In addition to the names listed below, the following people provided useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd. Apologies for any names omitted. 19980105 The compiled-in default value for resolve_smtp_sender was wrong (from the days that it was a boolean), causing smtpd to dump core when the variable was not set in main.cf. The INSTALL instructions now have separate sections for the three basic ways of running vmailer. The INSTALL instructions now have discusses how to deal with chrooted processes. Ported to RedHat 5.0. My, these people have re-organized their include files quite a bit, haven't they. 19980106 On RedHat Linux 4.2/5.0, when a FIFO listener opens the FIFO with mode O_RDONLY, the FIFO remains forever readable after the writer has closed it. Workaround: open the FIFO mode O_RDWR. Test program: util/fifo_rdonly_bug.c Unfortunately, the above fix triggers a bug on BSD/OS 3.1 where opening the FIFO mode O_RDWR causes select() to claim that the FIFO is readable even before any data is written to it, causing read() to block or to fail. Test program: util/fifo_rdwr_bug.c printfck (check arguments of printf-like function calls) found a missing argument in local/command.c Miscellaneous Makefile cleanups that I didn't finish before the first alpha release. 19980107 Sometimes the DNS will claim that a domain does not exist, when in fact it does. Thus, it is a bad idea to reject mail from apparently non-existent domains. I have changed the smtpd so that it produces a soft error responses when a resolve_smtp_sender test fails with HOST_NOT_FOUND. Note: by default, this test is still disabled. The DB and DBM read routines will now automagically figure out if (key, value) pairs were written including a terminating null byte or not. The DB and DBM write routines will use this result to determine how to write, and will fall back to per-system defaults otherwise. Renamed the README to MUSINGS, and wrote up a README that reflects the current status of the software. Added -d (don't disconnect) and -c (show running counter) option to te smtp-source test program. These tools are great torture tests for the mail software, and for the system that it runs on. Turned down the process_limit parameter (# of parallel smtp clients or servers) to avoid unpleasant surprises. You can crank up the process_limit parameter in main.cf. 19980111 Feature: when run by the superuser, mailq now shows the mail queue even when the mail system is down. To this end, mailq (sendmail -bp) runs the showq program directly instead of connecting to the UNIX-domain service socket, and drops privileges etc. as usual. 19980119 Bugfix: Edwin Kremer spotted an oversight in the negated host matching code (for name or address patterns prefixed by !). Bugfix: upon receipt of a SIGHUP signal, the master now disconnects from its child processes, so that the current generation of child processes commits suicide, and so that the next generation of child processes will use the new configuration settings. Bugfix: the smtp server now skips the sender DNS domain lookup test for foo@[address] Bugfix: don't append the local domain to foo@[address] 19980120 Bugfix: old low-priority bug in some list walk code that caused the master to drop core when a service was turned off in master.cf. Robustness: the mail system should be able to start up and to accept local postings even while the naming service is down. For this reason, the mail system no longer uses gethostbyname() to look up its own machine name. Sites that use short hostnames will have to specify their FQDN in main.cf (this will eventually be done by the system installation/configuration procedure). Should the config language support backticks so one can say `domainname`? What about $name stuff between the backtics? Security: the master now creates FIFOs and UNIX-domain sockets as the mail owner instead of as root, for better protection against subverted mail systems. chmod() is susceptible to race conditions. fchmod(), although safer, often does not work on sockets. Portability: anticipate that all major UNIXes will create UNIX-domain sockets with permissions modified by the process umask (required by POSIX). For this reason, we always chmod() UNIX-domain sockets, unless the system allows us to use the safer fchmod() instead. Portability: the semi-resident servers now properly handle EWOULDBLOCK returns from accept() in addition to EGAIN (on some systems, EAGAIN and EWOULDBLOCK have different values). Bugfix: the semi-resident servers now properly handle EINTR returns From accept(). Bugfix: Edwin Kremer found that mynetworks() would compute (32 - mask) instead of mask. 19980121 Feature: /etc/vmailer/relocated is used by the local delivery program and specifies what mail should be bounced with a "user has moved to XXX" message. The main.cf configuration parameter is "relocated_maps". Just like the "virtual_maps" config parameter, this feature is off by default, and the parameter can have values such as "files" or "files, nis" (on hosts equipped with NIS). 19980123 Cleanup: virtual domain support moved from the queue manager to the resolve service, where it belongs. Feature: /etc/vmailer/canonical is used by the rewrite service for all addresses, and maps a canonical address (user@domain) to another address. Typical use is to generate Firstname.Lastname@domain addresses, or to clean up dirty addresses from non-RFC 822 mail systems. The main.cf configuration parameter is "canonical_maps". Just like the "virtual_maps" config parameter, this feature is off by default, and the parameter can have values such as "files" or "files, nis" (on hosts equipped with NIS). 19980124 HPUX10 port and many little fixes from Pieter Schoenmakers. Bugfix: isolated an old mysterious bug that could make the master deaf for new connections while no child process was running. A typical result was that no pickup daemon would be started after the previous one had terminated voluntarily. Bugfix: the NIS lookup code did not mystrdup() the NIS map name and would access free()d memory. 19980125 Bugfix: the vstream routines would sometimes ignore flushing errors. The error would still be reported by vstream_fclose() and vstream_ferror(). Feature: time limit on delivery to shell commands. Config parameter: command_time_limit. Default value: 100 sec. The idea is to prevent one bad .forward file or alias file entry from slowly using up all local delivery process slots. 19980126 Code cleanup: in preparation for SMTP extensions such as SIZE, allow an extended SMTP command to have a variable number of options. 19980127 Bugfix: moved canonical map lookups away from the rewriting module to the cleanup service, so that canonical map lookups do not interfere with address rewriting on behalf of other programs. Back to an older trivial-rewrite program version. Bugfix: moved virtual map lookups away from the resolver back to the queue manager, so that virtual domain lookup does not interfere with address resolution on behalf of other programs. Back to an older qmgr program version. 19980131 Feature: integrated and adapted Guido van Rooij's SIZE option (RFC 1870), carefully avoiding potential problems due to overflow (by multiplying large numbers) or unsigned underflow (by subtracting numbers). Code cleanup: cleaned up the code that parses the server response to the HELO/EHLO command, so that we can more reliably recognize what options a server supports. 19980201 Portability: integrated the IRIX 6 port by Oved Ben-Aroya. Portability: the software now figures out by itself if a server should open its FIFO read-write or read-only, to avoid getting stuck with a FIFO that stays readable forever. Bugfix: the cleanup service would terminate with a fatal vstream_fseek() error when the queue file was too large. Bugfix: the cleanup service could be killed by a signal when the queue file became too large. 19980203 Portability: some systems have statfs(), some have statvfs(), and the relevant include files are in a different place on almost every system. Portability: the makedefs script now nukes the -O compiler flag when building on AIX with IBM's own compiler... 19980204 Portability: HP-UX 9.x support by Pieter Schoenmakers. Portability: added SYSV-style ulimit() file size limit support for HP-UX 9.x. Portability: added some #includes that appeared to be missing according to the Digital UNIX cc compiler. Bugfix: sys_defs.h now correctly specifies NIS support for LINUX2, HPUX9 and HPUX10. Security: fixed a file descriptor leak in the local delivery agent that could give shell commands access to the VMailer IPC streams. This should not cause a vulnerability, given the design and implementation of the mailer, but it would be like asking for trouble. Bugfix: the sendmail -B (body type) option did not take a value. 19980205 Bugfix (SUNOS5): should not have deleted the SVID_GETTOD definition from util/sys_defs.h. Bugfix (HPUX9): forgot to specify whether to use statfs() or statvfs(). Bugfix (HPUX9): don't try to raise the file size ulimit. Bugfix (HPUX9): must specify file size limit in 512-blocks. 19980207 Robustness: the master process now raises the file size limit when it is started with a limit that is less than VMailer's file size limit. File: util/file_limit.c. Security: the dns lookup routines now screen all result names with valid_hostname(). Bad names are treated as transient errors. Feature: qmail compatibility: when the home_mailbox parameter is set, mail is delivered to ~/$home_mailbox instead of to /var[/spool]/mail/username. This hopefully makes it easier to lure people away from qmail :-) Robustness: several testers by accident configured relayhost the same as myhostname. The programs now explicitly check for this mistake. Bugfix: deliver_request_read() would free unallocated memory when it received an incomplete delivery request from the queue manager. Robustness: local_destination_concurrency=1 prevents parallel delivery to the same user (with possibly disastrous effects when that user has an expensive pipeline in the .forward or procmail config file). Each transport can have its own XXX_destination_concurrency parameter, to limit the number of simultaneous deliveries to the same destination. 19980208 Robustness: added "slow open" mode, to gradually increase the number of simultaneous connections to the same site as long as delivery succeeds, and to gradually decrease the number of connections while delivery fails. Brad Knowles provided the inspiration to do this. This also solves the "thundering herd" problem (making a bunch of connections to a dead host when it was time to retry that host). Let's see when other mailers fix this. Feature: Added $smtpd_banner and $mail_version, for those who want to show the world what software version they are running. Bugfix: vmailer-script now properly labels each syslog entry. 19980210 Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers Bugfix: the local delivery program now checks that a destination is a regular file before locking it. 19980211 Robustness: the local delivery agent sets HOME, LOGNAME, and SHELL when delivering to a user shell command. PATH is always set, and TZ is passed through if it is set. 19980212 Feature: mailq (sendmail -bp) now also lists the maildrop queue (with mail that hasn't been picked up yet). 19980213 Feature: the smtpd now says: 502 HELP not implemented. This should impress the heck out of the competition :-) 19980214 Feature: local delivery to configurable system-wide command (e.g. procmail) avoids the need for per-user ~/.forward shell commands. Config parameter: mailbox_command. 19980215 Performance: avoid running a shell when a command contains no shell magic characters or built-in shell commands. This speeds up delivery to all commands. File: util/exec_command.c. Bugfix: the local delivery agent, after reading EOF from a child process, now sends SIGKILL only when the child does not terminate within a limited amount of time. This avoids some problems with procmail. File: util/timed_wait.c. 19980217 Portability: folded in NetInfo support from Pieter Schoenmakers. 19980218 Feature: new vmlock command to run a command while keeping an exclusive lock on a mailbox. Feature: with "recipient_delimiter = +", mail for local address "user+foo" is delivered to "foo", with a "Delivered-To: user+foo@domain" message header. Files: qmgr/qmgr_message.c, local/recipient.c. This must be the cheapest feature. 19980219 Code cleanup: moved error handling into functions that should always succeed (non_blocking(), close_on_exec()). 19980223 Bugfix: null pointer bug in the cleanup program after processing a From: header with no mail address (or with only a comment). 19980226 Robustness: now detects when getpwnam() returns a name that differs from the requested name. Feature: Added %p support to the vbuf_print formatting module. Code cleanup: revamped the alias/include/.forward loop detection and duplicate suppression code in the local delivery agent. This must be the fourth iteration, and again the code has been simplified. 19980228 Robustness: don't treat anything starting with whitespace as a header record. Instead, explicitly test for leading whitespace where we permit it. Files: global/is_header.c, bounce/bounce_flush_service.c, local/delivered.c. 19980301 Compatibility: the sendmail program now accepts the -N command-line option (delivery status notification) but ignores it entirely, just like many other sendmail options. Bugfix: dns_lookup.c was too conservative with buffer sizes and would incorrectly report "malformed name server reply". 19980302 Bugfix: the local delivery agent was not null-byte clean. 19980307 Feature: integrated Pieter Schoenmaker's code for transport lookup tables that list (transport, nexthop) by destination. 19980309 Bugfix: delivery agents no longer rename corrupt queue files, because programs might fall over each other doing so. Instead, when a delivery agent detects queue file corruption, it chmods the queue file, simulates a soft error, and lets the queue manager take care of the problem. Bugfix: the SMTP server implemented VRFY incorrectly. Feature: first shot at a pipe mailer, which can be used to extend VMailer with external mail transports such as UUCP (provided that the remote site understands domain addressing, because VMailer version 1 does not rewrite addresses). Cleanup: extended the master/child interface so that the service name (from master.cf) is passed on to the child. The pipe mailer needs the service name so it can look up service-specific configuration parameters (privilege level, recipient limit, time limit, and so on). 19980310-12 Cleanup: factored out the pipe_command() code, so it can be shared between pipe mailer and local delivery agent. 19980314 Compatibility: the sendmail program now parses each command-line recipient as if it were an RFC 822 message header; some MUAs specify comma-separated recipients in a command-line argument; and some MUAs even specify "word word
" forms as command-line arguments. 19980315 Bugfix: VMailer's queue processing randomization wasn't adequate for unloaded systems with small backlogs. Bugfix: smtpd now uses double-buffered stream I/O to prevent loss of input sent ahead of responses. 19980316 Bugfix: the smtpd anti-relay code didn't treat all hosts listed in $mydestinations as local, so it would accept mail only for hosts listed in $relay_domains (default: my own domain). Bugfix: smtpd now replies with 502 when given an unknown command. 19980318 Cleanup: resolve/rewrite clients now automatically disconnect after a configurable amount of idle time (ipc_idle). 19980322 Tolerance: VRFY now permits user@domain, even though the RFC requires that special characters such as @ be escaped. 19980325 Bugfix: a recipient delimiter of "-" could interfere with special addresses such as owner-xxx or double-bounce. Tolerance: the SMTP client now permits blank lines in SMTP server responses. Tolerance: the SMTP client now falls back to SMTP when it apparently mistook an SMTP server as ESMTP capable. Bugfix: eliminated strtok() calls in favor of mystrtok(). Symptom: master.cf parsing would break if $inet_interfaces was more than one word. 19980328 Bugfix: user->addr patterns in canonical and virtual tables matched only $myorigin, not hosts listed in $mydestination or addresses listed in $inet_interfaces. The man pages were wrong too. File: global/addr_match.c. 19980401 Robustness: FIFO file permissions now default to 0622. On some systems, opening a FIFO read-only could deafen the pickup daemon. Only the listener end (which is opened as root) needs read access anyway, so there should not be a loss of functionality by making FIFOs non-readable for non-mail processes. 19980402 Compatibility: sendmail -I and -c options added. 19980403 Feature: virtual lookups are now recursive. File: qmgr/qmgr_message.c 19980405 Implemented sendmail -bs (stand-alone) mode. This mode runs as the user and therefore deposits into the maildrop queue. 19980406 The pickup service now removes malformed maildrop files. 19980407 The pickup service now guards against maildrop files with time stamps dated into the future. 19980408 Bugfix: in the canonical and virtual maps, foo->address would match foo@$myorigin only. This has been fixed to also match hosts listed in main.cf:$mydestination and the addresses listed in main.cf:$inet_interfaces. Bugfix: added double buffering support to the VMailer SMTP server. This makes the SMTP server robust against SMTP clients that talk ahead of time, and should have been in there from day one. 19980409 Bugfix: the VMailer SMTP client now recognizes its own hostname in the SMTP greeting banner only when that name appears as the first word on the first line. 19980410 Feature: smtpd now logs the local queue ID along with the client name/address, and pickup now logs the local queue ID along with the message owner. Bugfix: still didn't do virtual/canonical lookups right (code used the non-case-folded key instead of the case folded one). 19980418 Bugfix: the SMTP server did not flush the "250 OK queued as XXXX" message from the SMTP conversation history. 19980419 Bugfix: qmgr would not notice that a malformed message has multiple senders, and would leak memory (Tom Ptacek). 19980421 Portability: in the mantools scripts, the expr pattern no longer has ^ at the beginning, and the scripts now use the expand program instead of my own detab utility. 19980425 NetBSD 1.x patch by Soren S. Jorvang. 19980511 Feature: the SMTP server now logs the protocol (SMTP or ESMTP) as part of the Received: header. Feature: smtpd now logs the last command when a session is aborted due to timeout, unexpected EOF, or too many client errors. 19980514 Bugfix: the queue manager did not update the counter for in-core message structures, so the in-core message limit had no effect. This can be bad when you have a large backlog with many messages eligible for delivery. Robustness: the queue manager now also limits the total number of in-core recipient structures, so that it won't use excessive amounts of memory on sites that have large mailing lists. 19980518 Bugfix: the SMTP client did not notice that the DNS client received a truncated response. As a result, a backup MX host could incorrectly claim that it was the best MX host and declare a mailer loop. Added start_msg/stop_msg entries to the vmailer startup script, for easy installation. Cleanup: VMailer databases are now explicitly specified as type:name, for example, hash:/etc/aliases or nis:mail.aliases, instead of implicitly as "files", "nis" and so on. Test program: util/dict_open. This change allowed me to eliminate a lot of redundant code from mkmap_xxx.c, and from everything that does map lookups. 19980525 Bugfix: local/dotforward.c compared the result of opening a user's ~/.forward against the wrong error value. 19980526 Bugfix: the smtpd VRFY command could look at free()d memory. Robustness: the smtpd program had a fixed limit on the number of token structures. The code now dynamically allocates token structures. Bugfix: the queue manager still used the deprecated parameter name xxx_deliver_concurrency for concurrency control, but the documentation talks about the preferred parameter name xxx_destination_concurrency. Fix: try xxx_destination_concurrency first, then fall back to xxx_deliver_concurrency. 19980621-19980702 Cleanup: the string read routines now report the last character read or VSTREAM_EOF. This change is necessary for the implementation of the long SMTP line bugfix. Bugfix: the smtp server exited the DATA command prematurely when the client sent long lines. Reason: the smtp server did not remember that it broke long lines, so that '.' could appear to be the first character on a line when in fact it wasn't. Bugfix: the queue manager made lots of stupid errors while reading $qmgr_message_recipient_limit chunks of recipients from a queue file. This code has been restructured. 19980706 Performance: the cleanup program now always adds return-receipt and errors-to records to a queue file, so that the queue manager does not have to plow through huge lists of recipients. Robustness: the initial destination concurrency now defaults to 2, so that one bad message or one bad connection does not stop all mail to a site. The configuration parameter is called initial_destination_concurrency. Performance: the per-message recipient limit is now enforced by the queue manager instead of by the transport. Thus, a large list of recipients for the same site is now mapped onto several delivery requests which can be handled in parallel, instead of being mapped onto one delivery request that is sent to limited numbers of recipients, one group after the other. 19980707 Cleanup: the queue manager now does an additional recipient sort after the recipients have been resolved, so that the code can do better aggregation of recipients by next hop destination. Feature: lines in the master.cf file can now be continued in the same manner as lines in the main.cf file, i.e. by starting the next line with whitespace. Feature: the smtp client now warns that a message may be delivered multiple times when the response to "." is not received (the problem described in RFC 1047). Cleanup: when the queue manager changes its little mind after contacting a delivery agent (for example, it decides to skip the host because a transport or host goes bad), the delivery agent no longer complains about premature EOF. File: global/deliver_request.c 19980709 Bugfix: when breaking long lines, the SMTP client did not escape leading dots in secondary etc. line fragments. Fix: don't break lines. This change makes VMailer line-length transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c. 19980712 Cleanup: the queue manager to deliver agent protocol now distinguishes between domain-specific soft errors and recipient-specific soft errors. Result: many soft errors with SMTP delivery no longer affect other mail the same domain. 19980713 Feature: the file modification time stamp of deferred queue files is set to the nearest wakeup time of their recipient hosts, or if delivery was deferred due to a non-host problem, the time stamp is set into the future by the configurable minimal backoff time. Bugfix: the SMTP client and the MAILQ command would report as message size the total queue file size. That would grossly overestimate the size of a message with many recipients. Bugfix: the 19980709 fix screwed up locally-posted mail that didn't end in newline. 19980714 Robustness: the makedefs script now defaults to no optimization when compiling for purify. 19980715 Robustness: the makedefs script now defaults to no optimization when compiling with gcc 2.8, until this compiler is known to be OK. Workaround: when sending multiple messages over the same SMTP connection, some SMTP servers need an RSET command before the second etc. MAIL FROM command. The VMailer SMTP client now sends a redundant RSET command just in case. The queue manager now logs explicitly when delivery is deferred because of a "dead" message transport. 19980716 Feature: mailq and mail bounces now finally report why mail was deferred (the reason was logged to the syslog file only). Changes were made to the bounce service (generalized to be usable for defer logs), showq service (to show reasons) and the queue manager. As a result the defer directory (with one log per deferred message) may contain many files; also, this directory is accessed each time a message is let into the active queue, in order to delete its old defer log. This means that hashed directories are now a must. 19980718-20 Feature: configurable timeout for establishing smtp connections. Parameter: smtp_connect_timeout (default 0, which means use the timeout as wired into the kernel). Inspired by code from Lamont Jones. For a clean but far from trivial implementation, see util/timed_connect.c Cleaned up the interfaces that implement read/write deadlines. Instead of returning -2, the routines now set errno to ETIMEDOUT; the readable/writable tests are now separate. 19980722 Feature: the default indexed file type (hash, btree, dbm) is now configurable with the "database_type" parameter. The default value for this parameter is system specific. Feature: selectively turn on verbose logging for hosts that match the patterns specified via the "debug_peer_list" config parameter. Syntax is like the "bad_smtp_clients" parameter (see global/peer_list.c). The verbose logging level is specified with "debug_peer_level" (default 2). Security: the local delivery agent no longer delivers to files that have execute permission enabled. 19980723 Workarounds for Solaris 2.x UNIX-domain sockets: they lose data when you close them immediately after writing to them. This could screw up the delivery agent to queue manager protocol. 19980724 Cleanup: spent most of the day cleaning up queue manager code that defers mail when a site or transport dies, and fixed a few obscure problems in the process. 19980726 Feature: the admin can now configure what classes of problems result in mail to the postmaster. Configuration parameter: "notify_classes". Default is backwards compatible: bounce, policy, protocol, resource, and software. 19980726-28 Feature: the admin can now configure what smtp server access control restrictions must be applied, and in what order. Configuration parameters: smtpd_client_restrictions, smtpd_helo_restrictions, smtpd_mail_restrictions and smtpd_rcpt_restrictions. Defaults are intended to be backwards compatible. The bad_senders and bad_clients lists are gone and have become db (dbm, nis, etc) maps. Files: smtpd/smtpd_check.c, config/main.cf. 19980729-31 Feature: hashed queues. Rewrote parts of the mail queue API. Configuration parameters: "hash_queue_names" specifies what queue directories will be hashed (default: the defer log directory), "hash_queue_depth" specifies the number of subdirectories used for hashing (default 2). 19980802 Bugfix: the pipe mailer should expand command-line arguments with $recipient once for every recipient (producing one command-line argument per recipient), instead of replacing $recipient by of all recipients (i.e. producing only one command-line argument). This is required for compatibility with programs that expect to be run from sendmail, such as uux. Thanks to Ollivier Robert for helping me to get this right. Code cleanup: for the above, cleaned up the macro expansion code in dict.c and factored out the parsing into a separate module, mac_parse.c. 19980803 "|command" and /file/name destinations in alias databases are now executed with the privileges of the database owner (unless root or vmailer). Thus, with: "alias_maps = hash:/etc/aliases, hash:/home/majordomo/aliases", and with /home/majordomo/aliases* owned by the majordomo account, you no longer need the majordomo set-uid wrapper program, and you no longer need root privileges in order to install a new mailing list. 19980804 Added support for the real-time blackhole list. Example: "client_restrictions = permit_mynetworks, reject_maps_rbl" All SMTP server "reject" status codes are now configurable: unknown_client_reject_code, mynetworks_reject_code, invalid_hostname_reject_code, unknown_hostname_reject_code, unknown_address_reject_code, relay_domains_reject_code, access_map_reject_code, maps_rbl_reject_code. Default values are documented in the smtpd/smtpd_check.c man page. 19980806-8 Code cleanup: after eye balling line-by line diffs, started deleting code that duplicated functionality because it was at the wrong abstraction level (smtp_trouble.c), moved functionality that was in the wrong place (dictionary reference counts in maps.c instead of dict.c), simplified code that was too complex (password-file structure cache) and fixed some code that was just wrong. 19980808 Robustness: the number of queue manager in-core structures for dead hosts is limited; the limit scales with the limit on the number of in-core recipient structures. The idea is to not run out of memory under conditions of stress. 19980809 Feature: mail to files and commands can now be restricted by class: alias, forward file or include file. The default restrictions are: "allow_mail_to_files = alias, forward" and allow_mail_to_commands = alias, forward". The idea is to protect against buggy mailing list managers that allow intruders to subscribe /file/name or "|command". 19980810-12 Cleanup: deleted a couple hundred lines of code from the local delivery agent. It will never be a great program; sendmail compatibility is asking a severe toll. 19980814 Cleanup: made the program shut up about some benign error conditions that were reported by Daniel Eisenbud. 19980814-7 Documentation: made a start of HTML docs that describe all configuration parameters. Feature: while documenting things, added smtpd_helo_required. 19980817 Bugfix: at startup the queue manager now updates the time stamps of active queue files some time into the future. This eliminates duplicate deliveries after "vmailer reload". Bugfix: the local delivery agent now applies the recipient delimiter after looking in the alias database, instead of before. Documentation bugfixes by Matt Shibla, Tom Limoncelli, Eilon Gishri. 19980819 GLIBC fixes from Myrdraal. Bugfix: applied showq buffer reallocation workaround in the wrong place. Bugfix: can't use shorts in varargs lists. SunOS 4 has short uid_t and gid_t. pipe_command() would complain. Bugfix: can't use signed char in ctype macros. All ctype arguments are now casted to unsigned char. Thanks, Casper Dik. 19980820 Bugfix: save the alias lookup result before looking up the owner. The previous alpha release did this right. Cleanup: mail_trigger() no longer complains when the trigger FIFO or socket is unavailable. This change is necessary to shut up the sendmail mail posting program, so that it can be used on mail clients that mount their maildrop via NFS. Experiment: pickup and pipe now run as vmailer most of the time, and switch to user privileges only temporarily. Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c pickup/pickup.c. Is this more secure/ What about someone manipulating such a process while not root? It still has ruid == 0. 19980822 Portability: with GNU make, commands such as "(false;true)" and "while :; do false; done" don't fail. Workaround: use "set -e" all over the place. Problem found by Jeff Wolfe. Feature: "check_XXX_access maptype:mapname" (XXX = client, helo, sender, recipient). Now you can make recipient and other SPAM restrictions dependent on client or sender access tables lookup results. 19980823 Bugfix: smtpd access table lookup keys were case sensitive. Added "permit" and "reject" operators. These are useful at the end of SPAM restriction lists (smtpd_XXX_restrictions). Added a first implementation of the permit_mx_backup SPAM restriction. This permits mail relaying to any domain that lists this mail system as an MX host (including mail for the local machine). Thanks to Ollivier Robert for useful discussions. 19980824 Bugfix: transport table lookup keys were case sensitive. 19980825 Portability: sa_len is some ugly #define on some SGI systems, so we must rename identifiers (file util/connect.c). Bugfix: uucp delivery errors are now sent to the sender. Thanks, Mark Delany. Bugfix: the pipe delivery agent now replaces empty sender by the mailer daemon address. Mark Delany, again. Portability: GNU getopt looks at all command-line arguments. Fix: insert -- into the pipe/uucp definition in master.cf. Bugfix: the smtp server command tokenizer silently discarded the [] around [text], so that HELO [x.x.x.x] was read as if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand. Bugfix: the HELO unknown hostname/bad hostname restrictions would have treated [text] as a domain name anyway. Bugfix: the $local_duplicate_filter_limit value was not picked up by the local delivery agent. This means the local delivery agent could run out of memory on large mailing list deliveries. 19980826 Performance: mkmap/mkalias now run with the same speed as sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte of memory for DB lookups. File: util/dict_db.c. 19980902 Robustness: the reject_unknown_hostname restriction for HELO/EHLO hostnames will now permit names that have an MX record instead of an A record. 19980903 Feature: appending @$myorigin to an unqualified address is configurable with the boolean append_at_myorigin parameter (default: yes). Feature: appending .$mydomain to user@host is configurable with the boolean append_dot_mydomain parameter (default: yes). Feature: site!user is rewritten to user@site, under control of the boolean parameter swap_bangpath (default: yes). Feature: permit a naked IP address in HELO commands (i.e. an address without the enclosing [] as required by the RFC), by specifying "permit_naked_ip_address" as one of the restrictions in the "smtpd_helo_restrictions" config parameter. 19980904 Code cleanup: when an SMTP client aborts a session after sending MAIL FROM, the cleanup service no longer warns that it is "skipping further client input". Files: cleanup/*.c. Thanks, Daniel Eisenbud, for prodding. Code cleanup: when an SMTP server disconnects in the middle of a session, don't try to send QUIT over the non-existing connection. Files: global/smtp_stream.c, smtp/smtp.c. Thanks, Daniel Eisenbud, for prodding, again. Code cleanup: the VMailer version number has moved from mail_params.h (which is included by lots of modules) to a separate file global/mail_version.h, so that a version change no longer results in massive recompilation. Bugfix: Errors-To was flagged as a sender address, so the address never was picked up. Code cleanup: support for Errors-To: headers completed. 19980905 Feature: per-message exponential delivery backoff, by looking at the amount of time a message has been queued. Thanks, Mark Delany. 19980906 Code cleanup: ripped out the per-host exponential backoff code. It was broken by 19980818. It was probably a bad idea anyway, because it required per-host, in-core, state kept by the queue manager. All we do now is to keep state for $minimal_backoff_time seconds, but only for a limited number of hosts. Daniel Eisenbud spotted the problem. Lost feature: the SMTP session transcripts now show who said what. This feature was inadvertently dropped during development. Thanks, Daniel Eisenbud, for reminding. Documentation: the hard-coded rewriting process of the trivial-rewrite program is described in html/rewrite.html. Feature: the local delivery agent now does alias lookups before and after chopping off the recipient subaddress. This allows you to forward user-anything to another user, without losing the ability to redirect specific user-foo addresses. 19980909 Feature: the smtp client now logs a warning that a server sends a greeting banner with the client's hostname, which could imply a mailer loop. 19980910 Feature: separate canonical maps for sender and recipient address rewriting, so that you can rewrite an ugly sender address and still forward mail to that same ugly address without creating a mailer loop. Files: cleanup_envelope.c, cleanup_message.c, cleanup_rewrite.c. 19980911 Feature: virtual maps now support multiple addresses on the right-hand side. In the case of virtual domains this can eliminate the need for address expansion via local aliases, making virtual domains much easier to administer. This required that I moved the virtual table lookups from the queue manager to the cleanup service, so that every recipient has an on-disk status record. Files: qmgr.c, qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c, cleanup_virtual.c. Feature: sendmail/mailq/newaliases pass on the -v flag to the program that they end up running, to make debugging a little easier. 19980914 Bugfix: some anti-spam measures didn't recognize some addresses as local and would do too much work. File: smtpd_check.c. Bugfix: the smtp sender/recipient table lookup restriction destroyed global data, so that other restrictions could break. File: smtpd_check.c. Bugfix: after vmailer reload, single-threaded servers could exit before flushing unwritten data to the client. Example: cleanup would exit before acking success to pickup, so the message would be delivered twice. Bug reported by Brian Candler. Cleanup: removed spurious error output from vmailer-script. Reported by Brian Candler. Tolerance: ignore non-numeric SMTP server responses. There's lot of brain damage out there on the net. 19980915 Feature: the smtp-sink benchmark tool now announces itself with a neutral name so that it can be run on the same machine as VMailer, without causing Postfix to complain about a mailer loop. Robustness: on LINUX, vmailer-script now does chattr +S to force synchronous directory updates. Fix developed with Chris Wedgwood. 19980916 Bugfix: when transforming an RFC 822 address to external form, there is no need to quote " characters in comments. This didn't break anything, it just looked ugly. File: global/tok822_parse.c 19980917 Workaround: with deliveries to /file/name, use fsync() and ftruncate() only on regular files. File: local/file.c Workaround: the plumbing code in master_spawn.c didn't check if it was dup2()/close()ing a descriptor to itself then closing it. Will have to redo the plumbing later. 19980918 Workaround: on multiprocessor Solaris machines, one-second rollover appears to happen on different CPUs at slightly different times. Made the queue manager more tolerant for such things. Problem reported by Daniel Eisenbud. Workaround: in preparation for deployment with a network-shared maildrop directory. make pickup more tolerant against clock drift between clients and servers. 19980921 New vstream_popen() module that opens a two-way channel across a socketpair-based pipe. This module isn't being used yet; it is here only to complete the vstream code. 19980922 Code cleanup: the xxx_server_main() interface for master child processes now uses a name-value argument list instead of an ugly and inflexible data structure. Bugfix: moved the test if a non-interactive process is run by hand, so that the "don't do this" error message can be printed to stderr before any significant processing. Bugfix: smtpd now can talk to unix-domain sockets without bailing out on a peer lookup problem. Files: smtpd/smtpd.c, util/peer_name.c. Safety: by default, the postmaster is no longer informed of protocol problems, policy violations or bounces. Safety: the SMTP server now sleeps before sending a [45]xx error response, in order to prevent clients from hammering the server with a connect/error/disconnect loop. Parameter: smtpd_error_sleep_time (default: 5). Feature: the logging facility is compile-time configurable (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1"). 19980923 Bugfix: changed virtual/canonical map search order from (user@domain, @domain, user) to (user@domain, user, @domain) so the search order is most specific to least specific. File: global/addr_map.c, lots of documentation. Bugfix: after the change of 19980910, cleanup_message extracted recipients from Reply-To: etc. headers. Found by Lamont Jones. 19980925 Bugfix: the change in virtual/canonical map search order broke @domain entries; they would never be looked up if the address matched $myorigin or $mydestinations. Found by Chip Christian who now regrets asking for the change. Bugfix: cleanup initialized an error mask incorrectly, so that it would keep writing to a file larger than the queue file size limit, and so it would treat the error as a recoverable one instead of sending a bounce. Thanks, Pieter Schoenmakers. Bugfix: the "queue file cleanup on fatal error" action was no longer enabled in the sendmail mail posting agent. Feature: the sendmail mail posting program now returns EX_UNAVAILABLE when the size of the input exceeds the queue file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN. 19980926 Code cleanup: the dotlock file locking routine is no longer derived from Eric Allman's 4.3BSD port of mail.local. Code cleanup: the retry strategy of the file locking routines dot_lockfile() and deliver_flock() is now configurable (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale). Code cleanup: the master.pid lock file is now created with symlink paranoia, and is properly locked so that PID rollover will not cause false matches. Bugfix: the vbuf_print() formatting engine did not know about the '+' format specifier. Cleanup: replaced unnecessary instances of stdio calls by vstream ones. 19980929-19981002 Compatibility: added support for "sendmail -q". This required a change to the queue manager trigger protocol, and a code reorganization of the way queue scans were done. The queue manager socket now has become public. 10091002 SMTPD now logs "lost connection after end-of-message" instead of "lost connection after DATA". 10091005 More bullet proofing: timeouts on all triggers. 19981006 Bugfix: make the number of cleanup processes unlimited, in order to avoid deadlock. The number of instances needed is one per smtp/pickup process, and an indeterminate number per local delivery agent. Thanks, Thanks, David Miller and Terry Lorrah for cleueing me in. Bugfix: "sendmail -t" extracted recipients weren't subjected to virtual mapping. Daniel Eisenbud strikes again. 19981007 Compatibility: if the first input line ends in CRLF, the sendmail posting agent will treat all CRLF as LF. Otherwise, CRLF is left alone. This is a compromise between sendmail compatibility (all lines end in CRLF) and binary transparency (some, but not all, lines contain CRLF). 19981008 Robustness: stop recursive virtual expansion when the left-hand side appears in its own expansion. 19981009 Portability: trigger servers such as pickup and qmgr can now use either FIFOs or UNIX-domain sockets; hopefully at least one of them works properly. Trigger clients were already capable of using either form of local IPC. 19981011 Feature: masquerading. Strip subdomains from domains listed in $masquerade_domains. Exception: envelope recipients are left alone, in order to not screw up routing. 19981015 Code cleanup: moved the recipient duplicate filter from the user-level sendmail posting agent to the semi-resident cleanup service, so that the filter operates on the output from address canonicalization and of virtual expansion, instead of operating on their inputs. 19981016 Bugfix: after kill()ing a bunch of child processes, wait() sometimes fails before all children have been reaped, and must be called again, or the master will SIGSEGV later. Problem reported by Scott Cotton. Workaround: don't log a complaint when an SMTP client goes away without sending QUIT. 19981018 Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard error (EINVAL) when the result buffer is not large enough. This can happen on systems with many real or virtual interfaces. File: util/inet_addr_local.c. Problem reported by Scott Cotton. Workaround: the optional HELO/EHLO hostname syntax check now allows a single trailing dot. Workaround: with UNIX-domain sockets, LINUX connect() blocks until the server calls accept(). File: qmgr/qmgr_transport.c. Terry Lorrah and Scott Cotton provided the necessary evidence. 19981020 Robustness: recursive canonical mapping terminates when the result stops changing. Code cleanup: reorganized the address rewriting and mapping code in the cleanup service, to make it easier to implement the previous enhancement. 19981022 Code cleanup: more general queue scanning programming interface, in preparation for hashed queues. File: qmgr/qmgr_scan.c. Bugfix: a non-FIFO server with a process limit of 1 has a too short listen queue. Until now this was not a problem because only FIFO servers had a process limit of 1, and FIFOs have no listen queue. Fix: always configure a listen queue of proc_limit or more. File: master/master_listen.c. 19981023 Feature: by popular request, mail delay is logged when delivering, bouncing or deferring mail. 19981024 Cleanup: double-bounce mail is now absorbed by the queue manager, instead of the local delivery agent, so that the mail system will not go mad when no local delivery agent is configured. 19981025 Cleanup: moved the relocated table from the local delivery agent to the queue manager, so that the table can also be used for virtual addresses. Code reorg: in order for the queue manager to absorb recipients, the queue file has to stay open until all recipients have been assigned to a destination queue. 19981026 vmlogger command, so that vmailer-script logging becomes consistent with the rest of the VMailer system. Code reorg: logger interface now can handle multiple output handlers (e.g. syslog and stderr stream). Bugfix: a first line starting with whitespace is no longer treated as an extension of our own Received: header. Files: smtpd/smtpd.c, pickup/pickup.c. 19981027 Bugfix: the bang-path swapping code went into a loop on an address consisting of just a single !. Eilon Gishri had the privilege of finding this one. Workaround: the non-blocking UNIX-domain socket connect is now enabled only on systems that need it. It may cause kernel trouble on Solaris 2.x. Bugfix: the resolver didn't implement bangpath swapping, so that mail for site!user@mydomain would be delivered to a local user named "site!user". 19981028 Cleanup: a VSTREAM can now use different file descriptors for reading and writing. This was necessary to prevent "sendmail -bs" and showq from writing to stdin. Eilon Gishri observed the problem. 19981029 The RFC 822 address manipulation routines no longer give special attention to 8-bit data. Files: global/tok822_parse.c, global/quote_822_local.c. Bugfix: host:port and other non-domain stuff is no longer allowed in mail addresses. File: qmgr/qmgr_message.c. Workaround: LINUX accept() wakes up before the three-way handshake is complete, so it can fail with ECONNRESET. Files: master/single_server.c, master/multi_server.c. Feature: when delivering to user+foo, try ~user/.forward+foo before trying ~user/.forward. Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't clean up when terminated by a signal. Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should not try to enforce spam controls because it cannot access the address rewriting machinery. Cleanup: the percent hack (user%domain -> user@domain) is now configurable (allow_percent_hack, default: yes). Bugfix: daemons in -S (stand-alone) mode didn't change directory to the queue. This was no problem with daemons run by the sendmail compatibility program. 19981030 Feature: when virtual/canonical/relocated lookup fails for an address that contains the optional recipient delimiter (e.g., user+foo@domain), the search is done again with the unextended address (e.g., user@domain). File: global/addr_find.c. Code reorg: the address searching is now implemented by a separate module global/addr_find.c, so that the same code can be used for both (non-mapping) relocated table lookups and for canonical and virtual mapping. The actual mapping is still done in the global/addr_map.c module. Robustness: the SMTP client now skips hosts that don't send greeting banner text. File: smtp/smtp_connect.c Feature: preliminary support to disable delivered-to. This is desirable for mailing list managers that don't want to advertise internal aliases. Generic support: when the recipient_feature_delimiter configuration parameter is set, the local delivery agent uses it to split the recipient localpart into fields. Any field that has a known name such as "nodelivered" enables the corresponding delivery feature. 19981031 Code reorg: address splitting on recipient delimiter is now centralized in global/split_addr.c, which knows about all reserved names that should never be split. Robustness: when a request for an internal service cannot be satisfied because the master has terminated, terminate instead of trying to reach the service every 30 seconds. Safety: the local delivery agent now runs as vmailer most of the time, just like pickup and pipe. Files: local/local.c, local/mailbox.c 19981101 Compatibility: the tokenizer for alias/forward/etc. expansion now updates an optional counter with the number of destinations found; If no destinations is found in a .forward file, deliver to the mailbox instead. Thanks, Daniel Eisenbud, for showing the way to go. Robustness: the pickup daemon should always include a posting-time record, even when the sendmail posting agent didn't. However, just like before, user-provided posting times will be ignored. Ollivier Robert found this one. Robustness: duplicate entries in aliases or maps now cause a warning instead of a fatal error (and an incomplete file). Robustness: mkmap now prints a warning when an entry is in "key: value" format, which is the format expected for alias databases, not for maps. Portability: on LINUX, prepend "+" to the getopt() options string so that getopt() will stop at the first non-option argument. Suggestion by Marco d'Itri. 19981103 Cleaned up the set_eugid() and open_as() implementations, and added stat_as() and fstat_as() so that the local delivery agent would look up include files and .forward files with the right privileges. 19981104 Bugfix: the :include: routine now stat()s/open()s files included by root-owned aliases as root, not as nobody. Bugfix: the master crashed when a service with wakeup timer was disabled or renamed. Fix: eliminate some pathological coupling between process management and wakeup management. Feature: partial implementation of ETRN (causes a full deferred queue scan). Thanks Lamont Jones for reminding me that things can be useful already before they are perfect. Cleanup: simplified the SMTPD tokenizer. Bugfix: sendmail -bs didn't properly notify the mail system of new mail. Compatibility: the MAIL FROM and RCPT TO commands now accept the most common address forms without enclosing <>. The <> is still needed for addresses that contain a "string", an [address], or a colon (:). 19981105 Bugfix: "master -t" would claim that the master runs when in fact the pid directory does not exist, causing trouble with first time startup (reported by several). Portability: added a sane_accept() module that maps all beneficial accept() error results to EAGAIN. According to private communication with Alan Cox, Linux 2.0.x accept() can return a variety of error conditions, so we play safe and allow for any error that may happen because SYN+ACK could not be sent. Portability: NETBSD1 uses dotlock files (Perry Metzger). Bugfix: the local delivery agent did not canonicalize owner-foo sender addresses, so that local users would see owner-foo instead of owner-foo@$myorigin (Perry Metzger). OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda). 19981106 Portability: the master startup would take a long time on AIX because AIX has a very large per-process open file limit. Fix is to check the status of only the first couple hundred file descriptors instead. File: master/master.c. Bugfix: mail to user@[net.work.addr.ess] was broken because of a reversed test. File: qmgr/qmgr_message.c. 19981107 Compatibility: don't clobber the envelope sender address when an alias has no owner-foo alias (problem diagnosed by Christophe Kalt). Bugfix: mail to local users in include files would be delivered directly if the alias didn't have an owner-foo alias, and if the alias database and include file were owned by root. Feature: with user+foo addresses, any +foo address extension that is not explicitly matched in canonical, virtual or alias databases is propagated to the table lookup result. 19981108 Bugfix: minor memory leak in the user+foo table lookup code. Configurability: specify virtual.domain in the virtual map, and mail for unknown@virtual.domain will bounce automatically. The $relay_domains default value now includes $virtual_maps, so the SMTP server will accept mail for the domain. Marco d'Itri put me on the right track. Configurability: The mydestinations configuration parameter now accepts /file/name expressions and type:name lookup tables. Code cleanup: in order to make the previous two enhancements possible, revised the string/host/address matching engine so it can handle any mixture of strings, /file/name patterns and type:name lookup tables. Files: util/match_{list,ops}.c, global/{domain,namadr,string}_list.c. 19981110 Code cleanup: replaced remaining isxxx() calls by ISXXX(). 19981111 Bugfix: the "bounce unknown virtual user" code was in the wrong place. Problem tackled with help of Chip Christian. Portability: reportedly, Solaris 2.5.1 can hang waiting for a UNIX-domain connection to be accepted, so it gets the same workaround that was designed for LINUX. Problem reported by Scott Cotton. 19981112 Management: "vmailer stop" now allows delivery agents to finish what they are doing, like "vmailer reload". Management; "vmailer abort" causes immediate termination. Workaround: zombie processes pile up with HP-UX. Reason: select() does not return upon SIGCHLD when SA_RESTART is specified to sigaction(). Workaround: shorten the select() timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS. Thanks, Lamont Jones. 19981117 Rename: VMailer is now Postfix. Sigh. 19981118 Cleanup: generalized the safe_open() routine so that it is no longer limited to mailbox files, lock files, etc. Bugfix (found during code review): vstream*printf() could run off the end of a stream buffer after an I/O error, because vbuf_print() ignored the result from VBUF_SPACE(). Bugfix (found during code review): resolve_local() could clobber its argument, but the docs didn't say so. 19981121 Cleanup: the is_header() routine now allows 8-bit data in header labels. 19981123 Bugfix (found during code review): the mail_queue_enter() path argument wasn't optional. File: global/mail_queue.c 19981124 Cleanup: eliminated redundant tests for a zero result from vstream_fdopen(). Unlike the stdio fdopen() routine, the vstream_fdopen() routine either succeeds or never returns. Bugfix: the queue manager now looks at the clock before examining a file time stamp, to avoid spurious complaints about time warps on busy machines. File: qmgr/qmgr_active.c. 19981125 Compatibility: allow trailing dot at the end of user@domain. Address canonicalization now strips it off. Issue brought forward by Eilon Gishri. File: trivial-rewrite/rewrite.c. Robustness: changed DNS lookup order of MAIL FROM etc. domains from MX then A to A then MX, just in case the MX lookup fails with a server error. Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat, postlock, postlog, postkick. Also renamed mkmap and mkalias to postmap and postalias. 19981126 Workaround: Lamont Jones found a way for HP-UX to terminate select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN. Files: util/sys_defs.h, master/master_sig.c. Bugfix: the Delivered-To: loop detection code had stopped working, when long ago the is_header() routine was changed. File: local/delivered.c. 19981128 Bugfix: postcat opened queue files read-write, where only read access was needed. File: postcat/postcat.c. 19981129 Safety: added a sleep(1) to all fatal and panic exits. File: util/msg.c. 19981201 Robustness: postcat now insists that a file starts with a time record. Consistency: added "-c config_dir" command-line options where appropriate. 19981202 Man pages, on-line version. 19981203 Man pages, html version; overview documentation. 19981206 Sendmail silently accepted the unsupported -qRsite and -qSsite options. It now prints an error message and terminates. Separated the contributed tree from the IBM code; moved the LDAP and NEXTSTEP/OPENSTEP code to the contributed source tree because obviously I didn't write it. 19981206-9 Had to write a postconf configuration utility in order to reliably find out about all configuration parameters and their defaults. Documentation bugfixes by Matt Shibla, Scott Drassinower, Greg A. Woods. 19981209 On machines with short hostnames, postconf -d cored while reporting a fatal error. It should not report that error in the first place. Thanks, Eilon Gishri. Changed the FAQ entry about rejecting mail for *.my.domain on a firewall. Chip Christian was right, I was wrong. 19981214 Portability: with GNU getopt, optind is not initially 1, breaking an assumption in sendmail/sendmail.c. Liviu Daia. Annoyance: on non-networked systems, don't warn that only one network interface was found. File: global/inet_addr_local.c. Reported by several. Bugfix: on non-networked systems, the smtp client assumed that it was running in virtual host mode, and would bind to the loopback interface. File smtp/smtp_connect.c. Liviu Daia, again. 19981220 Robustness: when looking up an A or MX record, do not give up when the A query fails because of a server error. File dns/dns_lookup.c. Reported by Scott Drassinower. 19981221 Bugfix: "bounce mail for non-existent virtual user" didn't work when a non-default relay host was configured in main.cf or in the transport table. File: qmgr/qmgr_message.c. Bugfix: the maildrop directory should not be world-readable. Files: conf/postfix-script, showq/showq.c. Documentation: fixed several omissions and errors. Documentation: removed references to the broken recipient feature delimiter configuration parameter. Bugfix: write mailbox file as the recipient, so that file quota work as expected. Bugfix: pickup would die when it tried to remove a non-file in the maildrop directory (Jeff Wolfe). 19981222 Sendmail no longer logs the queue ID when it is unable to notify the pickup daemon. This is a late addition to the "unreadable maildrop queue" patch. user.lock files are now created as root, so that postfix needs no group directory write permission. 19981224 Security: allow queue file link counts > 1, to avoid non-delivery of maildrop files with links to a non-maildrop directory. Files: global/mail_open_ok.c, and anything that calls this code (qmgr, pickup, showq). If multiple hard links are a problem, see the set-gid "postdrop" utility below. 19981225 Robustness: the queue manager no longer aborts when a queue file suddenly disappears (e.g. because the file was removed by hand). Feature: when a writable maildrop directory is a problem, sites can make the new "postdrop" utility set-gid. This command is never used when the maildrop directory is world-writable. Robustness: make the queue file creation routine more resistant against denial of service race attack. File: global/mail_queue.c 19981226 New suid_priv module to enable/disable privileges in a set-uid/gid program. In the end I decided to not use it. 19981228 Robustness: make the pickup daemon more resistant against non-file race attack. Cleanup: generic mail_stream.c interface for writing queue file streams to files, daemons or commands. This simplifies the code in smtpd and in sendmail that must be able to pipe mail through the postdrop command. The cleanup daemon has been modified to use the same interface. Result: less code. Feature: smtpd now logs the only recipient in Received: headers. Feature: separate command and daemon directories. Both default to $program_directory. Install conf/postfix-script if you want to use this feature. 19981230 Patch to avoid conflict with non-writable top-level Makefile (Lamont Jones). 19981231 Portability: port to UnixWare 7 by Ronald Joe Record, SCO. 19990104 Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions Ltd.) Files: quote_82[12]_local.c. Bugfix: wrong default for relay_domains (Juergen Kirschbaum, Bayerische Landesbank). File: mail_params.h. Bugfix: changed 5xx response for "too may recipients" to 4xx. File: smtpd.c. 19990106 Feature: defer_transports specifies the names of transports that should be used only when "sendmail -q" (or equivalent) is issued. For example, "defer_transports = smtp" is useful for sites that are disconnected most of the time. File: qmgr_message.c. 19990107 Feature: local_command_shell specifies a non-default shell for delivery to command by the local delivery agent. For example, "local_command_shell = /some/where/smrsh -c" restricts what may appear in "|command" destinations. File: global/pipe_command.c. 19990112-16 Feature: SMTP command pipelining support based on an initial version by Jon Ribbens, Oaktree Internet Solutions Ltd. This one took several days of massaging before I felt comfortable about it. Files: smtp.c, smtp_proto.c. Bugfix: the SMTP server would flush responses one-by-one, which caused suboptimal performance with pipelined clients. The vstream routines now flush the write buffer when the read() routine is called, instead of flushing when the application changes from writing to reading. Delayed flush prevents the SMTP server from flushing responses one-by-one and thus triggering Nagle's algorithm. File: util/vstream.c. 19990117 Bugfixes and enhancements to the smtpstone tools by Drew Derbyshire, Kendra Electronic Wonderworks: send helo command, send message headers, format the message content to lines < 80, work around NT stacks, make "." recognition more robust. Files: smtp-source.c, smtp-sink.c. Strategy: look at the deferred queue only when the incoming queue is empty; limit the number of recipients read from a queue file depending on the number of recipients already in core. Files: qmgr.c, qmgr_message.c. Feature: postponed anti-UCE restrictions. The decision to reject junk mail on the basis of the client name/address, HELO hostname or sender address can now be postponed until the RCPT TO command (or HELO or MAIL FROM if you like). File: smtpd_check.c. 19990118 Feature: incremental updates of alias databases and of other lookup tables. Both postalias and postmap now take a -i option for incremental updates from standard input. Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c. Compatibility: newaliases can now update multiple alias databases: list them in the "alias_database" parameter in main.cf. By the same token, postalias can now update multiple maps in one command. Files: post{map,alias}/post{map,alias}.c Feature: mail to <> is now sent to the address specified with the "empty_address_recipient" configuration parameter which defaults to MAILER-DAEMON (idea by Lamont Jones, Hewlett-Packard). File: cleanup/cleanup_envelope.c. Compatibility: the transport table now uses .domain.name to match subdomains, just like sendmail mailer tables (patch by Lamont Jones, Hewlett-Packard). Feature: mailq now ends with a total queue size summary (Eilon Gishri, Israel Inter University Computation Center). 19990119 Feature: address masquerade exceptions for user names listed in the "masquerade_exceptions" configuration parameter. File: cleanup/cleanup_masquerade.c. Feature: qmail-style maildir support, based on initial code by Kevin W. Brown, Quantum Internet Services Inc. Workaround: Solaris 2.something connect() fails with ECONNREFUSED when the system is busy (Chris Cappuccio, Empire Net). File: global/mail_connect.c. Feature: the cleanup service now adds a Return-Path: header when none is present. This header is needed for some mail delivery programs (see below). File: cleanup_message.c. Feature: the pipe mailer now supports $user, $extension and $mailbox macros in command-line expansions. This, plus the Return-Path: header (see above), should be sufficient to support cyrus IMAP out of the box. Based on initial code by Joerg Henne, Cogito Informationssysteme GMBH. File: pipe/pipe.c. Bugfix: with address extensions enabled, canonical and virtual lookups now are done in the proper order: user+foo@domain, user@domain, user+foo, user, @domain. File: global/mail_addr_find.c. 19990119 Feature: the local mailer now prepends a Received: message header with the queue ID to forwarded mail, in order to make message tracing easier. File: local/forward.c. Cleanup: after "postfix reload", no more broken pipe complaints from resolve/rewrite clients. 19990121 Feature: pickup (again) logs uid and sender address. On repeated request by Scott Cotton, Internet Consultants Group, Inc. Portability: doze() function for systems without usleep(). Cleanup: clients are now consistently logged as host[address]. 19990122 Maildir support changed: specify "home_mailbox = Maildir/". The magic is the trailing /. Suggested by Daniel Eisenbud, University of California at Berkeley. Maildir support from aliases, :include: and .forward files. Specify /file/name/ - the trailing / is required. Suggested by Daniel Eisenbud, University of California at Berkeley. Workaround: watchdog timer to prevent the queue manager from locking up on some systems. Bugfix: in Received: headers, the "for " information was in the wrong place. Pointed out by Jon Ribbens, Oaktree Internet Solutions Ltd. 19990124 Portability: more workarounds for GNU getopt() by Liviu Daia, Institute of Mathematics, Romanian Academy. File: sendmail/sendmail.c. 19990125 Bugfix: Postfix should not masquerade recipient addresses extracted from message headers. Problem reported by David Blacka, Network Solutions. File: cleanup/cleanup_message.c. 19990126 Feature: smtpd_etrn_restrictions parameter to restrict who may use ETRN and what domains may be specified. Example: "smtpd_etrn_restrictions = permit_mynetworks, reject". Requested by Jon Ribbens, Oaktree Internet Solutions Ltd. File: smtpd/smtpd_check.c. 19990127 Bugfix: in an attempt to shave some cycles, the anti junk mail routines would use the wrong resolved address. This "optimization" is now turned off. Problem reported by Sam Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c. Feature: BIFF notifications. For compatibility reasons this feature is on by default. This "protocol" can be a real performance pig. Specify "biff = no" in main.cf if your machine has lots of shell users. Feature requested by Dan Farmer - it's one of the things one does for friends. Files: local/mailbox.c, local/biff_notify.c. Bugfix: another case sensitivity problem, this time with virtual lookups to recognize unknown@virtual.domain. Problem reported by Bo Kleve, Linkoping University. File: qmgr/qmgr_message.c. 19990128 Feature: with "soft_bounce = yes", defer delivery instead of bouncing mail. This is a safety net for configuration errors with delivery agents. It has no effect on errors in virtual maps, canonical maps, or in junk mail restrictions. Feature requested by Bennett Todd. File: global/bounce.c. 19990129 Compatibility: the qmail maildir.5 documentation prescribes maildir file names of the form time.pid.hostname, which is wrong because Postfix processes perform multiple deliveries. Elsewhere the qmail author has documented how maildir files should be named under such conditions. Postfix has been changed to be conformant. File: local/maildir.c. 19990131 Feature: special treatment of owner-foo and foo-request can be turned off. Specify "owner_request_special = no". Requested by Matthew Green and others. Files: local/alias.c, global/split_addr.c. This affects canonical, virtual and alias lookups. 19990204 Portability: signal handling for HP-UX 9 by Lamont Jones of Hewlett Packard. File: master/master_sig.c. Robustness: disable random walk inside a per-site queue to avoid message starvation under heavy load. File: qmgr_entry.c. Robustness: under some conditions the queue manager could declare a host dead after just one delivery failure. File: qmgr_queue.c. 19990212 Feature: skip SMTP servers that greet us with a 4XX status code. Example: "smtp_skip_4xx_greeting = yes". By default, the Postfix SMTP client defers delivery when a server declines talking to us. File: smtp/smtp_connect.c. Robustness: upon startup the queue manager now moves active queue files to the incoming queue instead of the deferred queue, to avoid anomalous delivery delays on systems that have a huge incoming queue. Files: qmgr/qmgr.c, qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script* 19990213 Robustness: added watchdog timers to avoid getting stuck on systems with broken select() socket implementations. File: qmgr_transport.c, qmgr_deliver.c. 19990218 Feature: NFS-friendly delivery to mailbox by avoiding the use of root privileges as much as possible. With input by Mike Muus, Army Research Lab, USA. Feature: the smtp-sink test server now supports SMTP command pipelining. To this end we had to generalize the timer and vstream support. Poor performance is fixed 19990222. Cleanup: timer event routines now have the same interface as read/write event routines (event type + context). File: util/events.c. Feature: new vstream_peek() routine to tell how much unread data is left in a VSTREAM buffer. This is the vstream variant of the peekfd() routine for kernel read buffers. File: util/vstream.c. Feature: directory scanning support for hashed mail queue directories. So far the results are disappointing: with depth = 2 (16 directories with 16 subdirectories), mailq takes 5 seconds with an empty queue unless all directories happen to be cached in memory. We need a bit map before hashed queue directories become practical. Depth=1 hashing doesn't slow down mailq much, but doesn't help much either. Files: util/scan_dir.c, global/mail_scan_dir.c. 19990221 Workaround: with "ignore_mx_lookup_error = yes", the SMTP client always performs an A lookup when an MX lookup could not be completed, rather than treating MX lookup failure as a temporary error condition. Unfortunately there are many broken DNS servers on the Internet. File: smtp/smtp_addr.c. 19990222 Performance: rewrote the guts of the smtp-sink test server so it can do pipelining without losing performance. 19990223 Workaround: hotmail.com sometimes drops the connection after "." (causing misleading diagnostics to be logged) or waits minutes after receiving QUIT. Solution: do not wait for the response to QUIT. File: smtp/smtp_proto.c. This is turned off with: "smtp_skip_quit_response = no". 19990224 Feature: the pipe mailer accepts user=username:groupname, based on code submitted by Philip A. Prindeville, Mirapoint, Inc., USA. File: pipe/pipe.c. Workaround: use file locking to prevent multiple processes from select()ing on the same socket. This causes performance problems on large BSD systems. Files: master/*_server.c. 19990225 Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to the loopback interface. Problem reported by Steve Bellovin of AT&T. File: smtp/smtp_addr.c. Feature: "postsuper" command to remove stale queue files to update queues after changes to the queue structure parameters (hash_queue_names, hash_queue_depth). This command is to be run from the postfix-script maintenance shell script. 19990301 Feature: new postconf -h (suppress `name = ' in output) option to make the program easier to use in, e.g., shell scripts. Feature: dict_unix module so you can add the UNIX passwd table to the SMTPD access control list. 19990302 Feature: "luser_relay = destination" captures mail for non-existent local recipients. This works only when the local delivery agent does mailbox delivery (including delivery via mailbox_command), not when mailbox delivery is delegated to another message transport. Feature: new reject_non_fqdn_{hostname,sender,recipient} restrictions to require fully.qualified.domain forms in HELO, MAIL FROM and RCPT TO commands (while still allowing the <> sender address). 19990304 Bugfix: backed out the 19990119 change to always insert Return-Path: if that header is not present. The pipe and local agents now are responsible for prepending Return-Path:. Files: cleanup/cleanup_message.c, global/mail_copy.[hc], pipe/pipe.c, global/header_opts.c. This causes an incompatible change to the pipe flags parameter, because Return-Path: now must be requested explicitly. 19990305 Bugfix: showq (the mailq server) incorrectly assumed that all recipients of a deferred message are listed in the corresponding defer logfile. It now lists all recipients. Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure that sender records always precede recipient records). Cleanup: smtpd HELO restrictions validate [numerical] forms. Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial code by Philip A. Prindeville, Mirapoint, Inc., USA. 19990306 Cleanup: re-vamped the valid_hostname module, and added a maximal label length (63) requirement. Feature: fallback_relay parameter to specify extra backup hosts in case the regular relay hosts are not found or not available. Files: smtp/smtp_addr.c. Feature: "always_bcc = address" specifies where to send a copy of each message that enters he system. However, if that copy bounces, the sender will be informed of the bounce. Files: smtpd/smtpd.c, pickup/pickup.c Compatibility: the transport map will now route on top-level domains, so you can dump all of .bitnet to a bitnet relay. 19990307 Feature: LDAP lookups, updated by Jon Hensley, Merit Network, USA. Feature: regular expression (PCRE) support by Andrew McNamara, connect.com.au Pty. Ltd., Australia. In order to use this code specify pcre:/file/name. You can use this anywhere you would use a DB or DBM file, NIS or LDAP. See: PCRE_README for how to enable this code. Feature: "delay_warning_time = 4" causes Postfix to send a "your mail is delayed" notice after approx. 4 hours. Daniel Eisenbud, University of California at Berkeley. Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster notices for delayed mail are disabled by default. In order to receive postmaster notices, specify "notify_classes = ... delay ...". Cleanup: do not send undeliverable bounced mail to postmaster. This was causing lots of pain with junk mail from bogus sender addresses to non-existent recipients. This change was reversed 19990311. 19990308 Bugfix: the dotforward routine was too eager with throwing away extension information, so that the Delivered-To: info would differ for \mailbox and |command. Problem reported by Rafi Sadowski, Open University, Israel. Bugfix: seems I never got around to fix the btree access method. I finally did. Problem reported by: Matt Smith, AvTel Communications Inc., USA. 19990311 Back by popular demand: with "notify_classes = 2bounce ..." Postfix will send undeliverable bounced mail to postmaster. The default is to not send double bounces. This change reverses a change made on 19990307. 19990312 Feature: configurable exit handler for server skeletons. Philip A. Prindeville, Mirapoint, Inc., USA. Files: master/*server.c. Feature: mail_spool_directory configuration parameter to specify the UNIX mail spool directory. The default setting is system dependent. 19990313 Cleanup: share file descriptors for resolve and rewrite client connections. This puts less strain on the trivial-rewrite service. Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov, Nizhny Novgorod City Health Emergency Station. Feature: configurable delays in the smtpstone test programs. With input by Philip A. Prindeville, Mirapoint, Inc., USA. Files: smtpstone/*.c. Bugfix: a "signal 11" problem in the trivial-rewrite program that would occasionally happen after "postfix reload". Reason: some rewrite clients would clobber their input, and when they had to retransmit the query, the input would be a zero-length string, which trivial-rewrite isn't supposed to receive. 19990314 Feature: "mailbox_transport = cyrus" delegates all local mailbox delivery to a master.cf entry called "cyrus" (the same trick for procmail), including users not found in the UNIX passwd database. This gives the flexibility of $name expansions by the pipe mailer, without losing local aliases and ~/.forward processing. Result of discussions with Rupa Schomaker, RS Consulting. 19990315 Feature: the mydestination parameter can now be an empty string, for hosts that don't receive any mail locally. Be sure to specify a default route for mail that comes to the machine or mail will loop. 19990316 Bugfix: the SMTPD check scaffolding didn't apply the same sanity checks as the production code. Problem reported by Alain Thivillon, Herve Schauer Consultants, France. File: smtpd/smtpd_check.c. Portability: some systems can have more than 59 seconds in a minute. Based on a fix by Liviu Daia, Institute of Mathematics, Romanian Academy. File: global/mail_date.c. Enhancement: include the client network address in the rejected by RBL response. Lamont Jones, Hewlett-Packard. Workaround: use fstat() to figure out if the maildrop is world-writable. access() uses the real uid, which stinks. Robustness: don't do partial address lookups (user@, domain, user, @domain) with regexp-style tables. Security: don't allow regexp-style tables to be used for aliases. It would be too easy to slip in "|command" or :include: or /file/name. 19990317 Feature: "fallback_transport = cyrus" delegates non-UNIX recipients to a master.cf entry called "cyrus", allowing you to have both UNIX and non-UNIX mailboxes side by side. 19990319 Workaround: on 4.4 BSD derivatives, fstat() can return EBADF on an open file descriptor. Now, that was a surprise. This caused std{out,err} from cron commands to not be delivered. Bugfix: "local -v" stopped working. Workaround: more watchdog timers for postfix-unfriendly systems. By now every Postfix daemon has one. Call it life insurance. Robustness: increased the maximal time to receive or deliver mail from $ipc_timeout (default: 3600 seconds) to the more generous $daemon_timeout (default: 18000 seconds). We don't want false alarms. Portability: IRIX 5.2 does not have usleep(). 19990320 Bugfix: \username was broken. Frank Dziuba was the first to notice. 19990321 Workaround: from now on, Postfix on Solaris uses stream pipes instead of UNIX-domain sockets. Despite workarounds, the latter were causing more trouble than anything else on all systems combined. 19990322 Portability: the makedefs would mis-identify IRIX 6.5.x as IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller Institute for Production Technology, Denmark. Feature: reject_unknown_recipient_domain restriction for recipient addresses. For the sake of symmetry, we now also have reject_unknown_sender_domain. This means the old reject_unknown_address restriction is being phased out. Suggested by Rask Ingemann Lambertsen, Denmark Technical University. Feature: unknown sender/recipient domain restrictions now distinguish between soft errors (always: 450) and hard errors (configurable with the unknown_address_reject_code parameter, default: 450; use 550 at your own risk). Feature: no HELO junk mail restrictions means that no syntax check will be done on HELO/EHLO hostname arguments. Bugfix: the initial Solaris workaround for UNIX-domain sockets could cause the queue manager to block if Postfix ran into a delivery agent process limit. After another code rewrite that problem is eliminated. Thanks to Chris Cappuccio, Empire Net, for assistance with testing. 19990323 Bugfix: too much forwarding when users list their own name in their .forward file (e.g. mail to user@localhost would go through .forward, would be forwarded to user@$myorigin, and would go through .forward again). Problem reported by Roman Dolejsi, Prague University of Economics. 19990324 Bugfix: missing map name in check_xxx_access restrictions could cause a segmentation error. Lamont Jones, Hewlett- Packard. Feature: forward_path configuration parameter (default: $home/.forward$recipient_delimiter$extension,$home/.forward). Based on initial code by Philip A. Prindeville, Mirapoint, Inc., USA. Files: local/dotforward.c. 19990325 Workaround: Solaris NIS alias maps need special entries (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal keys/values include a null byte at the end, but the YP_XXX ones don't. Problem reported by Walcir Fontanini, state university of Campinas, Brazil. File: postalias/postalias.c. Compatibility: Solaris NIS apparently does include a null byte at the end of keys and values. File: util/sys_defs.h. Feature: library support for config parameters that are not $name expanded at program start-up. This was needed for forward_path, and will also be needed to make message headers customizable. Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett- Packard. File: util/dict_pcre.c. 19990326 Compatibility: Postfix now puts two spaces after the sender in a "From sender date..." header. Found by John A. Martin, fixed by Lamont Jones, Hewlett-Packard. Bugfix: when a recipient appeared multiple times in a local alias or include expansion, the delivery status could be left uninitialized, causing the mail to be deferred and delivered again. File: local/recipient.c. 19990327 Cleanup: the dictionary routines now take an extra flag argument to control such things as warning about duplicates, and appending null bytes to key/value. The latter was needed for a clean implementation of NIS master alias maps support. Feature: POSIX regular expressions by Lamont Jones. See config/sample-regexp.c. Right now, enabled on *BSD and LINUX only. 19990328 Code cleanup: dictionaries now have flags that say whether lookup keys are fixed strings or whether keys are subjected to pattern matching. This is needed to avoid passing partial addresses to regexp-based lookup tables (user, @domain, user@, domain). Files: util/dict*.c. Bugfix: fixed memory leaks and core dumps in the regexp and pcre routines (neither handled an empty pattern file). 19990329 Code cleanup: the dictionary I/O routines now do their own locking depending on dictionary flag settings. This means that the low-level dict_get() interface can now be used for safe dictionary lookups. This is needed for 19990328's partial lookup key support. Files: util/dict*.c. global/maps.c. Feature: regular expression matches are no longer limited to user@domain address forms in access/canonical/virtual maps, but can also be used for domains in transport maps. This needed the partial lookup key support to avoid passing partial addresses to regexp-based lookup tables (user, @domain, user@, domain). Files: global/maps.c global/mail_addr_find.c. Feature: new dictionary types can be registered with dict_open_register(). File: util/dict_open.c. 19990330 Bug fix: match_list membership dictionary lookups were case sensitive when they should not. Patch by Lutz Jaenicke, BTU Cottbus, Germany. 19990402 Feature: $domain macro support in forward_path. Philip A. Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c. Feature: if an address extension (+foo) is explicitly matched by the .forward+foo file name, do not propagate the extension to recipient addresses. This is more consistent with the way aliases are expanded. File: local/dotforward.c. 19990404 Bugfix: after receiving mail, the SMTP server didn't reset the cleanup error flag, so that multiple deliveries over the same SMTP session could fail due to errors with previous deliveries. Found by Lamont Jones, Hewlett-Packard. 19990405 Feature: MIME-encapsulated bounces. Philip A. Prindeville, Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c Cleanup: vstreams now properly look at the EOF flag before attempting to read, eliminating the need for typing Ctrl-D twice to test programs; the EOF flag is reset after each unget or seek operation. Files: util/vstream.c, util/vbuf.c. Feature: in preparation for configurable message headers the mac_parse() routine now balances the parentheses in ${name} or $(name). We need this in order to support conditional expressions such as ${name?text} where `text' contains other ${name} expressions. 19990406 Cleanup: changed MIME header information to make bounces more RFC 1892 compliant. 19990407 Feature: "best_mx_transport = local" delivers mail locally if the local machine is the best mail exchanger (by default, mail is bounced with a "mail loops back to myself" error). Config: in order to make feature tracking easier the source code distribution now has a copy of the default settings in conf/main.cf.default. Feature: separate configurable postmaster addresses for single bounces (bounce_notice_recipient), double bounces (2bounce_notice_recipient), delayed mail (delay_notice_recipient), and for other mailer errors (error_notice_recipient). The default for all is "postmaster". 19990408 Workaround: on Solaris 2.x, the master appears to lose its exclusive lock on the master.pid file, so keep grabbing the lock each time the master wakes up from select(). Robustness: don't flush VSTREAM buffers after I/O error. This prevents surprises when calling vstream_fclose() after truncating a mailbox to its original size. Portability: on LINUX systems, if exists, don't look for . Workaround: specify "sun_mailtool_compatibility = yes" to avoid clashes with the mailtool application. This disables kernel locks on mailbox files. Use only where needed. Portability: renamed readline to readlline, to avoid clashes with mysql. 19990409 Bugfix: ignore temp queue files that aren't old enough. Problem reported by Vivek Khera, Khera Communications, Inc. Bugfix: fixed typo in dict_db.c that caused processes to not release DB shared locks. Feature: auto-detection of changes to DB or DBM lookup tables. This avoids the need to run "postfix reload" after change to the smtp access table and other tables. Feature: regular expression checks for message headers. This requires support for POSIX or for PCRE regular expressions. Specify "header_checks = regexp:/file/name" or "header_checks = pcre:/file/name", and specify "/^header-name: badstuff/ REJECT" in the pattern file (patterns are case-insensitive by default). Code by Lamont Jones, Hewlett-Packard. It is to be expected that full content filtering will be delegated to an external command. 19990410 Bugfix: auto-detection of changes to DB or DBM lookup tables wasn't done for TCP connections. 19990410 Feature: $recipient expansion in forward_path. Philip A. Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c Feature: the smtp client consistently treats a numerical hostname as an address. File: smtp/smtp_addr.c. 19990414 Compatibility: support comment lines starting with # in $mydestination include files. This makes Postfix more compatible with sendmail.cw files. File: util/match_list.c. Feature: if your machines have short host names, specify "mydomain = domain.name", and you no longer have to specify "myhostname = host.domain.name". Files: global/mail_params.c, postconf/postconf.c. 19990420 Cleanup: bounce mail when a mailbox goes over file quota, instead of deferring delivery. File: local/mailbox.c. 19990421 Feature: auto-detection of changes to DB or DBM lookup tables now includes the case where a file is unlinked. Philip A. Prindeville, Mirapoint, Inc., USA. File: util/dict.c. 19990422 Robustness: Lotus mail sends MAIL FROM: <@> instead of <>. Problem reported by Erik Toubro Nielsen, IFAD, Denmark. Files: trivial-rewrite/rewrite.c (@ becomes empty address) and global/rewrite_clnt.c (allow empty response). Bugfix: showq could segfault when writing to a broken pipe. Problem reported by Bryan Fullerton, Canadian Broadcasting Corporation. Files: util/vbuf_print.c. Cleanup: got rid of the "fatal: write error: Broken pipe" message when mailq output is piped into a program that terminates early. Cleanup: bounce messages are multipart/mixed with the error report as part of the first message segment, because users had trouble extracting the delivery error report from the attachment. 19990423 Cleanup: the default junk mail reject code is now 554 (service unavailable) rather than 550 (user unknown). Folded in the updated dict_ldap.c module by John Hensley, Merit Network, USA. Folded in the vstream_popen.c updates by Philip A. Prindeville, Mirapoint, Inc., USA. This copies a lot of code from pipe_command(); the next step is to trim that module. 19990425 Workaround: renamed config.h to mail_conf.h etc. in order to avoid name collisions with LINUX (yes, they have a system include file called config.h). For compatibility with people who have written software for Postfix, there's a config.h that aliases the old names to the new ones. That file will go away eventually. 19990426 Feature: error mailer, in order to easily bounce mail for specific destinations. In the transport table, specify: "host.domain error:host.domain is unavailable". Too bad that the transport table triggers on destination domain only; it would be nice to bounce specific users as well. 19990427 Cleanup: "disable_dns_lookups = yes" now should disable all DNS lookups by the SMTP client. 19990428 Bugfix: with DBM files, Postfix was watching the "dir" file modification time for changes. It should be watching the "pag" file instead. 19990429 Cleanup: all callbacks in the master to server API now pass on the service name and the application-specific argument vector. Files: master/*server.c. 19990504 Feature: conditional macro expansion. ${name?text} expands to text when name is defined, otherwise the result is empty. ${name:text} expands to text when name is undefined, otherwise the result is empty. File: util/mac_expand.c. Feature: conditional macro expansion of the forward_path configuration parameters of $user, $home, $shell, $recipient, $extension, $domain, $mailbox and $recipient_delimiter. Files: local/dotforward.c, local/local_expand.c. 19990506 Cleanup: eliminated misleading warnings about unknown HELO etc. SMTPD restrictions when the HELO etc. information is not available. File: smtpd/smtpd_check.c. 19990507 Feature: all smtpd reject messages now contain the MAIL FROM and RCPT TO addresses, if available. 19990508 Feature: conditional macro expansion of the luser_relay configuration parameter. It is no longer possible to specify /file/name or "|command" destinations. File: local/unknown.c. Cleanup: changed the mac_parse interface so that the application callback routine can return status information. Updated the dict_regexp and dict_pcre modules accordingly. Cleanup: changed the mac_expand interface so that the caller provides an attribute lookup routine, instead of having to provide a copy of all attributes upfront. Files: util/mac_expand.c, local/local_expand.c. Feature: control over how address extensions are propagated to other addresses. By default, propagation of unmatched address extensions is now restricted to canonical and virtual mappings. Specify "propagate_unmatched_extensions = canonical, virtual, alias, forward, include" to restore previous behavior. 19990509 Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address) and MAILBOX (address localpart) environment variables are exported to shell commands (including mailbox_command). Feature: new command_expansion_filter parameter to control what characters may appear in message attributes that are exported via environment variables. Cleanup: SMTPD reject messages are more informative, and more complete sender/recipient information is logged for the local sysadmin. 19990510 Bugfix: missing MIME header in postmaster bounce notices. Found by Samuel Tardieu, Ecole Nationale Superieure des Telecommunications, France. Feature: UCE restrictions are always delayed until RCPT TO, VRFY or ETRN. To change back to the default specify "smtpd_delay_reject = no" in /etc/postfix/main.cf. Bugfix: missing duplicate filter call. This caused too many deliveries when a user is listed multiple times in an alias. Reported by Hideyuki Suzuki, School of Engineering, University of Tokyo. Backed out on 19990512 because it caused problems. Fixed 19990513 but needs further study. Feature: it is now possible to move queue files back into the maildrop queue, so that they can benefit from changes in canonical and virtual mappings. In order to make this possible, some restrictions on queue file contents were relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c. Feature: made a start with integrating Joerg Henne's dictionary extensions to remove entries and to iterate over entries. That code is almost four months old by now. 19990511 Feature: added a "undeliverable postmaster notification discarded" warning when mail is dropped on the floor. Requested by Michael Hasenstein, SuSE, Germany. 19990517 Bugfix: reject_non_fqdn_sender/recipient would pass user@[ip_address] regardless of destination. Eric Cholet had the honor of suffering from this one. 19990527 More SMTP client logging for easier debugging: the smtp client now logs hostname[ip.addr], and logs every failed attempt to reach an MX host, not just the last one. 19990601 Bugfix: emit a blank line before a MIME boundary; the line is part of the boundary. File: bounce/bounce_notify_service.c. Wolfgang Segmuller, IBM Research. 19990610 Bugfix: the "is this the loopback interface" test was broken. Reported by Claus Fischer @microworld.com. File: smtp/smtp_connect.c. Usability: added helpful warnings about restrictions that are being ignored after check_relay_domains, etc. Portability: Reliant Unix support by Gert-Jan Looy, Siemens, the Netherlands. 19990611 Robustness: the postfix-script start-up procedure now detects a missing master program, avoiding misleading warnings that the mail system is already running. Fix suggested by David E. Smith @technopagan.org. Portability: Mac OS X Server Port by Mark Miller @swoon.net. Feature: on systems that use dotlock files for mailbox locking, the local delivery agent now will attempt to use dotlock files when delivering to user-specified files. Dotlock files for user-specified destinations are created with the privileges of the user. For backwards compatibility, Postfix will attempt to create dotlocks for user-specified destinations only when the user has parent directory write permission. Feature: specify "expand_owner_alias = yes" in order to use the right-hand side of an owner- alias, instead of using the left-hand side address. Needed by Juergen Georgi. 19990622 Bugfix: the local delivery agent did not set user attributes when delivering to root, so that forward_path did not expand properly. Found by Jozsef Kadlecsik, KFKI Research Institute for Particle and Nuclear Physics, Hungary. File: local/dotforward.c. Bugfix: the unix:passwd.byname mechanism is not suitable for smtpd access control - the user name would have to end in @, or the access control software would have to be changed. Removed the example from the RELEASE_NOTES file. 19990623 Bugfix: the smtp server did not reset the error flag after ".". Found by James Ponder, Oaktree Internet Solutions Ltd. File: smtpd/smtpd.c. Bugfix: fencepost error in the doze() routine (an usleep() replacement for systems without one). Found by Simon J Mudd. File: util/doze.c. 19990624 Portability: support for AIX 3.2.5 (!) by Florian Lohoff @rfc822.org. Portability: Ultrix 4.3 support by Christian von Roques @pond.sub.org. Feature: mysql support by Scott Cotton and Joshua Marcus, Internet Consultants Group, Inc. Files: util/dict_myqsl.*. 19990627 Bugfix: Postfix is now distributed under the new IBM Public License (version 1, dated June 14, 1999). Feature: the Delivered-To: header can be turned off for delivery to command or file/mailbox. The default setting is: "prepend_delivered_header = command, file, forward". Turning off the Delivered-To: header when forwarding mail is not recommended. 19990628 Feature: the postlock command now returns EX_TEMPFAIL when the destination file is locked by another process. 19990705 Workaround: in the SMTP client, move the "mail loops back to myself test" from the 220 greeting to the HELO response. This change does not weaken the test, and makes Postfix more robust against broken software that greets with the client hostname. 19990706 Workaround: in the INSTALL file, use `&&' instead of `;' in (cd path; tar ...) pipelines because some UNIX re-invented shells don't bail out when cd fails. Matthias Andree @stud.uni-dortmund.de. 19990709 Bugfix: $user was not set when delivering to a non-user. Found by Vladimir Ulogov @ rohan.control.att.com when configuring a luser_relay that contained $user. 19990714 Robustness: add PATH statement to Solaris2 chroot setup script to avoid running the ucb commands. Problem found by Panagiotis Astithas @ ece.ntua.gr. 19990721 Bugfix: don't claim a "mail loops to myself" error when the best MX host was not found in the DNS. Found by Andrew McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c. 19990810 Feature: added "-c config_dir" support to the postconf command. This probably means that "-f file" will never be implemented. 19990812 Bugfix: showq didn't print properly when listing a maildrop file. Fix by: Andrew McNamara, connect.com.au Pty Ltd. File: showq/showq.c. Feature: added SENDER to the list of parameters exported to external commands. File: local/command.c. Code by: Lars Hecking, National Microelectronics Research Centre, Ireland. 19990813 Bugfix: sendmail -t (extract recipients from headers) did not work when the always_bcc feature was turned on. Reported by: Denis Shaposhnikov @ neva.vlink.ru. 19990813 Bugfix: "sendmail -bd" returns a bogus exit status (the child process ID). Fix by Lamont Jones of Hewlett-Packard. File: sendmail/sendmail.c. 19990824 Bugfix: null pointer dereference while rejecting VRFY before MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net. 19990826 Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP code that had been removed for the first public beta release; NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases database. Submitted by Gerben Wierda. Portability: workaround for a FreeBSD 3.x active network interface without IP address by Pierre Beyssac @ enst.fr. File: inet_addr_local.c. 19990831 Workaround: sendmail now prints a warning when installed set-uid or when run by a set-uid command. Reportedly, the linuxconf software turns on the set-uid bit, which could open up a security loophole. File: sendmail/sendmail.c. Bugfix: Postfix daemons now temporarily lock DB/DBM files while opening them, in order to avoid "invalid argument" errors because some other process is changing the file. Files: util/dict_db.c, util/dict_dbm.c. Robustness: Postfix locks queue files during delivery, to prevent duplicate delivery when "postfix reload" is immediately followed by "sendmail -q". This involves a change of the deliver_request interface: delivery agents no longer need to open and close queue files explicitly. Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c, local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c. Feature: reject_unauth_destination SMTP recipient restriction that rejects destinations not in $relay_domains. By Lamont Jones of Hewlett-Packard. File: smtpd/smtpd_check.c. Security: do not allow weird characters in the expansion of $names that appear in $forward_path. Just like with shell commands, replace bad characters in expansions by underscores. Configuration parameter: forward_expansion_filter. 19990902 Documentation: added a sample postfix alias to the examples in the INSTALL document and in the conf/aliases file. Reminded by Simon J. Mudd @ alltrading.com. 19990903 Bugfix: in case of some error conditions the pickup daemon could leak small amounts of memory. 19990905 Bugfix: no more "skipping further client input" warnings when a message header is rejected. Feature: reject_unauth_pipelining SMTP restriction that rejects mail from clients that improperly use SMTP command pipelining. Robustness: the LDAP client by default no longer looks up names containing "*". See the lookup_wildcards feature in LDAP_README. Update by John Hensley. Documentation: address masquerading with exceptions FAQ by Jim Seymour @ jimsun.LinxNet.com. Bugfix: mysql reconnect after disconnect by Scott Cotton Internet Consultants Group, Inc. File: util/dict_myqsl.c. Portability: the Postfix to PCRE interface now expects version 2.08. Postfix is no longer compatible with PCRE versions before 2.6. 19990906 Feature: INSTALL.sh script that makes Postfix installation a bit less painful. This script can be used for installing and for upgrading Postfix. It replaces files instead of overwriting them, and leaves existing configuration and queue files intact. 19990907 Bugfix: reject_non_fqdn_sender used the wrong test to see if a sender address was given and could dump core. This must have been broken ever since the UCE tests were moved to the RCPT TO stage in 19990510. Bugfix: check_sender_access was recognized as a valid restriction name only if a sender had been specified. 19990908 Portability: Unixware has only after sendmail is installed. Changed postlock.c to use global/sys_exits.h. 19990909 Performance: added one-entry cache to the address rewriting client and to the address resolving client. This is because UCE restrictions tend to produce the same query repeatedly. Files: global/rewrite_clnt.c, global/resolve_clnt.c. Feature: the UCE restrictions are now fully recursive so you can have per-client/helo/sender/recipient restrictions. Instead of OK, REJECT or [45]xx, you can specify a sequence of restrictions on the right-hand side of an SMTPD access table. This means you can no longer use canonical/virtual/alias maps as SMTPD access tables. But the loss is compensated for. File: smtpd/smtpd_access.c. Feature: restriction classes, essentially a short-hand for restriction lists. These short hands are useful mostly on the right-hand side of SMTPD access tables. You must use restriction classes in order to have lookup tables on the right-hand side of an SMTPD access table. File: smtpd/smtpd_access.c. Feature: "permit_recipient_map maptype:mapname" permits a recipient address when it matches the specified table. Lookups are done just as with canonical/virtual maps. With this, you can also use passwd/aliases as SMTPD access maps. File: smtpd/smtpd_access.c. 19990910 Changed "permit_address_map" into "permit_recipient_map" and added a test for the case that they specify a lookup table on the right-hand side of an SMTPD access map. File: smtpd/smtpd_access.c. Cleanup: removed spurious sender address checks for <>. File: smtpd/smtpd_check.c. Cleanup: the smtp client now consistently logs host[address] for all connection attempts. 19990919 Feature: in an SMTPD access map, an all-numeric right-hand side now means OK, for better cooperation with out-of-band authentication mechanisms. 19990922 Security: recipient addresses must not start with '-', in order to protect external commands. The old behavior is re-instated when main.cf specifies: "allow_min_user = yes". Credits to Mads Kiilerich @ Kiilerich.com. File: qmgr/qmgr_message.c. Bugfix: after 19990831, the queue manager would throw away defer logs after deferring mail to known-to-be-dead hosts or message transports. This means that in some cases, mailq would not show why mail is delayed, and that delayed mail could be sent back with recipients missing from the error report. Reported by Giulio Orsero @ tiscalinet.it. 19990923 Bugfix: the above bugfix broke bounces of mail with bad address syntax and relocated users. Problem diagnosed by Dick Porter @ acm.org. Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF INSTEAD notices to the sample-xxx.cf files. 19991007 Compatibility: ignore the sendmail -U (initial user submission) option. Thomas Quinot @ cuivre.fr.eu.org. 19991103 Code cleanup: don't send postmaster notifications when an SMTP client sends a DATA command while no recipients were accepted. This can happen when a pipelined client runs into an UCE block. File: smtpd/smtpd.c. 19991104 Robustness: do not apply UCE header checks to mail that is generated by Postfix (bounces, forwarded mail etc.). Files: smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c. Robustness: new generic watchdog module that can deal with clocks that jump occasionally. Files: util/watchdog.c, master/master.c, master/{single,multi,trigger}_server.c. This hopefully ends the false watchdog alarms that happen when clocks are set or when laptops are resumed. Code cleanup: BSMTP requires dot quoting as per RFC 821. Based on code by Florian Lohoff @ rfc822.org. Files: global/mail_copy.[hc], pipe/pipe.c. 19991105 Bugfix: the crufty code in inet_addr_local() did not find IP aliases. File: util/inet_addr_local.c. Portability: the INSTALL.sh utility did not find users or groups in NIS or Netinfo tables. The script no longer searches the /etc/passwd and /etc/group files. Instead it now queries the unix:passwd.byname and unix:group.byname maps. For this, a -q (query) option was added to postmap (and to postalias, for symmetry). Files: util/dict_unix.c, postalias/postalias.c, postmap/postmap.c, INSTALL.sh. Bugfix: LDAP lookup timeout settings were ignored. Patch by John Hensley. File: util/dict_ldap.c. 19991108 Bugfix: when doing a fresh install, INSTALL.sh didn't set main.cf:mail_owner properly (Simon J. Mudd). 19991109 Bugfix: when doing a fresh install, INSTALL.sh no longer worked (missing main.cf file). Fix: add "-c" argument to the postmap commands (Lars Hecking @ nmrc.ucc.ie). Documentation: removed spurious "do not edit" comments from the sample pcre and regexp configuration files. 19991110-13 Code cleanup: greatly simplified the SMTPD command parser and somewhat simplified the code that groks RFC 822-style address syntax in MAIL FROM and RCPT TO commands. New parameter: strict_rfc821_envelopes (default: no) to reject RFC 822 address forms (with comments etc.) in SMTP envelopes. By default, the Postfix SMTP server only logs a warning. 19991113 Oops, also updated the SMTP VRFY code in the light of changes to the SMTPD command parser. Cleanup: the local delivery agent now explicitly rejects recipients with an empty username. 19991114 Workaround: with some gawk versions, postconf/extract.awk reportedly returns a non-zero exit status upon success. Added an explicit exit(0) statement. 19991115 Feature: DNS TXT record lookup support, based on initial code by Simon J Mudd. File: dns/dns_lookup.c. Feature: RBL TXT record lookups, based on initial code by Simon J Mudd. File: smtpd/smtpd_check.c. Feature: permit_auth_destination restriction based on code by Jesper Skriver @ skriver.dk. Code cleanup: the transport table now can override all deliveries, including local ones. 19991116 Code cleanup: a new "local_transports" configuration parameter explicitly lists all transports that deliver mail locally. The first name listed there is the default local transport. This is the end of the "empty next-hop hostname" hack to indicate that a destination is local. Files: trivial-rewrite/resolve.c, global/local_transport.[hc] Feature: "postconf -m" shows what lookup table types are available. Code by Scott Cotton, Internet Consultants Group, Inc. Feature: "postconf -e" edits any number of main.cf parameters. The edit is done on a copy, and the copy is renamed into the place of the original. File: postconf/postconf.c, util/readlline.[hc]. 19991117 Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c. Feature: on systems with h_errno, the "reject_unknown_client" restriction now distinguishes between soft errors (always reply with 450) and hard errors (use the user-specified reply code). This should lessen the load by broken mailers that re-connect once a minute. Feature: forward/reverse name/address check for SMTP client hostnames. This fends off some hypothetical attacks by spammers who are in control of their own reverse mapping. Robustness: postconf no longer aborts when it can't figure out the local domain name; it prints a warning instead. This allows you to use "postconf -e" to fix the problem. 19991118 Bugfix: the RFC822 address parser would misparse a leading \ as an atom all by itself. Problem reported by Keith Stevenson @ louisville.edu. File: global/tok822_parse.c. 19991119 Bugfix: tiny memory leak in pipe_command() when fork() fails. File: global/pipe_command.c. 19991120 Bugfix: reversed test for all-numerical results in SMTPD access maps. File: smtpd/smtpd_check.c. 19991121 Robustness: INSTALL.sh no longer uses postmap for sanity checks. Feature: INSTALL.sh now has an install_root option. Bugfix: INSTALL.sh now installs manual pages with proper permissions and ownership. Bugfix: the LDAP client did not properly escape special characters in lookup keys (patch by John Hensley). File: util/dict_ldap.c. 19991122 Bugfix: missing absolute path in INSTALL.sh broke fresh install. 19991124 Bugfix: the local delivery agent's recipient duplicate filter did not work when configured to use unlimited memory (which is not a recommended setting). Patrik Rak @raxoft.cz. 19991125 Bugfix: postconf didn't have an umask(022) call at the beginning (problem experienced by Matthias Andree). 19991126 Bugfix: DNS TXT records now have string lengths before text (Mark Martinec @ nsc.ijs.si). 19991127 Update: the LDAP client code now supports escapes as per RFC2254 (John Hensley). 19991207 Performance: one message with many recipients no longer stops other mail from being delivered. The queue manager now frees in-memory recipients as soon as a message is delivered to one destination, rather than waiting until all in-memory destinations of that message have been tried. Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c. Performance: when delivering mail to a huge list of recipients, the queue manager now reads more recipients from the queue file before delivery concurrency drops too low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c. 19991208 Updated LDAP client code by John Hensley with escape sequences as per RFC 2254. File: util/dict_ldap.c. Updated MYSQL client code by Scott Cotton. File: dict_mysql.c. Feature: added -N/-n options to include/exclude terminating nulls in keys and values in postmap/postalias DB or DBM files. Normally, Postfix uses whatever is appropriate for the host system. A non-default setting can be necessary for inter-operability with third-party software. Bugfix: the local delivery agent would deliver to the user instead of the .forward file when the .forward file was already visited via some non-recursive path. Patch by Patrik Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c. Robustness: attempt to deliver all addresses in the expansion of an alias or .forward file, even when some addresses must be deferred. File: local/token.c. 19991211 Performance: qmgr_fudge_factor controls what percentage of delivery resources Postfix will devote to one message. With 100%, delivery of one message does not begin before delivery of the previous message is completed. This is good for list performance, bad for one-to-one mail. With 10%, response time for one-to-one mail improves much, but list performance suffers. In the worst case, people near the start of a mailing list get a burst of postings today, while people near the end of the list get that same burst of postings a whole day later. Files: qmgr/qmgr_message.c, qmgr/qmgr_entry.c. Bugfix: address rewriting would panic on a lone \ at the end of a line where an address was expected. Jason Hoos @ thwack.net. File: global/rewrite_clnt.c. 19991215 Bugfix: the strict RFC821 envelope address check should not be applied to VRFY commands. File: smtpd/smtpd.c. Cleanup: permit_recipient_maps is gone, because that could only be used inside UCE restrictions. 19991216 Feature: allow an empty inet_interfaces parameter, just like an empty mydestination parameter. It's needed for true null clients and for firewalls that deliver no local mail. Feature: "disable_vrfy_command = yes" disables some forms of address harvesting used by spammers. Workaround: added the alias map parameter definition to the smtpd code. This is a symptom of a general problem with parameters that have non-empty default values: unless a program explicitly defines such a parameter, the parameter defaults to the empty string when used in other parameters. There's also a problem with evaluation order. Feature: the SMTP server rejects mail for unknown users in virtual domains that are defined by Postfix virtual domain files. File: smtpd/smtpd_check.c. Feature: reject mail for unknown local users at the SMTP port. The local_recipient_maps configuration parameter specifies maps with all addresses that are local with respect to $mydestination or $inet_interfaces. Example: "local_recipient_maps = $alias_maps unix:passwd.byname". This feature is disabled by default. You may have to copy the passwd file into the chroot jail. File: smtpd/smtpd_check.c. Feature: the sendmail -f option now understands '' and even understands address forms with RFC 822-style comments. 19991217 Cleanup: no more UCE checks for VRFY commands. It still reports unknown local/virtual users. File: smtpd/smtpd_check.c. Robustness: upon Postfix startup, report discrepancies between system files inside and outside the chroot jail. Files: conf/postfix-script-nosgid, conf/postfix-script-sgid. 19991218 Cleanup: INSTALL.sh produces relative symlinks, which is necessary when install_root is not /. 19991219 Documentation: completely reorganized the FAQ and added many new entries. Rewrote the UCE html documentation. Cleanup: INSTALL.sh uses a configurable directory for scratch files, so that it can install from a file system that is not writable by the super-user. Cleanup: INSTALL.sh gives helpful hints when the "mv" command is unable to move symlinks across file system boundaries. 19991220 Cleanup: it is no longer necessary to list $virtual_maps as part of the relay_domains definition. The SMTP server now by default accepts mail for destinations that match $inet_interfaces, $mydestination or $virtual_maps, whether or not these are specified in relay_domains. We still need the ugly "virtual.domain whatever" hack in the virtual maps. Files: smtpd/smtpd_check.c and lots of documentation and sample config files. 19991221 Removed cyrus -q flag (ignore quotas) from the sample master.cf file. 19991223 Bugfix: smtpd should not check for unknown users when running in stand-alone (sendmail -bs) mode. Problem experienced by Chuck Mead. File: smtpd/smtpd.c. Retraction: the "local_transports" configuration parameter is gone. Adjusted code and documentation accordingly. Instead, use just one "local_transport" parameter with the name of the default local transport. Files: smtpd/smtpd_check.c, qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c. Feature: Postfix SMTPD now insists that the smtpd recipient restrictions contain at least one restriction that by default rejects mail. This should make it much more difficult to change Postfix into an open relay. File: smtpd/smtpd_check.c. Retraction: null-length inet_interfaces is too confusing. 19991224 Bugfix: the relative symlink code in INSTALL.sh computed the ../ prefix from the wrong pathname. 1999122[5-7] Feature: "allow_untrusted_routing = no" (default) prevents forwarding of source-routed mail from untrusted clients to destinations that are blessed by the relay_domains parameter (example: user@domain2@domain1 etc.). This plugs a mail relay loophole where a backup MX host forwards junk mail to a primary MX host which forwards the junk to the Internet. Files: global/quote_822_local.c, smtp/quote_821_local.c, trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, smtp/smtpd_check.c. In order to make this possible, the Postfix resolver data structure and protocol has changed, so that all resolver clients need to be re-compiled. Side effect from the above change: from now on, an address with @ in the recipient localpart no longer bounces with "user unknown" but instead is rejected with "relay access denied" or "source-routed relay access denied". 19991227 Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands misbehave on boundary cases: directory exists or file does not exist. Those who re-invent... 19991229 Added the no source routing info requirement to addresses accepted by the permit_mx_backup UCE restriction. 19991230 Added a spawn daemon (not compiled and installed by default) to enable LMTP delivery over UNIX-domain sockets. The goal is to simplify the experimental LMTP delivery agent by ripping out the privileged code that forks the LMTP server. 20000102 Clarified documentation after early feedback on the 19991231 release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar. Sanity check: a common error is to list Postfix virtual domains in the mydestination parameter. This causes the new optional local_recipient_maps feature to reject mail for virtual users. The SMTP server now explicitly tests for this common error and logs a warning instead of refusing the mail. File: smtpd/smtpd_check.c. 20000104 Bugfix: a case sensitivity bug had slipped through in the anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN to be rejected with "relay access denied". This was found by Jim Maenpaa @ jmm.com. Questionable feature: set "smtp_skip_5xx_greeting = yes" to make Postfix more sendmail compatible, even though this is wrong, IMNSHO. File: smtp/smtp_connect.c. Portability: Ultrix patch from Simon Burge @ thistledown.com.au. Portability: Siemens Pyramid (dcosx) patch by Thomas D. Knox @ vushta.com. Performance: FreeBSD has bidirectional pipes that are faster than socketpairs. Anticipating on more platform-specific optimizations, all duplex pipe plumbing is now isolated in a duplex_pipe.c module that provides a system-independent interface. 20000105 Cleanup: the INSTALL.sh script now updates the sample files in /etc/postfix even when main.cf exists. 20000106 Bugfix: the SMTP server should consult the relocated map for virtual destinations (Denis Shaposhnikov). Files: smtpd/smtpd.c smtpd/smtpd_check.c. 20000108 Workaround: rename() over NFS can fail with ENOENT even when the operation succeeds (Graham Orndorff @ WebTV). This is not news. Any non-idempotent operation can fail over NFS when the NFS server's acknowledgment is lost and the NFS client code retries the operation (other examples are: create, symlink, link, unlink, mkdir, rmdir). Postfix has workarounds for the cases where this is most likely to cause trouble. Files: util/sane_{rename,link}.[hc]. If you want reliable mail system, do not use NFS. 20000115 Workaround: better detection of bad hardware. Added SIGBUS to the list of signals that the master will log before exiting. 20000122 Portability: preliminary SCO5 port Christopher Wong @ csports.com. This still needs to a workaround for "find" not supporting "-type s" (actually, UNIX-domain sockets have no unique representation in the file system and show up as FIFOs). 20000115-22 Bugfix: in case of a too long message header, don't extract recipients from message headers. With the previous behavior, Bcc information could be left in the message body, as one person found out the hard way. Files: cleanup/cleanup.c, cleanup/cleanup_extracted.c, global/cleanup_user.h. 20000124 Whatever: RFC 1869 amends RFC 821 and specifies that code 555 is to be used when a MAIL FROM or RCPT TO parameter is not implemented or not recognized. Russ Allbery @stanford.edu. This reply code is added to the list of reply codes that cause the Postfix SMTP client to mail a transcript to the postmaster. File: smtp/smtp_trouble.c. 20000126 Emergency feature: qmgr_site_hog_factor (default: 90 percent) limits the amount of resources that Postfix devotes to a single destination. With less than 100, Postfix defers the excess mail so that one site with a large backlog does not block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c. 20000128 Cleanup: the queue manager no longer replaces the nexthop field by the recipient localpart when a destination matches $mydestination/$inet_interfaces. The price is the introduction of a new parameter local_destination_recipient_limit which defaults to 1 in order to maintain backwards compatibility. Files: qmgr/qmgr.c, qmgr/qmgr_message.c. 20000129 Bugfix: extracted recipients were misfiled when a message was moved back to the maildrop queue. But they still worked due to a coincidence. Feature: bounce_recip() bounces a recipient immediately without accessing a bounce logfile. This is necessary for VERP bounces, for bounces by delivery agents that change the sender address, and for bounces that for some reason must not use temporary logfiles. Files: global/bounce.c, bounce/bounce_recip_service.c. 20000130 Bugfix: the too long header fix of 20000115-22 lost mail with too long headers that didn't need to extract recipients from message headers. Bugfix: the too long header fix of 20000115-22 lost mail without (blank line + message body). Code rewrite: reorganized the cleanup daemon source code so that the cleanup service can be called one record at a time (see cleanup/cleanup_api.c); also got rid of the global state variables and fixed a couple bugs that were introduced with 20000115-22. 20000204 Feature: in daemon mode, the MAIL FROM size check can be postponed until RCPT TO so that Postfix can log sender and recipient. Simon J Mudd. Files: smtpd/smtpd.c Robustness: limit the number of recipient addresses that can be extracted from message headers. Parameter: extract_recipient_limit (default: 10240). Files: cleanup/cleanup_message.c, cleanup/cleanup_extracted.c. Cleanup: the message header reject logging now includes sender and recipient address (if possible), so that the logging looks more like the other reject logging. File: cleanup/cleanup_message.c. Documentation: added sections on regular expression tables to the access, canonical, virtual, transport and relocated man pages, and write new man pages that are specific to regular expressions: pcre_table.5 and regexp_table.5. 20000214 Bugfix: postconf reported some parameters more than once because the parameter extracting script didn't recognize lines that differ in whitespace only. File: postconf/extract.awk. Reported by Kenn Martin. 20000221 Logging: the SMTP client now logs log host+port when it is unable to connect to a non-MX host, just like it logs host+port when unable to connect to an MX host. 20000226 Bugfix: the SMTP server's "User unknown" test didn't notice LDAP etc. dictionary access errors. The code now reports a 450 status (try again instead of bounce) if the reply is not definitive. File: smtp/smtpd_check.c. Robustness: the smtp-source program could stall when making hundreds of parallel connections to a Postfix system with only one SMTP server process. The fix is to use non-blocking connect() calls, very carefully. File: smtpstone/smtp-source.c. 20000303 Feature: with smtp_always_send_ehlo the SMTP client will send EHLO regardless of the content of the SMTP server's greeting. File: smtp/smtp_proto.c. 20000304 Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary updates, if supported by the underlying mechanism. Files: util/dict.h, util/dict_open.c, util/dict_db.c. 20000307 Cleanup: the manual pages in Postfix configuration files no longer contain troff formatting codes. The text is now generated from prototype files in a new "proto" subdirectory. Requested by Matthias Andree @ stud.uni-dortmund.de. 20000308 Bugfix: the unused db and dbm "delete" routines would clobber the per-dictionary flags when called before reading or writing the table. Files: util/dict_dbm.c, util/dict_db.c. Lutz Jaenicke @ aet.TU-Cottbus.DE. Bugfix: the SMTP server would produce a cryptic message when a queue file write error happened before it had written any recipients. Keith Stevenson. File: smtpd/smtpd.c. Robustness: the db and dbm "delete" routines didn't adjust to dictionaries with/without one trailing null in lookup keys and values. Did a complete rewrite of the routines. Files: util/dict_db.c, util/dict_dbm.c. Feature: specify "-d key" to postalias or postmap in order to remove one key. This still needs to be generalized to multi-key removal (read stdin?). Files: postmap/postmap.c, postalias/postalias.c. Test: added test targets for the dictionary delete operations. Files: util/Makefile.in, util/dict_test.{c,in,ref}. Feature: added data offset and recipient count fields to the first queue file record output from the cleanup daemon. The recipient counts provides an initial estimate for a more advanced queue manager scheduling algorithm. Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. 20000311 Portability: HP-UX awk can't handle bare { in regexps (Lamont Jones. HP). File: postconf/extract.awk. Compatibility: sendmail now recognizes '.' as end of input. File: sendmail/sendmail.c. 20000313 Compatibility: dtcm (CDE desktop calendar manager) leaks a file descriptor into its child process, and requires that sendmail closes the descriptor, otherwise mail notification will hang. These GUI programmers never figured out that the child process must close the writing end of a pipe. File: sendmail/sendmail.c. 20000314 Feature: SASL authentication in the SMTP server and client. Based on code contributed by Till Franke, SuSE. Specify: "smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable = yes". The "permit_sasl_authenticated" UCE restriction gives special treatment to authenticated clients. 20000315 Workaround: added -blibpath option for AIX 4.x, to close hole in case postdrop needs to be set-gid. 20000320 Portability: FreeBSD 5.x added to the list of supported systems (Mark Huizer). 20000323 Portability: INSTALL.sh looks if sendmail is in /usr/lib rather than in /usr/sbin. 20000326 Bugfix: settings in one mysql configuration file would act as the implicit defaults for the next one, which could be confusing. Patch by Scott Cotton. File: util/dict_mysql.c. Robustness: limit the number of "junk" commands that can be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET). Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files: global/mail_params.h, smtpd/smtpd.c. 20000413 Portability: more MacOS X patches by Gerben Wierda. Bugfix: RFC 822 requires the presence of at least one destination message header. The cleanup daemon now generates a generic "To: undisclosed-recipients:;" message header when no destination header is present. The header content is specified with the undisclosed_recipients_header parameter. Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping Project-Resource Centre. 20000416 Workaround: allow <(comment)> as SMTP MAIL FROM address. 20000417 The SASL authentication in the SMTP server and client works, but only on Linux and Solaris, neither of which I wish to run on my laptop. 20000418 Added LMTP support to the smtp-source and smtp-sink utilities so that I don't have to install Cyrus IMAP just to test LMTP. 20000419 Bugfix: removed the () from the tokenized representation of RFC 822 comments, so that comments with \( or \) can be unparsed correctly. Problem reported by Bodo Moeller. 20000423 Bugfix: mail_copy() could prepend > or . in the middle of long lines. Found by code inspection. 20000427 New code: unescape module that translates C escape sequences into their equivalent character values. File: util/unescape.c. Feature: the pipe mailer now has a way to specify the output record delimiter (for example, eol=\r\n). This is necessary for transports that require CRLF instead of UNIX-style LF. 20000502 In order to support timeouts more conveniently, VSTREAMs now have built into them the concept of timeout. Instead of calling read() and write(), the low-level VSTREAM interface now by default uses timed_read() and timed_write() which receive a timeout parameter; vstream_ctl(stream, VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a stream, and vstream_ftimeout(stream) queries a stream for timeout errors. This change simplified timeout handling considerably. Files: util/vbuf.h, util/vstream.[hc], global/smtp_stream.c, global/timed_ipc.c. 20000504 Added application context to VSTREAMs, which is passed on transparently to application-provided read/write routines. vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context. Files: util/vstream.[hc]. Added vstream_setjmp() and vstream_longjmp() support to make exception handling more convenient. Turn on exception handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...). Files: util/vstream.[hc]. Cleaned up the smtp_stream module further and got rid of the global state that limited the use of this module to one stream per process. Files: global/smtp_stream.[hc]. 20000505 Bugfix: the SMTP server now flushes unwritten output before tarpit delays, to avoid protocol timeouts in pipelined sessions when a client causes lots of errors. Found by Lamont Jones, HP. File: smtpd/smtpd_chat.c. Finished the LMTP client, which is based on a modified version of the SMTP client by Philippe Prindeville, Mirapoint, Inc., later modified by Amos Gouaux, UTDallas, and then Wietse ripped it all up again. Currently this talks LMTP over TCP only. Feature: override main.cf parameters in master.cf. Specify "-o parameter=value" after the program name. This allows you to selectively override myhostname etc. See also the new smtp_bind_address parameter below. 20000506 Convenience: the LMTP and SMTP clients now append the local domain to unqualified nexthop destinations. This makes it more convenient to set up transport maps. Files: lmtp/lmtp_addr.c, smtp/smtp_addr.c. Sendmail compatibility: the Postfix SMTP client now skips servers that greet the client with a 4xx or 5xx status code. To disable, set both smtp_skip_4xx_greeting and smtp_skip_5xx_greeting to "no". 20000507 Portability: NetBSD has migrated to /etc/mail/aliases. We can expect to see this happen more often when systems start shipping Sendmail 8.10. File: util/sys_defs.h Updated LDAP code by John Hensley, with support for dereferencing of LDAP aliases, which have nothing to do with Postfix aliases. Feature: "smtp_bind_address=x.x.x.x" specifies the source IP address for SMTP client connections. Specify in master.cf as "smtp -o smtp_bind_address=x.x.x.x" in order to give different delivery agents different source addresses. 