postfix/dist/RELEASE_NOTES-1.1

In the text below, incompatible changes are labeled with the Postfix
snapshot that introduced the change. If you upgrade from a later
Postfix version, then you do not have to worry about that particular
incompatibility.

Official Postfix releases are called a.b.c where a=major release
number, b=minor release number, c=patchlevel.  Snapshot releases
are now called a.b.c-yyyymmdd where yyyymmdd is the release date
(yyyy=year, mm=month, dd=day).  The mail_release_date configuration
parameter contains the release date (both for official release and
snapshot release).  Patches change the patchlevel and the release
date. Snapshots change only the release date, unless they include
the same bugfixes as a patch release.

Incompatible changes with Postfix version 1.1.0 (released 20020117)
===================================================================

Changes are listed in order of decreasing importance, not release
date.

[snapshot-20010709] This release introduces a new queue file record
type that is used only for messages that actually use VERP (variable
envelope return path) support.  With this sole exception, the queue
file format is entirely backwards compatible with the previous
official Postfix release (20010228, a.k.a. Postfix 1.0.0).

[snapshot-20020106] This release modifies the existing master.cf
file. The local pickup service is now unprivileged, and the cleanup
and flush service are now "public". Should you have to back out to
a previous release, then you must 1) edit the master.cf file, make
the pickup service "privileged", and make the cleanup and flush
services "private"; 2) "chmod 755 /var/spool/postfix/public".  To
revert to a world-writable mail submission directory, "chmod 1733
/var/spool/postfix/maildrop".

[snapshot-20020106, snapshot-20010808, snapshot-20011103,
snapshot-20011121] You must stop and restart Postfix because of
incompatible changes in the local Postfix security model and in
the Postfix internal protocols. Old and new components will not
work together.

[snapshot-20020106] Simpler local Postfix security model.

- No world-writable maildrop directory. Postfix now always uses
  the set-gid postdrop command for local mail submissions.  The
  local mail pickup daemon is now an unprivileged process.

- No world-accessible pickup and queue manager server FIFOs.

- New set-gid postqueue command for the queue list/flush operations
  that used to implemented by the Postfix sendmail command.

[snapshot-20020106..15] Simpler Postfix installation and upgrading.

- All installation settings are now kept in the main.cf file, and
  better default settings are now generated for system dependent
  pathnames such as sendmail_path etc. The install.cf file is no
  longer used, except when upgrading from an older Postfix version.

- Non-default installation parameter settings can (but do not have
  to) be specified on the "make install" or "make upgrade" command
  line as name=value arguments.

- New postfix-files database (in /etc/postfix) with (pathname,
  owner, permission) information about all Postfix-related files.

- New postfix-install script replaces the awkward INSTALL.sh script.
  This is driven by the postfix-files database. It has better
  support for building packages for distribution to other systems.
  See PACKAGE_README for details.

- New post-install script (in /etc/postfix) for post-installation
  maintenance of directory/file permissions and ownership (this is
  used by "postfix check"). Example:

    # postfix stop
    # post-install set-permissions mail_owner=username setgid_group=groupname
    # postfix start

[snapshot-20020106] Postfix will not run if it detects that the
postfix user or group ID are shared with other accounts on the
system. The checks aren't exhaustive (that would be too resource
consuming) but should be sufficient to encourage packagers and
developers to do the right thing. To fix the problem, use the above
post-install command, after you have created the appropriate new
mail_owner or setgid_group user or group IDs.

[snapshot-20020106] If you run multiple Postfix instances on the
same machine you now have to specify their configuration directories
in the default main.cf file as "alternate_config_directories =
/dir1 /dir2 ...".  Otherwise, some Postfix commands will no longer
work: the set-group ID postdrop command for mail submission and
the set-group ID postqueue command for queue listing/flushing.

[snapshot-20010808] The default setting for the maps_rbl_domains
parameter is now "empty", because mail-abuse.org has become a
subscription-based service. The names of the RBL parameters haven't
changed.

[snapshot-20020106] Postfix SMTP access maps will no longer return
OK for non-local multi-domain recipient mail addresses (user@dom1@dom2,
user%dom1@dom2, etcetera); the lookup now returns DUNNO (undetermined).
Non-local multi-domain recipient addresses were already prohibited
from matching the permit_mx_backup and the relay_domains-based
restrictions.

[snapshot-20011210] Stricter checking of Postfix chroot configurations.
The Postfix startup procedure now warns if "system" directories
(etc, bin, lib, usr) under the Postfix top-level queue directory
are not owned by the super-user (usually the result of well-intended,
but misguided, applications of "chown -R postfix /var/spool/postfix).

[snapshot-20011008] The Postfix SMTP server now rejects requests
with a generic "try again later" status (451 Server configuration
error) when it detects an error in smtp_{client, helo, sender,
recipient, etrn}_restrictions settings.  More details about the
problem are logged to the syslogd; sending such information to
random clients would be inappropriate.

[snapshot-20011008] Postfix no longer flushes the entire mail queue
after receiving an ETRN request for a random domain name. Requests
for domains that do not match $fast_flush_domains are now rejected
instead.

[snapshot-20011226] Postfix configuration file comments no longer
continue on the next line when that next line starts with whitespace.
This change avoids surprises, but it may cause unexpected behavior
with existing, improperly formatted, configuration files. Caveat
user. Comment lines are allowed to begin with whitespace. Multi-line
input is no longer terminated by a comment line, by an all whitespace
line, or by an empty line.

