DevHeads.net

[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.7.0.html]

Postfix stable release 2.7.0 is available. For the past several
releases, the focus has moved towards improving the code and
documentation, and updating the system for changing environments.

- Improved before-queue content filter performance. With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter.

Postfix 2.7 is being readied for final release. You can find release
candidate 2 on the download sites (release candidate 1 was released
a week ago).

Postfix 2.7 brings performance improvements for before-queue content
filtering, automatic cache cleanup for the verify daemon, and
support for reputation management based on the outgoing source IP
address.

The postscreen daemon is still to rough for a stable release and
will be made "mature" in the Postfix 2.8 development cycle.

Wietse

As the result of repeated requests to make Postfix routing dependent
on envelope or content properties, Postfix now has several mail
delivery features that are not fully orthogonal.

First there are sender_dependent_xxx_maps where xxx is relayhost,
default_transport, and so on. These are "nice" in the sense that
they don't have an effect on mail that should be delivered locally.

Second there is "FILTER transport:". In practice this feature is
suitable only for transit mail. By design the FILTER command
overrides all routing decisions (that is needed for real content
filters to work).

The following solution solves 99% of the problem:

- IF mail is from a local (or authenticated) client

- AND the sender has already passed "reject_unlisted_sender"

- THEN store the (sender, recipient) pair in a whitelist.

This can be done with trivial modification of an existing greylisting
policy daemon.

Occasionally, a sender or recipient address will become invalid,
or a user mis-types.

postfix-2.7-20100117 changes the meaning of content filters of the
form "transport:" (note: no next-hop destination) so that this
form can be used to implement sender reputation schemes. Typically,
mail is split into classes, and all mail in class X is sent out
from an SMTP client IP address that is reserved for class X.

According to discussions on the Postfix list there is a legitimate
need for such functionality. Until now this requires one Postfix
instance per source IP address.

The change introduces one minor incompatibility.

Ralf Hildebrandt:
[ Charset UTF-8 unsupported, converting... ]

New errors, bogus or not, happen after a program is changed so that
it executes code paths that it did not execute before.

I am going to take a very pragmatic decision.

Does not reproduce on Ubuntu 9.10-server with the default Berkeley DB 4.7.

Can you check if this warning (and the warning for postscreen) goes
away when automatic cache cleanup is turned off?

address_verify_cache_cleanup_interval = 0
postscreen_cache_cleanup_interval = 0

This can't be the same bug as discussed last month with "close
database after fork", because verify(8) does not fork.

I'm burning in some new code that I wrote over the past week to
periodically remove old entries from postscreen(8) and verify(8)
caches. This is not a sexy topic, but it helps to keep database
sizes in check, it speeds up database access, and it was time.

If you're courageous you can try postfix-2.7-20091227-nonprod.

Like this?

Dec 5 20:15:25 server postfix/smtpd[16712]: proxy-accept:
END-OF-MESSAGE: 250 2.0.0 Ok: queued as 91BE3547AFE;
from=<<...> at example dot com> to=<<...> at example dot com> proto=ESMTP
helo=

(with the same form for proxy-reject at END-OF-MESSAGE; the format
of the reject message would be consistent with other Postfix reject
messages.)

Wietse

diff --exclude=man --exclude=html --exclude=README_FILES --exclude=.indent.pro --exclude=Makefile.in -r -cr /var/tmp/postfix-2.7-20091115/src/smtpd/smtpd.c ./smtpd.c
*** /var/tmp/postfix-2.7-20091115/src/smtpd/sm

Recently there have been requests for sending mail with source IP
addresses that depend on the envelope sender. Sometimes the request
appeared to be related to showshoe spamming, and sometimes it
appeared to be a legitimate attempt to protect IP-based domain
reputations of different customers.

Current solution
================
The current solution that Postfix offers is to use multiple instances:
one back-end instance per source IP address, and one front-end
instance that uses sender_dependent_relayhost_maps to choose the
right back-end instance.

Last week there was big news about a security hole in the TLS
protocol that allows a man-in-the-middle to prepend data to a
fully-secure TLS session.

That is, the server certificate verifies, and therefore no-one can
read or modify the network traffic. Or so we thought.

http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
http://www.ietf.org/mail-archive/web/tls/current/msg03942.html

This hole was already known and a consortium of industry partners
was already working on solutions.

Wietse Venema:

Attached is a patch that fixes a segfault due to an incomplete API
change.

Postfix 2.7-20091104-nonprod introduces a "speed adjust" feature
that reduces the number of before-queue filter processes, without
reducing the number of before-filter SMTP server processes.

This addresses a concern of people in Europe who want to reject
all bad mail with a before-queue filter, instead of having to use
an after-queue filter and having to discard mail (which is illegal)
or having to bounce mail (which violates good network citizenship).

With "smtpd_proxy_options = speed_adjust", the SMTP server will
receive the entire message before it connects to a content filter.
For more i

Geert Hendrickx:

To avoid becoming a backscatter source,

1) The Postfix SMTP server needs a table that matches all recipient
addresses in the old domain.

2) The Postfix SMTP server needs a table that matches all recipient
addresses in the new domain.

Both tables can be generated from the same source, either with
scripting and plain files, or, if I am not mistaken, with clever
use of *SQL or LDAP queries.

Your suggested "rewrite olddomain to newdomain" feature does not
eliminate the requirement for 1) and 2).

