- bnc#981097 config.postfix creates broken main.cf for tls client configuration
- bnc#981099 /etc/sysconfig/postfix: POSTFIX_SMTP_TLS_CLIENT incomplete
- update to 3.1.1:
- The new address_verify_pending_request_limit
parameter introduces a safety limit for the number of address
verification probes in the active queue. The default limit is 1/4
of the active queue maximum size. The queue manager enforces the
limit by tempfailing probe messages that exceed the limit. This
design avoids dependencies on global counters that get out of sync
after a process or system crash.
- Machine-readable, JSON-formatted queue listing with "postqueue -j"
(no "mailq" equivalent).
- The milter_macro_defaults feature provides an optional list of macro
name=value pairs. These specify default values for Milter macros when
no value is available from the SMTP session context.
- Support to enforce a destination-independent delay between email
deliveries. The following example inserts 20 seconds of delay
between all deliveries with the SMTP transport, limiting the delivery
rate to at most three messages per minute.
smtp_transport_rate_delay = 20s
- Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
that a "not found" result from a DNSBL server will be valid for one
hour. This may have been adequate five years ago when postscreen
was first implemented, but nowadays, that one hour can result in
missed opportunities to block new spambots.
To address this, postscreen now respects the TTL of DNSBL "not
found" replies, as well as the TTL of DNSWL replies (both "found"
and "not found"). The TTL for a "not found" reply is determined
according to RFC 2308 (the TTL of an SOA record in the reply).
Support for DNSBL or DNSWL reply TTL values is controlled by two
OBS-URL: https://build.opensuse.org/request/show/397601
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=235
- fix build on sle11 by pointing _libexecdir to /usr/lib all the
time.
- some distros did not pull pkgconfig indirectly. pull it directly.
- fix building the dynamic maps: the old build had postgresql e.g.
with missing symbols.
- convert to AUXLIBS_* instead of plain AUXLIBS which is needed
for proper dynamic maps.
- reordered the CCARGS and AUXLIBS* lines to group by feature
- use pkgconfig or *_config tools where possible
- picked up signed char from fedora spec file
- enable lmdb support: new BR lmdb-devel, new subpackage
postfix-lmdb.
- don't delete vmail user/groups
OBS-URL: https://build.opensuse.org/request/show/376737
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=233
- update to 3.1.0
- Since version 3.0 postfix supports dynamic loading of cdb:, ldap:,
lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients.
Thats why the patches dynamic_maps.patch and dynamic_maps_pie.patch
could be removed.
- Adapting all the patches to postfix 3.1.0
- The patch postfix-db6.diff is not more neccessary
- Backwards-compatibility safety net.
With NEW Postfix installs, you MUST install a main.cf file with
the setting "compatibility_level = 2". See conf/main.cf for an
example.
With UPGRADES of existing Postfix systems, you MUST NOT change the
main.cf compatibility_level setting, nor add this setting if it
does not exist.
Several Postfix default settings have changed with Postfix 3.0. To
avoid massive frustration with existing Postfix installations,
Postfix 3.0 comes with a safety net that forces Postfix to keep
running with backwards-compatible main.cf and master.cf default
settings. This safety net depends on the main.cf compatibility_level
setting (default: 0). Details are in COMPATIBILITY_README.
- Major changes - tls
* [Feature 20160207] A new "postfix tls" command to quickly enable
opportunistic TLS in the Postfix SMTP client or server, and to
manage SMTP server keys and certificates, including certificate
signing requests and TLSA DNS records for DANE.
* As of the middle of 2015, all supported Postfix releases no longer
nable "export" grade ciphers for opportunistic TLS, and no longer
use the deprecated SSLv2 and SSLv3 protocols for mandatory or
OBS-URL: https://build.opensuse.org/request/show/373635
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=232
* Fix for DMARC implementations based on SPF policy plus DKIM Milter.
* The Postfix SMTP server logged an incorrect client name in reject
messages for check_reverse_client_hostname_access and check_reverse_client_hostname_{mx,ns}_access.
* The qmqpd daemon crashed with null pointer bug when logging a lost connection while not in a mail transaction.
* The TLS client logged that an anonymous TLS connection was "Untrusted", instead of "Anonymous".
