check-spell-cc - OpenGrok history log for /netbsd-src/external/ibm-public/postfix/dist/mantools/check-spell-cc

Revision	Date	Author	Comments
# 059c16a8	23-Dec-2023	christos <christos@NetBSD.org>	Import Postfix 3.8.4 (last was 3.7.3) December 22, 2023: 3.8.4/3.7.9 ============================== Security: this release adds support to defend against an email spoofing attack (SMTP smuggling) o Import Postfix 3.8.4 (last was 3.7.3) December 22, 2023: 3.8.4/3.7.9 ============================== Security: this release adds support to defend against an email spoofing attack (SMTP smuggling) on recipients at a Postfix server. For background, see https://www.postfix.org/smtp-smuggling.html. Sites concerned about SMTP smuggling attacks should enable this feature on Internet-facing Postfix servers. For compatibility with non-standard clients, Postfix by default excludes clients in mynetworks from this countermeasure. The recommended settings are: # Optionally disconnect remote SMTP clients that send bare newlines, # but allow local clients with non-standard SMTP implementations # such as netcat, fax machines, or load balancer health checks. # smtpd_forbid_bare_newline = yes smtpd_forbid_bare_newline_exclusions = $mynetworks The smtpd_forbid_bare_newline feature is disabled by default. November 1, 2023: 3.8.3/3.7.8 ============================= Bugfix (defect introduced Postfix 2.5, date 20080104): the Postfix SMTP server was waiting for a client command instead of replying immediately, after a client certificate verification error in TLS wrappermode. Reported by Andreas Kinzler. Usability: the Postfix SMTP server (finally) attempts to log the SASL username after authentication failure. In Postfix logging, this appends ", sasl_username=xxx" after the reason for SASL authentication failure. The logging replaces an unavailable reason with "(reason unavailable)", and replaces an unavailable sasl_username with "(unavailable)". Based on code by Jozsef Kadlecsik. Compatibility bugfix (defect introduced: Postfix 2.11, date 20130405): in forward_path, the expression ${recipient_delimiter} would expand to an empty string when a recipient address had no recipient delimiter. The compatibility fix is to use a configured recipient delimiter value instead. Reported by Tod A. Sandman. September 1, 2023: 3.8.2/3.7.7 ============================== Bugfix (defect introduced: Postfix alpha, 19980207): the valid_hostname() check in the Postfix DNS client library was blocking unusual but legitimate wildcard names (.name) in some DNS lookup results and lookup requests. Examples: name class/type result .one.example IN CNAME .other.example .other.example IN A 10.0.0.1 .other.example IN TLSA ..certificate info... Such syntax is blesed in RFC 1034 section 4.3.3. Bugfix (defect introduced: Postfix 3.0, 20140218): when an address verification probe fails during or after an opportunistic TLS handshake, don't enforce a minimum time-in-queue before falling back to plaintext. Problem reported by Serg. June 5, 2023: 3.8.1/3.7.6 ========================= Optional: harden a Postfix SMTP server against remote SMTP clients that violate RFC 2920 (or 5321) command pipelining constraints. With "smtpd_forbid_unauth_pipelining = yes", the server disconnects a client immediately, after responding with "554 5.5.0 Error: SMTP protocol synchronization" and after logging "improper command pipelining" with the unexpected remote SMTP client input. This feature is disabled by default in Postfix 3.5-3.8 to avoid breaking home-grown utilities, but it is enabled by default in Postfix 3.9. A similar feature is enabled by default in the Exim SMTP server. Optional: some OS distributions crank up TLS security to 11, and in doing so increase the number of plaintext email deliveries. This introduces basic OpenSSL configuration file support that may be used to override OS-level settings. Details are in the postconf(5) manpage under tls_config_file and tls_config_name. Bugfix (defect introduced: Postfix 1.0): the command "postconf .. name=v1 .. name=v2 .." (multiple instances of the same parameter name) created multiple main.cf name=value entries with the same parameter name. It now logs a warning and skips the earlier name(s) and value(s). Found during code maintenance. Bugfix (defect introduced: Postfix 3.3): the command "postconf -M name1/type1='name2 type2 ...'" died with a segmentation violation when the request matched multiple master.cf entries. The master.cf file was not damaged. Problem reported by SATOH Fumiyasu. Bugfix (defect introduced: Postfix 2.11): the command "postconf -M name1/type1='name2 type2 ...'" could add a service definition to master.cf that conflicted with an already existing service definition. It now replaces all existing service definitions that match the service pattern 'name1/type1' or the service name and type in 'name2 type2 ...' with a single service definition 'name2 type2 ...'. Problem reported by SATOH Fumiyasu. Bugfix (defect introduced: Postfix 3.8) the posttls-finger command could access uninitialized memory when reconnecting. This also fixes a malformed warning message when a destination contains ":service" information. Reported by Thomas Korbar. Bugfix (defect introduced: Postfix 3.2): the MySQL client could return "not found" instead of "error" (for example, resulting in a 5XX SMTP status instead of 4XX) during the time that all MySQL server connections were turned down after error. Found during code maintenance. File: global/dict_mysql.c. This was already fixed in Postfix 3.4-3.7. April 18, 2023: 3.7.5 ===================== Bugfix (problem introduced in Postfix 3.5): check_ccert_access did not handle inline map specifications. Report and fix by Sean Gallagher. Bugfix (problem introduced in Postfix 3.4): the posttls-finger command failed to detect that a connection was resumed in the case that a server did not return a certificate. Fix by Viktor Dukhovni. Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return lazily-bound handles. Postfix now checks that the expected functionality will be available instead of failing later. Fix by Viktor Dukhovni. Safety: the long form "{ name = value }" in import_environment or export_environment is not documented (with spaces around the '='), but it was silently accepted, and it was stored in the process environment as the invalid form "name = value", thus not setting or overriding an entry for "name". This form is now stored as the expected "name=value". Found during code maintenance. Bugfix (problem introduced in Postfix 3.2): the MySQL client could return "not found" instead of "error" (for example, resulting in a 5XX SMTP status instead of 4XX) during the time that all MySQL server connections were turned down after error. Found during code maintenance. April 17, 2023: 3.8.0 ===================== Support to look up DNS SRV records in the Postfix SMTP/LMTP client, Based on code by Tomas Korbar (Red Hat). For example, with "use_srv_lookup = submission" and "relayhost = example.com:submission", the Postfix SMTP