1The stable Postfix release is called postfix-2.8.x where 2=major 2release number, 8=minor release number, x=patchlevel. The stable 3release never changes except for patches that address bugs or 4emergencies. Patches change the patchlevel and the release date. 5 6New features are developed in snapshot releases. These are called 7postfix-2.9-yyyymmdd where yyyymmdd is the release date (yyyy=year, 8mm=month, dd=day). Patches are never issued for snapshot releases; 9instead, a new snapshot is released. 10 11The mail_release_date configuration parameter (format: yyyymmdd) 12specifies the release date of a stable release or snapshot release. 13 14If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7 15before proceeding. 16 17Major changes - restart Postfix 18------------------------------- 19 20If you upgrade from Postfix 2.6 or earlier, you must execute "postfix 21stop" and "postfix start" before you can use the postscreen(8) 22daemon. This is needed because the Postfix 2.6 "pass" master service 23type did not work reliably on some systems. 24 25If you upgrade from Postfix 2.7, or from Postfix 2.8 before July 2625, 2010, you must execute "postfix reload" (or "postfix stop" 27followed by "postfix start"). This is needed because the queue 28manager to delivery agent protocol has changed. Failure to do this 29results in repeated logging of warnings with: 30 31 warning: unexpected attribute rewrite_context ... 32 33If the warning does not go away after restarting Postfix, examine 34the output from this command: 35 36 strings -af /usr/libexec/postfix/* | grep mail_version= 37 38(where /usr/libexec/postfix is the value of main.cf:daemon_directory) 39and update the executables that have a version string that differs 40from the other programs. 41 42Major changes - DNSBL/DNSWL support 43----------------------------------- 44 45[Feature 20101126] Support for address patterns in DNS blacklist 46and whitelist lookup results. 47 48For example, "reject_rbl_client example.com=127.0.0.[2;4;6..8]" 49will reject clients when the lookup result is 127.0.0.2, 127.0.0.4, 50127.0.0.6, 127.0.0.7, or 127.0.0.8. 51 52The setting "postscreen_dnsbl_sites = example.com=127.0.0.[2;4;6..8]" 53rejects the same clients. 54 55An IPv4 address pattern has four fields separated by ".". Each 56field is either a decimal number, or a sequence inside "[]" that 57contains one or more ";"-separated decimal numbers or number..number 58ranges. 59 60Thus, any pattern field can be a sequence inside "[]", but a "[]" 61sequence cannot span multiple address fields, and a pattern field 62cannot contain both a number and a "[]" sequence at the same time. 63 64This means that the pattern 1.2.[3.4] is not valid (the sequence 65[3.4] cannot span two address fields) and the pattern 1.2.3.3[6..9] 66is also not valid (the last field cannot be both number 3 and 67sequence [6..9] at the same time). 68 69The syntax for IPv4 patterns is as follows: 70 71v4pattern = v4field "." v4field "." v4field "." v4field 72v4field = v4octet | "[" v4sequence "]" 73v4octet = any decimal number in the range 0 through 255 74v4sequence = v4seq_member | v4sequence ";" v4seq_member 75v4seq_member = v4octet | v4octet ".." v4octet 76 77[Feature 20101105] The Postfix SMTP server now supports DNS-based 78whitelisting with several safety features: permit_dnswl_client 79whitelists a client by IP address, and permit_rhswl_client whitelists 80a client by its hostname. These features use the same syntax as 81reject_rbl_client and reject_rhsbl_client, respectively. The main 82difference is that they return PERMIT instead of REJECT. 83 84Whitelisting is primarily a tool to reduce the false positive rate 85of DNS blocklist lookups. Client name whitelisting should not be 86used to make exceptions to access rules. The reason is that client 87name lookup can fail unpredictably due to some temporary outage. 88 89For safety reasons, permit_dnswl_client and permit_rhswl_client are 90silently ignored when they would override reject_unauth_destination. 91Also for safety reasons, the result is DEFER_IF_REJECT when DNS 92whitelist lookup fails (this result will be made configurable). 93 94Major changes - sqlite support 95------------------------------ 96 97[Feature 20100617] Support for read-only sqlite database access, 98with code by Axel Steiner and documentation by Jesus Garcia Crespo. 