"Fossies" - the Fresh Open Source Software Archive

Member "postfix-3.4.7/RELEASE_NOTES" (27 Jun 2019, 8582 Bytes) of package /linux/misc/postfix-3.4.7.tar.gz:



    1 This is the Postfix 3.4 (stable) release.
    2 
    3 The stable Postfix release is called postfix-3.4.x where 3=major
    4 release number, 4=minor release number, x=patchlevel.  The stable
    5 release never changes except for patches that address bugs or
    6 emergencies. Patches change the patchlevel and the release date.
    7 
    8 New features are developed in snapshot releases. These are called
    9 postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
   10 mm=month, dd=day).  Patches are never issued for snapshot releases;
   11 instead, a new snapshot is released.
   12 
   13 The mail_release_date configuration parameter (format: yyyymmdd)
   14 specifies the release date of a stable release or snapshot release.
   15 
   16 If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
   17 before proceeding.
   18 
   19 TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13
   20 -----------------------------------------------------------
   21 
   22 This release introduces a workaround for implementations that hang
   23 Postfix while shutting down a TLS session, until Postfix times out.
   24 With "tls_fast_shutdown_enable = yes" (the default), Postfix no
   25 longer waits for a remote TLS peer to respond to a TLS 'close'
   26 request. This behavior is recommended with TLSv1.0 and later. Specify
   27 "tls_fast_shutdown_enable = no" to get historical Postfix behavior.
   28 
   29 License change
   30 ---------------
   31 
   32 This software is distributed with a dual license: in addition to the
   33 historical IBM Public License 1.0, it is now also distributed with the
   34 more recent Eclipse Public License 2.0. Recipients can choose to take
   35 the software under the license of their choice. Those who are more
   36 comfortable with the IPL can continue with that license.
   37 
   38 Summary of changes
   39 ------------------
   40 
   41 Incompatible changes, bdat support, containers, database support,
   42 logging, safety, tls connection pooling, tls support, usability.
   43 
   44 Incompatible changes
   45 --------------------
   46 
   47 [Incompat 20180826] The Postfix SMTP server announces CHUNKING (BDAT
   48 command) by default. In the unlikely case that this breaks some
   49 important remote SMTP client, disable the feature as follows:
   50 
   51 /etc/postfix/main.cf:
   52     # The logging alternative:
   53     smtpd_discard_ehlo_keywords = chunking
   54     # The non-logging alternative:
   55     smtpd_discard_ehlo_keywords = chunking, silent_discard
   56 
   57 See BDAT_README for more.
   58 
   59 [Incompat 20190126] This introduces a new master.cf service 'postlog'
   60 with type 'unix-dgram' that is used by the new postlogd(8) daemon.
   61 Before backing out to an older Postfix version, edit the master.cf
   62 file and remove the postlog entry.
   63 
   64 [Incompat 20190106] Postfix 3.4 drops support for OpenSSL 1.0.1
   65 (end-of-life was December 31, 2016) and all earlier releases.
   66 
   67 [Incompat 20180701] To avoid performance loss under load, the
   68 tlsproxy(8) daemon now requires a zero process limit in master.cf
   69 (this setting is provided with the default master.cf file). By
   70 default, a tlsproxy(8) process will retire after several hours.
   71 
   72 To set the tlsproxy process limit to zero:
   73 
   74 # postconf -F tlsproxy/unix/process_limit=0
   75 # postfix reload
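
A check for the two master.cf conditions described above (a tlsproxy entry whose process limit is not zero, and a postlog entry that must be removed before backing out to an older version). This is an added example, not part of the Postfix distribution; the function names and the sample master.cf text are constructed for illustration.

```python
# Constructed master.cf excerpt (not from a real system). Columns are:
# service type private unpriv chroot wakeup maxproc command
SAMPLE_MASTER_CF = """\
# inbound SMTP
smtp      inet        n  -  y  -  -    smtpd
  -o smtpd_tls_security_level=may
tlsproxy  unix        -  -  y  -  100  tlsproxy
postlog   unix-dgram  n  -  n  -  1    postlogd
"""

def parse_master_cf(text):
    """Return one dict per logical master.cf entry (hypothetical helper)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        fields = line.split()
        if len(fields) >= 8:                      # skip malformed entries
            entries.append({"service": fields[0], "type": fields[1],
                            "maxproc": fields[6], "command": fields[7]})
    return entries

def audit(text):
    """Flag the two master.cf conditions named in the incompatibility notes."""
    findings = []
    for e in parse_master_cf(text):
        # "-" means "use the default limit", which is not the required zero.
        if (e["service"], e["type"]) == ("tlsproxy", "unix") and e["maxproc"] != "0":
            findings.append(("tlsproxy-process-limit", e["maxproc"]))
        # Must be removed before going back to a pre-3.4 Postfix.
        if (e["service"], e["type"]) == ("postlog", "unix-dgram"):
            findings.append(("postlog-entry-present", e["command"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MASTER_CF):
        print(finding)
```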
   76 
   77 Major changes - bdat support
   78 ----------------------------
   79 
   80 [Feature 20180826] Postfix SMTP server support for RFC 3030 CHUNKING
   81 (the BDAT command) without BINARYMIME, in both smtpd(8) and
   82 postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions,
   83 and smtpd_proxy_filter. See BDAT_README for more.
   84 
   85 Major changes - containers
   86 --------------------------
   87 
   88 [Feature 20190126] Support for logging to file or stdout, instead
   89 of using syslog.
   90 
   91 - Logging to file solves a usability problem for MacOS, and
   92   eliminates multiple problems with systemd-based systems.
   93 
   94 - Logging to stdout is useful when Postfix runs in a container, as
   95   it eliminates a syslogd dependency.
   96 
   97 See MAILLOG_README for configuration examples and logfile rotation.
   98 
   99 [Feature 20180422] Better handling of the undocumented(!) Linux behavior
  100 that determines whether or not signals are delivered to a PID=1 process.
  101 
  102 Major changes - database support
  103 --------------------------------
  104 
  105 [Feature 20181105] Support for (key, list of filenames) in map
  106 source text.
  107 
  108 - Currently, this feature is used only by tls_server_sni_maps.
  109 
  110 - When a map is created from source with "postmap -F maptype:mapname",
  111   the command processes each key as usual and processes each value
  112   as a list of filenames, concatenates the content of those files
  113   (with one newline character in-between files), and stores an entry
  114   with (key, base64-encoded result).
  115 
  116 - When a map is queried with "postmap -F -q ...", the command
  117   base64-decodes each value. It reports an error when a value is
  118   not in base64 form.
  119 
  120   This "postmap -F -q ..." behavior also works when querying the
  121   memory-resident map types cidr:, inline:, pcre:, randmap:, regexp:,
  122   and static:. Postfix reads the files specified as table values,
  123   stores base64-encoded content, and base64-decodes content upon
  124   table lookup.
  125 
  126   Internally, Postfix will turn on this behavior for lookups (not
  127   updates) when a map is opened with the DICT_FLAG_RHS_IS_FILE flag.
  128 
  129 Major changes - logging
  130 -----------------------
  131 
  132 [Feature 20190126] Support for logging to file or stdout, instead
  133 of using syslog.
  134 
  135 - Logging to file solves a usability problem for MacOS, and
  136   eliminates multiple problems with systemd-based systems.
  137 
  138 - Logging to stdout is useful when Postfix runs in a container, as
  139   it eliminates a syslogd dependency.
  140 
  141 See MAILLOG_README for configuration examples and logfile rotation.
  142 
  143 Major changes - safety
  144 ----------------------
  145 
  146 [Feature 20180623] Automatic retirement: dnsblog(8) and tlsproxy(8) processes
  147 will now voluntarily retire after max_idle*max_use, or some
  148 sane limit if either limit is disabled. Without this, a process
  149 could stay busy for days or more.
  150 
  151 Major changes - tls connection pooling
  152 --------------------------------------
  153 
  154 [Feature 20180617] Postfix SMTP client support for multiple deliveries
  155 per TLS-encrypted connection. This is primarily to improve mail
  156 delivery performance for destinations that throttle clients when
  157 they don't combine deliveries.
  158 
  159 This feature is enabled with "smtp_tls_connection_reuse=yes" in
  160 main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
  161 It supports all Postfix TLS security levels including dane and
  162 dane-only.
  163 
  164 The implementation of TLS connection reuse relies on the same
  165 scache(8) service as used for delivering plaintext SMTP mail, the
  166 same tlsproxy(8) daemon as used by the postscreen(8) service for
  167 inbound connections, and relies on the same hints from the qmgr(8)
  168 daemon. It reuses the configuration parameters described in
  169 CONNECTION_CACHE_README.
  170 
  171 The Postfix SMTP client now logs whether an SMTP-over-TLS connection
  172 is newly established ("TLS connection established") or whether the
  173 connection is reused ("TLS connection reused").
  174 
  175 The following illustrates how TLS connections are reused:
  176 
  177     Initial plaintext SMTP handshake:
  178       smtp(8) -> remote SMTP server
  179 
  180     Reused SMTP/TLS connection, or new SMTP/TLS connection:
  181       smtp(8) -> tlsproxy(8) -> remote SMTP server
  182 
  183     Cached SMTP/TLS connection:
  184       scache(8) -> tlsproxy(8) -> remote SMTP server
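
The two log phrases quoted above can be used to measure whether connection reuse is actually taking effect per destination. The following is an added example, not Postfix code; the sample log lines are constructed, and the layout of the line around the quoted phrases is an assumption.

```python
import re
from collections import defaultdict

# Matches the two phrases quoted in the release notes. The " to host[addr]"
# tail is an assumption about the rest of the line; it also skips smtpd(8)
# server-side lines, which are assumed to say "from" instead of "to".
TLS_EVENT = re.compile(r"TLS connection (established|reused) to ([^\s\[]+)\[")

# Constructed log lines (hosts and addresses are documentation examples).
SAMPLE_LOG = """\
Jun 27 10:00:01 mx1 postfix/smtp[2101]: Trusted TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.2
Jun 27 10:00:02 mx1 postfix/smtp[2102]: Trusted TLS connection reused to mail.example.net[192.0.2.10]:25: TLSv1.2
Jun 27 10:00:03 mx1 postfix/smtp[2103]: Trusted TLS connection reused to mail.example.net[192.0.2.10]:25: TLSv1.2
Jun 27 10:00:04 mx1 postfix/smtp[2104]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2
Jun 27 10:00:09 mx1 postfix/smtp[2105]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2
Jun 27 10:00:15 mx1 postfix/smtp[2106]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2
Jun 27 10:00:16 mx1 postfix/smtpd[2200]: Anonymous TLS connection established from client.example.com[203.0.113.5]: TLSv1.2
"""

def reuse_stats(log_text):
    """Count new and reused client-side TLS connections per remote host."""
    stats = defaultdict(lambda: {"established": 0, "reused": 0})
    for line in log_text.splitlines():
        match = TLS_EVENT.search(line)
        if match:
            event, host = match.groups()
            stats[host][event] += 1
    return dict(stats)

def not_reusing(stats, min_new=3):
    """Hosts with at least min_new fresh handshakes and no reuse at all."""
    return sorted(host for host, counts in stats.items()
                  if counts["established"] >= min_new and counts["reused"] == 0)

if __name__ == "__main__":
    stats = reuse_stats(SAMPLE_LOG)
    for host, counts in sorted(stats.items()):
        print(host, counts)
    print("no reuse observed:", not_reusing(stats))
```

A destination that shows up in `not_reusing` is a prompt to check whether smtp_tls_connection_reuse or the policy-map attribute applies to it, not proof of a fault.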
  185 
  186 Major changes - tls support
  187 ---------------------------
  188 
  189 [Feature 20190106] SNI support in the Postfix SMTP server, the
  190 Postfix SMTP client, and in the tlsproxy(8) daemon (both server and
  191 client roles). See the postconf(5) documentation for the new
  192 tls_server_sni_maps and smtp_tls_servername parameters.
  193 
  194 [Feature 20190106] Support for files that contain multiple (key,
  195 certificate, trust chain) instances. This was required to implement
  196 server-side SNI table lookups, but it also eliminates the need for
  197 separate cert/key files for RSA, DSA, Elliptic Curve, and so on.
  198 The file format is documented in the TLS_README sections "Server-side
  199 certificate and private key configuration" and "Client-side certificate
  200 and private key configuration", and in the postconf(5) documentation
  201 for the parameters smtp_tls_chain_files, smtpd_tls_chain_files,
  202 tlsproxy_client_chain_files, and tlsproxy_tls_chain_files.
  203 
  204 Note: the command "postfix tls" does not yet support the new
  205 consolidated certificate chain format.  If you switch to the new
  206 format, you'll need to manage your keys and certificates directly,
  207 rather than via postfix-tls(1).
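
A model of how the "postmap -F" value described under "database support" and the multi-instance chain files described above fit together, written as an added example rather than Postfix's own code. The helper names and the PEM objects (placeholder bodies, no real key material) are constructed, and the rule that each private key comes first and is followed by its certificates is an assumption read from the (key, certificate, trust chain) ordering in the text.

```python
import base64
import re

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)

def pem(label):
    """Constructed PEM object with a placeholder body (no real key material)."""
    return f"-----BEGIN {label}-----\nY29uc3RydWN0ZWQ=\n-----END {label}-----\n"

# Two constructed chain files: one instance with an extra issuer certificate,
# and an EC instance with only a leaf certificate.
SAMPLE_FILES = [
    pem("PRIVATE KEY") + pem("CERTIFICATE") + pem("CERTIFICATE"),
    pem("EC PRIVATE KEY") + pem("CERTIFICATE"),
]

def pack_value(file_contents):
    """Model the stored value: file contents joined by one newline, then base64."""
    return base64.b64encode("\n".join(file_contents).encode()).decode()

def unpack_value(stored):
    """Model the query side: base64-decode, and fail on a non-base64 value."""
    try:
        return base64.b64decode(stored, validate=True).decode()
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("value is not in base64 form") from exc

def chain_instances(pem_text):
    """Group PEM objects into (key label, certificate count) instances."""
    instances = []
    for label in PEM_BEGIN.findall(pem_text):
        if label.endswith("PRIVATE KEY"):
            if instances and instances[-1][1] == 0:
                raise ValueError("private key without a certificate")
            instances.append([label, 0])
        elif label == "CERTIFICATE" and instances:
            instances[-1][1] += 1
        else:  # certificate before any key, or some other PEM object
            raise ValueError(f"unexpected {label} object")
    if not instances or instances[-1][1] == 0:
        raise ValueError("no complete (key, certificate) instance")
    return [tuple(i) for i in instances]

if __name__ == "__main__":
    print(chain_instances(unpack_value(pack_value(SAMPLE_FILES))))
```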
  208 
  209 Major changes - usability
  210 -------------------------
  211 
  212 [Feature 20180812] Support for smtpd_reject_footer_maps (as well
  213 as the postscreen variant postscreen_reject_footer_maps) for more
  214 informative reject messages. This is indexed with the Postfix SMTP
  215 server response text, and overrides the footer specified with
  216 smtpd_reject_footer.  One will want to use a pcre: or regexp: map
  217 with this.
  218