Accepting request 373635 from home:varkoly:branches:server:mail

- update to 3.1.0 
- Since version 3.0 postfix supports dynamic loading of cdb:, ldap:, 
  lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients.
  Thats why the patches dynamic_maps.patch and dynamic_maps_pie.patch
  could be removed.
- Adapting all the patches to postfix 3.1.0
- The patch postfix-db6.diff is not more neccessary
- Backwards-compatibility safety net.
  With NEW Postfix installs, you MUST install a main.cf file with
  the setting "compatibility_level = 2". See conf/main.cf for an
  example.
  
  With UPGRADES of existing Postfix systems, you MUST NOT change the
  main.cf compatibility_level setting, nor add this setting if it
  does not exist.
  
  Several Postfix default settings have changed with Postfix 3.0.  To
  avoid massive frustration with existing Postfix installations,
  Postfix 3.0 comes with a safety net that forces Postfix to keep
  running with backwards-compatible main.cf and master.cf default
  settings. This safety net depends on the main.cf compatibility_level
  setting (default: 0). Details are in COMPATIBILITY_README.
- Major changes - tls
* [Feature 20160207] A new "postfix tls" command to quickly enable
  opportunistic TLS in the Postfix SMTP client or server, and to
  manage SMTP server keys and certificates, including certificate
  signing requests and TLSA DNS records for DANE.
* As of the middle of 2015, all supported Postfix releases no longer
  nable "export" grade ciphers for opportunistic TLS, and no longer
  use the deprecated SSLv2 and SSLv3 protocols for mandatory or

OBS-URL: https://build.opensuse.org/request/show/373635
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=232