99See SQLITE_README and sqlite_table(5) for details. 100 101Major changes - Milter support 102------------------------------- 103 104[Incompat 20101103] Postfix now requests default delivery status 105notifications when adding a recipient with the Milter smfi_addrcpt 106action, instead of "never notify" as with Postfix automatically-added 107recipients (always_bcc and sender/recipient_bcc_maps). 108 109Major changes - alias expansion 110------------------------------- 111 112[Incompat 20101202] Postfix now reports a temporary delivery error 113when the result of virtual alias expansion would exceed the 114virtual_alias_recursion_limit or virtual_alias_expansion_limit. 115Previously, Postfix would silently drop the excess recipients and 116deliver the message. 117 118[Incompat 20101006] To avoid repeated delivery to mailing lists 119with pathological nested alias configurations, the local(8) delivery 120agent now keeps the owner-alias attribute of a parent alias, when 121delivering mail to a child alias that does not have its own owner 122alias. 123 124With this change, local addresses from that child alias will be 125written to a new queue file, and a temporary error with one local 126address will no longer result in repeated delivery to other mailing 127list members. Specify "reset_owner_alias = yes" for the older, 128more fragile, behavior. 129 130The postconf(5) manpage entry for "reset_owner_alias" has more 131background information on this issue. 132 133Major changes - dns lookup 134-------------------------- 135 136[Incompat 20100827] The Postfix SMTP client no longer appends the 137local domain when looking up a DNS name without ".". Specify 138"smtp_dns_resolver_options = res_defnames" to get the old behavior, 139which may produce unexpected results. 140 141Major changes - logging 142----------------------- 143 144[Incompat 20100728] The format of the "postfix/smtpd[pid]: queueid: 145client=host[addr]" logfile record has changed. When available, the 146before-filter client information and the before-filter queue ID are 147now appended to the end of the record. 148 149[Feature 20100728] Improved message tracking across SMTP-based 150content filters. The logging example below is from an after-filter 151SMTP server. Here, 951F692462F is a before-filter queue ID, 152hades.porcupine.org is a before-filter SMTP client, while 6B4A9924782 153is the after-filter queue ID, and localhost[127.0.0.1] is the 154SMTP-based content filter that sends mail into the after-filter 155SMTP server. 156 157 postfix/smtpd[4074]: 6B4A9924782: 158 client=localhost[127.0.0.1], 159 orig_queue_id=951F692462F 160 orig_client=hades.porcupine.org[168.100.189.10] 161 162Major changes - reply footer 163---------------------------- 164 165[Feature 20110105] The SMTP server now supports contact information 166that is appended to "reject" responses. This includes SMTP server 167responses that aren't logged to the maillog file, such as responses 168to syntax errors, or unsupported commands. 169 170Example: 171 smtpd_reject_footer = For assistance, call 800-555-0101. 172 173Server response: 174 550-5.5.1 <user@example> Recipient address rejected: User unknown 175 550 5.5.1 For assistance, call 800-555-0101. 176 177This feature supports macro expansion ($client_address, $localtime, 178etc.), as documented in the postconf(5) manpage. 179 180This feature is also supported as postscreen_reject_footer using 181the same setting as smtpd_reject_footer by default. 182 183Major changes - rfc compliance 184------------------------------ 185 186[Incompat 20101206] Postfix by default no longer adds a "To: 187undisclosed-recipients:;" header when no recipient specified in the 188message header. The Internet mail RFCs have supported messages 189without recipient header for almost 10 years now. 190 191For backwards compatibility, specify: 192 193/etc/postfix/main.cf 194 undisclosed_recipients_header = To: undisclosed-recipients:; 195 196Note: both the ":" and ";" are required. 197 198Major changes - tls support 199--------------------------- 200 201[Incompat 20110102] The Postfix SMTP server now always re-computes 202the SASL mechanism list after successful completion of the STARTTLS 203command. Earlier versions only re-computed the mechanism list when 204the values of smtp_sasl_tls_security_options and smtp_sasl_security_options 205differ. This could produce incorrect results, because the Dovecot 206authentication server may change responses when the SMTP session 207is encrypted. 