
version 2.08. Postfix is no longer compatible with PCRE
versions before 2.6.
19990906
Feature: INSTALL.sh script that makes Postfix installation
a bit less painful. This script can be used for installing
and for upgrading Postfix. It replaces files instead of
overwriting them, and leaves existing configuration and
queue files intact.
19990907
Bugfix: reject_non_fqdn_sender used the wrong test to see
if a sender address was given and could dump core. This
must have been broken ever since the UCE tests were moved
to the RCPT TO stage in 19990510.
Bugfix: check_sender_access was recognized as a valid
restriction name only if a sender had been specified.
19990908
Portability: Unixware has only after sendmail
is installed. Changed postlock.c to use global/sys_exits.h.
19990909
Performance: added one-entry cache to the address rewriting
client and to the address resolving client. This is because
UCE restrictions tend to produce the same query repeatedly.
Files: global/rewrite_clnt.c, global/resolve_clnt.c.
Feature: the UCE restrictions are now fully recursive so
you can have per-client/helo/sender/recipient restrictions.
Instead of OK, REJECT or [45]xx, you can specify a sequence
of restrictions on the right-hand side of an SMTPD access
table. This means you can no longer use canonical/virtual/alias
maps as SMTPD access tables. But the loss is compensated
for. File: smtpd/smtpd_access.c.
Feature: restriction classes, essentially a short-hand for
restriction lists. These short hands are useful mostly on
the right-hand side of SMTPD access tables. You must use
restriction classes in order to have lookup tables on the
right-hand side of an SMTPD access table. File:
smtpd/smtpd_access.c.
Feature: "permit_recipient_map maptype:mapname" permits a
recipient address when it matches the specified table.
Lookups are done just as with canonical/virtual maps. With
this, you can also use passwd/aliases as SMTPD access maps.
File: smtpd/smtpd_access.c.
19990910
Changed "permit_address_map" into "permit_recipient_map"
and added a test for the case that they specify a lookup
table on the right-hand side of an SMTPD access map.
File: smtpd/smtpd_access.c.
Cleanup: removed spurious sender address checks for <>.
File: smtpd/smtpd_check.c.
Cleanup: the smtp client now consistently logs host[address]
for all connection attempts.
19990919
Feature: in an SMTPD access map, an all-numeric right-hand
side now means OK, for better cooperation with out-of-band
authentication mechanisms.
19990922
Security: recipient addresses must not start with '-', in
order to protect external commands. The old behavior is
re-instated when main.cf specifies: "allow_min_user =
yes". Credits to Mads Kiilerich @ Kiilerich.com. File:
qmgr/qmgr_message.c.
Bugfix: after 19990831, the queue manager would throw away
defer logs after deferring mail to known-to-be-dead hosts
or message transports. This means that in some cases, mailq
would not show why mail is delayed, and that delayed mail
could be sent back with recipients missing from the error
report. Reported by Giulio Orsero @ tiscalinet.it.
19990923
Bugfix: the above bugfix broke bounces of mail with bad
address syntax and relocated users. Problem diagnosed by
Dick Porter @ acm.org.
Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF
INSTEAD notices to the sample-xxx.cf files.
19991007
Compatibility: ignore the sendmail -U (initial user
submission) option. Thomas Quinot @ cuivre.fr.eu.org.
19991103
Code cleanup: don't send postmaster notifications when an
SMTP client sends a DATA command while no recipients were
accepted. This can happen when a pipelined client runs
into an UCE block. File: smtpd/smtpd.c.
19991104
Robustness: do not apply UCE header checks to mail that is
generated by Postfix (bounces, forwarded mail etc.). Files:
smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c.
Robustness: new generic watchdog module that can deal with
clocks that jump occasionally. Files: util/watchdog.c,
master/master.c, master/{single,multi,trigger}_server.c.
This hopefully ends the false watchdog alarms that happen
when clocks are set or when laptops are resumed.
Code cleanup: BSMTP requires dot quoting as per RFC 821.
Based on code by Florian Lohoff @ rfc822.org. Files:
global/mail_copy.[hc], pipe/pipe.c.
19991105
Bugfix: the crufty code in inet_addr_local() did not find
IP aliases. File: util/inet_addr_local.c.
Portability: the INSTALL.sh utility did not find users or
groups in NIS or Netinfo tables. The script no longer
searches the /etc/passwd and /etc/group files. Instead it
now queries the unix:passwd.byname and unix:group.byname
maps. For this, a -q (query) option was added to postmap
(and to postalias, for symmetry). Files: util/dict_unix.c,
postalias/postalias.c, postmap/postmap.c, INSTALL.sh.
Bugfix: LDAP lookup timeout settings were ignored. Patch
by John Hensley. File: util/dict_ldap.c.
19991108
Bugfix: when doing a fresh install, INSTALL.sh didn't set
main.cf:mail_owner properly (Simon J. Mudd).
19991109
Bugfix: when doing a fresh install, INSTALL.sh no longer
worked (missing main.cf file). Fix: add "-c" argument to
the postmap commands (Lars Hecking @ nmrc.ucc.ie).
Documentation: removed spurious "do not edit" comments from
the sample pcre and regexp configuration files.
19991110-13
Code cleanup: greatly simplified the SMTPD command parser
and somewhat simplified the code that groks RFC 822-style
address syntax in MAIL FROM and RCPT TO commands.
New parameter: strict_rfc821_envelopes (default: no) to
reject RFC 822 address forms (with comments etc.) in SMTP
envelopes. By default, the Postfix SMTP server only logs
a warning.
19991113
Oops, also updated the SMTP VRFY code in the light of
changes to the SMTPD command parser.
Cleanup: the local delivery agent now explicitly rejects
recipients with an empty username.
19991114
Workaround: with some gawk versions, postconf/extract.awk
reportedly returns a non-zero exit status upon success.
Added an explicit exit(0) statement.
19991115
Feature: DNS TXT record lookup support, based on initial
code by Simon J Mudd. File: dns/dns_lookup.c.
Feature: RBL TXT record lookups, based on initial code by
Simon J Mudd. File: smtpd/smtpd_check.c.
Feature: permit_auth_destination restriction based on code
by Jesper Skriver @ skriver.dk.
Code cleanup: the transport table now can override all
deliveries, including local ones.
19991116
Code cleanup: a new "local_transports" configuration
parameter explicitly lists all transports that deliver mail
locally. The first name listed there is the default local
transport. This is the end of the "empty next-hop hostname"
hack to indicate that a destination is local. Files:
trivial-rewrite/resolve.c, global/local_transport.[hc]
Feature: "postconf -m" shows what lookup table types are
available. Code by Scott Cotton, Internet Consultants
Group, Inc.
Feature: "postconf -e" edits any number of main.cf parameters.
The edit is done on a copy, and the copy is renamed into
the place of the original. File: postconf/postconf.c,
util/readlline.[hc].
19991117
Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c.
Feature: on systems with h_errno, the "reject_unknown_client"
restriction now distinguishes between soft errors (always
reply with 450) and hard errors (use the user-specified
reply code). This should lessen the load by broken mailers
that re-connect once a minute.
Feature: forward/reverse name/address check for SMTP client
hostnames. This fends off some hypothetical attacks by
spammers who are in control of their own reverse mapping.
Robustness: postconf no longer aborts when it can't figure
out the local domain name; it prints a warning instead.
This allows you to use "postconf -e" to fix the problem.
19991118
Bugfix: the RFC822 address parser would misparse a leading
\ as an atom all by itself. Problem reported by Keith
Stevenson @ louisville.edu. File: global/tok822_parse.c.
19991119
Bugfix: tiny memory leak in pipe_command() when fork()
fails. File: global/pipe_command.c.
19991120
Bugfix: reversed test for all-numerical results in SMTPD
access maps. File: smtpd/smtpd_check.c.
19991121
Robustness: INSTALL.sh no longer uses postmap for sanity
checks.
Feature: INSTALL.sh now has an install_root option.
Bugfix: INSTALL.sh now installs manual pages with proper
permissions and ownership.
Bugfix: the LDAP client did not properly escape special
characters in lookup keys (patch by John Hensley). File:
util/dict_ldap.c.
19991122
Bugfix: missing absolute path in INSTALL.sh broke fresh
install.
19991124
Bugfix: the local delivery agent's recipient duplicate
filter did not work when configured to use unlimited memory
(which is not a recommended setting). Patrik Rak @raxoft.cz.
19991125
Bugfix: postconf didn't have an umask(022) call at the
beginning (problem experienced by Matthias Andree).
19991126
Bugfix: DNS TXT records now have string lengths before text
(Mark Martinec @ nsc.ijs.si).
19991127
Update: the LDAP client code now supports escapes as per
RFC2254 (John Hensley).
19991207
Performance: one message with many recipients no longer
stops other mail from being delivered. The queue manager
now frees in-memory recipients as soon as a message is
delivered to one destination, rather than waiting until
all in-memory destinations of that message have been tried.
Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c,
qmgr/qmgr_message.c.
Performance: when delivering mail to a huge list of
recipients, the queue manager now reads more recipients
from the queue file before delivery concurrency drops too
low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c.
19991208
Updated LDAP client code by John Hensley with escape
sequences as per RFC 2254. File: util/dict_ldap.c.
Updated MYSQL client code by Scott Cotton. File: dict_mysql.c.
Feature: added -N/-n options to include/exclude terminating
nulls in keys and values in postmap/postalias DB or DBM
files. Normally, Postfix uses whatever is appropriate for
the host system. A non-default setting can be necessary
for inter-operability with third-party software.
Bugfix: the local delivery agent would deliver to the user
instead of the .forward file when the .forward file was
already visited via some non-recursive path. Patch by Patrik
Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c.
Robustness: attempt to deliver all addresses in the expansion
of an alias or .forward file, even when some addresses must
be deferred. File: local/token.c.
19991211
Performance: qmgr_fudge_factor controls what percentage of
delivery resources Postfix will devote to one message.
With 100%, delivery of one message does not begin before
delivery of the previous message is completed. This is good
for list performance, bad for one-to-one mail. With 10%,
response time for one-to-one mail improves much, but list
performance suffers. In the worst case, people near the
start of a mailing list get a burst of postings today,
while people near the end of the list get that same burst
of postings a whole day later. Files: qmgr/qmgr_message.c,
qmgr/qmgr_entry.c.
Bugfix: address rewriting would panic on a lone \ at the
end of a line where an address was expected. Jason Hoos @
thwack.net. File: global/rewrite_clnt.c.
19991215
Bugfix: the strict RFC821 envelope address check should
not be applied to VRFY commands. File: smtpd/smtpd.c.
Cleanup: permit_recipient_maps is gone, because that could
only be used inside UCE restrictions.
19991216
Feature: allow an empty inet_interfaces parameter, just
like an empty mydestination parameter. It's needed for true
null clients and for firewalls that deliver no local mail.
Feature: "disable_vrfy_command = yes" disables some forms
of address harvesting used by spammers.
Workaround: added the alias map parameter definition to
the smtpd code. This is a symptom of a general problem
with parameters that have non-empty default values: unless
a program explicitly defines such a parameter, the parameter
defaults to the empty string when used in other parameters.
There's also a problem with evaluation order.
Feature: the SMTP server rejects mail for unknown users in
virtual domains that are defined by Postfix virtual domain
files. File: smtpd/smtpd_check.c.
Feature: reject mail for unknown local users at the SMTP
port. The local_recipient_maps configuration parameter
specifies maps with all addresses that are local with
respect to $mydestination or $inet_interfaces. Example:
"local_recipient_maps = $alias_maps unix:passwd.byname".
This feature is disabled by default. You may have to copy
the passwd file into the chroot jail. File: smtpd/smtpd_check.c.
Feature: the sendmail -f option now understands ''
and even understands address forms with RFC 822-style
comments.
19991217
Cleanup: no more UCE checks for VRFY commands. It still
reports unknown local/virtual users. File: smtpd/smtpd_check.c.
Robustness: upon Postfix startup, report discrepancies
between system files inside and outside the chroot jail.
Files: conf/postfix-script-nosgid, conf/postfix-script-sgid.
19991218
Cleanup: INSTALL.sh produces relative symlinks, which is
necessary when install_root is not /.
19991219
Documentation: completely reorganized the FAQ and added
many new entries. Rewrote the UCE html documentation.
Cleanup: INSTALL.sh uses a configurable directory for
scratch files, so that it can install from a file system
that is not writable by the super-user.
