postfix-3.10-20240422

vdukhovni · Apr 22, 2024 · 3a7fa9f · 3a7fa9f
1 parent a6993c3
commit 3a7fa9f
Show file tree

Hide file tree

Showing 33 changed files with 326 additions and 123 deletions.
diff --git a/postfix/HISTORY b/postfix/HISTORY
@@ -26245,7 +26245,7 @@ Apologies for any names omitted.
 
 	Documentation: added LINUX_README sections for logging in
 	a container, and for systemd logging workarounds. File:
-	proto/LINUX_README.hmtl.
+	proto/LINUX_README.html.
 
 20220126
 
@@ -28004,3 +28004,46 @@ Apologies for any names omitted.
 	Documentation: added text that the read-only "service_name"
 	configuration parameter was introduced in Postfix 3.3. File:
 	proto/postconf.proto.
+
+20240402
+
+	Workaround: in the stock master.cf file, disable the feature
+	smtpd_forbid_unauth_pipelining in the submission and
+	submissions services, to work around a 15-year old open
+	Mozilla bug for sending a non-compliant SMTP command:"EHLO
+	we-guess.mozilla.org<CR><LF>QUIT<CR><LF>" (see
+	https://bugzilla.mozilla.org/show_bug.cgi?id=538809). File:
+	conf/master.cf.
+
+20240413
+
+	Documentation: mention in the first aliases(5) and virtual(5)
+	manpage paragraphs that alias_maps is searched only with
+	the email address localpart (no domain) and that
+	virtual_alias_maps is often queried with a full email address
+	(including domain). Add similar text to the parameter
+	descriptions for alias_maps and virtual_alias_maps. Files:
+	proto/aliases, proto/virtual.
+
+	Documentation: workaround for a load balancer paradox. When
+	a destination (relayhost, MySQL server, PostgreSQL server,
+	LDAP server) is a load balancer, and there are no alternative
+	servers, specify the load balancer multiple times. Without
+	this duplication, the Postfix client would not reconnect
+	immediately to the same load balancer after a server failure,
+	and it would defer mail. Files: proto/postconf.proto,
+	proto/mysql_table, proto/pgsql_table, proto/ldap_table.
+
+20240421
+
+	Documentation: replace the obsolete pickup service type
+	fifo with unix, and fix typos. Dilyan Palauzov. Files:
+	HISTORY< proto/BUILTIN_FILTER_README.html,
+	proto/STANDARD_CONFIGURATION_README.html
+
+20240418
+
+	Logging: when the pickup daemon logs a warning for a maildrop
+	queue file, log not only the 'new' name in the incoming
+	queue, but also log the 'old' name in the maildrop queue.
+	File: pickup/pickup.c.
diff --git a/postfix/README_FILES/BUILTIN_FILTER_README b/postfix/README_FILES/BUILTIN_FILTER_README
@@ -235,7 +235,7 @@ server IP addresses in master.cf:
             -o receive_override_options=no_header_body_checks
         127.0.0.1:smtp inet  n       -       n       -       -       smtpd
             -o receive_override_options=no_header_body_checks
-        pickup         fifo  n       -       n       60      1       pickup
+        pickup         unix  n       -       n       60      1       pickup
             -o receive_override_options=no_header_body_checks
 
   * Add some firewall rule to prevent access to 1.2.3.4:smtp from the outside

diff --git a/postfix/README_FILES/STANDARD_CONFIGURATION_README b/postfix/README_FILES/STANDARD_CONFIGURATION_README
@@ -306,9 +306,8 @@ In some installations, there may be separate instances of Postfix processing
 inbound and outbound mail on a multi-homed firewall. The inbound Postfix
 instance has an SMTP server listening on the external firewall interface, and
 the outbound Postfix instance has an SMTP server listening on the internal
-interface. In such a configuration is it is tempting to configure
-$inet_interfaces in each instance with just the corresponding interface
-address.
+interface. In such a configuration it is tempting to configure $inet_interfaces
+in each instance with just the corresponding interface address.
 
 In most cases, using inet_interfaces in this way will not work, because as
 documented in the $inet_interfaces reference manual, the smtp(8) delivery agent

diff --git a/postfix/WISHLIST b/postfix/WISHLIST
@@ -6,10 +6,37 @@ Wish list:
 
 	Disable -DSNAPSHOT and -DNONPROD in makedefs.
 
+	migrate rbl -> dnsbl
+
+	migrate smtpd_sasl_tls_security_options to "noanonymous"
+	(drop the "noplaintext" part).
+
+	Safety: restrict sender-dependent features to, for example,
+	mail from an authorized client (SASL, TLS, or IP address).
+	If this becomes the default then it needs to be subject to
+	comptibility_level.
+
+	Make some of the message editing features available for
+	non-Milter configurations (for example, set envelope.from
+	from primary header.from). 
+
 	The postconf command needs more mongodb tests.
 
