This is the Postfix 3.0 (stable) release. The stable Postfix release is called postfix-3.0.x where 3=major release number, 0=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. New features are developed in snapshot releases. These are called postfix-3.1-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.10 or earlier, read RELEASE_NOTES-2.11 before proceeding. Incompatible change with Postfix 3.0.2 -------------------------------------- As of the middle of 2015, all supported Postfix releases no longer enable "export" grade ciphers for opportunistic TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for mandatory or opportunistic TLS. These changes are very unlikely to cause problems with server-to-server communication over the Internet, but they may result in interoperability problems with ancient client or server implementations on internal networks. To address this problem, you can revert the changes with: Postfix SMTP client settings: lmtp_tls_ciphers = export smtp_tls_ciphers = export lmtp_tls_protocols = !SSLv2 smtp_tls_protocols = !SSLv2 lmtp_tls_mandatory_protocols = !SSLv2 smtp_tls_mandatory_protocols = !SSLv2 Postfix SMTP server settings: smtpd_tls_ciphers = export smtpd_tls_protocols = smtpd_tls_mandatory_protocols = !SSLv2 These settings, if put in main.cf, affect all Postfix SMTP client or server communication, which may be undesirable. To be more selective, use "-o name=value" parameter overrides on specific services in master.cf. Execute the command "postfix reload" to make the changes effective. Notes for distribution maintainers ---------------------------------- * New backwards-compatibility safety net. With NEW Postfix installs, you MUST install a main.cf file with the setting "compatibility_level = 2". See conf/main.cf for an example. With UPGRADES of existing Postfix systems, you MUST NOT change the main.cf compatibility_level setting, nor add this setting if it does not exist. Several Postfix default settings have changed with Postfix 3.0. To avoid massive frustration with existing Postfix installations, Postfix 3.0 comes with a safety net that forces Postfix to keep running with backwards-compatible main.cf and master.cf default settings. This safety net depends on the main.cf compatibility_level setting (default: 0). Details are in COMPATIBILITY_README. * New Postfix build system. The Postfix build/install procedure has changed to support Postfix dynamically-linked libraries and database plugins. These must not be "shared" with non-Postfix programs, and therefore must not be installed in a public directory. To avoid massive frustration due to broken patches, PLEASE BUILD POSTFIX FIRST WITHOUT APPLYING ANY PATCHES. Follow the INSTALL instructions (see "Building with Postfix dynamically-linked libraries and database plugins"), and see how things work and what the dynamically-linked libraries, database plugin, and configuration files look like. Then, go ahead and perform your platform-specific customizations. The INSTALL section "Tips for distribution maintainers" has further suggestions. Major changes - critical ------------------------ [Incompat 20140714] After upgrading Postfix, "postfix reload" (or start/stop) is required. Several Postfix-internal protocols have been extended to support SMTPUTF8. Failure to reload or restart will result in mail staying queued, while Postfix daemons log warning messages about unexpected attributes. Major changes - default settings -------------------------------- [Incompat 20141009] The default settings have changed for relay_domains (new: empty, old: $mydestination) and mynetworks_style (new: host, old: subnet). However the backwards-compatibility safety net will prevent these changes from taking effect, giving the system administrator the option to make an old default setting permanent in main.cf or to adopt the new default setting, before turning off backwards compatibility. See COMPATIBILITY_README for details. [Incompat 20141001] A new backwards-compatibility safety net forces Postfix to run with backwards-compatible main.cf and master.cf default settings after an upgrade to a newer but incompatible Postfix version. See COMPATIBILITY_README for details. While the backwards-compatible default settings are in effect, Postfix logs what services or what email would be affected by the incompatible change. Based on this the administrator can make some backwards-compatibility settings permanent in main.cf or master.cf, before turning off backwards compatibility. See postconf.5.html#compatibility_level for details. [Incompat 20141001] The default settings have changed for append_dot_mydomain (new: no. old: yes), master.cf chroot (new: n, old: y), and smtputf8 (new: yes, old: no). Major changes - access control ------------------------------ [Feature 20141119] Support for BCC actions in header/body_checks and milter_header_checks. There is no limit on the number of BCC actions that may be specified, other than the implicit limit due to finite storage. BCC support will not be implemented in Postfix delivery agent header/body_checks. It works in the same way as always_bcc and sender/recipient_bcc_maps: there can be only one address per action, recipients are added with the NOTIFY=NONE delivery status notification option, and duplicate recipients are ignored (with the same delivery status notification