Cleanup: INSTALL.sh gives helpful hints when the "mv"
command is unable to move symlinks across file system
boundaries.
19991220
Cleanup: it is no longer necessary to list $virtual_maps
as part of the relay_domains definition. The SMTP server
now by default accepts mail for destinations that match
$inet_interfaces, $mydestination or $virtual_maps, whether
or not these are specified in relay_domains. We still need
the ugly "virtual.domain whatever" hack in the virtual
maps. Files: smtpd/smtpd_check.c and lots of documentation
and sample config files.
19991221
Removed cyrus -q flag (ignore quotas) from the sample
master.cf file.
19991223
Bugfix: smtpd should not check for unknown users when
running in stand-alone (sendmail -bs) mode. Problem
experienced by Chuck Mead. File: smtpd/smtpd.c.
Retraction: the "local_transports" configuration parameter
is gone. Adjusted code and documentation accordingly.
Instead, use just one "local_transport" parameter with the
name of the default local transport. Files: smtpd/smtpd_check.c,
qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c.
Feature: Postfix SMTPD now insists that the smtpd recipient
restrictions contain at least one restriction that by
default rejects mail. This should make it much more difficult
to change Postfix into an open relay. File: smtpd/smtpd_check.c.
Retraction: null-length inet_interfaces is too confusing.
19991224
Bugfix: the relative symlink code in INSTALL.sh computed
the ../ prefix from the wrong pathname.
1999122[5-7]
Feature: "allow_untrusted_routing = no" (default) prevents
forwarding of source-routed mail from untrusted clients to
destinations that are blessed by the relay_domains parameter
(example: user@domain2@domain1 etc.). This plugs a mail
relay loophole where a backup MX host forwards junk mail
to a primary MX host which forwards the junk to the Internet.
Files: global/quote_822_local.c, smtp/quote_821_local.c,
trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
smtp/smtpd_check.c.
In order to make this possible, the Postfix resolver data
structure and protocol has changed, so that all resolver
clients need to be re-compiled.
Side effect from the above change: from now on, an address
with @ in the recipient localpart no longer bounces with
"user unknown" but instead is rejected with "relay access
denied" or "source-routed relay access denied".
19991227
Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands
misbehave on boundary cases: directory exists or file does
not exist. Those who re-invent...
19991229
Added the no source routing info requirement to addresses
accepted by the permit_mx_backup UCE restriction.
19991230
Added a spawn daemon (not compiled and installed by default)
to enable LMTP delivery over UNIX-domain sockets. The goal
is to simplify the experimental LMTP delivery agent by
ripping out the privileged code that forks the LMTP server.
20000102
Clarified documentation after early feedback on the 19991231
release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar.
Sanity check: a common error is to list Postfix virtual
domains in the mydestination parameter. This causes the
new optional local_recipient_maps feature to reject mail
for virtual users. The SMTP server now explicitly tests
for this common error and logs a warning instead of refusing
the mail. File: smtpd/smtpd_check.c.
20000104
Bugfix: a case sensitivity bug had slipped through in the
anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN
to be rejected with "relay access denied". This was found
by Jim Maenpaa @ jmm.com.
Questionable feature: set "smtp_skip_5xx_greeting = yes"
to make Postfix more sendmail compatible, even though this
is wrong, IMNSHO. File: smtp/smtp_connect.c.
Portability: Ultrix patch from Simon Burge @ thistledown.com.au.
Portability: Siemens Pyramid (dcosx) patch by Thomas D.
Knox @ vushta.com.
Performance: FreeBSD has bidirectional pipes that are faster
than socketpairs. Anticipating on more platform-specific
optimizations, all duplex pipe plumbing is now isolated in
a duplex_pipe.c module that provides a system-independent
interface.
20000105
Cleanup: the INSTALL.sh script now updates the sample files
in /etc/postfix even when main.cf exists.
20000106
Bugfix: the SMTP server should consult the relocated map
for virtual destinations (Denis Shaposhnikov). Files:
smtpd/smtpd.c smtpd/smtpd_check.c.
20000108
Workaround: rename() over NFS can fail with ENOENT even
when the operation succeeds (Graham Orndorff @ WebTV). This
is not news. Any non-idempotent operation can fail over
NFS when the NFS server's acknowledgment is lost and the
NFS client code retries the operation (other examples are:
create, symlink, link, unlink, mkdir, rmdir). Postfix has
workarounds for the cases where this is most likely to
cause trouble. Files: util/sane_{rename,link}.[hc]. If
you want reliable mail system, do not use NFS.
20000115
Workaround: better detection of bad hardware. Added SIGBUS
to the list of signals that the master will log before
exiting.
20000122
Portability: preliminary SCO5 port Christopher Wong @
csports.com. This still needs to a workaround for "find"
not supporting "-type s" (actually, UNIX-domain sockets
have no unique representation in the file system and show
up as FIFOs).
20000115-22
Bugfix: in case of a too long message header, don't extract
recipients from message headers. With the previous behavior,
Bcc information could be left in the message body, as one
person found out the hard way. Files: cleanup/cleanup.c,
cleanup/cleanup_extracted.c, global/cleanup_user.h.
20000124
Whatever: RFC 1869 amends RFC 821 and specifies that code
555 is to be used when a MAIL FROM or RCPT TO parameter is
not implemented or not recognized. Russ Allbery @stanford.edu.
This reply code is added to the list of reply codes that
cause the Postfix SMTP client to mail a transcript to the
postmaster. File: smtp/smtp_trouble.c.
20000126
Emergency feature: qmgr_site_hog_factor (default: 90 percent)
limits the amount of resources that Postfix devotes to a
single destination. With less than 100, Postfix defers the
excess mail so that one site with a large backlog does not
block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
20000128
Cleanup: the queue manager no longer replaces the nexthop
field by the recipient localpart when a destination matches
$mydestination/$inet_interfaces. The price is the introduction
of a new parameter local_destination_recipient_limit which
defaults to 1 in order to maintain backwards compatibility.
Files: qmgr/qmgr.c, qmgr/qmgr_message.c.
20000129
Bugfix: extracted recipients were misfiled when a message
was moved back to the maildrop queue. But they still worked
due to a coincidence.
Feature: bounce_recip() bounces a recipient immediately
without accessing a bounce logfile. This is necessary for
VERP bounces, for bounces by delivery agents that change
the sender address, and for bounces that for some reason
must not use temporary logfiles. Files: global/bounce.c,
bounce/bounce_recip_service.c.
20000130
Bugfix: the too long header fix of 20000115-22 lost mail
with too long headers that didn't need to extract recipients
from message headers.
Bugfix: the too long header fix of 20000115-22 lost mail
without (blank line + message body).
Code rewrite: reorganized the cleanup daemon source code
so that the cleanup service can be called one record at a
time (see cleanup/cleanup_api.c); also got rid of the global
state variables and fixed a couple bugs that were introduced
with 20000115-22.
20000204
Feature: in daemon mode, the MAIL FROM size check can be
postponed until RCPT TO so that Postfix can log sender and
recipient. Simon J Mudd. Files: smtpd/smtpd.c
Robustness: limit the number of recipient addresses that
can be extracted from message headers. Parameter:
extract_recipient_limit (default: 10240). Files:
cleanup/cleanup_message.c, cleanup/cleanup_extracted.c.
Cleanup: the message header reject logging now includes
sender and recipient address (if possible), so that the
logging looks more like the other reject logging. File:
cleanup/cleanup_message.c.
Documentation: added sections on regular expression tables
to the access, canonical, virtual, transport and relocated
man pages, and write new man pages that are specific to
regular expressions: pcre_table.5 and regexp_table.5.
20000214
Bugfix: postconf reported some parameters more than once
because the parameter extracting script didn't recognize
lines that differ in whitespace only. File: postconf/extract.awk.
Reported by Kenn Martin.
20000221
Logging: the SMTP client now logs log host+port when it is
unable to connect to a non-MX host, just like it logs
host+port when unable to connect to an MX host.
20000226
Bugfix: the SMTP server's "User unknown" test didn't notice
LDAP etc. dictionary access errors. The code now reports
a 450 status (try again instead of bounce) if the reply is
not definitive. File: smtp/smtpd_check.c.
Robustness: the smtp-source program could stall when making
hundreds of parallel connections to a Postfix system with
only one SMTP server process. The fix is to use non-blocking
connect() calls, very carefully. File: smtpstone/smtp-source.c.
20000303
Feature: with smtp_always_send_ehlo the SMTP client will
send EHLO regardless of the content of the SMTP server's
greeting. File: smtp/smtp_proto.c.
20000304
Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary
updates, if supported by the underlying mechanism. Files:
util/dict.h, util/dict_open.c, util/dict_db.c.
20000307
Cleanup: the manual pages in Postfix configuration files
no longer contain troff formatting codes. The text is now
generated from prototype files in a new "proto" subdirectory.
Requested by Matthias Andree @ stud.uni-dortmund.de.
20000308
Bugfix: the unused db and dbm "delete" routines would
clobber the per-dictionary flags when called before reading
or writing the table. Files: util/dict_dbm.c, util/dict_db.c.
Lutz Jaenicke @ aet.TU-Cottbus.DE.
Bugfix: the SMTP server would produce a cryptic message
when a queue file write error happened before it had written
any recipients. Keith Stevenson. File: smtpd/smtpd.c.
Robustness: the db and dbm "delete" routines didn't adjust
to dictionaries with/without one trailing null in lookup
keys and values. Did a complete rewrite of the routines.
Files: util/dict_db.c, util/dict_dbm.c.
Feature: specify "-d key" to postalias or postmap in order
to remove one key. This still needs to be generalized to
multi-key removal (read stdin?). Files: postmap/postmap.c,
postalias/postalias.c.
Test: added test targets for the dictionary delete operations.
Files: util/Makefile.in, util/dict_test.{c,in,ref}.
Feature: added data offset and recipient count fields to
the first queue file record output from the cleanup daemon.
The recipient counts provides an initial estimate for a
more advanced queue manager scheduling algorithm. Files:
cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c.
20000311
Portability: HP-UX awk can't handle bare { in regexps
(Lamont Jones. HP). File: postconf/extract.awk.
Compatibility: sendmail now recognizes '.' as end of input.
File: sendmail/sendmail.c.
20000313
Compatibility: dtcm (CDE desktop calendar manager) leaks
a file descriptor into its child process, and requires that
sendmail closes the descriptor, otherwise mail notification
will hang. These GUI programmers never figured out that
the child process must close the writing end of a pipe.
File: sendmail/sendmail.c.
20000314
Feature: SASL authentication in the SMTP server and client.
Based on code contributed by Till Franke, SuSE. Specify:
"smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable
= yes". The "permit_sasl_authenticated" UCE restriction
gives special treatment to authenticated clients.
20000315
Workaround: added -blibpath option for AIX 4.x, to close
hole in case postdrop needs to be set-gid.
20000320
Portability: FreeBSD 5.x added to the list of supported
systems (Mark Huizer).
20000323
Portability: INSTALL.sh looks if sendmail is in /usr/lib
rather than in /usr/sbin.
20000326
Bugfix: settings in one mysql configuration file would act
as the implicit defaults for the next one, which could be
confusing. Patch by Scott Cotton. File: util/dict_mysql.c.
Robustness: limit the number of "junk" commands that can
be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET).
Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files:
global/mail_params.h, smtpd/smtpd.c.
20000413
Portability: more MacOS X patches by Gerben Wierda.
Bugfix: RFC 822 requires the presence of at least one
destination message header. The cleanup daemon now generates
a generic "To: undisclosed-recipients:;" message header
when no destination header is present. The header content
is specified with the undisclosed_recipients_header parameter.
Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping
Project-Resource Centre.
20000416
Workaround: allow <(comment)> as SMTP MAIL FROM address.
20000417
The SASL authentication in the SMTP server and client works,
but only on Linux and Solaris, neither of which I wish to
run on my laptop.
20000418
Added LMTP support to the smtp-source and smtp-sink utilities
so that I don't have to install Cyrus IMAP just to test
LMTP.
20000419
Bugfix: removed the () from the tokenized representation
of RFC 822 comments, so that comments with \( or \) can be
unparsed correctly. Problem reported by Bodo Moeller.
20000423
Bugfix: mail_copy() could prepend > or . in the middle of
long lines. Found by code inspection.
