This is the Postfix 3.7 (stable) release.

The stable Postfix release is called postfix-3.7.x where 3=major
release number, 7=minor release number, x=patchlevel.  The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-3.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 3.5 or earlier, read RELEASE_NOTES-3.6
before proceeding.

License change
---------------

This software is distributed with a dual license: in addition to the
historical IBM Public License 1.0, it is now also distributed with the
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.

Bugfix for messages not delivered after "warning: Unexpected record type 'X'"
=============================================================================

Due to a bug introduced in Postfix 3.7.0, a message could falsely
be flagged as corrupt with "warning: Unexpected record type 'X'".

Such messages were moved to the "corrupt" queue directory, where
they may still be found. See below for instructions to deal with
these falsely flagged messages.

This could happen for messages with 5000 or more recipients, or
with fewer recipients on a busy mail server. The problem was first
reported by Frank Brendel, reproduced by John Alex.

A file in the "corrupt" queue directory may be inspected with the
command "postcat /var/spool/postfix/corrupt/<filename>". If delivery
of the file is still desired, the file can be moved back to
/var/spool/postfix/incoming after updating Postfix and executing
"postfix reload".

Major changes - configuration
-----------------------------

[Feature 20210605] Support to inline the content of small cidr:,
pcre:, and regexp: tables in Postfix parameter values.

Example:

    smtpd_forbidden_commands =
        CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}}

This is the new smtpd_forbidden_commands default value. It will
immediately disconnect a remote SMTP client when a command does not
start with a letter (a-z or A-Z).

The basic syntax is:

/etc/postfix/main.cf:
    parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } ..

/etc/postfix/master.cf:
    .. -o { parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } .. } ..

where map-type is one of cidr, pcre, or regexp.

Postfix ignores whitespace after '{' and before '}', and writes each
rule as one text line to a nameless in-memory file:

in-memory file:
    rule-1
    rule-2
    ..

Postfix parses the result as if it is a file in /etc/postfix.

Note: if a rule contains $, specify $$ to keep Postfix from trying
to do $name expansion as it evaluates the parameter value.
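
The expansion described above, sketched in C as an added example (this
is not Postfix source code): it turns the text that follows "map-type:"
into the lines of the in-memory file. It assumes that braces inside a
rule are balanced; the function name is chosen for illustration, and the
rule in main() is the smtpd_forbidden_commands default shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not Postfix code. Writes one rule per line to out
 * and returns the number of rules, or -1 on malformed input or a full
 * buffer. Assumption: braces inside a rule are balanced.
 */
int expand_inline_table(const char *spec, char *out, size_t outlen)
{
    const char *p = spec, *start, *end;
    size_t used = 0, len;
    int depth, rules = 0;

    if (outlen == 0 || *p++ != '{')     /* outer opening brace */
        return -1;
    for (;;) {
        p += strspn(p, " \t\r\n,");     /* separators between rules */
        if (*p == '}')                  /* outer closing brace */
            break;
        if (*p++ != '{')
            return -1;
        for (start = p, depth = 1; depth > 0; p++) {
            if (*p == '\0')
                return -1;              /* unbalanced braces */
            depth += (*p == '{') - (*p == '}');
        }
        start += strspn(start, " \t\r\n");      /* whitespace after '{' */
        for (end = p - 1; end > start && isspace((unsigned char) end[-1]); )
            end--;                      /* whitespace before '}' */
        len = (size_t) (end - start);
        if (used + len + 2 > outlen)
            return -1;
        memcpy(out + used, start, len);
        used += len;
        out[used++] = '\n';
        rules++;
    }
    out[used] = '\0';
    return rules;
}

int main(void)
{
    char buf[256];
    if (expand_inline_table("{{/^[^A-Z]/ Thrash}}", buf, sizeof(buf)) > 0)
        fputs(buf, stdout);
    return 0;
}
```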

Major changes - lmdb support
----------------------------

[Feature 20210605] Overhauled the LMDB client's error handling, and
added integration tests for future-proofing. There are no visible
changes in documented behavior.

Major changes - logging
-----------------------

[Feature 20210815] To make the maillog_file feature more useful,
the postlog(1) command is now set-gid postdrop, so that unprivileged
programs can use it to write logging through the postlogd(8) daemon.
This required hardening the postlog(1) command against privilege
escalation attacks. DO NOT turn on the set-gid bit with older
postlog(1) implementations.

Major changes - pcre2 support
-----------------------------

[Feature 20211127] Support for the pcre2 library (the legacy pcre
library is no longer maintained). The Postfix build procedure
automatically detects if the pcre2 library is installed, and if it
is unavailable, the Postfix build procedure will detect if the
legacy pcre library is installed. See PCRE_README if you need to
build Postfix with a specific library.

Visible differences: some error messages may have a different text,
and the 'X' pattern flag is no longer supported with pcre2.

Major changes - security
------------------------

[Feature 20220102] Postfix programs now randomize the initial state
of in-memory hash tables, to defend against hash collision attacks
involving a large number of attacker-chosen lookup keys. Presently,
the only known opportunity for such attacks involves remote SMTP
client IPv6 addresses in the anvil(8) service. The attack would
require making hundreds of short-lived connections per second from
thousands of different IP addresses, because the anvil(8) service
drops inactive counters after 100s. Other in-memory hash tables
with attacker-chosen lookup keys are by design limited in size. The
fix is cheap, and therefore implemented for all Postfix in-memory
hash tables. Problem reported by Pascal Junod.
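
Why a randomized initial state helps, as an added C example (this is
not Postfix code; these notes do not name the hash function, so FNV-1a,
the bucket count, the key names and the second initial state are all
assumptions made for illustration). Keys that share one bucket under a
known initial state spread out once the table starts from another state.

```c
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 127u
#define NKEYS    64

/* FNV-1a with a caller-supplied initial state (illustrative hash). */
static uint32_t hash_seeded(const char *key, uint32_t basis)
{
    uint32_t h = basis;

    while (*key) {
        h ^= (unsigned char) *key++;
        h *= 16777619u;                 /* 32-bit FNV prime */
    }
    return h;
}

/*
 * Take NKEYS constructed keys that all fall into bucket 0 when the hash
 * starts from known_basis, store them in a table whose hash starts from
 * actual_basis, and return the length of the longest bucket chain.
 */
int longest_chain(uint32_t known_basis, uint32_t actual_basis)
{
    int load[NBUCKETS] = {0};
    int found = 0, longest = 0;
    unsigned long n;
    unsigned b;
    char key[32];

    for (n = 0; found < NKEYS; n++) {
        snprintf(key, sizeof(key), "key-%lu", n);
        if (hash_seeded(key, known_basis) % NBUCKETS != 0)
            continue;                   /* not a colliding key */
        found++;
        b = hash_seeded(key, actual_basis) % NBUCKETS;
        if (++load[b] > longest)
            longest = load[b];
    }
    return longest;
}

int main(void)
{
    /* A real program would draw the second value at process start. */
    printf("fixed state:   %d\n", longest_chain(0x811c9dc5u, 0x811c9dc5u));
    printf("changed state: %d\n", longest_chain(0x811c9dc5u, 0xdacd7450u));
    return 0;
}
```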

[Feature 20211030] The postqueue command now sanitizes non-printable
characters (such as newlines) in strings before they are formatted
as json or as legacy output. These outputs are piped into other
programs that are run by administrative users. This closes a
hypothetical opportunity for privilege escalation.

[Feature 20210815] Updated defense against remote clients or servers
that 'trickle' SMTP or LMTP traffic, based on per-request deadlines
and minimum data rates.

Per-request deadlines:

The new {smtpd,smtp,lmtp}_per_request_deadline parameters replace
{smtpd,smtp,lmtp}_per_record_deadline, with backwards compatible
default settings. This defense is enabled by default in the Postfix
SMTP server in case of overload.

The new smtpd_per_record_deadline parameter limits the combined
time for the Postfix SMTP server to receive a request and to send
a response, while the new {smtp,lmtp}_per_record_deadline parameters
limit the combined time for the Postfix SMTP or LMTP client to send
a request and to receive a response.

Minimum data rates:

The new smtpd_min_data_rate parameter enforces a minimum plaintext
data transfer rate for DATA and BDAT requests, but only when
smtpd_per_record_deadline is enabled. After a read operation transfers
N plaintext bytes (possibly after TLS decryption), and after the
DATA or BDAT request deadline is decreased by the elapsed time of
that read operation, the DATA or BDAT request deadline is increased
by N/smtpd_min_data_rate seconds. However, the deadline is never
increased beyond the smtpd_timeout value. The default minimum data
rate is 500 (bytes/second) but is still subject to change.

The new {smtp,lmtp}_min_data_rate parameters enforce the corresponding
minimum DATA transfer rates for the Postfix SMTP and LMTP client.
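
The deadline arithmetic above, as an added C example (this is not
Postfix code). It assumes that the deadline starts at the smtpd_timeout
value and that a read fails once its elapsed time uses up the remaining
budget; the 300-second timeout and the traffic patterns are constructed,
while 500 bytes/second is the default quoted above.

```c
#include <stddef.h>
#include <stdio.h>

/* One read operation on the DATA/BDAT stream (constructed sample input). */
struct read_op {
    double elapsed;             /* seconds the read took */
    long   nbytes;              /* plaintext bytes it transferred */
};

/*
 * Return the index of the read at which the request deadline runs out,
 * or -1 if every read completes in time. Assumptions: the deadline
 * starts at timeout, and a read fails once it uses up what is left.
 */
int first_expired_read(const struct read_op *ops, size_t count,
                       double timeout, double min_data_rate)
{
    double deadline = timeout;
    size_t i;

    for (i = 0; i < count; i++) {
        deadline -= ops[i].elapsed;     /* time spent in this read */
        if (deadline <= 0)
            return (int) i;
        deadline += ops[i].nbytes / min_data_rate;      /* N/rate credit */
        if (deadline > timeout)         /* never beyond the timeout */
            deadline = timeout;
    }
    return -1;
}

/* 400 identical reads: a client with a steady pace (constructed traffic). */
int uniform_client(double elapsed, long nbytes, double timeout, double rate)
{
    struct read_op ops[400];
    size_t i;

    for (i = 0; i < 400; i++) {
        ops[i].elapsed = elapsed;
        ops[i].nbytes = nbytes;
    }
    return first_expired_read(ops, 400, timeout, rate);
}

int main(void)
{
    printf("1 byte per 5s:       %d\n", uniform_client(5.0, 1, 300.0, 500.0));
    printf("2000 bytes per 5s:   %d\n", uniform_client(5.0, 2000, 300.0, 500.0));
    printf("4096 bytes per 0.1s: %d\n", uniform_client(0.1, 4096, 300.0, 500.0));
    return 0;
}
```

With these inputs the client that trickles 1 byte every 5 seconds is cut
off at read 60, the 400 bytes/second client at read 295, and the fast
client never runs out of time.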

Major changes - tls support
---------------------------

[Cleanup 20220121] The new tlsproxy_client_security_level parameter
replaces tlsproxy_client_level, and the new tlsproxy_client_policy_maps
parameter replaces tlsproxy_client_policy. This is for consistent
parameter naming (tlsproxy_client_xxx corresponds to smtp_tls_xxx).
This change was made with backwards-compatible default settings.

[Feature 20210926] Postfix was updated to support OpenSSL 3.0.0 API
features, and to work around OpenSSL 3.0.0 bit-rot (avoid using
deprecated API features).

Other code health
-----------------

[typos] Typo fixes by raf.

[pre-release checks] Added pre-release checks to detect a) new typos
in documentation and source-code comments, b) missing entries in
the postfix-files file (some documentation would not be installed),
c) missing rules in the postlink script (some text would not have
a hyperlink in documentation), and d) missing map-based $parameter
names in the proxy_read_maps default value (the proxymap daemon
would not automatically authorize some proxied maps).

[memory stream] Improved support for memory-based streams made it
possible to inline small cidr:, pcre:, and regexp: maps in Postfix
parameter values, and to eliminate some ad-hoc code that converted
tlsproxy(8) protocol data to or from serialized form.