[snapshot-20010714] Postfix delivery agents now refuse to create
a missing maildir or mail spool subdirectory when its parent
directory is world writable.  This is necessary to prevent security
problems with maildirs or with hashed mailboxes under a world
writable mail spool directory.

[snapshot-20010525] As per RFC 2821, the Postfix SMTP client now
always sends EHLO at the beginning of an SMTP session. Specify
"smtp_always_send_ehlo = no" for the old behavior, which is to send
EHLO only when the server greeting banner contains the word ESMTP.

[snapshot-20010525] As per RFC 2821, an EHLO command in the middle
of an SMTP session resets the Postfix SMTP server state just like
RSET. This behavior cannot be disabled.

[snapshot-20010709] The SMTP client now by default breaks lines >
2048 characters, to avoid mail delivery problems with fragile SMTP
server software.  To get the old behavior back, specify "smtp_break_lines
= no" in the Postfix main.cf file.

[snapshot-20010709] With recipient_delimiter=+ (or any character
other than -) Postfix will now recognize address extensions even
with owner-foo+extension addresses. This change was necessary to
make VERP useful for mailing list bounce processing.

[snapshot-20010610] The Postfix pipe delivery agent no longer
automatically case-folds the expansion of $user, $extension or
$mailbox command-line macros.  Specify the 'u' flag to get the old
behavior.

[snapshot-20011210] The Postfix sendmail command no longer exits
with status 1 when mail submission fails, but instead returns a
sendmail-compatible status code as defined in /usr/include/sysexits.h.

Major changes with Postfix version 1.1.0 (Released 20020117)
============================================================

Changes are listed in order of decreasing importance, not release
date.

The nqmgr queue manager is now bundled with Postfix. It implements
a smarter scheduling strategy that allows ordinary mail to slip
past mailing list mail, resulting in better response. This queue
manager is expected to become the default queue manager shortly.

[snapshot-20010709, snapshot-20010808] VERP (variable envelope
return path) support.  This is enabled by default, including in
the SMTP server. See the VERP_README file for instructions.  Specify
"disable_verp_bounces = yes" to have Postfix send one RFC-standard,
non-VERP, bounce report for multi-recipient mail, even when VERP
style delivery was requested.  This reduces the explosive behavior
of bounces when sending mail to a list.

[snapshot-20010709] QMQP server support, so that Postfix can be
used as a backend mailer for the ezmlm-idx mailing list manager.
You still need qmail to drive ezmlm and to process mailing list
bounces. The QMQP service is disabled by default. To enable, follow
the instructions in the QMQP_README file.

[snapshot-20010709] You can now reject unknown virtual(8) recipients
at the SMTP port by specifying a "domain.name whatever" entry in
the tables specified with virtual_mailbox_maps, similar to Postfix
virtual(5) domains.  [virtual(8) is the Postfix virtual delivery
agent, virtual(5) is the Postfix virtual map. The two implement
virtual domains in a very different manner.]

[snapshot-20011121] Configurable host/domain name wildcard matching
behavior: choice between "pattern `domain.name' matches string
`host.domain.name'" (this is to be deprecated in the future) and
"pattern `.domain.name' matches string `host.domain.name'" (this
is to be preferred in the future).  The configuration parameter
"parent_domain_matches_subdomains" specifies which Postfix features
use the behavior that will become deprecated.

[snapshot-20010808] Variable coupling between message receiving
rates and message delivery rates. When the message receiving rate
exceeds the message delivery rate, an SMTP server will pause for
$in_flow_delay seconds before accepting a message.  This delay
gives Postfix a chance catch up and access the disk, while still
allowing new mail to arrive.  This feature currently has effect
only when mail arrives via a small number of SMTP clients.

[snapshot-20010610, snapshot-20011121, snapshot-20011210] Workarounds
for a bug in old versions of the CISCO PIX firewall software that
caused mail to be resent repeatedly.  The workaround has no effect
for other mail deliveries. The workaround is turned off when mail
is queued for less than $smtp_pix_workaround_threshold_time seconds
(default:  500 seconds) so that the workaround is normally enabled
only for deferred mail.  The delay before sending .<CR><LF> is now
controlled by the $smtp_pix_workaround_delay_time setting (default:
10 seconds).

[snapshot-20011226] Postfix will now do null address lookups in
SMTPD access maps.  If your access maps cannot store or look up
null string key values, specify "smtpd_null_access_lookup_key =
<>" and the null sender address will be looked up as <> instead.

[snapshot-20011210] More usable virtual delivery agent, thanks to
a new "static" map type by Jeff Miller that always returns its map
name as the lookup result. This eliminates the need for per-recipient
user ID and group ID tables.  See the VIRTUAL_README file for more
details.

[snapshot-20011125] Anti-sender spoofing. New main.cf parameter
smtpd_sender_login_maps that specifies the (SASL) login name that
owns a MAIL FROM sender address.  Specify a regexp table in order
to require a simple one-to-one mapping.  New SMTPD restriction
reject_sender_login_mismatch that refuses a MAIL FROM address when
$smtpd_sender_login_maps specifies an owner but the client is not
(SASL) logged in as the MAIL FROM address owner, or when a client
is (SASL) logged in but does not own the address according to
$smtpd_sender_login_maps.

[snapshot-20011121] The mailbox_command_maps parameter allows you
to configure the external delivery command per user (local delivery
agent only).  This feature has precedence over the mailbox_command
and home_mailbox settings.

[snapshot-20011121] New "warn_if_reject" smtpd UCE restriction that
only warns if the restriction that follows would reject mail.  Look
for file records that contain the string "reject_warning".

