Changelog for
postfix-doc-3.1.3-264.1.x86_64.rpm :
Sun Oct 9 14:00:00 2016 michaelAATTstroeder.com
- update to 3.1.3:
* The Postfix SMTP server did not reset a previous session\'s
failed/total command counts before rejecting a client that
exceeds request or concurrency rates. This resulted in incorrect
failed/total command counts being logged at the end of the
rejected session.
* The unionmap multi-table interface did not propagate table
lookup errors, resulting in false \"user unknown\" responses.
* The documentation was updated with a workaround for false \"not
found\" errors with MySQL map queries that contain UTF8-encoded
text. The workaround is to specify \"option_group = client\" in
Postfix MySQL configuration files. This will be the default
setting with Postfix 3.2 and later.
Sun Sep 4 14:00:00 2016 michaelAATTstroeder.com
- update to 3.1.2:
* Changes to make Postfix build with OpenSSL 1.1.0.
* The makedefs script ignored readme_directory=pathname overrides.
Fix by Todd C. Olson.
* The tls_session_ticket_cipher documentation says that the default
cipher for TLS session tickets is aes-256-cbc, but the implemented
default was aes-128-cbc. Note that TLS session ticket keys are
rotated after 1/2 hour, to limit the impact of attacks on session
ticket keys.
Thu Jun 2 14:00:00 2016 schwabAATTsuse.de
- postfix-post-install.patch: remove empty patch
Sun May 29 14:00:00 2016 chrisAATTcomputersalat.de
- fix Changelog cause of Factory decline
Tue May 24 14:00:00 2016 varkolyAATTsuse.com
- Fix typo in config.postfix
Tue May 24 14:00:00 2016 varkolyAATTsuse.com
- bnc#981097 config.postfix creates broken main.cf for tls client configuration
- bnc#981099 /etc/sysconfig/postfix: POSTFIX_SMTP_TLS_CLIENT incomplete
- update to 3.1.1:
- The new address_verify_pending_request_limit
parameter introduces a safety limit for the number of address
verification probes in the active queue. The default limit is 1/4
of the active queue maximum size. The queue manager enforces the
limit by tempfailing probe messages that exceed the limit. This
design avoids dependencies on global counters that get out of sync
after a process or system crash.
- Machine-readable, JSON-formatted queue listing with \"postqueue -j\"
(no \"mailq\" equivalent).
- The milter_macro_defaults feature provides an optional list of macro
name=value pairs. These specify default values for Milter macros when
no value is available from the SMTP session context.
- Support to enforce a destination-independent delay between email
deliveries. The following example inserts 20 seconds of delay
between all deliveries with the SMTP transport, limiting the delivery
rate to at most three messages per minute.
smtp_transport_rate_delay = 20s
- Historically, the default setting \"postscreen_dnsbl_ttl = 1h\" assumes
that a \"not found\" result from a DNSBL server will be valid for one
hour. This may have been adequate five years ago when postscreen
was first implemented, but nowadays, that one hour can result in
missed opportunities to block new spambots.
To address this, postscreen now respects the TTL of DNSBL \"not
found\" replies, as well as the TTL of DNSWL replies (both \"found\"
and \"not found\"). The TTL for a \"not found\" reply is determined
according to RFC 2308 (the TTL of an SOA record in the reply).
Support for DNSBL or DNSWL reply TTL values is controlled by two
configuration parameters:
postscreen_dnsbl_min_ttl (default: 60 seconds).
postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
The postscreen_dnsbl_ttl parameter is now obsolete, and has become
the default value for the new postscreen_dnsbl_max_ttl parameter.
- New \"smtpd_client_auth_rate_limit\" feature, to
enforce an optional rate limit on AUTH commands per SMTP client IP
address. Similar to other smtpd_client_
*_rate_limit features, this
enforces a limit on the number of requests per $anvil_rate_time_unit.
- New SMTPD policy service attribute \"policy_context\",
with a corresponding \"smtpd_policy_service_policy_context\" configuration
parameter. Originally, this was implemented to share the same SMTPD
policy service endpoint among multiple check_policy_service clients.
- A new \"postfix tls\" command to quickly enable opportunistic TLS
in the Postfix SMTP client or server, and to manage SMTP server keys
and certificates, including certificate signing requests and
TLSA DNS records for DANE.
Tue Apr 19 14:00:00 2016 opensuseAATTdstoecker.de
- build with working support for SMTPUTF8
Sun Mar 20 13:00:00 2016 mrueckertAATTsuse.de
- fix build on sle11 by pointing _libexecdir to /usr/lib all the
time.
Sun Mar 20 13:00:00 2016 mrueckertAATTsuse.de
- some distros did not pull pkgconfig indirectly. pull it directly.
Sun Mar 20 13:00:00 2016 mrueckertAATTsuse.de
- fix building the dynamic maps: the old build had postgresql e.g.
with missing symbols.
- convert to AUXLIBS_
* instead of plain AUXLIBS which is needed
for proper dynamic maps.
- reordered the CCARGS and AUXLIBS
* lines to group by feature
- use pkgconfig or
*_config tools where possible
- picked up signed char from fedora spec file
- enable lmdb support: new BR lmdb-devel, new subpackage
postfix-lmdb.
- don\'t delete vmail user/groups
Wed Mar 9 13:00:00 2016 varkolyAATTsuse.com
- update to 3.1.0
- Since version 3.0 postfix supports dynamic loading of cdb:, ldap:,
lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients.
Thats why the patches dynamic_maps.patch and dynamic_maps_pie.patch
could be removed.
- Adapting all the patches to postfix 3.1.0
- remove obsolete patches
* add_missed_library.patch
* postfix-opensslconfig.patch
- update vda patch
* remove postfix-vda-v13-2.10.0.patch
* add postfix-vda-v13-3.10.0.patch
- The patch postfix-db6.diff is not more neccessary
- Backwards-compatibility safety net.
With NEW Postfix installs, you MUST install a main.cf file with
the setting \"compatibility_level = 2\". See conf/main.cf for an
example.
With UPGRADES of existing Postfix systems, you MUST NOT change the
main.cf compatibility_level setting, nor add this setting if it
does not exist.
Several Postfix default settings have changed with Postfix 3.0. To
avoid massive frustration with existing Postfix installations,
Postfix 3.0 comes with a safety net that forces Postfix to keep
running with backwards-compatible main.cf and master.cf default
settings. This safety net depends on the main.cf compatibility_level
setting (default: 0). Details are in COMPATIBILITY_README.
- Major changes - tls
* [Feature 20160207] A new \"postfix tls\" command to quickly enable
opportunistic TLS in the Postfix SMTP client or server, and to
manage SMTP server keys and certificates, including certificate
signing requests and TLSA DNS records for DANE.
* As of the middle of 2015, all supported Postfix releases no longer
nable \"export\" grade ciphers for opportunistic TLS, and no longer
use the deprecated SSLv2 and SSLv3 protocols for mandatory or
opportunistic TLS.
* [Incompat 20150719] The default Diffie-Hellman non-export prime was
updated from 1024 to 2048 bits, because SMTP clients are starting
to reject TLS handshakes with primes smaller than 2048 bits.
* [Feature 20160103] The Postfix SMTP client by default enables DANE
policies when an MX host has a (DNSSEC) secure TLSA DNS record,
even if the MX DNS record was obtained with insecure lookups. The
existence of a secure TLSA record implies that the host wants to
talk TLS and not plaintext. For details see the
smtp_tls_dane_insecure_mx_policy configuration parameter.
- Major changes - default settings
[Incompat 20141009] The default settings have changed for relay_domains
(new: empty, old: $mydestination) and mynetworks_style (new: host,
old: subnet). However the backwards-compatibility safety net will
prevent these changes from taking effect, giving the system
administrator the option to make an old default setting permanent
in main.cf or to adopt the new default setting, before turning off
backwards compatibility. See COMPATIBILITY_README for details.
[Incompat 20141001] A new backwards-compatibility safety net forces
Postfix to run with backwards-compatible main.cf and master.cf
default settings after an upgrade to a newer but incompatible Postfix
version. See COMPATIBILITY_README for details.
While the backwards-compatible default settings are in effect,
Postfix logs what services or what email would be affected by the
incompatible change. Based on this the administrator can make some
backwards-compatibility settings permanent in main.cf or master.cf,
before turning off backwards compatibility.
- Major changes - address verification safety
[Feature 20151227] The new address_verify_pending_request_limit
parameter introduces a safety limit for the number of address
verification probes in the active queue. The default limit is 1/4
of the active queue maximum size. The queue manager enforces the
limit by tempfailing probe messages that exceed the limit. This
design avoids dependencies on global counters that get out of sync
after a process or system crash.
Tempfailing verify requests is not as bad as one might think. The
Postfix verify cache proactively updates active addresses weeks
before they expire. The address_verify_pending_request_limit affects
only unknown addresses, and inactive addresses that have expired
from the address verify cache (by default, after 31 days).
- Major changes - json support
[Feature 20151129] Machine-readable, JSON-formatted queue listing
with \"postqueue -j\" (no \"mailq\" equivalent). The output is a stream
of JSON objects, one per queue file. To simplify parsing, each
JSON object is formatted as one text line followed by one newline
character. See the postqueue(1) manpage for a detailed description
of the output format.
- Major changes - milter support
[Feature 20150523] The milter_macro_defaults feature provides an
optional list of macro name=value pairs. These specify default
values for Milter macros when no value is available from the SMTP
session context.
For example, with \"milter_macro_defaults = auth_type=TLS\", the
Postfix SMTP server will send an auth_type of \"TLS\" to a Milter,
unless the remote client authenticates with SASL.
This feature was originally implemented for a submission service
that may authenticate clients with a TLS certificate, without having
to make changes to the code that implements TLS support.
- Major changes - output rate control
[Feature 20150710] Destination-independent delivery rate delay
Support to enforce a destination-independent delay between email
deliveries. The following example inserts 20 seconds of delay
between all deliveries with the SMTP transport, limiting the delivery
rate to at most three messages per minute.
/etc/postfix/main.cf:
smtp_transport_rate_delay = 20s
For details, see the description of default_transport_rate_delay
and transport_transport_rate_delay in the postconf(5) manpage.
- Major changes - postscreen dnsbl
[Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL
lookup results
Historically, the default setting \"postscreen_dnsbl_ttl = 1h\" assumes
that a \"not found\" result from a DNSBL server will be valid for one
hour. This may have been adequate five years ago when postscreen
was first implemented, but nowadays, that one hour can result in
missed opportunities to block new spambots.
To address this, postscreen now respects the TTL of DNSBL \"not
found\" replies, as well as the TTL of DNSWL replies (both \"found\"
and \"not found\"). The TTL for a \"not found\" reply is determined
according to RFC 2308 (the TTL of an SOA record in the reply).