20000427
New code: unescape module that translates C escape sequences
into their equivalent character values. File: util/unescape.c.
Feature: the pipe mailer now has a way to specify the output
record delimiter (for example, eol=\r\n). This is necessary
for transports that require CRLF instead of UNIX-style LF.
20000502
In order to support timeouts more conveniently, VSTREAMs
now have built into them the concept of timeout. Instead
of calling read() and write(), the low-level VSTREAM
interface now by default uses timed_read() and timed_write()
which receive a timeout parameter; vstream_ctl(stream,
VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a
stream, and vstream_ftimeout(stream) queries a stream for
timeout errors. This change simplified timeout handling
considerably. Files: util/vbuf.h, util/vstream.[hc],
global/smtp_stream.c, global/timed_ipc.c.
20000504
Added application context to VSTREAMs, which is passed on
transparently to application-provided read/write routines.
vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context.
Files: util/vstream.[hc].
Added vstream_setjmp() and vstream_longjmp() support to
make exception handling more convenient. Turn on exception
handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...).
Files: util/vstream.[hc].
Cleaned up the smtp_stream module further and got rid of
the global state that limited the use of this module to
one stream per process. Files: global/smtp_stream.[hc].
20000505
Bugfix: the SMTP server now flushes unwritten output before
tarpit delays, to avoid protocol timeouts in pipelined
sessions when a client causes lots of errors. Found by
Lamont Jones, HP. File: smtpd/smtpd_chat.c.
Finished the LMTP client, which is based on a modified
version of the SMTP client by Philippe Prindeville, Mirapoint,
Inc., later modified by Amos Gouaux, UTDallas, and then
Wietse ripped it all up again. Currently this talks LMTP
over TCP only.
Feature: override main.cf parameters in master.cf. Specify
"-o parameter=value" after the program name. This allows
you to selectively override myhostname etc. See also the
new smtp_bind_address parameter below.
20000506
Convenience: the LMTP and SMTP clients now append the local
domain to unqualified nexthop destinations. This makes it
more convenient to set up transport maps. Files:
lmtp/lmtp_addr.c, smtp/smtp_addr.c.
Sendmail compatibility: the Postfix SMTP client now skips
servers that greet the client with a 4xx or 5xx status
code. To disable, set both smtp_skip_4xx_greeting and
smtp_skip_5xx_greeting to "no".
20000507
Portability: NetBSD has migrated to /etc/mail/aliases. We
can expect to see this happen more often when systems start
shipping Sendmail 8.10. File: util/sys_defs.h
Updated LDAP code by John Hensley, with support for
dereferencing of LDAP aliases, which have nothing to do
with Postfix aliases.
Feature: "smtp_bind_address=x.x.x.x" specifies the source
IP address for SMTP client connections. Specify in master.cf
as "smtp -o smtp_bind_address=x.x.x.x" in order to give
different delivery agents different source addresses.
20000510
Cleanup: mailbox_transport did not work with the lmtp
delivery agent. This dates back to when Postfix used empty
nexthop information to indicate that a destination was
local. File: global/deliver_pass.c.
Bugfix: configuration parameters for one mysql dictionary
would become default settings for the next one. File:
dict_mysql.c. This patch was merged into Postfix a while
back but apparently that Postfix version was nuked when
other parts were redesigned. Update by Scott Cotton.
Bugfix: some Postfix delivery agents would abort on addresses
of the form `stuff@.' which could be generated only locally.
Found by Patrik Rak. File: trivial-rewrite/resolve.c.
Third-party Berkeley DB support for HP-UX by Lamont Jones.
File: makedefs.
20000511
Bugfix: Postfix would incorrectly reject domain names with
adjacent - characters. File: util/valid_hostname.c.
Bugfix: the 20000505 pipeline tarpit delay flush was wrong
and caused the client and server to get out of phase. Yuck!
20000513
Feature: VSTREAMs now have the concept of last fill/flush
time, which is needed to prevent timeouts with pipelined
SMTP sessions as detailed in the next item.
Bugfix: delayed SMTP command/reply flushing to prevent
sender delays from accumulating too much and causing timeouts
with pipelined sessions. For example, client-side delays
happen when a client does DNS lookups to replace hostname
aliases in MAIL FROM or RCPT TO commands; server-side delays
happen when an UCE restriction involves a time-consuming
DNS lookup, or when a server generates tarpit delays.
Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c.
Portability: define ANAL_CAST for compilation environments
that reject explicit casts between pointers and integral
types. File: util/sys_defs.h, master/*server.c. Upon closer
investigation, this turned out to be the result of someone's
compiler configuration preferences. Therefore the change
is likely to go away after a code cleanup.
20000514
Feature: mysql client support for multi-valued queries
(select email, email2 from aliastbl where username='$local')
By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c.
Finalized the delayed SMTP command/reply flushing code in
the SMTP and LMTP clients after lots of testing and review.
20000520
Robustness: upon receipt of mail, map the mailer-daemon
sender address back into the magic null string. File:
cleanup/cleanup_envelope.c.
20000524
Bugfix: the code for masquerade_exceptions was case sensitive.
Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c.
20000526
Feature: experimental queue manager by Patrik Rak with a
fancy pre-emptive scheduling algorithm that improves delivery
performance of mail with few recipients. This queue manager
is made available as "nqmgr".
20000528
Feature: the SMTP client SASL password file can contain
entries for destination domain names (the address remote
part) not just mail server hostnames. File: smtp_sasl_glue.c.
Feature: smtpd_sasl_local_domain parameter (default:
$myhostname) to specify the local SASL authentication realm.
File: smtpd_sasl_glue.c.
Feature: specify "body_checks=regexp:/file/name" for a very
crude one line at a time message body content filter. This
feature uses the same filtering syntax as the header_checks
feature. File: cleanup/cleanup_message.c. See also the
conf/sample-filter.cf file.
20000530
Feature: full content filtering through external software.
This uses existing interfaces for sending mail to the
external content filter and for injecting it back into
Postfix. Details in FILTER_README. Files: pickup/pickup.c,
smtpd/smtpd.c, qmgr/qmgr_message.c.
20000531
More SASL feedback by Liviu Daia, regarding the use of
authentication realms. File smtpd/smtpd_sasl_glue.c.
Added a simple shell-script based content filtering example
to the FILTER_README file.
Content filtering support for nqmgr by Patrik Rak. File:
nqmgr/qmgr_message.c.
Renamed "content inspection" etc. to "content filtering"
in anticipation of a new hook for content inspection that
only inspects mail without re-injecting it into Postfix.
20000601
Feature: limit the size of pipe mailer deliveries with the
size=nnn command-line attribute. Patch by Andrew McNamara.
20000603
Bugfix: don't try to do SASL authentication when running
in stand-alone (sendmail -bs) mode. Fix by Liviu Daia.
Bug: the unauthorized pipelining test fails with single
recipient mail when smtpd_delay_reject = yes.
20000617
Bugfix: conf/sample-ldap.cf was no longer up to date with
reality. Patch by Lamont Jones, HP.
Bugfix: the maildir delivery routine left temporary files
lying around after unsuccessful delivery (problem reported
by Brian Laughton @ Corp.Axxent.Ca).
20000621
AIX 4.x had POSIX regular expression support all the time
I was working on Postfix. Better find out late than never.
20000623
Bugfix: the SMTP server did not reset the so-called junk
command counter after successful delivery (Mark Hoffman
@ wallst.com). File: smtpd/smtpd.c.
20000625
Cleanup: remove Content-Length from incoming mail. The
sender has no authority over the format of mail as stored
by the receiving system. File: global/header_opts.h.
Feature: rewrite Mail-Followup-To: as sender. Files:
global/header_opts.[hc].
Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as
sender, so that address masquerading works as expected.
Files: global/header_opts.c.
Feature: specify "require_home_directory = yes" to prevent
mail from being delivered to a user whose home directory
is not mounted. File: local/dotforward.c.
Cleanup: the pipe deliver agent no longer appends a blank
line when the F flag (prepend From_ line) is specified.
Specify the B flag if you need that blank line. The local
delivery agent no longer appends a blank line to mail that
is delivered to external command. Files: pipe/pipe.c,
global/mail_copy.[hc].
20000708
Portability: support for NEXT/OPENSTEP requires extra
include file in util/watchdog.c (Masaki Murase).
20000715
Added macros to turn on vstream/vstring/etc. format string
checking by gcc, in addition to the checking that was
already implemented with printfck. File: util/sys_defs.h,
the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike
the printfck tool, gcc finds format argument type mismatches
only in code that isn't #ifdef-ed out.
20000718
Robustness: make_dirs() now continues when a missing
directory is created by another process.
20000720
Feature: the queue manager now logs the number of recipients
when opening a queue file (a zero recipient count is logged
with older queue files). File: global/opened.c.
20000726
Robustness: added watchdog_pat() routine to keep the watchdog
quiet if a client stays connected for a lot of time. Files:
util/watchdog.[hc], smtpd/smtpd.c.
20000729
Robustness: if relayhost is specified but the host does
not exist, defer mail instead of bouncing it (which would
lose the mail if the bounce would have to be delivered to
that same non-existent relayhost). Problem reported by
Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c.
20000821
Feature: added -r (replace key+value) option to postalias
and postmap.
Cleanup: smtpd now replies with 555 when the client sends
unrecognized RCPT TO parameters, as required by RFC 1869
(problem report by Robert Norris @ its.monash.edu.au).
File: smtpd/smtpd.c.
20000822
Logging: the SMTP server's SASL code logs the authentication
method along with an authentication failure. Suggested by
Ronald F. Guilmette @ monkeys.com.
Workaround: some systems have file size resource limits
that cannot be represented with the off_t type that is used
by standard functions such as lseek(2). Problem reported
by Blaz Zupan @ amis.net.
20000823
Feature: all this discussion about when to reject mail and
when not made me decide to implement a TCP-based map type
so that it becomes relatively simple to implement dynamic
access controls, for example, hold off mail from an unknown
client or sender until we have completed some investigation,
after which we will either reject or accept.
However, this code is turned off until it is finished.
20000905
Robustness: the dns client now rejects malformed domain
names rather than depending on the DNS to report that the
name does not exist. Linux returns a rather misleading
server failure code as found out by Patrik Rak. File:
dns/dns_lookup.c.
20000911
Feature: added IGNORE keyword to header_checks and body_checks
to pretend that certain data does not exist. File:
cleanup/cleanup_message.c.
20000911
Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender
without prior authentication. The RFC allows this, although
one wonders what the reasoning behind this is. File:
smtpd/smtpd_sasl_proto.c.
20000913
Bugfix: the rmail script did not handle remote UUCP systems
that send a from_ line with unqualified envelope sender.
Reported by Luciano Mannucci.
Compatibility: don't insert Sender: header lines. Sendmail
has not done so for at least 10 years, if it ever did.
Problem reported by Brad Knowles. File: cleanup/cleanup_message.c.
20000916
Bugfix: when propagating an address extension in a virtual
or canonical mapping, cleanup accesses memory that is no
longer allocated. This can happen when the result address
length is more than 100 characters. Problem reported by
Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c.
Bugfix: fixed a misleading error message when the cleanup
server reaches the queue file size limit. Fix by Robby
Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c.
20000917
Bugfix: postalias -i would complain about duplicate entries
for the Sendmail-compatible @ entry and for the NIS-compatible
YP_LAST_MODIFIED and YP_MASTER_NAME entries.
20000918
Gross hack: prevent looping on a bad recipient by always
forwarding recipients in :include: files to a new mail
delivery request, even when owner-listname is not set.
File: local/recipient.c.
20000919
Convenience: INSTALL.sh now imports default settings from
the process environment, in order to make scripting easier.
Robustness: INSTALL.sh now systematically skips over CVS,
RCS and SCCS cruft.
Portability: another fix for NEXTSTEP (Masaki MURASE).
File: util/spawn_command.h.
20000920
Cleanup: in a transport table entry, do not ignore port
numbers specified as [host]:port. In fact, this is now
becoming the preferred form, in order to avoid parsing
problems with IPV6 addresses. Postfix supports both forms,
but future versions will print a warning for the old form.
Problem reported by Claus Fischer @ werhats.at
Bugfix: missing initialization for state->sasl_method can
cause permit_sasl_authenticated to always succeed. Report
and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE.
FAQ: added notes about how to delete, copy or restore queue
files in a safe manner.