client will look up DNS SRV records for _submission._tcp.example.com, and will relay email through the hosts and ports that are specified with those records. TLS obsolescence: Postfix now treats the "export" and "low" cipher grade settings as "medium". The "export" and "low" grades are no longer supported in OpenSSL 1.1.1, the minimum version required in Postfix 3.6.0 and later. Also, Postfix default settings now exclude deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5), key exchange algorithms (DH, ECDH), and public key algorithm (DSS). Attack resistance: the Postfix SMTP server can now aggregate smtpd_client__rate and smtpd_client_*_count statistics by network block instead of by IP address, to raise the bar against a memory exhaustion attack in the anvil(8) server; Postfix TLS support unconditionally disables TLS renegotiation in the middle of an SMTP connection, to avoid a CPU exhaustion attack. The PostgreSQL client encoding is now configurable with the "encoding" Postfix configuration file attribute. The default is "UTF8". Previously the encoding was hard-coded as "LATIN1", which is not useful in the context of SMTP. The postconf command now warns for #comment in or after a Postfix parameter value. Postfix programs do not support #comment after other text, and treat that as input. January 12, 2023: 3.7.4 ======================= Workaround: with OpenSSL 3 and later always turn on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed opportunities for TLS session reuse. This is safe because the SMTP protocol implements application-level framing, and is therefore not affected by TLS truncation attacks. Fix by Viktor Dukhovni. Workaround: OpenSSL 3.x EVP_get_digestbyname() can return lazily-bound handles for digest implementations. In sufficiently hostile configurations, Postfix could mistakenly believe that a digest algorithm is available, and fail when it is not. A similar workaround may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni. Bugfix (bug introduced in Postfix 2.11): the checkok() macro in tls/tls_fprint.c evaluated its argument unconditionally; it should evaluate the argument only if there was no prior error. Found during code review. Bugfix (bug introduced in Postfix 2.8): postscreen died with a segmentation violation when postscreen_dnsbl_threshold < 1. It should reject such input with a fatal error instead. Discovered by Benny Pedersen. Bitrot: fixes for linker warnings from newer Darwin (MacOS) versions. Viktor Dukhovni. Portability: Linux 6 support. Added missing documentation that cidr:, pcre: and regexp: tables support inline specification only in Postfix 3.7 and later. show more ...
# 4a672054	08-Oct-2022	christos <christos@NetBSD.org>	Import Postfix-3.7.3 (previous version was 3.5.2) This is the Postfix 3.7 (stable) release. The stable Postfix release is called postfix-3.7.x where 3=major release number, 7=minor release number, Import Postfix-3.7.3 (previous version was 3.5.2) This is the Postfix 3.7 (stable) release. The stable Postfix release is called postfix-3.7.x where 3=major release number, 7=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. New features are developed in snapshot releases. These are called postfix-3.8-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 3.5 or earlier, read RELEASE_NOTES-3.6 before proceeding. License change --------------- This software is distributed with a dual license: in addition to the historical IBM Public License 1.0, it is now also distributed with the more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. Bugfix for messages not delivered after "warning: Unexpected record type 'X' ============================================================================ Due to a bug introduced in Postfix 3.7.0, a message could falsely be flagged as corrupt with "warning: Unexpected record type 'X'". Such messages were moved to the "corrupt" queue directory, where they may still be found. See below for instructions to deal with these falsely flagged messages. This could happen for messages with 5000 or more recipients, or with fewer recipients on a busy mail server. The problem was first reported by Frank Brendel, reproduced by John Alex. A file in the "corrupt" queue directory may be inspected with the command "postcat /var/spool/postfix/corrupt/<filename>. If delivery of the file is still desired, the file can be moved back to /var/spool/postfix/incoming after updating Postfix and executing "postfix reload". Major changes - configuration ----------------------------- [Feature 20210605] Support to inline the content of small cidr:, pcre:, and regexp: tables in Postfix parameter values. Example: smtpd_forbidden_commands = CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}} This is the new smtpd_forbidden_commands default value. It will immediately disconnect a remote SMTP client when a command does not start with a letter (a-z or A-Z). The basic syntax is: /etc/postfix/main.cf: parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } .. /etc/postfix/master.cf: .. -o { parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } .. } .. where map-type is one of cidr, pcre, or regexp. Postfix ignores whitespace after '{' and before '}', and writes each rule as one text line to a nameless in-memory file: in-memory file: rule-1 rule-2 .. Postfix parses the result as if it is a file in /etc/postfix. Note: if a rule contains $, specify $$ to keep Postfix from trying to do $name expansion as it evaluates the parameter value. Major changes - lmdb support ---------------------------- [Feature 20210605] Overhauled the LMDB client's error handling, and added integration tests for future-proofing. There are no visible changes in documented behavior. Major changes - logging ----------------------- [Feature 20210815] To make the maillog_file feature more useful, the postlog(1) command is now set-gid postdrop, so that unprivileged programs can use it to write logging through the postlogd(8) daemon. This required hardening the postlog(1) command against privilege escalation attacks. DO NOT turn on the set-gid bit with older postlog(1) implementations. Major changes - pcre2 support ----------------------------- [Feature 20211127] Support for the pcre2 library (the legacy pcre library is no longer maintained). The Postfix build procedure automatically detects if the pcre2 library is installed, and if it is unavailable, the Postfix build procedure will detect if the legacy pcre library is installed. See PCRE_README if you need to build Postfix with a specific library. Visible differences: some error messages may have a different text, and the 'X' pattern flag is no longer supported with pcre2. Major changes - security ------------------------ [Feature 20220102] Postfix programs now randomize the initial state of in-memory hash tables, to defend against hash collision attacks involving a large number of attacker-chosen lookup keys. Presently, the only known opportunity for such attacks involves remote SMTP client IPv6 addresses in the anvil(8) service. The