Support for DNSBL or DNSWL reply TTL values is controlled by two
configuration parameters:
postscreen_dnsbl_min_ttl (default: 60 seconds).
This parameter specifies a minimum for the amount of time that
a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
This prevents an excessive number of postscreen cache updates
when a DNSBL or DNSWL server specifies a very small reply TTL.
postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
This parameter specifies a maximum for the amount of time that
a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
This prevents cache pollution when a DNSBL or DNSWL server
specifies a very large reply TTL.
The postscreen_dnsbl_ttl parameter is now obsolete, and has become
the default value for the new postscreen_dnsbl_max_ttl parameter.
- Major changes - sasl auth safety
[Feature 20151031] New \"smtpd_client_auth_rate_limit\" feature, to
enforce an optional rate limit on AUTH commands per SMTP client IP
address. Similar to other smtpd_client_
*_rate_limit features, this
enforces a limit on the number of requests per $anvil_rate_time_unit.
- Major changes - smtpd policy
[Feature 20150913] New SMTPD policy service attribute \"policy_context\",
with a corresponding \"smtpd_policy_service_policy_context\" configuration
parameter. Originally, this was implemented to share the same SMTPD
policy service endpoint among multiple check_policy_service clients.
Wed Dec 9 13:00:00 2015 varkolyAATTsuse.com
- bnc#958329 postfix fails to start when openslp is not installed
Mon Oct 12 14:00:00 2015 michaelAATTstroeder.com
- upstream update postfix 2.11.7:
* The Postfix Milter client aborted with a panic while adding a
message header, after adding a short message header with the
header_checks PREPEND action. Fixed by invoking the header
output function while PREPENDing a message header.
* False alarms while scanning the Postfix queue. Fixed by resetting
errno before calling readdir(). This defect was introduced
19970309.
* The postmulti command produced an incorrect error message.
* The postmulti command now refuses to create a new MTA instance
when the template main.cf or master.cf file are missing. This
is a common problem on Debian-like systems.
* Turning on Postfix SMTP server HAProxy support broke TLS
wrappermode. Fixed by temporarily using a 1-byte VSTREAM buffer
to read the HAProxy connection hand-off information.
* The xtext_unquote() function did not propagate error reports
from xtext_unquote_append(), causing the decoder to return
partial output, instead of rejecting malformed input. The Postfix
SMTP server uses this function to parse input for the ENVID and
ORCPT parameters, and for XFORWARD and XCLIENT command parameters.
Wed Aug 12 14:00:00 2015 jkeilAATTsuse.de
- boo#934060: Remove quirky hostname logic from config.postfix
* /etc/hostname doesn\'t contain anything useful
* linux.local is no good either
* postfix will use `hostname`.localdomain as fallback
Tue Aug 4 14:00:00 2015 meissnerAATTsuse.com
- postfix-no-md5.patch: replace fingerprint defaults by sha1.
Tue Aug 4 14:00:00 2015 meissnerAATTsuse.com
- %verifyscript is a new section, move it out of the %ifdef
so the fillups are run afterwards.
Wed Jul 22 14:00:00 2015 michaelAATTstroeder.com
- upstream update postfix 2.11.6:
Default settings have been updated so that they no longer enable
export-grade ciphers, and no longer enable the SSLv2 and SSLv3
protocols.
- removed postfix-2.11.5_linux4.patch because it\'s obsolete
Mon Jun 1 14:00:00 2015 crrodriguezAATTopensuse.org
- postfix-SuSE.tar.gz/postfix.service: None of
nss-lookup.target network.target local-fs.target time-sync.target
should be Wanted or Required except by the services
the implement the relevant functionality i.e network.target
is wanted/required by networkmanager, wicked,
systemd-network. other software must be ordered After them,
see systemd.special(7)
Sun May 17 14:00:00 2015 mpluskalAATTsuse.com
- Fix library symlink generation (boo#928662)
Tue Apr 21 14:00:00 2015 mrueckertAATTsuse.de
- added postfix-2.11.5_linux4.patch:
Allow building on kernel 4. Patch taken from:
https://groups.google.com/forum/#!topic/mailing.postfix.users/fufS22sMGWY
Sun Apr 19 14:00:00 2015 mrueckertAATTsuse.de
- update to postfix 2.11.5
- Bugfix (introduced: Postfix 2.6):
sender_dependent_relayhost_maps ignored the relayhost setting
in the case of a DUNNO lookup result. It would use the
recipient domain instead. Viktor Dukhovni. Wietse took the
pieces of code that enforce the precedence of a
sender-dependent relayhost, the global relayhost, and the
recipient domain, and put that code together in once place so
that it is easier to maintain. File:
trivial-rewrite/resolve.c.
- Bitrot: prepare for future changes in OpenSSL API. Viktor
Dukhovni. File: tls_dane.c.
- Incompatibility: specifying \"make makefiles\" with \"CC=command\"
will no longer override the default WARN setting.
Mon Feb 9 13:00:00 2015 michaelAATTstroeder.com
- upstream update postfix 2.11.4:
Postfix 2.11.4 only:
* Fix a core dump when smtp_policy_maps specifies an invalid TLS
level.
* Fix a missing \" in \\%s\\\", in postconf(1) fatal error messages,
which violated the C language spec. Reported by Iain Hibbert.
All supported releases:
* Stop excessive recursion in the cleanup server while recovering
from a virtual alias expansion loop. Problem found at Two Sigma.
* Stop exponential memory allocation with virtual alias expansion
loops. This came to light after fixing the previous problem.
Sun Feb 8 13:00:00 2015 varkolyAATTsuse.com
- correct pf_daemon_directory in spec. This must be /usr/lib/
Thu Jan 22 13:00:00 2015 varkolyAATTsuse.com
- bnc#914086 syntax error in config.postfix
- Adapt config.postfix to be able to run on SLE11 too.
Mon Jan 19 13:00:00 2015 mpluskalAATTsuse.com
- Don\'t install sysvinit script when systemd is used
- Make explicit PreReq dependencies conditional only for older
systems
- Don\'t try to set explicit attributes to symlinks
- Cleanup spec file vith spec-cleaner
Tue Jan 13 13:00:00 2015 varkolyAATTsuse.com
- bnc#912594 config.postfix creates config based on old options
Tue Jan 6 13:00:00 2015 varkolyAATTsuse.com
- bnc#911806 config.postfix does not set up correct saslauthd socket directory for chroot
- bnc#910265 config.postfix does not upgrade the chroot
- bnc#908003 wrong access rights on /usr/sbin/postdrop causes
permission denied when trying to send a mail as non root user
- bnc#729154 wrong permissions for some postfix components
Fri Nov 21 13:00:00 2014 tchvatalAATTsuse.com
- Remove keyring and things as it is md5 based one no longer
accepted by gpg 2.1
Fri Nov 14 13:00:00 2014 dimstarAATTopensuse.org
- No longer perform gpg validation; osc source_validator does it
implicit:
+ Drop gpg-offline BuildRequires.
+ No longer execute gpg_verify.
Mon Oct 27 13:00:00 2014 dmuellerAATTsuse.com
- restore previously lost fix:
Fri Oct 11 13:32:32 UTC 2013 - matzAATTsuse.de
- Ignore errors in %pre/%post.
Mon Oct 20 14:00:00 2014 michaelAATTstroeder.com
- postfix 2.11.3:
* Fix for configurations that prepend message headers with Postfix
access maps, policy servers or Milter applications. Postfix now
hides its own Received: header from Milters and exposes prepended
headers to Milters, regardless of the mechanism used to prepend
a header. This fix reverts a partial solution that was released
on October 13, 2014, and replaces it with a complete solution.
* Portability fix for MacOS X 10.7.x (Darwin 11.x) build procedure.
- postfix 2.11.2:
* Fix for DMARC implementations based on SPF policy plus DKIM
Milter. The PREPEND access/policy action added headers ABOVE
Postfix\'s own Received: header, exposing Postfix\'s own Received:
header to Milters (protocol violation) and hiding the PREPENDed
header from Milters. PREPENDed headers are now added BELOW
Postfix\'s own Received: header and remain visible to Milters.
* The Postfix SMTP server logged an incorrect client name in
reject messages for check_reverse_client_hostname_access and
check_reverse_client_hostname_{mx,ns}_access. They replied with
the verified client name, instead of the name that was rejected.
* The qmqpd daemon crashed with null pointer bug when logging a
lost connection while not in a mail transaction.
Sun Sep 14 14:00:00 2014 andreas.stiegerAATTgmx.de
- switch from md5 based signature to one using the SHA-512 digest
algorithm supplied by maintainer on ML to pass source_validator
Sat Sep 13 14:00:00 2014 andreas.stiegerAATTgmx.de
- postfix 2.11.1:
* With connection caching enabled (the default), recipients could
be given to the wrong mail server.
* Enforce TLS when TLSA records exist, but all are unusable.
* Don\'t leak memory when TLSA records exist, but all are unusable.
* Prepend \"-I. -I../../include\" to the compiler command-line
options, to avoid name clashes with non-Postfix header files.
* documentation fixes
* logging fixes
Fri Aug 29 14:00:00 2014 rusjakoAATTrus.uni-stuttgart.de
- fix dynamic_maps patch to enable memcache support, which does not
need any libraries
Thu Jul 31 14:00:00 2014 dimstarAATTopensuse.org
- Rename rpmlintrc to %{name}-rpmlintrc.
Follow the packaging guidelines.
Fri Jun 27 14:00:00 2014 chrisAATTcomputersalat.de
- fix typo in postfix-SuSE/update_chroot.systemd
- fix config.postfix
* \'insserv amavis\' -> \'chkconfig amavis on\'
- rework main.cf patch
* fix virtual stuff
* add some dovecot stuff
- rework master.cf patch
* add some dovecot stuff
Mon Jun 23 14:00:00 2014 jamespAATTvicidial.com
- The included postfix-mysql.tar.bz2 was using a MySQL 4.1 style of
table engine specification. Modified so that the sql uses
\'ENGINE=\' instead of \'TYPE=\' for creating tables.