 	The mongodb client needs tests.
 
+	Change Postfix SMTP debug logging to display the entire
+	input, instead of stopping at the first null byte.
+
+	SRS-friendly envelope.from output rewrite in the SMTP client.
+	TBD: before or after smtp_generic_maps. The two mechanisms
+	are unlikely to be useful in combination.
+
+	Cleanup: In documentation, replace DBM with LMDB (*.lmdb).
+
+	Cleanup: Is it time to remove SDBM support? Its iterator
+	was unusable, when the SDBM client was adopted in Postfix
+	2.2.
+
 	In documentation and configuration file examples, replace
 	IPv4 address prefixes from Cloud9 with 192.168.* from RFC
 	1918, and replace IPv6 address prefixes with unique local

diff --git a/postfix/conf/aliases b/postfix/conf/aliases
@@ -44,30 +44,36 @@ decode:		root
 # SYNOPSIS
 #        newaliases
 # 
+#        postalias -q name [file-type]:[file-name]
+# 
 # DESCRIPTION
 #        The  optional aliases(5) table (alias_maps) redirects mail
 #        for local recipients. The redirections  are  processed  by
-#        the Postfix local(8) delivery agent.
+#        the  Postfix local(8) delivery agent. This table is always
+#        searched with an email address localpart (no  domain  por-
+#        tion).
 # 
 #        This  is  unlike  virtual(5) aliasing (virtual_alias_maps)
 #        which applies to all recipients:  local(8),  virtual,  and
 #        remote, and which is implemented by the cleanup(8) daemon.
+#        That table is often searched with  a  full  email  address
+#        (including domain).
 # 
 #        Normally, the aliases(5) table is specified as a text file
-#        that  serves  as  input  to  the postalias(1) command. The
-#        result, an indexed file in dbm or db format, is  used  for
-#        fast  lookup  by  the  mail  system.  Execute  the command
-#        newaliases in order to  rebuild  the  indexed  file  after
+#        that serves as input  to  the  postalias(1)  command.  The
+#        result,  an  indexed file in dbm or db format, is used for
+#        fast lookup  by  the  mail  system.  Execute  the  command
+#        newaliases  in  order  to  rebuild  the indexed file after
 #        changing the Postfix alias database.
 # 
-#        When  the  table  is provided via other means such as NIS,
-#        LDAP or SQL, the same lookups are  done  as  for  ordinary
+#        When the table is provided via other means  such  as  NIS,
+#        LDAP  or  SQL,  the  same lookups are done as for ordinary
 #        indexed files.
 # 
-#        Alternatively,  the  table  can  be  provided  as  a regu-
-#        lar-expression map where patterns  are  given  as  regular
-#        expressions.  In  this  case,  the  lookups  are done in a
-#        slightly different way as described below  under  "REGULAR
+#        Alternatively, the  table  can  be  provided  as  a  regu-
+#        lar-expression  map  where  patterns  are given as regular
+#        expressions. In this case,  the  lookups  are  done  in  a
+#        slightly  different  way as described below under "REGULAR
 #        EXPRESSION TABLES".
 # 
 #        Users can control delivery of their own mail by setting up
@@ -81,63 +87,64 @@ decode:		root
 # 
 #                    name: value1, value2, ...
 # 
-#        o      Empty  lines and whitespace-only lines are ignored,
-#               as are lines whose first  non-whitespace  character
+#        o      Empty lines and whitespace-only lines are  ignored,
+#               as  are  lines whose first non-whitespace character
 #               is a `#'.
 # 
-#        o      A  logical  line starts with non-whitespace text. A
-#               line that starts with whitespace continues a  logi-
+#        o      A logical line starts with non-whitespace  text.  A
+#               line  that starts with whitespace continues a logi-
 #               cal line.
 # 
-#        The  name is a local address (no domain part).  Use double
-#        quotes when the name contains any special characters  such
-#        as  whitespace,  `#',  `:',  or `@'. The name is folded to
+#        The name is a local address (no domain part).  Use  double
