RELEASE_NOTES-2.1

In the text below, incompatible changes are labeled with the Postfix
snapshot that introduced the change. If you upgrade from a later
Postfix version, then you do not have to worry about that particular
incompatibility.

The official Postfix release is called 2.1.x where 2=major release
number, 1=minor release number, x=patchlevel.  Snapshot releases
are called 2.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  The mail_release_date configuration parameter
contains the release date (both for official release and snapshot
release).  Patches are issued for the official release and change
the patchlevel and the release date. Patches are never issued for
snapshot releases.

Major changes - critical
------------------------

If you run Postfix 2.0 or earlier then you must stop Postfix before
upgrading. The master-child protocols have changed between Postfix
1.1 and 2.0, and version 2.1 sometimes writes queue files that the
2.0 and earlier queue managers complain about. If this happens move
the files from the corrupt directory to the maildrop directory and
give them another chance.

[Incompat 20021119] The Postfix upgrade procedure will add two new
services to your master.cf file: "trace" and "verify". These servers
can run inside a chroot jail, have no interaction with users, and
don't talk to the network.  If Postfix complains that "trace" and
"verify" are not found, you made the error of copying your old
Postfix configuration files over the new ones. Execute "postfix
upgrade-configuration" to repair the Postfix configuration files.

[Incompat 20040331] Support for the non-standard Errors-To:  message
header is removed.  This also helps to stop potential attacks that
rely on bouncing mail to a destination that is not directly reachable
by the attacker. Specify "enable_errors_to = yes" to get the old
behavior.

Queue files written by Postfix 2.1 may contain information that
is incompatible with older Postfix versions:

[Incompat 20040120] Queue files creates with "sendmail -v" are no
longer compatible with Postfix versions 2.0 and earlier. A new
record type, "killed", was introduced in order to avoid repeated
mail delivery reports from mail that could not be delivered due to
a temporary error condition.

[Incompat 20030125] This release adds a new queue file record type
for the address specified in "REDIRECT user@domain" actions in
access maps or header/body_checks. Queue files with these records
will be rejected by older Postfix versions.

[Feature 20040120] The new queue manager nqmgr has become the
default qmgr queue manager. For a limited time the old queue manager
remains available under the name oqmgr. The name nqmgr still works
but will cause a warning to be logged.

[Incompat 20040413] The Postfix SMTP server no longer accepts mail
from or to an address ending in "@", including address forms that
rewrite into an address that ends in "@"). Specify "resolve_null_domain
= yes" to get the old behavior.

[Incompat 20031226] Postfix no longer allows mail addresses with
bare numeric IP addresses (user@1.2.3.4).  This is not configurable.
The form user@[ipaddress] is still allowed.

[Incompat 20031226] Bounce messages now have a separate queue life
time.  This is controlled by the bounce_queue_lifetime parameter.

[Incompat 20031019] The authorized_verp_clients parameter was
renamed to smtpd_authorized_verp_clients, and the default value
was changed to disable this feature. You now have to turn it on
explicitly.

Major changes - build environment
---------------------------------

[Incompat 20030112] The Postfix build procedure now uses the
pcre-config utility (part of PCRE version 3) to find out the
pathnames of the PCRE include file and object library, instead of
probing /usr/include and/or /usr/lib. To build with PCRE version
2 support you will have to specify pathnames as described in
PCRE_README. To build without PCRE support, specify:  make Makefiles
CCARGS="-DNO_PRCE".

Major changes - documentation
-----------------------------

[Feature 20040331] Complete documentation rewrite. All parameters
are now described in postconf(5), and all commands and daemons are
shown in their proper context in the OVERVIEW document.
- All documents come as HTML and ASCII text.
- All HTML documents have hyperlinks for every parameter name,
  for every Postfix manual page, and for every README file.  
- All documents specify what feature is available in what release. 
- The sample-*.cf configuration files no longer exist. The information
  is now available in HTML documents, README files and UNIX man pages).
- The mumble_table example configuration files no longer exist.