Mon Jun 23 14:00:00 2014 varkolyAATTsuse.com
- bnc#816769 - config.postfix issues warnings about missing master.cf
Tue Jun 10 14:00:00 2014 varkolyAATTsuse.com
- bnc#882033 - Package postfix has changed files according to rpm
- bnc#855688 - possible systemd bug: postfix & cifs dependency confict
Mon Jun 9 14:00:00 2014 varkolyAATTsuse.com
- bnc#863350 - SuSEconfig.postfix complains about modified /etc/postfix/main.cf after updating postfix
Mon May 26 14:00:00 2014 chrisAATTcomputersalat.de
- replace vda patch:
* add postfix-vda-v13-2.10.0.patch
* remove postfix-vda-v11-2.9.6.patch
- rebase patches
- config.postfix
* add master.cf support for submission (587)
* rework master.cf support for smtps
Wed Feb 12 13:00:00 2014 varkolyAATTsuse.com
- bnc#862662 - Unable to configure postfix SMTP with forced TLS using YaST2
- Update to 2.11.0
* TLS
o Support for PKI-less TLS server certificate verification, where
the CA public key or the server certificate is identified via DNSSEC lookup
* LMDB database support
* master
o The master_service_disable parameter value syntax has changed:
use \"service/type\" instead of \"service.type\".
* postconf:
o Support for advanced master.cf query and update operations.
This was implemented primarily to support automated system management tools.
o The postconf command produces more warnings
* relay safety
New smtpd_relay_restrictions parameter built-in default settings:
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
* postscreen whitelisting
Allow a remote SMTP client to skip postscreen(8) tests based on
its postscreen_dnsbl_sites score.
Fri Oct 11 14:00:00 2013 matzAATTsuse.de
- Ignore errors in %pre/%post.
Thu Oct 3 14:00:00 2013 crrodriguezAATTopensuse.org
- two improvements for 13.1 and factory
* postfix-opensslconfig.patch call openSSL_config
so postfix respects the system\'s openssl configuration
* postfix-SuSE/postfix.service since a few months there
is no mail-transfer-agent.target, units must be ordered
after a list of smtpd implementations instead.
Fri Sep 20 14:00:00 2013 varkolyAATTsuse.com
- Proc is not needed in chroot anymore
Tue Jul 30 14:00:00 2013 schwabAATTsuse.de
- postfix-main.cf.patch: remove duplicate entry for inet_protocols
Mon Jun 17 14:00:00 2013 chrisAATTcomputersalat.de
- fix for warning
* unused parameter: virtual_create_maildirsize=yes
* unused parameter: virtual_mailbox_extended=yes
* rework main.cf.patch
- fix rcpostfix for sysvinit systems
* /etc/postfix/system/update_postmaps: No such file or directory
- rebase patches
* vda-v11-2.9.5 -> vda-v11-2.9.6
- fix file postfix-SuSE.tar.gz
* made a tar.gz
Sun Jun 16 14:00:00 2013 jengelhAATTinai.de
- postfix.spec forces the use of SSL and SASL libraries,
so make sure the BuildRequires are there
Fri Jun 14 14:00:00 2013 jengelhAATTinai.de
- Add postfix-db6.diff to fix compile abort with libdb-6.0
Mon Apr 22 14:00:00 2013 idonmezAATTsuse.com
- Add Source URL, see https://en.opensuse.org/SourceUrls
- Add GPG verification
Sat Apr 20 14:00:00 2013 crrodriguezAATTopensuse.org
- postfix-SuSE/postfix.service do not Require or
order after syslog.target as it no longer exists
postfix will fail to start in the next systemd version.
Sat Feb 23 13:00:00 2013 rmilasanAATTsuse.com
- Install postfix.service accordingly (/usr/lib/systemd for 12.3
and up or /lib/systemd for older versions).
Wed Feb 6 13:00:00 2013 varkolyAATTsuse.com
- update to 2,9.6
Bugfix: the local(8) delivery agent dereferenced a null pointer
while delivering to null command (for example, \"|\" in a .forward file).
Bugfix: memory leak in program initialization. tls/tls_misc.c.
Bugfix: he undocumented OpenSSL X509_pubkey_digest() function is
unsuitable for computing certificate PUBLIC KEY fingerprints.
Postfix now provides a correct procedure that accounts for
the algorithm and parameters in addition to the key data. Specify
\"tls_legacy_public_key_fingerprints = yes\" if you need backwards compatibility.
Thu Jan 17 13:00:00 2013 varkolyAATTsuse.com
- bnc#796162 - script to assign path elements not working in postfix install Build-0284(iso)
Thu Jan 10 13:00:00 2013 chrisAATTcomputersalat.de
- rebase patches
* vda-v10-2.8.12 -> vda-v11-2.9.5 (and to be a p0)
* main, master, post-instal, ssl-release-buffers (remove version)
* dynamic_maps, dynamic_maps_pie, pointer_to_literals
Thu Jan 10 13:00:00 2013 varkolyAATTsuse.com
- update to 2,9.5
* tls support:
Support to turn off the TLSv1.1 and TLSv1.2 protocols:
To temporarily turn off problematic protocols globally:
/etc/postfix/main.cf:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic
protocols for broken sites only:
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
/etc/postfix/tls_policy:
example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
* 20111012 To simplify integration with third-party
applications, the Postfix sendmail command now always transforms
all input lines ending in
into UNIX format (lines ending
in ). Specify \"sendmail_fix_line_endings = strict\" to restore
historical Postfix behavior (i.e. convert all input lines ending
in only if the first line ends in ).
* 20120114 Logfile-based alerting systems may need to be
updated to look for \"error\" messages in addition to \"fatal\" messages.
Specify \"daemon_table_open_error_is_fatal = yes\" to get the historical
behavior (immediate termination with \"fatal\" message).
* enable_long_queue_ids Postfix 2.9 introduces support for non-repeating queue IDs (also
used as queue file names). These names are encoded in a mix of upper
case, lower case and decimal digit characters. Long queue IDs are
disabled by default to avoid breaking tools that parse logfiles and
that expect queue IDs with the smaller [A-F0-9] character set.
* 20111209 memcache lookup and update support. This provides
a way to share postscreen(8) or verify(8) caches between Postfix
instances. See MEMCACHE_README and memcache_table(5) for details
and limitations.
* 20111218 To support external SASL authentication, e.g.,
in an NGINX proxy daemon, the Postfix SMTP server now always checks
the smtpd_sender_login_maps table, even without having
\"smtpd_sasl_auth_enable = yes\" in main.cf.
* ipv6
o The default inet_protocols value is now \"all\" instead of \"ipv4\",
meaning use both IPv4 and IPv6.
o The default smtp_address_preference value is now \"any\" instead
of \"ipv6\", meaning choose randomly between IPv6 and IPv4. With
this the Postfix SMTP client will have more success delivering
mail to sites that have problematic IPv6 configurations.
Sat Dec 15 13:00:00 2012 chrisAATTcomputersalat.de
- update to 2.8.13
* 20121029
Workaround: strip datalink suffix from IPv6 addresses
returned by the system getaddrinfo() routine. Such suffixes
mess up the default mynetworks value, host name/address
verification and possibly more. This change obsoletes the
20101108 change that removes datalink suffixes in the SMTP
and QMQP servers, but we leave that code alone. File:
util/myaddrinfo.c.
* 20121013
Cleanup: to compute the LDAP connection cache lookup key,
join the numeric fields with null, just like string fields.
Viktor Dukhovni. File: global/dict_ldap.c.
* 20121010
Bugfix (introduced: Postfix 2.5): memory leak in program
initialization. Reported by Coverity. File: tls/tls_misc.c.
Bugfix (introduced: Postfix 2.3): memory leak in the unused
oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c.
* 20121003
Bugfix: the postscreen_access_list feature was case-sensitive
in the first character of permit, reject, etc. Reported by
Feancis Picabia. File: global/server_acl.c.
- rebase dynamic_maps_pie patch
- rpmlint
* invalid-suse-version-check 1140
* obsolete-suse-version-check 920 (changes file)
Fri Dec 14 13:00:00 2012 varkolyAATTsuse.com
- bnc#790141 - Command SuSEconfig.postfix reports ERROR -
\"can not find /lib/YaST/SuSEconfig.functions!!\"
Thu Nov 8 13:00:00 2012 varkolyAATTsuse.com
- bnc#782048 - postfix uses /sbin/conf.d
- bnc#784659 - remove SuSEconfig calls from yast2-mail
Fri Aug 10 14:00:00 2012 chrisAATTcomputersalat.de
- update to 2.8.12
* 20120730
Bugfix (introduced: 20000314): AUTH is not allowed after
MAIL. Timo Sirainen. File: smtpd/smtpd_sasl_proto.c.
* 20120702
Bugfix (introduced: 19990127): the BIFF client leaked an
unprivileged UDP socket. Fix by Jaroslav Skarvada. File:
local/biff_notify.c.
* 20120621
Bugfix (introduced: Postfix 2.8): the unused \"pass\" trigger
client could close the wrong file descriptors. File:
util/unix_pass_trigger.c.
- fix for bnc#771303
* add \'version = 3\' to ldap_aliases.cf
- rebase patches
* main, master, post-install: 2.8.3 -> 2.8.12
* ssl-release-buffers: 2.8.5 -> 2.8.12
* vda-v10: 2.8.9 -> 2.8.12
* dynamic_maps, dynamic_maps_pie, ipv6_disabled, pointer_to_literals
- fix changes file
Thu Jul 19 14:00:00 2012 varkolyAATTsuse.com
- bnc#771811 - postfix update does not regenerate the maps
Mon Jun 11 14:00:00 2012 varkolyAATTsuse.com
- update to 2.8.11
* 20120520
- Bugfix (introduced Postfix 2.4): the event_drain() function
was comparing bitmasks incorrectly causing the program to
always wait for the full time limit. This error affected
the unused postkick command, but only after s/fifo/unix/
in master.cf. File: util/events.c.
- Cleanup: laptop users have always been able to avoid
unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
(this is currently not supported on Solaris systems).
However, to make this work reliably, the \"postqueue -f\"
command must wait until its requests have reached the pickup
and qmgr servers before closing the UNIX-domain request
sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in.
Wed May 9 14:00:00 2012 varkolyAATTsuse.com
- bnc#753910 - {name} instead of %{name} in postfix .spec
- bnc#756452 - VUL-1: postfix: VRFY allows enumerating users
Thu May 3 14:00:00 2012 chrisAATTcomputersalat.de
- update to 2.8.10
* 20120401
Bitrot: shut up useless warnings about Cyrus SASL call-back
function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.
* 20120422
Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
known TLS protocol list so that protocols can be turned off
selectively to work around implementation bugs. Based on
a patch by Victor Duchovni. Files: proto/TLS_README.html,
proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
tls/tls_server.c.
- update to 2.8.9
* 20120217
Cleanup: missing #include statement for bugfix code added
20111226. File: local/unknown.c.
* 20120214
Bugfix (introduced: Postfix 2.4): extraneous null assignment
caused core dump when postlog emitted the \"usage\" message.
Reported by Kant (fnord.hammer). File: postlog/postlog.c.