+#        quotes  when the name contains any special characters such
+#        as whitespace, `#', `:', or `@'. The  name  is  folded  to
 #        lowercase, in order to make database lookups case insensi-
 #        tive.
 # 
-#        In  addition,  when  an  alias exists for owner-name, this
-#        will override the envelope sender address, so that  deliv-
+#        In addition, when an alias  exists  for  owner-name,  this
+#        will  override the envelope sender address, so that deliv-
 #        ery diagnostics are directed to owner-name, instead of the
-#        originator   of   the   message    (for    details,    see
-#        owner_request_special,        expand_owner_alias       and
-#        reset_owner_alias).  This  is  typically  used  to  direct
-#        delivery  errors  to the maintainer of a mailing list, who
+#        originator    of    the    message   (for   details,   see
+#        owner_request_special,       expand_owner_alias        and
+#        reset_owner_alias).   This  is  typically  used  to direct
+#        delivery errors to the maintainer of a mailing  list,  who
 #        is in a better position to deal with mailing list delivery
 #        problems than the originator of the undelivered mail.
 # 
 #        The value contains one or more of the following:
 # 
 #        address
-#               Mail  is  forwarded to address, which is compatible
+#               Mail is forwarded to address, which  is  compatible
 #               with the RFC 822 standard.
 # 
 #        /file/name
-#               Mail is appended to /file/name. For details on  how
-#               a  file  is written see the sections "EXTERNAL FILE
-#               DELIVERY" and "DELIVERY  RIGHTS"  in  the  local(8)
-#               documentation.   Delivery is not limited to regular
-#               files.  For example, to dispose of  unwanted  mail,
+#               Mail  is appended to /file/name. For details on how
+#               a file is written see the sections  "EXTERNAL  FILE
+#               DELIVERY"  and  "DELIVERY  RIGHTS"  in the local(8)
+#               documentation.  Delivery is not limited to  regular
+#               files.   For  example, to dispose of unwanted mail,
 #               deflect it to /dev/null.
 # 
 #        |command
-#               Mail  is  piped into command. Commands that contain
-#               special characters, such as whitespace,  should  be
-#               enclosed  between double quotes. For details on how
-#               a command is executed see "EXTERNAL COMMAND  DELIV-
+#               Mail is piped into command. Commands  that  contain
+#               special  characters,  such as whitespace, should be
+#               enclosed between double quotes. For details on  how
+#               a  command is executed see "EXTERNAL COMMAND DELIV-
 #               ERY" and "DELIVERY RIGHTS" in the local(8) documen-
 #               tation.
 # 
 #               When the command fails, a limited amount of command
-#               output  is  mailed  back  to  the sender.  The file
-#               /usr/include/sysexits.h defines the  expected  exit
-#               status  codes. For example, use "|exit 67" to simu-
-#               late a "user  unknown"  error,  and  "|exit  0"  to
+#               output is mailed back  to  the  sender.   The  file
+#               /usr/include/sysexits.h  defines  the expected exit
+#               status codes. For example, use "|exit 67" to  simu-
+#               late  a  "user  unknown"  error,  and  "|exit 0" to
 #               implement an expensive black hole.
 # 
 #        :include:/file/name
-#               Mail  is  sent  to  the  destinations listed in the
+#               Mail is sent to  the  destinations  listed  in  the
 #               named file.  Lines in :include: files have the same
-#               syntax as the right-hand side of alias entries.
+#               syntax  as  the  right-hand  side   of   aliases(5)
+#               entries.
 # 
 #               A  destination  can  be  any  destination  that  is
 #               described in this manual page. However, delivery to

diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf
@@ -18,6 +18,7 @@ smtp      inet  n       -       n       -       -       smtpd
 #127.0.0.1:submission inet n -   n       -       -       smtpd
 #submission inet n       -       n       -       -       smtpd
 #  -o syslog_name=postfix/submission
+#  -o smtpd_forbid_unauth_pipelining=no
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_tls_auth_only=yes
@@ -37,6 +38,7 @@ smtp      inet  n       -       n       -       -       smtpd
 #127.0.0.1:submissions inet n  -       n       -       -       smtpd
 #submissions     inet  n       -       n       -       -       smtpd
 #  -o syslog_name=postfix/submissions
+#  -o smtpd_forbid_unauth_pipelining=no
 #  -o smtpd_tls_wrappermode=yes
 #  -o smtpd_sasl_auth_enable=yes
 #  -o local_header_rewrite_clients=static:all

diff --git a/postfix/conf/virtual b/postfix/conf/virtual
@@ -14,10 +14,12 @@
 #        The  optional  virtual(5) alias table (virtual_alias_maps)
 #        applies to all recipients: local(8), virtual, and  remote.
 #        This feature is implemented in the Postfix cleanup(8) dae-
-#        mon before mail is queued.
+#        mon before mail is queued.  These tables are often queried
+#        with a full email address (including domain).
 # 
-#        This is unlike the  aliases(5)  table  (alias_maps)  which
-#        applies only to local(8) recipients.
+#        This  is  unlike  the  aliases(5) table (alias_maps) which
+#        applies only to local(8) recipients. That  table  is  only
+#        queried with the email address localpart (no domain).
 # 
 #        Virtual  aliasing is recursive; to terminate recursion for
 #        a specific address, alias that address to itself.
@@ -256,46 +258,48 @@
 #        command after a configuration change.
 # 
 #        virtual_alias_maps ($virtual_maps)
-#               Optional lookup tables with aliases that  apply  to
-#               all recipients: local(8), virtual, and remote; this
-#               is unlike alias_maps that apply  only  to  local(8)
-#               recipients.
+#               Optional lookup tables that are often searched with
+#               a  full  email  address (including domain) and that
+#               apply to all  recipients:  local(8),  virtual,  and
+#               remote;  this  is  unlike  alias_maps that are only
+#               searched  with  an  email  address  localpart   (no
+#               domain) and that apply only to local(8) recipients.
 # 
 #        virtual_alias_domains ($virtual_alias_maps)
-#               Postfix  is the final destination for the specified
+#               Postfix is the final destination for the  specified
 #               list of virtual alias domains, that is, domains for
-#               which  all  addresses  are  aliased to addresses in
+#               which all addresses are  aliased  to  addresses  in
 #               other local or remote domains.
 # 
 #        propagate_unmatched_extensions (canonical, virtual)
-#               What address lookup tables copy an  address  exten-
+#               What  address  lookup tables copy an address exten-
 #               sion from the lookup key to the lookup result.
 # 
 #        Other parameters of interest:
 # 
 #        inet_interfaces (all)
-#               The  local  network  interface  addresses that this
+#               The local network  interface  addresses  that  this
 #               mail system receives mail on.
 # 
 #        mydestination  ($myhostname,  localhost.$mydomain,  local-
 #        host)
-#               The list of domains  that  are  delivered  via  the
+#               The  list  of  domains  that  are delivered via the
 #               $local_transport mail delivery transport.
 # 
 #        myorigin ($myhostname)
 #               The domain name that locally-posted mail appears to
-#               come from, and that locally posted mail  is  deliv-
+#               come  from,  and that locally posted mail is deliv-
 #               ered to.
 # 
 #        owner_request_special (yes)
 #               Enable special treatment for owner-listname entries
 #               in the aliases(5) file, and don't split owner-list-
-#               name  and  listname-request address localparts when
+#               name and listname-request address  localparts  when
 #               the recipient_delimiter is set to "-".
 # 
 #        proxy_interfaces (empty)
-#               The remote network interface  addresses  that  this
-#               mail  system  receives mail on by way of a proxy or
+#               The  remote  network  interface addresses that this
+#               mail system receives mail on by way of a  proxy  or
 #               network address translation unit.
 # 
 # SEE ALSO
@@ -305,14 +309,14 @@
 #        canonical(5), canonical address mapping
 # 
 # README FILES
-#        Use "postconf readme_directory" or  "postconf  html_direc-
+#        Use  "postconf  readme_directory" or "postconf html_direc-
 #        tory" to locate this information.
 #        ADDRESS_REWRITING_README, address rewriting guide
 #        DATABASE_README, Postfix lookup table overview
 #        VIRTUAL_README, domain hosting guide
 # 
 # LICENSE
-#        The  Secure  Mailer  license must be distributed with this
+#        The Secure Mailer license must be  distributed  with  this
 #        software.
 # 
 # AUTHOR(S)

diff --git a/postfix/html/BUILTIN_FILTER_README.html b/postfix/html/BUILTIN_FILTER_README.html
@@ -377,7 +377,7 @@ <h2><a name="remote_only">Configuring header/body checks for mail from outside u
         -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_header_body_checks">no_header_body_checks</a>
     127.0.0.1:smtp inet  n       -       n       -       -       smtpd
         -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_header_body_checks">no_header_body_checks</a>
-    pickup         fifo  n       -       n       60      1       pickup
+    pickup         unix  n       -       n       60      1       pickup
         -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_header_body_checks">no_header_body_checks</a>
 </pre>
 

diff --git a/postfix/html/STANDARD_CONFIGURATION_README.html b/postfix/html/STANDARD_CONFIGURATION_README.html
@@ -423,7 +423,7 @@ <h2><a name="firewall">Postfix email firewall/gateway</a></h2>
 processing inbound and outbound mail on a multi-homed firewall. The
 inbound Postfix instance has an SMTP server listening on the external
 firewall interface, and the outbound Postfix instance has an SMTP server
-listening on the internal interface. In such a configuration is it is
+listening on the internal interface. In such a configuration it is
 tempting to configure $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> in each instance with just the
 corresponding interface address. </p>