[Incompat 20040413] The LMTP, Cyrus and Qmail related README files will
not be included in the Postfix version 2.1 distribution. They will
be made available via http://www.postfix.org/, and in Postfix 2.2
snapshots.

[Feature 20040413] You can install documentation in HTML format
besides the README files.  Installation of README files is now
optional.

Major changes - access control
------------------------------

[Feature 20031215] Easier debugging of SMTPD access restrictions.
The SMTP command "xclient name=xxx addr=yyy" changes Postfix's idea
of the remote client name and address, so that you can pretend to
connect from anywhere on the Internet.  Use of this command is
restricted to clients that match the list of names or addresses
specified with the smtpd_authorized_xclient_hosts parameter.  By
default, XCLIENT is not accepted from anywhere.  More details are
in the XCLIENT_README file.

[Feature 20030715] Support for multi-valued RBL lookup results.
For example, specify "reject_rbl_client foo.bar.tld=127.0.0.3" to
reject clients that are listed with a "127.0.0.3" address record.
More information is in the postconf(5) manual page.

[Feature 20030917] New "check_{helo,sender,recipient}_{ns,mx}_access
type:table" restrictions that apply the specified access table to
the NS or MX hosts of the host/domain given in HELO, EHLO, MAIL
FROM or RCPT TO commands. More information is in the postconf(5)
manual page.

This can be used to block mail from so-called spammer havens (all
domains that are served by the same DNS server, all domains that
resolve to the same MX host), from sender addresses that resolve
to Verisign's wild-card mail responder, or from domains that claim
to have mail servers in reserved networks such as 127.0.0.1.

Note: OK actions are not allowed for security reasons.  Instead of
OK, use DUNNO in order to exclude specific hosts from blacklists.
If an OK result is found for an NS or MX host, Postfix rejects the
SMTP command with "451 Server configuration error".

[Feature 20040413] Support for a "WARN text..." feature in SMTPD
access tables, just like the WARN feature in header/body_checks.

[Feature 20040122] New "PREPEND headername: headervalue" action in
Postfix access maps. Primarily intended for tagging mail by for
example, an external SMTPD policy server. See access(5).

[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks
maps. This action prepends a header or body line immediately before
the line that triggers the action. See header_checks(5) for details.

[Feature 20030125] New "REDIRECT user@domain" action for access
maps and header/body_checks that overrides all the originally
specified recipients of a message.  Wietse would never recommend
that people use this to redirect (bounced) SPAM to the beneficiaries
of an advertisement campaign. See access(5) and header_checks(5).

[Feature 20031215] The reject_sender_login_mismatch feature (used
with SASL authenticated logins) is now implemented in terms of more
basic restrictions:  reject_unauth_sender_login_mismatch (reject
mail when $sender_login_maps lists an owner for the sender address
but the SMTP client is not SASL authenticated) and
reject_auth_sender_login_mismatch (reject mail when the sender
address is not owned by the SASL authenticated user). The
sender_login_maps now support multiple owners per sender address.
See postconf(5) for details.

Major changes - address verification
------------------------------------

[Feature 20021119] Address verification blocks mail from or to
addresses that are not deliverable.  This is turned on with the
reject_unverified_sender UCE restriction. Addresses are verified
by probing, that is, by sending mail that is not actually delivered
(SMTP interruptus).  Detailed information is in the
ADDRESS_VERIFICATION_README file.

Address verification can follow a different route than ordinary
mail, typically to avoid sending probes to a relay host.  To make
this possible, the address resolver supports multiple personalities.
For more detail see the ADDRESS_VERIFICATION_README file.

New "sendmail -bv" option.  Postfix probes the specified recipient
addresses without actually delivering mail, and sends back an email
delivery report.  This is useful for testing address rewriting and
address routing, and shows the final envelope and header addresses.
This feature currently does not access or update the sender address
verification database.

