The stable Postfix release is called postfix-2.10.x where 2=major
release number, 10=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-2.11-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
before proceeding.

Debian Exim before 4.80-3 interoperability workaround
-----------------------------------------------------

Debian Exim versions before 4.80-3 may fail to communicate with
Postfix and possibly other MTAs, with the following Exim SMTP client
error message:

    TLS error on connection to server-name [server-address]
    (gnutls_handshake): The Diffie-Hellman prime sent by the server
    is not acceptable (not long enough)

This problem may affect Debian Exim versions before 4.80-3 that use
TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details
see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563

To restore Postfix SMTP server interoperability with affected Exim
SMTP clients, configure the Postfix SMTP server to use a 2048-bit
prime number instead of 1024:

    # cd /etc/postfix
    # openssl dhparam -out dh2048.pem 2048
    # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'

This change increases the CPU cost of EDH key exchanges (rarely a
problem for SMTP servers) and is unlikely to cause problems with
other SMTP client implementations.

This problem should not affect EECDH (Ephemeral Elliptic Curve
Diffie-Hellman) key exchanges.

Major changes - laptop-friendliness
-----------------------------------

[Incompat 20120924] Postfix no longer uses FIFOs to emulate UNIX-domain
sockets on Solaris 9 (Vintage 2002!) and later. If you install
Postfix for the first time on an older Solaris system, edit the
master.cf file and replace "unix" with "fifo" for the pickup and
qmgr services.

[Feature 20120924] The default master.cf file now uses "unix" instead
of "fifo" for the pickup and qmgr services. This avoids periodic
disk drive spin-up.

Major changes - permit logging
------------------------------

[Feature 20120303] New control for "permit" logging in
smtpd_mumble_restrictions (by default, the SMTP server logs "reject"
actions but not "permit" actions). Specify
"smtpd_log_access_permit_actions = static:all" to log all "permit"-style
actions, or specify a list of explicit action names. More details
are in the postconf(5) manpage.

Major changes - postconf
------------------------

[Incompat 20121224] The postconf command produces more warnings:

- An attempt to modify a read-only parameter (process_name, process_id)
  in main.cf or master.cf.

- An undefined $name in a parameter value in main.cf or master.cf
  (except for backwards-compatibility parameters such as $virtual_maps).

[Feature 20121224] The postconf command has been updated to make
trouble-shooting (and support) easier. In summary, use "postconf
-Mxf" and "postconf -nxf" to review master.cf and main.cf parameter
settings with expanded parameter values.

- "postconf -x" now expands $name in main.cf and master.cf parameter
  values.

- postconf warns about attempts to modify a read-only parameter
  (process_name, process_id) in main.cf or master.cf.

- postconf warns about an undefined $name in a parameter value in
  main.cf or master.cf (except for backwards-compatibility parameters
  such as $virtual_maps).

[Feature 20121227]

- "postconf -o name=value" overrides main.cf parameter settings.
  This can be used, for example, to examine stress-dependent settings
  with "postconf -x -o stress=yes".

Major changes - postscreen
--------------------------

[Incompat 20121123] The postscreen deep protocol tests now log the
last command before a protocol error ("UNIMPLEMENTED" when the last
command is not implemented, "CONNECT" when there was no prior
command). The changed logfile messages are:

    NON-SMTP COMMAND from [address]:port after command: text
    BARE NEWLINE from [address]:port after command
    COMMAND TIME LIMIT from [address]:port after command
    COMMAND COUNT LIMIT from [address]:port after command
    COMMAND LENGTH LIMIT from [address]:port after command

Major changes - load-balancer support
-------------------------------------

[Incompat 20120625] The postscreen(8)-to-smtpd(8) protocol has
changed. To avoid "cannot receive connection attributes" warnings
and dropped connections, execute the command "postfix reload". No
mail will be lost as long as the remote SMTP client tries again
later.

[Feature 20120625] Support for upstream proxy agent in the postscreen(8)
and smtpd(8) daemons. To enable the haproxy protocol, specify one
of the following:

    postscreen_upstream_proxy_protocol = haproxy
    smtpd_upstream_proxy_protocol = haproxy

Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes
that are behind postscreen. Configure postscreen_upstream_proxy_protocol
instead.

Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT
protocol with smtpd_authorized_xclient_hosts. This supports SASL
authentication in the proxy agent (Postfix 2.9 and later).
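The changed postscreen(8) logfile messages listed above under "Major
changes - postscreen" are easy to miss in monitoring rules that were
written for the old format. The following is an added example, not
Postfix code, that parses the five messages in their 20121123 form and
counts them per client address; the syslog prefix, host name, process
id and all sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Matches the five postscreen(8) deep protocol test messages in the form
# logged since 20121123: the test name, client [address]:port, the last
# command seen ("CONNECT" or "UNIMPLEMENTED" are also possible), and, for
# NON-SMTP COMMAND only, the offending text after ": ".
POSTSCREEN_RE = re.compile(
    r"postfix/postscreen\[\d+\]: "
    r"(?P<test>NON-SMTP COMMAND|BARE NEWLINE|COMMAND TIME LIMIT|"
    r"COMMAND COUNT LIMIT|COMMAND LENGTH LIMIT) "
    r"from \[(?P<addr>[^\]]+)\]:(?P<port>\d+) "
    r"after (?P<cmd>\S+?)(?:: (?P<text>.*))?$"
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
Jan  5 10:00:01 mx1 postfix/postscreen[2101]: CONNECT from [203.0.113.5]:40112 to [192.0.2.25]:25
Jan  5 10:00:01 mx1 postfix/postscreen[2101]: NON-SMTP COMMAND from [203.0.113.5]:40112 after CONNECT: GET / HTTP/1.1
Jan  5 10:00:02 mx1 postfix/postscreen[2101]: BARE NEWLINE from [198.51.100.9]:51000 after EHLO
Jan  5 10:00:03 mx1 postfix/postscreen[2101]: COMMAND COUNT LIMIT from [198.51.100.9]:51002 after UNIMPLEMENTED
Jan  5 10:00:04 mx1 postfix/postscreen[2101]: COMMAND TIME LIMIT from [203.0.113.5]:40113 after CONNECT
Jan  5 10:00:05 mx1 postfix/postscreen[2101]: PASS NEW [192.0.2.77]:33000
"""


def parse_line(line):
    """Return a dict for one of the five deep-protocol-test messages, else None."""
    m = POSTSCREEN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()          # keys: test, addr, port, cmd, text
    rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    """Parse every line of a log excerpt, keeping only matching records."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def offenders(records):
    """Number of deep-protocol-test hits per client address, most frequent first."""
    return Counter(r["addr"] for r in records).most_common()


def by_test(records):
    """How often each (test, last command) pair occurred."""
    return Counter((r["test"], r["cmd"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for addr, hits in offenders(recs):
        print(f"{addr}: {hits} protocol-test hit(s)")
    for (test, cmd), n in by_test(recs).items():
        print(f"{n}x {test} after {cmd}")
```

The "after command" token is the last SMTP command verb postscreen saw;
grouping on it separates clients that never spoke SMTP at all
("CONNECT") from those that failed part-way through a session.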

Major changes - relay safety
----------------------------

[Incompat 20130613] New smtpd_relay_restrictions parameter built-in
default settings:

    smtpd_relay_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        defer_unauth_destination

This safety net prevents open relay problems due to mistakes
with spam filter rules in smtpd_recipient_restrictions.

If your site has a complex mail relay policy configured under
smtpd_recipient_restrictions, this safety net may defer mail that
Postfix should accept.

To fix this safety net, take one of the following actions:

- Set smtpd_relay_restrictions empty, and keep using the existing
  mail relay authorization policy in smtpd_recipient_restrictions.

- Copy the existing mail relay authorization policy from
  smtpd_recipient_restrictions to smtpd_relay_restrictions.

There is no need to change the value of smtpd_recipient_restrictions.

[Feature 20130613] This version introduces the smtpd_relay_restrictions
feature for mail relay control. The new built-in default settings
are:

    smtpd_relay_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        defer_unauth_destination

    smtpd_recipient_restrictions =
        ( optional spam blocking rules would go here )

For comparison, this is the Postfix before 2.10 default:

    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        ( optional spam blocking rules would go here )

With Postfix versions before 2.10, the mail relay policy and spam
blocking policy were combined under smtpd_recipient_restrictions,
resulting in error-prone configuration.

As of Postfix 2.10, the mail relay policy is preferably implemented
with smtpd_relay_restrictions, so that a permissive spam blocking
policy under smtpd_recipient_restrictions will not unexpectedly
result in a permissive mail relay policy.

As of Postfix 2.10.0 the smtpd_relay_restrictions parameter built-in
default settings are:

    smtpd_relay_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        defer_unauth_destination

If your site has a complex mail relay policy configured under
smtpd_recipient_restrictions, this safety net may defer mail that
Postfix should accept.

To migrate from an earlier Postfix release with the least amount
of pain:

- Set smtpd_relay_restrictions empty, and keep using the existing
  mail relay authorization policy in smtpd_recipient_restrictions.

- There is no need to change the value of smtpd_recipient_restrictions.

To take advantage of the new smtpd_relay_restrictions feature:

- Copy the existing mail relay authorization policy from
  smtpd_recipient_restrictions to smtpd_relay_restrictions.

- There is no need to change the value of smtpd_recipient_restrictions.

Major changes - start-up
------------------------

[Feature 20120306] New master "-w" option, to wait for master daemon
process initialization to complete. This feature returns an error
exit status if master daemon initialization fails, or if it does
not complete in a reasonable amount of time. The exit status is
used by "postfix start" to provide more accurate information to
system start-up scripts.

Major changes - tls
-------------------

[Incompat 20130203] Thanks to OpenSSL documentation, the Postfix
2.9.0..2.9.5 SMTP client and server used an incorrect procedure
to compute TLS certificate PUBLIC-KEY fingerprints (these may be
used in the check_ccert_access and in smtp_tls_policy_maps features).
Support for certificate PUBLIC-KEY fingerprints was introduced
with Postfix 2.9; there is no known problem with the certificate
fingerprint algorithms available since Postfix 2.2.

Certificate PUBLIC-KEY fingerprints may be used in the Postfix
SMTP server (with "check_ccert_access") and in the Postfix SMTP
client (with the "fingerprint" security level).

Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
pending a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate PUBLIC-KEY fingerprints, to the correct
fingerprints used by Postfix 2.9.6 and later.

To compute the correct PUBLIC-KEY fingerprints:

    # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
    $ openssl x509 -in cert.pem -noout -pubkey | \
        openssl pkey -pubin -outform DER | \
        openssl dgst -sha1 -c

    # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
    $ openssl x509 -in cert.pem -noout -pubkey | \
        openssl rsa -pubin -outform DER | \
        openssl dgst -md5 -c

[Feature 20120422] This release adds support to turn off the TLSv1.1
and TLSv1.2 protocols. Introduced with OpenSSL version 1.0.1, these
are known to cause inter-operability problems with for example
hotmail.

The radical workaround is to temporarily turn off problematic
protocols globally:

/etc/postfix/main.cf:
    smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
    smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

    smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
    smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

However, it may be better to temporarily turn off problematic
protocols for broken sites only:

/etc/postfix/main.cf:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/tls_policy:
    example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

Important:

- Note the use of ":" instead of comma or space. Also, note that
  there is NO space around the "=" in "protocols=".

- The smtp_tls_policy_maps lookup key must match the "next-hop"
  destination that is given to the Postfix SMTP client. If you
  override the next-hop destination with transport_maps, relayhost,
  sender_dependent_relayhost_maps, or otherwise, you need to specify
  the same destination for the smtp_tls_policy_maps lookup key.