20000921
File reorganization. No code change except Makefiles. All
sources are pushed down by one directory level to keep file
listings usable. Released as 20000922, so that I have a
reference to run "diff -cr against.
Bugfix: the spawn service was installed without man pages.
Portability: MacOSX hints and tips by Joe Block, University
of Central Florida School of Optics/CREOL
Portability: The MacOSX gcc compiler does not understand
the new printf_like/scanf_like attributes. File: util/sys_defs.h.
20000922
nqmgr update from Patrik Rak for the changed queue manager
to delivery agent protocol.
Lame feature: syslog_facility parameter to control where
syslogd sends Postfix logging (default: syslog_facility =
mail). However, errors during command-line parsing are
still logged with the default syslog facility, as are errors
while processing the main.cf file (surprise). Based on
code by Andrew McNamara.
20000923
Cleanup: new bounce logfile API so that Postfix can change
to an extensible bounce logfile format with per-recipient
sender addresses (needed for VERP and for reporting local
list delivery problems to the list owner) and other
attributes. File: global/bounce_log.[hc].
Cleanup: replaced the ad-hoc logfile parsing code in showq
by something that uses the generic bounce logfile API.
20000924
Feature: Postfix bounced mail and delayed mail notifications
now have the standard RFC 1894 form (DSN). The bounce
service now uses the generic bounce logfile API. File:
bounce/bounce_notify_service.c, bounce/bounce_notify_util.c.
Cleanup: deleted the per-recipient bounce protocol. Future
bounce logfiles will support per-recipient bounce addresses.
Files: global/bounce.c, bounce/bounce_recip_service.
20000925
Workaround: sendmail allows MAIL FROM and RCPT TO envelope
addresses like > so we will never get
rid of them. To disallow, specify "strict_rfc821_envelopes
= yes". File: smtpd/smtpd.c.
20000926-20001003
Feature: a "flush" server that keeps per-destination records
of deferred mail. It is the basis of a faster ETRN and
"sendmail -qRsite" implementation. This code was rewritten
half a dozen times.
20000928
Bugfix: the stricter dns_lookup() argument checks revealed
that Postfix was doing DNS lookups for domain literals
([ip.address]) when expanding aliases in MAIL FROM and RCPT
TO address parameters. Reported by Jim Littlefield. File:
smtp/smtp_unalias.c.
Documentation: added text on the biff=yes/no parameter to
conf/sample-local.cf (text provided by Paul Wagland,
relational-consultancy.com.
Robustness? Log errors from SASL library code as warnings
not as fatal errors. Files: smtp*/*glue.c.
20001001
Feature: in master.cf, specify ? after wakeup time to avoid
waking up services that aren't being used.
20001003
Feature: the fast flush refresh and purge time interval
parameters can now be specified in user-specified units by
providing an appropriate suffix: s (seconds), m (minutes),
h (hours), d (days), w (weeks). unit. This was needed so
that I could test the flush server code in a reasonable
way (its timeouts are normally specified in days or hours,
and I don't have that much time for testing). Other Postfix
time interval parameters will be migrated as time permits.
Files: conf/sample-flush.cf, global/mail_conf_time.c,
postconf/postconf.c.
Unfeature: qmgr_hog_factor is now disabled by default. It
was just too confusing. If you don't know what this means,
do not worry.
20001005
Cleanup: after "postfix reload" do not penalize mail that
was in the active queue, but make it ready for immediate
delivery so that ETRN etc. works as intended. Files:
*qmgr/qmgr.c, *qmgr/qmgr_active.c.
Portability: Redhat 7 library interfaces have changed
incompatibly, which breaks existing software. File makedefs.
Consistency: the fallback_relay parameter did not understand
the [] or host:port syntax, and there was no way to suppress
MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c.
Convenience: you can now specify multiple SMTP destinations
in the relayhost or fallback_relay configuration parameters.
The specified destinations will be tried in the specified
order. File: smtp/smtp_connect.c.
Many typographical corrections by Matthias Andree.
20001024
Documentation: the canonical, virtual etc. manual pages
did not document the effect of leading whitespace.
20001025
Bugfix: virtual map expansion stopped too early with
self-referential aliases. Reported by Michael Douglass
@ datafoundry.net. File: cleanup/cleanup_map1n.c.
20001026
Horror: postmap and postalias (newaliases) silently lose
the file lock while building a lookup table with Berkeley
DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE.
The result is that table lookups fail while the table is
being built, so that mail is lost. In order to avoid this
misbehavior one has to use an undocumented feature that is
NOT available with the DB1.85 compatibility interface.
Therefore, Postfix now supports three Berkeley DB programming
interfaces of increasing complexity. File: util/dict_db.c.
Bugfix: some character manipulations were not portable for
signed/unsigned characters. Files: global/quote_821_local.c,
global/quote_822_local.c.
Workaround: apparently, some software sends SMTP mail that
begins with "From sender time-stamp". Sendmail silently
ignores such RFC violating garbage, and therefore Postfix
needs to jump another hoop. File: smtpd/smtpd.c.
20001028
Bugfix: the flush server tried to access config files after
going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE.
File: flush/flush.c.
Update: revised LDAP module from primary maintainer John
Hensley, with contributions from many other people. Files:
util/dict_ldap.c, LDAP_README.
Update: LINUX2 chroot setup script by Matthias Andree,
uni-dortmund.de.
Feature: specify unix:/path/name for LMTP connections over
UNIX-domain sockets, and specify inet:host or inet:host:port
for IPV4. If no unix: or inet: is specified, IPV4 is assumed.
File: lmtp/lmtp_connect.c.
Feature: added UNIX-domain support to the smtpstone test
programs in order to test the LMTP client UNIX-domain
support.
20001030
Bugfix: further testing in preparation for 19991231-pl10
revealed that the DB map code was now broken for every
platform.
20001031
Performance: the slow start (gradually increase number of
parallel connections to the same site) was too gentle and
Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
and nqmgr/qmgr_queue.c.
20001101
FAQ update by Ralph Hildebrandt.
20001104
Portability: RedHat Linux has changed incompatibly, again.
Fixed with the help of Matthias Andree. File: makedefs.
20001109
Cleanup: changed prototype of internal function that did
not return a useful result. File: src/util/vstream_popen.c.
20001110
Workaround: the Debian post install script passes an open
file descriptor into the master server and waits forever.
Reported by Lamont Jones. File: master/master.c.
20001114
Compatibility: added sendmail -G (gateway submission) option
for compatibility with the sendmail rmail command. Requested
by David Gilbert, Velocet Communications.
20001116
Documentation: added MAILER-DAEMON to the list of sample
masquerade_exceptions settings in conf/sample-rewrite.cf.
Suggested by Karl O. Pinc, pop.artic.edu.
Performance: the slow start (gradually increase number of
parallel connections to the same site) was too gentle and
Postfix would back off too quickly. Files: qmgr/qmgr_queue.c
and nqmgr/qmgr_queue.c. Yup, changed the same code, again.
We now allow for a margin above the actual concurrency,
with the size of the initial destination concurrency.
Final solution by Patrik Rak.
Bugfix: the recipient home directory test broke mailbox_transport
support for non-UNIX recipients. File: local/recipient.c.
20001117
Robustness: additional integrity tests for the nqmgr by
Patrik Rak. File: nqmgr/qmgr_message.c.
20001118
Bugfix: the new LDAP client code did not work properly if
the new ldap_domain parameter was not specified. LaMont
Jones, HP. File: util/dict_ldap.c.
Feature: the soft_bounce safety net is extended to the SMTP
server. With "soft_bounce = yes", The SMTP server changes
all 5xx (reject) replies into 4xx (try again) replies.
Documentation: the virtual(5) man page now documents both
Postfix-style virtual domains and Sendmail-style virtual
domains, including their interaction with local usernames,
aliases and mailing lists. Hopefully, this ends some of
the confusion surrounding virtual domain support. Updated
several FAQ entries concerning virtual domain support.
Documentation: added FAQ entry for the biff service.
20001119
Bugfix: per-destination queue names were case sensitive so
that the same site could have multiple queues. Reported
by Patrik Rak. Files: *qmgr/qmgr_message.c.
20001120
Bugfix: per-destination deferred mail logfiles were case
sensitive so that the same site could have multiple deferred
mail logfiles, so that not all mail would be flushed with
ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c.
Portability: added (int) casts to printf-like arguments
that specify the width of %*letter conversions. On some
systems, sizeof and pointer difference expressions are
wider than an int. Reported by Valentin Nechayev @ lucky.net.
20001121:
Compatibility: Postfix now retries delivery when an external
command is killed by a signal, because people expect such
behavior from Sendmail. File: global/pipe_command.c.
20001123-30
Feature: mailbox locking is now configurable. The configuration
parameter name is "mailbox_delivery_lock". Depending on
the operating system one can specify one or more of "flock",
"fcntl" and "dotlock". Use "postconf -l" to find out what
locking methods Postfix supports. The default setting is
system dependent. All mailbox file opens are now done by
one central mbox_open() routine. This affects the operation
of the postlock command, and of local delivery to mailbox
or /file/name. Files: util/safe_open.c, util/myflock.c,
global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c.
local/mailbox.c, local/file.c, postlock/postlock.c.
Compatibility: the old sun_mailtool_compatibility parameter
is being phased out. It still works (by turning off
flock/fcntl locks), but logs a warning as a reminder that
it will go away.
Compatibility: when delivering to /file/name, the local
delivery agent now logs a warning when it is unable to
create a /file/name.lock file, and then delivers the mail
(older Postfix versions would silently deliver).
20001202
Feature: specify "smtp_never_send_ehlo = no" to disable
ESMTP. Someone asked for this long ago. Files: smtp/smtp.c,
smtp/smtp_proto.c.
Feature? Bugfix? The smtp client now skips server replies
that do not start with "CODE SPACE" or with "CODE HYPHEN",
and flags them as protocol errors. Older versions silently
treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c.
20001203
Documentation: postmap(1) and postalias(1) did not document
the process exit status for "-q key".
20001204
Bugfix: the Postfix master daemon no longer imported
MAIL_CONF and some other necessary environment parameters.
Postfix now has explicit "import_environment" and
"export_environment" configuration parameters that control
what environment parameters are shared with non-Postfix
processes. Files: util/clean_env.c, util/spawn_command.c,
util/vstream_popen.c, global/pipe_command.c, and everything
that invokes this code.
20001208
Bugfix: while processing massive amounts of one-recipient
mail, qmgr could deadlock for 10 seconds while sending a
bounce message. All queue manager bounce send requests are
now implemented asynchronously. Files: global/abounce.[hc]
(asynchronous bounce client), qmgr/qmgr_active.c. Problem
reported by El Bunzo (webpower.nl) and Tiger Technologies
(tigertech.com).
20001209
Feature: mailbox_transport and fallback_transport can now
have the form transport:nexthop, with suitable defaults
when either transport or nexthop are omitted, just like in
the Postfix transport map. This allows you to specify for
example, "mailbox_transport = lmtp:unix:/file/name". File:
global/deliver_pass.c.
20001210
Bugfix: the local_destination_concurrency_limit paramater
no longer worked as per-user concurrency limit but instead
worked as per-domain limit, so that the limit of "2" in
the default main.cf files resulted in poor local delivery
performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c.
Problem reported by David Schweikert (ee.ethz.ch) and Dallas
Wisehaupt (cynicism.com).
20001210
Feature: support for MYSQL connections over UNIX-domain
sockets by Piotr Klaban. Files: util/dict_mysql.c,
MYSQL_README.
20001211
Small dirt: postconf -m produced too much output due to a
missing "else", and the optional SASL code needed a fix
for the changed name_mask API.
20001212
Workaround: due to an error, record type L for "filter
transport name" was the same as that for the already existing
record type L for "record not ending in newline", causing
the pickup daemon to discard all records not ending in
newline. The code cannot be changed without breaking
compatibility with queued mail, so the pickup server is
changed to discard type L records only from the message
envelope, not from the content. File: pickup/pickup.c.
20001213
Bugfix: dict_ldap did not properly initialize a handle
after connection timeout. Problem reported by Alain Thivillon.
File: util/dict_ldap.c.
20001214
Feature: local_transport and default_transport now also
understand the transport[:destination] notation, so that
all transport config parameters are similar again. File:
trivial-rewrite/resolve.c, trivial-rewrite/transport.c.