Major changes - content inspection
----------------------------------

[Feature 20030704] The Postfix SMTP server can be configured to
send all mail into a real-time content filter that inspects mail
BEFORE it is queued.  See the SMTPD_PROXY_README file for details.

[Feature 20031022] Improved logging by Postfix daemons behind an
SMTP-based proxy filter. The logging now shows the remote client
name and address, instead of localhost[127.0.0.1].  This uses the
new SMTP command "XFORWARD addr=client-address name=client-hostname",
which specifies remote client information for logging purposes.
This command is restricted to clients that match the list of names
or addresses specified with the smtpd_authorized_xforward_hosts
parameter. By default, XFORWARD is not accepted from anywhere.
For an example, see the SMTPD_PROXY_README file.

[Feature 20030706] New receive_override_options parameter that
eliminates the need for different cleanup service instances before
and after an external content filter. One parameter controls what
happens before or after the content filter: rejecting unknown
recipients, canonical mapping, virtual alias expansion, masquerading,
automatic BCC recipients and header/body checks. See postconf(5)
for the fine details.

[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks
maps. This action prepends a header or body line immediately before
the line that triggers the action. See header_checks(5) for details.

[Feature 20030125] New "REDIRECT user@domain" action for access maps
and header/body_checks that overrides all the originally specified
recipients of a message.  Wietse would never recommend that people
use this to redirect (bounced) SPAM to the beneficiaries of an
advertisement campaign. See header_checks(5) and access(5).

[Incompat 20030915] In header/body_checks actions, the OK action
is being phased out, and the DUNNO action is being phased in. Both
actions still work and do the same thing, but hopefully DUNNO causes
less confusion. See header_checks(5) for details.

Major changes - policy delegation
---------------------------------

[Feature 20030715] Support for SMTP access policy delegation to an
external server.  Greylisting and SPF are provided as examples.
See the SMTPD_POLICY_README file for further information.

Major changes - client rate limiting
------------------------------------

Note: this feature is not included with Postfix 2.1, but it is
documented here so that the information will not be lost.

[Feature 20031111] Preliminary defense against SMTP clients that
hammer an SMTP server with too many connections.  By default, the
number of simultaneous connections per client is limited to half
the default process limit, and no limit is imposed on the number
of successive connections per time unit that a client is allowed
to make.

The new anvil server maintains the connection statistics, and logs
the maximum connection count and connection rate per client every
anvil_status_update_time seconds (10 minutes), or when it terminates
(when there is no work to be done, or when "postfix reload" was
issued). Once you have an idea what the numbers look like, you can
clamp down the limits for your system.

The relevant main.cf configuration parameters are: smtpd_client-
connection_count_limit for the number of simultaneous connections
per client, and smtpd_client_connection_rate_limit for the number
of successive connections per unit time and client. The time unit
is specified with the anvil_rate_time_unit parameter, and is one
minute by default.

When Postfix rejects a client, it sends a 450 status code and
disconnects, and logs a warning with the client name/address and
the service name from master.cf. You can, for example, capture this
information with a logfile watching program that updates a firewall
rule (such a watcher program is not included with Postfix).

To avoid rejecting authorized hosts, the smtpd_client_connection-
limit_exceptions parameter takes a list of network/netmask expressions,
hostnames or .domain names that are excluded from these restrictions.
By default, all clients in $mynetworks are excluded; you will
probably want to use a more restrictive setting.

For further information, see:  smtpd(8) and anvil(8).

Major changes - configuration management
----------------------------------------

[Feature 20040413] New postfix(1) command features: 

- "postfix set-permissions" corrects Postfix file and directory
   permissions and allows you to change mail_owner or setgid_group
   settings after Postfix is installed.

- "postfix upgrade-configuration" fixes Postfix systems after people
   copy over their old configuration files after installing a new
   Postfix system.

See postfix(1) for details.