[snapshot-20011127] New header/body_check result "WARN" to make
Postfix log a warning about a header/body line without rejecting
the content.

[snapshot-20011103] In header/body_check files, REJECT can now be
followed by text that is sent to the originator. That feature was
stuck waiting for years, pending the internal protocol revision.

[snapshot-20011008] The permit_mx_backup feature allows you to
specify network address blocks via the permit_mx_backup_networks
parameter.  This requires that the primary MX hosts for the given
destination match the specified network blocks. When no value is
given for permit_mx_backup_networks, Postfix will accept mail
whenever the local MTA is listed in the DNS as an MX relay host
for a destination, even when you never gave permission to do so.

[snapshot-20010709] Specify "mail_spool_directory = /var/mail/"
(note the trailing "/" character) to enable maildir format for
/var/mail/username.

[snapshot-20010808] Finer control over address masquerading. The
masquerade_classes parameter now controls header and envelope sender
and recipient addresses.  With earlier Postfix versions, address
masquerading rewrote all addresses except for the envelope recipient.

[snapshot-20010610] The pipe mail delivery agent now supports proper
quoting of white space and other special characters in the expansions
of the $sender and $recipient command-line macros. This was necessary
for correct operation of the "simple" content filter, and is also
recommended for delivery via UUCP or BSMTP.

[snapshot-20010610] The pipe mail delivery agent now supports case
folding the localpart and/or domain part of expansions of the
$nexthop, $recipient, $user, $extension or $mailbox command-line
macros. This is recommended for mail delivery via UUCP. Bug: $nexthop
is always case folded because of problems in the queue manager
code.

[snapshot-20010525] This release contains many little revisions of
little details in the light of the new RFC 2821 and RFC 2822
standards. Changes that may affect interoperability are listed
above under "incompatible changes".  Other little details are
discussed in comments in the source code.

[snapshot-20010502] The Postfix SMTP client now by default randomly
shuffles destination IP addresses of equal preference (whether
obtained via MX lookup or otherwise). Reportedly, this is needed
for sites that use Bernstein's dnscache program. Specify
"smtp_randomize_addresses = no" to disable this behavior. Based on
shuffling code by Aleph1.

[snapshot-20011127] New parameter smtpd_noop_commands to specify
a list of commands that the Postfix SMTP server treats as NOOP
commands (no syntax check, no state change). This is a workaround
for misbehaving clients that send unsupported commands such as
ONEX.

[snapshot-20010502] "postmap -q -" and "postmap -d -" read key
values from standard input, which makes it easier to drive them
from another program.  The same feature was added to the postalias
command.

[snapshot-20010502] The postsuper command now has a command-line
option to delete queue files.  In principle this command can be
used while Postfix is running, but there is a possibility of deleting
the wrong queue file when Postfix deletes a queue file and reuses
the queue ID for a new message.  In that case, postsuper will delete
the new message.

[snapshot-20010525] The postsuper queue maintenance tool now renames
files whose name (queue ID) does not match the message file inode
number. This is necessary after a Postfix mail queue is restored
from another machine or from backups.  The feature is selected with
the -s option, which is the default, and runs whenever Postfix is
started.

[snapshot-20010525] The postsuper queue maintenance tool has a new
-r (requeue) option for subjecting some or all queue files to
another iteration of address rewriting. This is useful after the
virtual or canonical maps have changed.

[snapshot-20010525] The postsuper queue maintenance tool was extended
with options to read queue IDs from standard input. This makes the
tool easier to drive from scripts.

[snapshot-20010329] Better support for running multiple Postfix
instances on one machine. Each instance can be recognized by its
logging (defaults:  "syslog_name = postfix", "syslog_facility =
mail").

Major incompatible changes with release-20010228 Patch 01 (a.k.a. Postfix 1.0.1)
================================================================================

This release changes the names of the "fast ETRN" logfiles with
delayed mail per destination. These files are maintained by the
Postfix "fast flush" daemon. The old scheme failed with addresses
of the form user@[ip.address] and user@a.domain.name.  In order to
populate the new "fast ETRN" logfiles, execute the command "sendmail
-q".  The old "fast ETRN" logfiles go away by themselves (default:
after 7 days).

Major incompatible changes with release-20010228 (a.k.a. Postfix 1.0.0)
=======================================================================

[snapshot-20010225] POSTFIX NO LONGER RELAYS MAIL FOR CLIENTS IN
THE ENTIRE CLASS A/B/C NETWORK. To get the old behavior, specify
"mynetworks_style = class" in the main.cf file. The default
(mynetworks_style = subnet) is to relay for clients in the local
IP subnet. See conf/main.cf.

[snapshot-20001005, snapshot-20010225] You must execute "postfix
stop" before installing this release.  Some recommended parameter
settings have changed, and a new entry must be added to the master.cf
file before you can start Postfix again.

1 - The recommended Postfix configuration no longer uses flat
    directories for the "incoming" "active", "bounce", and "defer"
    queue directories.  The "flush" directory for the new "flush"
    service directory should not be flat either.

    Upon start-up, Postfix checks if the hash_queue_names configuration
    parameter is properly set up, and will add any queue directory
    names that are missing.

2 - In order to improve performance of one-to-one mail deliveries
    the queue manager will now look at up to 10000 queue files
    (was: 1000).  The default qmgr_message_active_limit setting
    was changed accordingly.

    If you have a non-default qmgr_message_active_limit in main.cf,
    you may want adjust it.

3 - The new "flush" service needs to be configured in master.cf.