attack would require making hundreds of short-lived connections per second from thousands of different IP addresses, because the anvil(8) service drops inactive counters after 100s. Other in-memory hash tables with attacker-chosen lookup keys are by design limited in size. The fix is cheap, and therefore implemented for all Postfix in-memory hash tables. Problem reported by Pascal Junod. [Feature 20211030] The postqueue command now sanitizes non-printable characters (such as newlines) in strings before they are formatted as json or as legacy output. These outputs are piped into other programs that are run by administrative users. This closes a hypothetical opportunity for privilege escalation. [Feature 20210815] Updated defense against remote clients or servers that 'trickle' SMTP or LMTP traffic, based on per-request deadlines and minimum data rates. Per-request deadlines: The new {smtpd,smtp,lmtp}_per_request_deadline parameters replace {smtpd,smtp,lmtp}_per_record_deadline, with backwards compatible default settings. This defense is enabled by default in the Postfix SMTP server in case of overload. The new smtpd_per_record_deadline parameter limits the combined time for the Postfix SMTP server to receive a request and to send a response, while the new {smtp,lmtp}_per_record_deadline parameters limit the combined time for the Postfix SMTP or LMTP client to send a request and to receive a response. Minimum data rates: The new smtpd_min_data_rate parameter enforces a minimum plaintext data transfer rate for DATA and BDAT requests, but only when smtpd_per_record_deadline is enabled. After a read operation transfers N plaintext bytes (possibly after TLS decryption), and after the DATA or BDAT request deadline is decreased by the elapsed time of that read operation, the DATA or BDAT request deadline is increased by N/smtpd_min_data_rate seconds. However, the deadline is never increased beyond the smtpd_timeout value. The default minimum data rate is 500 (bytes/second) but is still subject to change. The new {smtp,lmtp}_min_data_rate parameters enforce the corresponding minimum DATA transfer rates for the Postfix SMTP and LMTP client. Major changes - tls support --------------------------- [Cleanup 20220121] The new tlsproxy_client_security_level parameter replaces tlsproxy_client_level, and the new tlsproxy_client_policy_maps parameter replaces tlsproxy_client_policy. This is for consistent parameter naming (tlsproxy_client_xxx corresponds to smtp_tls_xxx). This change was made with backwards-compatible default settings. [Feature 20210926] Postfix was updated to support OpenSSL 3.0.0 API features, and to work around OpenSSL 3.0.0 bit-rot (avoid using deprecated API features). Other code health ----------------- [typos] Typo fixes by raf. [pre-release checks] Added pre-release checks to detect a) new typos in documentation and source-code comments, b) missing entries in the postfix-files file (some documentation would not be installed), c) missing rules in the postlink script (some text would not have a hyperlink in documentation), and d) missing map-based $parameter names in the proxy_read_maps default value (the proxymap daemon would not automatically authorize some proxied maps). [memory stream] Improved support for memory-based streams made it possible to inline small cidr:, pcre:, and regexp: maps in Postfix parameter values, and to eliminate some ad-hoc code that converted tlsproxy(8) protocol data to or from serialized form. ************************************************************************* This is the Postfix 3.6 (stable) release. The stable Postfix release is called postfix-3.6.x where 3=major release number, 6=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. New features are developed in snapshot releases. These are called postfix-3.7-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 3.4 or earlier, read RELEASE_NOTES-3.5 before proceeding. License change --------------- This software is distributed with a dual license: in addition to the historical IBM Public License 1.0, it is now also distributed with the more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. Major changes - internal protocol identification ------------------------------------------------ [Incompat 20200920] Internal protocols have changed. You need to "postfix stop" before updating, or before backing out to an earlier release, otherwise long-running daemons (pickup, qmgr, verify, tlsproxy, postscreen) may fail to communicate with the rest of Postfix, causing mail delivery delays until Postfix is restarted. This change does not affect message files in Postfix queue directories, only the communication between running Postfix programs. With this change, every Postfix internal service, including the postdrop command, announces the name of its protocol before doing any other I/O. Every Postfix client program, including the Postfix sendmail command, will verify that the protocol name matches what it is supposed to be. The purpose of this change is to produce better error messages, for example, when someone configures the discard daemon as a bounce service in master.cf, or vice versa. This change may break third-party programs that implement a Postfix-internal protocol such as qpsmtpd. Such programs have never been supported. Fortunately, this will be an easy fix: look at the first data from the cleanup daemon: if it is a protocol announcement, you're talking to Postfix 3.6 or later. That's the only real change. Major changes - tls ------------------- [Incompat 20200705] The minimum supported OpenSSL version is 1.1.1, which will reach the end of life by 2023-09-11. Postfix 3.6 is expected to reach the end of support in 2025. Until then, Postfix will be updated as needed for compatibility with OpenSSL. The default fingerprint digest has changed from md5 to sha256 (Postfix 3.6 with compatibility_level >= 3.6). With a lower compatibility_level setting, Postfix defaults to using md5, and logs a warning when a Postfix configuration specifies no explicit digest type. Export-grade Diffie-Hellman key exchange is no longer supported, and the tlsproxy_tls_dh512_param_file parameter is ignored, [Feature 20200906] The tlstype.pl helper script by Viktor Dukhovni reports TLS information per message delivery. This processes output from the collate.pl script. See auxiliary/collate/README.tlstype and auxiliary/collate/tlstype.pl. Major changes - compatibility level ----------------------------------- [Feature 20210109] Starting with Postfix version 3.6, the compatibility level is "3.6". In future Postfix releases, the compatibility level will be the Postfix version that introduced the last incompatible change. The level is formatted as 'major.minor.patch', where 'patch' is usually omitted and defaults to zero. Earlier compatibility levels are 0, 1 and 2. This also introduces main.cf and master.cf support for the <=level, <level, and other operators to compare compatibility levels. With the standard <=, <, etc. operators, compatibility level 3.10 