[Incompat 20040120] The format of the postfix-files file has changed.
There is a new type for hard links. With hard or symbolic link
entries, the first field is now the destination pathname and the
"owner" field is now the origin pathname, while "group" and
"permissions" are ignored.

Major changes - core functionality
----------------------------------

[Feature 20030704] New enable_original_recipient parameter (default:
yes) to control whether Postfix keeps track of original recipient
address information.  If this is turned off Postfix produces no
X-Original-To: headers and ignores the original recipient when
eliminating duplicates after virtual alias expansion. Code by Victor
Duchovni.

[Feature 20030417] Automatic BCC recipients depending on sender or
recipient address.  The configuration parameters in question are
"sender_bcc_maps" and "recipient_bcc_maps". See postconf(5).

[Incompat 20030415] Too many people mess up their net/mask patterns,
causing open mail relay problems. Postfix processes now abort when
given a net/mask pattern with a non-zero host portion (for example,
168.100.189.2/28), and suggest to specify the proper net/mask
pattern instead (for example, 168.100.189.0/28).

[Feature 20030415] Workaround for file system clock drift that
caused Postfix to ignore new mail (this could happen with file
systems mounted from a server).  Postfix now logs a warning and
proceeds with only slightly reduced performance, instead of ignoring
new mail.

Major changes - database support
--------------------------------

Liviu Daia took the lead in a revision of the LDAP, MySQL and
PostgreSQL clients.  Credits also go to Victor Duchovni and to
Lamont Jones.

[Feature 20030915] LDAP parameters can now be defined in external
files.  Specify the LDAP maps in main.cf as
	ldap:/path/to/ldap.cf
and write the LDAP parameters in /path/to/ldap.cf, without the
"ldapsource_" prefix.  This makes it possible to securely store
bind passwords for plain auth outside of main.cf (which must be
world readable).  The old syntax still works, for backwards
compatibility. 

[Feature 20030915] Support for LDAP URLs in the LDAP parameter
"server_host", if Postfix is linked against OpenLDAP.  LDAP hosts,
ports, and connection protocols to be used as LDAP sources can be
specified as a blank-separated list of LDAP URLs in "server_host".
As with OpenLDAP, specifying a port in a LDAP URL overrides
"server_port".  Examples:
    server_host = ldap://ldap.itd.umich.edu
    server_host = ldaps://ldap.itd.umich.edu:636
    server_host = ldapi://%2Fsome%2Fpath

[Feature 20030915] The LDAP SSL scheme ldaps:// is available if
OpenLDAP was compiled with SSL support.  New parameters "tls_ca_cert_dir",
"tls_ca_cert_file", "tls_cert", "tls_key", "tls_require_cert",
"tls_random_file", "tls_cipher_suite" control the certificates,
source of random numbers, and cipher suites used for SSL connections.
See LDAP_README for further information.

[Feature 20030915] Support for STARTTLS command in LDAP, if Postfix
is linked against OpenLDAP and OpenLDAP was compiled with SSL
support.  STARTTLS is controlled by the "start_tls" parameter.
The above parameters for certificates, source of random numbers,
and cipher suites also apply.  See LDAP_README for further information.

[Incompat 20030704] Support for client side LDAP caching is gone.
OpenLDAP 2.1.13 and later no longer support it, and the feature
never worked well.  Postfix now ignores cache controlling parameters
in an LDAP configuration file and logs a warning.

[Feature 20030415] PostgreSQL table lookups. Specify "pgsql:/file/name"
where "/file/name" defines the database. See "man pgsql_table" for
examples, and the PGSQL_README file for general information.

Major changes - internals
-------------------------

[Incompat 20040120] The format of the postfix-files file has changed.
There is a new type for hard links. With hard or symbolic link
entries, the first field is now the destination pathname and the
"owner" field is now the origin pathname, while "group" and
"permissions" are ignored.

[Incompat 20040120] The LDAP and SQL client source code is moved
to the global directory in order to eliminate reversed dependencies.

