- [sle16][postfix] postfix service failed to start due to
"chmod: cannot access '/etc/postfix/virtual.lmdb': No such file or directory"
(bsc#1243409)
- move /var/spool/mail/ to separate package (bsc#1179574)
- [sle16][postfix] postfix service failed to start due to
"chmod: cannot access '/etc/postfix/virtual.lmdb': No such file or directory"
(bsc#1243409)
- move /var/spool/mail/ to separate package (bsc#1179574)
OBS-URL: https://build.opensuse.org/request/show/1279040
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=253
"chmod: cannot access '/etc/postfix/virtual.lmdb': No such file or directory"
(bsc#1243409)
- [sle16][postfix] postfix service failed to start due to
"chmod: cannot access '/etc/postfix/virtual.lmdb': No such file or directory"
(bsc#1243409)
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=517
- update to 3.10.2
* Bugfix (defect introduced: date 19991116): when appending a
setting to a main.cf or master.cf file that did not end in a
newline character, the "postconf -e" command did not add an
extra newline character before appending the new setting, causing
information to become garbled.
* Bugfix (defect introduced: Postfix 2.3, date 20051222): the
Dovecot auth client did not attempt to create a new connection
after an I/O error on an existing connection.
* Improved and corrected error messages when converting (host or
service) information to (symbolic text, numerical text, or
binary) form.
* Documentation: updated link to Dovecot documentation.
OBS-URL: https://build.opensuse.org/request/show/1272024
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=511
- update to 3.10.1
* Bugfix (defect introduced: 20250210): a recent 'fix' for the
default smtp_tls_dane_insecure_mx_policy setting resulted in
unnecessary 'dnssec_probe' warnings, on systems that disable
DNSSEC lookups (which is the default).
- update to 3.10.0
* Internal protocol change: Postfix needs "postfix reload" (or "postfix
stop" and "postfix start") after upgrade, because of a change in the
delivery agent protocol. If this step is skipped, Postfix delivery
agents will log a warning:
unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
where xxx is the delivery agent service name.
* Forward compatibility: Support for OpenSSL 3.5 post-quantum
cryptography. To manage algorithm selection, OpenSSL introduces new
TLS group syntax that Postfix will not attempt to imitate. Instead,
Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
parameter values to have an empty value. When both are set empty, the
algorithm selection can be managed through OpenSSL configuration. For
more, look for "Post-quantum" in the postconf(5) manpage.
* Support for the RFC 8689 "TLS-Required: no" message header to request
delivery of messages (such as TLSRPT summaries) even if the preferred
TLS security policy cannot be enforced. This limits the Postfix SMTP
client to "smtp_tls_security_level = may" which does not authenticate
server certificates and which allows falling back to plaintext.
* Support for the REQUIRETLS SMTP service extension will evolve in
Postfix 3.11.
* Support for the TLSRPT protocol (defined in RFC 8460). With this,
a domain can publish a policy in DNS that requests daily summary
reports for successful and failed SMTP-over-TLS connections to that
domain's MX hosts. This supports both DANE (built-in) and MTA-STS
(via an smtp_tls_policy_maps plugin). The implementation uses a
TLSRPT library and reporting infrastructure that are maintained by
sys4. For details, see TLSRPT_README.
* Privacy: With "smtpd_hide_client_session = yes", the Postfix
SMTP server generates a Received: header without client session
info. This setting may be used with the MUA submission services
(port 465 and 587).
* Support for RFC 2047 encoding of non-ASCII "full name" information
in Postfix-generated From: message headers. Encoding non-ASCII full
names can avoid the need to use SMTPUTF8, and therefore can avoid
incompatibility with sites that do not support SMTPUTF8. See the
full_name_encoding_charset parameter description for details.
* Database performance: When mysql: or pgsql: configuration specifies
a single host, assume that it is a load balancer and reconnect
immediately after a single failure, instead of failing all requests
for 60s.
* The Postfix Milter implementation now logs the reason for a
'quarantine' action, instead of "milter triggers HOLD action".
* The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
ends abnormally (timeout, lost connection, or too many errors),
and the cleanup server now logs "queueid: canceled" when a message
transaction is started but not completed. These changes simplify
logfile analysis.
* Dovecot SASL client logging for "Invalid authentication mechanism"
now includes the name of that mechanism.
* Postfix SMTP server 'reject' logging now shows the sasl_method,
sasl_username, and sasl_sender if available.
