Postfix 2.11.0 stable release candidate 1 is uploaded to ftp.porcupine.org
and will appear on mirror sites in the next 24 hours.
Below is a copy of the RELEASE_NOTES file. I expect to finalize
Postfix 2.11.0 before the end of this month.
It was unfortunately not possible to support LMDB with this stable
release. LMDB support will continue to mature in the Postfix 2.12
experimental release, of which the first release is made today.
Major changes - tls
[Documentation 20131218] The new FORWARD_SECRECY_README document
conveniently presents all information about Postfix "perfect" forward
secrecy support in one place: what forward secrecy is, how to tweak
settings, and what you can expect to see when Postfix uses ciphers
with forward secrecy.
[Feature 20130602] Support for PKI-less TLS server certificate
verification, where the CA public key or the server certificate is
identified via DNSSEC lookup.
This feature introduces a new TLS security level called "dane"
(DNS-based Authentication of Named Entities) that uses DNSSEC to
look up CA information for a server TLS certificate. The details
of DANE core protocols are still evolving, as are the details of
how DANE should be used in the context of SMTP. Postfix implements
what appears to be a "rational" subset of the DANE profiles.
The problem with PKI is that there are literally hundreds of
organizations world-wide that can provide a certificate in anyone's
name. There have been widely-published incidents in recent history
where a certificate authority gave out an inappropriate certificate
(e.g., a certificate in the name of Microsoft to someone who did
not represent Microsoft), where a CA was compromised (e.g., DigiNotar,
Comodo), or where a CA made operational mistakes (e.g., TURKTRUST).
Another concern is that a legitimate CA might be coerced to provide
a certificate that allows its government to play man-in-the-middle
on TLS traffic and observe the plaintext.
Major changes - postscreen whitelisting
[Feature 20130512] Allow an SMTP client to skip postscreen(8) tests
based on its postscreen_dnsbl_sites score.
Specify a negative "postscreen_dnsbl_whitelist_threshold" to enable
this feature. When a client passes the threshold value without
having failed other tests, all pending or disabled tests are flagged
Major changes - recipient_delimiter
[Feature 20130405] The recipient_delimiter parameter can now specify
a set of characters. A user name is now separated from its address
extension by the first character that matches the recipient_delimiter
For example, specify "recipient_delimiter = +-" to support both the
Postfix-style "+" and the qmail-style "-" extension delimiter.
As before, this implementation recognizes one delimiter character
per email address, and one address extension per email address.
Major changes - smtpd access control
[Feature 20131031] The check_sasl_access feature can be used to
block hijacked logins. Like other check_mumble_acces features it
queries a lookup table (in this case with the SASL login name), and
it supports the same actions as any Postfix access(5) table.
[Feature 20130924] The reject_known_sender_login_mismatch feature
applies reject_sender_login_mismatch only to MAIL FROM addresses
that are known in $smtpd_sender_login_maps.
Major changes - MacOS X
[Feature 20130325] Full support for kqueue() event handling which
scales better with large numbers of file handles, plus a workaround
for timeout handling on file handles (such as /dev/urandom) that
still do not correctly support poll().
[Incompat 20131217] The master_service_disable parameter value
syntax has changed: use "service/type" instead of "service.type".
The new form is consistent with postconf(1) namespaces for master.cf.
The old form is still supported to avoid breaking existing
Major changes - milter
[Feature 20131126] Support for ESMTP parameters NOTIFY and ORCPT
in the SMFIR_ADDRCPT_PAR (add recipient) request. Credits: Andrew
Major changes - mysql
[Feature 20131117] MySQL client support for option_file, option_group,
tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, tls_verify_cert.
Credits: Gareth Palmer.
Major changes - postconf
[Feature 20131217] Support for advanced master.cf query and update
operations. This was implemented primarily to support automated
system management tools.
The goal is to make all Postfix master.cf details accessible as
lists of "name=value" pairs, where the names are organized into
structured name spaces. This allows other programs to query
information or request updates, without having to worry about the
exact layout of master.cf files.
Managing master.cf service attributes
First, an example that shows the smtp/inet service in the traditional
$ postconf -M smtp/inet
smtp inet n - n - - smtpd
Different variants of this command show different amounts of output.
For example, "postconf -M smtp" enumerates all services that have
a name "smtp" and any service type ("inet", "unix", etc.), and
"postconf -M" enumerates all master.cf services.
General rule: each name component that is not present becomes a "*"
Coming back to the above example, the postconf -F option can now
enumerate the smtp/inet service fields as follows: