The stable Postfix release is called postfix-2.7.x where 2=major release number, 7=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. New features are developed in snapshot releases. These are called postfix-2.8-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7 before proceeding. Postscreen notes: ================= To turn on postscreen, see "Configuring the postscreen(8) service" in the POSTSCREEN_README file. This allows you to run postscreen without blocking mail first. The code is rock solid, but the user interface has dozens of parameters, so it literally is like using a machine that has wires hanging out on all sides. This makes it possible to do research. The idea is to reduce the number of parameters once things settle down. NOTE: Some postscreen parameters implement stress-dependent behavior. This is supported only when the default value is stress-dependent (that is, the default looks like ${stress?XX}${stress:YY}, or it is the $name of an smtpd_xxx parameter with a stress-dependent default). Other postscreen parameters always evaluate as if the stress value is equal to the empty string. Incompatibility with snapshot 20110111 ====================================== For performance reasons the postscreen_access_list feature replaces the postscreen_whitelist_networks and postscreen_blacklist_networks features. CIDR-style access maps are some 100x faster than the code that implemented the postscreen_white/blacklist_networks support. It can match about 100 million CIDR patterns/second on a modern CPU, which is not blindingly fast but adequate for the near future. Major changes with snapshot 20110105 ==================================== The SMTP server now supports contact information that is appended to "reject" responses. This includes SMTP server responses that aren't logged to the maillog file, such as responses to syntax errors, or unsupported commands. Example: smtpd_reject_footer = For assistance, call 800-555-0101. Server response: 550-5.5.1 Recipient address rejected: User unknown 550 5.5.1 For assistance, call 800-555-0101. This feature supports macro expansion ($client_address, $localtime, etc.), as documented in the postconf(5) manpage. This feature is also supported as postscreen_reject_footer using the same setting as smtpd_reject_footer by default. Incompatibility with snapshot 20110102 ====================================== The smtpd_starttls_timeout default value is now stress-dependent. By default, TLS negotiations must now complete under overload in 10s instead of 300s. The Postfix SMTP server now always re-computes the SASL mechanism list after successful completion of the STARTTLS command. Earlier versions only re-computed the mechanism list when the values of smtp_sasl_tls_security_options and smtp_sasl_security_options differ. This could produce incorrect results, because the Dovecot authentication server may change responses when the SMTP session is encrypted. Major changes with snapshot 20110102 ==================================== STARTTLS support for the postscreen(8) daemon. This is implemented by a new tlsproxy(8) daemon that you will need to enable in master.cf (see POSTSCREEN_README for instructions). tlsproxy(8) implements its own tlsproxy_mumble versions of TLS-related smtpd_mumble parameters. This leaves no confusion about which parameters will affect tlsproxy(8) behavior, but it adds another 25 parameters to the documentation. Major changes with snapshot 20101223 ==================================== The new tls_disable_workarounds parameter specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This may be necessary if one of the work-arounds enabled by default in OpenSSL proves to pose a security risk, or introduces an unexpected interoperability issue. Some bug work-arounds known to be problematic are disabled in the default value of the parameter when linked with an OpenSSL library that could be vulnerable. See postconf(5) and TLS_README for details. With "tls_preempt_cipherlist = yes" the Postfix SMTP server will choose its most preferred cipher that is supported (offered) by the client. This can lead to a more secure or performant cipher choice, but may also introduce interoperability problems when a client announces support for a cipher that does not work. See postconf(5) and TLS_README for details. Major changes with snapshot 20101217 ==================================== The lower-level code in the TLS engine was simplified by removing an unnecessary layer of data copying. OpenSSL now writes directly to the network. The difference in performance should be hardly noticeable. Incompatibility with snapshot 20101206 ====================================== Postfix by default no longer adds a "To: undisclosed-recipients:;" header when no recipient specified in the message header. The Internet mail RFCs have supported messages without recipient header for almost 10 years now. For backwards compatibility, specify: /etc/postfix/main.cf undisclosed_recipients_header = To: undisclosed-recipients:; Note: both the ":" and ";" are required. Incompatibility with snapshot 20101202 ====================================== Postfix now reports a temporary delivery error when the result of virtual alias expansion would exceed the virtual_alias_recursion_limit or virtual_alias_expansion_limit. Previously, Postfix would silently drop the excess recipients and deliver the message. Incompatibility with snapshot 20101130 ====================================== The postscreen(8) daemon now logs the client as [address]:port. The port helps to distinguish between simultaneous sessions from the same address, and the [] allow the same tool to be used with old and new format logfiles, without producing errors for IPv6. Major changes with snapshot 20101126 ==================================== Support for address patterns in DNSBL and DNSWL lookup results. For example, "reject_rbl_client example.com=127.0.0.