This is the Postfix 3.7 (stable) release.

The stable Postfix release is called postfix-3.7.x where 3=major
release number, 7=minor release number, x=patchlevel.  The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-3.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 3.5 or earlier, read RELEASE_NOTES-3.6
before proceeding.

License change
---------------

This software is distributed with a dual license: in addition to the
historical IBM Public License 1.0, it is now also distributed with the
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.

Major changes - configuration
-----------------------------

[Feature 20210605] Support to inline the content of small cidr:,
pcre:, and regexp: tables in Postfix parameter values.

Example:

    smtpd_forbidden_commands =
	CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}}

This is the new smtpd_forbidden_commands default value. It will
immediately disconnect a remote SMTP client when a command does not
start with a letter (a-z or A-Z).

The basic syntax is:

/etc/postfix/main.cf:
    parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } ..

/etc/postfix/master.cf:
    .. -o { parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } .. } ..

where map-type is one of cidr, pcre, or regexp.

Postfix ignores whitespace after '{' and before '}', and writes each
rule as one text line to a nameless in-memory file:

in-memory file:
    rule-1
    rule-2
    ..

Postfix parses the result as if it is a file in /etc/postfix.

Note: if a rule contains $, specify $$ to keep Postfix from trying
to do $name expansion as it evaluates the parameter value.

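A model of the expansion described above, added here as an illustration
and not taken from the Postfix source: it splits an inline table value
into the rule lines that would be written to the in-memory file. The
names take_braced, expand_inline_table and inline_rules, the size limits,
and the use of brace-depth counting to find the matching '}' are
assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

#define MAX_RULES 8
#define MAX_LEN   128

char inline_rules[MAX_RULES][MAX_LEN];  /* stands in for the in-memory file */

/* Copy the text between the '{' at *pp and its matching '}' into out,
 * dropping whitespace after '{' and before '}'. Returns 0, or -1 on error. */
static int take_braced(const char **pp, char *out, size_t outlen)
{
    const char *p = *pp, *start = p + 1, *end;
    int depth = 0;

    if (*p != '{')
        return -1;
    for (; *p != '\0'; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0)
            break;
    }
    if (*p != '}')
        return -1;                      /* unbalanced braces */
    end = p;
    while (start < end && isspace((unsigned char) *start))
        start++;
    while (end > start && isspace((unsigned char) end[-1]))
        end--;
    if ((size_t) (end - start) >= outlen)
        return -1;                      /* rule too long for this model */
    memcpy(out, start, (size_t) (end - start));
    out[end - start] = '\0';
    *pp = p + 1;
    return 0;
}

/* Expand "map-type:{ { rule-1 }, { rule-2 } }" into inline_rules[].
 * Returns the number of rules, or -1 on a syntax error. */
int expand_inline_table(const char *value)
{
    char body[MAX_RULES * MAX_LEN];
    const char *p = strchr(value, '{');
    int n = 0;

    if (p == NULL || take_braced(&p, body, sizeof body) != 0)
        return -1;
    for (p = body; *p != '\0';) {
        if (isspace((unsigned char) *p) || *p == ',')
            p++;                        /* separators between rules */
        else if (n == MAX_RULES || take_braced(&p, inline_rules[n++], MAX_LEN) != 0)
            return -1;
    }
    return n;
}
```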
Major changes - lmdb support
----------------------------

[Feature 20210605] Overhauled the LMDB client's error handling, and
added integration tests for future-proofing. There are no visible
changes in documented behavior.

Major changes - logging
-----------------------

[Feature 20210815] To make the maillog_file feature more useful,
the postlog(1) command is now set-gid postdrop, so that unprivileged
programs can use it to write logging through the postlogd(8) daemon.
This required hardening the postlog(1) command against privilege
escalation attacks. DO NOT turn on the set-gid bit with older
postlog(1) implementations.

Major changes - pcre2 support
-----------------------------

[Feature 20211127] Support for the pcre2 library (the legacy pcre
library is no longer maintained). The Postfix build procedure
automatically detects if the pcre2 library is installed, and if it
is unavailable, the Postfix build procedure will detect if the
legacy pcre library is installed. See PCRE_README if you need to
build Postfix with a specific library.

Visible differences: some error messages may have a different text,
and the 'X' pattern flag is no longer supported with pcre2.

Major changes - security
------------------------

[Feature 20220102] Postfix programs now randomize the initial state
of in-memory hash tables, to defend against hash collision attacks
involving a large number of attacker-chosen lookup keys. Presently,
the only known opportunity for such attacks involves remote SMTP
client IPv6 addresses in the anvil(8) service. The attack would
require making hundreds of short-lived connections per second from
thousands of different IP addresses, because the anvil(8) service
drops inactive counters after 100s. Other in-memory hash tables
with attacker-chosen lookup keys are by design limited in size. The
fix is cheap, and therefore implemented for all Postfix in-memory
hash tables. Problem reported by Pascal Junod.

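The effect of a randomized initial state, as an added example (this is
not the Postfix hash function or table code): keys selected to share one
bucket under a fixed, known initial state spread out once the table
hashes with a different seed. FNV-1a, the 61-bucket table, the key format
and the fixed demonstration seed are assumptions; a real program would
draw the seed from a random source at startup.

```c
#include <stdint.h>
#include <stdio.h>

#define NBUCKET 61   /* toy table size (constructed) */
#define NKEYS   32   /* number of lookup keys in the experiment */

/* FNV-1a with the initial state XORed with a seed. seed == 0 models a
 * table whose hash function is fixed and therefore predictable. */
uint32_t seeded_hash(const char *key, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;

    for (; *key; key++) {
        h ^= (unsigned char) *key;
        h *= 16777619u;
    }
    return h;
}

/* Select NKEYS keys that share bucket 0 under known_seed, count them into
 * a table that hashes with table_seed, and return the longest chain. */
int longest_chain(uint32_t known_seed, uint32_t table_seed)
{
    int count[NBUCKET] = {0};
    int found = 0, longest = 0;
    char key[16];

    for (unsigned n = 0; found < NKEYS; n++) {
        snprintf(key, sizeof key, "k%u", n);    /* constructed key names */
        if (seeded_hash(key, known_seed) % NBUCKET != 0)
            continue;
        found++;
        int c = ++count[seeded_hash(key, table_seed) % NBUCKET];
        if (c > longest)
            longest = c;
    }
    return longest;
}

int main(void)
{
    /* Same key set, measured against a fixed and a seeded table. */
    printf("fixed state:  longest chain %d of %d\n",
           longest_chain(0, 0), NKEYS);
    printf("seeded state: longest chain %d of %d\n",
           longest_chain(0, 0x5eedf00du), NKEYS);
    return 0;
}
```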
[Feature 20211030] The postqueue command now sanitizes non-printable
characters (such as newlines) in strings before they are formatted
as json or as legacy output. These outputs are piped into other
programs that are run by administrative users. This closes a
hypothetical opportunity for privilege escalation.

[Feature 20210815] Updated defense against remote clients or servers
that 'trickle' SMTP or LMTP traffic, based on per-request deadlines
and minimum data rates.

Per-request deadlines:

The new {smtpd,smtp,lmtp}_per_request_deadline parameters replace
{smtpd,smtp,lmtp}_per_record_deadline, with backwards compatible
default settings. This defense is enabled by default in the Postfix
SMTP server in case of overload.

The new smtpd_per_record_deadline parameter limits the combined
time for the Postfix SMTP server to receive a request and to send
a response, while the new {smtp,lmtp}_per_record_deadline parameters
limit the combined time for the Postfix SMTP or LMTP client to send
a request and to receive a response.

Minimum data rates:

The new smtpd_min_data_rate parameter enforces a minimum plaintext
data transfer rate for DATA and BDAT requests, but only when
smtpd_per_record_deadline is enabled. After a read operation transfers
N plaintext bytes (possibly after TLS decryption), and after the
DATA or BDAT request deadline is decreased by the elapsed time of
that read operation, the DATA or BDAT request deadline is increased
by N/smtpd_min_data_rate seconds. However, the deadline is never
increased beyond the smtpd_timeout value. The default minimum data
rate is 500 (bytes/second) but is still subject to change.

The new {smtp,lmtp}_min_data_rate parameters enforce the corresponding
minimum DATA transfer rates for the Postfix SMTP and LMTP client.

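The deadline arithmetic above, carried through for three senders as an
added example (a model, not Postfix code). It assumes that a DATA or BDAT
request starts with a deadline equal to smtpd_timeout, uses an assumed
smtpd_timeout of 300s, and works in milliseconds; the function names are
hypothetical.

```c
#include <stdio.h>

/* Deadline update after one read, as described in the notes: subtract the
 * elapsed time, add N/min_data_rate seconds, never exceed the timeout.
 * Times are in milliseconds so that the arithmetic stays exact. */
long deadline_after_read(long remaining_ms, long elapsed_ms, long nbytes,
                         long min_rate, long timeout_ms)
{
    long next = remaining_ms - elapsed_ms + (nbytes * 1000) / min_rate;

    return next > timeout_ms ? timeout_ms : next;
}

/* Model a sender that delivers nbytes every interval_ms. Returns the time
 * in ms at which the request deadline expires, or -1 if the sender is
 * still inside its deadline after max_reads reads. */
long time_until_drop(long nbytes, long interval_ms, long min_rate,
                     long timeout_ms, long max_reads)
{
    long remaining = timeout_ms;  /* assumption: deadline starts at timeout */
    long clock = 0;

    for (long i = 0; i < max_reads; i++) {
        if (interval_ms >= remaining)
            return clock + remaining;   /* deadline expires during this read */
        clock += interval_ms;
        remaining = deadline_after_read(remaining, interval_ms, nbytes,
                                        min_rate, timeout_ms);
    }
    return -1;
}

int main(void)
{
    long timeout_ms = 300 * 1000;  /* assumed smtpd_timeout of 300s */
    long rate = 500;               /* default smtpd_min_data_rate */

    printf("1000 bytes per 1s : %ld\n",
           time_until_drop(1000, 1000, rate, timeout_ms, 100000));
    printf(" 100 bytes per 1s : %ld\n",
           time_until_drop(100, 1000, rate, timeout_ms, 100000));
    printf("   1 byte per 10s : %ld\n",
           time_until_drop(1, 10000, rate, timeout_ms, 100000));
    return 0;
}
```

With these inputs the 100 bytes/second sender runs out of deadline after
374.8 seconds and the one-byte-per-10-seconds sender after about 300
seconds, while the 1000 bytes/second sender never reaches its deadline.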
Major changes - tls support
---------------------------

[Cleanup 20220121] The new tlsproxy_client_security_level parameter
replaces tlsproxy_client_level, and the new tlsproxy_client_policy_maps
parameter replaces tlsproxy_client_policy. This is for consistent
parameter naming (tlsproxy_client_xxx corresponds to smtp_tls_xxx).
This change was made with backwards-compatible default settings.

[Feature 20210926] Postfix was updated to support OpenSSL 3.0.0 API
features, and to work around OpenSSL 3.0.0 bit-rot (avoid using
deprecated API features).

Other code health
-----------------

[typos] Typo fixes by raf.

[pre-release checks] Added pre-release checks to detect a) new typos
in documentation and source-code comments, b) missing entries in
the postfix-files file (some documentation would not be installed),
c) missing rules in the postlink script (some text would not have
a hyperlink in documentation), and d) missing map-based $parameter
names in the proxy_read_maps default value (the proxymap daemon
would not automatically authorize some proxied maps).

[memory stream] Improved support for memory-based streams made it
possible to inline small cidr:, pcre:, and regexp: maps in Postfix
parameter values, and to eliminate some ad-hoc code that converted
tlsproxy(8) protocol data to or from serialized form.