options). [Incompat 20141009] The default settings have changed for relay_domains (new: empty, old: $mydestination) and mynetworks_style (new: host, old: subnet). However the backwards-compatibility safety net will prevent these changes from taking effect, giving the system administrator the option to make an old default setting permanent in main.cf or to adopt the new default setting, before turning off backwards compatibility. See COMPATIBILITY_README for details. [Feature 20140618] New INFO action in access(5) tables, for consistency with header/body_checks. [Feature 20140620] New check_xxx_a_access (for xxx in client, reverse_client, helo, sender, recipient) implements access control on all A and AAAA IP addresses for respectively the client hostname, helo parameter, sender domain or recipient domain. This complements the existing check_xxx_mx_access and check_xxx_ns_access features. Major changes - address rewriting --------------------------------- [Incompat 20141001] The default settings have changed for append_dot_mydomain (new: no. old: yes), master.cf chroot (new: n, old: y), and smtputf8 (new: yes, old: no). Major changes - address verification ------------------------------------ [Feature 20141227] The new smtp_address_verify_target parameter (default: rcpt) specifies what protocol stage decides if a recipient is valid. Specify "data" for servers that reject invalid recipients in response to the DATA command. Major changes - database support -------------------------------- [Feature 20140512] Support for Berkeley DB version 6. [Feature 20140618] The "randmap" lookup table performs random selection. This may be used to implement load balancing, for example: /etc/postfix/transport: # Deliver my own domain as usual. example.com : .example.com : /etc/postfix/main.cf: transport_maps = # Deliver my own domain as usual. hash:/etc/postfix/transport # Deliver other domains via randomly-selected relayhosts randmap:{smtp:smtp0.example.com, smtp:smtp1.example.com} A variant of this can randomly select SMTP clients with different smtp_bind_address settings. To implement different weights, specify lookup results multiple times. For example, to choose smtp:smtp1.example.com twice as often as smtp:smtp0.example.com, specify smtp:smtp1.example.com twice. A future version may support randmap:/path/to/file to load a list of results from file. [Feature 20140618] As the name suggests, the "pipemap" table implements a pipeline of lookup tables. The name of the table specifies the pipeline as a sequence of tables. For example, the following prevents SMTP mail to system accounts that have "nologin" as their login shell: /etc/postfix/main.cf: local_recipient_maps = pipemap:{unix:passwd.byname, pcre:/etc/postfix/no-nologin.pcre} alias_maps /etc/postfix/no-nologin.pcre: !/nologin/ whatever Each "pipemap:" query is given to the first table. Each table lookup result becomes the query for the next table in the pipeline, and the last table produces the final result. When any table lookup produces no result, the entire pipeline produces no result. A future version may support pipemap:/path/to/file to load a list of lookup tables from file. [Feature 20140924] Support for unionmap, with the same syntax as pipemap. This sends a query to all tables, and concatenates non-empty results, separated by comma. [Feature 20131121] The "static" lookup table now supports whitespace when invoked as "static:{ text with whitespace }", so that it can be used, for example, at the end of smtpd_mumble_restrictions as "check_mumble_access static:{reject text...}". [Feature 20141126] "inline:{key=value, { key = text with comma/space}}" avoids the need to create a database for just a few entries. Major changes - delivery status notifications --------------------------------------------- [Feature 20140321] Delivery status filter support, to replace the delivery status codes and explanatory text of successful or unsuccessful deliveries by Postfix mail delivery agents. This was originally implemented for sites that want to turn certain soft delivery errors into hard delivery errors, but it can also be used to censor out information from delivery confirmation reports. This feature is implemented as a filter that replaces the three-number enhanced status code and descriptive text in Postfix delivery agent success, bounce, or defer messages. Note: this will not override "soft_bounce=yes", and this will not change a successful delivery status into an unsuccessful status or vice versa. The first example turns specific soft TLS errors into hard errors, by overriding the first number in the enhanced status code. /etc/postfix/main.cf: smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter /etc/postfix/smtp_dsn_filter: /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 5$1 /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 5$1 The second example removes the destination command name and file name from local(8) successful delivery reports, so that they will not be reported when a sender requests confirmation of delivery. /etc/postfix/main.cf: local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter /etc/postfix/local_dsn_filter: /^(2\S+ delivered to file).+/ $1 /^(2\S+ delivered to command).