|
|
|
@ -1,613 +0,0 @@
|
|
|
|
|
Wish list:
|
|
|
|
|
|
|
|
|
|
Things to do before the stable release:
|
|
|
|
|
|
|
|
|
|
Remove this file from the stable release.
|
|
|
|
|
|
|
|
|
|
Things to do after the stable release:
|
|
|
|
|
|
|
|
|
|
When does it pay off to send domains in the active queue
|
|
|
|
|
to a DNS prefetch daemon? Could this generalize to a dynamic
|
|
|
|
|
transport map that piggy-backs domains with the same MX
|
|
|
|
|
host into the same mail delivery transaction?
|
|
|
|
|
|
|
|
|
|
inline table where the "whitespace replacement" character
|
|
|
|
|
is specified in-line. Ex: inline:XYname1Xvalue1Yname2Xvalue2
|
|
|
|
|
would instantiate a table with (name1, value1) and (name2,
|
|
|
|
|
value2). I'm afraid this is just too ugly.
|
|
|
|
|
|
|
|
|
|
tlsproxy(8) should receive TLS preferences from postscreen(8)
|
|
|
|
|
and smtpd(8), instead of reading them from main.cf. This
|
|
|
|
|
means that many tlsproxy_ parameters become postscreen_
|
|
|
|
|
parameters, and that tls_server_init() parameters move to
|
|
|
|
|
to tls_server_start(). That is a significant API change.
|
|
|
|
|
|
|
|
|
|
anvil rate limit for sasl_username.
|
|
|
|
|
|
|
|
|
|
Encapsulate nbbio buffer access and update by tlsproxy.
|
|
|
|
|
|
|
|
|
|
Full-duplex support for tlsproxy(8). This requires updating
|
|
|
|
|
events(3) and nbbio(3).
|
|
|
|
|
|
|
|
|
|
Register automagic destructor for object attached to VSTREAM.
|
|
|
|
|
|
|
|
|
|
smtpd xclient option for sasl_username.
|
|
|
|
|
|
|
|
|
|
Use different ipc time limits for email message transactions
|
|
|
|
|
(smtpd, pickup)->cleanup and for quick query/reply transactions
|
|
|
|
|
such as address rewriting/resolution. Beware of large time
|
|
|
|
|
limits for local or virtual alias expansion.
|
|
|
|
|
|
|
|
|
|
permit_tempfail_action (default: defer_if_reject) to be
|
|
|
|
|
used as the default value for dnswl_tempfail_action and
|
|
|
|
|
rhswl_tempfail_action. Steal liberally from the code that
|
|
|
|
|
implements unverified_recipient_tempfail_action etc.
|
|
|
|
|
|
|
|
|
|
Support filtering of messages that are generated by Postfix:
|
|
|
|
|
This would apply to postmaster notices and bounce messages
|
|
|
|
|
(DKIM), and address verification (BATV).
|
|
|
|
|
|
|
|
|
|
As postscreen implements more ESMTP keywords, need to copy
|
|
|
|
|
inter-operability features from smtpd to filter keywords
|
|
|
|
|
and command syntax.
|
|
|
|
|
|
|
|
|
|
Consistency: in postconf.proto make <dt>..</dt> tags bold.
|
|
|
|
|
|
|
|
|
|
postscreen(8): listen on multiple IP addresses and enforce
|
|
|
|
|
that the client contacts the primary MX address first (i.e.
|
|
|
|
|
punish hosts that contact the secondary before the primary).
|
|
|
|
|
The downside with any approach that relies on temporary
|
|
|
|
|
punishment is that it does not scale to configurations
|
|
|
|
|
with multiple equal-preference MX hosts. Such hosts would
|
|
|
|
|
have to share the postscreen cache, causing an unacceptable
|
|
|
|
|
performance bottleneck and a single point of failure.
|
|
|
|
|
|
|
|
|
|
According to a paper by Ted Unangst at BSDCON09, kqueue
|
|
|
|
|
reports state changes, i.e. kqueue indicates when the socket
|
|
|
|
|
becomes readable. Specifically, he writes when kqueue reports
|
|
|
|
|
a socket becomes readable but no data is read from that
|
|
|
|
|
socket, later kqueue calls won't report the socket as
|
|
|
|
|
readable. That's not what happens on FreeBSD 8.0, where
|
|
|
|
|
kqueue will keep reporting the socket as readable when
|
|
|
|
|
nothing is read. Also, FreeBSD 8.0 kqueue still reports
|
|
|
|
|
the socket as readable after a read operation does not empty
|
|
|
|
|
the kernel buffer. We need a test program for this that
|
|
|
|
|
repeats these tests with OpenBSD and NetBSD (and MacOS X
|
|
|
|
|
once they fix their kqueue implementation).
|
|
|
|
|
|
|
|
|
|
Would it help if there were different cleanup_service
|
|
|
|
|
parameter names for different message paths? smtpd(8) uses
|
|
|
|
|
the same cleanup_service value for receiving remote mail
|
|
|
|
|
and for submitting postmaster problem reports. Do we need
|
|
|
|
|
separate mumble_cleanup_service_name parameters for "inject",
|
|
|
|
|
"notify" and "forward" (with backwards compatible defaults)?
|
|
|
|
|
|
|
|
|
|
IF/ENDIF support for CIDR tables.
|
|
|
|
|
|
|
|
|
|
Make postconf aware of magical suffixes (the ones that
|
|
|
|
|
combine with transport names) and show them in "postconf
|
|
|
|
|
-n" output. Making this work with "postconf -d" is trickier.
|
|
|
|
|
|
|
|
|
|
Need a regular expression table to translate address
|
|
|
|
|
verification responses into hard/soft/accept reply codes.
|
|
|
|
|
|
|
|
|
|
Is there a way to make sendmail -V work after local alias
|
|
|
|
|
expansion? Majordomo-like mailing lists would benefit from
|
|
|
|
|
this; the example in VERP_README does not work in the general
|
|
|
|
|
case.
|
|
|
|
|
|
|
|
|
|
When an alias is a member of an :include: list with owner-
|
|
|
|
|
alias, local(8) needs an option to deliver alias or alias->user
|
|
|
|
|
indirectly. What happens when an :include: list with owner-
|
|
|
|
|
alias includes another list?
|
|
|
|
|
|
|
|
|
|
Don't allow empty result values in pcre and regexp maps.
|
|
|
|
|
Postfix doesn't allow them anywhere else (check this).
|
|
|
|
|
|
|
|
|
|
Make PCRE_MAX_CAPTURE configurable.
|
|
|
|
|
|
|
|
|
|
Add some checks for tokens starting with #. A challenge
|
|
|
|
|
is to report sensible context from the guts of some low-level
|
|
|
|
|
parser, without introducing a great deal of clumsiness.
|
|
|
|
|
|
|
|
|
|
Add sendmail macros for {verify} and maybe other TLS info.
|
|
|
|
|
|
|
|
|
|
Find out if we are doing the correct thing by looking at
|
|
|
|
|
state->milter_reject_text when expanding {rcpt_addr} or
|
|
|
|
|
{rcpt_host}.
|
|
|
|
|
|
|
|
|
|
Find out why post_mail() etc. block when the qmgr fifo is
|
|
|
|
|
full (answer: trigger_timeout). How can this cause delays
|
|
|
|
|
in the queue manager? When a recipient bounces during
|
|
|
|
|
(transport, nexthop, address) resolution, it is redirected
|
|
|
|
|
to the error or retry mailer; and bounce-after-delivery is
|
|
|
|
|
asynchrounous so it can't block the queue manager, either.
|
|
|
|
|
|
|
|
|
|
Add smtpd_sender_login_maps to proxy_read_maps, and make
|
|
|
|
|
sure that defaults are set before proxy_read_maps is
|
|
|
|
|
evaluated. What other parameters are worthy of being
|
|
|
|
|
whitelisted for proxy access? Is there a way to automate
|
|
|
|
|
this decision?
|
|
|
|
|
|
|
|
|
|
How to ensure that proxy_read_maps is processed after all
|
|
|
|
|
its dependencies are initialized, or just bite the bullet
|
|
|
|
|
and rewrite the parameter initialization code.
|
|
|
|
|
|
|
|
|
|
The cleanup virtual alias expansion limit does not really
|
|
|
|
|
deliver on its promises. 1) It promises to truncate the
|
|
|
|
|
result without aborting delivery, which would be undesirable
|
|
|
|
|
anyway, but that is not what it does, so that is good. 2)
|
|
|
|
|
It keeps all the recipients from multi-recipient database
|
|
|
|
|
lookup, then terminates further recursion when the result
|
|
|
|
|
exceeds the expansion limit. This behavior achieves the
|
|
|
|
|
original goal that all things shall have a finite size (even
|
|
|
|
|
though but we don'really care how large they are) but may
|
|
|
|
|
result in surprises when recipients are listed in virtual
|
|
|
|
|
alias domains or need expansion for other reasons. In a
|
|
|
|
|
phone call with Victor, a reasonable way out is to set the
|
|
|
|
|
limit to some large number (100000) and abort delivery when
|
|
|
|
|
the result exceeds the limit.
|
|
|
|
|
|
|
|
|
|
Should the postscreen save permanent white/black list lookup
|
|
|
|
|
results to the temporary cache, and query the temporary
|
|
|
|
|
cache first? Skipping white/black list lookups will speed
|
|
|
|
|
up the handling of "good" clients without a permanent
|
|
|
|
|
whitelist entry. Of course, this means that updates to the
|
|
|
|
|
white/black lists do not immediately take effect. Workarounds:
|
|
|
|
|
1) use a shorter temporary cache TTL for clients on the
|
|
|
|
|
permanent black/white lists; 2) ignore cached white/black
|
|
|
|
|
list lookup results after "postfix reload"; 2) adjust the
|
|
|
|
|
logging, for example "WHITELISTED address (cached)" and
|
|
|
|
|
"BLACKLISTED address (cached)" to eliminate surprises.
|
|
|
|
|
Comparing the cache entry time with the white/blacklist
|
|
|
|
|
file modification time is not foolproof: for example, pcre
|
|
|
|
|
or CIDR tables are read only once.
|
|
|
|
|
|
|
|
|
|
It would be nice if the generic dict_cache(3) cache manager
|
|
|
|
|
could postpone process suicide until cache cleanup is
|
|
|
|
|
completed (but that is not possible when postscreen forks
|
|
|
|
|
into the background to finish already-accepted connections,
|
|
|
|
|
and it is not desirable when a host is being shut down).
|
|
|
|
|
|
|
|
|
|
When postscreen drops a connection, a 521 "greeting" should
|
|
|
|
|
be of the form "521 servername..." and not have an enhanced
|
|
|
|
|
status code. The "521 5.7.1" form can be used after EHLO.
|
|
|
|
|
Of course no spammer is going to complain about Postfix
|
|
|
|
|
SMTP compliance.
|
|
|
|
|
|
|
|
|
|
Find a place to document all the mail routing mechanisms
|
|
|
|
|
in one place so people can figure out how Postfix works.
|
|
|
|
|
|
|
|
|
|
Investigate viability of Sendmail socket maps (the moral
|
|
|
|
|
equivalent of tcp_table(5)), and dns maps.
|
|
|
|
|
|
|
|
|
|
The access map BCC action is marked "not stable", perhaps
|
|
|
|
|
because people would also expect BCC actions in header/body_checks.
|
|
|
|
|
How much would it take to make the queue file editing code
|
|
|
|
|
generally usable?
|
|
|
|
|
|
|
|
|
|
Move smtpd_command_filter into smtpd_chat_query() and update
|
|
|
|
|
the session transcript (see smtp_chat_reply() for an example).
|
|
|
|
|
|
|
|
|
|
SMTP connection caching without storing connections, to
|
|
|
|
|
improve TLS mail delivery performance.
|
|
|
|
|
|
|
|
|
|
postscreen has separate socket budgets for whitelisted
|
|
|
|
|
clients and for other clients. If we add a dummy SMTP engine
|
|
|
|
|
then we extend the session length for non-whitelisted clients
|
|
|
|
|
and need to increase the socket budget (or create a new
|
|
|
|
|
budget class, which complicates the user interface).
|
|
|
|
|
|
|
|
|
|
Should not milter8_mail_event() unset the "hold" default
|
|
|
|
|
reply? Better, the default reply should not be used for
|
|
|
|
|
this purpose.
|
|
|
|
|
|
|
|
|
|
Unescape the pregreeter's HELO command argument so that
|
|
|
|
|
<CR><LF> don't show up as ??.
|
|
|
|
|
|
|
|
|
|
Make postscreen logging easier. Always log connect, then log
|
|
|
|
|
why the connection is or is not forwarded.
|
|
|
|
|
|
|
|
|
|
Don't send MASTER_STAT_TAKEN/MASTER_STAT_AVAIL when a server
|
|
|
|
|
runs with process limit of 1. But this means the master
|
|
|
|
|
never learns that the process is successful and will always
|
|
|
|
|
pause $service_throttle_time before restarting a failed service.
|
|
|
|
|
|
|
|
|
|
Don't bother maintaining a per-service lockfile when a
|
|
|
|
|
server runs with process limit of 1. The purpose of the
|
|
|
|
|
lockfile is to avoid thundering herd problems when the kernel
|
|
|
|
|
wakes up multiple processes for each new client connection.
|
|
|
|
|
|
|
|
|
|
Concurrency/speed-matching: invoke a before-queue (smtpd_proxy)
|
|
|
|
|
filter after the entire message is received, so that fewer
|
|
|
|
|
filter processes will be running simultaneously. In some
|
|
|
|
|
parts of the world, after-queue filtering is problematic.
|
|
|
|
|
|
|
|
|
|
This is different than the MailChannels patented solution
|
|
|
|
|
to multiplex many slow SMTP connections over a few fast
|
|
|
|
|
SMTP connections. We simply postpone opening the connection
|
|
|
|
|
to the filter, and rely on the before-filter SMTP server
|
|
|
|
|
to reject invalid recipients. MailChannels uses one
|
|
|
|
|
connection-to-MTA to discover invalid recipients, receives
|
|
|
|
|
the email message with a potentially reduced bitrate, and
|
|
|
|
|
then uses another connection-to-MTA to deliver the message
|
|
|
|
|
quickly.
|
|
|
|
|
|
|
|
|
|
Implement PREPEND action for milter_header_checks. Save the
|
|
|
|
|
to-be-prepended text to buffer, then emit it along with the
|
|
|
|
|
new header.
|
|
|
|
|
|
|
|
|
|
Fix the header_body_checks API, so that the name of the map
|
|
|
|
|
class (e.g. milter_header_checks) is available for logging.
|
|
|
|
|
|
|
|
|
|
Fix the mime_state and header_body_checks APIs, so that
|
|
|
|
|
they use VSTRINGs. This simplifies REPLACE actions.
|
|
|
|
|
|
|
|
|
|
Update FILTER_README for multi-instance support, and rename
|
|
|
|
|
the old document to FILTER_LEGACY_README.
|
|
|
|
|
|
|
|
|
|
Need to sign delivery status notifications, to avoid surprises
|
|
|
|
|
when eventually people start enforcing DKIM etc. signatures.
|
|
|
|
|
|
|
|
|
|
Either document or remove the internal_mail_filter_classes
|
|
|
|
|
feature (it's disabled by default).
|
|
|
|
|
|
|
|
|
|
"postconf -N" option to print user-defined parameter names
|
|
|
|
|
(these have no defaults, since they exist only when
|
|
|
|
|
specified in main.cf or with "-o name=value").
|
|
|
|
|
|
|
|
|
|
Make the "unknown recipient" test configurable as
|
|
|
|
|
first|last|never, with "yes"=="last" for backwards
|
|
|
|
|
compatibility. The "first" setting is good for performance
|
|
|
|
|
(stress=yes) when all users are defined in local files; but
|
|
|
|
|
it may perform worse when users are in networked tables.
|
|
|
|
|
|
|
|
|
|
Cleanup: make DNSBL query format configurable beyond the
|
|
|
|
|
client's reversed IP address.
|
|
|
|
|
|
|
|
|
|
With 'final delivery' in the LMTP client, need an option
|
|
|
|
|
to also add delivered-to and other pipe(8) features. This
|
|
|
|
|
requires making mail_copy() functionality available in
|
|
|
|
|
non-mailbox context.
|
|
|
|
|
|
|
|
|
|
Cleanup: modernize the "add missing From: header" code, to
|
|
|
|
|
``phrase <addr>'' form. Most likely, quote the entire phrase
|
|
|
|
|
if it contains any text that is special, then rfc822_externalize
|
|
|
|
|
the whole thing.
|
|
|
|
|
|
|
|
|
|
SMTP server: make the server_addr and server_port available
|
|
|
|
|
to policy server, Dovecot, and perhaps Milters.
|
|
|
|
|
|
|
|
|
|
Med: local and remote source port and IP address for smtpd
|
|
|
|
|
policy hook.
|
|
|
|
|
|
|
|
|
|
Maybe change maps_rbl_reject_code default to 521, and
|
|
|
|
|
update wording in STRESS_README.
|
|
|
|
|
|
|
|
|
|
Encapsulate time_t comparisons so that they can be made
|
|
|
|
|
system dependent (use difftime() where available).
|
|
|
|
|
|
|
|
|
|
Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that
|
|
|
|
|
they can be made system dependent.
|
|
|
|
|
|
|
|
|
|
Plan for time_t larger than long, or wait for LP64 to
|
|
|
|
|
dominate the world?
|
|
|
|
|
|
|
|
|
|
Make "AUTH=<>" appendage to MAIL FROM configurable, enabled
|
|
|
|
|
by default.
|
|
|
|
|
|
|
|
|
|
To support ternary operator without a huge parsing effort,
|
|
|
|
|
consider ${value?{xxx}:{yyy}} where ${name} is existing
|
|
|
|
|
syntax, and where ?{text} and :{text} are new syntax that
|
|
|
|
|
is unlikely to break existing configurations. Or perhaps
|
|
|
|
|
it's just too ugly.
|
|
|
|
|
|
|
|
|
|
Write delivery rate delay example (which _README?) and auth
|
|
|
|
|
failure cache example (SASL_README). Then include them in
|
|
|
|
|
SOHO_README.
|
|
|
|
|
|
|
|
|
|
Look for alternatives for the use of non_smtpd_milters.
|
|
|
|
|
This involves some way to force local submissions to go
|
|
|
|
|
through a local SMTP client and server, without triggering
|
|
|
|
|
"mail loops back to myself" false alarms. The advantage is
|
|
|
|
|
that it makes smtpd_mumble_restrictions available for local
|
|
|
|
|
and remote mail; the disadvantage is that it makes local
|
|
|
|
|
submissions more dependent on networking. One possibility
|
|
|
|
|
is to use "pickup -o content_filter=smtp:127.0.0.1:10025",
|
|
|
|
|
or a dedicated SMTP client/server on UNIX-domain sockets;
|
|
|
|
|
we could also decide to always suppress "mail loop" detection
|
|
|
|
|
for loopback connections. Another option is to have the
|
|
|
|
|
pickup or cleanup server drive an SMTP client directly;
|
|
|
|
|
this would require extension of the mail_stream() interface,
|
|
|
|
|
plus a way to handle bounced/deferred recipients intelligently,
|
|
|
|
|
but it would be at odds with Postfix design where delivery
|
|
|
|
|
agents access queue files directly; exposing delivery agents
|
|
|
|
|
to raw queue files violates another Postfix design principle.
|
|
|
|
|
|
|
|
|
|
Consolidate duplicated code in *_server_accept_{pass,inet}().
|
|
|
|
|
|
|
|
|
|
Consolidate duplicated code in {inet,unix,upass}_trigger.c.
|
|
|
|
|
|
|
|
|
|
In the SMTP client, handle 421 replies in smtp_loop() by
|
|
|
|
|
having the input function raise a flag after detecting 421
|
|
|
|
|
(kill connection caching and be sure to do the right thing
|
|
|
|
|
with RSET probes), leave the smtp_loop() per-command reply
|
|
|
|
|
handlers unchanged, and have the smtp_loop() reader loop
|
|
|
|
|
bail out with smtp_site_fail("server disconnected after
|
|
|
|
|
%s", where), but only in the case that it isn't already in
|
|
|
|
|
the final state. But first we need to clean up the handling
|
|
|
|
|
of do/don't cache, expired, bad and dead sessions.
|
|
|
|
|
|
|
|
|
|
Combine smtpd_peer.c and qmqpd_peer.c into a single function
|
|
|
|
|
that produces a client context object, and provide attribute
|
|
|
|
|
print/scan routines that pass these client context objects
|
|
|
|
|
around. With this, we no longer have to update multiple
|
|
|
|
|
pieces of code when a client attribute is added. Ditto for
|
|
|
|
|
SASL and TLS context.
|
|
|
|
|
|
|
|
|
|
Make TLS_BIO_BUFSIZE run-time adjustable, to future-proof
|
|
|
|
|
Postfix for remote connections with MSS > 8 kbytes.
|
|
|
|
|
|
|
|
|
|
Don't log "warning: XXXXX: undeliverable postmaster
|
|
|
|
|
notification discarded" for spam from outside.
|
|
|
|
|
|
|
|
|
|
Really need a cleanup driver that allows testing against
|
|
|
|
|
Milter applications instead of synthetic events. This would
|
|
|
|
|
have to provide stubs for clients that talk to Postfix
|
|
|
|
|
daemon processes. See if this approach can also be used for
|
|
|
|
|
other daemons.
|
|
|
|
|
|
|
|
|
|
smtpd(8) exempts $address_verify_sender from access controls,
|
|
|
|
|
but it doesn't know whether cleanup(8) or delivery agents
|
|
|
|
|
modify the sender. Would it be possible to "calibrate" this
|
|
|
|
|
exemption, perhaps by having delivery agents pass the probe
|
|
|
|
|
sender to the verify server, keeping in mind that the probe
|
|
|
|
|
sender may differ per delivery agent due to output rewriting.
|
|
|
|
|
|
|
|
|
|
Update attr_print/scan() so they can send/receive file
|
|
|
|
|
descriptors. This simplifies kludgy code in many daemons.
|
|
|
|
|
|
|
|
|
|
Would there be a problem adding $smtpd_mumble_restrictions
|
|
|
|
|
and $smtpd_sender_login_maps to the default proxy_read_maps
|
|
|
|
|
settings?
|
|
|
|
|
|
|
|
|
|
Remove defer(8) and trace(8) references and man pages. These
|
|
|
|
|
are services not program names. On the other hand we have
|
|
|
|
|
man pages for lmtp(8) and smtp(8), but not for relay(8).
|
|
|
|
|
Likewise, retry(8) does not have a man page.
|
|
|
|
|
|
|
|
|
|
Bind all deliveries to the same local delivery process,
|
|
|
|
|
making Postfix perform as poorly as monolithic mailers, but
|
|
|
|
|
giving a possibility to eliminate duplicate deliveries.
|
|
|
|
|
|
|
|
|
|
Maybe declare loop when resolve_local(mxhost) is true?
|
|
|
|
|
|
|
|
|
|
Update message content length when adding/removing headers.
|
|
|
|
|
|
|
|
|
|
Need scache size limit.
|
|
|
|
|
|
|
|
|
|
Make postcat header/body aware so people can grep headers.
|
|
|
|
|
What headers? primary, mime, nested? What body? Does it
|
|
|
|
|
include the mime and attached headers?
|
|
|
|
|
|
|
|
|
|
REDIRECT should override original recipient info, and
|
|
|
|
|
probably override DSN as well.
|
|
|
|
|
|
|
|
|
|
Find out if with Sendmail, a Milter "add recipient" request
|
|
|
|
|
results in NOTIFY=NONE as Postfix does now.
|
|
|
|
|
|
|
|
|
|
Update FILTER_README with mailing list suggestions to tag
|
|
|
|
|
with a badness indicator and then filter down-stream.
|
|
|
|
|
|
|
|
|
|
Make null local-part handling configurable: either expand
|
|
|
|
|
into mailer-daemon (current bahavior) or disallow (strict
|
|
|
|
|
behavior, currently implemented only in the SMTP server).
|
|
|
|
|
|
|
|
|
|
The type of var_message_limit (and other file size/offset
|
|
|
|
|
configuration parameters or internal protocol attributes)
|
|
|
|
|
should be changed from int to off_t. This also requires
|
|
|
|
|
checking all expressions in which var_message_limit etc.
|
|
|
|
|
appears: qmqpd, netstring, deliver_request, ...
|
|
|
|
|
|
|
|
|
|
Add M flag (enable multi-recipient delivery) to pipe daemon.
|
|
|
|
|
|
|
|
|
|
The usage of TLScontext->cache_type is unclear. It specifies
|
|
|
|
|
a TLS session cache type (smtpd, smtp, or lmtp), but it is
|
|
|
|
|
sometimes used as an indicator that TLS session caching is
|
|
|
|
|
unavailable. In reality, that decision is made by not
|
|
|
|
|
registering call-back functions for cache maintenance.
|
|
|
|
|
|
|
|
|
|
Postfix TLS library code should copy any strings that it
|
|
|
|
|
receives from the application, instead of passing them
|
|
|
|
|
around as pointers. TLScontext->cache_type is a case in
|
|
|
|
|
point.
|
|
|
|
|
|
|
|
|
|
Are transport:nexthop null fields the same as in the case
|
|
|
|
|
of default_transport etc. parameters?
|
|
|
|
|
|
|
|
|
|
Don't lose bits when converting st_dev into maildir file
|
|
|
|
|
name. It's 64 bits on Linux. Found with the BEAM source
|
|
|
|
|
code analyzer. Is this really a problem, or are they just
|
|
|
|
|
using 64 bits for upwards compatibility with LP64 systems?
|
|
|
|
|
|
|
|
|
|
Do or don't introduce unknown_reverse_client_reject_code.
|
|
|
|
|
|
|
|
|
|
Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
|
|
|
|
|
UNIX).
|
|
|
|
|
|
|
|
|
|
Tempfail when a Milter application tries to negotiate content
|
|
|
|
|
access, while it is configured in an SMTP server that runs
|
|
|
|
|
before the smtpd_proxy filter.
|
|
|
|
|
|
|
|
|
|
Log DSN original recipient when rejecting mail.
|
|
|
|
|
|
|
|
|
|
Keep whitespace between label and ":"?
|
|
|
|
|
|
|
|
|
|
Make the map case folding/locking options configurable, if
|
|
|
|
|
not at run-time then at least at compile time so we get
|
|
|
|
|
consistent behavior across applications.
|
|
|
|
|
|
|
|
|
|
Investigate what it would take to eliminate oqmgr, and to
|
|
|
|
|
make the old behavior configurable in a unified queue
|
|
|
|
|
manager. This would shave another 2.7 KLOC from the source
|
|
|
|
|
footprint.
|
|
|
|
|
|
|
|
|
|
Document the case folding strategy for match_list like
|
|
|
|
|
features.
|
|
|
|
|
|
|
|
|
|
Eliminate the (incoming,deferred)->active rename operation.
|
|
|
|
|
This requires an in-memory hash of queue file names to avoid
|
|
|
|
|
duplicate open() operations.
|
|
|
|
|
|
|
|
|
|
Softbounce fallback-to-ISP for SOHO users. This heuristic
|
|
|
|
|
assumes that when direct-to-MX delivery fails with 5XX,
|
|
|
|
|
delivery via the ISP may still succeed. This could be
|
|
|
|
|
implemented by enabling soft bounces for destinations other
|
|
|
|
|
than the smtp_fallback_relay. So the only benefit of this
|
|
|
|
|
over the existing soft_bounce feature is that it has no
|
|
|
|
|
effect on smtp_fallback_relay deliveries.
|
|
|
|
|
|
|
|
|
|
Centralize main.cf parameter input so that defaults work
|
|
|
|
|
consistently. What about parameter names that are prefixed
|
|
|
|
|
with mail delivery transport names?
|
|
|
|
|
|
|
|
|
|
Fix default time unit handling so that we can have a default
|
|
|
|
|
bounce lifetime of $maximal_queue_lifetime, without causing
|
|
|
|
|
panics when a non-default maximal_queue_lifetime setting
|
|
|
|
|
includes no time unit.
|
|
|
|
|
|
|
|
|
|
After the 20051222 ISASCII paranoia, lowercase() lowercases
|
|
|
|
|
ASCII text only.
|
|
|
|
|
|
|
|
|
|
Privacy: remove local command/pathname details from remote
|
|
|
|
|
delivery status reports, and log them via local msg_warn().
|
|
|
|
|
|
|
|
|
|
Is it safe to cache a connection after it has been used for
|
|
|
|
|
more than some number of address verification probes?
|
|
|
|
|
|
|
|
|
|
Try to recognize that Resent- headers appear in blocks,
|
|
|
|
|
newest block first. But don't break on incorrect header
|
|
|
|
|
block organization.
|
|
|
|
|
|
|
|
|
|
Hard limits on cache sizes (anvil, specifically).
|
|
|
|
|
|
|
|
|
|
Laptop friendliness: make the qmgr remember when the next
|
|
|
|
|
deferred queue scan needs to be done, and have the pickup
|
|
|
|
|
server stat() the maildrop directory before searching it.
|
|
|
|
|
|
|
|
|
|
Low: replace_sender/replace_recipient actions in access
|
|
|
|
|
maps, so they can be used in policy servers?
|
|
|
|
|
|
|
|
|
|
Low: configurable order of local(8) delivery methods.
|
|
|
|
|
|
|
|
|
|
Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
|
|
|
|
|
to limit the total time spent trying to connect.
|
|
|
|
|
|
|
|
|
|
Med: transform IPv4-in-IPv6 address literals to IPv4 form
|
|
|
|
|
when comparing against local IP addresses?
|
|
|
|
|
|
|
|
|
|
Med: transform IPv4-in-IPv6 address literals to IPv4 form
|
|
|
|
|
when eliminating MX mailer loops?
|
|
|
|
|
|
|
|
|
|
Med: Postfix requires [] around IPv6 address information
|
|
|
|
|
in match lists such as mynetworks, debug_peer_list etc.,
|
|
|
|
|
but the [] must not be specified in access(5) maps. Other
|
|
|
|
|
places don't care. For now, this gotcha is documented in
|
|
|
|
|
IPV6_README and in postconf(5) with each feature that may
|
|
|
|
|
use IPv6 address information. The general recommendation
|
|
|
|
|
is not to use [] unless absolutely necessary.
|
|
|
|
|
|
|
|
|
|
Med: the partial address matching of IPv6 addresses in
|
|
|
|
|
access(5) maps is a bit lame: it repeatedly truncates the
|
|
|
|
|
last ":octetpair" from the printable address representation
|
|
|
|
|
until a match is found or until truncation is no longer
|
|
|
|
|
possible. Since one or more ":" are usually omitted from
|
|
|
|
|
the printable IPv6 address representation, this does not
|
|
|
|
|
really try all the possibilities that one might expect to
|
|
|
|
|
be tried. For now, this gotcha is documented in access(5).
|
|
|
|
|
|
|
|
|
|
Low: reject HELO with any domain name or IP address that
|
|
|
|
|
this MTA is the final destination for.
|
|
|
|
|
|
|
|
|
|
Low: should the Delivered-To: test in local(8) be configurable?
|
|
|
|
|
|
|
|
|
|
Low: make mail_addr_find() lookup configurable.
|
|
|
|
|
|
|
|
|
|
Low: update events.c so that 1-second timer requests do not
|
|
|
|
|
suffer from rounding errors. This is needed for 1-second
|
|
|
|
|
SMTP session caching time limits. A 1-second interval would
|
|
|
|
|
become arbitrarily short when an event is scheduled just
|
|
|
|
|
before the current second rolls over.
|
|
|
|
|
|
|
|
|
|
Low: configurable internal/system locking method.
|
|
|
|
|
|
|
|
|
|
Low: add INSTALL section for pre-existing Postfix systems.
|
|
|
|
|
|
|
|
|
|
Low: add INSTALL section for pre-existing RPM Postfixes.
|
|
|
|
|
|
|
|
|
|
Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).
|
|
|
|
|
|
|
|
|
|
Low: noise filter: allow smtp(8) to retry immediately if
|
|
|
|
|
all MXes return a quick ECONNRESET or 4xx reply during the
|
|
|
|
|
initial handshake. Retry once? How many times?
|
|
|
|
|
|
|
|
|
|
Low: make post-install a "postfix-only script" so it can
|
|
|
|
|
take data from the environment instead of main.cf.
|
|
|
|
|
|
|
|
|
|
Low: randomize deferred mail backoff.
|
|
|
|
|
|
|
|
|
|
Med: separate ulimit for delivery to command?
|
|
|
|
|
|
|
|
|
|
Med: postsuper -r should do something with recipients in
|
|
|
|
|
bounce logfiles, to make sure the sender will be notified.
|
|
|
|
|
To be perfectly safe, no process other than the queue manager
|
|
|
|
|
should move a queue file away from the active queue.
|
|
|
|
|
|
|
|
|
|
This could involve tagging a queue file, and use up another
|
|
|
|
|
permission bit (postsuper tags a "hot" file, qmgr requeues it).
|
|
|
|
|
|
|
|
|
|
Low: postsuper re-run after renaming files, but only a
|
|
|
|
|
limited number of times.
|
|
|
|
|
|
|
|
|
|
Low: smtp-source may block when sending large test messages.
|
|
|
|
|
|
|
|
|
|
Med: find a way to log the sender address when MAIL FROM
|
|
|
|
|
is rejected due to lack of disk space.
|
|
|
|
|
|
|
|
|
|
Low: revise other local delivery agent duplicate filters.
|
|
|
|
|
|
|
|
|
|
Low: all table lookups should consistently use internalized
|
|
|
|
|
(unquoted) or externalized (quoted) forms as lookup keys.
|
|
|
|
|
smtpd, qmgr, local, etc. use unquoted address forms as keys.
|
|
|
|
|
cleanup uses quoted forms.
|
|
|
|
|
|
|
|
|
|
Low: have a configurable list of errno values for mailbox
|
|
|
|
|
or maildir delivery that result in deferral rather than
|
|
|
|
|
bouncing mail. What about "killed by signal" exits?
|
|
|
|
|
|
|
|
|
|
Low: after reorganizing configuration parameters, add flags
|
|
|
|
|
to all parameters whose value can be read from file.
|
|
|
|
|
|
|
|
|
|
Medium: need in-process caching for map lookups. LDAP servers
|
|
|
|
|
seem to need this in particular. Need a way to expire cached
|
|
|
|
|
results that are too old.
|
|
|
|
|
|
|
|
|
|
Low: generic showq protocol, to allow for more intelligent
|
|
|
|
|
processing than just mailq. Maybe marry this with postsuper.
|
|
|
|
|
|
|
|
|
|
Low: default domain for appending to unqualified recipients,
|
|
|
|
|
so that unqualified names can be delivered locally.
|
|
|
|
|
|
|
|
|
|
Low: The $process_id_directory setting is not used anywhere
|
|
|
|
|
in Postfix. Problem reported by Michael Smith, texas.net.
|
|
|
|
|
This should be documented, or better, the code should warn
|
|
|
|
|
about attempts to set read-only parameters.
|
|
|
|
|
|
|
|
|
|
Low: postconf -e edits parameters that postconf won't list.
|
|
|
|
|
|
|
|
|
|
Low: while converting 8bit text to quoted-printable, perhaps
|
|
|
|
|
use =46rom to avoid having to produce >From when delivering
|
|
|
|
|
to mailbox.
|
|
|
|
|
|
|
|
|
|
virtual_mailbox_path expression like forward_path, so that
|
|
|
|
|
people can specify prefix and suffix.
|
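Review bot: Deleting all 613 lines also drops entries that read as open hardening work rather than wishes, and nothing in the hunk shows where they go. Examples are "Privacy: remove local command/pathname details from remote delivery status reports", "Hard limits on cache sizes (anvil, specifically)", and the note that var_message_limit "should be changed from int to off_t". Suggest moving the resource-limit, privacy, TLS string-ownership (TLScontext->cache_type) and integer-width items (st_dev, time_t, UINT32) into a tracked location before the file goes, or saying in the commit message where they now live. If the only goal is the file's own instruction to "Remove this file from the stable release", excluding it from the release packaging would meet that while keeping the list on the development branch.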