RELEASE_NOTES-2.8   [plain text]

The stable Postfix release is called postfix-2.8.x where 2=major
release number, 8=minor release number, x=patchlevel.  The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-2.9-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
before proceeding.

Major changes - restart Postfix

If you upgrade from Postfix 2.6 or earlier, you must execute "postfix
stop" and "postfix start" before you can use the postscreen(8)
daemon.  This is needed because the Postfix 2.6 "pass" master service
type did not work reliably on some systems.

If you upgrade from Postfix 2.7, or from Postfix 2.8 before July
25, 2010, you must execute "postfix reload" (or "postfix stop"
followed by "postfix start"). This is needed because the queue
manager to delivery agent protocol has changed. Failure to do this
results in repeated logging of warnings with:

    warning: unexpected attribute rewrite_context ...

If the warning does not go away after restarting Postfix, examine
the output from this command:

    strings -af /usr/libexec/postfix/* | grep mail_version=

(where /usr/libexec/postfix is the value of
and update the executables that have a version string that differs
from the other programs.

Major changes - DNSBL/DNSWL support

[Feature 20101126] Support for address patterns in DNS blacklist
and whitelist lookup results.

For example, "reject_rbl_client[2;4;6..8]"
will reject clients when the lookup result is,,,, or

The setting "postscreen_dnsbl_sites =[2;4;6..8]"
rejects the same clients.

An IPv4 address pattern has four fields separated by ".".  Each
field is either a decimal number, or a sequence inside "[]" that
contains one or more ";"-separated decimal numbers or number..number

Thus, any pattern field can be a sequence inside "[]", but a "[]"
sequence cannot span multiple address fields, and a pattern field
cannot contain both a number and a "[]" sequence at the same time.

This means that the pattern 1.2.[3.4] is not valid (the sequence
[3.4] cannot span two address fields) and the pattern[6..9]
is also not valid (the last field cannot be both number 3 and
sequence [6..9] at the same time).

The syntax for IPv4 patterns is as follows:

v4pattern = v4field "." v4field "." v4field "." v4field
v4field = v4octet | "[" v4sequence "]"
v4octet = any decimal number in the range 0 through 255
v4sequence = v4seq_member | v4sequence ";" v4seq_member
v4seq_member = v4octet | v4octet ".." v4octet

[Feature 20101105] The Postfix SMTP server now supports DNS-based
whitelisting with several safety features: permit_dnswl_client
whitelists a client by IP address, and permit_rhswl_client whitelists
a client by its hostname.  These features use the same syntax as
reject_rbl_client and reject_rhsbl_client, respectively. The main
difference is that they return PERMIT instead of REJECT.

Whitelisting is primarily a tool to reduce the false positive rate
of DNS blocklist lookups.  Client name whitelisting should not be
used to make exceptions to access rules. The reason is that client
name lookup can fail unpredictably due to some temporary outage.

For safety reasons, permit_dnswl_client and permit_rhswl_client are
silently ignored when they would override reject_unauth_destination.
Also for safety reasons, the result is DEFER_IF_REJECT when DNS
whitelist lookup fails (this result will be made configurable).

Major changes - sqlite support

[Feature 20100617] Support for read-only sqlite database access,
with code by Axel Steiner and documentation by Jesus Garcia Crespo.
See SQLITE_README and sqlite_table(5) for details.

Major changes - Milter support

[Incompat 20101103] Postfix now requests default delivery status
notifications when adding a recipient with the Milter smfi_addrcpt
action, instead of "never notify" as with Postfix automatically-added
recipients (always_bcc and sender/recipient_bcc_maps).

Major changes - alias expansion

[Incompat 20101202] Postfix now reports a temporary delivery error
when the result of virtual alias expansion would exceed the
virtual_alias_recursion_limit or virtual_alias_expansion_limit.
Previously, Postfix would silently drop the excess recipients and
deliver the message.

[Incompat 20101006] To avoid repeated delivery to mailing lists
with pathological nested alias configurations, the local(8) delivery
agent now keeps the owner-alias attribute of a parent alias, when
delivering mail to a child alias that does not have its own owner

With this change, local addresses from that child alias will be
written to a new queue file, and a temporary error with one local
address will no longer result in repeated delivery to other mailing
list members.  Specify "reset_owner_alias = yes" for the older,
more fragile, behavior.

The postconf(5) manpage entry for "reset_owner_alias" has more
background information on this issue.

Major changes - dns lookup

[Incompat 20100827] The Postfix SMTP client no longer appends the
local domain when looking up a DNS name without ".".  Specify
"smtp_dns_resolver_options = res_defnames" to get the old behavior,
which may produce unexpected results.