If you can provide 1) and 2), then you can also provide the one-on-o

Work on Postfix continues to make it more scalable, after the system
was made feature-complete in the past couple years.

Postfix snapshot 20091008 includes an updated version of the
postscreen daemon. This means it is no longer limited to the
non-production releases.

To make postscreen safe to deploy, it has a permanent whitelist
(default: $mynetworks) that avoids running SMTP protocol tests on
broken network appliances.

There are some problems with one Cloud9 majordomo server as the
result of some software upgrades. I thought all the missing files
were put back yesterday.

Meanwhile, if mail bounces, just resend it until it hits one of
the other servers...

Wietse

The stable release Postfix 2.6.5 addresses the defects described
below (some already addressed with the not-announced Postfix 2.6.3
release). These defects are also addressed in the legacy releases
that are still maintained: Postfix 2.5.9, 2.4.13 and 2.3.19.

Do not use Postfix 2.6.4, 2.5.8, 2.4.12, 2.3.18, 2.7-20090807, and
2.7-20090807-nonprod. These contain a DNS workaround that causes
more trouble than it prevents.

The postscreen versions in non-production snapshots 20090803 and
20090805 drop connections due to an incorrect code change. This
is fixed with non-production snapshot 20090806.

Wietse

Postscreen is the code name for a new daemon that sits in front of
Postfix and that does connection-level filtering. The program is
is currently available as unsupported, non-production code.

Early results for seven days of spam were presented at the 2009
Mailserver conference in Berlin:

* Anomalies in spammer SMTP client implementations. Spammers
are in a hurry to send spam, and therefore they cut corners
in the SMTP protocol. Postscreen currently detects SMTP
clients that start talking too early.

Mail systems may send the occasional bounce, but that is not the
point here. The point here is that Steve will terrorize the list
until he gets what he wants, and that is not going to happen.
Therefore I terminate this thread (and anyone who continutes it).

Wietse

Matthias Andree:

I have a trivial tool that gropes the sources of individual Postfix
programs, however a non-trivial number of parameters is loaded
implicitly by library routines. Accurately determining these
dependencies is non-trivial, because not every program uses every
library routine.

And once parameters are read in one place, even these tricks will
no longer work.

In addition, the mapping is not fixed; parameters have moved from
one program to another (e.b. always_bcc). I want to keep the
documentation meaningful for several Postfix versions.

Wietse

Jiri Veselsky:

I have added header checks for Milter-generated mail headers.
The feature is called "milter_header_checks".

It is available from Postfix mirrors as postfix-2.7-20090607, and
also available as an optional patch for Postfix 2.6.

Wietse

milter_header_checks (default: empty)

Optional lookup tables for content inspection of message headers that
are produced by Milter applications. See the header_checks(5) manual
page available actions.

Postfix stable release 2.6.2 fixes one defect in SASL support.
This does not affect Postfix versions 2.5 and earlier.

With plaintext SMTP sessions AND smtpd_tls_auth_only=yes AND
smtp_sasl_auth_enable=yes, the SMTP server logged warnings for
reject_*_sender_login_mismatch, instead of enforcing them.

You can find Postfix version 2.6.2 at the mirrors listed at
http://www.postfix.org/

The same fix is also available in Postfix snapshot 2.7-20090528.
Postfix versions 2.5 and earlier are not affected.

Wietse

Wietse Venema:

I'll post some numbers today, based on domain names found in open
mailing lists.

Wietse

Postfix stable release 2.6.1 fixes one defect in Milter support.
This does not affect Postfix versions 2.5 and earlier.

- Queue file corruption under very specific conditions: (smtpd_milters
or non_smtpd_milters) enabled, AND delay_warning_time enabled,
AND mail delivery delays, AND short envelope sender addresses
(e.g., sendmail command-line submissions with bare usernames as
the sender, but not bounce messages).

The queue file would be corrupted when the delay_warning_time
record was marked as "done" after sending the "your mail is
delayed" notice.

Postfix legacy releases 2.5.7, 2.4.11 and 2.3.17 contain fixes that
were already included with Postfix versions 2.6 and 2.7.

Postfix 2.5.7:

- (low) The installation/upgrade procedure did not automatically
create the data_directory.

- (medium) In the "new queue manager", the _destination_rate_delay
code needed to postpone the job scheduler updates after delivery
completion, otherwise the scheduler could loop on blocked jobs.

- (low) The queue manager used _concurrency_failed_cohort_limit
instead of _destination_concurrency_failed_cohort_limit
as documented.

Reinaldo de Carvalho:

Specify "always_add_missing_headers=yes" to always add (Resent-)
From:, Date:, Message-ID: or To: headers when these are not present.

Wietse

Postfix stable release 2.6.0 is available. After Postfix was declared
"complete" with version 2.3, the focus has moved towards improving
the code/documentation, and updating it for changing environments.

- Multi-instance support introduces a new postmulti(1) command to
create/add/remove/etc. additional Postfix instances. The familiar
"postfix start" etc. commands now automatically start multiple
Postfix instances. The good news: nothing changes when you use
only one Postfix instance.

Postfix 2.6 stable release candidate 3 is available. If this has
no problems, then Postfix 2.6.0 will happen soon. The same code is
also available as Postfix 2.7 experimental release 20090428.

Wietse

TLS changes since release candidate 2:
======================================

The Postfix SMTP client(!) no longer tries to use the obsolete SSLv2
protocol by default, as this may prevent the use of modern SSL
features.