* 20120202
Bugfix (introduced: Postfix 2.3): the \"change header\" milter
request could replace the wrong header. A long header name
could match a shorter one, because a length check was done
on the wrong string. Reported by Vladimir Vassiliev. File:
cleanup/cleanup_milter.c.
- use latest VDA patch (2.8.9)
Thu Apr 12 14:00:00 2012 varkolyAATTsuse.com
- bnc#756450 - postfix: remove version from banner
Mon Apr 9 14:00:00 2012 brunoAATTioda-net.ch
- add port 587 smtp-auth submission to postfix-fw bnc#756289
Mon Apr 2 14:00:00 2012 dmuellerAATTsuse.de
- set exit code explicitely in cond_slp, systemd checks for it
Tue Mar 13 13:00:00 2012 varkolyAATTsuse.com
- Documentation for bnc#751994 - SuSEconfig module postfix does not exist
Wed Mar 7 13:00:00 2012 varkolyAATTsuse.com
- rcpostfix now updates the aliases too
Mon Feb 27 13:00:00 2012 chrisAATTcomputersalat.de
- update to 2.8.8
Bugfixes:
tlsproxy(8) stored TLS sessions with a serverID of
\"tlsproxy\" instead of \"smtpd\", wasting an opportunity for
session reuse. File: tlsproxy/tlsproxy.c.
missing lookup table entry and terminator, causing
proxymap server segfault when postscreen(8) or verify(8)
attempted to access their cache via the proxymap server.
This could never have worked anyway, because the Postfix
2.8 proxymap protocol does not support cache cleanup. File
util/dict.c.
the Postfix client sqlite
quoting routine returned the unquoted result instead of the
quoted text. The opportunities for misuse are limited,
because Postfix sqlite files are usually owned by root, and
Postfix daemons usually run with non-root privileges so
they can\'t corrupt the database. Problem reported by Rob
McGee (rob0). File: global/dict_sqlite.c.
the trace service did not
distinguish between notifications for a non-bounce or a
bounce message. This code pre-dates DSN support and should
have been updated when it was re-purposed to handle DSN
SUCCESS notifications. Problem reported by Sabahattin
Gucukoglu. File: bounce/bounce_trace_service.c.
- use latest VDA patch (2.8.5)
Wed Jan 25 13:00:00 2012 varkolyAATTsuse.com
- bnc#743369 - yast2 mail module does not open the firewall
- Set MD5DIR in SuSEconfig.postfix to avoid warnings
Tue Jan 17 13:00:00 2012 varkolyAATTsuse.com
- bnc738693 - upgrade from 11.4 enables mysql service for systemd
Thu Jan 12 13:00:00 2012 varkolyAATTsuse.com
- Add postmap rebuild script to systemv init script too
Wed Jan 11 13:00:00 2012 varkolyAATTsuse.com
- bnc#738900 - cyrus-imapd not receiving mail from postfix
Tue Dec 13 13:00:00 2011 varkolyAATTsuse.com
- Move the post map rebuild script into the start script
Tue Dec 6 13:00:00 2011 varkolyAATTsuse.com
- Fix the last change in %post
Fri Dec 2 13:00:00 2011 varkolyAATTsuse.com
- bnc#728308 - warning output after update the postfix package
Wed Nov 9 13:00:00 2011 varkolyAATTsuse.com
- update to 2.8.7
Bugfixes:
smtpd(8) did not sanitize newline characters in cleanup(8)
REJECT messages, causing them to be sent out via SMTP as bare newline characters.
smtpd(8) sent multi-line responses from a before-queue content filter as text with
bare instead of .
Workaround: postscreen sent non-compliant SMTP responses (220- followed by 421)
when it could not give a connection to a real smtpd process, causing some
remote SMTP clients to bounce mail.
Thu Nov 3 13:00:00 2011 varkolyAATTsuse.com
- Use the systemd macros in the spec file
Fri Oct 14 14:00:00 2011 mhruseckyAATTsuse.cz
- only fix files that exists in %post
Sun Oct 9 14:00:00 2011 crrodriguezAATTopensuse.org
- Use SSL_MODE_RELEASE_BUFFERS if available, see
SSL_CTX_set_mode man page and
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
for the full details.
Tue Sep 6 14:00:00 2011 chrisAATTcomputersalat.de
- update to 2.8.5
* Bugfix: allow for Milters that send an SMTP server reply
without RFC 3463 enhanced status code. Reported by Vladimir
Vassiliev. File: milter/milter8.c.
Mon Aug 22 14:00:00 2011 varkolyAATTnovell.com
- bnc#684304 - server:mail/postfix: Bugs in SuSEconfig chroot setup script
- Aplly SASL_SOCKET_DIR patch
Thu Aug 18 14:00:00 2011 varkolyAATTnovell.com
- Move SuSEconfig.postfix into /usr/sbin/
(FATE#311272: Do not rewrite postfix.cf via SuSEconfig)
SuSEconfig.postfix will be executed only once after installation
automaticaly. Afterwards only you can start it manually or via
yast2 mail module.
Fri Aug 12 14:00:00 2011 wernerAATTsuse.de
- Just the first strep forward to systemd, please test out
/etc/postfix/system/update_chroot
/etc/postfix/system/wait_qmgr
/etc/postfix/system/cond_slp
and
/lib/systemd/system/postfix.service
and also fill out the missing description.
Tue Aug 9 14:00:00 2011 chrisAATTcomputersalat.de
- rework SuSE patch
* add missing SASL stuff in rc.postfix
Mon Jul 25 14:00:00 2011 chrisAATTcomputersalat.de
- when chrooted and using SASL
o mount -o bind SASL_SOCKET_DIR into postfix CHROOT
Mon Jul 11 14:00:00 2011 chrisAATTcomputersalat.de
- update to 2.8.4
o Linux kernel version 3 support.
for more info see ChangeLog
Wed Jul 6 14:00:00 2011 varkolyAATTnovell.com
- bnc#686436 - postfix bounces messages with improper use of 8-bit data in message body
- Apply patch
Fri Jul 1 14:00:00 2011 chrisAATTcomputersalat.de
- rework master.cf patch
o fix receive_override_options line
- rework SuSE patch
o sysconfig: remove POSTFIX_WITH_POP_BEFORE_SMTP
o SuSEconfig: fix receive_override_options line
Thu Jun 30 14:00:00 2011 chrisAATTcomputersalat.de
- replace vda patch
o 2.8.1 -> 2.8.3
- fix files doc
o remove \'doc auxiliary\'
instead cp to pf_docdir
Sat May 28 14:00:00 2011 varkolyAATTnovell.com
- fix spec for building on all repos
Tue May 24 14:00:00 2011 varkolyAATTnovell.com
- bnc#679187 - suseconfig/postfix: missing dependency
Tue May 17 14:00:00 2011 chrisAATTcomputersalat.de
- fix master.cf
o fix missing
- amavis unix - - n - 4 smtp
- localhost:10025 inet n - n - - smtpd
o add master.cf patch
- rework patches
o main.cf (add two missing sasl vars)
o postfix-SuSE (SuSEconfig, cleanup those vars,...)
Sun May 15 14:00:00 2011 chrisAATTcomputersalat.de
- rework TLS stuff
o reworked main.cf patch
o added postfix-SuSE patch
o added post-install patch
Editing /etc/postfix/master.cf, adding missing entry for tlsmgr service
add only if it really does not exist
- removed Author from description
- updated vda patch
o vda-2.7.1 > vda-v10-2.8.1
- fix build for SLE_10
o no fdupes ;)
Wed May 11 14:00:00 2011 varkolyAATTnovell.com
- remove document paths from postfix-files to avoid error messages
when postfix-doc is not installed
Tue May 10 14:00:00 2011 varkolyAATTnovell.com
- update to 2.8.3 - VUL-0: postfix memory corruption
Sun Apr 10 14:00:00 2011 varkolyAATTnovell.com
- bnc#641271 - postfix-2.7.1: init script cannot properly stop
multi-instance configurations
Wed Mar 30 14:00:00 2011 varkolyAATTnovell.com
- update to 2.8.2
* DNSBL/DNSWL:
o Support for address patterns in DNS blacklist and whitelist lookup results.
o The Postfix SMTP server now supports DNS-based whitelisting with several safety features
* Support for read-only sqlite database access.
* Alias expansion:
o Postfix now reports a temporary delivery error when the result
of virtual alias expansion would exceed the virtual_alias_recursion_limit
or virtual_alias_expansion_limit.
o To avoid repeated delivery to mailing lists with pathological
nested alias configurations, the local(8) delivery agent now keeps
the owner-alias attribute of a parent alias, when delivering mail
to a child alias that does not have its own owner alias.
* The Postfix SMTP client no longer appends the local domain when
looking up a DNS name without \".\".
* The SMTP server now supports contact information that is appended
to \"reject\" responses: smtpd_reject_footer
* Postfix by default no longer adds a \"To: undisclosed-recipients:;\"
header when no recipient specified in the message header.
* tls support:
o The Postfix SMTP server now always re-computes the SASL mechanism
list after successful completion of the STARTTLS command.
o The smtpd_starttls_timeout default value is now stress-dependent.
o Postfix no longer appends the system-supplied default CA certificates
to the lists specified with
*_tls_CAfile or with
*_tls_CApath.
* New feature: Prototype postscreen(8) server that runs a number
of time-consuming checks in parallel for all incoming SMTP connections,
before clients are allowed to talk to a real Postfix SMTP server.
It detects clients that start talking too soon, or clients that appear
on DNS blocklists, or clients that hang up without sending any command.
Thu Feb 10 13:00:00 2011 varkolyAATTnovell.com
- bnc#667299 - Postfix LICENSE not marked as documentation
Mon Jan 17 13:00:00 2011 chrisAATTcomputersalat.de
- add some min LDAP support for virtual LDAP-users
o sysconfig \"WITH_LDAP\"
o add ldap_aliases.cf
o SuSEconfig.postfix
virtual_alias_maps = ... ldap:/etc/postfix/ldap_aliases.cf
Tue Jan 4 13:00:00 2011 chrisAATTcomputersalat.de
- update to 2.7.2
* Bugfix (introduced Postfix 2.2): Postfix no longer appends
the system default CA certificates to the lists specified
with
*_tls_CAfile or with
*_tls_CApath. This prevents
third-party certificates from getting mail relay permission
with the permit_tls_all_clientcerts feature. Unfortunately
this may cause compatibility problems with configurations
that rely on certificate verification for other purposes.
To get the old behavior, specify \"tls_append_default_CA =
yes\". Files: tls/tls_certkey.c, tls/tls_misc.c,
global/mail_params.h. proto/postconf.proto, mantools/postlink.
