postfix-2.11 stable release candidate available

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

postfix-2.11 stable release candidate available

Wietse Venema
Postfix 2.11.0 stable release candidate 1 is uploaded to ftp.porcupine.org
and will appear on mirror sites in the next 24 hours.

Below is a copy of the RELEASE_NOTES file.  I expect to finalize
Postfix 2.11.0 before the end of this month.

It was unfortunately not possible to support LMDB with this stable
release.  LMDB support will continue to mature in the Postfix 2.12
experimental release, of which the first release is made today.

        Wietse

Major changes - tls
===================

[Documentation 20131218] The new FORWARD_SECRECY_README document
conveniently presents all information about Postfix "perfect" forward
secrecy support in one place: what forward secrecy is, how to tweak
settings, and what you can expect to see when Postfix uses ciphers
with forward secrecy.

[Feature 20130602] Support for PKI-less TLS server certificate
verification, where the CA public key or the server certificate is
identified via DNSSEC lookup.

This feature introduces a new TLS security level called "dane"
(DNS-based Authentication of Named Entities) that uses DNSSEC to
look up CA information for a server TLS certificate.  The details
of DANE core protocols are still evolving, as are the details of
how DANE should be used in the context of SMTP. Postfix implements
what appears to be a "rational" subset of the DANE profiles.

The problem with PKI is that there are literally hundreds of
organizations world-wide that can provide a certificate in anyone's
name. There have been widely-published incidents in recent history
where a certificate authority gave out an inappropriate certificate
(e.g., a certificate in the name of Microsoft to someone who did
not represent Microsoft), where a CA was compromised (e.g., DigiNotar,
Comodo), or where a CA made operational mistakes (e.g., TURKTRUST).
Another concern is that a legitimate CA might be coerced to provide
a certificate that allows its government to play man-in-the-middle
on TLS traffic and observe the plaintext.

Major changes - postscreen whitelisting
=======================================

[Feature 20130512] Allow an SMTP client to skip postscreen(8) tests
based on its postscreen_dnsbl_sites score.

Specify a negative "postscreen_dnsbl_whitelist_threshold" to enable
this feature.  When a client passes the threshold value without
having failed other tests, all pending or disabled tests are flagged
as completed.

Major changes - recipient_delimiter
===================================

[Feature 20130405] The recipient_delimiter parameter can now specify
a set of characters.  A user name is now separated from its address
extension by the first character that matches the recipient_delimiter
set.

For example, specify "recipient_delimiter = +-" to support both the
Postfix-style "+" and the qmail-style "-" extension delimiter.  

As before, this implementation recognizes one delimiter character
per email address, and one address extension per email address.

Major changes - smtpd access control
====================================

[Feature 20131031] The check_sasl_access feature can be used to
block hijacked logins. Like other check_mumble_acces features it
queries a lookup table (in this case with the SASL login name), and
it supports the same actions as any Postfix access(5) table.

[Feature 20130924] The reject_known_sender_login_mismatch feature
applies reject_sender_login_mismatch only to MAIL FROM addresses
that are known in $smtpd_sender_login_maps.

Major changes - MacOS X
=======================

[Feature 20130325] Full support for kqueue() event handling which
scales better with large numbers of file handles, plus a workaround
for timeout handling on file handles (such as /dev/urandom) that
still do not correctly support poll().

Incompatible changes - master
=============================

[Incompat 20131217] The master_service_disable parameter value
syntax has changed: use "service/type" instead of "service.type".
The new form is consistent with postconf(1) namespaces for master.cf.
The old form is still supported to avoid breaking existing
configurations.

Major changes - milter
======================

[Feature 20131126] Support for ESMTP parameters NOTIFY and ORCPT
in the SMFIR_ADDRCPT_PAR (add recipient) request. Credits: Andrew
Ayer.

Major changes - mysql
=====================

[Feature 20131117] MySQL client support for option_file, option_group,
tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, tls_verify_cert.
Credits: Gareth Palmer.

Major changes - postconf
========================

[Feature 20131217] Support for advanced master.cf query and update
operations.  This was implemented primarily to support automated
system management tools.

The goal is to make all Postfix master.cf details accessible as
lists of "name=value" pairs, where the names are organized into
structured name spaces.  This allows other programs to query
information or request updates, without having to worry about the
exact layout of master.cf files.