208 209[Incompat 20110102] The smtpd_starttls_timeout default value is now 210stress-dependent. By default, TLS negotiations must now complete 211under overload in 10s instead of 300s. 212 213[Feature 20101223] The new tls_disable_workarounds parameter specifies 214a list or bit-mask of OpenSSL bug work-arounds to disable. This may 215be necessary if one of the work-arounds enabled by default in OpenSSL 216proves to pose a security risk, or introduces an unexpected 217interoperability issue. Some bug work-arounds known to be problematic 218are disabled in the default value of the parameter when linked with 219an OpenSSL library that could be vulnerable. See postconf(5) and 220TLS_README for details. 221 222With "tls_preempt_cipherlist = yes" the Postfix SMTP server will 223choose its most preferred cipher that is supported (offered) by the 224client. This can lead to a more secure or performant cipher choice, 225but may also introduce interoperability problems when a client 226announces support for a cipher that does not work. See postconf(5) 227and TLS_README for details. 228 229[Feature 20101217] The lower-level code in the TLS engine was 230simplified by removing an unnecessary layer of data copying. OpenSSL 231now writes directly to the network. The difference in performance 232should be hardly noticeable. 233 234[Incompat 20100610] Postfix no longer appends the system-supplied 235default CA certificates to the lists specified with *_tls_CAfile 236or with *_tls_CApath. This prevents third-party certificates from 237getting mail relay permission with the permit_tls_all_clientcerts 238feature. 239 240Unfortunately this change may cause compatibility problems when 241configurations rely on certificate verification for other purposes. 242Specify "tls_append_default_CA = yes" for backwards compatibility. 243 244Major changes - postscreen 245-------------------------- 246 247See html/POSTSCREEN_README.html for an introduction to postscreen 248(or the text version, README_FILES/POSTSCREEN_README). The text 249below summarizes milestones in reverse chronological order. 250 251[Incompat 20110111] The postscreen_access_list feature replaces the 252postscreen_whitelist_networks and postscreen_blacklist_networks 253features. Reason: CIDR-style access maps are some 100x faster than 254the code that implemented the postscreen_white/blacklist_networks 255support. CIDR maps can match about 100 million CIDR patterns/second 256on a modern CPU, which is not blindingly fast but adequate for the 257near future. 258 259[Feature 20110102] STARTTLS support for the postscreen(8) daemon. 260This is implemented by a new tlsproxy(8) daemon that you will need 261to enable in master.cf (see POSTSCREEN_README for instructions). 262tlsproxy(8) implements its own tlsproxy_mumble versions of TLS-related 263smtpd_mumble parameters. This leaves no confusion about which 264parameters will affect tlsproxy(8) behavior, but it adds another 26525 parameters to the documentation. 266 267[Incompat 20100912] If your DNSBL queries have a "secret" in the 268domain name, you must now censor this information from the postscreen(8) 269SMTP replies. For example: 270 271 /etc/postfix/main.cf: 272 postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply 273 274 /etc/postfix/dnsbl_reply: 275 # Secret DNSBL name Name in postscreen(8) replies 276 secret.zen.spamhaus.org zen.spamhaus.org 277 278The texthash: format is similar to hash: except that there is no need to 279run postmap(1) before the file can be used, and that it does not detect 280changes after the file is read. It is new with Postfix version 2.8. 281 282[Incompat 20100912] The postscreen "continue" action is now called 283"ignore". The old name is still supported but no longer documented. 284 285[Incompat 20100912] The postscreen_hangup_action parameter was 286removed. Postscreen now always behaves as if "postscreen_hangup_action 287= drop". 288 289[Incompat 20100912] The postscreen_cache_retention_time default was 290increased from 1d to 7d, to avoid deleting results from expensive 291deep SMTP protocol tests too quickly. 