+/ $1 This feature is supported in the lmtp(8), local(8), pipe(8), smtp(8) and virtual(8) delivery agents. That is, all delivery agents that actually deliver mail. It will not be implemented in the error and retry pseudo-delivery agents. The new main.cf parameters and default values are: default_delivery_status_filter = lmtp_delivery_status_filter = $default_delivery_status_filter local_delivery_status_filter = $default_delivery_status_filter pipe_delivery_status_filter = $default_delivery_status_filter smtp_delivery_status_filter = $default_delivery_status_filter virtual_delivery_status_filter = $default_delivery_status_filter See the postconf(5) manpage for more details. [Incompat 20140618] The pipe(8) delivery agent will now log a limited amount of command output upon successful delivery, and will report that output in "SUCCESS" delivery status reports. This is another good reason to disable inbound DSN requests at the Internet perimeter. [Feature 20140907] With "confirm_delay_cleared = yes", Postfix informs the sender when delayed mail leaves the queue (this is in addition to the delay_warning_time feature that warns when mail is still queued). This feature is disabled by default, because it can result in a sudden burst of notifications when the queue drains at the end of a prolonged network outage. Major changes - dns ------------------- [Feature 20141128] Support for DNS server reply filters in the Postfix SMTP/LMTP client and SMTP server. This helps to work around mail delivery problems with sites that have incorrect DNS information. Note: this has no effect on the implicit DNS lookups that are made by nsswitch.conf or equivalent mechanisms. This feature renders each lookup result as one line of text in standard zone-file format as shown below. The class field is always "IN", the preference field exists only for MX records, the names of hosts, domains, etc. end in ".", and those names are in ASCII form (xn--mumble form for internationalized domain names). name ttl class type preference value --------------------------------------------------------- postfix.org. 86400 IN MX 10 mail.cloud9.net. Typically, one would match this text with a regexp: or pcre: table. When a match is found, the table lookup result specifies an action. By default, the table query and the action name are case-insensitive. Currently, only the IGNORE action is implemented. For safety reasons, Postfix logs a warning or defers mail delivery when a DNS reply filter removes all lookup results from a successful query. The Postfix SMTP/LMTP client uses the smtp_dns_reply_filter and lmtp_dns_reply_filter features only for Postfix SMTP client lookups of MX, A, and AAAAA records to locate a remote SMTP or LMTP server, including lookups that implement the features reject_unverified_sender and reject_unverified_recipient. The filters are not used for lookups made through nsswitch.conf and similar mechanisms. The Postfix SMTP server uses the smtpd_dns_reply_filter feature only for Postfix SMTP server lookups of MX, A, AAAAA, and TXT records to implement the features reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*. The filter is not used for lookups made through nsswitch.conf and similar mechanisms, such as lookups of the remote SMTP client name. [Feature 20141126] Nullmx support (MX records with a null hostname). This change affects error messages only. The Postfix SMTP client already bounced mail for such domains, and the Postfix SMTP server already rejected such domains with reject_unknown_sender/recipient_domain. This feature introduces a new SMTP server configuration parameter nullmx_reject_code (default: 556). Major changes - dynamic linking ------------------------------- [Feature 20140530] Support to build Postfix with Postfix dynamically-linked libraries, and with dynamically-loadable database clients. These MUST NOT be used by non-Postfix programs. Postfix dynamically-linked libraries introduce minor runtime overhead and result in smaller Postfix executable files. Dynamically-loadable database clients are useful when you distribute or install pre-compiled packages. Postfix 3.0 supports dynamic loading for CDB, LDAP, LMDB, MYSQL, PCRE, PGSQL, SDBM, and SQLITE database clients. This implementation is based on Debian code by LaMont Jones, initially ported by Viktor Dukhovni. Currently, support exists for recent versions of Linux, FreeBSD, MacOS X, and for the ancient Solaris 9. To support Postfix dynamically-linked libraries and dynamically-loadable database clients, the Postfix build procedure had to be changed (specifically, the files makedefs and Makefile.in, and the files postfix-install and post-install that install or update Postfix). [Incompat 20140530] The Postfix 3.0 build procedure expects that you specify database library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc. With Postfix 3.0 and later, the old AUXLIBS variable still supports building a statically-loaded CDB etc. database client, but only the new AUXLIBS_CDB etc. variables support building a dynamically-loaded or statically-loaded CDB etc. database client. See CDB_README, LDAP_README, etc. for details. Failure to follow this advice will defeat the purpose of dynamic database client loading. Every Postfix executable file will have database library dependencies. And that was exactly what dynamic database client loading was meant to avoid. Major changes - future proofing ------------------------------- [Cleanup 20141224] The