mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 01:49:47 +00:00
Code Issues Releases Wiki Activity

postfix-3.11-20250217

Browse Source
This commit is contained in:
Wietse Z Venema 2025-02-17 00:00:00 -05:00 committed by Viktor Dukhovni
parent a5f2cae618
commit e23ff58b7a
11 changed files with 258 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
postfix/HISTORY
View File

@ -28966,9 +28966,9 @@ Apologies for any names omitted.
tls/tls_misc.c.
Bugfix (defect introduced: Postfix 3.4, date 20181113): a
server with multiple TLS certificates could report for a
resumed TLS session, in logging and Received: message
headers, the wrong server-signature and server-digest names.
server with multiple TLS certificates could report, for a
resumed TLS session, the wrong server-signature and
server-digest names in logging and Received: message headers.
Viktor Dukhovni. File: tls/tls_misc.c.
20250213
@ -28982,4 +28982,16 @@ Apologies for any names omitted.
tls_config_file description. File: proto/postconf.proto.
The unused parameters will be deleted in Postfix 3.11.
Postfix 3.10 code freeze.
20250215
Safety: added a TLSRPT library version check. Log a warning
when the run-time TLSRPT library API version is not compatible
with the build-time TLSRPT API version, where 'compatible'
is defined according to the rules of semantic versioning.
This completes the Postfix 3.10 stable release.
20250216
Bugfix (defect introduced: Postfix 3.10): Postfix SMTP
client segfault while reporting a 'certificate expired'
event. Problem reported by Oemer Gueven. File: tls/tls_verify.c.

102
postfix/RELEASE_NOTES
View File

@ -1,19 +1,19 @@
This is the Postfix 3.10 experimental release.
This is the Postfix 3.11 experimental release.
The stable Postfix release is called postfix-3.9.x where 3=major
release number, 9=minor release number, x=patchlevel. The stable
The stable Postfix release is called postfix-3.10.x where 3=major
release number, 10=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
postfix-3.10-yyyymmdd where yyyymmdd is the release date (yyyy=year,
postfix-3.11-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 3.8 or earlier, please read RELEASE_NOTES-3.9
If you upgrade from Postfix 3.9 or earlier, please read RELEASE_NOTES-3.10
before proceeding.
Dual license
@ -25,95 +25,3 @@ now also distributed with the more recent Eclipse Public License
(EPL) 2.0. Recipients can choose to take the software under the
license of their choice. Those who are more comfortable with the
IPL can continue with that license.
[Feature 20250117]
Support for the RFC 8689 "TLS-Required: no" message header to request
delivery of messages such as TLSRPT summaries even if the preferred
TLS security policy cannot be enforced. This limits the Postfix
SMTP client to "smtp_tls_security_level = may" which does not
authenticate server certificates and which allows falling back to
plaintext.
Support for the REQUIRETLS SMTP service extension remains future work.
[Incompat 20250116]
Postfix needs "postfix reload" after upgrade, because of a change in
the delivery agent protocol. If this step is skipped, Postfix delivery
agents will log a warning:
unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
where xxx is the delivery agent service name.
[Incompat 20250106]
The logging of the Milter 'quarantine' action has changed. Instead
of logging "milter triggers HOLD action", it logs the reason given
by a Milter application, or "default_action" if a Milter application
was unavailable and the milter_default_action parameter or Milter
"default_action" property specifies "quarantine".
[Feature 20250106]
The Postfix Milter implementation now logs the reason for a
'quarantine' action, instead of "milter triggers HOLD action".
- If the quarantine action was requested by a Milter application,
Postfix will log the reason given by the application.
- If the quarantine action was requested with the "milter_default_action"
parameter setting or with a Milter "default_action" property,
Postfix will log "default_action".
[Feature 20250105]
Support for automatic RFC 2047 encoding of non-ASCII "full name"
information in Postfix-generated From: message headers. Encoding
non-ASCII full names can avoid the need to use SMTPUTF8, and therefore
can avoid incompatibility with sites that do not support SMTPUTF8.
The encoded result looks like "=?charset?Q?gibberish?=: for
quoted-printable encoding, or "=?charset?B?gibberish?=" for base64
encoding. Postfix uses quoted-printable for a full name that is
short or mostly ASCII, and uses base64 otherwise.
Background: when a message without a From: header is submitted with the
Postfix sendmail(1) command, Postfix will add a From: header and will
try to use the sender's full name specified with the Postfix sendmail(1)
"-F" option, with the sendmail(1) "NAME" environment variable, or
with the GECOS field in the UNIX password database.
This introduces a new configuration parameter "full_name_encoding_charset"
(default: utf8) which specifies the character set of the full name
information in the Postfix sendmail(1) "-F" option or "NAME"
environment variable, or in the GECOS field in the UNIX password
database. The parameter value is also part of the encoded full name,
and informs a Mail User Agent how to display the decoded gibberish.
[Incompat 20250105]
The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
ends abnormally (timeout, lost connection, or too many errors).
[Feature 20250105]
The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
ends abnormally (timeout, lost connection, or too many errors).
[Feature 20241104]
The cleanup server now logs "queueid: canceled" when a message
transaction is started but not completed. This provides a clear
signal to logfile collation tools.
[Feature 20240926]
Support for the TLSRPT protocol (defined in RFC 8460). With this,
an email receiving domain can publish a policy in DNS, and request
daily summary reports for successful and failed SMTP-over-TLS
connections to that domain's MX hosts.
Postfix supports TLSRPT summaries for DANE (built-in) and MTA-STS
(via an smtp_tls_policy_maps plugin). For details, see TLSRPT_README.