    Upon start-up, Postfix checks if the new "flush" service is
    configured in the master.cf file, and will add an entry if it
    is missing.

Should you wish to back out to a previous Postfix release there is
no need to undo the above queue configuration changes.

[snapshot-20000921] The protocol between queue manager and delivery
agents has changed.  This means that you cannot mix the Postfix
queue manager or delivery agents with those of Postfix versions
prior to 20000921. This change does not affect Postfix queue file
formats.

[snapshot-20000529] This release introduces an incompatible queue
file format change ONLY when content filtering is enabled (see text
in FILTER_README). Old Postfix queue files will work fine, but
queue files with the new content filtering info will not work with
Postfix versions before 20000529.  Postfix logs a warning and moves
incompatible queue files to the "corrupt" mail queue subdirectory.

Minor incompatible changes with release-20010228
================================================

[snapshot-20010225] The incoming and deferred queue directories
are now hashed by default.  This improves the performance considerably
under heavy load, at the cost of a small but noticeable slowdown
when one runs "mailq" on an unloaded system.

[snapshot-20010222] Postfix no longer automatically delivers
recipients one at a time when their domain is listed in $mydestination.
This change solves delivery performance problems with delivery via
LMTP, with virus scanning, and with firewall relays that forward
all mail for $mydestination to an inside host.

The "one recipient at a time" delivery behavior is now controlled
by the per-transport recipient limit (xxx_destination_recipient_limit,
where xxx is the name of the delivery mechanism).  This parameter
controls the number of recipients that can be sent in one delivery
(surprise).

The setting of the per-transport recipient limit also controls the
meaning of the per-transport destination concurrency limit (named
xxx_destination_concurrency_limit, where xxx is again the name of
the delivery mechanism):

 1) When the per-transport recipient limit is 1 (i.e., send one
    recipient per delivery), the per-transport destination concurrency
    limit controls the number of simultaneous deliveries to the
    same recipient.  This is the default behavior for delivery via
    the Postfix local delivery agent.

 2) When the per-transport recipient limit is > 1 (i.e., send
    multiple recipients per delivery), the per-transport destination
    concurrency limit controls the number of simultaneous deliveries
    to the same domain.  This is the default behavior for all other
    Postfix delivery agents.

[snapshot-20010128] The Postfix local delivery agent now enforces
mailbox file size limits (default: mailbox_size_limit = 51200000).
This limit affects all file write access by the local delivery
agent or by a process run by the local delivery agent. The purpose
of this parameter is to act as a safety for run-away software. It
cannot be a substitute for a file quota management system. Specify
a limit of 0 to disable.

[snapshot-20010128] REJECT in header/body_checks is now flagged as
policy violation rather than bounce, for consistency in postmaster
notifications.

[snapshot-20010128] The default RBL (real-time blackhole lists)
domain examples have been changed from *.vix.com to *.mail-abuse.org.

[snapshot-20001210] Several interfaces of libutil and libglobal
routines have changed.  This may break third-party code written
for Postfix. In particular, the safe_open() routine has changed,
the way the preferred locking method is specified in the sys_defs.h
file, as well as all routines that perform file locking. When
compiling third-party code written for Postfix, the incompatibilities
will be detected by the compiler provided that #include file
dependencies are properly maintained.

[snapshot-20001210] When delivering to /file/name (as directed in
an alias or .forward file), the local delivery agent now logs a
warning when it is unable to create a /file/name.lock file. Mail
is still delivered as before.

[snapshot-20001210] The "sun_mailtool_compatibility" feature is
going away (a compatibility mode that turns off kernel locks on
mailbox files). It still works, but a warning is logged. Instead
of using "sun_mailtool_compatibility", specify the mailbox locking
strategy as "mailbox_delivery_lock = dotlock".

[snapshot-20001210] The Postfix SMTP client now skips SMTP server
replies that do not start with "CODE SPACE" or with "CODE HYPHEN"
and flags them as protocol errors. Older Postfix SMTP clients
silently treated "CODE TEXT" as "CODE SPACE TEXT", i.e. as a valid
SMTP reply.

[snapshot-20001121] On RedHat Linux 7.0, you must install the
db3-devel RPM before you can compile the Postfix source code.

[snapshot-20000924] The postmaster address in the "sorry" text at
the top of bounced mail is now just postmaster, not postmaster@machine.
The idea is to refer users to their own postmaster.

[snapshot-20000921] The notation of [host:port] in transport tables
etc. is going away but it is still supported. The preferred form
is now [host]:port.  This change is necessary to support IPV6
address forms which use ":" as part of a numeric IP address. In a
future release, Postfix will log a warning when it encounters the
[host:port] form.

[snapshot-20000921] In mail headers, Errors-To:, Reply-To: and
Return-Receipt:  addresses are now rewritten as a sender address
(was: recipient).

[snapshot-20000921] Postfix no longer inserts Sender: message
headers.

[snapshot-20000921] The queue manager now logs the original number
of recipients when opening a queue file (example: from=<>, size=3502,
nrcpt=1).

[snapshot-20000921] The local delivery agent no longer appends a
blank line to mail that is delivered to external command.

[snapshot-20000921] The pipe delivery agent no longer appends a
blank line when the F flag is specified (in the master.cf file).
Specify the B flag if you need that blank line.

[snapshot-20000507] As required by RFC 822, Postfix now inserts a
generic destination message header when no destination header is
present.  The text is specified via the undisclosed_recipients_header
configuration parameter (default:  "To: undisclosed-recipients:;").