Major changes - logging

[Incompat 20100728] The format of the "postfix/smtpd[pid]: queueid:
client=host[addr]" logfile record has changed. When available, the
before-filter client information and the before-filter queue ID are
now appended to the end of the record.

[Feature 20100728] Improved message tracking across SMTP-based
content filters.  The logging example below is from an after-filter
SMTP server. Here, 951F692462F is a before-filter queue ID, is a before-filter SMTP client, while 6B4A9924782
is the after-filter queue ID, and localhost[] is the
SMTP-based content filter that sends mail into the after-filter
SMTP server.

    postfix/smtpd[4074]: 6B4A9924782: 

Major changes - reply footer

[Feature 20110105] The SMTP server now supports contact information
that is appended to "reject" responses. This includes SMTP server
responses that aren't logged to the maillog file, such as responses
to syntax errors, or unsupported commands.

   smtpd_reject_footer = For assistance, call 800-555-0101.

Server response:
   550-5.5.1 <user@example> Recipient address rejected: User unknown
   550 5.5.1 For assistance, call 800-555-0101.

This feature supports macro expansion ($client_address, $localtime,
etc.), as documented in the postconf(5) manpage.

This feature is also supported as postscreen_reject_footer using
the same setting as smtpd_reject_footer by default.

Major changes - rfc compliance

[Incompat 20101206] Postfix by default no longer adds a "To:
undisclosed-recipients:;" header when no recipient specified in the
message header.  The Internet mail RFCs have supported messages
without recipient header for almost 10 years now.

For backwards compatibility, specify:

   undisclosed_recipients_header = To: undisclosed-recipients:;

Note: both the ":" and ";" are required.

Major changes - tls support

[Incompat 20110102] The Postfix SMTP server now always re-computes
the SASL mechanism list after successful completion of the STARTTLS
command. Earlier versions only re-computed the mechanism list when
the values of smtp_sasl_tls_security_options and smtp_sasl_security_options
differ.  This could produce incorrect results, because the Dovecot
authentication server may change responses when the SMTP session
is encrypted.

[Incompat 20110102] The smtpd_starttls_timeout default value is now
stress-dependent.  By default, TLS negotiations must now complete
under overload in 10s instead of 300s.

[Feature 20101223] The new tls_disable_workarounds parameter specifies
a list or bit-mask of OpenSSL bug work-arounds to disable. This may
be necessary if one of the work-arounds enabled by default in OpenSSL
proves to pose a security risk, or introduces an unexpected
interoperability issue. Some bug work-arounds known to be problematic
are disabled in the default value of the parameter when linked with
an OpenSSL library that could be vulnerable. See postconf(5) and
TLS_README for details.

With "tls_preempt_cipherlist = yes" the Postfix SMTP server will
choose its most preferred cipher that is supported (offered) by the
client. This can lead to a more secure or performant cipher choice,
but may also introduce interoperability problems when a client
announces support for a cipher that does not work.  See postconf(5)
and TLS_README for details.

[Feature 20101217] The lower-level code in the TLS engine was
simplified by removing an unnecessary layer of data copying. OpenSSL
now writes directly to the network. The difference in performance
should be hardly noticeable.

[Incompat 20100610] Postfix no longer appends the system-supplied
default CA certificates to the lists specified with *_tls_CAfile
or with *_tls_CApath. This prevents third-party certificates from
getting mail relay permission with the permit_tls_all_clientcerts

Unfortunately this change may cause compatibility problems when
configurations rely on certificate verification for other purposes.
Specify "tls_append_default_CA = yes" for backwards compatibility.

Major changes - postscreen

See html/POSTSCREEN_README.html for an introduction to postscreen
(or the text version, README_FILES/POSTSCREEN_README). The text
below summarizes milestones in reverse chronological order.

[Incompat 20110111] The postscreen_access_list feature replaces the
postscreen_whitelist_networks and postscreen_blacklist_networks
features. Reason: CIDR-style access maps are some 100x faster than
the code that implemented the postscreen_white/blacklist_networks
support.  CIDR maps can match about 100 million CIDR patterns/second
on a modern CPU, which is not blindingly fast but adequate for the
near future.

[Feature 20110102] STARTTLS support for the postscreen(8) daemon.
This is implemented by a new tlsproxy(8) daemon that you will need
to enable in (see POSTSCREEN_README for instructions).
tlsproxy(8) implements its own tlsproxy_mumble versions of TLS-related
smtpd_mumble parameters. This leaves no confusion about which
parameters will affect tlsproxy(8) behavior, but it adds another
25 parameters to the documentation.