Managing master.cf service attributes
-------------------------------------

First, an example that shows the smtp/inet service in the traditional
form:

    $ postconf -M smtp/inet
    smtp       inet  n       -       n       -       -       smtpd

Different variants of this command show different amounts of output.
For example, "postconf -M smtp" enumerates all services that have
a name "smtp" and any service type ("inet", "unix", etc.), and
"postconf -M" enumerates all master.cf services.  

General rule: each name component that is not present becomes a "*"
wildcard.

Coming back to the above example, the postconf -F option can now
enumerate the smtp/inet service fields as follows:

    $ postconf -F smtp/inet
    smtp/inet/service = smtp
    smtp/inet/type = inet
    smtp/inet/private = n
    smtp/inet/unprivileged = -
    smtp/inet/chroot = n
    smtp/inet/wakeup = -
    smtp/inet/process_limit = -
    smtp/inet/command = smtpd

This form makes it very easy to change one field in master.cf.
For example to turn on chroot on the smtp/inet service you use:

    $ postconf -F smtp/inet/chroot=y
    $ postfix reload

Moreover, with "-F" you can specify "*" for service name or service
type to get a wild-card match.  For example, to turn off chroot on
all Postfix daemons, use this:

    $ postconf -F '*/*/chroot=n'
    $ postfix reload

Managing master.cf service "-o parameter=value" settings
--------------------------------------------------------

For a second example, let's look at the submission service.  This
service typically has multiple "-o parameter=value" overrides. First
the traditional view:

    $ postconf -Mf submission
    submission inet  n       -       n       -       -       smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        ...

The postconf -P option can now enumerate these parameters as follows:

    $ postconf -P submission
    submission/inet/smtpd_sasl_auth_enable = yes
    submission/inet/smtpd_tls_security_level = encrypt
    ...

Again, this form makes it very easy to modify one parameter
setting. For example, to change the smtpd_tls_security_level setting
for the submission/inet service:

    $ postconf -P 'submission/inet/smtpd_tls_security_level=may'

You can create or remove a parametername=parametervalue setting:

Create:
    $ postconf -P 'submission/inet/parametername=parametervalue'

Remove:
    $ postconf -PX submission/inet/parametername

Finally, always execute "postfix reload" after updating master.cf.

Managing master.cf service entries
----------------------------------

Finally, adding master.cf entries is possible, but currently this
does not yet have "advanced" support. It can only be done at the
level of the traditional master.cf file format.

Suppose that you need to configure a Postfix SMTP client that will
handle slow email deliveries.  To implement this you need to clone
the smtp/unix service settings and create a new delay/unix service.

First, you would enumerate the smtp/unix service like this:

    $ postconf -M smtp/unix
    smtp      unix  -       -       n       -       -       smtp

Then you would copy those fields (except the first field) by hand
to create the delay/unix service:

    $ postconf -M delay/unix="delay   unix   -   -   n   -   -   smtp"

To combine the above steps in one command:

    $ postconf -M delay/unix="`postconf -M smtp/unix|awk '{$1 = "delay"}'`"

This is perhaps not super-convenient for manual cloning, but it
should be sufficient for programmatic configuration management.

Again, always execute "postfix reload" after updating master.cf.

Deleting or commenting out master.cf entries
--------------------------------------------

The -X (delete entry) and -# (comment out entry) options already
exist for main.cf, and they now also work work for entire master.cf
entries:

Remove main.cf or master.cf entry:
    $ postconf -X parametername
    $ postconf -MX delay/unix

Comment out main.cf or master.cf entry:
    $ postconf -# parametername
    $ postconf -M# delay/unix

As with main.cf, there is no support to "undo" master.cf changes
that are made with -X or -#.

Again, always execute "postfix reload" after updating master.cf.
Reply | Threaded
Open this post in threaded view
|

Re: postfix-2.11 stable release candidate available

A. Schulze

Zitat von [hidden email]:

> Postfix 2.11.0 stable release candidate 1 is uploaded to ftp.porcupine.org
> and will appear on mirror sites in the next 24 hours.

2.11x is running here on different hosts without problems.

Andreas