-
Notifications
You must be signed in to change notification settings - Fork 3
/
RELEASE_NOTES
206 lines (149 loc) · 7.56 KB
/
RELEASE_NOTES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
The stable Postfix release is called postfix-2.9.x where 2=major
release number, 9=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
postfix-2.10-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
before proceeding.
Incompatible changes with snapshot 20121007
===========================================
As part of a forward compatibility safety net, the Postfix installation
procedure adds the following smtpd_relay_restrictions entry to
main.cf when there is none:
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
If your site has a complex mail relay policy configured under
smtpd_recipient_restrictions, this safety net will defer mail that
the built-in smtpd_relay_restrictions setting would bounce.
To eliminate this safety net, take one of the following three
actions:
- Set smtpd_relay_restrictions empty, and keep using the existing
mail relay authorization policy in smtpd_recipient_restrictions.
- Copy the existing mail relay authorization policy from
smtpd_recipient_restrictions to smtpd_relay_restrictions.
- Set smtpd_relay_restrictions by hand to the new built-in
policy: permit_mynetworks reject_unauth_destination.
There is no need to change the value of smtpd_recipient_restrictions.
Major changes with snapshot 20121007
====================================
This version introduces the smtpd_relay_restrictions feature
for mail relay control. The new built-in default settings are:
smtpd_relay_restrictions =
permit_mynetworks
reject_unauth_destination
smtpd_recipient_restrictions =
( optional spam blocking rules would go here )
For comparison, this is the Postfix before 2.10 default:
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
( optional spam blocking rules would go here )
With Postfix versions before 2.10, the mail relay policy and spam
blocking policy were combined under smtpd_recipient_restrictions,
resulting in error-prone configuration.
As of Postfix 2.10, the mail relay policy is preferably implemented
with smtpd_relay_restrictions, so that a permissive spam blocking
policy under smtpd_recipient_restrictions will not unexpectedly
result in a permissive mail relay policy.
As usual, this new feature is introduced with safety nets to prevent
surprises when a site upgrades from an earlier Postfix release.
1 - FORWARD COMPATIBILITY SAFETY NET: the Postfix installation
procedure adds the following smtpd_relay_restrictions entry to
main.cf when there is none:
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
If your site has a complex mail relay policy configured under
smtpd_recipient_restrictions, this safety net will defer mail
that the built-in smtpd_relay_restrictions setting would bounce.
To eliminate this safety net, take one of the following three
actions:
- Set smtpd_relay_restrictions empty, and keep using the existing
mail relay authorization policy in smtpd_recipient_restrictions.
- Copy the existing mail relay authorization policy from
smtpd_recipient_restrictions to smtpd_relay_restrictions.
- Set smtpd_relay_restrictions by hand to the new built-in
policy: permit_mynetworks reject_unauth_destination.
There is no need to change the value of smtpd_recipient_restrictions.
2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from
Postfix versions before 2.10 can set smtpd_relay_restrictions
to the empty value, and use smtpd_recipient_restrictions exactly
as they used it before.
Incompatible changes with snapshot 20120924
===========================================
Postfix no longer uses FIFOs to emulate UNIX-domain sockets on
Solaris 9 (Vintage 2002!) and later. If you install Postfix for
the first time on an older Solaris system, edit the master.cf file
and replace "unix" with "fifo" for the pickup and qmgr services.
Major changes with snapshot 20120924
====================================
Laptop-friendliness: the default master.cf file now uses "unix"
instead of "fifo" for the pickup and qmgr services. This avoids
periodic disk drive spin-up.
Incompatible changes with snapshot 20120625
===========================================
The postscreen(8)-to-smtpd(8) protocol has changed. To avoid "cannot
receive connection attributes" warnings and dropped connections,
execute the command "postfix reload". No mail will be lost as long
as the remote SMTP client tries again later.
Major changes with snapshot 20120625
====================================
Support for upstream proxy agent in the postscreen(8) and smtpd(8)
daemons. To enable the haproxy protocol, specify one of the
following:
postscreen_upstream_proxy_protocol = haproxy
smtpd_upstream_proxy_protocol = haproxy
Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes
that are behind postscreen. Configure postscreen_upstream_proxy_protocol
instead.
Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT
protocol with smtpd_authorized_xclient_hosts. This supports SASL
authentication in the proxy agent (Postfix 2.9 and later).
Major changes with snapshot 20120422
====================================
This release adds support to turn off the TLSv1.1 and TLSv1.2
protocols. Introduced with OpenSSL version 1.0.1, these are known
to cause inter-operability problems with for example hotmail.
The radical workaround is to temporarily turn off problematic
protocols globally:
/etc/postfix/main.cf:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic
protocols for broken sites only:
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
/etc/postfix/tls_policy:
example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
Important:
- Note the use of ":" instead of comma or space. Also, note that
there is NO space around the "=" in "protocols=".
- The smtp_tls_policy_maps lookup key must match the "next-hop"
destination that is given to the Postfix SMTP client. If you
override the next-hop destination with transport_maps, relayhost,
sender_dependent_relayhost_maps, or otherwise, you need to specify
the same destination for the smtp_tls_policy_maps lookup key.
Major changes with snapshot 20120306
====================================
New master "-w" option, to wait for daemon process initialization
to complete. This feature returns an error exit status if master
daemon initialization fails, or if it does not complete in a
reasonable amount of time. The exit status is used by "postfix
start" to provide more accurate information to system start-up
scripts.
Major changes with snapshot 20120303
====================================
New control for "permit" logging in smtpd_mumble_restrictions.
Specify "smtpd_log_access_permit_actions = static:all" to log all
"permit"-style actions, or specify a list of explicit names. More
details are in the postconf(5) manpage.