[Incompat 20100912] If your DNSBL queries have a "secret" in the
domain name, you must now censor this information from the postscreen(8)
SMTP replies.  For example:

      postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

      # Secret DNSBL name        Name in postscreen(8) replies

The texthash: format is similar to hash: except that there is no need to
run postmap(1) before the file can be used, and that it does not detect
changes after the file is read. It is new with Postfix version 2.8.

[Incompat 20100912] The postscreen "continue" action is now called
"ignore".  The old name is still supported but no longer documented.

[Incompat 20100912] The postscreen_hangup_action parameter was
removed. Postscreen now always behaves as if "postscreen_hangup_action
= drop".

[Incompat 20100912] The postscreen_cache_retention_time default was
increased from 1d to 7d, to avoid deleting results from expensive
deep SMTP protocol tests too quickly.

[Feature 20100912] SMTP protocol engine for deep protocol tests,
and for logging the helo/sender/recipient information when postscreen
rejects an attempt to deliver mail.

The postscreen SMTP protocol engine implements a number of deep
protocol tests and defers or rejects all attempts to deliver mail.
The first test detects unauthorized SMTP command pipelining (an
SMTP client sends multiple commands, instead of sending one command
and waiting for the server response); a second deep protocol test
implements the Postfix SMTP server's smtpd_forbidden_commands feature
(a client sends commands such as CONNECT, GET, POST); and a third
deep protocol test detects spambots that send SMTP commands that
end in newline instead of carriage-return/newline.  Real spambots
rarely make this mistake, but poorly-written software often does.

Deep protocol tests are disabled by default, because the built-in
SMTP engine cannot not hand off the "live" connection from a good
SMTP client to a Postfix SMTP server process. To work around this,
postscreen(8) defers attempts to deliver mail with a 4XX status,
and waits for the client to disconnect. The next time a good client
connects, it will be allowed to talk to a Postfix SMTP server process
to deliver mail.

[Feature 20100830] Postscreen DNSBL support is extended with optional
fixed-string filters, with optional integral weight factors, and
with an adjustable threshold to block SMTP clients with DNSBL score
>= that threshold. Reply filters will be implemented later.

The updated postscreen configuration syntax is:

    postscreen_dnsbl_sites = domain[=ipaddr][*weight] ...
    postscreen_dnsbl_threshold = score

Elements inside [] are optional, ipaddr is an IPv4 address, and
weight and score are integral numbers. The [] are not part of the
postscreen_dnsbl_sites input.  By default, weight and score are
equal to 1, and entries without filter will match any non-error
DNSBL reply.  Use a negative weight value for whitelisting.


To use as a high-confidence blocklist, and to block
mail with and only when both agree, use:

    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites =*2,,

To filter only DNSBL replies containing, use:

    postscreen_dnsbl_sites =

See also postconf(5) for the fine details.

[Incompat 20100101] When periodic cache cleanup is enabled (the
default), the postscreen(8) server now requires that the cache
database supports the "delete" and "sequence" operations.  To disable
periodic cache cleanup specify a zero postscreen_cache_cleanup_interval

[Feature 20100101] Periodic cache cleanup for the postscreen(8)
cache database. The time between cache cleanup runs is controlled
with the postscreen_cache_cleanup_interval (default: 12h) parameter.
Cache cleanup increases the database access latency, so this should
not be run more often than necessary.

In addition, the postscreen_cache_retention_time (default: 1d)
parameter specifies how long to keep an expired entry in the cache.
This prevents a client from being logged as "NEW" after its record
expired only a little while ago.

[Feature 20091008] Prototype postscreen(8) server that runs a number
of time-consuming checks in parallel for all incoming SMTP connections,
before clients are allowed to talk to a real Postfix SMTP server.
It detects clients that start talking too soon, or clients that
appear on DNS blocklists, or clients that hang up without sending
any command.

By doing these checks in a single postscreen(8) process, Postfix
can avoid wasting one SMTP server process per connection. A side
benefit of postscreen(8)'s DNSBL lookups is that DNS records are
already cached before the Postfix SMTP server looks them up later.

postscreen(8) maintains a temporary whitelist of positive decisions.
Once an SMTP client is whitelisted, it is immediately forwarded to
a real Postfix SMTP server process without further checking.

By default, the program logs only statistics, and it does not run
any checks on clients in mynetworks (primarily, to avoid problems
with buggy SMTP implementations in network appliances).  The logging
function alone is already useful for research.