Code cleanup: mailbox_transport and fallback_transport no
longer allow the user to omit the transport part of a
transport:destination specification. That just did not make
any sense at all. The :destination part is still optional.
File: global/deliver_pass.c.
Feature: most time-related configuration parameters take
a one-letter suffix that specifies the time unit: s
(second), m (minutes), h (hours), d (days), w (weeks).
"postconf -d" output includes the default time unit. Files:
many.
Code cleanup: in a CONFIG_TIME_TABLE, the default time unit
is now always the last character of a default time value.
It is no longer necessary to specify the default time unit
separately. This change means that it will not be possible
to specify default values in the form of function calls,
but that was unused anyway. Files: global/mail_conf_time.c,
and user code.
20001217
Bugfix: reorganized some code in the MYSQL client to end
a number of memory allocation/deallocation problems.
This code needs more work. File: dict_mysql.c.
20001218
Bugfix: the MYSQL client did not provide function pointers
for unimplemented operations, causing "postmap -d" to dump
core instead if issuing an error message. This is what I
get for accepting code that I cannot test myself.
20001221
Code cleanup: configuration parameters that are $name
expanded at run-time now have their own data type hierarchy
instead of being piggy-backed on top of strings that are
$name expanded at program initialization time. Files:
global/mail_conf.h, global/mail_conf_raw.c, and code that
calls it.
20001230
Update: replaced the default rbl.maps.vix.com setting by
the current blackholes.mail-abuse.org.
20010102
Code cleanup: the queue manager is a bit greedier with
allocating a delivery agent. Problem pointed out by Patrik
Rak. All bugs in the solution are mine. Files:
*qmgr/qmgr_active.c.
20010105
Bugfix: the FILTER_README shell script example did not
correctly pass exit status to the parent.
Bugfix: soft errors in client hostname lookups would be
treated as hard errors. Fix by Michael Herrmann
(informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.
20010110
Bugfix: the mkdir() EEXIST race condition workaround was
not complete. Matthias Andree, Daniel Roesen. Files:
global/mail_queue.c, util/make_dirs.c.
20010111
Portability: IRIX 6.5.10 defines sa_len as a macro, causing
a name collision with a variable used by Postfix. Roberto
Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c.
20010116
Bugfix: REJECT by header/body_checks was flagged in smtpd
as a bounce, should be policy, in order to make postmaster
notifications more consistent. File: smtpd/smtpd.c.
Merged updated chroot setup procedure by Matthias Andree.
Files: examples/chroot-setup/LINUX2.
20010117
Formatting: changed the seconds and days formats in the
"your mail is delayed" text so that it does not switch to
scientific notation. File: bounce/bounce_notify_util.c.
20010119
Feature: SASL support for the LMTP client. Recent CYRUS
software requires this for Postfix over TCP sockets.
20010120
Bugfix: the 20001005 revised fallback_relay support caused
Postfix to send mail to the fallback even when the local
machine was an MX host for the final destination. Result:
mailer loop. Found by Laurent Wacrenier (teaser.fr). Files:
smtp/smtp_connect.c, smtp/smtp_addr.c.
20010121
Workaround: specify "broken_sasl_auth_clients = yes" in
order to support old Microsoft clients that implement
a non-standard version of RFC 2554 (AUTH command).
Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies
to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.
20010125
Code cleanup: wrote creator/destructor for dictionary
objects that provides default methods that trap all attempts
to perform an unimplemented operation. Based on an ansatz
by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc].
Code cleanup: INSTALL.sh does not ask questions when stdin
is not connected to a tty (as in: make install instances across line boundaries.
sed(1) is an amazing tool. File: mantools/postlink.
20010204
Laid the ground work for logging of table accesses. This
will give more insight into how Postfix uses its lookup
tables. User interface comes later. File: util/dict_debug.c.
20010216
Bugfix: the pipe delivery agent expanded $size as if it
were a recipient, instead of expanding it as $nexthop or
as $sender. Reported by Michael Tokarev. File: pipe/pipe.c.
20010221
Bugfix: poor LMTP performance for domains that are listed
in $mydestination, because Postfix would send one recipient
at a time, with multiple deliveries of recipients of the
same message in parallel; a similar problem could exist
with virus scanning and with firewall relay hosts that
forward mail for $mydestination to an inside machine. This
behavior is now changed to depend on the transport-specific
xxx_destination_recipient_limit parameter. This also means
that you can now get qmail behavior for SMTP deliveries by
setting smtp_destination_recipient_limit=1. File:
{qmgr,nqmgr}/qmgr_message.c.
Workaround: Solaris socketpair() can fail with EINTR. Added
a sane_socketpair.c module that joins the ranks of the other
sane_whatever workarounds. Reported by Andrew McNamara.
File: util/sane_socketpair.[hc]
20010222
Documentation: the default main.cf file has a prominent
warning that mynetworks should be properly configured in
order to reject unauthorized mail relay requests from
strangers.
Documentation: the INSTALL document, section "mandatory
configuration file edits" has a section that explains that
mynetworks should be properly configured in order to reject
unauthorized mail relay requests from strangers.
20010223
Documentation: the basic.html document has a section that
explains that mynetworks should be properly configured in
order to reject unauthorized mail relay requests from
strangers.
Feature: new "mynetworks_style" parameter that controls
how mynetworks (trusted networks) is derived from the
inet_interfaces (machine interfaces) setting. Specify
"class" for entire class A, B, C networks; "subnet" for
the local subnets only; or "host" for maximal privacy.
Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc],
global/mynetworks.[hc], postconf/postconf.c.
Portability: MACOSX patches by Gerben Wierda.
Portability: Solaris /dev/null is a symlink, which tripped
up the code to safely open a file before local delivery. We now
grudgingly allow symlinks owned by root. File: util/safe_open.c.
20010224
Bugfix: "postconf mynetworks" ignored the inet_interfaces
setting. That was a very old one. File: postconf/postconf.c.
INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR
CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY
DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK.
Specify "mynetworks_style = class" to get the old behavior.
20010225
Portability: master sigchld handler based on writing to a
pipe, so that the master wakes up from select(). Based on
code by Erik Forsberg, Linkoping University, Sweden. File:
master/master_sig.c. Disabled until after the major release.
Code cleanup: Postfix should now run with no alias database.
Code cleanup: local_destination_recipient_limit and
local_destination_concurrency_limit have become first-class
configuration parameters. Files: global/mail_params.h,
*qmgr/qmgr.c, postconf/postconf.c.
20010226
Documentation suggestions by Lars Hecking and Richard
Huxton, Matthias Andree and many others.
Code cleanup: some queue/transport operations need to be
moved, after the code cleanup of the recipient/concurrency
limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c.
20010301
Feature: configurable name in syslog output (default:
"syslog_name = postfix") so that different Postfix instances
can be recognized by their logging. File: global/mail_task.c.
20010313
Workaround for logic mismatch in nqmgr that was exposed
with the introduction of the asynchronous bounce client.
Patrik Rak.
20010313
Bugfix: the RFC 822 untokenizer quoted newlines inside
comments. File: global/tok822_parse.c.
20010316
Cleanup: removed an extraneous warning when a queue file
write error happened.
20010321
Workaround: LMTP connection caching never worked for
destinations starting with unix: or inet:. File:
lmtp/lmtp_connect.c.
20010322
Portability: Solaris <2.6 does not have srandom() and
random() in libc. File: util/rand_sleep.c. It does not have
to be cryptographically strong.
Bugfix: the fast ETRN flush server could not handle [ipaddr]
or domain names with one-character hostname part. This
fix changes the destination to logfile name mapping, so
that you need to populate the new files with "sendmail -q".
The old files go away automatically. File: flush/flush.c.
20010327
Speed up mailq (sendmail -bp) display by flushing output
after each file. File: showq/showq.c.
Portability: missing string.h includes, %p wants (void *),
Lamont Jones, HP.
20010328
Bugfix: swapped logic caused cleanup to stall when the
queue file size exceeded the file size limit by less than
one the VSTREAM buffer size, so that the "file too big"
was detected after flushing the last queue file record.
File: cleanup/cleanup.c.
20010329
Portability: workaround for missing prototype problem in
dict_ldap.c. This module should move to the global directory,
because it depends on Postfix main.cf parameter information.
Workaround: after sending a trigger message over a socket,
do not immediately close the client side, but close it from
a background thread that waits until the server closes the
socket first. This avoids trouble with socket implementations
that destroy a socket when the client closes a socket
before the server has received the client's data. Files:
util/{inet,unix,stream}_trigger.c, util/events.c,
master/master_trigger.c, postkick/postkick.c.
20010403
Workaround: the mysql library can return null pointers
rather than zero-length strings. File: util/dict_mysql.c.
20010404
Ergonomics: log additional information about the reason
why "mail for XXX loops back to myself" when the local
machine is the best MX host. File: smtp/smtp_addr.c.
20010406
Changed some noisy LDAP client warnings into optional
logging. LaMont Jones, util/dict_ldap.c.
20010411
Bugfix: the SMTP server now replies with 550 instead of
503 when it receives the DATA command without having received
a valid recipient address. This is needed for the Sendmail
client-side pipelining implementation. Problem reported by
Lutz Jaenicke. File: smtpd/smtpd.c.
Cleanup: shut up if chattr fails on Reiserfs and other file
systems that do not support the respective attributes.
Files: conf/postfix-script-{no,}sgid.
20010413
Ergonomics: Postfix applications now warn when a DB or DBM
file is out of date, and recommend to rebuild the table.
Files: util/dict_db.c, util/dict_dbm.c.
20010414
Feature: specify a key of "-" to the postmap or postalias
-q or -d option, and the keys will be read from standard
input, one key per line. Files: postmap/postmap.c,
postalias/postalias.c.
Bugfix: with a non-default inet_interfaces setting, the
master ignored host information in master.cf host:port
settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net.
Files: master/master.h, master/master_ent.c.
20010426
Bugfix: the SMTP server did not parse invalid MAIL FROM or
RCPT TO addresses such as > the
way it was supposed to do. I thought this was taken care
of years ago. File: smtpd/smtpd.c.
20010427
Bugfix: smtpd would reject mail instead of replying with
a 4xx temporary error code when, for example, an LDAP or
mysql server was unavailable. Remotely based on a fix by
Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c.
20010429
Feature: the Postfix SMTP client now by default randomly
shuffles destination IP addresses of equal preference.
Specify "smtp_randomize_addresses = no" to disable.
Shuffling code by Elias Levy @ SecurityFocus.com Files:
dns/dns_rr.c, smtp/smtp_addr.c.
20010501
Bugfix: The SMTP server's 550 in reply to DATA should be
a 554 response. And it wasn't Sendmail. Claus Assman.
Bugfix: the INSTALL.sh test for non-interactive upgrade
broke rooted installations that specify settings via the
environment. Simon Mudd.
Bugfix: mailq output is now really flushed one message at
a time. File: sendmail/sendmail.c.
Feature: "postsuper -d queueID" deletes one message queue
file; "postsuper -d -" reads zero or more queue IDs from
standard input, and deletes one instance of each file.
File: postsuper/postsuper.c.
Code cleanup: in order to make postsuper -d safe with a
running Postfix mail system, some routines had to be made
tolerant for sudden queue file disappearances. Files:
global/deliver_request.c, *qmgr/qmgr_move.c.
Code cleanup: in order to make postsuper -d more usable,
the showq command was extended to safely list the possibly
world-writable maildrop directory. File: showq/showq.c.
20010504
Feature: postsuper -d will also delete defer and bounce
logfiles when the named queue file is found.
20010505
RFC 2821 feature: an SMTP server must reset all buffers
upon receipt of EHLO. File: smtpd/smtpd_check.c.
RFC 2821 feature: an SMTP server must accept a recipient
address of "postmaster" without domain name. File:
smtpd/smtpd_check.c.
RFC 2821 recommendation: reply with 503 to commands sent
after 554 greeting. File: smtpd/smtpd.c.
RFC 2821 recommendation: if VRFY is enabled, list it in
the EHLO response. File: smtpd/smtpd.c.
RFC 2821 recommendation: SMTP clients should use EHLO.
The default setting of smtp_always_send_ehlo has changed
from 0 (send EHLO if server greets with ESMTP) to 1 (always
send EHLO). In all cases, Postfix falls back to HELO if
the server does not support EHLO. File: smtp/smtp_proto.c.
20010507
Bugfix: with soft_bounce=yes, the SMTP server would log
5xx replies even though it would send 4xx replies to the
client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c.