changes described here have no visible effect on Postfix behavior, but they make Postfix code easier to maintain, and therefore make new functionality easier to add. * Compile-time argument typechecks of non-printf/scanf-like variadic function argument lists. * Deprecating the use of "char *" for non-text purposes such as memory allocation and pointers to application context for call-back functions. This dates from long-past days before void * became universally available. * Replace integer types for counters and sizes with size_t or ssize_t equivalents. This eliminates some wasteful 64<->32bit conversions on 64-bit systems. Major changes - installation pathnames -------------------------------------- [Incompat 20140625] For compliance with file system policies, some non-executable files have been moved from $daemon_directory to the directory specified with the new meta_directory configuration parameter which has the same default value as the config_directory parameter. This change affects non-executable files that are shared between multiple Postfix instances such as postfix-files, dynamicmaps.cf, and multi-instance template files. For backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory = $daemon_directory" in main.cf before installing or upgrading Postfix, or specify "meta_directory = /path/name" on the "make makefiles", "make install" or "make upgrade" command line. Major changes - milter ---------------------- [Feature 20140928] Support for per-Milter settings that override main.cf parameters. For details see the section "Advanced policy client configuration" in the SMTPD_POLICY_README document. Here is an example that uses both old and new syntax: smtpd_milters = { inet:127.0.0.1:port1, default_action=accept, ... }, inet:127.0.0.1:port2, ... The supported attribute names are: command_timeout, connect_timeout, content_timeout, default_action, and protocol. These have the same names as the corresponding main.cf parameters, without the "milter_" prefix. The per-milter settings are specified as attribute=value pairs separated by comma or space; specify { name = value } to allow spaces around the "=" or within an attribute value. [Feature 20141018] DMARC compatibility: when a Milter inserts a header ABOVE Postfix's own Received: header, Postfix no longer exposes its own Received: header to Milters (violating protocol) and Postfix no longer hides the Milter-inserted header from Milters (wtf). Major changes - parameter syntax -------------------------------- [Feature 20140921] In preparation for configurable mail headers and logging, new main.cf support for if-then-else expressions: ${name?{text1}:{text2}} and for logical expressions: ${{text1}=={text2}?{text3}:{text4}} ${{text1}!={text2}?{text3}:{text4}} Whitespace before and after {text} is ignored. This can help to make complex expressions more readable. See the postconf(5) manpage for further details. [Feature 20140928] Support for whitespace in daemon command-line arguments. For details, see the "Command name + arguments" section in the master(5) manpage. Example: smtpd -o { parameter = value containing whitespace } ... The { ... } form is also available for non-option command-line arguments in master.cf, for example: pipe ... argv=command { argument containing whitespace } ... In both cases, whitespace immediately after "{" and before "}" is ignored. [Feature 20141005] Postfix import_environment and export_environment now allow "{ name=value }" to protect whitespace in attribute values. [Feature 20141006] The new message_drop_header parameter replaces a hard-coded table that specifies what message headers the cleanup daemon will remove. The list of supported header names covers RFC 5321, 5322, MIME RFCs, and some historical names. Major changes - pipe daemon --------------------------- [Incompat 20140618] The pipe(8) delivery agent will now log a limited amount of command output upon successful delivery, and will report that output in "SUCCESS" delivery status reports. This is another good reason to disable inbound DSN requests at the Internet perimeter. Major changes - policy client ----------------------------- [Feature 20140703] This release introduces three new configuration parameters that control error recovery for failed SMTPD policy requests. * smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration problem): The default action when an SMTPD policy service request fails. * smtpd_policy_service_try_limit (default: 2): The maximal number of attempts to send an SMTPD policy service request before giving up. This must be a number greater than zero. * smtpd_policy_service_retry_delay (default: 1s): The delay between attempts to resend a failed SMTPD policy service request. This must be a number greater than zero. See postconf(5) for details and limitations. [Feature 20140928] Support for per-policy service settings that override main.cf parameters. For details see the section "Different settings for different Milter applications" in the MILTER_README document. Here is an example that uses both old and new syntax: smtpd_recipient_restrictions = ... check_policy_service { inet:127.0.0.1:port3, default_action=DUNNO } check_policy_service inet:127.0.0.1:port4 ... The per-policy service settings are specified as attribute=value pairs separated by comma or space; specify { name = value } to allow spaces