* Compatibility with Postfix < 2.3: fix 20061207 was incomplete
(undoing the change to bounce instead of defer after
pipe-to-command delivery fails with a signal). Fix by Thomas
Arnett. File: global/pipe_command.c.
* Bugfix: the milter_header_checks parser provided only the
actions that change the message flow (reject, filter,
discard, redirect) but disabled the non-flow actions (warn,
replace, prepend, ignore, dunno, ok). File:
cleanup/cleanup_milter.c.
* Performance: fix for poor smtpd_proxy_filter TCP performance
over loopback (127.0.0.1) connections. Problem reported by
Mark Martinec. Files: smtpd/smtpd_proxy.c.
* Cleanup: don\'t apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
* Bugfix: the \"421\" reply after Milter error was overruled
by Postfix 1.1 code that replied with \"503\" for RFC 2821
compliance. We now make an exception for \"final\" replies,
as permitted by RFC. Solution by Victor Duchovni. File:
smtpd/smtpd.c.
Sat Dec 11 13:00:00 2010 chrisAATTcomputersalat.de
- update vda patch
o remove 2.6.1-vda-ng.patch
o remove 2.6.1-vda-ng-64bit.patch
o add vda-2.7.1.patch
- rework main.cf.patch
o remove 2.2.9-main.cf.patch
o add 2.7.1-main.cf.patch
Tue Dec 7 13:00:00 2010 cooloAATTnovell.com
- prereq init scripts network and syslog
Thu Aug 12 14:00:00 2010 varkolyAATTnovell.com
- Remove obsolate postscripts
- bnc#625657 - SuSEconfig.postfix and smtp_use_tls
- bnc#622873 - postfix doesn\'t start if ipv6 is disabled
Tue Jul 6 14:00:00 2010 chrisAATTcomputersalat.de
- reworked bnc#606251 stuff (not checked in to Factory)
o used my_print_defaults command for parsing of /etc/my.cnf
o using quotation marks: \"$PF_CHROOT\"
o added sysconfig option POSTFIX_MYSQL_CONN=(socket,tcp)
Wed Jun 16 14:00:00 2010 chrisAATTcomputersalat.de
- bnc#606251 - postfix chrooted mysql.sock lost on mysql restart
o Now MYSQL_SOCK_DIR is mounted with \'-o bind\' to postfix CHROOT
Thu Jun 10 14:00:00 2010 varkolyAATTnovell.com
- update to 2.7.1
* Bugfix (introduced Postfix 2.6) in the XFORWARD implementation,
which sends remote SMTP client attributes through SMTP-based content filters.
The Postfix SMTP client did not skip \"unknown\" SMTP client attributes,
causing a syntax error when sending an \"unknown\" client PORT attribute.
* Robustness: skip LDAP queries with non-ASCII search strings, instead of failing with a database lookup error.
* Safety: Postfix processes now log a warning when a matchlist has
a #comment at the end of a line (for example mynetworks or relay_domains).
* Portability: OpenSSL 1.0.0 changes the priority of anonymous cyphers.
* Portability: Berkeley DB 5.x is now supported.
Thu May 20 14:00:00 2010 chrisAATTcomputersalat.de
- fix obviously lost POSTFIX_MYHOSTNAME in SuSEconfig.postfix
Wed Apr 7 14:00:00 2010 varkolyAATTnovell.com
- New file check_mail_queue. This script checks if there are some
mails in the queue and starts postfix if necessary. After delivering
the mails postfix will be stoped.
Thu Apr 1 14:00:00 2010 varkolyAATTnovell.com
- bnc#559145 - Changed Domain name not reflected when sending mail
First /var/run/dhcp-hostname will be evaluated
- Now POSTFIX_SMTP_TLS_CLIENT is ternary : no yes must
Sun Feb 28 13:00:00 2010 varkolyAATTnovell.com
- update to 2.7.0
* performance
- Periodic cache cleanup for the verify(8) cache database.
- Improved before-queue filter performance.
* sender reputation
- The FILTER action in access maps or header/body_checks now supports sender
reputation schemes that dynamically choose the SMTP source IP address.
* address verification
- The verify(8) service now uses a persistent cache by default.
* content filter
- The meaning of an empty filter next-hop destination has changed.
- The FILTER action in access maps or header/body_checks now supports sender
reputation schemes that dynamically choose the SMTP source IP address.
* milter
- Support for header checks on Milter-generated message headers.
Please read /usr/share/doc/packages/postfix/RELEASE_NOTES for details.
Thu Feb 11 13:00:00 2010 cooloAATTnovell.com
- revert the change to PreReq openldap-devel, this increases the
default installation several MBs
Tue Feb 2 13:00:00 2010 varkolyAATTnovell.com
- bnc#567569 - Postfix: move ldap support to a separate package
- bnc#557239 - postfix delivers mail to user\'s home instead of /var/spool/mail
Tue Jan 5 13:00:00 2010 chrisAATTcomputersalat.de
- rpmlint fixes
o init-script-undefined-dependency $network-remotefs
- fix for SuSEconfig.postfix
o if use_amavis eq \"yes\"
then content_filter \"amavis:[127.0.0.1]:10024]\" is defined,
so removed \"-o content_filter=smtp:[127.0.0.1]:10024\" for smtp
- s#ldconfig#/sbin/ldconfig#
Tue Dec 22 13:00:00 2009 freespacerAATTgmx.de
- Add support for dovecot as MDA to SuSEconfig.
Wed Dec 16 13:00:00 2009 jengelhAATTmedozas.de
- Package documentation as noarch
Thu Dec 10 13:00:00 2009 varkolyAATTsuse.de
- Remove postfixs update script. This does not work now.
Tue Dec 8 13:00:00 2009 varkolyAATTsuse.de
- Fix the %post section add missed %{fillup_only -an mail}
Mon Nov 16 13:00:00 2009 varkolyAATTsuse.de
- bnc#555814 – VUL-0: SMTPD_LISTEN_REMOTE=\"yes\" by default
- bnc#555732 - Invalid $(hostname -i) usage SuSEconfig.postfix
- bnc#547928 – Postfix does not start during boot process
- Avoid append relay multiple times in POSTFIX_MAP_LIST
Mon Oct 26 13:00:00 2009 varkolyAATTsuse.de
- bnc#549612 – SuSEconfig.postfix
Mon Sep 28 14:00:00 2009 varkolyAATTsuse.de
- bnc#540538 – postfix-2.6.1-10.1 installs new files in /etc/postfix and does not generate .db
- bnc#519438 - Postfix: Running chrooted lets qmgr loosing his syslog-socket
- remove obsolate version tests from SuSEconfig.postfix
Mon Sep 28 14:00:00 2009 varkolyAATTsuse.de
- bnc#525825 - when using cyrus in a chroot environment Suseconfig does not
create socket /var/lib/imap/socket/lmtp
Mon Sep 14 14:00:00 2009 chrisAATTcomputersalat.de
- spec
o fdupes if >= 1100
Thu Sep 10 14:00:00 2009 chrisAATTcomputersalat.de
- update to 2.6.1
o merge home:varkoly:Factory and o:F
- spec mods
o use of getent
- rpmlint
o remove unneeded dists from examples/chroot-setup/
o postin-without-ldconfig
o files-duplicate /usr/share/doc/packages/postfix-doc/html/
o files-duplicate /usr/share/man/man?
Mon Apr 13 14:00:00 2009 chrisAATTcomputersalat.de
- added VDA patch
o Mailbox / Maildir size limit, known also as \"soft quota\",
to avoid user take all you disk space
o Customizable \"limit\" message when the soft quota limit is reached.
NOTE: message is sent to senders, but NOT to the owner of the mailbox.
o Limit only \'INBOX\', because some people use IMAP and don\'t want
the same limit in IMAP folder that are differents from INBOX.
o Support for \'Courier\' style Maildir, usefull for people that
use courier as pop3/imap server and to get fast soft quota summary.
Note that it is also compatible with qmail maildir per default.
o Supports for Courier \'maildirsize\' file in Maildir folder that
is used to read quotas quickly. Note that this option is not
actived per default and can be dangerous on some NFS client
implementation
(like for example Solaris that cache some filesystem operations).
o Customisable suffix for Maildir support, when share same external
dict between postfix and pop3/imap server sometime \"Maildir/\" suffix
is needed to avoid extra database handling (eg LDAP, MySQL...).
- some improvements of SuSEconfig.postfix
o POSTFIX_LISTEN: Comma separated list of IP\'s
o POSTFIX_INET_PROTO: ipv4, ipv6, all
o POSTFIX_MYHOSTNAME: define SMTPs FQHOSTNAME
o POSTFIX_WITH_MYSQL: when using MySQL as backend
o POSTFIX_BASIC_SPAM_PREVENTION: \"custom\"
you can now define your own rules
- POSTFIX_SMTPD_CLIENT_RESTRICTIONS
- POSTFIX_SMTPD_HELO_RESTRICTIONS
- POSTFIX_SMTPD_SENDER_RESTRICTIONS
- POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS
- added helo_access for helo checks
- added relay for relaying domain
- added MySQL stuff when using MySQL as backend (virtuser)
o you should consider postfixAdmin as mgmnt interface
o when runninng postfix chrooted:
you have to run SUSEconfig each time when you have restarted MySQL
because of linking mysql.sock
Sun Mar 29 14:00:00 2009 varkolyAATTsuse.de
- bnc#439287 - not all POSTFIX_ADD_
* values are properly handled
by SuSEconfig.postfix
- bnc#483208 - Postfix configuration trashed after update
- bnc#488268 - SuSEconfig.postfix chroot setup misses /etc/ssl/certs
Mon Jan 12 13:00:00 2009 varkolyAATTsuse.de
- bnc#465165 - postfix src package
Fri Jan 9 13:00:00 2009 varkolyAATTsuse.de
- bnc#464869 - SuSEconfig.postfix causes DNS lookup
- bnc#460442 - amavisd-new and Postfix need fqdn-hostname in \"uname -n\"
Mon Jan 5 13:00:00 2009 varkolyAATTsuse.de
- update to 2.5.6
- The SMTP server did not ask for a client certificate
with \"smtpd_tls_req_ccert = yes\". Reported by Rob Foehl.
- Avoid reduced TCP performance when reusing an SMTP connection
with a larger than 4096-byte TCP MSS value. In practice, this
could happen only with loopback (localhost) connections.
