The stable Postfix release is called postfix-2.7.x where 2=major
release number, 7=minor release number, x=patchlevel.  The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-2.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
before proceeding.

Postscreen notes:
=================

To turn on postscreen, see "Configuring the postscreen(8) service"
in the POSTSCREEN_README file. This allows you to run postscreen
without blocking mail first.

The code is rock solid, but the user interface has dozens of
parameters, so it literally is like using a machine that has wires
hanging out on all sides. This makes it possible to do research.
The idea is to reduce the number of parameters once things settle
down.

NOTE: Some postscreen parameters implement stress-dependent behavior.
This is supported only when the default value is stress-dependent
(that is, the default looks like ${stress?XX}${stress:YY}).  Other
postscreen parameters always evaluate as if the stress value is 
equal to the empty string.

Major changes with snapshot 20101105
====================================

The Postfix SMTP server now supports DNS-based whitelisting with
several safety features: permit_dnswl_client whitelists a client
by IP address, and permit_rhswl_client whitelists a client by its
hostname.  These features use the same syntax as reject_rbl_client
and reject_rhsbl_client, respectively. The main difference is that
they return PERMIT instead of REJECT.

Whitelisting is primarily a tool to reduce the false positive rate
of DNS blocklist lookups.  Client name whitelisting should not be
used to make exceptions to access rules. The reason is that client
name lookup can fail unpredictably due to some temporary outage.

For safety reasons, permit_dnswl_client and permit_rhswl_client are
silently ignored when they would override reject_unauth_destination.
Also for safety reasons, the result is DEFER_IF_REJECT when DNS
whitelist lookup fails (this result will be made configurable).

Incompatibility with snapshot 20101103
======================================

Postfix now requests default delivery status notifications when
adding a recipient with the Milter smfi_addrcpt action, instead of
"never notify" as with Postfix automatically-added recipients
(always_bcc and sender/recipient_bcc_maps).

Incompatibility with snapshot 20101006
======================================

To avoid repeated delivery to mailing lists with pathological nested
alias configurations, the local(8) delivery agent now keeps the
owner-alias attribute of a parent alias, when delivering mail to a
child alias that does not have its own owner alias.

With this change, local addresses from that child alias will be
written to a new queue file, and a temporary error with one local
address will no longer result in repeated delivery to other mailing
list members.  Specify "reset_owner_alias = yes" for the older,
more fragile, behavior.

The postconf(5) manpage entry for "reset_owner_alias" has more
background information on this issue.

Incompatibility with snapshot 20100912
======================================

- If your DNSBL queries have a "secret" in the domain name, you
  must now censor this information from the postscreen(8) SMTP
  replies.  For example:

  /etc/postfix/main.cf:
      postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

  /etc/postfix/dnsbl_reply:
      # Secret DNSBL name        Name in postscreen(8) replies
      secret.zen.spamhaus.org    zen.spamhaus.org

  The texthash: format is similar to hash: except that there is no need to
  run postmap(1) before the file can be used, and that it does not detect
  changes after the file is read. It is new with Postfix version 2.8.

- The postscreen "continue" action is now called "ignore".  The old
  name is still supported but no longer documented.

- The postscreen_hangup_action parameter was removed. Postscreen
  now always behaves as if "postscreen_hangup_action = drop".

- The postscreen_cache_retention_time default was increased from
  1d to 7d, to avoid deleting results from expensive deep SMTP
  protocol tests too quickly.

Major changes with snapshot 20100912
====================================

The main change is a new SMTP protocol engine for deep protocol
tests, and for logging the helo/sender/recipient information when
postscreen rejects an attempt to deliver mail.

    CAUTION: when postscreen rejects mail, it replies with the DNSBL
    domain name. Use the postscreen_dnsbl_reply_map feature to hide
    "password" information in DNSBL domain names. See the poststconf(5)
    manpage for a specific example.

