Incompatible change with snapshot 20200705
==========================================
The minimum OpenSSL version is 1.1.1, which will reach the end
of life by 2023-09-11.

The default digest has changed from md5 to sha256 (Postfix 3.6 with
compatibility_level >= 3). With a lower compatibility_level setting,
Postfix defaults to using md5, and logs a warning when a Postfix
configuration specifies no explicit digest type.

Export-grade Diffie-Hellman key exchange is no longer supported,
and the tlsproxy_tls_dh512_param_file parameter is ignored,
- bump PORTEPOCH
- remove deprecated ports from CONFLICTS_INSTALL
- add BLACKLISTD to OPTIONS_DEFAULT
- MYSQL_USES s/=/?=/ to allow testbuild without
defining XX MYSQL dedicated make.conf's in poudriere
- add postlogd to STRIP_LIBEXEC
Incompatibility with snapshot 20190615
======================================
The Postfix TLS library by default no longer waits after sending a
TLS 'close' notification. This should be safe with TLSv1.2 and
later. Specify "tls_fast_shutdown_enable = no" to enable historical
Postfix behavior.
Major changes with snapshot 20190615
====================================
After sending a TLS 'close' notification, the Postfix library by
default no longer waits for the TLS peer to respond. According to
RFC 2246 (TLSv1.2) section 7.2.1, "It is not required for the
initiator of the close to wait for the responding close_notify alert
before closing the read side of the connection."

The SMTP+LMTP delivery agent can now prepend Delivered-To, X-Original-To
and Return-Path headers, just like the pipe(8) delivery agent. This
uses the same "flags=DOR" command-line flags in master.cf. See the
smtp(8) manpage for details.

This obsoletes the "lmtp_assume_final = yes" setting, and replaces
it with "flags=...X...", for consistency with pipe(8).
20190516
Initial search order support for check_ccert_access. The
default behavior is backwards-compatible. This is work in
progress; see the RELEASE_NOTES for examples.
20190517
Bugfix: postconf mis-parsed text starting with "{" such as
"check_ccert_access { inline:{a=b} { search_order=c,d } }".
Fixed by adding another level of recursion.
Note:
----------------------------------------------------------------------
Incompatibility with snapshot 20190427
======================================
Postfix now normalizes IP addresses received with XCLIENT, XFORWARD,
or with the HaProxy protocol, for consistency with direct connections
to Postfix. This may change the appearance of logging, and the way
that check_client_access will match subnets of an IPv6 address.
Changelog:
----------------------------------------------------------------------
20190331
Documentation: tlsext_padding is not a tls_ssl_options
feature. File: proto/postconf.proto.
20190401
Portability: to avoid a compile-time error on Solaris, added
"#undef sun" to util/unix_dgram_connect.c.
20190403
Bugfix (introduced: Postfix 2.3): a censoring filter broke
multiline Milter responses for header/body events. Problem
report by Andreas Thienemann. Files: util/printable.c,
util/stringops.h, smtpd/smtpd.c.
Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit = 0"
no longer meant 'unlimited'. Problem report by Luc Pardon.
File: smtp/smtp_addr.c.
20190427
Cleanup: normalize the IP address string forms received with
XCLIENT, XFORWARD, and HaProxy, for consistency with address
information for direct connections to Postfix, and add unit
tests. This casefolds and removes redundant nulls from the
string representation of an IPv6 address, normalizes the
"IPv6:" address prefix of RFC 2821 IPv6 address forms, and
converts IPv4 address octets with leading zeros (octal form)
into decimal form. Files: global/haproxy.c,
global/normalize_mailhost_addr.[hc], smtpd/smtpd.c.
Incompatibility: this may change the appearance of logging,
and the way that check_client_access will match subnets of
an IPv6 address.
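
Added example (not Postfix code and not part of the original commit message): a Python sketch of the normalization the 20190427 entry describes, showing why an access table keyed on canonical subnet prefixes matches a proxied address only after normalization. Assumptions: leading-zero IPv4 octets are read as octal, the RFC 2821 prefix is re-emitted as "IPv6:", the table is an indexed map searched by truncating trailing ":" or "." elements as access(5) describes, and all names and table entries are constructed for illustration.

```python
import ipaddress

# Constructed sample access table keyed by canonical subnet prefix.
TABLE = {"2001:db8": "REJECT", "8.1": "REJECT"}

def normalize_addr(text):
    """Canonical string form of a proxied client address."""
    if text[:5].lower() == "ipv6:":
        # Assumption: the RFC 2821 prefix is re-emitted as "IPv6:".
        return "IPv6:" + str(ipaddress.IPv6Address(text[5:]))
    if ":" in text:
        # Case-folds hex digits and drops redundant zeros.
        return str(ipaddress.IPv6Address(text))
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError("not a dotted quad: %r" % text)
    out = []
    for octet in octets:
        if not (octet.isascii() and octet.isdigit()):
            raise ValueError("bad octet: %r" % octet)
        # Assumption: a leading zero marks octal, as inet_aton(3) reads it.
        base = 8 if len(octet) > 1 and octet[0] == "0" else 10
        value = int(octet, base)
        if value > 255:
            raise ValueError("octet out of range: %r" % octet)
        out.append(str(value))
    return ".".join(out)

def lookup_keys(addr):
    """Keys tried in order: the address, then each parent obtained by
    truncating the last ':' or '.' element."""
    sep = ":" if ":" in addr else "."
    keys = [addr]
    while sep in addr:
        addr = addr.rsplit(sep, 1)[0]
        if addr:
            keys.append(addr)
    return keys

def first_match(table, addr):
    """Return the first table action found for addr, or None."""
    for key in lookup_keys(addr):
        if key in table:
            return table[key]
    return None

if __name__ == "__main__":
    for raw in ("2001:0DB8:0:0:0:0:0:1", "010.001.000.007"):
        canon = normalize_addr(raw)
        print(raw, first_match(TABLE, raw), "->", canon, first_match(TABLE, canon))
```

Access-table keys written in a non-canonical spelling of an IPv6 subnet stop matching once the received address is normalized, so such tables should be reviewed when upgrading.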