would be less than 3.9, which is undesirable. Major changes - services(5) override ------------------------------------ [Feature 20210418] Postfix no longer uses the services(5) database to look up the TCP ports for SMTP and LMTP services. Instead, this information is configured with the new known_tcp_ports configuration parameter (default: lmtp=24, smtp=25, smtps=submissions=465, submission=587). When a service is not specified in known_tcp_ports, Postfix will still query the services(5) database. Major changes - local_login_sender_maps --------------------------------------- [Feature 20201025] Fine-grained control over the envelope sender address for submission with the Postfix sendmail (or postdrop) commands. The local_login_sender_maps parameter (default: static:) specifies a list of lookup tables that are searched by the UNIX login name, and that return a list of allowed envelope sender patterns separated by space or comma. The default is backwards-compatible: every user may specify any sender envelope address. This feature is enforced by the postdrop command. When no UNIX login name is available, the postdrop command will prepend "uid:" to the numerical UID and use that instead. This feature ignores address extensions in the user-specified envelope sender address. Besides the special pattern "" which allows any sender address, there are "<>" which matches an empty sender address, and the "@domain" wildcard pattern. More information about those can be found in the postconf(5) manpage. Example: /etc/postfix/main.cf: # Allow root and postfix full control, anyone else can only # send mail as themselves. Use "uid:" followed by the numerical # UID when the UID has no entry in the UNIX password file. local_login_sender_maps = inline:{ { root = }, { postfix = } }, pcre:/etc/postfix/login_senders /etc/postfix/login_senders: # Allow both the bare username and the user@domain forms. /(.+)/ $1 $1@example.com Major changes - order of relay and recipient restrictions --------------------------------------------------------- [Incompat 20210131] With smtpd_relay_before_recipient_restrictions=yes, the Postfix SMTP server will evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions. This is the default behavior with compatibility_level >= 3.6. This change makes the implemented behavior consistent with existing documentation. There is a backwards-compatibility warning that allows users to freeze historical behavior. See COMPATIBILITY_README for details. Major changes - respectful logging ---------------------------------- [Feature 20210220] Postfix version 3.6 deprecates terminology that implies white is better than black. Instead, Postfix prefers 'allowlist', 'denylist', and variations on those words. This change affects Postfix documentation, and postscreen parameters and logging. To keep the old postscreen logging set "respectful_logging = no" in main.cf. Noel Jones assisted with the initial transition. Changes in documentation ------------------------ Postfix documentation was updated to use 'allowlist', 'denylist', etc. These documentation changes do not affect Postfix behavior. Changes in parameter names -------------------------- The following postscreen parameters replace names that contain 'blacklist' or 'whitelist': postscreen_allowlist_interfaces postscreen_denylist_action postscreen_dnsbl_allowlist_threshold These new parameters have backwards-compatible default settings that support the old parameter names, so that the name change should not affect Postfix behavior. This means that existing management tools that use the old parameter names should keep working as before. This compatibility safety net may break when some management tools use the new parameter names, and some use the old names, such that different tools will disagree on how Postfix works. Changes in logging ------------------ The following logging replaces forms that contain 'blacklist' or 'whitelist': postfix/postscreen[pid]: ALLOWLIST VETO [address]:port postfix/postscreen[pid]: ALLOWLISTED [address]:port postfix/postscreen[pid]: DENYLISTED [address]:port To avoid breaking logfile analysis tools, Postfix keeps logging the old forms by default, as long as the compatibility_level parameter setting is less than 3.6, and the respectful_logging parameter is not explicitly configured. As a reminder, Postfix will log the following: postfix/postscreen[pid]: Using backwards-compatible default setting respectful_logging=no for client [address]:port To keep logging the old form, make the setting "respectful_logging = no" permanent in main.cf, for example: # postconf "respectful_logging = no" # postfix reload To stop the reminder, configure the respectful_logging parameter to "yes" or "no", or configure "compatibility_level = 3.6". Major changes - threaded bounces -------------------------------- [Feature 20201205] Support for threaded bounces. This allows mail readers to present a non-delivery, delayed delivery, or successful delivery notification in the same email thread as the original message. Unfortunately, this also makes it easy for users to mistakenly delete the whole email thread (all related messages), instead of deleting only the delivery status notification. To enable, specify "enable_threaded_bounces = yes". Other changes - smtpd_sasl_mechanism_list ----------------------------------------- [Feature 20200906] The smtpd_sasl_mechanism_list parameter (default: !external, static:rest) prevents confusing errors when a SASL backend announces EXTERNAL support which Postfix does not support. Other changes - delivery logging -------------------------------- [Incompat 20200531] Postfix delivery agents now log an explicit record when delegating delivery to a different Postfix delivery agent. For example, with "best_mx_transport = local", an SMTP delivery agent will now log when a recipient will be delivered locally. This makes the delegating delivery agent visible, where it would otherwise have remained invisible, which would complicate troubleshooting. postfix/smtp[pid]: queueid: passing <recipient> to transport=local This will usually be followed by logging for an actual delivery: postfix/local[pid]: queueid: to=<recipient>, relay=local, ... Other examples: the local delivery agent will log a record that it defers mailbox delivery through mailbox_transport or through fallback_transport. Other changes - error logging ----------------------------- [Incompat 20200531] Postfix programs will now log "Application error" instead of "Success" or "Unknown error: 0" when an operation fails with errno == 0, i.e., the error originates from non-kernel code. Other changes - dns lookups --------------------------- [Feature 20200509] The threadsafe resolver API (res_nxxx() calls) is now the default, not because the API is threadsafe, but because this is the API where new features are being added. To build old style, build with: make makefiles CCARGS="-DNO_RES_NCALLS..." This is the default for systems that are known not to support the threadsafe resolver API. show more ...

Revision

Date

Author

Comments

# 059c16a8

23-Dec-2023

christos <christos@NetBSD.org>

Import Postfix 3.8.4 (last was 3.7.3)

December 22, 2023: 3.8.4/3.7.9
==============================

Security: this release adds support to defend against an email
spoofing attack (SMTP smuggling) o

Import Postfix 3.8.4 (last was 3.7.3)

December 22, 2023: 3.8.4/3.7.9
==============================

Security: this release adds support to defend against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server.
For background, see https://www.postfix.org/smtp-smuggling.html.

Sites concerned about SMTP smuggling attacks should enable this
feature on Internet-facing Postfix servers. For compatibility with
non-standard clients, Postfix by default excludes clients in
mynetworks from this countermeasure.

The recommended settings are:

# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
The smtpd_forbid_bare_newline feature is disabled by default.

November 1, 2023: 3.8.3/3.7.8
=============================

Bugfix (defect introduced Postfix 2.5, date 20080104): the Postfix
SMTP server was waiting for a client command instead of replying
immediately, after a client certificate verification error in TLS
wrappermode. Reported by Andreas Kinzler.

Usability: the Postfix SMTP server (finally) attempts to log the
SASL username after authentication failure. In Postfix logging,
this appends ", sasl_username=xxx" after the reason for SASL
authentication failure. The logging replaces an unavailable reason
with "(reason unavailable)", and replaces an unavailable sasl_username
with "(unavailable)". Based on code by Jozsef Kadlecsik.

Compatibility bugfix (defect introduced: Postfix 2.11, date 20130405):
in forward_path, the expression ${recipient_delimiter} would expand
to an empty string when a recipient address had no recipient
delimiter. The compatibility fix is to use a configured recipient
delimiter value instead. Reported by Tod A. Sandman.

September 1, 2023: 3.8.2/3.7.7
==============================

Bugfix (defect introduced: Postfix alpha, 19980207): the valid_hostname()
check in the Postfix DNS client library was blocking unusual but
legitimate wildcard names (*.name) in some DNS lookup results and
lookup requests. Examples:

name class/type result
*.one.example IN CNAME *.other.example
*.other.example IN A 10.0.0.1
*.other.example IN TLSA ..certificate info...
Such syntax is blesed in RFC 1034 section 4.3.3.

Bugfix (defect introduced: Postfix 3.0, 20140218): when an address
verification probe fails during or after an opportunistic TLS
handshake, don't enforce a minimum time-in-queue before falling
back to plaintext. Problem reported by Serg.

June 5, 2023: 3.8.1/3.7.6
=========================

Optional: harden a Postfix SMTP server against remote SMTP clients
that violate RFC 2920 (or 5321) command pipelining constraints.
With "smtpd_forbid_unauth_pipelining = yes", the server disconnects
a client immediately, after responding with "554 5.5.0 Error: SMTP
protocol synchronization" and after logging "improper command
pipelining" with the unexpected remote SMTP client input. This
feature is disabled by default in Postfix 3.5-3.8 to avoid breaking
home-grown utilities, but it is enabled by default in Postfix 3.9.
A similar feature is enabled by default in the Exim SMTP server.

Optional: some OS distributions crank up TLS security to 11, and
in doing so increase the number of plaintext email deliveries. This
introduces basic OpenSSL configuration file support that may be
used to override OS-level settings. Details are in the postconf(5)
manpage under tls_config_file and tls_config_name.

Bugfix (defect introduced: Postfix 1.0): the command "postconf ..
name=v1 .. name=v2 .." (multiple instances of the same parameter
name) created multiple main.cf name=value entries with the same
parameter name. It now logs a warning and skips the earlier name(s)
and value(s). Found during code maintenance.

Bugfix (defect introduced: Postfix 3.3): the command "postconf -M
name1/type1='name2 type2 ...'" died with a segmentation violation
when the request matched multiple master.cf entries. The master.cf
file was not damaged. Problem reported by SATOH Fumiyasu.

Bugfix (defect introduced: Postfix 2.11): the command "postconf -M
name1/type1='name2 type2 ...'" could add a service definition to
master.cf that conflicted with an already existing service definition.
It now replaces all existing service definitions that match the
service pattern 'name1/type1' or the service name and type in 'name2
type2 ...' with a single service definition 'name2 type2 ...'.
Problem reported by SATOH Fumiyasu.

Bugfix (defect introduced: Postfix 3.8) the posttls-finger command
could access uninitialized memory when reconnecting. This also
fixes a malformed warning message when a destination contains
":service" information. Reported by Thomas Korbar.

Bugfix (defect introduced: Postfix 3.2): the MySQL client could
return "not found" instead of "error" (for example, resulting in
a 5XX SMTP status instead of 4XX) during the time that all MySQL
server connections were turned down after error. Found during code
maintenance. File: global/dict_mysql.c. This was already fixed in
Postfix 3.4-3.7.

April 18, 2023: 3.7.5
=====================

Bugfix (problem introduced in Postfix 3.5): check_ccert_access did
not handle inline map specifications. Report and fix by Sean
Gallagher.

Bugfix (problem introduced in Postfix 3.4): the posttls-finger
command failed to detect that a connection was resumed in the case
that a server did not return a certificate. Fix by Viktor Dukhovni.

Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return lazily-bound
handles. Postfix now checks that the expected functionality will
be available instead of failing later. Fix by Viktor Dukhovni.

Safety: the long form "{ name = value }" in import_environment or
export_environment is not documented (with spaces around the '='),
but it was silently accepted, and it was stored in the process
environment as the invalid form "name = value", thus not setting
or overriding an entry for "name". This form is now stored as the
expected "name=value". Found during code maintenance.

Bugfix (problem introduced in Postfix 3.2): the MySQL client could
return "not found" instead of "error" (for example, resulting in
a 5XX SMTP status instead of 4XX) during the time that all MySQL
server connections were turned down after error. Found during code
maintenance.

April 17, 2023: 3.8.0
=====================

Support to look up DNS SRV records in the Postfix SMTP/LMTP client,
Based on code by Tomas Korbar (Red Hat). For example, with
"use_srv_lookup = submission" and "relayhost = example.com:submission",
the Postfix SMTP client will look up DNS SRV records for
_submission._tcp.example.com, and will relay email through the
hosts and ports that are specified with those records.

TLS obsolescence: Postfix now treats the "export" and "low" cipher
grade settings as "medium". The "export" and "low" grades are no
longer supported in OpenSSL 1.1.1, the minimum version required in
Postfix 3.6.0 and later. Also, Postfix default settings now exclude
deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5),
digest (MD5), key exchange algorithms (DH, ECDH), and public key
algorithm (DSS).

Attack resistance: the Postfix SMTP server can now aggregate
smtpd_client_*_rate and smtpd_client_*_count statistics by network
block instead of by IP address, to raise the bar against a memory
exhaustion attack in the anvil(8) server; Postfix TLS support
unconditionally disables TLS renegotiation in the middle of an SMTP
connection, to avoid a CPU exhaustion attack.

The PostgreSQL client encoding is now configurable with the "encoding"
Postfix configuration file attribute. The default is "UTF8".
Previously the encoding was hard-coded as "LATIN1", which is not
useful in the context of SMTP.

The postconf command now warns for #comment in or after a Postfix
parameter value. Postfix programs do not support #comment after
other text, and treat that as input.

January 12, 2023: 3.7.4
=======================

Workaround: with OpenSSL 3 and later always turn on
SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
opportunities for TLS session reuse. This is safe because the SMTP
protocol implements application-level framing, and is therefore
not affected by TLS truncation attacks. Fix by Viktor Dukhovni.

Workaround: OpenSSL 3.x EVP_get_digestbyname() can return lazily-bound
handles for digest implementations. In sufficiently hostile
configurations, Postfix could mistakenly believe that a digest
algorithm is available, and fail when it is not. A similar workaround
may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.

Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
tls/tls_fprint.c evaluated its argument unconditionally; it should
evaluate the argument only if there was no prior error. Found during
code review.

Bugfix (bug introduced in Postfix 2.8): postscreen died with a
segmentation violation when postscreen_dnsbl_threshold < 1. It
should reject such input with a fatal error instead. Discovered by
Benny Pedersen.

Bitrot: fixes for linker warnings from newer Darwin (MacOS) versions.
Viktor Dukhovni.

Portability: Linux 6 support.

Added missing documentation that cidr:, pcre: and regexp: tables
support inline specification only in Postfix 3.7 and later.

# 4a672054

08-Oct-2022

christos <christos@NetBSD.org>

Import Postfix-3.7.3 (previous version was 3.5.2)

This is the Postfix 3.7 (stable) release.

The stable Postfix release is called postfix-3.7.x where 3=major
release number, 7=minor release number,

Import Postfix-3.7.3 (previous version was 3.5.2)

This is the Postfix 3.7 (stable) release.

The stable Postfix release is called postfix-3.7.x where 3=major
release number, 7=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-3.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 3.5 or earlier, read RELEASE_NOTES-3.6
before proceeding.

License change
---------------

This software is distributed with a dual license: in addition to the
historical IBM Public License 1.0, it is now also distributed with the
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.

Bugfix for messages not delivered after "warning: Unexpected record type 'X'
============================================================================

Due to a bug introduced in Postfix 3.7.0, a message could falsely
be flagged as corrupt with "warning: Unexpected record type 'X'".

Such messages were moved to the "corrupt" queue directory, where
they may still be found. See below for instructions to deal with
these falsely flagged messages.

This could happen for messages with 5000 or more recipients, or
with fewer recipients on a busy mail server. The problem was first
reported by Frank Brendel, reproduced by John Alex.

A file in the "corrupt" queue directory may be inspected with the
command "postcat /var/spool/postfix/corrupt/<filename>. If delivery
of the file is still desired, the file can be moved back to
/var/spool/postfix/incoming after updating Postfix and executing
"postfix reload".

Major changes - configuration
-----------------------------

[Feature 20210605] Support to inline the content of small cidr:,
pcre:, and regexp: tables in Postfix parameter values.

Example:

smtpd_forbidden_commands =
CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}}

This is the new smtpd_forbidden_commands default value. It will
immediately disconnect a remote SMTP client when a command does not
start with a letter (a-z or A-Z).

The basic syntax is:

/etc/postfix/main.cf:
parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } ..

/etc/postfix/master.cf:
.. -o { parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } .. } ..

where map-type is one of cidr, pcre, or regexp.

Postfix ignores whitespace after '{' and before '}', and writes each
rule as one text line to a nameless in-memory file:

in-memory file:
rule-1
rule-2
..

Postfix parses the result as if it is a file in /etc/postfix.

Note: if a rule contains $, specify $$ to keep Postfix from trying
to do $name expansion as it evaluates the parameter value.

Major changes - lmdb support
----------------------------

[Feature 20210605] Overhauled the LMDB client's error handling, and
added integration tests for future-proofing. There are no visible
changes in documented behavior.

Major changes - logging
-----------------------

[Feature 20210815] To make the maillog_file feature more useful,
the postlog(1) command is now set-gid postdrop, so that unprivileged
programs can use it to write logging through the postlogd(8) daemon.
This required hardening the postlog(1) command against privilege
escalation attacks. DO NOT turn on the set-gid bit with older
postlog(1) implementations.

Major changes - pcre2 support
-----------------------------

[Feature 20211127] Support for the pcre2 library (the legacy pcre
library is no longer maintained). The Postfix build procedure
automatically detects if the pcre2 library is installed, and if it
is unavailable, the Postfix build procedure will detect if the
legacy pcre library is installed. See PCRE_README if you need to
build Postfix with a specific library.

Visible differences: some error messages may have a different text,
and the 'X' pattern flag is no longer supported with pcre2.

Major changes - security
------------------------

[Feature 20220102] Postfix programs now randomize the initial state
of in-memory hash tables, to defend against hash collision attacks
involving a large number of attacker-chosen lookup keys. Presently,
the only known opportunity for such attacks involves remote SMTP
client IPv6 addresses in the anvil(8) service. The attack would
require making hundreds of short-lived connections per second from
thousands of different IP addresses, because the anvil(8) service
drops inactive counters after 100s. Other in-memory hash tables
with attacker-chosen lookup keys are by design limited in size. The
fix is cheap, and therefore implemented for all Postfix in-memory
hash tables. Problem reported by Pascal Junod.