[snapshot-20000507] The Postfix sendmail command treats a line with
only `.' as the end of input, for the sake of sendmail compatibility.
To disable this feature, specify the sendmail-compatible `-i' or
`-oi' flags on the sendmail command line.

[snapshot-20000507] For the sake of Sendmail compatibility, the
Postfix SMTP client skips over SMTP servers that greet with a 4XX
or 5XX reply code, treating them as unreachable servers.  To obtain
prior behavior (4XX=retry, 5XX=bounce), specify "smtp_skip_4xx_greeting
= no" and "smtp_skip_5xx_greeting = no".

Major changes with release-20010228
===================================

Postfix produces DSN formatted bounced/delayed mail notifications.
The human-readable text still exists, so that users will not have
to be unnecessarily confused by all the ugliness of RFC 1894.  Full
DSN support will be later.

This release introduces full content filtering through an external
process. This involves an incompatible change in queue file format.
Mail is delivered to content filtering software via an existing
mail delivery agent, and is re-injected into Postfix via an existing
mail submission agent.  See examples in the FILTER_README file.
Depending on how the filter is implemented, you can expect to lose
a factor of 2 to 4 in delivery performance of SMTP transit mail,
more if the content filtering software needs lots of CPU or memory.

Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick
and dirty emergency content filter that looks at non-header lines
one line at a time (including MIME headers inside the message body).
Details in conf/sample-filter.cf.

The header_checks and body_checks features can be used to strip
out unwanted data. Specify IGNORE on the right-hand side and the
data will disappear from the mail.

Support for SASL (RFC 2554) authentication in the SMTP server and
in the SMTP and LMTP clients. See the SASL_README file for more
details. This file still needs better examples.

Postfix now ships with an LMTP delivery agent that can deliver over
local/remote TCP sockets and over local UNIX-domain sockets.  The
LMTP_README file gives example, but still needs to be revised.

Fast "ETRN" and "sendmail -qR".  Postfix maintains per-destination
logfiles with information about what mail is queued for selected
destinations.  See the file ETRN_README for details.

The mailbox locking style is now fully configurable at runtime.
The new configuration parameter is called "mailbox_delivery_lock".
Depending on the operating system type, mailboxes can be locked
with one or more of "flock", "fcntl" or "dotlock".  The command
"postconf -l" shows the available locking styles.  The default
mailbox locking style is system dependent.  This change affects
all mailbox and all "/file/name" deliveries by the Postfix local
delivery agent.

Minor changes with release-20010228
===================================

You can now specify multiple SMTP destinations in the relayhost
and fallback_relay configuration parameters. The destinations are
tried in the specified order. Specify host or host:port (perform
MX record lookups), [host] or [host]:port (no MX record lookups),
[address] or [address]:port (numerical IP address).

The "mailbox_transport" and "fallback_transport" parameters now
understand the form "transport:nexthop", with suitable defaults
when either transport or nexthop are omitted, just like in the
Postfix transport map. This allows you to specify for example,
"mailbox_transport = lmtp:unix:/file/name".

The local_transport and default_transport configuration parameters
can now be specified in transport:destination notation, just like
the mailbox_transport and fallback_transport parameters.  The
:destination part is optional.  However, these parameters take only
one destination, unlike relayhost and fallback-relay which take
any number of destinations.

More general virtual domain support.  Postfix now supports both
Sendmail-style virtual domains and Postfix-style virtual domains.
Details and examples are given in the revised virtual manual page.

- With Sendmail-style virtual domains, local users/aliases/mailing
  lists are visible as localname@virtual.domain. This is convenient
  if you want to host mailing lists under virtual domains.

- With Postfix-style virtual domains, local users/aliases/mailing
  lists are not visible as localname@virtual.domain. Each virtual
  domain has its own separate name space.

More general "soft bounce" feature.  Specify "soft_bounce = yes"
in main.cf to prevent the SMTP server from bouncing mail while you
are testing configurations. Until this release the SMTP server was
not aware of soft bounces.

Workarounds for non-standard RFC 2554 (AUTH command) implementations.
Specify "broken_sasl_auth_clients = yes" to enable SMTP server
support for old Microsoft client applications. The Postfix SMTP
client supports non-standard RFC 2554 servers by default.

All time-related configuration parameters now accept a one-letter
suffix to indicate the time unit (s: second, m: minute, h: hour,
d: day, w: week). The exceptions are the LDAP and MYSQL modules
which are maintained separately.

New "import_environment" and "export_environment" configuration
parameters provide explicit control over what environment variables
Postfix will import, and what environment variables Postfix will
pass on to a non-Postfix process.

In order to improve performance of one-to-one deliveries, Postfix
by default now looks at up to 10000 messages at a time (was: 1000).

Specify "syslog_facility = log_local1" etc. to separate the logging
from multiple Postfix instances. However, a non-default logging
facility takes effect only after process initialization. Errors
during command-line parsing are still logged with the default syslog
facility, as are errors while processing the main.cf file.

Postfix now strips out Content-Length: headers in incoming mail to
avoid confusion in mail user agents.

Specify "require_home_directory = yes" to prevent mail from being
delivered to a user whose home directory is not mounted. This
feature is implemented by the Postfix local delivery agent.

The pipe mailer has a size limit (size=nnn) command-line argument.

The pipe delivery agent has a configurable end-of-line attribute.
Specify "pipe ... eol=\r\n" for delivery mechanisms that require
CRLF record delimiters. The eol attribute understands the following
C-style escape sequences:  \a \b \f \n \r \t \v \nnn \\.