200
postfix/RELEASE_NOTES-3.10 Normal file
View File

@ -0,0 +1,200 @@
This is the Postfix 3.10 stable release.
The stable Postfix release is called postfix-3.10.x where 3=major
release number, 10=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
postfix-3.11-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 3.8 or earlier, please read RELEASE_NOTES-3.9
before proceeding.
Dual license
------------
As of Postfix 3.2.5 this software is distributed with a dual license:
in addition to the historical IBM Public License (IPL) 1.0, it is
now also distributed with the more recent Eclipse Public License
(EPL) 2.0. Recipients can choose to take the software under the
license of their choice. Those who are more comfortable with the
IPL can continue with that license.
Major changes - tls
-------------------
[Forward compatibility 20250212] Support for OpenSSL 3.5 post-quantum
cryptography. To manage algorithm selection, OpenSSL introduces new
TLS group syntax that Postfix will not attempt to imitate. Instead,
Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
parameter values to have an empty value. When both are set empty,
the algorithm selection can be managed through OpenSSL configuration.
For more, look for "Post-quantum" in the postconf(5) manpage.
[Feature 20250117] Support for the RFC 8689 "TLS-Required: no"
message header to request delivery of messages such as TLSRPT
summaries even if the preferred TLS security policy cannot be
enforced. This limits the Postfix SMTP client to "smtp_tls_security_level
= may" which does not authenticate server certificates and which
allows falling back to plaintext.
Support for the REQUIRETLS SMTP service extension remains future work.
[Feature 20240926] Support for the TLSRPT protocol (defined in RFC
8460). With this, a domain can publish a policy in DNS, and request
daily summary reports for successful and failed SMTP-over-TLS
connections to that domain's MX hosts.
Postfix supports TLSRPT summaries for DANE (built-in) and MTA-STS
(via an smtp_tls_policy_maps plugin). For details, see TLSRPT_README.
Major changes - privacy
-----------------------
[Feature 20250205] With "smtpd_hide_client_session = yes", the
Postfix SMTP server generates a Received: header without client
session info This setting may be used with the MUA submission
services (port 465 and 587), but it must not be used with the MTA
service (port 25).
Depending on the number of recipients, a redacted Received: header
has one of the following forms:
Received: by mail.example.com (Postfix) id postfix-queue-id
for <user@example.com>; Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
Received: by mail.example.com (Postfix) id postfix-queue-id
Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
The redacted form hides that a message was received with SMTP, and
therefore it does not need to provide the information required by
RFC 5321. It only has to satisfy RFC 5322.
Major changes - rfc2047
-----------------------
[Feature 20250105] Support for automatic RFC 2047 encoding of
non-ASCII "full name" information in Postfix-generated From: message
headers. Encoding non-ASCII full names can avoid the need to use
SMTPUTF8, and therefore can avoid incompatibility with sites that
do not support SMTPUTF8.
The encoded result looks like "=?charset?Q?gibberish?=: for
quoted-printable encoding, or "=?charset?B?gibberish?=" for base64
encoding. Postfix uses quoted-printable for a full name that is
short or mostly ASCII, and uses base64 otherwise.
Background: when a message without a From: header is submitted with
the Postfix sendmail(1) command, Postfix may add a From: header and
use the sender's full name specified with the Postfix sendmail(1)
"-F" option, with the sendmail(1) "NAME" environment variable, or
with the GECOS field in the UNIX password database.
This introduces a new configuration parameter "full_name_encoding_charset"