[Feature 20030606] Complete rewrite of the queue file record reading
loops in the pickup, cleanup and in the queue manager daemons. This
code had deteriorated over time.  The new code eliminates an old
problem where the queue manager had to read most queue file records
twice in the case of an alias/include file expansion with more than
qmgr_message_recipient_limit recipients.

[Feature 20030125] Code cleanup up of queue manager internals.
Queue names are no longer mixed up with the next-hop destination,
and the address resolver loop is now easier to understand.

[Feature 20030104] Multi-server daemons (servers that accept
simultaneous connections from multiple clients) will now stop
accepting new connections after serving $max_use clients. This
allows multi-server daemons to automatically restart even on busy
mail systems.

[Feature 20030104] Clients of multi-server daemons such as
trivial-rewrite and the new proxymap service now automatically
disconnect after $ipc_ttl seconds of activity (default: 1000s).
This allows multi-server daemons to automatically restart even on
busy mail systems.

[Incompat 20021119] The file format of bounce/defer logfiles has
changed from the old one-line ad-hoc format to a more structured
multi-line format. For backwards compatibility, Postfix now creates
bounce/defer logfile entries that contain both the old and the new
format, so that you can go back to an older Postfix release without
losing information.  Old Postfix versions will warn about malformed
logfile entries, but should work properly. To disable backwards
compatibility specify "backwards_bounce_logfile_compatibility =
no" in main.cf.

[Feature 20021119] Both "sendmail -bv" and "sendmail -v" use the
new "trace" daemon that is automatically added to master.cf when
you upgrade.

Major changes - logging
-----------------------

[Incompat 20040413] The postmap and postalias commands now report
errors to syslogd in addition to reporting them to the standard
error output. This makes logfile analysis easier.

[Incompat 20031203] Many SMTPD "reject" logfile entries now show
NOQUEUE instead of a queue ID.  This is because Postfix no longer
creates a queue file before the SMTP server has received a valid
recipient.

Major changes - lookup table support
------------------------------------

[Feature 20030704] New CIDR-based lookup table, remotely based on
code by Jozsef Kadlecsik.  For details and examples, see "man
cidr_table".

[Feature 20030704] The TCP-based table lookup protocol is finished.
For details and examples, see "man tcp_table". This will allow you
to implement your own greylisting, or to do your own open proxy
tests before accepting mail. This table will not be included with
Postfix 2.1 because the protocol is obsoleted by the policy delegation
(see elsewhere in this document) which does a much better job.

[Feature 20030704] Support for !/pattern/ (negative matches) in
PCRE lookup tables by Victor Duchovni. See "man pcre_table" and
"man regexp_table" for more.

Major changes - resource control
--------------------------------

[Incompat 20031022] The Postfix SMTP server no longer accepts mail
when the amount of free queue space is less than 1.5 times the
message_size_limit value.

Major changes - security
------------------------

[Incompat 20040413] The Postfix SMTP server no longer accepts mail
from or to an address ending in "@", including address forms that
rewrite into an address that ends in "@"). Specify "resolve_null_domain
= yes" to get the old behavior.

[Incompat 20040331] Support for the non-standard Errors-To:  message
header is removed.  This also helps to stop potential attacks that
rely on bouncing mail to a destination that is not directly reachable
by the attacker. Specify ""enable_errors_to = yes" to get the old
behavior.

[Incompat 20040331] Tarpit delays are reduced. The Postfix SMTP
server no longer delays responses until the client has made
$smtpd_soft_error_limit errors, and the delay is fixed at
$smtpd_error_sleep_time seconds.  Postfix still disconnects after
$smtpd_hard_error_limit errors.

[Incompat 20040120] The SMTP server can reject non-existent sender
addresses in a local, virtual or relay domain; specify
"reject_unlisted_sender=yes" in order to require that a sender
address passes the same "user unknown" test as a recipient would
have to pass. This is optional in Postfix 2.1, likely to be turned
on by default in Postfix 2.2.