Sun Nov 16 13:00:00 2008 varkolyAATTsuse.de
- (bnc#442456) - chrooted postfix and saslauthd
Tue Nov 4 13:00:00 2008 roAATTsuse.de
- fix build
Tue Nov 4 13:00:00 2008 varkolyAATTsuse.de
- upgrade must not be executed during installation
Tue Oct 14 14:00:00 2008 varkolyAATTsuse.de
- (bnc#403976) - permissions on /var/lib/postfix changed
- (bnc#433916) - postfix should be splitted into postfix and postfix-doc
Thu Sep 11 14:00:00 2008 varkolyAATTsuse.de
- (bnc#415216) - Postfix RPM Install Displays Multiple Warnings
- clean up spec file
Tue Sep 9 14:00:00 2008 varkolyAATTsuse.de
- Update to Version 2.5 patchlevel 5
* Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
file descriptor leak when it executes non-Postfix commands
in, for example, user-controlled $HOME/.forward files.
* Security: some systems have changed their link() semantics,
and will hardlink a symlink, contrary to POSIX and XPG4.
Sebastian Krahmer, SuSE. File: util/safe_open.c.
The solution introduces the following incompatible change:
when the target of mail delivery is a symlink, the parent
directory of that symlink must now be writable by root only
(in addition to the already existing requirement that the
symlink itself is owned by root). This change will break
legitimate configurations that deliver mail to a symbolic
link in a directory with less restrictive permissions.
* Bugfix: dangling pointer in vstring_sprintf_prepend().
File: util/vstring.c.
Mon Aug 25 14:00:00 2008 mtAATTsuse.de
- init script: copy LSB
*-Start tags to
*-Stop
- spec file: removed obsolete rc.config update hooks
Wed Aug 6 14:00:00 2008 varkolyAATTsuse.de
- (bnc#414959) postfix doesn\'t have any \"Name: \" tag in firewall definition
- (bnc#405900) SuSEconfig.postfix changes owner and permissions of
/tmp if smtpd_tls_CApath is not set
- Update to Version 2.5 patchlevel 3
* Cleanup of code
* defer delivery when a mailbox file is not owned by the recipient.
Requested by Sebastian Krahmer, SuSE.
Specify \"strict_mailbox_ownership=no\" to ignore ownership discrepancies.
* Bugfix: null-terminate CN comment string after sanitization.
* Bugfix (introduced Postfix 2.0): after \"warn_if_reject
reject_unlisted_recipient/sender\", the SMTP server mistakenly
remembered that recipient/sender validation was already done.
Wed Jul 9 14:00:00 2008 varkolyAATTsuse.de
- (fate#305005) Enable SMTPS in postfix ootb
Tue Jun 17 14:00:00 2008 varkolyAATTsuse.de
- (bnc#396985) sending of NUL character disallowed by RFC2822
- (bnc#397127) without relay is silent about undeliverable mails
Tue May 13 14:00:00 2008 varkolyAATTsuse.de
- (bnc#389670) - postfix generates invalid config
Tue Apr 1 14:00:00 2008 mkoenigAATTsuse.de
- remove dir /usr/share/omc/svcinfo.d as it is provided now
by filesystem
Tue Feb 26 13:00:00 2008 varkolyAATTsuse.de
- Update to Version 2.5 patchlevel 1
Changes: The Postfix 2.5 \"postfix upgrade-configuration\" command
now works even with Postfix 2.4 or earlier versions of the
postfix command. When installing Postfix 2.5.0 without upgrading
from an existing master.cf file, the new master.cf file had an
incorrect process limit for the proxywrite service. This service
is used only by the obscure \"smtp_sasl_auth_cache_name\" and
\"lmtp_sasl_auth_cache_name\" configuration parameters. Someone
needed multi-line support for header/body Milter replies. The
LDAP client\'s TLS support was broken in several ways.
Wed Feb 13 13:00:00 2008 varkolyAATTsuse.de
- #360572 - postfix %post script leaves lots of backup files in /etc/postfix/
Wed Jan 30 13:00:00 2008 varkolyAATTsuse.de
- Update to Version 2.5 patchlevel 0
Major changes - critical
- -----------------------
[Incompat 20071224] The protocol to send Milter information from
smtpd(8) to cleanup(8) processes was cleaned up. If you use the
Milter feature, and upgrade a live Postfix system, you may see an
\"unexpected record type\" warning from a cleanup(8) server process.
To prevent this, execute the command \"postfix reload\". The
incompatibility affects only systems that use the Milter feature.
It does not cause loss of mail, just a minor delay until the remote
SMTP client retries.
[Incompat 20071212] The allow_min_user feature now applies to both
sender and recipient addresses in SMTP commands. With earlier Postfix
versions, only recipients were subject to the allow_min_user feature,
and the restriction took effect at mail delivery time, causing mail
to be bounced later instead of being rejected immediately.
[Incompat 20071206] The \"make install\" and \"make upgrade\" procedures
now create a Postfix-owned directory for Postfix-writable data files
such as caches and random numbers. The location is specified with
the \"data_directory\" parameter (default: \"/var/lib/postfix\"), and
the ownership is specified with the \"mail_owner\" parameter.
[Incompat 20071206] The tlsmgr(8) and verify(8) servers no longer
use root privileges when opening the address_verify_map,
* _tls_session_cache_database, and tls_random_exchange_name cache
files. This avoids a potential security loophole where the ownership
of a file (or directory) does not match the trust level of the
content of that file (or directory).
[Incompat 20071206] The tlsmgr(8) and verify(8) cache files should
now be stored as Postfix-owned files under the Postfix-owned
data_directory. As a migration aid, attempts to open these files
under a non-Postfix directory are redirected to the Postfix-owned
data_directory, and a warning is logged.
This is an example of the warning messages:
Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
to update file /etc/postfix/prng_exch in non-postfix directory
/etc/postfix
Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
the request to postfix-owned data_directory /var/lib/postfix
If you wish to continue using a pre-existing tls_random_exchange_name
or address_verify_map file, move it to the Postfix-owned data_directory
and change ownership from root to Postfix (that is, change ownership
to the account specified with the mail_owner configuration parameter).
[Feature 20071205] The \"make install\" and \"make upgrade\" procedures
now create a Postfix-owned directory for Postfix-writable data files
such as caches and random numbers. The location is specified with
the \"data_directory\" parameter (default: \"/var/lib/postfix\"), and
the ownership is specified with the \"mail_owner\" parameter.
[Incompat 20071203] The \"make upgrade\" procedure adds a new service
\"proxywrite\" to the master.cf file, for read/write lookup table
access. If you copy your old configuration file over the updated
one, you may see warnings in the maillog file like this:
connect #xx to subsystem private/proxywrite: No such file or directory
To recover, run \"postfix upgrade-configuration\" again.
[Incompat 20070613] The pipe(8) delivery agent no longer allows
delivery with the same group ID as the main.cf postdrop group.
Major changes - malware defense
- ------------------------------
[Feature 20080107] New \"pass\" service type in master.cf. Written
years ago, this allows future front-end daemons to accept all
connections from the network, and to hand over connections from
well-behaved clients to Postfix. Since this feature uses file
descriptor passing, it imposes no overhead once a connection is
handed over to Postfix. See master(5) for a few details.
[Feature 20070911] Stress-adaptive behavior. When a \"public\" network
service runs into an \"all processes are busy\" condition, the master(8)
daemon logs a warning, restarts the service, and runs it with \"-o
stress=yes\" on the command line (under normal conditions it runs
the service with \"-o stress=\" on the command line). This can be
used to make main.cf parameter settings stress dependent, for
example:
/etc/postfix/main.cf:
smtpd_timeout = ${stress?10}${stress:300}
smtpd_hard_error_limit = ${stress?1}${stress:20}
Translation: under conditions of stress, use an smtpd_timeout value
of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1
instead of 20. The syntax is explained in the postconf(5) manpage.
The STRESS_README file gives examples of how to mitigate flooding
problems.
Major changes - tls support
- --------------------------
[Incompat 20080109] TLS logging output has changed to make it more
useful. Existing logfile parser regular expressions may need
adjustment.
- More log entries include the \"hostnamename[ipaddress]\" of the
remote SMTP peer.
- Certificate trust chain error reports show only the first
error certificate (closest to the trust chain root), and the
reporting is more human-readable for the most likely errors.
- After the completion of the TLS handshake, the session is logged
with TLS loglevel >= 1 as either \"Untrusted\", \"Trusted\" or
\"Verified\" (SMTP client only).
- \"Untrusted\" means that the certificate trust chain is invalid,
or that the root CA is not trusted.
- \"Trusted\" means that the certificate trust chain is valid, and
that the root CA is trusted.
- \"Verified\" means that the certificate meets the SMTP client\'s
matching criteria for the destination:
- In the case of a destination name match, \"Verified\" also
implies \"Trusted\".
- In the case of a fingerprint match, CA trust is not applicable.
- The logging of protocol states with TLS loglevel >= 2 no longer
reports bogus error conditions when OpenSSL asks Postfix to refill
(or flush) network I/O buffers. This loglevel is for debugging
only; use 0 or 1 in production configurations.
[Feature 20080109] The Postfix SMTP client has a new \"fingerprint\"
security level. This avoids dependencies on CAs, and relies entirely
on bi-lateral exchange of public keys (really self-signed or private
CA signed X.509 public key certificates). Scalability is clearly
limited. For details, see the fingerprint discussion in TLS_README.
[Feature 20080109] The Postfix SMTP server can now use SHA1 instead
of MD5 to compute remote SMTP client certificate fingerprints. For
backwards compatibility, the default algorithm is MD5. For details,
see the \"smtpd_tls_fingerprint_digest\" parameter in the postconf(5)
manual.
[Feature 20080109] The maximum certificate trust chain depth
(verifydepth) is finally implemented in the Postfix TLS library.
Previously, the parameter had no effect. The default depth was
changed to 9 (the OpenSSL default) for backwards compatibility.
If you have explicity limited the verification depth in main.cf,
check that the configured limit meets your needs. See the
\"lmtp_tls_scert_verifydepth\", \"smtp_tls_scert_verifydepth\" and
\"smtpd_tls_ccert_verifydepth\" parameters in the postconf(5) manual.
[Feature 20080109] The selection of SSL/TLS protocols for mandatory
TLS can now use exclusion rather than inclusion. Either form is
acceptable; see the \"lmtp_tls_mandatory_protocols\",
\"smtp_tls_mandatory_protocols\" and \"smtpd_tls_mandatory_protocols\"
parameters in the postconf(5) manual.
Major changes - scheduler
- ------------------------
[Feature 20071130] Revised queue manager with separate mechanisms
for per-destination concurrency control and for dead destination
detection. The concurrency control supports less-than-1 feedback
to allow for more gradual concurrency adjustments, and uses hysteresis
to avoid rapid oscillations. A destination is declared \"dead\" after
a configurable number of pseudo-cohorts(
*) reports connection or
handshake failure.
(
*) A pseudo-cohort is a number of delivery requests equal to a
destination\'s delivery concurrency.