20010515
Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN".
Updated the parsing code in smtp/smtp_proto.c. Problem
reported by Ralf Tessmann, Godot GmbH.
20010520
Standard: deleted the non-standard "via" portion from
Received: headers generated by Postfix bounce or other
notification processes. File: global/post_mail.c.
Robustness: eliminated stack-based recursion from the RFC
822 address parser. File: global/tok822_parse.c.
Standard: annotated the source code with comments based on
RFC 2821 and 2822. Not all the RFC changes make sense.
RFC 2821 recommendation: treat a RCPT 552 reply as if the
server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
Cleanup: moved ownership of the debug_peer parameters from
the applications to the library, so that a Postfix shared
library does not suffer from undefined references. Files:
smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c.
LaMont Jones, for Debian.
20010522
Feature: "postsuper -r queueID" re-queues a message, and
"postsuper -r ALL" re-queues all mail. The message is moved
to the maildrop queue so that the pickup daemon will copy
it to a new queue file, and so that address rewriting will
be done again. This is useful after changes of address
rewriting or virtual mappings.
Feature: "postsuper -d ALL [queue-name]" deletes a bunch
of mail.
20010523
Feature: "postsuper -s" (which is done by default) renames
queue files whose name (queue ID) does not match the message
file inode number.
Bugfix: memory leak in the LDAP client module. Alain
Thivillon, France Teaser - Groupe Firstream.
20010525
Portability: gcc 2.6.3 does not have __attribute__ (Clive
Jones, dgw.co.uk). File: util/sys_defs.h.
Bugfix: the SMTP and LMTP clients claimed that a queue file
needed to be delivered again (even when all recipients were
erased from the queue file) when no QUIT or RSET reply was
received (by default, this does not happen with SMTP mail
because the SMTP client does not wait for QUIT replies and
does not send RSET to deliver mail). As a result of the
same bug the LMTP client followed a dangling pointer when
sending QUIT after process idle timeout while the LMTP
server had disconnected. Files: smtp/smtp_proto.c,
lmtp/lmtp_proto.c.
20010526
newaliases no longer complains when an empty list is
specified with the alias_database configuration parameter.
File: sendmail/sendmail.c.
20010529
Workaround: old PIX firewall code messes up when the final
"." at the end of DATA spans a packet boundary.
When Postfix detects PIX SMTP fixup mode, Postfix flushes
the output buffers before sending the final ".".
File: smtp/smtp_proto.c.
20010530
Portability: updated code for Mac OS X, accounting for the
post-Beta changes. Code by Joe Block, UCF School of
Optics/CREOL.
20010601
Safety: postdrop turns off interrupts when cleaning up
after interrupt. The additional safety does not hurt anyone.
File: src/postdrop/postdrop.c.
20010607
Safety: dropped the RFC 2821 compliant code that treats
552 RCPT TO replies as 452. It created more problems than
it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c.
Logging: the SMTP server now logs a warning if RBL lookups
have problems other than "not found". file: smtpd/smtpd_check.c.
20010610
Feature: address quoting and case folding flags for the
pipe(8) mailer.
20010611
Workaround: some MTAs fall on their face when they receive
unexpectedly long lines. From now on, Postfix defaults to
breaking long lines at 2048 (like Sendmail so it has got to
be right). To get the old, content preserving, behavior
specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c.
20010614
Bugfix: did not really undo 2821 552->452 mapping.
20010628
Bugfix: postfix-script used a hard-coded maildrop group
owner instead of using the install-time specified name
stored in /etc/postfix/install.cf. Problem reported by
David Terrell @ meat.net.
20010701
Feature: mail_spool_directory ending in / causes maildir
style delivery.
Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters
and kern.ipc.maxsockets cannot be set with sysctl commands.
File: html/faq.html. Len Conrad @ Go2France.com.
Cleanup: the virtual delivery agent was poorly integrated
so that the SMTP server and queue manager did not reject
mail for unknown users. Files: smtpd/smtpd_check.c.
20010705
Feature: QMQP server, compatible with qmail and the ezmlm
list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c.
20010706
Feature: QMQP stress test message generator program. Files:
smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c.
20010708
Bugfix: with disable_dns=yes, the SMTP client treated all
host lookup errors as permanent. File: smtp/smtp_addr.c.
20010709
Feature: VERP support, based on a patch by Peng Yong, and
with the missing parts filled in so that the Postfix bounce
daemon can send one VERP bounce per undeliverable recipient.
Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c,
bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple
support routines in the global library.
Cleanup: with recipient_delimiter=+ (or any character other
than -) Postfix will now recognize address extensions even
with owner-foo+extension addresses. This is necessary to
make VERP work for mailing lists.
20010710
Bugfix: potential memory leak in the queue managers with
the new VERP delimiter record. Fix by Patrik Rak.
20010711
Cleanup: you can now specify the VERP delimiter characters
on the sendmail(1) command line, but they are still optional.
Safety: with maildir style delivery and with hashed mailboxes
the system mail spool directory must not be world writable.
20010713
Safety: the verp_delimiter_filter parameter (default: -=+)
limits what characters Postfix accepts as VERP delimiter
characters.
20010714
Logging: the queue manager now logs a "status=expired"
record when it returns a message that is too old. Files:
*qmgr/qmgr_active.c.
20010719
Feature: stiffer coupling between mail receiving rates and
mail delivery rates, using a trivial token-based scheme,
implemented by reading and writing an in-memory pipe. The
queue manager produces one token when it retrieves mail
from the incoming queue. The cleanup daemon consumes one
token when it adds mail to the incoming queue. If no token
is available the cleanup server pauses for $in_flow_delay
seconds and proceeds anyway. The delay allows mail sending
process to catch up and access the disk while not blocking
inbound mail. Valid delays are 0..10 seconds.
20010727
Bugfix: updated LDAP client module from LaMont Jones, HP.
This also introduces new LDAP query filter patterns: %u
(address localpart) and %d (domain part). Files:
conf/sample-ldap.cf, util/dict_ldap.c.
20010729
Bugfix: recursive smtpd_whatever_restrictions clobbered
intermediate results when switching between sender and
recipient address restrictions. Problem found by Victor
Duchovni, morganstanley.com. In order to fix, introduced
address resolver result caching, which should also help to
speed up sender/recipient address restriction processing.
Bugfix: the not yet announced DUNNO access table lookup
result did not prevent lookups with substrings of the same
lookup key. Found by Victor Duchovni, morganstanley.com.
20010730
Robustness: trim trailing whitespace from regexp and pcre
right-hand sides, for consistency with DB/DBM tables.
Files: util/dict_pcre.c, util/dict_regexp.c.
20010731
Robustness: eliminate duplicate IP addresses after expansion
of hostnames in $inet_interfaces, so that Postfix does not
suddenly refuse to start up after someone changes the DNS.
Files: util/inet_addr_list.c global/own_inet_addr.c.
Feature: specify "disable_verp_bounces = yes" to have
Postfix send one RFC-standard, non-VERP, bounce report for
multi-recipient mail, even when VERP style delivery was
requested.
20010801
Bugfix: postconf was using unexpanded values internally
for myhostname, inet_interfaces, and mynetworks_style.
This broke the "postconf -d" mynetworks computation. File:
postconf/postconf.c.
20010803
Feature: masquerade_classes parameter for fine control of
address masquerading. The default setting is backwards
compatible: envelope_sender header_sender header_recipient.
Files: cleanup/whatever.c.
20010822
Code cleanup: the bounce daemon complained about data that
it was not going to send back anyway. Fix: stop reading
the original message when the bounce message reaches the
bounce message size limit. File: bounce/bounce_notify_util.c.
20010826
Logging: postsuper now logs the queue ID when it requeues
a message, or when it deletes a message from the mail queue.
File: postsuper/postsuper.c.
20010830
Safety: the SMTP server now sends a 4xx (try again later)
response when an UCE restriction is misconfigured, instead
of ignoring the bad restriction and possibly accepting mail
that it should not accept. File: smtpd/smtpd_check.c.
20010907
Workaround: the Postfix qmqp-source program produced mail
not ending in newline. qmail-qmqpd accepts such mail, but
qmail-remote is unable to deliver it. Matthias Andree,
uni-dortmund.de. File: smtpstone/qmqp-source.c.
20010910
Bugfix: the smtp-sink stress test program broke when RCPT
TO commands crossed network packet boundaries. Problem
reported by Matthias Andree, uni-dortmund.de. File:
smtpstone/smtp-sink.c.
20010917
Code cleanup: permit_mx_backup implements the old behavior
(accept mail if the local MTA is MX relay), and allows an
additional restriction via the permit_mx_backup_networks
parameter (accept mail only if the primary MX hosts match
the specified list of network blocks). This second restriction
is now entirely optional, for backwards compatibility.
Bugfix: an address extension could be appended multiple
times to the result of a canonical or virtual map lookup.
File: global/mail_addr_map.c. Fix by Victor Duchovni,
Morgan Stanley.
Bugfix: split_addr() would split an address even when there
was no data before the recipient delimiter. In combination
with the above bug, this could cause an address to grow
exponentially in size. Problem reported by Victor Duchovni,
Morgan Stanley. File: global/split_addr.c.
20010918
Bugfix: the mail_addr_map() fix was almost but not quite
right. It took two clever people and several iterations of
email to really fix the mail_addr_map() problem. Thanks
to Victor Duchovni and Liviu Daia.
20011006
Cleanup: Postfix no longer flushes the whole deferred queue
after an ETRN request for a random domain name (i.e. a
domain name not matched by $fast_flush_domains); the SMTP
server instead replies with "459 service unavailable".
Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c.
20011008
Bugfix: there was a minute memory leak when an smtpd access
restriction was misconfigured. File: smtpd/smtpd_check.c.
20011010
Code cleanup: Postfix daemons now print the name of the
UNIX-domain socket (instead of "unknown stream") in case
of a malformed client request. Files: master/*server.c.
20011010-14
Code cleanup: replaced the ugly mail_print() and mail-scan()
protocols by (name,value) attribute lists. This gives better
error detection when we make changes to internal protocols,
and allows new attributes to be introduced without breaking
everything immediately. Files: util/attr_print.c util/attr_scan.c
global/mail_command_server.c global/mail_command_client.c
as wel as most Postfix applications and daemons.
20011015
Put base 64 encoding into place on the replaced internal
protocols. Files: util/base64_code.[hc].
Feature: header/body REJECT rules can now provide text that
is sent to the originator. Files: cleanup/cleanup.c,
cleanup/cleanup_message.c, conf/sample-filter.cf.
20011016
Bugfix: As of 20000625, Errors-To: was broken, because the
code to extract the address was not moved from recipient
address rewriting to sender address rewriting. Problem
reported by Roelof Osinga @ nisser.com. File:
cleanup/cleanup_message.c.
20011029
Bugfix: virtual map expansion terminated early because the
detection of self-referential entries was flawed. File:
cleanup/cleanup_map1n.c.
20011031
Bugfix: mail_date() mis-formatted negative time zone offsets
with fractional hours (-03-30 instead of -0330). Fix by
Chad House, greyfirst.ca. File: global/mail_date.c.
20011102
Feature: new -f option to postmap and postalias (do not
lowercase the lookup key while creating a table). Files:
util/dict.h postmap/postmap.c postalias/postalias.c.
Code cleanup: simplified the attribute print/scan routines,
and removed the never-used support for sending and receiving
integer arrays and string arrays. Files: util/attr_print.c,
util/attr_scan.c.
Bugfix: qmqpd could read past the end of a string while
looking for qmail's VERP magic token in the envelope sender
address. File: qmqpd/qmqpd.c.
Code cleanup: finished testing the new internal protocols.
The only bug was with the flush server, which still needs
to support the old (string + null byte) protocol for triggers
from the Postfix master daemon.
20011103
Bugfix: Postfix would log the wrong error text when locally
submitted mail was deferred due to "soft_bounce = yes".
Bugfix: The LDAP client dropped any entries that don't have
the result_attribute, but errored out when a DN didn't
exist. The behavior is now consistent: treat non-existant
DN's in a special result attribute expansion the same as
DN's with no attribute. LaMont Jones, HP.
20011104
Bugfix: the new smtp-sink -n option (terminate after the
specified number of deliveries) wasn't optional.
Portability: updated Mac OS X documentation and install
scripts by Gerben Wierda.