(default: utf8) which specifies the character set of the full name
information in the Postfix sendmail(1) "-F" option or "NAME"
environment variable, or in the GECOS field in the UNIX password
database. The parameter value becomes part of the encoded full name,
and informs a Mail User Agent how to display the decoded gibberish.
Major changes - bugfix
----------------------
[Incompat 20241130] The spawn(8) daemon failed to enforce the command
time limit. It was sending the SIGKILL signal using the wrong
effective UID and GID. The pipe(8) daemon has always done this
right.
Major changes - database
------------------------
[Feature 20250207] When mysql: or pgsql: configuration specifies
a single host, assume that it is a load balancer and reconnect
immediately after a single failure, instead of failing all requests
for 60s.
[Feature 20250114] first/next iterator support for cdb: tables, and
other cdb: table code cleanups by Michael Tokarev.
[Feature 20241024] In a pgsql: client configuration, the setting
"dbname" is required, but ignored when the setting "hosts" contains
an URI with a database name.
[Feature 20241025] The Postfix pgsql: client configuration now
allows any well-formed URI prefix as a pgsql: client connection
target (the PostgreSQL URI parser decides what is allowed). The
dbname setting is now optional if the hosts setting specifies only
URIs.
Major changes - internal protocol
---------------------------------
[Incompat 20250116] Postfix needs "postfix reload" after upgrade,
because of a change in the delivery agent protocol. If this step
is skipped, Postfix delivery agents will log a warning:
unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
where xxx is the delivery agent service name.
Major changes - milter
----------------------
[Incompat 20250106] The logging of the Milter 'quarantine' action
has changed. Instead of logging "milter triggers HOLD action", it
logs the reason given by a Milter application, or "default_action"
if a Milter application was unavailable and the milter_default_action
parameter or per-Milter "default_action" property specifies
"quarantine".
[Feature 20250106] The Postfix Milter implementation now logs the
reason for a 'quarantine' action, instead of "milter triggers HOLD
action".
- If the quarantine action was requested by a Milter application,
Postfix will log the reason given by the application.
- If the quarantine action was requested with the "milter_default_action"
parameter setting or with a per-Milter "default_action" property,
Postfix will log "default_action".
Major changes - logging
-----------------------
[Feature 20250106] The Postfix Milter implementation now logs the
reason for a 'quarantine' action, instead of "milter triggers HOLD
action".
- If the quarantine action was requested by a Milter application,
Postfix will log the reason given by the application.
- If the quarantine action was requested with the "milter_default_action"
parameter setting or with a per-Milter "default_action" property,
Postfix will log "default_action".
[Incompat 20250105] The SMTP server now logs the queue ID (or
"NOQUEUE") when a connection ends abnormally (timeout, lost connection,
or too many errors).
[Feature 20250105] The SMTP server now logs the queue ID (or
"NOQUEUE") when a connection ends abnormally (timeout, lost connection,
or too many errors).
[Incompat 20241104] The cleanup server now logs "queueid: canceled"
when a message transaction is started but not completed.
[Feature 20241104] The cleanup server now logs "queueid: canceled"
when a message transaction is started but not completed. This
provides a clear signal to logfile collation tools.
[Incompat 20241031] the Dovecot SASL client logging for "Invalid
authentication mechanism" now includes the name of that mechanism.
[Incompat 20241023] Postfix SMTP server 'reject' logging now shows
the sasl_method, sasl_username, and sasl_sender if available.