around the "=" or within an attribute value. The supported attribute names are: default_action, max_idle, max_ttl, request_limit, retry_delay, timeout, try_limit. These have the same names as the corresponding main.cf parameters, without the "smtpd_policy_service_" prefix. [Feature 20140505] A client port attribute was added to the policy delegation protocol. [Feature 20140630] New smtpd_policy_service_request_limit feature to limit the number of requests per Postfix SMTP server policy connection. This is a workaround to avoid error-recovery delays with policy servers that cannot maintain a persistent connection. Major changes - position-independent executables ------------------------------------------------ [Feature 20150205] Preliminary support for building position-independent executables (PIE), tested on Fedora Core 20, Ubuntu 14.04, FreeBSD 9 and 10, and NetBSD 6. Specify: $ make makefiles pie=yes ...other arguments... On some systems, PIE is used by the ASLR exploit mitigation technique (ASLR = Address-Space Layout Randomization). Whether specifying "pie=yes" has any effect at all depends on the compiler. Reportedly, some compilers always produce PIE executables. Major changes - postscreen -------------------------- [Feature 20140501] Configurable time limit (postscreen_dnsbl_timeout) for DNSBL or DNSWL lookups. This is separate from the timeouts in the dnsblog(8) daemon which are controlled by system resolver(3) routines. Major changes - session fingerprint ----------------------------------- [Feature 20140801] The Postfix SMTP server now logs at the end of a session how many times an SMTP command was successfully invoked, followed by the total number of invocations if some invocations were unsuccessful. This logging will enough to diagnose many problems without using verbose logging or network sniffer. Normal session, no TLS: disconnect from name[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1 Normal session. with TLS: disconnect from name[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 All recipients rejected, no ESMTP command pipelining: disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 quit=1 All recipients rejected, with ESMTP command pipelining: disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 Password guessing bot, hangs up without QUIT: disconnect from name[addr] ehlo=1 auth=0/1 Mis-configured client trying to use TLS wrappermode on port 587: disconnect from name[addr] unknown=0/1 Logfile analyzers can trigger on the presence of "/". It indicates that Postfix rejected at least one command. [Feature 20150118] As a late addition, the SMTP server now also logs the total number of commands (as "commands=x/y") even when the client did not send any commands. This helps logfile analyzers to recognize sessions without commands. Major changes - smtp client --------------------------- [Feature 20141227] The new smtp_address_verify_target parameter (default: rcpt) determines what protocol stage decides if a recipient is valid. Specify "data" for servers that reject recipients after the DATA command. Major changes - smtputf8 ------------------------ [Incompat 20141001] The default settings have changed for append_dot_mydomain (new: no, old: yes), master.cf chroot (new: n, old: y), and smtputf8 (new: yes, old: no). [Incompat 20140714] After upgrading Postfix, "postfix reload" (or start/stop) is required. Several Postfix-internal protocols have been extended to support SMTPUTF8. Failure to reload or restart will result in mail staying queued, while Postfix daemons log warning messages about unexpected attributes. [Feature 20140715] Support for Email Address Internationalization (EAI) as defined in RFC 6531..6533. This supports UTF-8 in SMTP/LMTP sender addresses, recipient addresses, and message header values. The implementation is based on initial work by Arnt Gulbrandsen that was funded by CNNIC. See SMTPUTF8_README for a description of Postfix SMTPUTF8 support. [Feature 20150112] UTF-8 Casefolding support for Postfix lookup tables and matchlists (mydestination, relay_domains, etc.). This is enabled only with "smtpuf8 = yes". [Feature 20150112] With smtputf8_enable=yes, SMTP commands with UTF-8 syntax errors are rejected, table lookup results with invalid UTF-8 syntax are handled as configuration errors, and UTF-8 syntax errors in policy server replies result in execution of the policy server's default action. Major changes - tls support --------------------------- (see "Major changes - delivery status notifications" above for turning 4XX soft errors into 5XX bounces when a remote SMTP server does not offer STARTTLS support). [Feature 20140209] the Postfix SMTP client now also falls back to plaintext when TLS fails AFTER the TLS protocol handshake. [Feature 20140218] The Postfix SMTP client now requires that a queue file is older than $minimal_backoff_time, before falling back from failed TLS to plaintext (both during or after the TLS handshake). [Feature 20141021] Per IETF TLS WG consensus, the tls_session_ticket_cipher default setting was changed from aes-128-cbc to aes-256-cbc. [Feature 20150116] TLS wrappermode support in the Postfix smtp(8) client (new smtp_tls_wrappermode parameter) and in posttls-finger(1) (new -w option). There still is life in that deprecated protocol, and people should not have to jump hoops with stunnel.