- update to 3.10.1
* Bugfix (defect introduced: 20250210): a recent 'fix' for the
default smtp_tls_dane_insecure_mx_policy setting resulted in
unnecessary 'dnssec_probe' warnings, on systems that disable
DNSSEC lookups (which is the default).
- update to 3.10.0
* Internal protocol change: Postfix needs "postfix reload" (or "postfix
stop" and "postfix start") after upgrade, because of a change in the
delivery agent protocol. If this step is skipped, Postfix delivery
agents will log a warning:
unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
where xxx is the delivery agent service name.
* Forward compatibility: Support for OpenSSL 3.5 post-quantum
cryptography. To manage algorithm selection, OpenSSL introduces new
TLS group syntax that Postfix will not attempt to imitate. Instead,
Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
parameter values to have an empty value. When both are set empty, the
algorithm selection can be managed through OpenSSL configuration. For
more, look for "Post-quantum" in the postconf(5) manpage.
* Support for the RFC 8689 "TLS-Required: no" message header to request
delivery of messages (such as TLSRPT summaries) even if the preferred
TLS security policy cannot be enforced. This limits the Postfix SMTP
client to "smtp_tls_security_level = may" which does not authenticate
server certificates and which allows falling back to plaintext.
* Support for the REQUIRETLS SMTP service extension will evolve in
Postfix 3.11.
* Support for the TLSRPT protocol (defined in RFC 8460). With this,
a domain can publish a policy in DNS that requests daily summary
reports for successful and failed SMTP-over-TLS connections to that
domain's MX hosts. This supports both DANE (built-in) and MTA-STS
(via an smtp_tls_policy_maps plugin). The implementation uses a
TLSRPT library and reporting infrastructure that are maintained by
sys4. For details, see TLSRPT_README.
* Privacy: With "smtpd_hide_client_session = yes", the Postfix
SMTP server generates a Received: header without client session
info. This setting may be used with the MUA submission services
(port 465 and 587).
* Support for RFC 2047 encoding of non-ASCII "full name" information
in Postfix-generated From: message headers. Encoding non-ASCII full
names can avoid the need to use SMTPUTF8, and therefore can avoid
incompatibility with sites that do not support SMTPUTF8. See the
full_name_encoding_charset parameter description for details.
* Database performance: When mysql: or pgsql: configuration specifies
a single host, assume that it is a load balancer and reconnect
immediately after a single failure, instead of failing all requests
for 60s.
* The Postfix Milter implementation now logs the reason for a
'quarantine' action, instead of "milter triggers HOLD action".
* The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
ends abnormally (timeout, lost connection, or too many errors),
and the cleanup server now logs "queueid: canceled" when a message
transaction is started but not completed. These changes simplify
logfile analysis.
* Dovecot SASL client logging for "Invalid authentication mechanism"
now includes the name of that mechanism.
* Postfix SMTP server 'reject' logging now shows the sasl_method,
sasl_username, and sasl_sender if available.
OBS-URL: https://build.opensuse.org/request/show/1248481
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=501
- update to 3.9.1
* The mail_version configuration parameter did not have a three-number
value (3.9 instead of 3.9.0; it still had the two-number version
from the development releases postfix-3.9-yyyymmdd). This broke
pathnames derived from the mail_version value, such as
shlib_directory.
* Bugfix (defect introduced: Postfix 2.9, date 20111218): with
"smtpd_sasl_auth_enable = no", the permit_sasl_authenticated feature
ignored information that was received with the XCLIENT LOGIN
command, so that the client was treated as unauthenticated. This was
fixed by removing an unnecessary test.
* Bugfix (defect introduced: postfix 3.0): the default master.cf
syslog_name setting for the relay service did not preserve
multi-instance information, which complicated logfile analysis.
* Bugfix (defect introduced: Postfix 2.3, date 20051222): file
descriptor leak after failure to connect to a Dovecot auth server.
The impact is limited because Dovecot auth failures are rare, there
are limits on the number of retries (one), on the number of errors
per SMTP session (smtpd_hard_error_limit), on the number of sessions
per SMTP server process (max_use), and on the number of file handles
per process (managed with sysctl).
* Bugfix (defect introduced: Postfix 3.4, date 20190121): the
postsuper command failed with "open logfile '/path/to/file':
Permission denied" when the maillog_file parameter specified a
filename and Postfix was not running. This was fixed by opening the
maillog_file before dropping root privileges.
* Bugfix (defect introduced Postfix 3.0). No autodetection of UTF8
text when missing message headers were automatically added by
Postfix (for example, a From: header with UTF8 full name information
from the password file). This caused Postfix to send UTF8 in message
headers without using the SMTPUTF8 protocol.