2
postfix/conf/main.cf
View File

@ -31,7 +31,7 @@
#
# The level below is what should be used with new (not upgrade) installs.
#
compatibility_level = 3.10
compatibility_level = 3.11
# SOFT BOUNCE
#

12
postfix/html/postconf.5.html
View File

@ -20119,13 +20119,11 @@ openssl.cnf:
Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
</pre>
<p> Caution: It is typically best to just use the default group
settings, for which no $<a href="postconf.5.html#tls_config_file">tls_config_file</a> is required (you can set
"<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none", to avoid unwanted leakage of system-wide
settings that strive to harden HTTPS against mostly browser-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS). </p>
<p> Caution: It is typically best to just use the default OpenSSL
group settings, by setting "<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none". Overly strict
system-wide TLS settings will conflict with Postfix's opportunistic
TLS, where being less restrictive is better than downgrading to
cleartext SMTP. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>

12
postfix/man/man5/postconf.5
View File

@ -13988,13 +13988,11 @@ openssl.cnf:
.fi
.ad
.PP
Caution: It is typically best to just use the default group
settings, for which no $tls_config_file is required (you can set
"tls_config_file = none", to avoid unwanted leakage of system\-wide
settings that strive to harden HTTPS against mostly browser\-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS).
Caution: It is typically best to just use the default OpenSSL
group settings, by setting "tls_config_file = none". Overly strict
system\-wide TLS settings will conflict with Postfix's opportunistic
TLS, where being less restrictive is better than downgrading to
cleartext SMTP.
.PP
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20.

12
postfix/proto/postconf.proto
View File

@ -19245,13 +19245,11 @@ openssl.cnf:
Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
</pre>
<p> Caution: It is typically best to just use the default group
settings, for which no $tls_config_file is required (you can set
"tls_config_file = none", to avoid unwanted leakage of system-wide
settings that strive to harden HTTPS against mostly browser-specific
security and privacy issues into Postfix use of opportunistic TLS,
where they're they can be counterproductive, leading to downgrades
to cleartext, rather than more "secure" TLS). </p>
<p> Caution: It is typically best to just use the default OpenSSL
group settings, by setting "tls_config_file = none". Overly strict
system-wide TLS settings will conflict with Postfix's opportunistic
TLS, where being less restrictive is better than downgrading to
cleartext SMTP. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>

2
postfix/proto/stop.spell-history
View File

@ -100,3 +100,5 @@ Roessner
bitflags
Schulze
tlspol
Gueven
Oemer

4
postfix/src/global/mail_version.h
View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20250215"
#define MAIL_VERSION_NUMBER "3.10"
#define MAIL_RELEASE_DATE "20250217"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

2
postfix/src/tls/tls_verify.c
View File

@ -315,7 +315,7 @@ void tls_log_verify_error(TLS_SESS_STATE *TLScontext,
if (tlsrpt)
trw_report_failure(tlsrpt, TLSRPT_CERTIFICATE_EXPIRED,
/* additional_info= */ (char *) 0,
/* failure_code= */ (char *) 8);
/* failure_code= */ (char *) 0);
#endif
break;
case X509_V_ERR_INVALID_PURPOSE:

16
postfix/src/tls/tlsrpt_wrapper.c
View File

@ -252,6 +252,13 @@
#include <tlsrpt.h>
#endif
#if !defined(TLSRPT_PREREQ)
#define TLSRPT_PREREQ(maj, min) \
(defined(TLSRPT_VERSION_MAJOR) && \
((TLSRPT_VERSION_MAJOR << 16) + TLSRPT_VERSION_MINOR >= \
((maj) << 16) + (min)))
#endif
/*
* Utility library.
*/
@ -321,6 +328,15 @@ TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name,
myname, rpt_socket_name, rpt_policy_domain,
rpt_policy_string, skip_reused_hs);
#if TLSRPT_PREREQ(0, 6)
if (tlsrpt_version_check(TLSRPT_VERSION_MAJOR, TLSRPT_VERSION_MINOR,
TLSRPT_VERSION_PATCH) == 0)
msg_warn("run-time library vs. compile-time header version mismatch: "
"libtlsrpt API version '%s' is not compatible with "
"libtlsrpt API version '%s' ", tlsrpt_version(),
TLSRPT_VERSION_STRING);
#endif
/*
* memset() is not portable for pointer etc. types.
*/