20000510 Cleanup: mailbox_transport did not work with the lmtp delivery agent. This dates back to when Postfix used empty nexthop information to indicate that a destination was local. File: global/deliver_pass.c. Bugfix: configuration parameters for one mysql dictionary would become default settings for the next one. File: dict_mysql.c. This patch was merged into Postfix a while back but apparently that Postfix version was nuked when other parts were redesigned. Update by Scott Cotton. Bugfix: some Postfix delivery agents would abort on addresses of the form `stuff@.' which could be generated only locally. Found by Patrik Rak. File: trivial-rewrite/resolve.c. Third-party Berkeley DB support for HP-UX by Lamont Jones. File: makedefs. 20000511 Bugfix: Postfix would incorrectly reject domain names with adjacent - characters. File: util/valid_hostname.c. Bugfix: the 20000505 pipeline tarpit delay flush was wrong and caused the client and server to get out of phase. Yuck! 20000513 Feature: VSTREAMs now have the concept of last fill/flush time, which is needed to prevent timeouts with pipelined SMTP sessions as detailed in the next item. Bugfix: delayed SMTP command/reply flushing to prevent sender delays from accumulating too much and causing timeouts with pipelined sessions. For example, client-side delays happen when a client does DNS lookups to replace hostname aliases in MAIL FROM or RCPT TO commands; server-side delays happen when an UCE restriction involves a time-consuming DNS lookup, or when a server generates tarpit delays. Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c. Portability: define ANAL_CAST for compilation environments that reject explicit casts between pointers and integral types. File: util/sys_defs.h, master/*server.c. Upon closer investigation, this turned out to be the result of someone's compiler configuration preferences. Therefore the change is likely to go away after a code cleanup. 20000514 Feature: mysql client support for multi-valued queries (select email, email2 from aliastbl where username='$local') By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c. Finalized the delayed SMTP command/reply flushing code in the SMTP and LMTP clients after lots of testing and review. 20000520 Robustness: upon receipt of mail, map the mailer-daemon sender address back into the magic null string. File: cleanup/cleanup_envelope.c. 20000524 Bugfix: the code for masquerade_exceptions was case sensitive. Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c. 20000526 Feature: experimental queue manager by Patrik Rak with a fancy pre-emptive scheduling algorithm that improves delivery performance of mail with few recipients. This queue manager is made available as "nqmgr". 20000528 Feature: the SMTP client SASL password file can contain entries for destination domain names (the address remote part) not just mail server hostnames. File: smtp_sasl_glue.c. Feature: smtpd_sasl_local_domain parameter (default: $myhostname) to specify the local SASL authentication realm. File: smtpd_sasl_glue.c. Feature: specify "body_checks=regexp:/file/name" for a very crude one line at a time message body content filter. This feature uses the same filtering syntax as the header_checks feature. File: cleanup/cleanup_message.c. See also the conf/sample-filter.cf file. 20000530 Feature: full content filtering through external software. This uses existing interfaces for sending mail to the external content filter and for injecting it back into Postfix. Details in FILTER_README. Files: pickup/pickup.c, smtpd/smtpd.c, qmgr/qmgr_message.c. 20000531 More SASL feedback by Liviu Daia, regarding the use of authentication realms. File smtpd/smtpd_sasl_glue.c. Added a simple shell-script based content filtering example to the FILTER_README file. Content filtering support for nqmgr by Patrik Rak. File: nqmgr/qmgr_message.c. Renamed "content inspection" etc. to "content filtering" in anticipation of a new hook for content inspection that only inspects mail without re-injecting it into Postfix. 20000601 Feature: limit the size of pipe mailer deliveries with the size=nnn command-line attribute. Patch by Andrew McNamara. 20000603 Bugfix: don't try to do SASL authentication when running in stand-alone (sendmail -bs) mode. Fix by Liviu Daia. Bug: the unauthorized pipelining test fails with single recipient mail when smtpd_delay_reject = yes. 20000617 Bugfix: conf/sample-ldap.cf was no longer up to date with reality. Patch by Lamont Jones, HP. Bugfix: the maildir delivery routine left temporary files lying around after unsuccessful delivery (problem reported by Brian Laughton @ Corp.Axxent.Ca). 20000621 AIX 4.x had POSIX regular expression support all the time I was working on Postfix. Better find out late than never. 20000623 Bugfix: the SMTP server did not reset the so-called junk command counter after successful delivery (Mark Hoffman @ wallst.com). File: smtpd/smtpd.c. 20000625 Cleanup: remove Content-Length from incoming mail. The sender has no authority over the format of mail as stored by the receiving system. File: global/header_opts.h. Feature: rewrite Mail-Followup-To: as sender. Files: global/header_opts.[hc]. Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as sender, so that address masquerading works as expected. Files: global/header_opts.c. Feature: specify "require_home_directory = yes" to prevent mail from being delivered to a user whose home directory is not mounted. File: local/dotforward.c. Cleanup: the pipe deliver agent no longer appends a blank line when the F flag (prepend From_ line) is specified. Specify the B flag if you need that blank line. The local delivery agent no longer appends a blank line to mail that is delivered to external command. Files: pipe/pipe.c, global/mail_copy.[hc]. 20000708 Portability: support for NEXT/OPENSTEP requires extra include file in util/watchdog.c (Masaki Murase). 20000715 Added macros to turn on vstream/vstring/etc. format string checking by gcc, in addition to the checking that was already implemented with printfck. File: util/sys_defs.h, the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike the printfck tool, gcc finds format argument type mismatches only in code that isn't #ifdef-ed out. 20000718 Robustness: make_dirs() now continues when a missing directory is created by another process. 20000720 Feature: the queue manager now logs the number of recipients when opening a queue file (a zero recipient count is logged with older queue files). File: global/opened.c. 20000726 Robustness: added watchdog_pat() routine to keep the watchdog quiet if a client stays connected for a lot of time. Files: util/watchdog.[hc], smtpd/smtpd.c. 20000729 Robustness: if relayhost is specified but the host does not exist, defer mail instead of bouncing it (which would lose the mail if the bounce would have to be delivered to that same non-existent relayhost). Problem reported by Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c. 20000821 Feature: added -r (replace key+value) option to postalias and postmap. Cleanup: smtpd now replies with 555 when the client sends unrecognized RCPT TO parameters, as required by RFC 1869 (problem report by Robert Norris @ its.monash.edu.au). File: smtpd/smtpd.c. 20000822 Logging: the SMTP server's SASL code logs the authentication method along with an authentication failure. Suggested by Ronald F. Guilmette @ monkeys.com. Workaround: some systems have file size resource limits that cannot be represented with the off_t type that is used by standard functions such as lseek(2). Problem reported by Blaz Zupan @ amis.net. 20000823 Feature: all this discussion about when to reject mail and when not made me decide to implement a TCP-based map type so that it becomes relatively simple to implement dynamic access controls, for example, hold off mail from an unknown client or sender until we have completed some investigation, after which we will either reject or accept. However, this code is turned off until it is finished. 20000905 Robustness: the dns client now rejects malformed domain names rather than depending on the DNS to report that the name does not exist. Linux returns a rather misleading server failure code as found out by Patrik Rak. File: dns/dns_lookup.c. 20000911 Feature: added IGNORE keyword to header_checks and body_checks to pretend that certain data does not exist. File: cleanup/cleanup_message.c. 20000911 Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender without prior authentication. The RFC allows this, although one wonders what the reasoning behind this is. File: smtpd/smtpd_sasl_proto.c. 20000913 Bugfix: the rmail script did not handle remote UUCP systems that send a from_ line with unqualified envelope sender. Reported by Luciano Mannucci. Compatibility: don't insert Sender: header lines. Sendmail has not done so for at least 10 years, if it ever did. Problem reported by Brad Knowles. File: cleanup/cleanup_message.c. 20000916 Bugfix: when propagating an address extension in a virtual or canonical mapping, cleanup accesses memory that is no longer allocated. This can happen when the result address length is more than 100 characters. Problem reported by Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c. Bugfix: fixed a misleading error message when the cleanup server reaches the queue file size limit. Fix by Robby Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c. 20000917 Bugfix: postalias -i would complain about duplicate entries for the Sendmail-compatible @ entry and for the NIS-compatible YP_LAST_MODIFIED and YP_MASTER_NAME entries. 20000918 Gross hack: prevent looping on a bad recipient by always forwarding recipients in :include: files to a new mail delivery request, even when owner-listname is not set. File: local/recipient.c. 20000919 Convenience: INSTALL.sh now imports default settings from the process environment, in order to make scripting easier. Robustness: INSTALL.sh now systematically skips over CVS, RCS and SCCS cruft. Portability: another fix for NEXTSTEP (Masaki MURASE). File: util/spawn_command.h. 20000920 Cleanup: in a transport table entry, do not ignore port numbers specified as [host]:port. In fact, this is now becoming the preferred form, in order to avoid parsing problems with IPV6 addresses. Postfix supports both forms, but future versions will print a warning for the old form. Problem reported by Claus Fischer @ werhats.at Bugfix: missing initialization for state->sasl_method can cause permit_sasl_authenticated to always succeed. Report and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE. FAQ: added notes about how to delete, copy or restore queue files in a safe manner. 20000921 File reorganization. No code change except Makefiles. All sources are pushed down by one directory level to keep file listings usable. Released as 20000922, so that I have a reference to run "diff -cr against. Bugfix: the spawn service was installed without man pages. Portability: MacOSX hints and tips by Joe Block, University of Central Florida School of Optics/CREOL Portability: The MacOSX gcc compiler does not understand the new printf_like/scanf_like attributes. File: util/sys_defs.h. 20000922 nqmgr update from Patrik Rak for the changed queue manager to delivery agent protocol. Lame feature: syslog_facility parameter to control where syslogd sends Postfix logging (default: syslog_facility = mail). However, errors during command-line parsing are still logged with the default syslog facility, as are errors while processing the main.cf file (surprise). Based on code by Andrew McNamara. 20000923 Cleanup: new bounce logfile API so that Postfix can change to an extensible bounce logfile format with per-recipient sender addresses (needed for VERP and for reporting local list delivery problems to the list owner) and other attributes. File: global/bounce_log.[hc]. Cleanup: replaced the ad-hoc logfile parsing code in showq by something that uses the generic bounce logfile API. 20000924 Feature: Postfix bounced mail and delayed mail notifications now have the standard RFC 1894 form (DSN). The bounce service now uses the generic bounce logfile API. File: bounce/bounce_notify_service.c, bounce/bounce_notify_util.c. Cleanup: deleted the per-recipient bounce protocol. Future bounce logfiles will support per-recipient bounce addresses. Files: global/bounce.c, bounce/bounce_recip_service. 20000925 Workaround: sendmail allows MAIL FROM and RCPT TO envelope addresses like > so we will never get rid of them. To disallow, specify "strict_rfc821_envelopes = yes". File: smtpd/smtpd.c. 20000926-20001003 Feature: a "flush" server that keeps per-destination records of deferred mail. It is the basis of a faster ETRN and "sendmail -qRsite" implementation. This code was rewritten half a dozen times. 20000928 Bugfix: the stricter dns_lookup() argument checks revealed that Postfix was doing DNS lookups for domain literals ([ip.address]) when expanding aliases in MAIL FROM and RCPT TO address parameters. Reported by Jim Littlefield. File: smtp/smtp_unalias.c. Documentation: added text on the biff=yes/no parameter to conf/sample-local.cf (text provided by Paul Wagland, relational-consultancy.com. Robustness? Log errors from SASL library code as warnings not as fatal errors. Files: smtp*/*glue.c. 20001001 Feature: in master.cf, specify ? after wakeup time to avoid waking up services that aren't being used. 20001003 Feature: the fast flush refresh and purge time interval parameters can now be specified in user-specified units by providing an appropriate suffix: s (seconds), m (minutes), h (hours), d (days), w (weeks). unit. This was needed so that I could test the flush server code in a reasonable way (its timeouts are normally specified in days or hours, and I don't have that much time for testing). Other Postfix time interval parameters will be migrated as time permits. Files: conf/sample-flush.cf, global/mail_conf_time.c, postconf/postconf.c. Unfeature: qmgr_hog_factor is now disabled by default. It was just too confusing. If you don't know what this means, do not worry. 20001005 Cleanup: after "postfix reload" do not penalize mail that was in the active queue, but make it ready for immediate delivery so that ETRN etc. works as intended. Files: *qmgr/qmgr.c, *qmgr/qmgr_active.c. Portability: Redhat 7 library interfaces have changed incompatibly, which breaks existing software. File makedefs. Consistency: the fallback_relay parameter did not understand the [] or host:port syntax, and there was no way to suppress MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c. Convenience: you can now specify multiple SMTP destinations in the relayhost or fallback_relay configuration parameters. The specified destinations will be tried in the specified order. File: smtp/smtp_connect.c. Many typographical corrections by Matthias Andree. 20001024 Documentation: the canonical, virtual etc. manual pages did not document the effect of leading whitespace. 20001025 Bugfix: virtual map expansion stopped too early with self-referential aliases. Reported by Michael Douglass @ datafoundry.net. File: cleanup/cleanup_map1n.c. 20001026 Horror: postmap and postalias (newaliases) silently lose the file lock while building a lookup table with Berkeley DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE. The result is that table lookups fail while the table is being built, so that mail is lost. In order to avoid this misbehavior one has to use an undocumented feature that is NOT available with the DB1.85 compatibility interface. Therefore, Postfix now supports three Berkeley DB programming interfaces of increasing complexity. File: util/dict_db.c. Bugfix: some character manipulations were not portable for signed/unsigned characters. Files: global/quote_821_local.c, global/quote_822_local.c. Workaround: apparently, some software sends SMTP mail that begins with "From sender time-stamp". Sendmail silently ignores such RFC violating garbage, and therefore Postfix needs to jump another hoop. File: smtpd/smtpd.c. 20001028 Bugfix: the flush server tried to access config files after going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE. File: flush/flush.c. Update: revised LDAP module from primary maintainer John Hensley, with contributions from many other people. Files: util/dict_ldap.c, LDAP_README. Update: LINUX2 chroot setup script by Matthias Andree, uni-dortmund.de. Feature: specify unix:/path/name for LMTP connections over UNIX-domain sockets, and specify inet:host or inet:host:port for IPV4. If no unix: or inet: is specified, IPV4 is assumed. File: lmtp/lmtp_connect.c. Feature: added UNIX-domain support to the smtpstone test programs in order to test the LMTP client UNIX-domain support. 20001030 Bugfix: further testing in preparation for 19991231-pl10 revealed that the DB map code was now broken for every platform. 20001031 Performance: the slow start (gradually increase number of parallel connections to the same site) was too gentle and Postfix would back off too quickly. Files: qmgr/qmgr_queue.c and nqmgr/qmgr_queue.c. 20001101 FAQ update by Ralph Hildebrandt. 20001104 Portability: RedHat Linux has changed incompatibly, again. Fixed with the help of Matthias Andree. File: makedefs. 20001109 Cleanup: changed prototype of internal function that did not return a useful result. File: src/util/vstream_popen.c. 20001110 Workaround: the Debian post install script passes an open file descriptor into the master server and waits forever. Reported by Lamont Jones. File: master/master.c. 20001114 Compatibility: added sendmail -G (gateway submission) option for compatibility with the sendmail rmail command. Requested by David Gilbert, Velocet Communications. 20001116 Documentation: added MAILER-DAEMON to the list of sample masquerade_exceptions settings in conf/sample-rewrite.cf. Suggested by Karl O. Pinc, pop.artic.edu. Performance: the slow start (gradually increase number of parallel connections to the same site) was too gentle and Postfix would back off too quickly. Files: qmgr/qmgr_queue.c and nqmgr/qmgr_queue.c. Yup, changed the same code, again. We now allow for a margin above the actual concurrency, with the size of the initial destination concurrency. Final solution by Patrik Rak. Bugfix: the recipient home directory test broke mailbox_transport support for non-UNIX recipients. File: local/recipient.c. 20001117 Robustness: additional integrity tests for the nqmgr by Patrik Rak. File: nqmgr/qmgr_message.c. 20001118 Bugfix: the new LDAP client code did not work properly if the new ldap_domain parameter was not specified. LaMont Jones, HP. File: util/dict_ldap.c. Feature: the soft_bounce safety net is extended to the SMTP server. With "soft_bounce = yes", The SMTP server changes all 5xx (reject) replies into 4xx (try again) replies. Documentation: the virtual(5) man page now documents both Postfix-style virtual domains and Sendmail-style virtual domains, including their interaction with local usernames, aliases and mailing lists. Hopefully, this ends some of the confusion surrounding virtual domain support. Updated several FAQ entries concerning virtual domain support. Documentation: added FAQ entry for the biff service. 20001119 Bugfix: per-destination queue names were case sensitive so that the same site could have multiple queues. Reported by Patrik Rak. Files: *qmgr/qmgr_message.c. 20001120 Bugfix: per-destination deferred mail logfiles were case sensitive so that the same site could have multiple deferred mail logfiles, so that not all mail would be flushed with ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c. Portability: added (int) casts to printf-like arguments that specify the width of %*letter conversions. On some systems, sizeof and pointer difference expressions are wider than an int. Reported by Valentin Nechayev @ lucky.net. 20001121: Compatibility: Postfix now retries delivery when an external command is killed by a signal, because people expect such behavior from Sendmail. File: global/pipe_command.c. 20001123-30 Feature: mailbox locking is now configurable. The configuration parameter name is "mailbox_delivery_lock". Depending on the operating system one can specify one or more of "flock", "fcntl" and "dotlock". Use "postconf -l" to find out what locking methods Postfix supports. The default setting is system dependent. All mailbox file opens are now done by one central mbox_open() routine. This affects the operation of the postlock command, and of local delivery to mailbox or /file/name. Files: util/safe_open.c, util/myflock.c, global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c. local/mailbox.c, local/file.c, postlock/postlock.c. Compatibility: the old sun_mailtool_compatibility parameter is being phased out. It still works (by turning off flock/fcntl locks), but logs a warning as a reminder that it will go away. Compatibility: when delivering to /file/name, the local delivery agent now logs a warning when it is unable to create a /file/name.lock file, and then delivers the mail (older Postfix versions would silently deliver). 20001202 Feature: specify "smtp_never_send_ehlo = no" to disable ESMTP. Someone asked for this long ago. Files: smtp/smtp.c, smtp/smtp_proto.c. Feature? Bugfix? The smtp client now skips server replies that do not start with "CODE SPACE" or with "CODE HYPHEN", and flags them as protocol errors. Older versions silently treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c. 20001203 Documentation: postmap(1) and postalias(1) did not document the process exit status for "-q key". 20001204 Bugfix: the Postfix master daemon no longer imported MAIL_CONF and some other necessary environment parameters. Postfix now has explicit "import_environment" and "export_environment" configuration parameters that control what environment parameters are shared with non-Postfix processes. Files: util/clean_env.c, util/spawn_command.c, util/vstream_popen.c, global/pipe_command.c, and everything that invokes this code. 20001208 Bugfix: while processing massive amounts of one-recipient mail, qmgr could deadlock for 10 seconds while sending a bounce message. All queue manager bounce send requests are now implemented asynchronously. Files: global/abounce.[hc] (asynchronous bounce client), qmgr/qmgr_active.c. Problem reported by El Bunzo (webpower.nl) and Tiger Technologies (tigertech.com). 20001209 Feature: mailbox_transport and fallback_transport can now have the form transport:nexthop, with suitable defaults when either transport or nexthop are omitted, just like in the Postfix transport map. This allows you to specify for example, "mailbox_transport = lmtp:unix:/file/name". File: global/deliver_pass.c. 20001210 Bugfix: the local_destination_concurrency_limit paramater no longer worked as per-user concurrency limit but instead worked as per-domain limit, so that the limit of "2" in the default main.cf files resulted in poor local delivery performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c. Problem reported by David Schweikert (ee.ethz.ch) and Dallas Wisehaupt (cynicism.com). 20001210 Feature: support for MYSQL connections over UNIX-domain sockets by Piotr Klaban. Files: util/dict_mysql.c, MYSQL_README. 20001211 Small dirt: postconf -m produced too much output due to a missing "else", and the optional SASL code needed a fix for the changed name_mask API. 20001212 Workaround: due to an error, record type L for "filter transport name" was the same as that for the already existing record type L for "record not ending in newline", causing the pickup daemon to discard all records not ending in newline. The code cannot be changed without breaking compatibility with queued mail, so the pickup server is changed to discard type L records only from the message envelope, not from the content. File: pickup/pickup.c. 20001213 Bugfix: dict_ldap did not properly initialize a handle after connection timeout. Problem reported by Alain Thivillon. File: util/dict_ldap.c. 20001214 Feature: local_transport and default_transport now also understand the transport[:destination] notation, so that all transport config parameters are similar again. File: trivial-rewrite/resolve.c, trivial-rewrite/transport.c. Code cleanup: mailbox_transport and fallback_transport no longer allow the user to omit the transport part of a transport:destination specification. That just did not make any sense at all. The :destination part is still optional. File: global/deliver_pass.c. Feature: most time-related configuration parameters take a one-letter suffix that specifies the time unit: s (second), m (minutes), h (hours), d (days), w (weeks). "postconf -d" output includes the default time unit. Files: many. Code cleanup: in a CONFIG_TIME_TABLE, the default time unit is now always the last character of a default time value. It is no longer necessary to specify the default time unit separately. This change means that it will not be possible to specify default values in the form of function calls, but that was unused anyway. Files: global/mail_conf_time.c, and user code. 20001217 Bugfix: reorganized some code in the MYSQL client to end a number of memory allocation/deallocation problems. This code needs more work. File: dict_mysql.c. 20001218 Bugfix: the MYSQL client did not provide function pointers for unimplemented operations, causing "postmap -d" to dump core instead if issuing an error message. This is what I get for accepting code that I cannot test myself. 