- update to 3.9.1
* The mail_version configuration parameter did not have a three-number
value (3.9 instead of 3.9.0; it still had the two-number version
from the development releases postfix-3.9-yyyymmdd). This broke
pathnames derived from the mail_version value, such as
shlib_directory.
* Bugfix (defect introduced: Postfix 2.9, date 20111218): with
"smtpd_sasl_auth_enable = no", the permit_sasl_authenticated feature
ignored information that was received with the XCLIENT LOGIN
command, so that the client was treated as unauthenticated. This was
fixed by removing an unnecessary test.
* Bugfix (defect introduced: postfix 3.0): the default master.cf
syslog_name setting for the relay service did not preserve
multi-instance information, which complicated logfile analysis.
* Bugfix (defect introduced: Postfix 2.3, date 20051222): file
descriptor leak after failure to connect to a Dovecot auth server.
The impact is limited because Dovecot auth failures are rare, there
are limits on the number of retries (one), on the number of errors
per SMTP session (smtpd_hard_error_limit), on the number of sessions
per SMTP server process (max_use), and on the number of file handles
per process (managed with sysctl).
* Bugfix (defect introduced: Postfix 3.4, date 20190121): the
postsuper command failed with "open logfile '/path/to/file':
Permission denied" when the maillog_file parameter specified a
filename and Postfix was not running. This was fixed by opening the
maillog_file before dropping root privileges.
* Bugfix (defect introduced Postfix 3.0). No autodetection of UTF8
text when missing message headers were automatically added by
Postfix (for example, a From: header with UTF8 full name information
from the password file). This caused Postfix to send UTF8 in message
headers without using the SMTPUTF8 protocol.
OBS-URL: https://build.opensuse.org/request/show/1228585
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=499
- config.postfix needs updating (bsc#1224207)
* chkconfig -> systemctl
* Link Cyrus lmtp only if this exsists
* /usr/lib64/sasl2 does not need to exist
* Fetch timezone via readlink from /etc/localtime
- config.postfix needs updating (bsc#1224207)
* chkconfig -> systemctl
* Link Cyrus lmtp only if this exsists
* /usr/lib64/sasl2 does not need to exist
* Fetch timezone via readlink from /etc/localtime
OBS-URL: https://build.opensuse.org/request/show/1174920
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=239
* chkconfig -> systemctl
* Link Cyrus lmtp only if this exsists
* /usr/lib64/sasl2 does not need to exist
* Fetch timezone via readlink from /etc/localtime
- config.postfix needs updating (bsc#1224207)
* chkconfig -> systemctl
* Link Cyrus lmtp only if this exsists
* /usr/lib64/sasl2 does not need to exist
* Fetch timezone via readlink from /etc/localtime
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=483
- update to 3.9.0
* As described in DEPRECATION_README, the SMTP server features
"permit_naked_ip_address", "check_relay_domains", and
"reject_maps_rbl" have been removed, after they have been logging
a warning for some 20 years. These features now log a warning
and return a "server configuration error" response.
* The MySQL client no longer supports MySQL versions < 4.0. MySQL
version 4.0 was released in 2003.
* As covered in DEPRECATION_README, the configuration parameter
"disable_dns_lookup" and about a dozen TLS-related parameters
are now officially obsolete. These parameters still work, but
the postconf command logs warnings that they will be removed
from Postfix.
* As covered in DEPRECATION_README, "permit_mx_backup" logs a
warning that it will be removed from Postfix.
* In message headers, Postfix now formats numerical days as
two-digit days, i.e. days 1-9 have a leading zero instead of a
leading space. This change was made because the RFC 5322 date
and time specification recommends (i.e. SHOULD) that a single
space be used in each place that folding white space appears.
This change avoids a breaking change in the length of a date
string.
* The MySQL client default characterset is now configurable with
the "charset" configuration file attribute. The default is
"utf8mb4", consistent with the MySQL 8.0 built-in default, but
different from earlier MySQL versions where the built-in default
was "latin1".
* Support to query MongoDB databases, contributed by Hamid Maadani,
based on earlier code by Stephan Ferraro. See MONGODB_README
and mongodb_table(5)
* The RFC 3461 envelope ID is now exported in the local(8) delivery
agent with the ENVID environment variable, and in the pipe(8)
delivery agent with the ${envid} command-line attribute.
* Configurable idle and retry timer settings in the mysql: and
pgsql: clients. A shorter than default retry timer can sped up
the recovery after error, when Postfix is configured with only
one server in the "hosts" attribute. After the code was frozen
for release, we have learned that Postfix can recover faster
from some errors when the single server is specified multiple
times in the "hosts" attribute.