[Incompat 20031226] Postfix no longer allows mail addresses with
bare numeric IP addresses (user@1.2.3.4).  This is not configurable.
The form user@[ipaddress] is still allowed.

[Incompat 20030305] Postfix truncates non-address information in message
address headers (comments, etc.) to 250 characters per address, in
order to protect vulnerable Sendmail systems against exploitation
of a remote buffer overflow problem (CERT advisory CA-2003-07).

[Incompat 20030227] The smtpd_hard_error_limit and smtpd_soft_error_limit
values now behave as documented, that is, smtpd_hard_error_limit=1
causes Postfix to disconnect upon the first client error. Previously,
there was an off-by-one error causing Postfix to change behavior
after smtpd_hard/soft_error_limit+1 errors.

Major changes - smtp client
---------------------------

[Incompat 20031223] The SMTP client now tries to connect to an
alternate MX address when a delivery attempt fails **after the
initial SMTP handshake**.  This includes both broken connections
and 4XX SMTP replies.  To get the old behavior, specify
"smtp_mx_session_limit = 1" in main.cf.

[Feature 20031223] The SMTP client now tries to connect to an
alternate MX address when a delivery attempt fails after the
initial SMTP handshake.  This includes both broken connections
and 4XX SMTP replies.

As a benefit, fallback_relay now works as promised, not just for
sessions that fail during the initial handshake.

The new SMTP client connection management is controlled by two new
configuration parameters:

- smtp_mx_address_limit (default unlimited): the number of MX (mail
  exchanger) IP addresses that can result from mail exchanger
  lookups.

- smtp_mx_session_limit (default 2):  the number of SMTP sessions
  per delivery request before giving up or delivering to a fall-back
  relay, ignoring IP addresses that fail to complete the SMTP
  initial handshake.

[Incompat 20031022] Postfix no longer retries delivery when no MX
host has a valid A record, for compatibility with many other MTAs.
This change is made in anticipation of a possible Verisign "wild-card
MX record without A record" for unregistered domains. To get the
old behavior, specify "smtp_defer_if_no_mx_address_found = yes".

[Incompat 20031022] The Postfix SMTP client no longer looks in
/etc/hosts by default.  To get the old behavior, specify
"smtp_host_lookup = dns, native".

[Feature 20030417] Support for sending mail to hosts not in the
DNS, without having to turn off DNS lookups. The "smtp_host_lookup"
parameter controls how the Postfix SMTP client looks up hosts.  In
order to use /etc/hosts besides DNS, specify "smtp_host_lookup =
dns, native". The default is to use DNS only.

Major changes - user interface
------------------------------

[Incompat 20040418] The non-delivery report format has changed.
The "sorry" message and the DSN formatted report now include the
original recipient address, when that address is different from
the final recipient address.  This makes it easier to diagnose some
mail delivery problems that happen after mail forwarding.

[Incompat 20031223] In mailq (queue listing) output, there no longer
is space between a short queue ID and the "*" (delivery in progress)
or ! (mail on hold) status indicator. This makes the output easier
to parse.

[Incompat 20030417] "sendmail -t" no longer complains when recipients
are given on the command line. Instead, it now adds recipients from
headers to the recipients from the command-line.

[Incompat 20030126] The maildir file naming algorithm has changed
according to an updated version of http://cr.yp.to/proto/maildir.html.
The name is now TIME.VdevIinum.HOST

[Incompat 20021119] The behavior of "sendmail -v" has changed. One
-v option now produces one email report with the status of each
recipient.  Multiple -v options behave as before: turn on verbose
logging in the sendmail and postdrop commands.

[Feature 20021119] New "sendmail -bv" option.  Postfix probes the
specified recipient addresses without actually delivering mail,
and sends back an email delivery report.  This is useful for testing
address rewriting and address routing of both envelope and header
addresses. This feature currently does not access or update the
sender address verification database.