Deep protocol tests are implemented by a new SMTP protocol engine
that defers or rejects all attempts to deliver mail. The first,
test detects unauthorized SMTP command pipelining (an SMTP client
sends multiple commands, instead of sending one command and waiting
for the server response); a second deep protocol test implements
the Postfix SMTP server's smtpd_forbidden_commands feature (a client
sends commands such as CONNECT, GET, POST); and a third deep protocol
test detects spambots that send SMTP commands that end in newline
instead of carriage-return/newline.  Real spambots rarely make this
mistake, but poorly-written software often does.

Deep protocol tests are disabled by default, because the built-in
SMTP engine cannot not hand off the "live" connection from a good
SMTP client to a Postfix SMTP server process. Instead, postscreen(8)
defers attempts to deliver mail with a 4XX status, and waits for
the client to disconnect. The next time a good client connects,
it will be allowed to talk to a Postfix SMTP server process to
deliver mail.

Incompatibility with snapshot 20100830
======================================

Use "postfix reload" after installing this code, otherwise the
dnsblog(8) daemon may complain.  The postscreen-to-dnsblog protocol
had to be changed to support DNSBL query result filters.

Major changes with snapshot 20100830
====================================

Postscreen DNSBL support is extended with optional fixed-string
filters, with optional integral weight factors, and with an adjustable
threshold to block SMTP clients with DNSBL score >= that threshold.
Support for wild-card patterns will be added later.

The updated postscreen configuration syntax is:

    postscreen_dnsbl_sites = domain[=ipaddr][*weight] ...
    postscreen_dnsbl_threshold = score

Elements inside [] are optional, ipaddr is an IPv4 address, and
weight and score are integral numbers. The [] are not part of the
postscreen_dnsbl_sites input.  By default, weight and score are
equal to 1, and entries without filter will match any non-error
DNSBL reply.  Use a negative weight value for whitelisting.

Examples:

To use example.com as a high-confidence blocklist, and to block
mail with example.net and example.org only when both agree, use:

    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites = example.com*2, example.net, example.org

To filter only DNSBL replies containing 127.0.0.4, use:

    postscreen_dnsbl_sites = example.com=127.0.0.4

See also postconf(5) for the fine details.

Incompatibility with snapshot 20100827
======================================

The Postfix SMTP client no longer appends the local domain when
looking up a DNS name without ".".  Specify "smtp_dns_resolver_options
= res_defnames" to get the old behavior, which may produce unexpected
results.

Incompatibility with snapshot 20100728
======================================

The format of the "postfix/smtpd[pid]: queueid: client=host[addr]"
logfile record has changed. When available, the before-filter client
information and the before-filter queue ID are now appended to the
end of the record.

Major changes with snapshot 20100728
====================================

Improved message tracking across SMTP-based content filters.  The
logging example below is from an after-filter SMTP server. Here,
951F692462F is a before-filter queue ID, hades.porcupine.org is a
before-filter SMTP client, while 6B4A9924782 is the after-filter
queue ID, and localhost[127.0.0.1] is the SMTP-based content filter
that sends mail into the after-filter SMTP server.

    postfix/smtpd[4074]: 6B4A9924782: 
	client=localhost[127.0.0.1],
	orig_queue_id=951F692462F
	orig_client=hades.porcupine.org[168.100.189.10]

Incompatibility with snapshot 20100610
======================================

Postfix no longer appends the system-supplied default CA certificates
to the lists specified with *_tls_CAfile or with *_tls_CApath. This
prevents third-party certificates from being trusted and given mail
relay permission with permit_tls_all_clientcerts.

Unfortunately this change may break certificate verification on
sites that don't use permit_tls_all_clientcerts.  Specify
"tls_append_default_CA = yes" for backwards compatibility.

Incompatibility with snapshot 20100101
======================================

When periodic cache cleanup is enabled (the default), the postscreen(8)
server now requires that the cache database supports the "delete"
and "sequence" operations.  To disable periodic cache cleanup specify
a zero postscreen_cache_cleanup_interval value.