* Optional Postfix TLS support to request an RFC7250 raw public
key instead of an X.509 public-key certificate. The configuration
settings for raw key public support will be ignored when there
is no raw public key support in the local TLS implementation
(i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES
for more information.
* Preliminary support for OpenSSL configuration files, primarily
OpenSSL 1.1.1b and later. This introduces two new parameters
"tls_config_file" and "tls_config_name", which can be used to
limit collateral damage from OS distributions that crank up
security to 11, increasing the number of plaintext email
deliveries. Details are in the postconf(5) manpage under
"tls_config_file" and "tls_config_name".
* With "smtpd_forbid_unauth_pipelining = yes" (the default),
Postfix defends against multiple "blind" SMTP attacks. This
feature was back-ported to older stable releases but disabled
by default.
* With "smtpd_forbid_bare_newline = normalize" (the default)
Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES
for details. This feature was back-ported to older stable
releases but disabled by default.
* Prevent outbound SMTP smuggling, where an attacker uses Postfix
to send email containing a non-standard End-of-DATA sequence,
to exploit inbound SMTP smuggling at a vulnerable remote SMTP
server. With "cleanup_replace_stray_cr_lf = yes" (the default),
the cleanup daemon replaces each stray <CR> or <LF> character
in message content with a space character. This feature was
back-ported to older stable releases with identical functionality.
* The Postfix DNS client now limits the total size of DNS lookup
results to 100 records; it drops the excess records, and logs
a warning. This limit is 20x larger than the number of server
addresses that the Postfix SMTP client is willing to consider
when delivering mail, and is far below the number of records
that could cause a tail recursion crash in dns_rr_append() as
reported by Toshifumi Sakaguchi. This also introduces a similar
limit on the number of DNS requests that a check_*_*_access
restriction can make. All this was back-ported to older stable
releases with identical functionality.
- refreshed patch:
% postfix-no-md5.patch
- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level"
% postfix-SUSE.tar.gz
% postfix-main.cf.patch
% postfix-master.cf.patch
OBS-URL: https://build.opensuse.org/request/show/1156371
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=481
- update to 3.8.6
* Bugfix (defect introduced: Postfix 2.3, date 20051222): the
Dovecot auth client did not reset the 'reason' from a previous
Dovecot auth service response, before parsing the next Dovecot
auth server response in the same SMTP session, resulting in a
nonsensical "authentication failed" warning message. Reported
by Stephan Bosch.
* Bugfix (defect introduced: Postfix 3.1, date: 20151128):
"postqueue -j" produced broken JSON when escaping a control
character as \uXXXX. Found during code maintenance.
* Cleanup: this fixes posttls-finger certificate match expectations
for all TLS security levels, including warnings for levels that
don't implement certificate matching. By Viktor Dukhovni.
* Bugfix (defect introduced: Postfix 2.3): after prepending a
header at the top of a message (with an access(5), header_checks(5)
or Milter action), the Postfix Milter "delete header" or "update
header" action was skipping the prepended header, instead of
skipping the Postfix-generated Received: header. Problem report
by Carlos Velasco.
* Workaround: tlsmgr logfile spam. Reportedly, some OS lies under
load: it says that a socket is readable, then it says that the
socket has unread data, and then it says that read returns EOF,
causing Postfix to spam the log with a warning message.
* Bugfix (defect introduced: Postfix 3.4): the SMTP server's BDAT
command handler could be tricked to read $message_size_limit
bytes into memory. Found during code maintenance.
* Safety: limit the total size of DNS lookup results to 100
records; drop the excess records, and log a warning. This limit
is 20x larger than the number of server addresses that the
Postfix SMTP client is willing to consider when delivering mail,
and is far below the number of records that could cause a tail
recursion crash in dns_rr_append() as reported by Toshifumi
Sakaguchi. This fix also limits the number of DNS requests that
a check_*_*_access restriction can make.
* Performance, related to the previous problem: eliminate worst-case
behavior where the queue manager could defer delivery to all
destinations over a specific delivery transport, after only a
single delivery agent crash. The scheduler now throttles
deliveries to one destination, and allows other deliveries to
keep making progress.
- change to functioning mirror (http://cdn.postfix.johnriley.me/
has been dead for a while although it is still listed upstream)
- make output of %setup less verbose by restoring -q option
OBS-URL: https://build.opensuse.org/request/show/1155290
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=477