20001221 Code cleanup: configuration parameters that are $name expanded at run-time now have their own data type hierarchy instead of being piggy-backed on top of strings that are $name expanded at program initialization time. Files: global/mail_conf.h, global/mail_conf_raw.c, and code that calls it. 20001230 Update: replaced the default rbl.maps.vix.com setting by the current blackholes.mail-abuse.org. 20010102 Code cleanup: the queue manager is a bit greedier with allocating a delivery agent. Problem pointed out by Patrik Rak. All bugs in the solution are mine. Files: *qmgr/qmgr_active.c. 20010105 Bugfix: the FILTER_README shell script example did not correctly pass exit status to the parent. Bugfix: soft errors in client hostname lookups would be treated as hard errors. Fix by Michael Herrmann (informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c. 20010110 Bugfix: the mkdir() EEXIST race condition workaround was not complete. Matthias Andree, Daniel Roesen. Files: global/mail_queue.c, util/make_dirs.c. 20010111 Portability: IRIX 6.5.10 defines sa_len as a macro, causing a name collision with a variable used by Postfix. Roberto Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c. 20010116 Bugfix: REJECT by header/body_checks was flagged in smtpd as a bounce, should be policy, in order to make postmaster notifications more consistent. File: smtpd/smtpd.c. Merged updated chroot setup procedure by Matthias Andree. Files: examples/chroot-setup/LINUX2. 20010117 Formatting: changed the seconds and days formats in the "your mail is delayed" text so that it does not switch to scientific notation. File: bounce/bounce_notify_util.c. 20010119 Feature: SASL support for the LMTP client. Recent CYRUS software requires this for Postfix over TCP sockets. 20010120 Bugfix: the 20001005 revised fallback_relay support caused Postfix to send mail to the fallback even when the local machine was an MX host for the final destination. Result: mailer loop. Found by Laurent Wacrenier (teaser.fr). Files: smtp/smtp_connect.c, smtp/smtp_addr.c. 20010121 Workaround: specify "broken_sasl_auth_clients = yes" in order to support old Microsoft clients that implement a non-standard version of RFC 2554 (AUTH command). Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c. 20010125 Code cleanup: wrote creator/destructor for dictionary objects that provides default methods that trap all attempts to perform an unimplemented operation. Based on an ansatz by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc]. Code cleanup: INSTALL.sh does not ask questions when stdin is not connected to a tty (as in: make install instances across line boundaries. sed(1) is an amazing tool. File: mantools/postlink. 20010204 Laid the ground work for logging of table accesses. This will give more insight into how Postfix uses its lookup tables. User interface comes later. File: util/dict_debug.c. 20010216 Bugfix: the pipe delivery agent expanded $size as if it were a recipient, instead of expanding it as $nexthop or as $sender. Reported by Michael Tokarev. File: pipe/pipe.c. 20010221 Bugfix: poor LMTP performance for domains that are listed in $mydestination, because Postfix would send one recipient at a time, with multiple deliveries of recipients of the same message in parallel; a similar problem could exist with virus scanning and with firewall relay hosts that forward mail for $mydestination to an inside machine. This behavior is now changed to depend on the transport-specific xxx_destination_recipient_limit parameter. This also means that you can now get qmail behavior for SMTP deliveries by setting smtp_destination_recipient_limit=1. File: {qmgr,nqmgr}/qmgr_message.c. Workaround: Solaris socketpair() can fail with EINTR. Added a sane_socketpair.c module that joins the ranks of the other sane_whatever workarounds. Reported by Andrew McNamara. File: util/sane_socketpair.[hc] 20010222 Documentation: the default main.cf file has a prominent warning that mynetworks should be properly configured in order to reject unauthorized mail relay requests from strangers. Documentation: the INSTALL document, section "mandatory configuration file edits" has a section that explains that mynetworks should be properly configured in order to reject unauthorized mail relay requests from strangers. 20010223 Documentation: the basic.html document has a section that explains that mynetworks should be properly configured in order to reject unauthorized mail relay requests from strangers. Feature: new "mynetworks_style" parameter that controls how mynetworks (trusted networks) is derived from the inet_interfaces (machine interfaces) setting. Specify "class" for entire class A, B, C networks; "subnet" for the local subnets only; or "host" for maximal privacy. Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc], global/mynetworks.[hc], postconf/postconf.c. Portability: MACOSX patches by Gerben Wierda. Portability: Solaris /dev/null is a symlink, which tripped up the code to safely open a file before local delivery. We now grudgingly allow symlinks owned by root. File: util/safe_open.c. 20010224 Bugfix: "postconf mynetworks" ignored the inet_interfaces setting. That was a very old one. File: postconf/postconf.c. INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK. Specify "mynetworks_style = class" to get the old behavior. 20010225 Portability: master sigchld handler based on writing to a pipe, so that the master wakes up from select(). Based on code by Erik Forsberg, Linkoping University, Sweden. File: master/master_sig.c. Disabled until after the major release. Code cleanup: Postfix should now run with no alias database. Code cleanup: local_destination_recipient_limit and local_destination_concurrency_limit have become first-class configuration parameters. Files: global/mail_params.h, *qmgr/qmgr.c, postconf/postconf.c. 20010226 Documentation suggestions by Lars Hecking and Richard Huxton, Matthias Andree and many others. Code cleanup: some queue/transport operations need to be moved, after the code cleanup of the recipient/concurrency limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c. 20010301 Feature: configurable name in syslog output (default: "syslog_name = postfix") so that different Postfix instances can be recognized by their logging. File: global/mail_task.c. 20010313 Workaround for logic mismatch in nqmgr that was exposed with the introduction of the asynchronous bounce client. Patrik Rak. 20010313 Bugfix: the RFC 822 untokenizer quoted newlines inside comments. File: global/tok822_parse.c. 20010316 Cleanup: removed an extraneous warning when a queue file write error happened. 20010321 Workaround: LMTP connection caching never worked for destinations starting with unix: or inet:. File: lmtp/lmtp_connect.c. 20010322 Portability: Solaris <2.6 does not have srandom() and random() in libc. File: util/rand_sleep.c. It does not have to be cryptographically strong. Bugfix: the fast ETRN flush server could not handle [ipaddr] or domain names with one-character hostname part. This fix changes the destination to logfile name mapping, so that you need to populate the new files with "sendmail -q". The old files go away automatically. File: flush/flush.c. 20010327 Speed up mailq (sendmail -bp) display by flushing output after each file. File: showq/showq.c. Portability: missing string.h includes, %p wants (void *), Lamont Jones, HP. 20010328 Bugfix: swapped logic caused cleanup to stall when the queue file size exceeded the file size limit by less than one the VSTREAM buffer size, so that the "file too big" was detected after flushing the last queue file record. File: cleanup/cleanup.c. 20010329 Portability: workaround for missing prototype problem in dict_ldap.c. This module should move to the global directory, because it depends on Postfix main.cf parameter information. Workaround: after sending a trigger message over a socket, do not immediately close the client side, but close it from a background thread that waits until the server closes the socket first. This avoids trouble with socket implementations that destroy a socket when the client closes a socket before the server has received the client's data. Files: util/{inet,unix,stream}_trigger.c, util/events.c, master/master_trigger.c, postkick/postkick.c. 20010403 Workaround: the mysql library can return null pointers rather than zero-length strings. File: util/dict_mysql.c. 20010404 Ergonomics: log additional information about the reason why "mail for XXX loops back to myself" when the local machine is the best MX host. File: smtp/smtp_addr.c. 20010406 Changed some noisy LDAP client warnings into optional logging. LaMont Jones, util/dict_ldap.c. 20010411 Bugfix: the SMTP server now replies with 550 instead of 503 when it receives the DATA command without having received a valid recipient address. This is needed for the Sendmail client-side pipelining implementation. Problem reported by Lutz Jaenicke. File: smtpd/smtpd.c. Cleanup: shut up if chattr fails on Reiserfs and other file systems that do not support the respective attributes. Files: conf/postfix-script-{no,}sgid. 20010413 Ergonomics: Postfix applications now warn when a DB or DBM file is out of date, and recommend to rebuild the table. Files: util/dict_db.c, util/dict_dbm.c. 20010414 Feature: specify a key of "-" to the postmap or postalias -q or -d option, and the keys will be read from standard input, one key per line. Files: postmap/postmap.c, postalias/postalias.c. Bugfix: with a non-default inet_interfaces setting, the master ignored host information in master.cf host:port settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net. Files: master/master.h, master/master_ent.c. 20010426 Bugfix: the SMTP server did not parse invalid MAIL FROM or RCPT TO addresses such as > the way it was supposed to do. I thought this was taken care of years ago. File: smtpd/smtpd.c. 20010427 Bugfix: smtpd would reject mail instead of replying with a 4xx temporary error code when, for example, an LDAP or mysql server was unavailable. Remotely based on a fix by Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c. 20010429 Feature: the Postfix SMTP client now by default randomly shuffles destination IP addresses of equal preference. Specify "smtp_randomize_addresses = no" to disable. Shuffling code by Elias Levy @ SecurityFocus.com Files: dns/dns_rr.c, smtp/smtp_addr.c. 20010501 Bugfix: The SMTP server's 550 in reply to DATA should be a 554 response. And it wasn't Sendmail. Claus Assman. Bugfix: the INSTALL.sh test for non-interactive upgrade broke rooted installations that specify settings via the environment. Simon Mudd. Bugfix: mailq output is now really flushed one message at a time. File: sendmail/sendmail.c. Feature: "postsuper -d queueID" deletes one message queue file; "postsuper -d -" reads zero or more queue IDs from standard input, and deletes one instance of each file. File: postsuper/postsuper.c. Code cleanup: in order to make postsuper -d safe with a running Postfix mail system, some routines had to be made tolerant for sudden queue file disappearances. Files: global/deliver_request.c, *qmgr/qmgr_move.c. Code cleanup: in order to make postsuper -d more usable, the showq command was extended to safely list the possibly world-writable maildrop directory. File: showq/showq.c. 20010504 Feature: postsuper -d will also delete defer and bounce logfiles when the named queue file is found. 20010505 RFC 2821 feature: an SMTP server must reset all buffers upon receipt of EHLO. File: smtpd/smtpd_check.c. RFC 2821 feature: an SMTP server must accept a recipient address of "postmaster" without domain name. File: smtpd/smtpd_check.c. RFC 2821 recommendation: reply with 503 to commands sent after 554 greeting. File: smtpd/smtpd.c. RFC 2821 recommendation: if VRFY is enabled, list it in the EHLO response. File: smtpd/smtpd.c. RFC 2821 recommendation: SMTP clients should use EHLO. The default setting of smtp_always_send_ehlo has changed from 0 (send EHLO if server greets with ESMTP) to 1 (always send EHLO). In all cases, Postfix falls back to HELO if the server does not support EHLO. File: smtp/smtp_proto.c. 20010507 Bugfix: with soft_bounce=yes, the SMTP server would log 5xx replies even though it would send 4xx replies to the client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c. 20010515 Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN". Updated the parsing code in smtp/smtp_proto.c. Problem reported by Ralf Tessmann, Godot GmbH. 20010520 Standard: deleted the non-standard "via" portion from Received: headers generated by Postfix bounce or other notification processes. File: global/post_mail.c. Robustness: eliminated stack-based recursion from the RFC 822 address parser. File: global/tok822_parse.c. Standard: annotated the source code with comments based on RFC 2821 and 2822. Not all the RFC changes make sense. RFC 2821 recommendation: treat a RCPT 552 reply as if the server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. Cleanup: moved ownership of the debug_peer parameters from the applications to the library, so that a Postfix shared library does not suffer from undefined references. Files: smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c. LaMont Jones, for Debian. 20010522 Feature: "postsuper -r queueID" re-queues a message, and "postsuper -r ALL" re-queues all mail. The message is moved to the maildrop queue so that the pickup daemon will copy it to a new queue file, and so that address rewriting will be done again. This is useful after changes of address rewriting or virtual mappings. Feature: "postsuper -d ALL [queue-name]" deletes a bunch of mail. 20010523 Feature: "postsuper -s" (which is done by default) renames queue files whose name (queue ID) does not match the message file inode number. Bugfix: memory leak in the LDAP client module. Alain Thivillon, France Teaser - Groupe Firstream. 20010525 Portability: gcc 2.6.3 does not have __attribute__ (Clive Jones, dgw.co.uk). File: util/sys_defs.h. Bugfix: the SMTP and LMTP clients claimed that a queue file needed to be delivered again (even when all recipients were erased from the queue file) when no QUIT or RSET reply was received (by default, this does not happen with SMTP mail because the SMTP client does not wait for QUIT replies and does not send RSET to deliver mail). As a result of the same bug the LMTP client followed a dangling pointer when sending QUIT after process idle timeout while the LMTP server had disconnected. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. 20010526 newaliases no longer complains when an empty list is specified with the alias_database configuration parameter. File: sendmail/sendmail.c. 20010529 Workaround: old PIX firewall code messes up when the final "." at the end of DATA spans a packet boundary. When Postfix detects PIX SMTP fixup mode, Postfix flushes the output buffers before sending the final ".". File: smtp/smtp_proto.c. 20010530 Portability: updated code for Mac OS X, accounting for the post-Beta changes. Code by Joe Block, UCF School of Optics/CREOL. 20010601 Safety: postdrop turns off interrupts when cleaning up after interrupt. The additional safety does not hurt anyone. File: src/postdrop/postdrop.c. 20010607 Safety: dropped the RFC 2821 compliant code that treats 552 RCPT TO replies as 452. It created more problems than it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. Logging: the SMTP server now logs a warning if RBL lookups have problems other than "not found". file: smtpd/smtpd_check.c. 20010610 Feature: address quoting and case folding flags for the pipe(8) mailer. 20010611 Workaround: some MTAs fall on their face when they receive unexpectedly long lines. From now on, Postfix defaults to breaking long lines at 2048 (like Sendmail so it has got to be right). To get the old, content preserving, behavior specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c. 20010614 Bugfix: did not really undo 2821 552->452 mapping. 20010628 Bugfix: postfix-script used a hard-coded maildrop group owner instead of using the install-time specified name stored in /etc/postfix/install.cf. Problem reported by David Terrell @ meat.net. 20010701 Feature: mail_spool_directory ending in / causes maildir style delivery. Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters and kern.ipc.maxsockets cannot be set with sysctl commands. File: html/faq.html. Len Conrad @ Go2France.com. Cleanup: the virtual delivery agent was poorly integrated so that the SMTP server and queue manager did not reject mail for unknown users. Files: smtpd/smtpd_check.c. 20010705 Feature: QMQP server, compatible with qmail and the ezmlm list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c. 20010706 Feature: QMQP stress test message generator program. Files: smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c. 20010708 Bugfix: with disable_dns=yes, the SMTP client treated all host lookup errors as permanent. File: smtp/smtp_addr.c. 20010709 Feature: VERP support, based on a patch by Peng Yong, and with the missing parts filled in so that the Postfix bounce daemon can send one VERP bounce per undeliverable recipient. Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple support routines in the global library. Cleanup: with recipient_delimiter=+ (or any character other than -) Postfix will now recognize address extensions even with owner-foo+extension addresses. This is necessary to make VERP work for mailing lists. 20010710 Bugfix: potential memory leak in the queue managers with the new VERP delimiter record. Fix by Patrik Rak. 20010711 Cleanup: you can now specify the VERP delimiter characters on the sendmail(1) command line, but they are still optional. Safety: with maildir style delivery and with hashed mailboxes the system mail spool directory must not be world writable. 20010713 Safety: the verp_delimiter_filter parameter (default: -=+) limits what characters Postfix accepts as VERP delimiter characters. 20010714 Logging: the queue manager now logs a "status=expired" record when it returns a message that is too old. Files: *qmgr/qmgr_active.c. 20010719 Feature: stiffer coupling between mail receiving rates and mail delivery rates, using a trivial token-based scheme, implemented by reading and writing an in-memory pipe. The queue manager produces one token when it retrieves mail from the incoming queue. The cleanup daemon consumes one token when it adds mail to the incoming queue. If no token is available the cleanup server pauses for $in_flow_delay seconds and proceeds anyway. The delay allows mail sending process to catch up and access the disk while not blocking inbound mail. Valid delays are 0..10 seconds. 20010727 Bugfix: updated LDAP client module from LaMont Jones, HP. This also introduces new LDAP query filter patterns: %u (address localpart) and %d (domain part). Files: conf/sample-ldap.cf, util/dict_ldap.c. 20010729 Bugfix: recursive smtpd_whatever_restrictions clobbered intermediate results when switching between sender and recipient address restrictions. Problem found by Victor Duchovni, morganstanley.com. In order to fix, introduced address resolver result caching, which should also help to speed up sender/recipient address restriction processing. Bugfix: the not yet announced DUNNO access table lookup result did not prevent lookups with substrings of the same lookup key. Found by Victor Duchovni, morganstanley.com. 20010730 Robustness: trim trailing whitespace from regexp and pcre right-hand sides, for consistency with DB/DBM tables. Files: util/dict_pcre.c, util/dict_regexp.c. 20010731 Robustness: eliminate duplicate IP addresses after expansion of hostnames in $inet_interfaces, so that Postfix does not suddenly refuse to start up after someone changes the DNS. Files: util/inet_addr_list.c global/own_inet_addr.c. Feature: specify "disable_verp_bounces = yes" to have Postfix send one RFC-standard, non-VERP, bounce report for multi-recipient mail, even when VERP style delivery was requested. 20010801 Bugfix: postconf was using unexpanded values internally for myhostname, inet_interfaces, and mynetworks_style. This broke the "postconf -d" mynetworks computation. File: postconf/postconf.c. 20010803 Feature: masquerade_classes parameter for fine control of address masquerading. The default setting is backwards compatible: envelope_sender header_sender header_recipient. Files: cleanup/whatever.c. 20010822 Code cleanup: the bounce daemon complained about data that it was not going to send back anyway. Fix: stop reading the original message when the bounce message reaches the bounce message size limit. File: bounce/bounce_notify_util.c. 20010826 Logging: postsuper now logs the queue ID when it requeues a message, or when it deletes a message from the mail queue. File: postsuper/postsuper.c. 20010830 Safety: the SMTP server now sends a 4xx (try again later) response when an UCE restriction is misconfigured, instead of ignoring the bad restriction and possibly accepting mail that it should not accept. File: smtpd/smtpd_check.c. 20010907 Workaround: the Postfix qmqp-source program produced mail not ending in newline. qmail-qmqpd accepts such mail, but qmail-remote is unable to deliver it. Matthias Andree, uni-dortmund.de. File: smtpstone/qmqp-source.c. 20010910 Bugfix: the smtp-sink stress test program broke when RCPT TO commands crossed network packet boundaries. Problem reported by Matthias Andree, uni-dortmund.de. File: smtpstone/smtp-sink.c. 20010917 Code cleanup: permit_mx_backup implements the old behavior (accept mail if the local MTA is MX relay), and allows an additional restriction via the permit_mx_backup_networks parameter (accept mail only if the primary MX hosts match the specified list of network blocks). This second restriction is now entirely optional, for backwards compatibility. Bugfix: an address extension could be appended multiple times to the result of a canonical or virtual map lookup. File: global/mail_addr_map.c. Fix by Victor Duchovni, Morgan Stanley. Bugfix: split_addr() would split an address even when there was no data before the recipient delimiter. In combination with the above bug, this could cause an address to grow exponentially in size. Problem reported by Victor Duchovni, Morgan Stanley. File: global/split_addr.c. 20010918 Bugfix: the mail_addr_map() fix was almost but not quite right. It took two clever people and several iterations of email to really fix the mail_addr_map() problem. Thanks to Victor Duchovni and Liviu Daia. 20011006 Cleanup: Postfix no longer flushes the whole deferred queue after an ETRN request for a random domain name (i.e. a domain name not matched by $fast_flush_domains); the SMTP server instead replies with "459 service unavailable". Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c. 20011008 Bugfix: there was a minute memory leak when an smtpd access restriction was misconfigured. File: smtpd/smtpd_check.c. 20011010 Code cleanup: Postfix daemons now print the name of the UNIX-domain socket (instead of "unknown stream") in case of a malformed client request. Files: master/*server.c. 20011010-14 Code cleanup: replaced the ugly mail_print() and mail-scan() protocols by (name,value) attribute lists. This gives better error detection when we make changes to internal protocols, and allows new attributes to be introduced without breaking everything immediately. Files: util/attr_print.c util/attr_scan.c global/mail_command_server.c global/mail_command_client.c as wel as most Postfix applications and daemons. 20011015 Put base 64 encoding into place on the replaced internal protocols. Files: util/base64_code.[hc]. Feature: header/body REJECT rules can now provide text that is sent to the originator. Files: cleanup/cleanup.c, cleanup/cleanup_message.c, conf/sample-filter.cf. 20011016 Bugfix: As of 20000625, Errors-To: was broken, because the code to extract the address was not moved from recipient address rewriting to sender address rewriting. Problem reported by Roelof Osinga @ nisser.com. File: cleanup/cleanup_message.c. 20011029 Bugfix: virtual map expansion terminated early because the detection of self-referential entries was flawed. File: cleanup/cleanup_map1n.c. 20011031 Bugfix: mail_date() mis-formatted negative time zone offsets with fractional hours (-03-30 instead of -0330). Fix by Chad House, greyfirst.ca. File: global/mail_date.c. 20011102 Feature: new -f option to postmap and postalias (do not lowercase the lookup key while creating a table). Files: util/dict.h postmap/postmap.c postalias/postalias.c. Code cleanup: simplified the attribute print/scan routines, and removed the never-used support for sending and receiving integer arrays and string arrays. Files: util/attr_print.c, util/attr_scan.c. Bugfix: qmqpd could read past the end of a string while looking for qmail's VERP magic token in the envelope sender address. File: qmqpd/qmqpd.c. Code cleanup: finished testing the new internal protocols. The only bug was with the flush server, which still needs to support the old (string + null byte) protocol for triggers from the Postfix master daemon. 20011103 Bugfix: Postfix would log the wrong error text when locally submitted mail was deferred due to "soft_bounce = yes". Bugfix: The LDAP client dropped any entries that don't have the result_attribute, but errored out when a DN didn't exist. The behavior is now consistent: treat non-existant DN's in a special result attribute expansion the same as DN's with no attribute. LaMont Jones, HP. 20011104 Bugfix: the new smtp-sink -n option (terminate after the specified number of deliveries) wasn't optional. Portability: updated Mac OS X documentation and install scripts by Gerben Wierda. 20011105 Bugfix: missing terminator in new attribute-based function call caused signal 11. File: src/cleanup/cleanup.c. Lame workaround for ESTALE errors with mail delivery over NFS. Additional bandages were added to the local delivery agent. However, Wietse maintains that Postfix offers no guarantee for reliable delivery over NFS. Feature: put "warn_if_reject" before an smtpd restriction, and that restriction logs warnings without rejecting mail. This makes it easier to test configurations "live" without having to lose mail. File: smtpd/smtpd_check.c. 20011107 Workaround: in order to get mail past PIX firewall bugs, the Postfix SMTP client now blocks until the socket send buffer is empty before sending the final ".". Files: util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into sleep(10) on 20011119. Sleep suggested by Hobbit. 