Major changes with snapshot 20100101
====================================

Periodic cache cleanup for the postscreen(8) cache database. The
time between cache cleanup runs is controlled with the
postscreen_cache_cleanup_interval (default: 12h) parameter.  Cache
cleanup increases the database access latency, so this should not
be run more often than necessary.

In addition, the postscreen_cache_retention_time (default: 1d)
parameter specifies how long to keep an expired entry in the cache.
This prevents a client from being logged as "NEW" after its record
expired only a little while ago.

Incompatibility with snapshot 20091209
======================================

The postscreen daemon now checks the permanent whitelist before
the permanent blacklist. This makes the whitelist easier to use
for its intended purpose, which is to receive mail.

Incompatibility with snapshot 20091008
======================================

NOTE: You must stop and start the Postfix master daemon before you
can use the postscreen(8) daemon.  This is needed because the Postfix
"pass" master service type did not work reliably on some systems.

Major changes with snapshot 20091008
====================================

Prototype postscreen(8) server that runs a number of time-consuming
checks in parallel for all incoming SMTP connections, before clients
are allowed to talk to a real Postfix SMTP server.  It detects
clients that start talking too soon, or clients that appear on DNS
blocklists, or clients that hang up without sending any command.

By doing these checks in a single postscreen(8) process, Postfix
can avoid wasting one SMTP server process per connection. A side
benefit of postscreen(8)'s DNSBL lookups is that DNS records are
already cached before the Postfix SMTP server looks them up later.

postscreen(8) maintains a temporary whitelist of positive decisions.
Once an SMTP client is whitelisted, it is immediately forwarded
to a real Postfix SMTP server process without further checking.

By default, the program logs only statistics, and it does not run
any checks on clients in mynetworks (primarily, to avoid problems
with buggy SMTP implementations in network appliances).  The logging
function alone is already useful for research.

postscreen(8) can be configured to drop clients that start talking
too soon, or clients that appear on DNS blocklists. For details,
see below.

postscreen(8) has been tested on FreeBSD and Linux systems.  It
probably needs additional work before it can be used on Solaris.

This snapshot adds three new entries to the master.cf file. 

To enable the postscreen(8) service and log client information
without blocking mail:

1 - Comment out the "smtp  inet ... smtpd" service in master.cf,
    including any "-o parameter=value" entries that follow.

2 - Uncomment the new "smtpd pass ... smtpd" service in master.cf,
    and duplicate any "-o parameter=value" entries from the smtpd
    service that was commented out in step 1.

3 - Uncomment the the new "smtp inet ... postscreen" service in
    master.cf.

4 - Uncomment the new "dnsblog  unix ... dnsblog" service in
    master.cf.  This service does DNSBL lookups for postscreen(8)
    and logs results.

5 - To enable DNSBL lookups, list some DNS blocklist sites in
    main.cf, e.g., "postscreen_dnsbl_sites = zen.spamhaus.org".
    Separate domain names with comma or whitespace.

Note: you must stop and start the master daemon.  This is needed
because the Postfix "pass" master service type did not work reliably
on all systems.

To use the postscreen(8) service to block mail, edit main.cf and
specify one or more of:

- "postscreen_greet_action = drop", to drop clients that talk before
  their turn. This alone stops about one third of all known-to-be
  illegitimate connections to Wietse's mail server.

- "postscreen_hangup_action = drop", to waste no time on clients
  that hang up without sending a command. On Wietse's server, only
  one percent of illegitimate connections behaves like this.

- "postscreen_dnsbl_action = drop", to drop clients that are on DNS
  blocklists. Different blocklists cover different client categories.

There is also support for permanent blacklists and whitelists; see
the postscreen(8) manual page for details.

Note: right now, postscreen(8) "drop" actions disconnect the client
without reporting sender and recipient information. In a future
implementation, the connection may instead be passed to a dummy
SMTP protocol engine that logs sender and recipient information
before dropping the connection.