20011105
Bugfix: missing terminator in new attribute-based function
call caused signal 11. File: src/cleanup/cleanup.c.
Lame workaround for ESTALE errors with mail delivery over
NFS. Additional bandages were added to the local delivery
agent. However, Wietse maintains that Postfix offers no
guarantee for reliable delivery over NFS.
Feature: put "warn_if_reject" before an smtpd restriction,
and that restriction logs warnings without rejecting mail.
This makes it easier to test configurations "live" without
having to lose mail. File: smtpd/smtpd_check.c.
20011107
Workaround: in order to get mail past PIX firewall bugs,
the Postfix SMTP client now blocks until the socket send
buffer is empty before sending the final ".". Files:
util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into
sleep(10) on 20011119. Sleep suggested by Hobbit.
20011108
Feature: added string-null encoding for internal protocols.
Files: util/attr_print0.c, util/attr_scan0.c.
Feature: configurable parent domain matching for domain
and hostname/address match lists: either .domain or the
domain name itself. Files: util/match_ops.c util/match_list.c
Feature: added pretend-to-be-behind-PIX mode to the smtp-sink
test program, in order to stress test some PIX bug workaround
code.
20011109
Workaround: Linux and Solaris systems have no reasonable
way to block until a socket drains. On these systems Postfix
simply waits for 10 seconds, in order to work around PIX
"." bugs. File: util/sock_empty_wait.c.
20011114
Bugfix: reset the smtpd command transaction log between
deliveries. File: smtpd/smtpd.c.
20011115
Feature: mailbox_command_maps no longer requires that every
user has an entry. If the user does not have a command
entry, the local delivery agent tries the other delivery
methods (mailbox_command, home_mailbox). File: local/mailbox.c.
Bugfix: reset the smtpd command transaction log between
non-deliveries. File: smtpd/smtpd.c.
20011116
Bugfix: consolidated all the command transaction log resets
and eliminated one missing reset (Victor Duchovni, Morgan
Stanley). File: smtpd/smtpd.c.
20011118
Cleanup: replaced unnecessary match_list wrapper code by
macros. Files: global/{string,domain,namadr}_list.[hc].
20011119
Feature: configurable parent domain matching strategy for
transport map lookups. File: trivial-rewrite/transport.c.
New parent_domain_matches_subdomains parameter. This lists
all the Postfix features where a domain name matches itself
and all its subdomains (instead of requiring ".domain.name"
for subdomain matches). Planning for future backwards
compatibility :-) File: global/match_parent_style.c.
Workaround: simplified the PIX "." bug to always
sleep for 10 seconds. File: smtp/smtp_proto.c.
20011120
Workaround: disable attribute string length restriction so
that trivial-rewrite does not refuse to rewrite broken mail
headers. Files: util/attr_scan*.c.
20011121
Bugfix: missing long integer support in the new IPC protocols.
Files: util/attr_scan*.c, util/attr_print*.c.
Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1
(Gerben Wierda).
20011125
Bugfix: spurious postmaster notifications because some flag
was not reset.
Feature: new parameter smtpd_sender_login_maps that specifies
the (SASL) login name that owns a MAIL FROM address.
Specify a regexp table in order to require a simple one-to-one
mapping. This is used in the reject_sender_login_mismatch
sender anti-spoofing feature.
Feature: restriction reject_sender_login_mismatch refuses
a MAIL FROM address when $smtpd_sender_login_maps specifies
an owner but the client is not (SASL) logged in as the MAIL
FROM address owner, or when a client is (SASL) logged in
but the client login name does not own the MAIL FROM address
according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c.
Documentation: added some redundancy to the LMTP_README
file so people can keep track of the difference between
the Postfix LMTP client and the non-Postfix LMTP server.
20011126
Feature: smtpd_noop_commands specifies a list of commands
that are treated as NOOP (no operation) commands, without
syntax check or state change. File: smtpd/smtpd.c.
Bugfix: the "mark queue file as corrupt" code did not work
because it was never used. Files: global/mark_corrupt.c,
global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c,
local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c,
virtual/mailbox.c, virtual/maildir.c.
Bugfix: the bounce daemon broke in the unlikely case of a
non-existing queue file. File: bounce/bounce_notify_util.c.
20011127
Feature: added WARN command to header/body_checks files as
proposed by Michael Tokarev. File: cleanup/cleanup_message.c.
Bugfix: the postdrop program was broken after the change
of Postfix internal protocols. This broke "sendmail -bs"
mail submissions with "secure" maildrop directory. Reported
by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c.
Feature: a first start at fault injection for testing
unlikely error scenarios (such as corrupt queue files).
Parameter: fault_injection_code, must be left at zero for
production use.
20011128
Robustness: add a file size limit to the sendmail and
postdrop submission programs to stop run-away process
accidents. This is not a defense against DOS attack.
Files: sendmail/sendmail.c, postdrop/postdrop.c.
That resulted in a considerable amount of work to properly
propagate "file too large" conditions back to the sendmail
mail posting user interface. Took the opportunity to express
other mail submission fatal exits with the
exit status codes. Files: sendmail/sendmail.c,
postdrop/postdrop.c.
20011129
Maintenance: dict_ldap.c wasn't updated after the revision
of the string matching routines. File: util/dict_ldap.c.
20011208
Maintenance: LDAP module and documentation from LaMont
Jones. This version adds verbose logging for LDAP library
routines. Files: src/util/dict_ldap.[hc], LDAP_README,
conf/sample-ldap.cf
Portability: made memory alignment restrictions configurable.
File: util/mymalloc.c.
Bugfix? Avoid surprises with source routed destinations
and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c.
Security: "postfix check" looks for damage by well-intended
but misguided use of "chown -R postfix /var/spool/postfix".
That would make chrooted Postfix less secure than non-chrooted
Postfix. These extra tests may cause complaints with
third-party patches such as TLS that introduce their own
files into the jail.
Feature: static map type that always returns the map name
as lookup value, regardless of lookup key value. Contributed
Jeff Miller (jeffm at ghostgun.com)
Feature: turn off the PIX . workaround for
the first mail delivery attempt, i.e. when mail is queued
for less than $smtp_pix_workaround_threshold_time (default:
500) seconds. New parameter $smtp_pix_workaround_delay_time
to control the delay before sending . (default: 10
seconds) when doing the PIX . workaround.
20011210
Bugfix: the 20011128 change in sendmail and postdrop did
not handle the case of message_size_limit=0. Fix by Will
Day, Georgia Tech.
20011212
Compatibility: The SMTP server now accepts as
if the client sent . Reportedly, some badly written
windows software produces such garbage, and some badly
written windows anti-VIRUS software cannot handle such
garbage. File: global/smtp_stream.c.
20011214
Bugfix: postmap/postalias queries ignored the -f flag.
Reported by Hamish Marson.
20011217
Compatibility: Sendmail now has a -L option to set the
syslogging label. Postfix sendmail uses syslog_name instead,
and ignores the -L option.
Security: subtle hardening of the Postfix chroot jail,
Postfix queue file permissions and access methods, in case
someone compromises the postfix account. Michael Tokarev,
who received the insights from Solar Designer, who tested
Postfix with a kernel module that is paranoid about open()
calls. Files: master/master_wakeup.c, util/fifo_trigger.c,
postfix-script.
Convenience: issue a warning instead of aborting when the
local machine name is not in fully-qualified domain form.
This would otherwise break initial postfix installation
which needs the postconf command. File: global/mail_params.c.
20011220
Added more garbage detection to postconf -e input processing.
20011221
Feature: SMTPD access map lookups of null sender addresses.
If your access maps cannot store or look up null string
key values, specify "smtpd_null_access_lookup_key = <>"
and the null sender address will be looked up as <> instead.
File: src/smtpd_access.c.
20011223
Safety: configuration file comments no longer span multiple
lines when the next line begins with whitespace; multi-line
input is no longer terminated by a comment line, by an all
white space line, or by an empty line. Michael Tokarev made
the crucial suggestion to simplify the readline routine.
Files: util/readlline.c, postconf/postconf.c.
Cleanup: proper detection of big number overflow in EHLO
and MAIL FROM size announcements, with input from Victor
Duchovni, Morgan Stanley. Files: global/off_cvt.c,
smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c.
Forward compatibility: added queue file record types for
original recipient and for generic named attributes.
Cleanup: safe_open() now returns sensible errno values so
that the fifo_trigger() external interface is restored.
20011225
Upgrade: PCRE_README now describes PCRE version 3.x.
Cleanup: flush SMTPD command history upon receipt of EHLO,
RSET, and upon DATA completion, only if it exceeds
$smtpd_history_flush_threshold lines (default: 100).
Distant derivative of code by Michael Tokarev. File:
smtpd/smtpd.c.
20011228
Bugfix: a readlline() error message showed less text than
intended. Christian von Roques.
Cleanup: postfix now installs with group-writable maildrop
directory and with a set-gid postdrop mail submission
command. The pickup service is now unprivileged. The
world-writable maildrop directory no longer exists.
The cleanup service is now public, in preparation for local
sendmail/postdrop mail submission that avoids the maildrop
queue directory while Postfix is up.
Cleanup: moved the main.cf/master.cf file editing from the
postfix-script file to the INSTALL.sh file.
Cleanup: INSTALL.sh no longer accepts "no" as the destination
of Postfix manual pages.
20011230
Cleanup: the code for "mailq", "sendmail -q", and for
"sendmail -qRsite" was moved from the sendmail command to
a new set-gid postqueue command. The pickup and qmgr FIFOs
are no longer world writable. Files: sendmail/sendmail.c,
postqueue/postqueue.c.
20020101
Security: new alternate_config_directories parameter that
specifies what directories a set-gid command will accept
as its configuration directory. The list must be specified
in the default main.cf file. File: global/mail_conf.c.
Cleanup: "sendmail -qRsite" is no longer implemented by
connecting to the SMTP port. It is now implemented by
talking to the fast flush service. File: postqueue/postqueue.c.
20020203
Cleanup: INSTALL.sh now records all installation information
in the main.cf file. The now obsolete install.cf file is
used only when upgrading from an older Postfix release.
Cleanup: INSTALL.sh now takes name=value settings on the
command line, and has a new "-upgrade" command line option
to turn on non-interactive installation.
Security: additional run-time checks to discourage sharing
of Postfix user/group ID values with other accounts.
20020105
Cleanup: SMTPD access maps now return DUNNO (undetermined)
instead of OK when a recipient address contains multiple
domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan
Stanley. File: smtpd/smtpd_check.c.
20020106
Bugfix: SMTPD access maps did not handle address extensions.
File: smtpd/smtpd_check.c.
20020107
Bugfix: postfix-script, when creating a missing maildrop
queue directory, still referenced install.cf when setting
maildrop directory group ownership; and the postfix command
did not export the setgid_group parameter to the postfix-script
shell script. Victor Duchovni.
Bugfix: postfix-script, when creating a missing public
queue directory, did not set group ownership of the public
directory.
20020109
Cleanup: rewrote the Postfix installation procedure again.
It is now separated into 1) a primary installation script
(postfix-install) that installs files locally or that builds
a package for distribution and that stores file owner and
permission information in /etc/postfix/post-files, and 2)
a post-installation script (/etc/postfix/post-install) that
creates missing directories, that sets file/directory
ownership and permissions, and that upgrades existing
configuration files if necessary.
20020110
Workaround: AIX null read() return on an empty but open
non-blocking pipe. File: master/master_flow.c. Report:
Hamish Marson.
20020111
Feedback: feedback, bugfixes, and brain-dead shell workarounds
for the install scripts by Victor Duchovni and Simon Mudd.
20020113
Rewrote postfix-install. The postfix-files file now controls
what is installed. Refined the semantics of many post-install
operations. post-install now auto-saves settings that
override main.cf.
20020114
Bugfix: alternate_config_directories did not take comma
or whitespace as separators. File: global/mail_conf.c.
Victor Duchovni, Morgan Stanley.
Bugfix: the rewritten postfix-install script did not chattr
+S the Postfix queue.
20020115
Cleanup: added sample_directory and readme_directory
installation parameters for sample configuration files and
for README files. Files: postconf.c, postfix-install,
conf/postfix-files, conf/post-install.
Robustness: the postfix command now exports all installation
parameter settings, and input filters the environment, so
that the startup shell scripts produce a consistent result.
Files: postconf.c.