The drawbacks of the old +/-1 feedback scheduler are a) overshoot
due to exponential delivery concurrency growth with each pseudo-cohort(
*)
(5-10-20...); b) throttling down to zero concurrency after a single
pseudo-cohort(
*) failure. The latter was especially an issue with
low-concurrency channels where a single failure could be sufficient
to mark a destination as \"dead\", and suspend further deliveries.
New configuration parameters: destination_concurrency_feedback_debug,
default_destination_concurrency_positive_feedback,
default_destination_concurrency_negative_feedback,
default_destination_concurrency_failed_cohort_limit, as well as
transport-specific versions of the same.
The default parameter settings are backwards compatible with older
Postfix versions. This may change after better defaults are field
tested.
The updated SCHEDULER_README document describes the theory behind
the new concurrency scheduler, as well as Patrik Rak\'s preemptive
job scheduler. See postconf(5) for more extensive descriptions of
the configuration parameters.
Major changes - small/home office
- --------------------------------
[Feature 20080115] Preliminary SOHO_README document that combines
bits and pieces from other document in one place, so that it is
easier to find. This document describes the \"mail sending\" side
only.
[Feature 20071202] Output rate control in the queue manager. For
example, specify \"smtp_destination_rate_delay = 5m\", to pause five
minutes between message deliveries. More information in the postconf(5)
manual under \"default_destination_rate_delay\".
Major changes - smtp client
- --------------------------
[Incompat 20080114] The Postfix SMTP client now by default defers
mail after a remote SMTP server rejects a SASL authentication
attempt. Specify \"smtp_sasl_auth_soft_bounce = no\" for the old
behavior.
[Feature 20080114] The Postfix SMTP client can now avoid making
repeated SASL login failures with the same server, username and
password. To enable this safety feature, specify for example
\"smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache\"
(access through the proxy service is required). Instead of trying
to SASL authenticate, the Postfix SMTP client defers or bounces
mail as controlled with the new smtp_sasl_auth_soft_bounce configuration
parameter.
[Feature 20071111] Header/body checks are now available in the SMTP
client, after the implementation was moved from the cleanup server
to a library module. The SMTP client provides only actions that
don\'t change the message delivery time or destination: warn, replace,
prepend, ignore, dunno, ok.
[Incompat 20070614] By default, the Postfix Cyrus SASL client no
longer sends a SASL authoriZation ID (authzid); it sends only the
SASL authentiCation ID (authcid) plus the authcid\'s password. Specify
\"send_cyrus_sasl_authzid = yes\" to get the old behavior.
Major changes - smtp server
- --------------------------
[Feature 20070724] Not really major. New support for RFC 3848
(Received: headers with ESMTPS, ESMTPA, or ESMTPSA); updated SASL
support according to RFC 4954, resulting in small changes to SMTP
reply codes and (DSN) enhanced status codes.
Major changes - milter
- ---------------------
[Incompat 20071224] The protocol to send Milter information from
smtpd(8) to cleanup(8) processes was cleaned up. If you use the
Milter feature, and upgrade a live Postfix system, you may see an
\"unexpected record type\" warning from a cleanup(8) server process.
To prevent this, execute the command \"postfix reload\". The
incompatibility affects only systems that use the Milter feature.
It does not cause loss of mail, just a minor delay until the remote
SMTP client retries.
[Feature 20071221] Support for most of the Sendmail 8.14 Milter
protocol features.
To enable the new features specify \"milter_protocol = 6\" and link
the filter application with a libmilter library from Sendmail 8.14
or later.
Sendmail 8.14 Milter features supported at this time:
- NR_CONN, NR_HELO, NR_MAIL, NR_RCPT, NR_DATA, NR_UNKN, NR_HDR,
NR_EOH, NR_BODY: The filter can tell Postfix that it won\'t reply
to some of the SMTP events that Postfix sends. This makes the
protocol less chatty and improves performance.
- SKIP: The filter can tell Postfix to skip sending the rest of
the message body, which also improves performance.
- HDR_LEADSPC: The filter can request that Postfix does not delete
the first space character between header name and header value
when sending a header to the filter, and that Postfix does not
insert a space character between header name and header value
when receiving a header from the filter. This fixes a limitation
in the old Milter protocol that can break DKIM and DK signatures.
- SETSYMLIST: The filter can override one or more of the main.cf
milter_xxx_macros parameter settings.
Sendmail 8.14 Milter features not supported at this time:
- RCPT_REJ: report rejected recipients to the mail filter.
- CHGFROM: replace sender, with optional ESMTP command parameters.
- ADDRCPT_PAR: add recipient, with optional ESMTP command parameters.
It is unclear when (if ever) the missing features will be implemented.
SMFIP_RCPT_REJ requires invasive changes in the SMTP server recipient
processing and error handling. SMFIR_CHGFROM and SMFIR_ADDRCPT_PAR
require ESMTP command-line parsing in the cleanup server. Unfortunately,
Sendmail\'s documentation does not specify what ESMTP options are
supported, but only discusses examples of things that don\'t work.
Major changes - address verification
- -----------------------------------
[Incompat 20070514] The default sender address for address verification
probes was changed from \"postmaster\" to \"double-bounce\", so that
the Postfix SMTP server no longer causes surprising behavior by
excluding \"postmaster\" from SMTP server access controls.
Major changes - ldap
- -------------------
[Incompat 20071216] Due to an incompatible API change between
OpenLDAP 2.0.11 and 2.0.12, an LDAP client compiled for OpenLDAP
version <= 2.0.11 will refuse to work with an OpenLDAP library
version >= 2.0.12 and vice versa.
Major changes - logging
- ----------------------
[Incompat 20080109] TLS logging output has changed to make it more
useful. Existing logfile parser regular expressions may need
adjustment.
- More log entries include the \"hostnamename[ipaddress]\" of the
remote SMTP peer.
- Certificate trust chain error reports show only the first
error certificate (closest to the trust chain root), and the
reporting is more human-readable for the most likely errors.
- After the completion of the TLS handshake, the session is logged
with TLS loglevel >= 1 as either \"Untrusted\", \"Trusted\" or
\"Verified\" (SMTP client only).
- \"Untrusted\" means that the certificate trust chain is invalid,
or that the root CA is not trusted.
- \"Trusted\" means that the certificate trust chain is valid, and
that the root CA is trusted.
- \"Verified\" means that the certificate meets the SMTP client\'s
matching criteria for the destination:
- In the case of a destination name match, \"Verified\" also
implies \"Trusted\".
- In the case of a fingerprint match, CA trust is not applicable.
- The logging of protocol states with TLS loglevel >= 2 no longer
reports bogus error conditions when OpenSSL asks Postfix to refill
(or flush) network I/O buffers. This loglevel is for debugging
only; use 0 or 1 in production configurations.
[Incompat 20071216] The SMTP \"transcript of session\" email now
includes the remote SMTP server TCP port number.
Major changes - loop detection
- -----------------------------
[Incompat 20070422] [Incompat 20070422] When the pipe(8) delivery
agent is configured to create the optional Delivered-To: header,
it now first checks if that same header is already present in the
message. If so, the message is returned as undeliverable. This test
should have been included with Postfix 2.0 when Delivered-To: support
was added to the pipe(8) delivery agent.
Tue Jan 8 13:00:00 2008 varkolyAATTsuse.de
- Remove previous fix
Sun Dec 30 13:00:00 2007 varkolyAATTsuse.de
- #301335 - [SuSEconfig]: Postfix module uses stderr
Tue Dec 4 13:00:00 2007 varkolyAATTsuse.de
- Update to Version 2.4 patchlevel 6
Bugfix (introduced Postfix 2.2.11): TLS client certificate
with unparsable canonical name caused the SMTP server\'s
policy client to allocate zero-length memory, triggering
an assertion that it shouldn\'t do such things. File:
smtpd/smtpd_check.c.
Bugfix (introduced Postfix 2.4) missing initialization of
event mask in the event_mask_drain() routine (used by the
obsolete postkick(1) command). Found by Coverity. File:
util/events.c.
Workaround: the flush daemon forces an access time update
for the per-destination logfile, to prevent an excessive
rate of delivery attempts when the queue file system is
mounted with \"noatime\". File: flush/flush.c.
- #330276 – /sbin/conf.d/SuSEconfig.postfix could copy certs into smtpd_tls_CApath
Mon Oct 22 14:00:00 2007 sbrabecAATTsuse.cz
- Use correct SuSEfirewall2 rule directory.
Wed Oct 17 14:00:00 2007 varkolyAATTsuse.de
- #333629 - saslauthd typo in SuSEconfig.postfix
Mon Oct 8 14:00:00 2007 varkolyAATTsuse.de
- #331044 - Postfix uses receive_override_options in main.cf
Sun Sep 9 14:00:00 2007 varkolyAATTsuse.de
- fix the last fix
Mon Sep 3 14:00:00 2007 cthielAATTsuse.de
- fix the last fix
Mon Sep 3 14:00:00 2007 varkolyAATTsuse.de
- Fixing bug: #297622 - SMTPD_LISTEN_REMOTE has no effect
Sun Aug 5 14:00:00 2007 mrueckertAATTsuse.de
- Update to Version 2.4 patchlevel 5
Bugfix: the loopback TCP performance workaround was ineffective
due to a wetware bit-flip during code cleanup. File:
util/vstream_tweak.c.
(patch level 4)
Bugfix: the Milter client assumed that a Milter application
does not modify the message header or envelope, after that
same Milter application has modified the message body of
that same email message. This is not a problem with updates
by different Milter applications. Problem was triggered
by Jose-Marcio Martins da Cruz. Also simplified the handling
of queue file update errors. File: milter/milter8.c.
Workaround: some non-Cyrus SASL SMTP servers require SASL
login without authzid (authoriZation ID), i.e. the client
must send only the authcid (authentiCation ID) + the authcid\'s
password. In this case the server is supposed to derive
the authzid from the authcid. This works as expected when
authenticating to a Cyrus SASL SMTP server. To get the old
behavior specify \"send_cyrus_sasl_authzid = yes\", in which
case Postfix sends the (authzid, authcid, password), with
the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.
Portability: /dev/poll support for Solaris chroot jail setup
scripts. Files: examples/chroot-setup/Solaris8,
examples/chroot-setup/Solaris10.
Cleanup: Milter client error handling, so that the (Postfix
SMTP server\'s Milter client) does not get out of sync with
Milter applications after the (cleanup server\'s Milter
client) encounters some non-recoverable problem. Files:
milter/milter8.c, smtpd/smtpd.c.
Performance: workaround for poor TCP performance on loopback
(127.0.0.1) connections. Problem reported by Mark Martinec.