[2,4,6..8]" will reject clients when the lookup result is 127.0.0.2, 127.0.0.4, 127.0.0.6, 127.0.0.7, or 127.0.0.8. The setting "postscreen_dnsbl_sites = example.com=127.0.0.[2,4,6..8]" rejects the same clients. An IPv4 address pattern has four fields separated by ".". Each field is either a decimal number, or a sequence inside "[]" that contains one or more comma-separated decimal numbers or number..number ranges. Thus, any pattern field can be a sequence inside "[]", but a "[]" sequence cannot span multiple address fields, and a pattern field cannot contain both a number and a "[]" sequence at the same time. This means that the pattern 1.2.[3.4] is not valid (the sequence [3.4] cannot span two address fields) and the pattern 1.2.3.3[6..9] is also not valid (the last field cannot be both number 3 and sequence [6..9] at the same time). The syntax for IPv4 patterns is as follows: v4pattern = v4field "." v4field "." v4field "." v4field v4field = v4octet | "[" v4sequence "]" v4octet = any decimal number in the range 0 through 255 v4sequence = v4seq_member | v4sequence "," v4seq_member v4seq_member = v4octet | v4octet ".." v4octet Major changes with snapshot 20101105 ==================================== The Postfix SMTP server now supports DNS-based whitelisting with several safety features: permit_dnswl_client whitelists a client by IP address, and permit_rhswl_client whitelists a client by its hostname. These features use the same syntax as reject_rbl_client and reject_rhsbl_client, respectively. The main difference is that they return PERMIT instead of REJECT. Whitelisting is primarily a tool to reduce the false positive rate of DNS blocklist lookups. Client name whitelisting should not be used to make exceptions to access rules. The reason is that client name lookup can fail unpredictably due to some temporary outage. For safety reasons, permit_dnswl_client and permit_rhswl_client are silently ignored when they would override reject_unauth_destination. Also for safety reasons, the result is DEFER_IF_REJECT when DNS whitelist lookup fails (this result will be made configurable). Incompatibility with snapshot 20101103 ====================================== Postfix now requests default delivery status notifications when adding a recipient with the Milter smfi_addrcpt action, instead of "never notify" as with Postfix automatically-added recipients (always_bcc and sender/recipient_bcc_maps). Incompatibility with snapshot 20101006 ====================================== To avoid repeated delivery to mailing lists with pathological nested alias configurations, the local(8) delivery agent now keeps the owner-alias attribute of a parent alias, when delivering mail to a child alias that does not have its own owner alias. With this change, local addresses from that child alias will be written to a new queue file, and a temporary error with one local address will no longer result in repeated delivery to other mailing list members. Specify "reset_owner_alias = yes" for the older, more fragile, behavior. The postconf(5) manpage entry for "reset_owner_alias" has more background information on this issue. Incompatibility with snapshot 20100912 ====================================== - If your DNSBL queries have a "secret" in the domain name, you must now censor this information from the postscreen(8) SMTP replies. For example: /etc/postfix/main.cf: postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply /etc/postfix/dnsbl_reply: # Secret DNSBL name Name in postscreen(8) replies secret.zen.spamhaus.org zen.spamhaus.org The texthash: format is similar to hash: except that there is no need to run postmap(1) before the file can be used, and that it does not detect changes after the file is read. It is new with Postfix version 2.8. - The postscreen "continue" action is now called "ignore". The old name is still supported but no longer documented. - The postscreen_hangup_action parameter was removed. Postscreen now always behaves as if "postscreen_hangup_action = drop". - The postscreen_cache_retention_time default was increased from 1d to 7d, to avoid deleting results from expensive deep SMTP protocol tests too quickly. Major changes with snapshot 20100912 ==================================== The main change is a new SMTP protocol engine for deep protocol tests, and for logging the helo/sender/recipient information when postscreen rejects an attempt to deliver mail. CAUTION: when postscreen rejects mail, it replies with the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide "password" information in DNSBL domain names. See the poststconf(5) manpage for a specific example. Deep protocol tests are implemented by a new SMTP protocol engine that defers or rejects all attempts to deliver mail. The first, test detects unauthorized SMTP command pipelining (an SMTP client sends multiple commands, instead of sending one command and waiting for the server response); a second deep protocol test implements the Postfix SMTP server's smtpd_forbidden_commands feature (a client sends commands such as CONNECT, GET, POST); and a third deep protocol test detects spambots that send SMTP commands that end in newline instead of carriage-return/newline. Real spambots rarely make this mistake, but poorly-written software often does. Deep protocol tests are disabled by default, because the built-in SMTP engine cannot not hand off the "live" connection from a good SMTP client to a Postfix SMTP server process. Instead, postscreen(8) defers attempts to deliver mail with a 4XX status, and waits for the client to disconnect. The next time a good client connects, it will be allowed to talk to a Postfix SMTP server process to deliver mail. Incompatibility