[Feature 20211030] The postqueue command now sanitizes non-printable
characters (such as newlines) in strings before they are formatted
as json or as legacy output. These outputs are piped into other
programs that are run by administrative users. This closes a
hypothetical opportunity for privilege escalation.

[Feature 20210815] Updated defense against remote clients or servers
that 'trickle' SMTP or LMTP traffic, based on per-request deadlines
and minimum data rates.

Per-request deadlines:

The new {smtpd,smtp,lmtp}_per_request_deadline parameters replace
{smtpd,smtp,lmtp}_per_record_deadline, with backwards compatible
default settings. This defense is enabled by default in the Postfix
SMTP server in case of overload.

The new smtpd_per_record_deadline parameter limits the combined
time for the Postfix SMTP server to receive a request and to send
a response, while the new {smtp,lmtp}_per_record_deadline parameters
limit the combined time for the Postfix SMTP or LMTP client to send
a request and to receive a response.

Minimum data rates:

The new smtpd_min_data_rate parameter enforces a minimum plaintext
data transfer rate for DATA and BDAT requests, but only when
smtpd_per_record_deadline is enabled. After a read operation transfers
N plaintext bytes (possibly after TLS decryption), and after the
DATA or BDAT request deadline is decreased by the elapsed time of
that read operation, the DATA or BDAT request deadline is increased
by N/smtpd_min_data_rate seconds. However, the deadline is never
increased beyond the smtpd_timeout value. The default minimum data
rate is 500 (bytes/second) but is still subject to change.

The new {smtp,lmtp}_min_data_rate parameters enforce the corresponding
minimum DATA transfer rates for the Postfix SMTP and LMTP client.

Major changes - tls support
---------------------------

[Cleanup 20220121] The new tlsproxy_client_security_level parameter
replaces tlsproxy_client_level, and the new tlsproxy_client_policy_maps
parameter replaces tlsproxy_client_policy. This is for consistent
parameter naming (tlsproxy_client_xxx corresponds to smtp_tls_xxx).
This change was made with backwards-compatible default settings.

[Feature 20210926] Postfix was updated to support OpenSSL 3.0.0 API
features, and to work around OpenSSL 3.0.0 bit-rot (avoid using
deprecated API features).

Other code health
-----------------

[typos] Typo fixes by raf.

[pre-release checks] Added pre-release checks to detect a) new typos
in documentation and source-code comments, b) missing entries in
the postfix-files file (some documentation would not be installed),
c) missing rules in the postlink script (some text would not have
a hyperlink in documentation), and d) missing map-based $parameter
names in the proxy_read_maps default value (the proxymap daemon
would not automatically authorize some proxied maps).

[memory stream] Improved support for memory-based streams made it
possible to inline small cidr:, pcre:, and regexp: maps in Postfix
parameter values, and to eliminate some ad-hoc code that converted
tlsproxy(8) protocol data to or from serialized form.

*************************************************************************

This is the Postfix 3.6 (stable) release.

The stable Postfix release is called postfix-3.6.x where 3=major
release number, 6=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-3.7-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 3.4 or earlier, read RELEASE_NOTES-3.5
before proceeding.

License change
---------------

This software is distributed with a dual license: in addition to the
historical IBM Public License 1.0, it is now also distributed with the
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.

Major changes - internal protocol identification
------------------------------------------------

[Incompat 20200920] Internal protocols have changed. You need to
"postfix stop" before updating, or before backing out to an earlier
release, otherwise long-running daemons (pickup, qmgr, verify, tlsproxy,
postscreen) may fail to communicate with the rest of Postfix, causing
mail delivery delays until Postfix is restarted.

This change does not affect message files in Postfix queue directories,
only the communication between running Postfix programs.

With this change, every Postfix internal service, including the postdrop
command, announces the name of its protocol before doing any other I/O.
Every Postfix client program, including the Postfix sendmail command,
will verify that the protocol name matches what it is supposed to be.

The purpose of this change is to produce better error messages, for
example, when someone configures the discard daemon as a bounce
service in master.cf, or vice versa.

This change may break third-party programs that implement a
Postfix-internal protocol such as qpsmtpd. Such programs have never
been supported. Fortunately, this will be an easy fix: look at the
first data from the cleanup daemon: if it is a protocol announcement,
you're talking to Postfix 3.6 or later. That's the only real change.

Major changes - tls
-------------------

[Incompat 20200705] The minimum supported OpenSSL version is 1.1.1,
which will reach the end of life by 2023-09-11. Postfix 3.6 is
expected to reach the end of support in 2025. Until then, Postfix
will be updated as needed for compatibility with OpenSSL.

The default fingerprint digest has changed from md5 to sha256 (Postfix
3.6 with compatibility_level >= 3.6). With a lower compatibility_level
setting, Postfix defaults to using md5, and logs a warning when a Postfix
configuration specifies no explicit digest type.

Export-grade Diffie-Hellman key exchange is no longer supported,
and the tlsproxy_tls_dh512_param_file parameter is ignored,

[Feature 20200906] The tlstype.pl helper script by Viktor Dukhovni
reports TLS information per message delivery. This processes output
from the collate.pl script. See auxiliary/collate/README.tlstype and
auxiliary/collate/tlstype.pl.

Major changes - compatibility level
-----------------------------------

[Feature 20210109] Starting with Postfix version 3.6, the compatibility
level is "3.6". In future Postfix releases, the compatibility level will
be the Postfix version that introduced the last incompatible change. The
level is formatted as 'major.minor.patch', where 'patch' is usually
omitted and defaults to zero. Earlier compatibility levels are 0, 1 and 2.

This also introduces main.cf and master.cf support for the <=level,
<level, and other operators to compare compatibility levels. With the
standard <=, <, etc. operators, compatibility level 3.10 would be less
than 3.9, which is undesirable.

