The stable Postfix release is called postfix-2.5.x where 2=major
release number, 5=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-2.6-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

Incompatibility with Postfix 2.3 and earlier
--------------------------------------------

If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4
before proceeding.

Major changes - critical
------------------------

[Incompat 20071224] The protocol to send Milter information from
smtpd(8) to cleanup(8) processes was cleaned up. If you use the
Milter feature, and upgrade a live Postfix system, you may see an
"unexpected record type" warning from a cleanup(8) server process.
To prevent this, execute the command "postfix reload". The
incompatibility affects only systems that use the Milter feature.
It does not cause loss of mail, just a minor delay until the remote
SMTP client retries.

[Incompat 20071212] The allow_min_user feature now applies to both
sender and recipient addresses in SMTP commands. With earlier Postfix
versions, only recipients were subject to the allow_min_user feature,
and the restriction took effect at mail delivery time, causing mail
to be bounced later instead of being rejected immediately.

[Incompat 20071206] The "make install" and "make upgrade" procedures
now create a Postfix-owned directory for Postfix-writable data files
such as caches and random numbers.
The location is specified with
the "data_directory" parameter (default: "/var/lib/postfix"), and
the ownership is specified with the "mail_owner" parameter.

[Incompat 20071206] The tlsmgr(8) and verify(8) servers no longer
use root privileges when opening the address_verify_map,
*_tls_session_cache_database, and tls_random_exchange_name cache
files. This avoids a potential security loophole where the ownership
of a file (or directory) does not match the trust level of the
content of that file (or directory).

[Incompat 20071206] The tlsmgr(8) and verify(8) cache files should
now be stored as Postfix-owned files under the Postfix-owned
data_directory. As a migration aid, attempts to open these files
under a non-Postfix directory are redirected to the Postfix-owned
data_directory, and a warning is logged.

This is an example of the warning messages:

    Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
    to update file /etc/postfix/prng_exch in non-postfix directory
    /etc/postfix

    Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
    the request to postfix-owned data_directory /var/lib/postfix

If you wish to continue using a pre-existing tls_random_exchange_name
or address_verify_map file, move it to the Postfix-owned data_directory
and change ownership from root to Postfix (that is, change ownership
to the account specified with the mail_owner configuration parameter).

[Feature 20071205] The "make install" and "make upgrade" procedures
now create a Postfix-owned directory for Postfix-writable data files
such as caches and random numbers. The location is specified with
the "data_directory" parameter (default: "/var/lib/postfix"), and
the ownership is specified with the "mail_owner" parameter.

[Incompat 20071203] The "make upgrade" procedure adds a new service
"proxywrite" to the master.cf file, for read/write lookup table
access.
If you copy your old configuration file over the updated
one, you may see warnings in the maillog file like this:

    connect #xx to subsystem private/proxywrite: No such file or directory

To recover, run "postfix upgrade-configuration" again.

[Incompat 20070613] The pipe(8) delivery agent no longer allows
delivery with the same group ID as the main.cf postdrop group.

Major changes - malware defense
-------------------------------

[Feature 20080107] New "pass" service type in master.cf. Written
years ago, this allows future front-end daemons to accept all
connections from the network, and to hand over connections from
well-behaved clients to Postfix. Since this feature uses file
descriptor passing, it imposes no overhead once a connection is
handed over to Postfix. See master(5) for a few details.

[Feature 20070911] Stress-adaptive behavior. When a "public" network
service runs into an "all processes are busy" condition, the master(8)
daemon logs a warning, restarts the service, and runs it with "-o
stress=yes" on the command line (under normal conditions it runs
the service with "-o stress=" on the command line). This can be
used to make main.cf parameter settings stress dependent, for
example:

/etc/postfix/main.cf:
    smtpd_timeout = ${stress?10}${stress:300}
    smtpd_hard_error_limit = ${stress?1}${stress:20}

Translation: under conditions of stress, use an smtpd_timeout value
of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1
instead of 20. The syntax is explained in the postconf(5) manpage.

The STRESS_README file gives examples of how to mitigate flooding
problems.

Major changes - tls support
---------------------------

[Incompat 20080109] TLS logging output has changed to make it more
useful. Existing logfile parser regular expressions may need
adjustment.

- More log entries include the "hostname[ipaddress]" of the
  remote SMTP peer.

- Certificate trust chain error reports show only the first
  error certificate (closest to the trust chain root), and the
  reporting is more human-readable for the most likely errors.

- After the completion of the TLS handshake, the session is logged
  with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
  "Verified" (SMTP client only).
    - "Untrusted" means that the certificate trust chain is invalid,
      or that the root CA is not trusted.
    - "Trusted" means that the certificate trust chain is valid, and
      that the root CA is trusted.
    - "Verified" means that the certificate meets the SMTP client's
      matching criteria for the destination:
        - In the case of a destination name match, "Verified" also
          implies "Trusted".
        - In the case of a fingerprint match, CA trust is not applicable.

- The logging of protocol states with TLS loglevel >= 2 no longer
  reports bogus error conditions when OpenSSL asks Postfix to refill
  (or flush) network I/O buffers. This loglevel is for debugging
  only; use 0 or 1 in production configurations.

[Feature 20080109] The Postfix SMTP client has a new "fingerprint"
security level. This avoids dependencies on CAs, and relies entirely
on bi-lateral exchange of public keys (really self-signed or private
CA signed X.509 public key certificates). Scalability is clearly
limited. For details, see the fingerprint discussion in TLS_README.

[Feature 20080109] The Postfix SMTP server can now use SHA1 instead
of MD5 to compute remote SMTP client certificate fingerprints. For
backwards compatibility, the default algorithm is MD5. For details,
see the "smtpd_tls_fingerprint_digest" parameter in the postconf(5)
manual.

[Feature 20080109] The maximum certificate trust chain depth
(verifydepth) is finally implemented in the Postfix TLS library.
Previously, the parameter had no effect. The default depth was
changed to 9 (the OpenSSL default) for backwards compatibility.

If you have explicitly limited the verification depth in main.cf,
check that the configured limit meets your needs. See the
"lmtp_tls_scert_verifydepth", "smtp_tls_scert_verifydepth" and
"smtpd_tls_ccert_verifydepth" parameters in the postconf(5) manual.

[Feature 20080109] The selection of SSL/TLS protocols for mandatory
TLS can now use exclusion rather than inclusion. Either form is
acceptable; see the "lmtp_tls_mandatory_protocols",
"smtp_tls_mandatory_protocols" and "smtpd_tls_mandatory_protocols"
parameters in the postconf(5) manual.

Major changes - scheduler
-------------------------

[Feature 20071130] Revised queue manager with separate mechanisms
for per-destination concurrency control and for dead destination
detection. The concurrency control supports less-than-1 feedback
to allow for more gradual concurrency adjustments, and uses hysteresis
to avoid rapid oscillations. A destination is declared "dead" after
a configurable number of pseudo-cohorts(*) reports connection or
handshake failure.

(*) A pseudo-cohort is a number of delivery requests equal to a
    destination's delivery concurrency.

The drawbacks of the old +/-1 feedback scheduler are a) overshoot
due to exponential delivery concurrency growth with each pseudo-cohort(*)
(5-10-20...); b) throttling down to zero concurrency after a single
pseudo-cohort(*) failure. The latter was especially an issue with
low-concurrency channels where a single failure could be sufficient
to mark a destination as "dead", and suspend further deliveries.
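
The 5-10-20 overshoot of +1 feedback, next to less-than-1 feedback, in a small simulation. This is an added example and not Postfix code: it is a simplified model in which the concurrency rises by one each time accumulated credit reaches 1, and the function names, the starting concurrency of 5 and the tolerated limit of 12 are assumptions chosen for the illustration.

```python
from fractions import Fraction

def grow(start, cohorts, feedback):
    """Concurrency after each fully successful pseudo-cohort.

    feedback(concurrency) is the credit earned per successful delivery.
    Simplified model (an assumption, not Postfix source): the window
    rises by 1 each time the accumulated credit reaches 1.
    """
    concurrency, credit, history = start, Fraction(0), [start]
    for _ in range(cohorts):
        for _ in range(concurrency):   # cohort size = concurrency at cohort start
            credit += feedback(concurrency)
            while credit >= 1:
                concurrency += 1
                credit -= 1
        history.append(concurrency)
    return history

def first_above(history, limit):
    """First concurrency value that exceeds what the remote side tolerates."""
    return next((c for c in history if c > limit), None)

# Old scheduler: +1 per delivery. Revised scheduler: less-than-1 feedback,
# here the "1/concurrency" form of the positive feedback parameter.
OLD = lambda c: Fraction(1)
GRADUAL = lambda c: Fraction(1, c)

if __name__ == "__main__":
    print("old    :", grow(5, 3, OLD))
    print("gradual:", grow(5, 3, GRADUAL))
    print("first value above 12:", first_above(grow(5, 3, OLD), 12),
          "vs", first_above(grow(5, 10, GRADUAL), 12))
```

With a remote side that tolerates 12 parallel sessions, the old feedback jumps from 10 straight to 20, while the gradual feedback crosses the limit by a single connection.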

New configuration parameters: destination_concurrency_feedback_debug,
default_destination_concurrency_positive_feedback,
default_destination_concurrency_negative_feedback,
default_destination_concurrency_failed_cohort_limit, as well as
transport-specific versions of the same.

The default parameter settings are backwards compatible with older
Postfix versions. This may change after better defaults are field
tested.

The updated SCHEDULER_README document describes the theory behind
the new concurrency scheduler, as well as Patrik Rak's preemptive
job scheduler. See postconf(5) for more extensive descriptions of
the configuration parameters.

Major changes - small/home office
---------------------------------

[Feature 20080115] Preliminary SOHO_README document that combines
bits and pieces from other documents in one place, so that it is
easier to find. This document describes the "mail sending" side
only.

[Feature 20071202] Output rate control in the queue manager. For
example, specify "smtp_destination_rate_delay = 5m", to pause five
minutes between message deliveries. More information in the postconf(5)
manual under "default_destination_rate_delay".

Major changes - smtp client
---------------------------

[Incompat 20080114] The Postfix SMTP client now by default defers
mail after a remote SMTP server rejects a SASL authentication
attempt. Specify "smtp_sasl_auth_soft_bounce = no" for the old
behavior.

[Feature 20080114] The Postfix SMTP client can now avoid making
repeated SASL login failures with the same server, username and
password. To enable this safety feature, specify for example
"smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache"
(access through the proxy service is required).
Instead of trying
to SASL authenticate, the Postfix SMTP client defers or bounces
mail as controlled with the new smtp_sasl_auth_soft_bounce configuration
parameter.

[Feature 20071111] Header/body checks are now available in the SMTP
client, after the implementation was moved from the cleanup server
to a library module. The SMTP client provides only actions that
don't change the message delivery time or destination: warn, replace,
prepend, ignore, dunno, ok.

[Incompat 20070614] By default, the Postfix Cyrus SASL client no
longer sends a SASL authoriZation ID (authzid); it sends only the
SASL authentiCation ID (authcid) plus the authcid's password. Specify
"send_cyrus_sasl_authzid = yes" to get the old behavior.

Major changes - smtp server
---------------------------

[Feature 20070724] Not really major. New support for RFC 3848
(Received: headers with ESMTPS, ESMTPA, or ESMTPSA); updated SASL
support according to RFC 4954, resulting in small changes to SMTP
reply codes and (DSN) enhanced status codes.

Major changes - milter
----------------------

[Incompat 20071224] The protocol to send Milter information from
smtpd(8) to cleanup(8) processes was cleaned up. If you use the
Milter feature, and upgrade a live Postfix system, you may see an
"unexpected record type" warning from a cleanup(8) server process.
To prevent this, execute the command "postfix reload". The
incompatibility affects only systems that use the Milter feature.
It does not cause loss of mail, just a minor delay until the remote
SMTP client retries.

[Feature 20071221] Support for most of the Sendmail 8.14 Milter
protocol features.

To enable the new features specify "milter_protocol = 6" and link
the filter application with a libmilter library from Sendmail 8.14
or later.

Sendmail 8.14 Milter features supported at this time:

- NR_CONN, NR_HELO, NR_MAIL, NR_RCPT, NR_DATA, NR_UNKN, NR_HDR,
  NR_EOH, NR_BODY: The filter can tell Postfix that it won't reply
  to some of the SMTP events that Postfix sends. This makes the
  protocol less chatty and improves performance.

- SKIP: The filter can tell Postfix to skip sending the rest of
  the message body, which also improves performance.

- HDR_LEADSPC: The filter can request that Postfix does not delete
  the first space character between header name and header value
  when sending a header to the filter, and that Postfix does not
  insert a space character between header name and header value
  when receiving a header from the filter. This fixes a limitation
  in the old Milter protocol that can break DKIM and DK signatures.

- SETSYMLIST: The filter can override one or more of the main.cf
  milter_xxx_macros parameter settings.

Sendmail 8.14 Milter features not supported at this time:

- RCPT_REJ: report rejected recipients to the mail filter.

- CHGFROM: replace sender, with optional ESMTP command parameters.

- ADDRCPT_PAR: add recipient, with optional ESMTP command parameters.

It is unclear when (if ever) the missing features will be implemented.
SMFIP_RCPT_REJ requires invasive changes in the SMTP server recipient
processing and error handling. SMFIR_CHGFROM and SMFIR_ADDRCPT_PAR
require ESMTP command-line parsing in the cleanup server. Unfortunately,
Sendmail's documentation does not specify what ESMTP options are
supported, but only discusses examples of things that don't work.
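
Returning to the 20071206 ownership change under "Major changes - critical", which covers the address_verify_map cache of the address verification service discussed next: the check below is an added example, not part of Postfix. It flags cache settings that point outside data_directory and entries under it that are not owned by the mail_owner uid or are writable by other accounts; the function names, two of the sample paths and the writability test are assumptions made for the illustration.

```python
import os
import stat

# Constructed main.cf values. Only /etc/postfix/prng_exch appears in the
# warning quoted in these notes; the other two paths are assumptions.
SAMPLE_SETTINGS = {
    "tls_random_exchange_name": "/etc/postfix/prng_exch",
    "address_verify_map": "btree:/etc/postfix/verify",
    "smtpd_tls_session_cache_database": "btree:/var/lib/postfix/smtpd_scache",
}

def map_path(value):
    """Strip "type:" prefixes such as btree: or proxy:btree: from a setting."""
    while not value.startswith("/") and ":" in value:
        value = value.split(":", 1)[1]
    return os.path.normpath(value)

def outside_data_directory(settings, data_directory="/var/lib/postfix"):
    """Names of cache settings whose file is not under data_directory."""
    base = os.path.normpath(data_directory)

    def is_under(path):
        return os.path.isabs(path) and os.path.commonpath([base, path]) == base

    return sorted(name for name, value in settings.items()
                  if not is_under(map_path(value)))

def audit_ownership(data_directory, owner_uid):
    """(path, problem) pairs for entries another account could control.

    owner_uid is the numeric uid of the mail_owner account.
    """
    findings = []
    for root, _dirs, files in os.walk(data_directory):
        for path in [root] + [os.path.join(root, name) for name in files]:
            st = os.lstat(path)
            if st.st_uid != owner_uid:
                findings.append((path, f"uid {st.st_uid}, expected {owner_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "group- or world-writable"))
    return findings

if __name__ == "__main__":
    print(outside_data_directory(SAMPLE_SETTINGS))
```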

Major changes - address verification
------------------------------------

[Incompat 20070514] The default sender address for address verification
probes was changed from "postmaster" to "double-bounce", so that
the Postfix SMTP server no longer causes surprising behavior by
excluding "postmaster" from SMTP server access controls.

Major changes - ldap
--------------------

[Incompat 20071216] Due to an incompatible API change between
OpenLDAP 2.0.11 and 2.0.12, an LDAP client compiled for OpenLDAP
version <= 2.0.11 will refuse to work with an OpenLDAP library
version >= 2.0.12 and vice versa.

Major changes - logging
-----------------------

[Incompat 20080109] TLS logging output has changed to make it more
useful. Existing logfile parser regular expressions may need
adjustment.

- More log entries include the "hostname[ipaddress]" of the
  remote SMTP peer.

- Certificate trust chain error reports show only the first
  error certificate (closest to the trust chain root), and the
  reporting is more human-readable for the most likely errors.

- After the completion of the TLS handshake, the session is logged
  with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
  "Verified" (SMTP client only).
    - "Untrusted" means that the certificate trust chain is invalid,
      or that the root CA is not trusted.
    - "Trusted" means that the certificate trust chain is valid, and
      that the root CA is trusted.
    - "Verified" means that the certificate meets the SMTP client's
      matching criteria for the destination:
        - In the case of a destination name match, "Verified" also
          implies "Trusted".
        - In the case of a fingerprint match, CA trust is not applicable.

- The logging of protocol states with TLS loglevel >= 2 no longer
  reports bogus error conditions when OpenSSL asks Postfix to refill
  (or flush) network I/O buffers.
  This loglevel is for debugging
  only; use 0 or 1 in production configurations.

[Incompat 20071216] The SMTP "transcript of session" email now
includes the remote SMTP server TCP port number.

Major changes - loop detection
------------------------------

[Incompat 20070422] When the pipe(8) delivery
agent is configured to create the optional Delivered-To: header,
it now first checks if that same header is already present in the
message. If so, the message is returned as undeliverable. This test
should have been included with Postfix 2.0 when Delivered-To: support
was added to the pipe(8) delivery agent.
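
One way to adjust a logfile parser for the status-prefixed TLS session lines described under "Major changes - logging", as an added example that is not part of Postfix. The message wording "TLS connection established to" is assumed and is not quoted in these notes; the sample lines are constructed, and the unprefixed third line stands in for output from an older release.

```python
import re
from collections import Counter

TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?|lmtp)\[\d+\]: "
    r"(?:(?P<status>Untrusted|Trusted|Verified) )?"       # new in this release
    r"TLS connection established (?P<direction>to|from) "
    r"(?P<host>[^\[\s:]+)(?:\[(?P<ip>[^\]]+)\])?(?::(?P<port>\d+))?: "
    r"(?P<protocol>\S+) with cipher (?P<cipher>\S+)"
)

# Constructed sample lines (hosts and addresses are documentation values).
SAMPLE_LOG = [
    "Jan 10 09:00:01 mail postfix/smtp[4101]: Verified TLS connection established to mx.example.net[192.0.2.25]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Jan 10 09:00:07 mail postfix/smtp[4102]: Untrusted TLS connection established to relay.example.org[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)",
    "Jan 10 09:00:09 mail postfix/smtp[4103]: TLS connection established to old.example.com: TLSv1 with cipher RC4-MD5 (128/128 bits)",
    "Jan 10 09:00:12 mail postfix/smtp[4104]: Trusted TLS connection established to mx.example.net[192.0.2.25]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Jan 10 09:00:15 mail postfix/smtp[4102]: Untrusted TLS connection established to relay.example.org[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)",
]

def parse_tls_line(line):
    """Return the fields of a TLS session line, or None for other lines."""
    match = TLS_LINE.search(line)
    return match.groupdict() if match else None

def status_counts(lines):
    """Sessions per trust status; lines without a status are 'unclassified'."""
    parsed = filter(None, map(parse_tls_line, lines))
    return Counter(rec["status"] or "unclassified" for rec in parsed)

def untrusted_peers(lines):
    """(host, ip) -> count of sessions logged as Untrusted."""
    parsed = filter(None, map(parse_tls_line, lines))
    return Counter((rec["host"], rec["ip"]) for rec in parsed
                   if rec["status"] == "Untrusted")

if __name__ == "__main__":
    print(status_counts(SAMPLE_LOG))
    print(untrusted_peers(SAMPLE_LOG))
```

Counting the unclassified lines separately shows how much of a log still comes from hosts that have not been upgraded, so a missing status is not mistaken for a trusted session.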