292 293[Feature 20100912] SMTP protocol engine for deep protocol tests, 294and for logging the helo/sender/recipient information when postscreen 295rejects an attempt to deliver mail. 296 297The postscreen SMTP protocol engine implements a number of deep 298protocol tests and defers or rejects all attempts to deliver mail. 299The first test detects unauthorized SMTP command pipelining (an 300SMTP client sends multiple commands, instead of sending one command 301and waiting for the server response); a second deep protocol test 302implements the Postfix SMTP server's smtpd_forbidden_commands feature 303(a client sends commands such as CONNECT, GET, POST); and a third 304deep protocol test detects spambots that send SMTP commands that 305end in newline instead of carriage-return/newline. Real spambots 306rarely make this mistake, but poorly-written software often does. 307 308Deep protocol tests are disabled by default, because the built-in 309SMTP engine cannot not hand off the "live" connection from a good 310SMTP client to a Postfix SMTP server process. To work around this, 311postscreen(8) defers attempts to deliver mail with a 4XX status, 312and waits for the client to disconnect. The next time a good client 313connects, it will be allowed to talk to a Postfix SMTP server process 314to deliver mail. 315 316[Feature 20100830] Postscreen DNSBL support is extended with optional 317fixed-string filters, with optional integral weight factors, and 318with an adjustable threshold to block SMTP clients with DNSBL score 319>= that threshold. Reply filters will be implemented later. 320 321The updated postscreen configuration syntax is: 322 323 postscreen_dnsbl_sites = domain[=ipaddr][*weight] ... 324 postscreen_dnsbl_threshold = score 325 326Elements inside [] are optional, ipaddr is an IPv4 address, and 327weight and score are integral numbers. The [] are not part of the 328postscreen_dnsbl_sites input. By default, weight and score are 329equal to 1, and entries without filter will match any non-error 330DNSBL reply. Use a negative weight value for whitelisting. 331 332Examples: 333 334To use example.com as a high-confidence blocklist, and to block 335mail with example.net and example.org only when both agree, use: 336 337 postscreen_dnsbl_threshold = 2 338 postscreen_dnsbl_sites = example.com*2, example.net, example.org 339 340To filter only DNSBL replies containing 127.0.0.4, use: 341 342 postscreen_dnsbl_sites = example.com=127.0.0.4 343 344See also postconf(5) for the fine details. 345 346[Incompat 20100101] When periodic cache cleanup is enabled (the 347default), the postscreen(8) server now requires that the cache 348database supports the "delete" and "sequence" operations. To disable 349periodic cache cleanup specify a zero postscreen_cache_cleanup_interval 350value. 351 352[Feature 20100101] Periodic cache cleanup for the postscreen(8) 353cache database. The time between cache cleanup runs is controlled 354with the postscreen_cache_cleanup_interval (default: 12h) parameter. 355Cache cleanup increases the database access latency, so this should 356not be run more often than necessary. 357 358In addition, the postscreen_cache_retention_time (default: 1d) 359parameter specifies how long to keep an expired entry in the cache. 360This prevents a client from being logged as "NEW" after its record 361expired only a little while ago. 362 363[Feature 20091008] Prototype postscreen(8) server that runs a number 364of time-consuming checks in parallel for all incoming SMTP connections, 365before clients are allowed to talk to a real Postfix SMTP server. 366It detects clients that start talking too soon, or clients that 367appear on DNS blocklists, or clients that hang up without sending 368any command. 369 370By doing these checks in a single postscreen(8) process, Postfix 371can avoid wasting one SMTP server process per connection. A side 372benefit of postscreen(8)'s DNSBL lookups is that DNS records are 373already cached before the Postfix SMTP server looks them up later. 374 375postscreen(8) maintains a temporary whitelist of positive decisions. 376Once an SMTP client is whitelisted, it is immediately forwarded to 377a real Postfix SMTP server process without further checking. 378 379By default, the program logs only statistics, and it does not run 380any checks on clients in mynetworks (primarily, to avoid problems 381with buggy SMTP implementations in network appliances). The logging 382function alone is already useful for research. 383 384