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=230
- postfix-SuSE.tar.gz/postfix.service: None of
nss-lookup.target network.target local-fs.target time-sync.target
should be Wanted or Required except by the services
the implement the relevant functionality i.e network.target
is wanted/required by networkmanager, wicked,
systemd-network. other software must be ordered After them,
see systemd.special(7)
OBS-URL: https://build.opensuse.org/request/show/309705
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=223
- Bugfix (introduced: Postfix 2.6):
sender_dependent_relayhost_maps ignored the relayhost setting
in the case of a DUNNO lookup result. It would use the
recipient domain instead. Viktor Dukhovni. Wietse took the
pieces of code that enforce the precedence of a
sender-dependent relayhost, the global relayhost, and the
recipient domain, and put that code together in once place so
that it is easier to maintain. File:
trivial-rewrite/resolve.c.
- Bitrot: prepare for future changes in OpenSSL API. Viktor
Dukhovni. File: tls_dane.c.
- Incompatibility: specifying "make makefiles" with "CC=command"
will no longer override the default WARN setting.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=216
- bnc#912594 config.postfix creates config based on old options
- bnc#911806 config.postfix does not set up correct saslauthd socket directory for chroot
- bnc#910265 config.postfix does not upgrade the chroot
- bnc#908003 wrong access rights on /usr/sbin/postdrop causes
permission denied when trying to send a mail as non root user
- bnc#729154 wrong permissions for some postfix components
OBS-URL: https://build.opensuse.org/request/show/280976
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=206
* TLS
o Support for PKI-less TLS server certificate verification, where
the CA public key or the server certificate is identified via DNSSEC lookup
* LMDB database support
* master
o The master_service_disable parameter value syntax has changed:
use "service/type" instead of "service.type".
* postconf:
o Support for advanced master.cf query and update operations.
This was implemented primarily to support automated system management tools.
o The postconf command produces more warnings
* relay safety
New smtpd_relay_restrictions parameter built-in default settings:
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
* postscreen whitelisting
Allow a remote SMTP client to skip postscreen(8) tests based on
its postscreen_dnsbl_sites score.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=180
unsuitable for computing certificate PUBLIC KEY fingerprints.
Postfix now provides a correct procedure that accounts for
the algorithm and parameters in addition to the key data. Specify
"tls_legacy_public_key_fingerprints = yes" if you need backwards compatibility.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=160
* tls support:
Support to turn off the TLSv1.1 and TLSv1.2 protocols:
To temporarily turn off problematic protocols globally:
/etc/postfix/main.cf:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic
protocols for broken sites only:
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
/etc/postfix/tls_policy:
example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
* 20111012 To simplify integration with third-party
applications, the Postfix sendmail command now always transforms
all input lines ending in <CR><LF> into UNIX format (lines ending
in <LF>). Specify "sendmail_fix_line_endings = strict" to restore
historical Postfix behavior (i.e. convert all input lines ending
in <CR><LF> only if the first line ends in <CR><LF>).
* 20120114 Logfile-based alerting systems may need to be
updated to look for "error" messages in addition to "fatal" messages.
Specify "daemon_table_open_error_is_fatal = yes" to get the historical
behavior (immediate termination with "fatal" message).
* enable_long_queue_ids Postfix 2.9 introduces support for non-repeating queue IDs (also
used as queue file names). These names are encoded in a mix of upper
case, lower case and decimal digit characters. Long queue IDs are
disabled by default to avoid breaking tools that parse logfiles and
that expect queue IDs with the smaller [A-F0-9] character set.
* 20111209 memcache lookup and update support. This provides
a way to share postscreen(8) or verify(8) caches between Postfix
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=154
was comparing bitmasks incorrectly causing the program to
always wait for the full time limit. This error affected
the unused postkick command, but only after s/fifo/unix/
in master.cf. File: util/events.c.
- Cleanup: laptop users have always been able to avoid
unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
(this is currently not supported on Solaris systems).
However, to make this work reliably, the "postqueue -f"
command must wait until its requests have reached the pickup
and qmgr servers before closing the UNIX-domain request
sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=143
Bugfixes:
smtpd(8) did not sanitize newline characters in cleanup(8)
REJECT messages, causing them to be sent out via SMTP as bare newline characters.
smtpd(8) sent multi-line responses from a before-queue content filter as text with
bare <LF> instead of <CR><LF>.
Workaround: postscreen sent non-compliant SMTP responses (220- followed by 421)
when it could not give a connection to a real smtpd process, causing some
remote SMTP clients to bounce mail.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=104