20011108 Feature: added string-null encoding for internal protocols. Files: util/attr_print0.c, util/attr_scan0.c. Feature: configurable parent domain matching for domain and hostname/address match lists: either .domain or the domain name itself. Files: util/match_ops.c util/match_list.c Feature: added pretend-to-be-behind-PIX mode to the smtp-sink test program, in order to stress test some PIX bug workaround code. 20011109 Workaround: Linux and Solaris systems have no reasonable way to block until a socket drains. On these systems Postfix simply waits for 10 seconds, in order to work around PIX "." bugs. File: util/sock_empty_wait.c. 20011114 Bugfix: reset the smtpd command transaction log between deliveries. File: smtpd/smtpd.c. 20011115 Feature: mailbox_command_maps no longer requires that every user has an entry. If the user does not have a command entry, the local delivery agent tries the other delivery methods (mailbox_command, home_mailbox). File: local/mailbox.c. Bugfix: reset the smtpd command transaction log between non-deliveries. File: smtpd/smtpd.c. 20011116 Bugfix: consolidated all the command transaction log resets and eliminated one missing reset (Victor Duchovni, Morgan Stanley). File: smtpd/smtpd.c. 20011118 Cleanup: replaced unnecessary match_list wrapper code by macros. Files: global/{string,domain,namadr}_list.[hc]. 20011119 Feature: configurable parent domain matching strategy for transport map lookups. File: trivial-rewrite/transport.c. New parent_domain_matches_subdomains parameter. This lists all the Postfix features where a domain name matches itself and all its subdomains (instead of requiring ".domain.name" for subdomain matches). Planning for future backwards compatibility :-) File: global/match_parent_style.c. Workaround: simplified the PIX "." bug to always sleep for 10 seconds. File: smtp/smtp_proto.c. 20011120 Workaround: disable attribute string length restriction so that trivial-rewrite does not refuse to rewrite broken mail headers. Files: util/attr_scan*.c. 20011121 Bugfix: missing long integer support in the new IPC protocols. Files: util/attr_scan*.c, util/attr_print*.c. Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1 (Gerben Wierda). 20011125 Bugfix: spurious postmaster notifications because some flag was not reset. Feature: new parameter smtpd_sender_login_maps that specifies the (SASL) login name that owns a MAIL FROM address. Specify a regexp table in order to require a simple one-to-one mapping. This is used in the reject_sender_login_mismatch sender anti-spoofing feature. Feature: restriction reject_sender_login_mismatch refuses a MAIL FROM address when $smtpd_sender_login_maps specifies an owner but the client is not (SASL) logged in as the MAIL FROM address owner, or when a client is (SASL) logged in but the client login name does not own the MAIL FROM address according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c. Documentation: added some redundancy to the LMTP_README file so people can keep track of the difference between the Postfix LMTP client and the non-Postfix LMTP server. 20011126 Feature: smtpd_noop_commands specifies a list of commands that are treated as NOOP (no operation) commands, without syntax check or state change. File: smtpd/smtpd.c. Bugfix: the "mark queue file as corrupt" code did not work because it was never used. Files: global/mark_corrupt.c, global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c, local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c, virtual/mailbox.c, virtual/maildir.c. Bugfix: the bounce daemon broke in the unlikely case of a non-existing queue file. File: bounce/bounce_notify_util.c. 20011127 Feature: added WARN command to header/body_checks files as proposed by Michael Tokarev. File: cleanup/cleanup_message.c. Bugfix: the postdrop program was broken after the change of Postfix internal protocols. This broke "sendmail -bs" mail submissions with "secure" maildrop directory. Reported by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c. Feature: a first start at fault injection for testing unlikely error scenarios (such as corrupt queue files). Parameter: fault_injection_code, must be left at zero for production use. 20011128 Robustness: add a file size limit to the sendmail and postdrop submission programs to stop run-away process accidents. This is not a defense against DOS attack. Files: sendmail/sendmail.c, postdrop/postdrop.c. That resulted in a considerable amount of work to properly propagate "file too large" conditions back to the sendmail mail posting user interface. Took the opportunity to express other mail submission fatal exits with the exit status codes. Files: sendmail/sendmail.c, postdrop/postdrop.c. 20011129 Maintenance: dict_ldap.c wasn't updated after the revision of the string matching routines. File: util/dict_ldap.c. 20011208 Maintenance: LDAP module and documentation from LaMont Jones. This version adds verbose logging for LDAP library routines. Files: src/util/dict_ldap.[hc], LDAP_README, conf/sample-ldap.cf Portability: made memory alignment restrictions configurable. File: util/mymalloc.c. Bugfix? Avoid surprises with source routed destinations and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c. Security: "postfix check" looks for damage by well-intended but misguided use of "chown -R postfix /var/spool/postfix". That would make chrooted Postfix less secure than non-chrooted Postfix. These extra tests may cause complaints with third-party patches such as TLS that introduce their own files into the jail. Feature: static map type that always returns the map name as lookup value, regardless of lookup key value. Contributed Jeff Miller (jeffm at ghostgun.com) Feature: turn off the PIX . workaround for the first mail delivery attempt, i.e. when mail is queued for less than $smtp_pix_workaround_threshold_time (default: 500) seconds. New parameter $smtp_pix_workaround_delay_time to control the delay before sending . (default: 10 seconds) when doing the PIX . workaround. 20011210 Bugfix: the 20011128 change in sendmail and postdrop did not handle the case of message_size_limit=0. Fix by Will Day, Georgia Tech. 20011212 Compatibility: The SMTP server now accepts as if the client sent . Reportedly, some badly written windows software produces such garbage, and some badly written windows anti-VIRUS software cannot handle such garbage. File: global/smtp_stream.c. 20011214 Bugfix: postmap/postalias queries ignored the -f flag. Reported by Hamish Marson. 20011217 Compatibility: Sendmail now has a -L option to set the syslogging label. Postfix sendmail uses syslog_name instead, and ignores the -L option. Security: subtle hardening of the Postfix chroot jail, Postfix queue file permissions and access methods, in case someone compromises the postfix account. Michael Tokarev, who received the insights from Solar Designer, who tested Postfix with a kernel module that is paranoid about open() calls. Files: master/master_wakeup.c, util/fifo_trigger.c, postfix-script. Convenience: issue a warning instead of aborting when the local machine name is not in fully-qualified domain form. This would otherwise break initial postfix installation which needs the postconf command. File: global/mail_params.c. 20011220 Added more garbage detection to postconf -e input processing. 20011221 Feature: SMTPD access map lookups of null sender addresses. If your access maps cannot store or look up null string key values, specify "smtpd_null_access_lookup_key = <>" and the null sender address will be looked up as <> instead. File: src/smtpd_access.c. 20011223 Safety: configuration file comments no longer span multiple lines when the next line begins with whitespace; multi-line input is no longer terminated by a comment line, by an all white space line, or by an empty line. Michael Tokarev made the crucial suggestion to simplify the readline routine. Files: util/readlline.c, postconf/postconf.c. Cleanup: proper detection of big number overflow in EHLO and MAIL FROM size announcements, with input from Victor Duchovni, Morgan Stanley. Files: global/off_cvt.c, smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c. Forward compatibility: added queue file record types for original recipient and for generic named attributes. Cleanup: safe_open() now returns sensible errno values so that the fifo_trigger() external interface is restored. 20011225 Upgrade: PCRE_README now describes PCRE version 3.x. Cleanup: flush SMTPD command history upon receipt of EHLO, RSET, and upon DATA completion, only if it exceeds $smtpd_history_flush_threshold lines (default: 100). Distant derivative of code by Michael Tokarev. File: smtpd/smtpd.c. 20011228 Bugfix: a readlline() error message showed less text than intended. Christian von Roques. Cleanup: postfix now installs with group-writable maildrop directory and with a set-gid postdrop mail submission command. The pickup service is now unprivileged. The world-writable maildrop directory no longer exists. The cleanup service is now public, in preparation for local sendmail/postdrop mail submission that avoids the maildrop queue directory while Postfix is up. Cleanup: moved the main.cf/master.cf file editing from the postfix-script file to the INSTALL.sh file. Cleanup: INSTALL.sh no longer accepts "no" as the destination of Postfix manual pages. 20011230 Cleanup: the code for "mailq", "sendmail -q", and for "sendmail -qRsite" was moved from the sendmail command to a new set-gid postqueue command. The pickup and qmgr FIFOs are no longer world writable. Files: sendmail/sendmail.c, postqueue/postqueue.c. 20020101 Security: new alternate_config_directories parameter that specifies what directories a set-gid command will accept as its configuration directory. The list must be specified in the default main.cf file. File: global/mail_conf.c. Cleanup: "sendmail -qRsite" is no longer implemented by connecting to the SMTP port. It is now implemented by talking to the fast flush service. File: postqueue/postqueue.c. 20020203 Cleanup: INSTALL.sh now records all installation information in the main.cf file. The now obsolete install.cf file is used only when upgrading from an older Postfix release. Cleanup: INSTALL.sh now takes name=value settings on the command line, and has a new "-upgrade" command line option to turn on non-interactive installation. Security: additional run-time checks to discourage sharing of Postfix user/group ID values with other accounts. 20020105 Cleanup: SMTPD access maps now return DUNNO (undetermined) instead of OK when a recipient address contains multiple domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. 20020106 Bugfix: SMTPD access maps did not handle address extensions. File: smtpd/smtpd_check.c. 20020107 Bugfix: postfix-script, when creating a missing maildrop queue directory, still referenced install.cf when setting maildrop directory group ownership; and the postfix command did not export the setgid_group parameter to the postfix-script shell script. Victor Duchovni. Bugfix: postfix-script, when creating a missing public queue directory, did not set group ownership of the public directory. 20020109 Cleanup: rewrote the Postfix installation procedure again. It is now separated into 1) a primary installation script (postfix-install) that installs files locally or that builds a package for distribution and that stores file owner and permission information in /etc/postfix/post-files, and 2) a post-installation script (/etc/postfix/post-install) that creates missing directories, that sets file/directory ownership and permissions, and that upgrades existing configuration files if necessary. 20020110 Workaround: AIX null read() return on an empty but open non-blocking pipe. File: master/master_flow.c. Report: Hamish Marson. 20020111 Feedback: feedback, bugfixes, and brain-dead shell workarounds for the install scripts by Victor Duchovni and Simon Mudd. 20020113 Rewrote postfix-install. The postfix-files file now controls what is installed. Refined the semantics of many post-install operations. post-install now auto-saves settings that override main.cf. 20020114 Bugfix: alternate_config_directories did not take comma or whitespace as separators. File: global/mail_conf.c. Victor Duchovni, Morgan Stanley. Bugfix: the rewritten postfix-install script did not chattr +S the Postfix queue. 20020115 Cleanup: added sample_directory and readme_directory installation parameters for sample configuration files and for README files. Files: postconf.c, postfix-install, conf/postfix-files, conf/post-install. Robustness: the postfix command now exports all installation parameter settings, and input filters the environment, so that the startup shell scripts produce a consistent result. Files: postconf.c. 20020117 Portability: patch from LaMont Jones for compiling dict_ldap.c with the Netscape SDK. Feature: added "r" (recursive chown/chgrp) flag to the postfix-files database, for more convenient change of Postfix queue ownership. Files: conf/postfix-files, conf/post-install. 20020122 Documentation: lots of little fixes. Documentation: updates for the VIRTUAL_README file by Victor Duchovni, Morgan Stanley. Bugfix: postqueue -s dereferenced a null pointer when given a numerical domain argument. LaMont Jones, HP. Cleanup: smtpd now logs a warning when permit_sasl_authenticated is used while SASL authentication is disabled, instead of simply ignoring the restriction. LaMont Jones, HP. File: smtpd/smtpd.c. Safety: when postmap creates a non-existent file, the new file inherits group/other read permissions from the source file. Based on code by LaMont Jones, HP. File: postmap/postmap.c. 20020123 Portability: some Linux systems install libnsl.so without libnsl.a file, causing an yp_match undefined reference problem. File: makedefs. 20020124 Portability: post-install now requests that command_directory is given on the command line when the postconf command is in an unusual place. Safety: extra code to detect and report Berkeley DB version mismatches between compile time and run time. This test is limited to mismatches in the major version number only. File: util/dict_db.c. Based on code by Lawrence Greenfield, Carnegie-Mellon university. Safety: the postfix command and the master daemon abort if they are running set-uid. Documentation: the postmap manual page described an out of date input file format. 20020129 Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe. Therefore, input mail flow control is disabled by default. Files: makedefs, global/mail_params.h, conf/main.cf. Problem reported by Kurt Andersen, Agilent. 20020201 Workaround: changed the default smtpd_null_access_lookup_key setting to <>, because some Bezerkeloid DB implementations can't handle null-length lookup keys. File: global/mail_params.h. Bugfix: backed out a null-length address panic call by ignoring the problem, like Postfix did in the past. File: global/resolve_local.c. Safety: "postfix check" will now warn if /usr/lib/sendmail and /usr/sbin/sendmail differ, and will propose to replace one by a symlink to the other. File: conf/postfix-script. 20020204 Sanity: additional permission checks for "postfix check" that warn for setgid_group group ownership mismatches. by Matthias Andree, uni-dortmund.de. File: conf/postfix-script. Bugfix: "postfix check" used a too simplistic way to recognize file ownership (grepping ls output). It now uses the recently discovered "find -prune". Peter Bieringer, Matthias Andree. File: conf/postfix-script. 20020218 Workaround: log a warning and disconnect when an SMTP client ignores our negative replies and starts sending message content without permission. File: smtpd/smtpd.c. 20020220 Bugfix: mismatch in the file being locked by dict_dbm and the file being locked by postmap, so that locks did not work correctly. Victor Duchovni, Morgan Stanley. 20020222 Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp() produce incorrect results with 8-bit characters. For example, non-ASCII characters could compare equal to ASCII characters, and that could result in any number of security problems. Files: util/strcasecmp.c, COPYRIGHT (the BSD license). Bugfix: off-by-one error, causing a null byte to be written outside dynamically allocated memory in the queue manager with addresses of exactly 100 bytes long, resulting in SIGSEGV on systems with an "exact fit" malloc routine. Experienced by Ralf Hildebrandt; diagnosed by Victor Duchovny. Files: *qmgr/qmgr_message.c. This is not a security problem. Bugfix: make all recipient comparisons transitive, because Solaris qsort() causes SIGSEGV errors otherwise. Victor Duchovny, Morgan Stanley. File: *qmgr/qmgr_message.c. 20020302 Bugfix: don't strip source route (@domain...:) when the result would be an empty address. This avoids problems when append_at_myorigin is set to "no" (which is not supported). Problem reported by Charles McColgan, Big Fish Communications. File: trivial-rewrite/rewrite.c. 20020304 Cleanup: postqueue should not not complain when output fails with "broken pipe". 20020308 Bugfix? reply with 550 not 552 when content is rejected. 552 is reserved for "too much mail". Documentation: add note to sendmail manual page that running "sendmail -bs" as $mail_owner enables SMTP server UCE and access control checks. This is meant for use from inetd etc. Matthias Andree. 20020311 Bugfix: DBM maps should use different files for locking and for change detection. Problem reported by Victor Duchovny, Morgan Stanley. Files: util/dict.h util/dict.c util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c. 20020313 Bugfix: mailq could show addresses with unusual characters twice. Problem reported by Victor Duchovny, Morgan Stanley. File: showq/showq.c. Bugfix: null recipients weren't properly recorded in bounce/defer logfiles. Such recipient addresses are not accepted in SMTP mail, but they could appear within locally submitted mail. File: bounce/bounce_append_service.c. 20020318 Workaround: Berkeley DB can't handle null key lookups, which happen with HELO names ending in ".". Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. Logging: log a hint when mail is deferred because the soft_bounce parameter is set. People sometimes forget to turn it off. File: global/bounce.c. 20020319 Cleanup: add a msg_warn() call when fork() fails in pipe_command(), to make problems easier to investigate. Chris Wedgwood. File: global/pipe_command.c. 20020324 Cleanup: more graceful handling of long physical message header lines upon input. Physical header lines can now extend up to $header_size_limit characters. When a logical message header is too long, the excess text is discarded and Postfix no longer switches to body mode, to avoid breaking MIME encapsulation. Based on code by Victor Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c, cleanup/cleanup_message.c. Cleanup: more graceful handling of long physical message header or body lines upon output by the SMTP client. The SMTP client output line length is controlled by a new parameter smtp_line_length_limit (default: 990; specify 0 to disable the limit). Long lines are folded by inserting , to avoid breaking MIME encapsulation. Based on code by Victor Duchovni, Morgan Stanley. File: smtp/smtp_proto.c. 20020325 Cleanup: allow additional text after a WARN command in a header/body_checks pattern file, so that one can change REJECT+text into WARN+text and vice versa. Based on code by Fredrik Thulin, Stockholm University. Cleanup: log a warning when an unknown command is found in a header/body_checks pattern file, or when additional text is found after a command that does not expect additional text. Based on code by Fredrik Thulin, Stockholm University. Bugfix: sendmail should not recognize "." as the end of input when the current read operation started in the middle of a line. Victor Duchovni, Morgan Stanley. File: sendmail/sendmail.c. 20020328 Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda. File: util/sys_defs.h. 20020329 Bugfix: defer_transports broke because the flush server triggered mail delivery (as if ETRN was sent) while doing some internal housekeeping of per-destination logfiles. Problem experienced by LaMont Jones, HP. File: flush/flush.c. Bugfix: virtual mapping broke for addresses with embedded whitespace. Fix by Victor Duchovni, Morgan Stanley. File: cleanup/cleanup_map1n.c. 20020330 Bugfix: postqueue did not pass on non-default configuration directory settings when running showq while the mail system is down. The super-user is now exempted from environment stripping in postqueue/postqueue.c. Problem reported by Victor Duchovni, Morgan Stanley. 20020414 Portability: Postfix will no longer attempt to build with gdbm support, because gdbm is broken. File: makedefs. 20020417 Bugfix: the post-install script failed to upgrade master.cf settings from private to public if the service was explicitly configured as private. 20020426 Bugfix: the SMTP client forgot to quote whitespace etc. in a sender/recipient address when DNS lookup was turned off (disable_dns_lookups = yes). Problem experienced by Chip Paswater. Files: smtp/smtp_proto.c. 20020503 Cleanup: postqueue silently ignored command-line arguments following -p or -f options, instead of complaining; postqueue produced an incorrect error message (mail system down) when the command was installed with incorrect privileges. File: postqueue/postqueue.c. Bugfix: while reporting a domain name or IP address syntax error, postqueue could dereference a dangling pointer with some getopt() implementations. LaMont Jones, HP. File: postqueue/postqueue.c. 20020504 Portability: run-time test to avoid GDBM trouble. File: util/dict_dbm.c. 20020508 Bugfix: close user@domain@postfix-style.virtual.domain source routing relaying loophole involving postfix-style virtual domains with @virtual.domain catch-all patterns. Problem reported by Victor Duchovny. File: smtpd/smtpd_check.c. Bugfix: mail_addr_map() used the "wrong" @ character in addresses with multiple @. Victor Duchovny. File: global/mail_addr_map.c. Bugfix: for address localpart quoting, now quote @ as a special character everywhere, except when resolving addresses. Previously, the @ was nowhere quoted as a special character, not even in SMTP commands. Files: global/quote_82[12]_local.c and some clients. 20020509 Safety: don't allow an OK access rule lookup result for user@domain@postfix-style.virtual.domain. Suggested by Victor Duchovny, Morgan Stanley. File: smtpd/smtpd_check.c. Bugfix: quote unquoted address localparts that need quoting. Files: global/tok822_parse.c, global/quote_82[12]_local.c. 20020512 Cleanup: the SMTP client logged and bounced the CNAME expanded recipient address, and thereby complicated trouble shooting. File: src/smtp_proto.c. Bugfix: the SMTP and LMTP clients bounced the quoted recipient address, resulting in too much quoting in bounce reports. Files: src/smtp_proto.c, lmtp/lmtp_proto.c. 20020513 Bugfix: the LDAP client used the "wrong" @ character in addresses with multiple @. LaMont Jones, HP. File: util/dict_ldap.c. Compatibility: forwards "postqueue -r" compatibility with the additional queue file records that are stored by snapshot 20050512. Cleanup: specify "resolve_dequoted_address = no" to prevent Postfix from looking inside quotes for extra @ etc. characters when resolving an address. This behavior is technically more correct, but it opens a mail relay loophole with "user @domain"@domain when relaying mail to a Sendmail system. 20020514 Bugfix: the new code for header address quoting sometimes did not null terminate strings so that arbitrary garbage could appear at the end of message headers. Reported by Ralf Hildebrandt. File: global/tok822_parse.c. Safety: user@domain@domain is no longer accepted by the permit_mx_backup uce restriction (unless Postfix is configured with "resolve_dequoted_address = no"). Victor Duchovny, Morgan Stanley. File: smtpd/smtpd_check.c. 20020517 Cleanup: Mailbox-Line: message header labels should be X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c. 20020526 Bugfix: the SMTP server now disallows RCPT TO:<"">, just like it disallows RCPT TO:<>. File: smtpd/smtpd.c. Documentation: replace domain.name by domain.tld in the example config files. The domain exists. They were getting mail from poorly configured Postfix boxes. Bugfix: The Postfix sendmail command did not export the MAIL_CONFIG environment setting to the postdrop command. File: global/mail_config.h. 20021121 Bugfix: garbage in "user@garbage"@domain address forms may cause the SMTP or LMTP client to terminate with a fatal error exit because garbage/tcp is not an existing service. This cannot be abused to cause the SMTP or LMTP client to send data into unauthorized ports. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c. 20030728 Bugfix: an invalid address resolved to an invalid result, and caused the address resolver client to keep trying forever, resulting in a local or remote DOS condition of smtpd, qmgr, and other programs. Reported by Michal Zalewski. File: trivial-rewrite/resolve.c. Open problems: Low: sendmail does not store null command-line recipients. Low: don't do user@domain and @domain lookups in local_recipient_maps queries. Low: after reorganizing configuration parameters, add flags to all parameters whose value can be read from file. Medium: need in-process caching for map lookups. LDAP servers seem to need this in particular. Need a way to expire cached results that are too old. Medium: make address rewriting on/off configurable for envelopes and/or headers. Low: generic showq protocol, to allow for more intelligent processing than just mailq. Maybe marry this with postsuper. Low: default domain for appending to unqualified recipients. Low: The $process_id_directory setting is not used anywhere in Postfix. Problem reported by Michael Smith, texas.net. This should be documented, or better, the code should warn about attempts to set read-only parameters. Low: postconf -e edits parameters that postconf won't list.