Postfix 3.2.0 stable release

Postfix 3.2.0 stable release

Wietse Venema
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.0.html]

Postfix stable release 3.2.0 is available, 20 years after work began
early 1997. This release ends support for legacy release Postfix 2.10.

The main changes in no particular order are:

  * Elliptic curve negotiation with OpenSSL <= 1.0.2. This changes
    the default smtpd_tls_eecdh_grade setting to "auto", and
    introduces a new parameter tls_eecdh_auto_curves with the names
    of curves that may be negotiated.

  * Stored-procedure support for MySQL databases. Contributed by
    John Fawcett. See the mysql_table(5) manpage for details.

  * Cidr: table support for if/endif and negation (by prepending !
    to a pattern), just like regexp: and pcre: tables. See the
    cidr_table(5) manpage for details.

  * The postmap command and the inline: and texthash: maps now
    support spaces in left-hand field of lookup table source text.
    Use double quotes (") around a left-hand field that contains
    spaces, and use backslash (\) to protect quotes in a left-hand
    field.

  * Support for per-client Milter configuration (smtpd_milter_maps)
    that overrides the main.cf smtpd_milters setting, and that has
    the same syntax. A lookup result of "DISABLE" turns off Milter
    support for that client. See MILTER_README.html for details.

  * The local SMTP server IP address and port are available in the
    policy delegation protocol (attribute names: server_address,
    server_port), in the Milter protocol (macro names: {daemon_addr},
    {daemon_port}), and in the XCLIENT protocol (attribute names:
    DESTADDR, DESTPORT).

  * For safety reasons, the Postfix sendmail -C option must specify
    an authorized directory: the default configuration directory,
    a directory that is listed in the default main.cf file with
    alternate_config_directories or multi_instance_directories,
    otherwise the command must be invoked with root privileges.
    This mitigates a recurring "jail break" problem with the PHP
    mail() function.

  * "PASS" and "STRIP" actions in header/body_checks. "STRIP" is
    similar to "IGNORE" but also logs the action, and "PASS" disables
    header, body, and Milter inspection for the remainder of the
    message content. Contributed by Hobbit.

  * The collate.pl script by Viktor Dukhovni for grouping Postfix
    logfile records into "sessions" based on queue ID and process
    ID information, in the auxiliary/collate directory of the Postfix
    source tree.

Disabled or removed behavior:

  * SMTPUTF8 support: Postfix 3.2 disables the 'transitional'
    compatibility between the IDNA2003 and IDNA2008 standards for
    internationalized domain names (domain names beyond the limits
    of US-ASCII). This makes Postfix behavior consistent with
    contemporary web browsers. See RELEASE_NOTES for more.

  * Postfix 3.2 removes tentative features that were implemented
    before the DANE spec was finalized: support for certificate
    usage PKIX-EE(1), the ability to disable digest agility, and
    the ability to disable support for "TLSA 2 [01] [12]" records
    that specify the digest of a trust anchor. See RELEASE_NOTES
    for more.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

        Wietse
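
The cidr: if/endif and negation support and the smtpd_milter_maps override described above can be checked offline before a table goes live. The following is an added example, not code from Postfix or from this announcement: a simplified Python model that assumes first-match-wins lookup and fallback to smtpd_milters when no pattern matches. The table contents, addresses and Milter endpoints are constructed.

```python
import ipaddress

# Constructed sample table (hypothetical addresses and Milter endpoint).
# Lines between if..endif are left unindented, as cidr_table(5) requires.
SAMPLE_TABLE = """\
# Loopback never goes through Milters.
127.0.0.0/8 DISABLE
if 192.0.2.0/24
# Inside this network only the scanner host is exempt.
192.0.2.25/32 DISABLE
!192.0.2.25/32 inet:127.0.0.1:8891
endif
"""

def _matches(pattern, addr):
    """Match one CIDR pattern; a leading '!' negates the result."""
    negate = pattern.startswith("!")
    net = ipaddress.ip_network(pattern[1:] if negate else pattern)
    return (addr in net) != negate

def lookup(table_text, client_ip):
    """Return the result of the first matching rule, or None."""
    addr = ipaddress.ip_address(client_ip)
    skip_depth = 0  # > 0 while inside an if-block whose pattern failed
    for raw in table_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if fields[0] == "if":
            if skip_depth or not _matches(fields[1].strip(), addr):
                skip_depth += 1
            continue
        if fields[0] == "endif":
            skip_depth = max(0, skip_depth - 1)
            continue
        if not skip_depth and len(fields) == 2 and _matches(fields[0], addr):
            return fields[1].strip()
    return None

def effective_milters(table_text, client_ip, smtpd_milters):
    """Model the per-client override: DISABLE means no Milters at all."""
    result = lookup(table_text, client_ip)
    if result is None:
        return smtpd_milters  # no override, main.cf setting applies
    return "" if result == "DISABLE" else result
```

Running each client address that should be inspected through effective_milters shows whether a rule higher in the table exempts it from Milter inspection.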

Re: Postfix 3.2.0 stable release

Viktor Dukhovni

> On Mar 2, 2017, at 7:43 PM, Wietse Venema <[hidden email]> wrote:
>
>  * Elliptic curve negotiation with OpenSSL <= 1.0.2. This changes
>    the default smtpd_tls_eecdh_grade setting to "auto", and
>    introduces a new parameter tls_eecdh_auto_curves with the names
>    of curves that may be negotiated.

Tiny correction.  The EC negotiation is with OpenSSL >= 1.0.2, not
OpenSSL <= 1.0.2.  That is, it requires at *least* OpenSSL 1.0.2,
which currently means some patch level of 1.0.2 or 1.1.0.

--
        Viktor.