postfix.changes

@@ -1,3 +1,168 @@
+-------------------------------------------------------------------
+Wed Mar  9 13:06:35 UTC 2016 - varkoly@suse.com
+
+- update to 3.1.0 
+- Since version 3.0 postfix supports dynamic loading of cdb:, ldap:, 
+  lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients.
+  Thats why the patches dynamic_maps.patch and dynamic_maps_pie.patch
+  could be removed.
+- Adapting all the patches to postfix 3.1.0
+- The patch postfix-db6.diff is not more neccessary
+
+- Backwards-compatibility safety net.
+  With NEW Postfix installs, you MUST install a main.cf file with
+  the setting "compatibility_level = 2". See conf/main.cf for an
+  example.
+  
+  With UPGRADES of existing Postfix systems, you MUST NOT change the
+  main.cf compatibility_level setting, nor add this setting if it
+  does not exist.
+  
+  Several Postfix default settings have changed with Postfix 3.0.  To
+  avoid massive frustration with existing Postfix installations,
+  Postfix 3.0 comes with a safety net that forces Postfix to keep
+  running with backwards-compatible main.cf and master.cf default
+  settings. This safety net depends on the main.cf compatibility_level
+  setting (default: 0). Details are in COMPATIBILITY_README.
+
+- Major changes - tls
+* [Feature 20160207] A new "postfix tls" command to quickly enable
+  opportunistic TLS in the Postfix SMTP client or server, and to
+  manage SMTP server keys and certificates, including certificate
+  signing requests and TLSA DNS records for DANE.
+* As of the middle of 2015, all supported Postfix releases no longer
+  nable "export" grade ciphers for opportunistic TLS, and no longer
+  use the deprecated SSLv2 and SSLv3 protocols for mandatory or
+  opportunistic TLS.
+* [Incompat 20150719] The default Diffie-Hellman non-export prime was
+  updated from 1024 to 2048 bits, because SMTP clients are starting
+  to reject TLS handshakes with primes smaller than 2048 bits.
+* [Feature 20160103] The Postfix SMTP client by default enables DANE
+  policies when an MX host has a (DNSSEC) secure TLSA DNS record,
+  even if the MX DNS record was obtained with insecure lookups.  The
+  existence of a secure TLSA record implies that the host wants to
+  talk TLS and not plaintext. For details see the
+  smtp_tls_dane_insecure_mx_policy configuration parameter.
+
+- Major changes - default settings
+  [Incompat 20141009] The default settings have changed for relay_domains
+  (new: empty, old: $mydestination) and mynetworks_style (new: host,
+  old: subnet).  However the backwards-compatibility safety net will
+  prevent these changes from taking effect, giving the system
+  administrator the option to make an old default setting permanent
+  in main.cf or to adopt the new default setting, before turning off
+  backwards compatibility. See COMPATIBILITY_README for details.
+  
+  [Incompat 20141001] A new backwards-compatibility safety net forces
+  Postfix to run with backwards-compatible main.cf and master.cf
+  default settings after an upgrade to a newer but incompatible Postfix
+  version. See COMPATIBILITY_README for details.
+  
+  While the backwards-compatible default settings are in effect,
+  Postfix logs what services or what email would be affected by the
+  incompatible change. Based on this the administrator can make some
+  backwards-compatibility settings permanent in main.cf or master.cf,
+  before turning off backwards compatibility.
+
+- Major changes - address verification safety
+  [Feature 20151227] The new address_verify_pending_request_limit
+  parameter introduces a safety limit for the number of address
+  verification probes in the active queue.  The default limit is 1/4
+  of the active queue maximum size. The queue manager enforces the
+  limit by tempfailing probe messages that exceed the limit. This
+  design avoids dependencies on global counters that get out of sync
+  after a process or system crash.
+  
+  Tempfailing verify requests is not as bad as one might think.  The
+  Postfix verify cache proactively updates active addresses weeks
+  before they expire. The address_verify_pending_request_limit affects
+  only unknown addresses, and inactive addresses that have expired
+  from the address verify cache (by default, after 31 days).
+  
+- Major changes - json support
+  [Feature 20151129] Machine-readable, JSON-formatted queue listing
+  with "postqueue -j" (no "mailq" equivalent).  The output is a stream
+  of JSON objects, one per queue file.  To simplify parsing, each
+  JSON object is formatted as one text line followed by one newline
+  character. See the postqueue(1) manpage for a detailed description
+  of the output format.
+  
+- Major changes - milter support
+  [Feature 20150523] The milter_macro_defaults feature provides an
+  optional list of macro name=value pairs. These specify default
+  values for Milter macros when no value is available from the SMTP
+  session context.
+  
+  For example, with "milter_macro_defaults = auth_type=TLS", the
+  Postfix SMTP server will send an auth_type of "TLS" to a Milter,
+  unless the remote client authenticates with SASL.
+  
+  This feature was originally implemented for a submission service
+  that may authenticate clients with a TLS certificate, without having
+  to make changes to the code that implements TLS support.
+  
+- Major changes - output rate control
+  
+  [Feature 20150710] Destination-independent delivery rate delay
+  
+  Support to enforce a destination-independent delay between email
+  deliveries.  The following example inserts 20 seconds of delay
+  between all deliveries with the SMTP transport, limiting the delivery
+  rate to at most three messages per minute.
+  
+  /etc/postfix/main.cf:
+      smtp_transport_rate_delay = 20s
+  
+  For details, see the description of default_transport_rate_delay
+  and transport_transport_rate_delay in the postconf(5) manpage.
+  
+- Major changes - postscreen dnsbl
+  [Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL
+  lookup results
+  
+  Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
+  that a "not found" result from a DNSBL server will be valid for one
+  hour.  This may have been adequate five years ago when postscreen
+  was first implemented, but nowadays, that one hour can result in
+  missed opportunities to block new spambots.
+  
+  To address this, postscreen now respects the TTL of DNSBL "not
+  found" replies, as well as the TTL of DNSWL replies (both "found"
+  and "not found").  The TTL for a "not found" reply is determined
+  according to RFC 2308 (the TTL of an SOA record in the reply).
+  
+  Support for DNSBL or DNSWL reply TTL values is controlled by two
+  configuration parameters:
+  
+  postscreen_dnsbl_min_ttl (default: 60 seconds).
+  
+      This parameter specifies a minimum for the amount of time that
+      a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
+      This prevents an excessive number of postscreen cache updates
+      when a DNSBL or DNSWL server specifies a very small reply TTL.
+  
+  postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
+  
+      This parameter specifies a maximum for the amount of time that
+      a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
+      This prevents cache pollution when a DNSBL or DNSWL server
+      specifies a very large reply TTL.
+  
+  The postscreen_dnsbl_ttl parameter is now obsolete, and has become
+  the default value for the new postscreen_dnsbl_max_ttl parameter.
+  
+- Major changes - sasl auth safety
+  [Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to
+  enforce an optional rate limit on AUTH commands per SMTP client IP
+  address.  Similar to other smtpd_client_*_rate_limit features, this
+  enforces a limit on the number of requests per $anvil_rate_time_unit.
+  
+- Major changes - smtpd policy
+  [Feature 20150913] New SMTPD policy service attribute "policy_context",
+  with a corresponding "smtpd_policy_service_policy_context" configuration
+  parameter.  Originally, this was implemented to share the same SMTPD
+  policy service endpoint among multiple check_policy_service clients.
+
 -------------------------------------------------------------------
 Wed Dec  9 14:05:22 UTC 2015 - varkoly@suse.com