20020117
Portability: patch from LaMont Jones for compiling dict_ldap.c
with the Netscape SDK.
Feature: added "r" (recursive chown/chgrp) flag to the
postfix-files database, for more convenient change of
Postfix queue ownership. Files: conf/postfix-files,
conf/post-install.
20020122
Documentation: lots of little fixes.
Documentation: updates for the VIRTUAL_README file by Victor
Duchovni, Morgan Stanley.
Bugfix: postqueue -s dereferenced a null pointer when given
a numerical domain argument. LaMont Jones, HP.
Cleanup: smtpd now logs a warning when permit_sasl_authenticated
is used while SASL authentication is disabled, instead of
simply ignoring the restriction. LaMont Jones, HP. File:
smtpd/smtpd.c.
Safety: when postmap creates a non-existent file, the new
file inherits group/other read permissions from the source
file. Based on code by LaMont Jones, HP. File:
postmap/postmap.c.
20020123
Portability: some Linux systems install libnsl.so without
libnsl.a file, causing an yp_match undefined reference
problem. File: makedefs.
20020124
Portability: post-install now requests that command_directory
is given on the command line when the postconf command is
in an unusual place.
Safety: extra code to detect and report Berkeley DB version
mismatches between compile time and run time. This test
is limited to mismatches in the major version number only.
File: util/dict_db.c. Based on code by Lawrence Greenfield,
Carnegie-Mellon university.
Safety: the postfix command and the master daemon abort if
they are running set-uid.
Documentation: the postmap manual page described an out of
date input file format.
20020129
Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
Therefore, input mail flow control is disabled by default.
Files: makedefs, global/mail_params.h, conf/main.cf.
Problem reported by Kurt Andersen, Agilent.
20020201
Workaround: changed the default smtpd_null_access_lookup_key
setting to <>, because some Bezerkeloid DB implementations
can't handle null-length lookup keys. File: global/mail_params.h.
Bugfix: backed out a null-length address panic call by
ignoring the problem, like Postfix did in the past. File:
global/resolve_local.c.
Safety: "postfix check" will now warn if /usr/lib/sendmail
and /usr/sbin/sendmail differ, and will propose to replace
one by a symlink to the other. File: conf/postfix-script.
20020204
Sanity: additional permission checks for "postfix check"
that warn for setgid_group group ownership mismatches. by
Matthias Andree, uni-dortmund.de. File: conf/postfix-script.
Bugfix: "postfix check" used a too simplistic way to
recognize file ownership (grepping ls output). It now uses
the recently discovered "find -prune". Peter Bieringer,
Matthias Andree. File: conf/postfix-script.
20020218
Workaround: log a warning and disconnect when an SMTP client
ignores our negative replies and starts sending message
content without permission. File: smtpd/smtpd.c.
20020220
Bugfix: mismatch in the file being locked by dict_dbm and
the file being locked by postmap, so that locks did not
work correctly. Victor Duchovni, Morgan Stanley.
20020222
Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
produce incorrect results with 8-bit characters. For example,
non-ASCII characters could compare equal to ASCII characters,
and that could result in any number of security problems.
Files: util/strcasecmp.c, COPYRIGHT (the BSD license).
Bugfix: off-by-one error, causing a null byte to be written
outside dynamically allocated memory in the queue manager
with addresses of exactly 100 bytes long, resulting in
SIGSEGV on systems with an "exact fit" malloc routine.
Experienced by Ralf Hildebrandt; diagnosed by Victor
Duchovny. Files: *qmgr/qmgr_message.c. This is not a
security problem.
Bugfix: make all recipient comparisons transitive, because
Solaris qsort() causes SIGSEGV errors otherwise. Victor
Duchovny, Morgan Stanley. File: *qmgr/qmgr_message.c.
20020302
Bugfix: don't strip source route (@domain...:) when the
result would be an empty address. This avoids problems when
append_at_myorigin is set to "no" (which is not supported).
Problem reported by Charles McColgan, Big Fish Communications.
File: trivial-rewrite/rewrite.c.
20020304
Cleanup: postqueue should not not complain when output
fails with "broken pipe".
20020308
Bugfix? reply with 550 not 552 when content is rejected.
552 is reserved for "too much mail".
Documentation: add note to sendmail manual page that running
"sendmail -bs" as $mail_owner enables SMTP server UCE and
access control checks. This is meant for use from inetd etc.
Matthias Andree.
20020311
Bugfix: DBM maps should use different files for locking
and for change detection. Problem reported by Victor
Duchovny, Morgan Stanley. Files: util/dict.h util/dict.c
util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.
20020313
Bugfix: mailq could show addresses with unusual characters
twice. Problem reported by Victor Duchovny, Morgan Stanley.
File: showq/showq.c.
Bugfix: null recipients weren't properly recorded in
bounce/defer logfiles. Such recipient addresses are not
accepted in SMTP mail, but they could appear within locally
submitted mail. File: bounce/bounce_append_service.c.
20020318
Workaround: Berkeley DB can't handle null key lookups,
which happen with HELO names ending in ".". Victor Duchovni,
Morgan Stanley. File: smtpd/smtpd_check.c.
Logging: log a hint when mail is deferred because the
soft_bounce parameter is set. People sometimes forget to
turn it off. File: global/bounce.c.
20020319
Cleanup: add a msg_warn() call when fork() fails in
pipe_command(), to make problems easier to investigate.
Chris Wedgwood. File: global/pipe_command.c.
20020324
Cleanup: more graceful handling of long physical message
header lines upon input. Physical header lines can now
extend up to $header_size_limit characters. When a logical
message header is too long, the excess text is discarded
and Postfix no longer switches to body mode, to avoid
breaking MIME encapsulation. Based on code by Victor
Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c,
cleanup/cleanup_message.c.
Cleanup: more graceful handling of long physical message
header or body lines upon output by the SMTP client. The
SMTP client output line length is controlled by a new
parameter smtp_line_length_limit (default: 990; specify 0
to disable the limit). Long lines are folded by inserting
, to avoid breaking MIME encapsulation.
Based on code by Victor Duchovni, Morgan Stanley. File:
smtp/smtp_proto.c.
20020325
Cleanup: allow additional text after a WARN command in a
header/body_checks pattern file, so that one can change
REJECT+text into WARN+text and vice versa. Based on code
by Fredrik Thulin, Stockholm University.
Cleanup: log a warning when an unknown command is found in
a header/body_checks pattern file, or when additional text
is found after a command that does not expect additional
text. Based on code by Fredrik Thulin, Stockholm University.
Bugfix: sendmail should not recognize "." as the end of
input when the current read operation started in the middle
of a line. Victor Duchovni, Morgan Stanley. File:
sendmail/sendmail.c.
20020328
Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
File: util/sys_defs.h.
20020329
Bugfix: defer_transports broke because the flush server
triggered mail delivery (as if ETRN was sent) while doing
some internal housekeeping of per-destination logfiles.
Problem experienced by LaMont Jones, HP. File: flush/flush.c.
Bugfix: virtual mapping broke for addresses with embedded
whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
cleanup/cleanup_map1n.c.
20020330
Bugfix: postqueue did not pass on non-default configuration
directory settings when running showq while the mail system
is down. The super-user is now exempted from environment
stripping in postqueue/postqueue.c. Problem reported by
Victor Duchovni, Morgan Stanley.
20020414
Portability: Postfix will no longer attempt to build with
gdbm support, because gdbm is broken. File: makedefs.
20020417
Bugfix: the post-install script failed to upgrade master.cf
settings from private to public if the service was explicitly
configured as private.
20020426
Bugfix: the SMTP client forgot to quote whitespace etc.
in a sender/recipient address when DNS lookup was turned
off (disable_dns_lookups = yes). Problem experienced by
Chip Paswater. Files: smtp/smtp_proto.c.
20020503
Cleanup: postqueue silently ignored command-line arguments
following -p or -f options, instead of complaining; postqueue
produced an incorrect error message (mail system down) when
the command was installed with incorrect privileges. File:
postqueue/postqueue.c.
Bugfix: while reporting a domain name or IP address syntax
error, postqueue could dereference a dangling pointer with
some getopt() implementations. LaMont Jones, HP. File:
postqueue/postqueue.c.
20020504
Portability: run-time test to avoid GDBM trouble. File:
util/dict_dbm.c.
20020508
Bugfix: close user@domain@postfix-style.virtual.domain
source routing relaying loophole involving postfix-style
virtual domains with @virtual.domain catch-all patterns.
Problem reported by Victor Duchovny. File: smtpd/smtpd_check.c.
Bugfix: mail_addr_map() used the "wrong" @ character in
addresses with multiple @. Victor Duchovny. File:
global/mail_addr_map.c.
Bugfix: for address localpart quoting, now quote @ as a
special character everywhere, except when resolving addresses.
Previously, the @ was nowhere quoted as a special character,
not even in SMTP commands. Files: global/quote_82[12]_local.c
and some clients.
20020509
Safety: don't allow an OK access rule lookup result for
user@domain@postfix-style.virtual.domain. Suggested by
Victor Duchovny, Morgan Stanley. File: smtpd/smtpd_check.c.
Bugfix: quote unquoted address localparts that need quoting.
Files: global/tok822_parse.c, global/quote_82[12]_local.c.
20020512
Cleanup: the SMTP client logged and bounced the CNAME
expanded recipient address, and thereby complicated trouble
shooting. File: src/smtp_proto.c.
Bugfix: the SMTP and LMTP clients bounced the quoted
recipient address, resulting in too much quoting in bounce
reports. Files: src/smtp_proto.c, lmtp/lmtp_proto.c.
20020513
Bugfix: the LDAP client used the "wrong" @ character in
addresses with multiple @. LaMont Jones, HP. File:
util/dict_ldap.c.
Compatibility: forwards "postqueue -r" compatibility with
the additional queue file records that are stored by snapshot
20050512.
Cleanup: specify "resolve_dequoted_address = no" to prevent
Postfix from looking inside quotes for extra @ etc. characters
when resolving an address. This behavior is technically
more correct, but it opens a mail relay loophole with "user
@domain"@domain when relaying mail to a Sendmail system.
20020514
Bugfix: the new code for header address quoting sometimes
did not null terminate strings so that arbitrary garbage
could appear at the end of message headers. Reported by
Ralf Hildebrandt. File: global/tok822_parse.c.
Safety: user@domain@domain is no longer accepted by the
permit_mx_backup uce restriction (unless Postfix is configured
with "resolve_dequoted_address = no"). Victor Duchovny,
Morgan Stanley. File: smtpd/smtpd_check.c.
20020517
Cleanup: Mailbox-Line: message header labels should be
X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.
20020526
Bugfix: the SMTP server now disallows RCPT TO:<"">, just
like it disallows RCPT TO:<>. File: smtpd/smtpd.c.
Documentation: replace domain.name by domain.tld in the
example config files. The domain exists. They were getting
mail from poorly configured Postfix boxes.
Bugfix: The Postfix sendmail command did not export the
MAIL_CONFIG environment setting to the postdrop command.
File: global/mail_config.h.
20021121
Bugfix: garbage in "user@garbage"@domain address forms may
cause the SMTP or LMTP client to terminate with a fatal
error exit because garbage/tcp is not an existing service.
This cannot be abused to cause the SMTP or LMTP client to
send data into unauthorized ports. Files: *qmgr/qmgr_message.c,
trivial-rewrite/resolve.c.
20030728
Bugfix: an invalid address resolved to an invalid result,
and caused the address resolver client to keep trying
forever, resulting in a local or remote DOS condition of
smtpd, qmgr, and other programs. Reported by Michal
Zalewski. File: trivial-rewrite/resolve.c.
Open problems:
Low: sendmail does not store null command-line recipients.
Low: don't do user@domain and @domain lookups in
local_recipient_maps queries.
Low: after reorganizing configuration parameters, add flags
to all parameters whose value can be read from file.
Medium: need in-process caching for map lookups. LDAP
servers seem to need this in particular. Need a way to
expire cached results that are too old.
Medium: make address rewriting on/off configurable for
envelopes and/or headers.
Low: generic showq protocol, to allow for more intelligent
processing than just mailq. Maybe marry this with postsuper.
Low: default domain for appending to unqualified recipients.
Low: The $process_id_directory setting is not used anywhere
in Postfix. Problem reported by Michael Smith, texas.net.
This should be documented, or better, the code should warn
about attempts to set read-only parameters.
Low: postconf -e edits parameters that postconf won't list.