In master.cf you can selectively override main.cf configuration
parameters, for example: "smtpd -o myhostname=foo.com".

In main.cf, specify "smtp_bind_address=x.x.x.x" to bind SMTP
connections to a specific local interface. Or override the default
setting in master.cf with "smtp -o smtp_bind_address=x.x.x.x".
For now, you must specify a numeric IP address.

Questionable feature: with "smtp_always_send_ehlo = yes", the SMTP
client sends EHLO regardless of the content of the SMTP server's
greeting.

Specify "-d key" to postalias or postmap in order to remove one
key. This still needs to be generalized to multi-key removal (e.g.,
read keys from stdin).

Comments in Postfix configuration files no longer contain troff
formatting codes.  The text is now generated from prototype files
in a new "proto" subdirectory.

Major changes with postfix-19991231:
====================================

- It is now much more difficult to configure Postfix as an open
relay. The SMTP server requires that "smtpd_recipient_restrictions"
contains at least one restriction that by default refuses mail (as
is the default).  There were too many accidents with changes to
the UCE restrictions.

- The relay_domains parameter no longer needs to contain $virtual_maps.

- Overhauled FAQ (html/faq.html) with many more examples.

- Updated UCE documentation (html/uce.html) with more examples.
More UCE configuration examples in sample configuration files.

- Several little improvements to the installation procedure:
relative symlinks, configurable directory for scratch files so the
installation can be done without write access to the build tree.

- Updated LDAP client code (John Hensley).

- Updated mysql client code (Scott Cotton).

- The SMTP server now rejects mail for unknown users in virtual
domains that are defined by Postfix virtual maps.

- The SMTP server can reject mail for unknown local users.  Specify
"local_recipient_maps = $alias_maps, unix:passwd.byname" if your
local mail is delivered by a UNIX-style local delivery agent.  See
example in conf/main.cf.

- Use "disable_vrfy_command = yes" to disable the SMTP VRFY command.
This prevents some forms of address harvesting.

- The sendmail "-f" option now understands <user> and even understands
forms with RFC 822-style comments.

- New "qmgr_fudge_factor" parameter allows you to balance mailing
list performance against response time for one-to-one mail.  The
fudge factor controls what percentage of delivery resources Postfix
will devote to one message.  With 100%, delivery of one message
does not begin before delivery of the previous message is completed.
This is good for list performance, bad for one-to-one mail. With
10%, response time for one-to-one mail improves much, but list
performance suffers: in the worst case, people near the start of a
mailing list get a burst of postings today, while people near the
end of the list get that same burst of postings a whole day later.

- It is now relatively safe to configure 550 status codes for the
main.cf unknown_address_reject_code or unknown_client_reject_code
parameters.  The SMTP server now always sends a 450 (try again)
reply code when an UCE restriction fails due to a soft DNS error,
regardless of what main.cf specifies.

- The RBL checks now show the content of TXT records (Simon J Mudd).

- The Postfix SMTP server now understands a wider range of illegal
address forms in MAIL FROM and RCPT TO commands. In order to disable
illegal forms, specify "strict_rfc821_envelopes = yes". This also
disables support for MAIL FROM and RCPT TO addresses without <>.

- Per-client/helo/sender/recipient UCE restrictions (fully-recursive
UCE restriction parser). See the RESTRICTION_CLASS file for details.

- Use "postmap -q key" or "postalias -q key" for testing Postfix
lookup tables or alias files.

- Use "postconf -e name=value..." to edit the main.cf file.  This
is easier and safer than editing the main.cf file by hand. The
edits are done on a temporary copy that is renamed into place.

- Use "postconf -m" to display all supported lookup table types
(Scott Cotton).

- New "permit_auth_destination" UCE restriction for finer-grained
access control (Jesper Skriver).

Incompatible changes with postfix-19990906
==========================================

- On systems that use user.lock files to protect system mailboxes
against simultaneous updates, Postfix now uses /file/name.lock
files while delivering to files specified in aliases/forward/include
files. This is a no-op when the recipient lacks directory write
permission.

- The LDAP client code no longer looks up a name containing "*"
because it could be abused.  See the LDAP_README file for how to
restore previous behavior.

- The Postfix to PCRE interface now expects PCRE version 2.08.
Postfix is no longer compatible with PCRE versions prior to 2.06.

Major changes with postfix-19990906
===================================

Several bugfixes, none related to security.  See the HISTORY file
for a complete list of changes.

- Postfix is now distributed under IBM Public License Version 1.0
which does not carry the controversial termination clause. The new
license does have a requirement that contributors make source code
available.

- INSTALL.sh install/upgrade procedure that replaces existing
programs and shell scripts instead of overwriting them, and that
leaves existing queue files and configuration files alone.

- The ugly Delivered-To: header can now be turned off selectively.
The default setting is:  "prepend_delivered_header = command, file,
forward".  Turning off the Delivered-To:  header when forwarding
mail is not recommended.

- mysql client support by Scott Cotton and Joshua Marcus, Internet
Consultants Group, Inc. See the file MYSQL_README for instructions.

- reject_unauth_destination SMTP recipient restriction that rejects
destinations not in $relay_domains. Unlike the check_relay_domains
restriction, reject_unauth_destination ignores the client hostname.
By Lamont Jones of Hewlett-Packard.

- reject_unauth_pipelining SMTP *anything* restriction to stop mail
from spammers that improperly use SMTP command pipelining to speed
up their deliveries.

- Postfix "sendmail" now issues a warning and drops privileges if
installed set-uid root.

- No more duplicate delivery when "postfix reload" is immediately
followed by "sendmail -q".

- No more "invalid argument" errors when a Postfix daemon opens a
DB/DBM file while some other process is changing the file.

- Portability to the Mac OS X Server, Reliant Unix, AIX 3.2.5 and
Ultrix 4.3.

Incompatible changes with postfix-19990601:
===========================================

- The SMTP server now delays all UCE restrictions until the RCPT
TO, VRFY or ETRN command. This makes the restrictions more useful,
because many SMTP clients do not expect negative responses earlier
in the protocol.  In order to restore the old behavior, specify
"smtpd_delay_reject = no" in /etc/postfix/main.cf.

- The Postfix local delivery agent no longer automatically propagates
address extensions to aliases/include/forward addresses.  Specify
"propagate_unmatched_extensions = canonical, virtual, alias, forward,
include" to restore the old behavior.

- The Postfix local delivery agent no longer does $name expansion
on words found in the mailbox_command configuration parameter. This
makes it easier to specify shell syntax. See conf/main.cf.

- The luser_relay syntax has changed. You can specify one address;
it is subjected to $user, etc. expansions. See conf/main.cf.

- File system reorganization: daemon executables are now in the
libexec subdirectory, command executables in the bin subdirectory.
The INSTALL instructions now recommend installing daemons and
commands into separate directories.

Major changes with postfix-19990601:
=====================================

- New USER, EXTENSION, LOCAL, DOMAIN and RECIPIENT environment
variables for delivery to command (including mailbox_command) by
the local delivery agent. As you might expect, the information is
censored. The list of acceptable characters is specified with the
command_expansion_filter configuration parameter.  Unacceptable
characters are replaced by underscores. See html/local.8.html.

- Specify "forward_path = /var/forward/$user" to avoid looking up
.forward files in user home directories.  The default value is
$home/.forward$recipient_delimiter$extension, $home/.forward.
Initial code by Philip A.  Prindeville, Mirapoint, Inc., USA.

- Conditional $name expansion in forward_path and luser_relay.
Available names are: $user (bare user name) $shell (user login
shell), $home (user home directory), $local (everything to the left
of @), $extension (optional address extension), $domain (everything
to the right of @), $recipient (the complete address) and
$recipient_delimiter.  A simple $name expands as usual.  ${name?value}
expands to value when $name is defined.  ${name:value} expands to
value when $name is not defined. With ${name?value} and ${name:value},
the value is subject to another iteration of $name expansion.

- POSIX regular expression support, enabled by default on 4.4BSD,
LINUX, HP-UX, and Solaris 2.5 and later. See conf/sample-regexp.cf.
Initial code by Lamont Jones, Hewlett-Packard, borrowing heavily
from the PCRE implementation by Andrew McNamara, connect.com.au
Pty. Ltd., Australia.

- Regular expression checks for message headers.  This requires
support for POSIX or for PCRE regular expressions.  Specify
"header_checks = regexp:/file/name" or "header_checks = pcre:/file/name",
and specify "/^header-name:  badstuff/ REJECT" in the pattern file
(patterns are case-insensitive by default).  Code by Lamont Jones,
Hewlett-Packard.  It is to be expected that full content filtering
will be delegated to an external command.

- Regular expression support for all lookup tables, including access
control (full mail addresses only), address rewriting (canonical/virtual,
full mail addresses only) and transport tables (full domain names
only).  However, regular expressions are not allowed for aliases,
because that would open up security exposures.

- Automatic detection of changes to DB or DBM lookup tables.  This
eliminates the need to run "postfix reload" after each change to
the SMTP access table, or to the canonical, virtual, transport or
aliases tables.

- New error mailer. Specify ".domain.name error:domain is undeliverable"
in the transport table to bounce mail for entire domains.

- No more Postfix lockups on Solaris (knock on wood). The code no
longer uses Solaris UNIX-domain sockets, because they are still
broken, even with Solaris 7.

- Workaround for the Solaris mailtool, which keeps an exclusive
kernel lock on the mailbox while its window is not iconified (specify
"sun_mailtool_compatibility = yes" in main.cf).

- Questionable workaround for Solaris, which reportedly loses
long-lived exclusive locks that are held by the master daemon.

- New reject_unknown_{sender,recipient}_domain restrictions for
sender and recipient mail addresses that distinguish between soft
errors (always 450) and hard errors (unknown_address_reject_code,
default 450).

- MIME-encapsulated bounce messages, making it easier to recover
bounced mail. Initial implementation by Philip A.  Prindeville,
Mirapoint, Inc., USA. Support for RFC 1892 (multipart/report) and
RFC 1894 (DSN) will have to wait until Postfix internals have been
revised to support RFC 1893.

- Separately configurable "postmaster" addresses for single bounces
(bounce_notice_recipient), double bounces (2bounce_notice_recipient),
delayed mail (delay_notice_recipient), and for mailer error reports
(error_notice_recipient). See conf/main.cf.

- Questionable feature: specify "best_mx_transport = local" if
this machine is the best MX host for domains not in mydestinations.

Incompatible changes with postfix-19990317:
===========================================

- You MUST install the new version of /etc/postfix/postfix-script.

- The pipe mailer "flags" syntax has changed. You now explicitly
MUST specify the R flag in order to generate a Return-Path:  message
header (as needed by, for example, cyrus).

Major changes with postfix-19990317:
====================================

A detailed record of changes is given in the HISTORY file.

- Less postmaster mail. Undeliverable bounce messages (double
bounces) are now discarded. Specify "notify_classes = 2bounce..."
to get copies of double bounces. Specify "notify_classes = bounce..."
to get copies of normal and double bounces.

- Improved LDAP client code by John Hensley of Merit Network, USA.
See LDAP_README for details.

- Perl-compatible regular expression support for lookup maps by
Andrew McNamara, connect.com.au Pty. Ltd., Australia..  Example:
"check_recipient_access pcre:/etc/postfix/sample-pcre.cf". Regular
expressions provide a powerful tool not only for SMTP access control
but also for address rewriting. See PCRE_README for details.

- Automatic notification of delayed mail (disabled by default).
With "delay_warning_time = 4", Postfix informs senders when mail
has not been delivered after 4 hours. Initial version of the code
by Daniel Eisenbud, University of California at Berkeley. In order
to get postmaster copies of such warnings, specify "notify_classes
= delay...".

- More configurable local delivery: "mail_spool_directory" to
specify the UNIX mail spool directory; "mailbox_transport" to
delegate all mailbox delivery to, for example, cyrus, and
"fallback_transport" to delegate delivery of only non-UNIX users.
And all this without losing local aliases and local .forward
processing.  See config/main.cf and config/master.cf.

- Several changes to improve Postfix behavior under worst-case
conditions (frequent Postfix restarts/reloads combined with lots
if inbound mail, intermittent connectivity problems, SMTP servers
that become comatose after receiving QUIT).

- More NFS-friendly mailbox delivery. The local delivery agent
now avoids using root privileges where possible.

- For sites that do not receive mail at all, mydestination can now
be an empty string. Be sure to set up a transport table entry to
prevent mail from looping.

- New "postsuper" utility to clean up stale files from Postfix
queues.

- Workaround for BSD select() collisions that cause performance
problems on large BSD systems.

- Several questionable but useful features to capture mail:
"always_bcc = address" to capture a copy of every message that
enters the system, and "luser_relay = address" to capture mail for
unknown recipients (does not work when mailbox_transport or
fallback_transport are being used).

- Junk mail controls: new reject_non_fqdn_{hostname,sender,recipient}
restrictions to reject non-FQDN arguments in HELO, MAIL FROM and
RCPT TO commands, and stricter checking of numeric HELO arguments.

- "fallback_relay" feature for sites that use DNS but that can't
talk to the entire world. The fall-back relay gets the mail when
a destination is not found in the DNS or when the destination is
found but not reachable.

- Several questionable controls that can help to keep mail going:
specify "smtp_skip_4xx_greeting = yes" to skip SMTP servers that
greet with 4XX, "ignore_mx_lookup_error = yes" to look up an A
record when a DNS server does not respond to an MX query.

Incompatible changes with postfix-beta-19990122-pl01:
=====================================================

None.

Major changes with postfix-beta-19990122-pl01:
==============================================

- Restrict who may use ETRN and what domains may be specified.
Example:  "smtpd_etrn_restrictions = permit_mynetworks, reject".

- BIFF notifications.  For compatibility reasons this feature is
on by default.  Specify "biff = no" in main.cf if your machine has
lots of shell users.

- With "soft_bounce = yes", defer delivery instead of bouncing
mail. This is a safety net for configuration errors with delivery
agents. It has no effect on errors in virtual maps, canonical maps,
or in junk mail restrictions.

- Specify "owner_request_special = no" to turn off special treatment
of owner-foo and foo-request addresses.

Incompatible changes with postfix-beta-19990122:
================================================

- The syntax of the transport table has changed. An entry like:

	customer.org	smtp:[gateway.customer.org]

  no longer forwards mail for anything.customer.org. For that you
  need to specify:

	customer.org	smtp:[gateway.customer.org]
	.customer.org	smtp:[gateway.customer.org]

  This change makes transport tables more compatible with
  sendmail mailer tables.

- The format of syslog records has changed. A client is now always
logged as hostname[address]; the pickup daemon logs queue file uid
and sender address.

Major changes with postfix-beta-19990122:
=========================================

- Junk mail restrictions can now be postponed to the RCPT TO command.
Specify: "smtpd_recipient_restrictions = reject_maps_rbl...".

- More flexible interface for delivery to e.g., cyrus IMAP without
need for PERL scripts to munge recipient addresses. In addition to
$sender, $nexthop and $recipient, the pipe mailer now also supports
$user, $extension and $mailbox.

- New mail now has precedence over deferred mail, plus some other
tweaks to make bulk mail go faster. But it ain't no cure for massive
network outages.

- Watchdog timer for systems that cause the Postfix queue manager
to lock up, so it recovers without human intervention.

- Delivery to qmail-style maildir files, which is good for NFS
environments.  Specify "home_mailbox = Maildir/", or specify
/file/name/ in aliases or in .forward files. The trailing / is
required to turn on maildir delivery.

- Incremental updates of aliases and maps. Specify "postmap -i
mapname" and it will read new entries from stdin.

- Newaliases will now update more than one alias database.
Specify the names with the main.cf "alias_database" parameter.

- Address masquerading exceptions to prevent users from being
masqueraded. Specify "masquerade_exceptions = root".

- A pipelined SMTP client. Deliveries to Postfix, qmail, LSOFT,
zmailer, and exim (once it's fixed) speed up by some 30% for short
messages with one recipient, with more for multi-recipient mails.

- Hook for local delivery to "|command" via the smrsh restricted
shell, to restrict what commands may be used in .forward etc. files.
Specify "local_command_shell = /some/where/smrsh -c".