Files: util/vstream_tweak.c, milter/milter8.c, smtp/smtp_connect.c,
smtpstone/
*source.c.
Bugfix: when a milter replied with ACCEPT at or before the
first RCPT command, the cleanup server would apply the
non_smtpd_milters setting as if the message was a local
submission. Problem reported by Jukka Salmi. Also, the
cleanup server would get out of sync with the milter when
a milter replied with ACCEPT at the DATA command. Files:
cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.
- rediffed patches
Tue Jul 31 14:00:00 2007 varkolyAATTsuse.de
- Update to Version 2.4 patchlevel 3
(patch level 1)
Bugfix (introduced Postfix 2.3): segfault with HOLD action
in access/header_checks/body_checks on 64-bit platforms.
File: cleanup/cleanup_api.c.
Portability (introduced 20070325): the fix for hardlinks
and symlinks in postfix-install forgot to work around shells
where \"IFS=/ command\" makes the IFS setting permanent. This
is allowed by some broken standard, and affects Solaris.
File: postfix-install.
Portability (introduced 20070212): the workaround for
non-existent library bugs with descriptors >= FD_SETSIZE
broke with \"fcntl F_DUPFD: Invalid argument\" on 64-bit
Solaris. Files: master/multi_server.c,
*qmgr/qmgr_transport.c.
Cleanup: on (Linux) platforms that cripple signal handlers
with deadlock, \"postfix stop\" now forcefully stops all the
processes in the master\'s process group, not just the master
process alone. File: conf/postfix-script.
(patch level 2)
Bugfix: don\'t falsely report \"lost connection from
localhost[127.0.0.1]\" when Postfix is being portscanned.
Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
Robustness: recommend a \"0\" process limit for policy servers
to avoid \"connection refused\" problems when the smtpd process
limit exceeds the default process limit. File:
proto/SMTPD_POLICY_README.html.
Safety: when IPv6 (or IPv4) is turned off, don\'t treat an
IPv6 (or IPv4) connection from e.g. inetd as if it comes
from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
Bugfix: Content-Transfer-Encoding: attribute values are
case insensitive. File: src/cleanup/cleanup_message.c.
Bugfix: mailbox_transport(_maps) and fallback_transport(_maps)
were broken when used with the error(8) or discard(8)
transports. Cause: insufficient documentation. Files:
error/error.c, discard/discard.c.
Bugfix (problem introduced Postfix 2.3): when DSN support
was introduced it broke \"agressive\" recipient duplicate
elimination with \"enable_original_recipient = no\". File:
cleanup/cleanup_out_recipient.c.
Bugfix (introduced Postfix 2.3): the sendmail/postdrop
commands would hang when trying to submit a message larger
than the per-message size limit. File: postdrop/postdrop.c.
Sabotage the saboteur who insists on breaking Postfix by
adding gethostbyname() calls that cause maildir delivery
to fail when the machine name is not found in /etc/hosts,
or that cause Postfix processes to hang when the network
is down.
(patch level 3)
Portability: Victor helpfully pointed out that change
20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
Thu Jun 21 14:00:00 2007 varkolyAATTsuse.de
- Bug 285553 amavisd inconsistency
Tue Jun 19 14:00:00 2007 dmuellerAATTsuse.de
- provide smtp meta-service as well
Mon Jun 11 14:00:00 2007 lruppAATTsuse.de
- don\'t PreRequire /sbin/ip: removed call in SuSEconfig.postfix
Thu May 3 14:00:00 2007 varkolyAATTsuse.de
- dynamic_maps.patch: readded the chunk for dict_tcp and dict_pcre
- replaced prereq for postfix with a prereq on
%{name} = %{version}
- updated to postfix 2.4, patchlevel 0
Major changes - safety
* As a safety measure, Postfix now by default creates mailbox dotlock
files on all systems. This prevents problems with GNU POP3D which
subverts kernel locking by creating a new mailbox file and deleting
the old one
Major changes - Milter support
* The support for Milter header modification
requests was revised. With minimal change in the on-disk representation,
the code was greatly simplified, and regression tests were updated
to ensure that old errors were not re-introduced. The queue file
format is entirely backwards compatible with Postfix 2.3.
* Support for Milter requests to replace the message
body. Postfix now implements all the header/body modification
requests that are available with Sendmail 8.13.
* A new field is added to the queue file \"size\"
record that specifies the message content length. Postfix 2.3 and
older Postfix 2.4 snapshots will ignore this field, and will report
the message size as it was before the body was replaced.
Major changes - TLS support
* The check_smtpd_policy client sends TLS certificate
attributes (client ccert_subject, ccert_issuer) only after successful
client certificate verification. The reason is that the certification
verification status itself is not available in the policy request.
* The check_smtpd_policy client sends TLS certificate
fingerprint information even when the certificate itself was not
verified.
* The remote SMTP client TLS certificate fingerprint
can be used for access control even when the certificate itself was
not verified.
* The format of SMTP server TLS session cache
lookup keys has changed. The lookup key now includes the master.cf
service name.
Major changes - performance
* Better support for systems that run thousands
of Postfix processes. Postfix now supports FreeBSD kqueue(2),
Solaris poll(7d) and Linux epoll(4) as more scalable alternatives
to the traditional select(2) system call, and uses poll(2) when
examining a single file descriptor for readability or writability.
These features are supported on sufficiently recent versions of
FreeBSD, NetBSD, OpenBSD, Solaris and Linux; support for other
systems will be added as evidence becomes available that usable
implementations exist.
Major changes - delivery status notifications
* Small changes were made to the default bounce
message templates, to prevent HTML-aware software from hiding or
removing the text \"\", and producing misleading text.
* Postfix no longer announces its name in delivery
status notifications. Users believe that Wietse provides a free
help desk service that solves all their email problems.
Major changes - ETRN support
* More precise queue flushing with the ETRN,
\"postqueue -s site\", and \"sendmail -qRsite\" commands, after
minimization of race conditions. New per-queue-file flushing with
\"postqueue -i queueid\" and \"sendmail -qIqueueid\".
Major changes - small office/home office support
* Postfix no longer requires a domain name. It
uses \"localdomain\" as the default Internet domain name when no
domain is specified via main.cf or via the machine\'s hostname.
Major changes - SMTP access control
* The check_smtpd_policy client sends TLS certificate
attributes (client ccert_subject, ccert_issuer) only after successful
client certificate verification. The reason is that the certification
verification status itself is not available in the policy request.
* The check_smtpd_policy client sends TLS certificate
fingerprint information even when the certificate itself was not
verified.
* The remote SMTP client TLS certificate fingerprint can be used for
access control even when the certificate itself was not verified.
* The Postfix installation procedure no longer
updates main.cf with \"unknown_local_recipient_reject_code = 450\".
Four years after the introduction of mandatory recipient validation,
this transitional tool is no longer neeed.
Thu Mar 29 14:00:00 2007 rguentherAATTsuse.de
- Add pwdutils BuildRequires to allow postinst script to succeed.
- Add /usr/share/omc directory.
Mon Feb 26 13:00:00 2007 varkolyAATTsuse.de
- #247351 - postfix - Ports for SuSEfirewall added via packages
- Move postfix.xml into the postfix-SuSE tarball
- #228479 - Postfix is configured for inet_protocols=all if
selecting ipv4 only support during installation.
Now we set both inet_protocols and inet_interfaces to all.
This means the available interfaces and protocols will be used.
To avoid bogus warnings inet_proto.c was patched.
- #251598 - postfix use pointers for literals
Mon Jan 15 13:00:00 2007 varkolyAATTsuse.de
- #144104 - postfix does not start
- Implementing Fate #301840: Postfix XML Service Description Document
- Enhancing /etc/sysconfig/postfix descripton to avoid problems
like Bug 228678 - Problems with setting up chroot environment if
/var/spool is not on same filesystem as /var
Wed Nov 22 13:00:00 2006 mrueckertAATTsuse.de
- moved the dict handling into a preun script instead of postun
and do not remove the dict entry on upgrade (#223176)
- removed duplicates in the filelists.
Fri Nov 10 13:00:00 2006 varkolyAATTsuse.de
- #218229 - Postfix SuSEconfig script increases the max_proc line each run in master.cf
Sat Oct 28 14:00:00 2006 varkolyAATTsuse.de
- #206414 - /usr/lib/sasl2/smtpd.conf misplaced
Tue Oct 24 14:00:00 2006 varkolyAATTsuse.de
- #202119 – SuSEconfig script for Postfix incomplete
- #202162 – Postfix 2.3.2 slightly incorrect, Cyrus SASL unavailable
- #203174 – /sbin/conf.d/SuSEconfig.postfix should configure a TLS session cache for postfix 2.2
- #203575 – postfix-2.2.9-10 chokes without scache
- #213589 - No development package/headers for postfix
Tue Aug 15 14:00:00 2006 roAATTsuse.de
- also add libpostfix-milter.so
*
Mon Aug 14 14:00:00 2006 varkolyAATTsuse.de
- updated to postfix 2.3, patchlevel 2
- Major changes
- Name server replies that contain a malformed hostname are now flagged
as permanent errors instead of transient errors.
- DSN support as described in RFC 3461 .. RFC 3464.
- The SMTP client now implements the LMTP protocol.
- Milter (mail filter) application support, compatible with Sendmail
version 8.13.6 and earlier.
- Major changes - SASL authentication
- Plug-in support for SASL authentication in the SMTP server and in the
SMTP/LMTP client.
- The Postfix-with-Cyrus-SASL build procedure has changed.
- Support for sender-dependent ISP accounts.
- Major changes - SMTP client
- The SMTP client now implements the LMTP protocol.
- This version addresses a performance stability problem with remote
SMTP servers.
- Major changes - SMTP server
- The Postfix SMTP server now refuses to receive mail from the network
if it isn\'t running with postfix mail_owner privileges.
- Optional suppression of remote SMTP client hostname lookup and hostname
verification.
- SMTPD Access control based on the existence of an address->name mapping
- Major changes - TLS
- New concept: TLS security levels (\"none\", \"may\", \"encrypt\", \"verify\"
or \"secure\") in the Postfix SMTP client.
- Both the Postfix SMTP client and server can be configured without a
client or server certificate.
- See
/usr/share/doc/packages/postfix/RELEASE_NOTES
/usr/share/doc/packages/postfix/TLS_CHANGES
/usr/share/doc/packages/postfix/README_FILES/SASL_README
for detailed informations.
Wed Aug 2 14:00:00 2006 varkolyAATTsuse.de
- Only %{conf_backup_dir} is contained by the package not /var/adm/backup
Mon Jul 10 14:00:00 2006 varkolyAATTsuse.de
- Bugfix: #190639 Default number of processes for postfix
- Bugfix: #190270 postfix-postgresql