Major changes - services(5) override
------------------------------------

[Feature 20210418] Postfix no longer uses the services(5) database
to look up the TCP ports for SMTP and LMTP services. Instead, this
information is configured with the new known_tcp_ports configuration
parameter (default: lmtp=24, smtp=25, smtps=submissions=465,
submission=587). When a service is not specified in known_tcp_ports,
Postfix will still query the services(5) database.

Major changes - local_login_sender_maps
---------------------------------------

[Feature 20201025] Fine-grained control over the envelope sender address
for submission with the Postfix sendmail (or postdrop) commands.

The local_login_sender_maps parameter (default: static:*) specifies
a list of lookup tables that are searched by the UNIX login name, and
that return a list of allowed envelope sender patterns separated by
space or comma. The default is backwards-compatible: every user may
specify any sender envelope address.

This feature is enforced by the postdrop command. When no UNIX login
name is available, the postdrop command will prepend "uid:" to the
numerical UID and use that instead.

This feature ignores address extensions in the user-specified
envelope sender address.

Besides the special pattern "*" which allows any sender address,
there are "<>" which matches an empty sender address, and the
"@domain" wildcard pattern. More information about those can be found
in the postconf(5) manpage.

Example:

/etc/postfix/main.cf:
# Allow root and postfix full control, anyone else can only
# send mail as themselves. Use "uid:" followed by the numerical
# UID when the UID has no entry in the UNIX password file.
local_login_sender_maps =
inline:{ { root = *}, { postfix = * } },
pcre:/etc/postfix/login_senders

/etc/postfix/login_senders:
# Allow both the bare username and the user@domain forms.
/(.+)/ $1 $1@example.com

Major changes - order of relay and recipient restrictions
---------------------------------------------------------

[Incompat 20210131] With smtpd_relay_before_recipient_restrictions=yes,
the Postfix SMTP server will evaluate smtpd_relay_restrictions before
smtpd_recipient_restrictions. This is the default behavior with
compatibility_level >= 3.6.

This change makes the implemented behavior consistent with existing
documentation. There is a backwards-compatibility warning that allows
users to freeze historical behavior. See COMPATIBILITY_README for
details.

Major changes - respectful logging
----------------------------------

[Feature 20210220] Postfix version 3.6 deprecates terminology
that implies white is better than black. Instead, Postfix prefers
'allowlist', 'denylist', and variations on those words. This change
affects Postfix documentation, and postscreen parameters and logging.

To keep the old postscreen logging set "respectful_logging = no"
in main.cf.

Noel Jones assisted with the initial transition.

Changes in documentation
------------------------

Postfix documentation was updated to use 'allowlist', 'denylist', etc.
These documentation changes do not affect Postfix behavior.

Changes in parameter names
--------------------------

The following postscreen parameters replace names that contain 'blacklist'
or 'whitelist':

postscreen_allowlist_interfaces
postscreen_denylist_action
postscreen_dnsbl_allowlist_threshold

These new parameters have backwards-compatible default settings
that support the old parameter names, so that the name change should
not affect Postfix behavior. This means that existing management tools
that use the old parameter names should keep working as before.

This compatibility safety net may break when some management tools
use the new parameter names, and some use the old names, such that
different tools will disagree on how Postfix works.

Changes in logging
------------------

The following logging replaces forms that contain 'blacklist' or
'whitelist':

postfix/postscreen[pid]: ALLOWLIST VETO [address]:port
postfix/postscreen[pid]: ALLOWLISTED [address]:port
postfix/postscreen[pid]: DENYLISTED [address]:port

To avoid breaking logfile analysis tools, Postfix keeps logging the old
forms by default, as long as the compatibility_level parameter setting
is less than 3.6, and the respectful_logging parameter is not explicitly
configured. As a reminder, Postfix will log the following:

postfix/postscreen[pid]: Using backwards-compatible default setting
respectful_logging=no for client [address]:port

To keep logging the old form, make the setting "respectful_logging =
no" permanent in main.cf, for example:

# postconf "respectful_logging = no"
# postfix reload

To stop the reminder, configure the respectful_logging parameter to
"yes" or "no", or configure "compatibility_level = 3.6".

Major changes - threaded bounces
--------------------------------

[Feature 20201205] Support for threaded bounces. This allows mail
readers to present a non-delivery, delayed delivery, or successful
delivery notification in the same email thread as the original
message.

Unfortunately, this also makes it easy for users to mistakenly delete
the whole email thread (all related messages), instead of deleting
only the delivery status notification.

To enable, specify "enable_threaded_bounces = yes".

Other changes - smtpd_sasl_mechanism_list
-----------------------------------------

[Feature 20200906] The smtpd_sasl_mechanism_list parameter (default:
!external, static:rest) prevents confusing errors when a SASL backend
announces EXTERNAL support which Postfix does not support.

Other changes - delivery logging
--------------------------------

[Incompat 20200531] Postfix delivery agents now log an explicit record
when delegating delivery to a different Postfix delivery agent.

For example, with "best_mx_transport = local", an SMTP delivery
agent will now log when a recipient will be delivered locally. This
makes the delegating delivery agent visible, where it would otherwise
have remained invisible, which would complicate troubleshooting.

postfix/smtp[pid]: queueid: passing <recipient> to transport=local

This will usually be followed by logging for an actual delivery:

postfix/local[pid]: queueid: to=<recipient>, relay=local, ...

Other examples: the local delivery agent will log a record that it
defers mailbox delivery through mailbox_transport or through
fallback_transport.

Other changes - error logging
-----------------------------

[Incompat 20200531] Postfix programs will now log "Application error"
instead of "Success" or "Unknown error: 0" when an operation fails with
errno == 0, i.e., the error originates from non-kernel code.

Other changes - dns lookups
---------------------------

[Feature 20200509] The threadsafe resolver API (res_nxxx() calls)
is now the default, not because the API is threadsafe, but because
this is the API where new features are being added.

To build old style, build with:

make makefiles CCARGS="-DNO_RES_NCALLS..."

This is the default for systems that are known not to support the
threadsafe resolver API.