with snapshot 20100830 ====================================== Use "postfix reload" after installing this code, otherwise the dnsblog(8) daemon may complain. The postscreen-to-dnsblog protocol had to be changed to support DNSBL query result filters. Major changes with snapshot 20100830 ==================================== Postscreen DNSBL support is extended with optional fixed-string filters, with optional integral weight factors, and with an adjustable threshold to block SMTP clients with DNSBL score >= that threshold. Support for wild-card patterns will be added later. The updated postscreen configuration syntax is: postscreen_dnsbl_sites = domain[=ipaddr][*weight] ... postscreen_dnsbl_threshold = score Elements inside [] are optional, ipaddr is an IPv4 address, and weight and score are integral numbers. The [] are not part of the postscreen_dnsbl_sites input. By default, weight and score are equal to 1, and entries without filter will match any non-error DNSBL reply. Use a negative weight value for whitelisting. Examples: To use example.com as a high-confidence blocklist, and to block mail with example.net and example.org only when both agree, use: postscreen_dnsbl_threshold = 2 postscreen_dnsbl_sites = example.com*2, example.net, example.org To filter only DNSBL replies containing 127.0.0.4, use: postscreen_dnsbl_sites = example.com=127.0.0.4 See also postconf(5) for the fine details. Incompatibility with snapshot 20100827 ====================================== The Postfix SMTP client no longer appends the local domain when looking up a DNS name without ".". Specify "smtp_dns_resolver_options = res_defnames" to get the old behavior, which may produce unexpected results. Incompatibility with snapshot 20100728 ====================================== The format of the "postfix/smtpd[pid]: queueid: client=host[addr]" logfile record has changed. When available, the before-filter client information and the before-filter queue ID are now appended to the end of the record. Major changes with snapshot 20100728 ==================================== Improved message tracking across SMTP-based content filters. The logging example below is from an after-filter SMTP server. Here, 951F692462F is a before-filter queue ID, hades.porcupine.org is a before-filter SMTP client, while 6B4A9924782 is the after-filter queue ID, and localhost[127.0.0.1] is the SMTP-based content filter that sends mail into the after-filter SMTP server. postfix/smtpd[4074]: 6B4A9924782: client=localhost[127.0.0.1], orig_queue_id=951F692462F orig_client=hades.porcupine.org[168.100.189.10] Incompatibility with snapshot 20100610 ====================================== Postfix no longer appends the system-supplied default CA certificates to the lists specified with *_tls_CAfile or with *_tls_CApath. This prevents third-party certificates from getting mail relay permission with the permit_tls_all_clientcerts feature. Unfortunately this change may cause compatibility problems when configurations rely on certificate verification for other purposes. Specify "tls_append_default_CA = yes" for backwards compatibility. Incompatibility with snapshot 20100101 ====================================== When periodic cache cleanup is enabled (the default), the postscreen(8) server now requires that the cache database supports the "delete" and "sequence" operations. To disable periodic cache cleanup specify a zero postscreen_cache_cleanup_interval value. Major changes with snapshot 20100101 ==================================== Periodic cache cleanup for the postscreen(8) cache database. The time between cache cleanup runs is controlled with the postscreen_cache_cleanup_interval (default: 12h) parameter. Cache cleanup increases the database access latency, so this should not be run more often than necessary. In addition, the postscreen_cache_retention_time (default: 1d) parameter specifies how long to keep an expired entry in the cache. This prevents a client from being logged as "NEW" after its record expired only a little while ago. Incompatibility with snapshot 20091209 ====================================== The postscreen daemon now checks the permanent whitelist before the permanent blacklist. This makes the whitelist easier to use for its intended purpose, which is to receive mail. Incompatibility with snapshot 20091008 ====================================== NOTE: You must stop and start the Postfix master daemon before you can use the postscreen(8) daemon. This is needed because the Postfix "pass" master service type did not work reliably on some systems. Major changes with snapshot 20091008 ==================================== Prototype postscreen(8) server that runs a number of time-consuming checks in parallel for all incoming SMTP connections, before clients are allowed to talk to a real Postfix SMTP server. It detects clients that start talking too soon, or clients that appear on DNS blocklists, or clients that hang up without sending any command. By doing these checks in a single postscreen(8) process, Postfix can avoid wasting one SMTP server process per connection. A side benefit of postscreen(8)'s DNSBL lookups is that DNS records are already cached before the Postfix SMTP server looks them up later. postscreen(8) maintains a temporary whitelist of positive decisions. Once an SMTP client is whitelisted, it is immediately forwarded to a real Postfix SMTP server process without further checking. By default, the program logs only statistics, and it does not run any checks on clients in mynetworks (primarily, to avoid problems with buggy SMTP implementations in network appliances). The logging function alone is already useful for research. postscreen(8) has been tested on FreeBSD and Linux systems. It probably needs additional work before it can be used on Solaris.