In the text below, incompatible changes are labeled with the Postfix
snapshot that introduced the change. If you upgrade from a later
Postfix version, then you do not have to worry about that particular
incompatibility.

Official Postfix releases are called a.b.c where a=major release
number, b=minor release number, c=patchlevel.  Snapshot releases
are now called a.b.c-yyyymmdd where yyyymmdd is the release date
(yyyy=year, mm=month, dd=day).  The mail_release_date configuration
parameter contains the release date (both for official release and
snapshot release).  Patches change the patchlevel and the release
date. Snapshots change only the release date, unless they include
the same bugfixes as a patch release.

Incompatible changes with Postfix snapshot 2.0.18-20040122
==========================================================

This release undoes the snapshot 20040120 changes to the Postfix
line reading routines. These changes caused surprises with lines
ending in EOF.

Major changes with Postfix snapshot 2.0.18-20040122
===================================================

New "PREPEND headername: headervalue" action in Postfix access maps
that can be used by external SMTPD policy servers in order to label
mail instead of rejecting it.
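
The following sketch is an added example, not code from the Postfix
distribution. It shows a policy decision that labels mail with PREPEND
and never rejects. The name=value request layout, the "unknown" client
name and the X-Policy-Note header name are assumptions of this example.

```python
import io

# Constructed sample: two policy requests, each a block of name=value
# lines ended by an empty line (assumed request layout).
SAMPLE_REQUESTS = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.25\n"
    "client_name=unknown\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.com\n"
    "\n"
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=198.51.100.7\n"
    "client_name=mail.example.org\n"
    "sender=carol@example.org\n"
    "recipient=bob@example.com\n"
    "\n"
)

HEADER_NAME = "X-Policy-Note"  # hypothetical header name for this example


def read_request(stream):
    """Return one request as a dict, or None at EOF or on a truncated request."""
    attrs = {}
    for raw in stream:
        line = raw.rstrip("\r\n")
        if line == "":
            return attrs
        name, sep, value = line.partition("=")
        if sep and name:
            attrs[name] = value
    return None  # no terminating empty line seen: do not answer


def decide(attrs):
    """Label mail from clients without a hostname; leave everything else alone."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("client_name", "unknown") != "unknown":
        return "DUNNO"
    # Copy only characters that can occur in an IP address into the header,
    # so request data can never add extra header text to the message.
    addr = "".join(
        c for c in attrs.get("client_address", "")
        if c in "0123456789abcdefABCDEF.:"
    )
    return "PREPEND %s: no hostname for client [%s]" % (HEADER_NAME, addr)


def serve(stream_in, stream_out):
    """Answer each request with 'action=...' followed by an empty line."""
    answered = 0
    while True:
        attrs = read_request(stream_in)
        if attrs is None:
            return answered
        stream_out.write("action=%s\n\n" % decide(attrs))
        stream_out.flush()
        answered += 1


def run_sample():
    """Feed the constructed requests through serve() and return the replies."""
    out = io.StringIO()
    serve(io.StringIO(SAMPLE_REQUESTS), out)
    return out.getvalue()


if __name__ == "__main__":
    print(run_sample(), end="")
```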

Incompatible changes with Postfix snapshot 2.0.17-20040120
==========================================================

The new queue manager nqmgr has become the default qmgr queue
manager. For a limited time the old queue manager remains available
under the name oqmgr. The name nqmgr still works but will cause a
warning to be logged.

Queue files created with "sendmail -v" are no longer compatible
with earlier Postfix 2.x versions. A new record type, "killed",
was introduced in order to avoid repeated mail delivery reports
from mail that could not be delivered due to a temporary error
condition.

The format of the postfix-files file has changed. There is a new
type for hard links. With hard or symbolic link entries, the first
field is now the destination pathname and the "owner" field is now
the origin pathname, while "group" and "permissions" are ignored.

The SMTP server now rejects non-existent sender addresses in a
local, virtual or relay domain; that is, a sender address must
pass the same "user unknown" test as a recipient would have to
pass.  This is not configurable.

Support for the non-standard Errors-To: message header is removed.
This also helps to stop potential attacks that rely on bouncing
mail to a destination that is not directly reachable by the attacker.

The sample-regexp/pcre-* files are replaced by header_checks(5)
and body_checks(5) manual pages that give more complete information.

The LDAP and SQL clients have been moved to the global directory
in order to eliminate reversed dependencies.

Major changes with Postfix snapshot 2.0.17-20040120
===================================================

The new queue manager nqmgr has become the default qmgr queue
manager. For a limited time the old queue manager remains available
under the name oqmgr. The name nqmgr still works but will cause a
warning to be logged.

The HOSTING_README file now documents most of the methods that can
be used to host domains with a Postfix MTA.

New header_checks(5) and body_checks(5) manual pages that give a
more complete description than the old sample configuration files.

Slightly more aggressive delivery to sites that defer a lot of mail.

Incompatible changes with Postfix snapshot 2.0.16-20031226
==========================================================

Postfix no longer allows mail addresses with bare numeric IP
addresses (user@1.2.3.4).  This is not configurable. The form
user@[ipaddress] is still allowed.

Bounce messages now have a separate queue life time.  This is
controlled by the bounce_queue_lifetime parameter.

Incompatible changes with Postfix snapshot 2.0.16-20031223
==========================================================

In mailq (queue listing) output, there is no longer a space between
a short queue ID and the "*" (delivery in progress) or "!" (mail on
hold) status indicator. This makes the output easier to parse.

The SMTP client now tries to connect to an alternate MX address
when a delivery attempt fails **after the initial SMTP handshake**.
This includes both broken connections and 4XX SMTP replies.  To
get the old behavior, specify "smtp_mx_session_limit = 1" in main.cf.

After delivery failure due to a temporary error condition, the SMTP
client now always connects to the fall-back relay if specified.

Major changes with Postfix snapshot 2.0.16-20031223
===================================================

The SMTP client now tries to connect to an alternate MX address
when a delivery attempt fails **after the initial SMTP handshake**.
This includes both broken connections and 4XX SMTP replies.

Finally, fallback_relay works as promised.

The new SMTP client connection management is controlled by two new
configuration parameters:

- smtp_mx_address_limit (default unlimited): the number of MX (mail
exchanger) IP addresses that can result from mail exchanger lookups.

- smtp_mx_session_limit (default 2):  the number of SMTP sessions
per delivery request before giving up or delivering to a fall-back
relay, ignoring IP addresses that fail to complete the SMTP initial
handshake.

Incompatible changes with Postfix snapshot 2.0.16-20031215
==========================================================

XCLIENT is approaching completion.

Major changes with Postfix snapshot 2.0.16-20031215
===================================================

The XCLIENT extension to SMTP implements SMTP client impersonation
for SMTP server access rule testing. Send "xclient name=xxx addr=yyy"
in SMTP sessions and pretend that you are connecting as the specified
client. More details are in the XCLIENT_README file.

The XFORWARD extension to SMTP forwards up-stream MTA information
(and in the future,  message identifying information) to improve
the logging by down-stream mail software.  Send "xclient name=xxx
addr=yyy proto=aaa helo=bbb" to specify the original SMTP client
information that should be recorded with the next MAIL FROM
transaction. More details are in the XFORWARD_README file.

The reject_sender_login_mismatch feature is now implemented in
terms of more basic restrictions: reject_unauth_sender_login_mismatch
(reject mail when $sender_login_maps lists an owner for the sender
address but the SMTP client is not SASL authenticated) and
reject_auth_sender_login_mismatch (reject mail when the sender
address is not owned by the SASL authenticated user). The
sender_login_maps now support multiple owners per sender address.

Incompatible changes with Postfix snapshot 2.0.16-20031203
==========================================================

Many SMTPD reject logfile entries now show NOQUEUE instead of a
queue ID.  This is because Postfix no longer creates a queue file
before the SMTP server has received a valid recipient.

The experimental XADDR and XLOGINFO extensions to SMTP are now
replaced by XCLIENT.

Major changes with Postfix snapshot 2.0.16-20031203
===================================================

The XCLIENT extension to SMTP replaces the short-lived XADDR and
XLOGINFO extensions.  Details are given in the XCLIENT_README file.

XCLIENT supports the following features:

- SMTPD access rule testing. Send "xclient override client_name=xxx
client_addr=yyy" in SMTP sessions and pretend that you are sending
mail as the specified client.

- Remote client information forwarding through a content filter to
improve logging by down-stream mail software. Send "xclient forward
client_name=xxx client_addr=yyy client_proto=aaa client_helo=bbb"
to specify the original client information that should be logged
and stored with the next MAIL FROM transaction.

Incompatible changes with Postfix snapshot 2.0.16-20031111
==========================================================

The demo greylist policy server is now case insensitive.

The demo greylist policy server now uses BTREE files which greatly
improves stability.

Major changes with Postfix snapshot 2.0.16-20031111
===================================================

Preliminary defense against SMTP clients that hammer an SMTP server
with too many connections.  By default, the number of simultaneous
connections per client is limited to half the default process limit,
and no limit is imposed on the number of successive connections
per time unit that a client is allowed to make.

The new anvil server maintains the connection statistics, and logs
the maximum connection count and connection rate per client every
client_connection_status_update_time seconds (10 minutes), or when
it terminates (when there is no work to be done, or when "postfix
reload" was issued). Once you have an idea what the numbers look
like, you can clamp down the limits for your system.

The relevant main.cf configuration parameters are:
smtpd_client_connection_count_limit for the number of simultaneous
connections per client, and smtpd_client_connection_rate_limit for
the number of successive connections per unit time and client. The
time unit is specified with the client_connection_rate_time_unit
parameter, and is one minute by default.

When Postfix rejects a client, it sends a 450 status code and
disconnects, and logs a warning with the client name/address and
the service name from master.cf. You can, for example, capture this
information with a logfile watching program that updates a firewall
rule (such a watcher program is not included with Postfix).

To avoid rejecting authorized hosts, the
smtpd_client_connection_limit_exceptions parameter takes a list of
network/netmask expressions, hostnames or .domain names that are
excluded from these restrictions. By default, all clients in
$mynetworks are excluded; you will probably want to use a more
restrictive setting.

See also:  sample-smtpd.cf, smtpd(8), and anvil(8).  
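
The following sketch is an added example, not part of Postfix. It shows
the counting half of such a logfile watcher: it collects clients that
repeatedly exceed the limits and skips exempted networks. The warning
line layout, the sample log and all names in it are assumptions of this
example; match the pattern to what your smtpd actually logs.

```python
import ipaddress
import re
from collections import Counter

# Assumed warning layout (these release notes do not give the exact text).
LIMIT_RE = re.compile(
    r"warning: Connection (?P<kind>concurrency|rate) limit exceeded: "
    r"(?P<count>\d+) from (?P<name>[^\s\[]+)\[(?P<addr>[0-9A-Fa-f.:]+)\] "
    r"for service (?P<service>\S+)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
Nov 11 10:00:01 mx postfix/smtpd[2101]: warning: Connection concurrency limit exceeded: 26 from unknown[192.0.2.10] for service smtp
Nov 11 10:00:02 mx postfix/smtpd[2102]: connect from mail.example.org[198.51.100.7]
Nov 11 10:00:05 mx postfix/smtpd[2103]: warning: Connection rate limit exceeded: 61 from unknown[192.0.2.10] for service smtp
Nov 11 10:00:09 mx postfix/smtpd[2104]: warning: Connection rate limit exceeded: 61 from relay.example.net[10.1.2.3] for service smtp
Nov 11 10:00:30 mx postfix/smtpd[2105]: warning: Connection rate limit exceeded: 61 from host.example.com[203.0.113.5] for service smtp
Nov 11 10:01:00 mx postfix/smtpd[2106]: warning: Connection rate limit exceeded: 62 from unknown[192.0.2.10] for service submission
"""


def offenders(log_text, exempt=("10.0.0.0/8",), threshold=2):
    """Return [(address, hits, services)] for clients with >= threshold hits.

    Addresses inside an exempt network are never reported, mirroring the
    idea of excluding authorized hosts from the limits.
    """
    exempt_nets = [ipaddress.ip_network(net) for net in exempt]
    hits = Counter()
    services = {}
    for line in log_text.splitlines():
        match = LIMIT_RE.search(line)
        if match is None:
            continue
        # The client name comes from DNS and is not trustworthy; key on the
        # address only, and only after it parses as a real IP address.
        try:
            addr = ipaddress.ip_address(match.group("addr"))
        except ValueError:
            continue
        if any(addr in net for net in exempt_nets):
            continue
        key = str(addr)
        hits[key] += 1
        services.setdefault(key, set()).add(match.group("service"))
    return [
        (addr, count, sorted(services[addr]))
        for addr, count in sorted(hits.items())
        if count >= threshold
    ]


if __name__ == "__main__":
    for addr, count, svc in offenders(SAMPLE_LOG):
        print(addr, count, ",".join(svc))
```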

Incompatible changes with Postfix snapshot 2.0.16-20031022
==========================================================

Postfix no longer retries delivery when no MX host has a valid A
record, for compatibility with most other MTAs. This change is made
in anticipation of a possible Verisign "wild-card MX record without
A record" for unregistered domains. To get the old behavior, specify
"smtp_defer_if_no_mx_address_found = yes".

The Postfix SMTP client no longer looks in /etc/hosts by default.
To get the old behavior, specify "smtp_host_lookup = dns, native".

The authorized_verp_clients configuration parameter has been renamed
to smtpd_authorized_verp_clients. This is for consistency with the
new smtpd_authorized_xaddr_clients and smtpd_authorized_xloginfo_clients
configuration parameters that control the use of the new XADDR and
XLOGINFO commands.

The smtpd_authorized_verp_clients parameter now defaults to nothing
(no XVERP command is accepted).

The Postfix SMTP server no longer allows queue_minfree values that
are less than twice the message_size_limit value.

The Postfix SMTP server no longer accepts mail when the amount of
free queue space is less than twice the message_size_limit value.

Major changes with Postfix snapshot 2.0.16-20031022
===================================================

Easier debugging of SMTPD access restrictions. The SMTP command
"XADDR client-address client-hostname" changes Postfix's idea of
the remote client name and address, so that you can pretend to
connect from anywhere on the Internet.  Use of this command is
restricted to clients that match the list of names or addresses
specified with the smtpd_authorized_xaddr_clients parameter. By
default, XADDR is not accepted from anywhere.

More useful logging by Postfix daemons behind a real-time SMTP
proxy filter (the logging now shows the remote client name and
address, instead of localhost[127.0.0.1]).  This uses the new SMTP
command "XLOGINFO client-address client-hostname", which specifies
the client name and address for logging purposes without changing
the name/address that are used for SMTPD access control.  Use of
this command is restricted to clients that match the list of names
or addresses specified with the smtpd_authorized_xloginfo_clients
parameter. By default, XLOGINFO is not accepted from anywhere.
For an example, see the updated SMTPD_PROXY_README file.

Major changes with Postfix snapshot 2.0.16-20030917
===================================================

New check_{helo,sender,recipient}_{ns,mx}_access maptype:mapname
restriction that applies the specified access table to the NS or
MX hosts of the host/domain given in HELO, EHLO, MAIL FROM or RCPT
TO commands.  

This can be used to block mail from so-called spammer havens, from
sender addresses that resolve to Verisign's wild-card mail responder,
or from domains that claim to have mail servers in reserved networks
such as 127.0.0.1.

    /etc/postfix/main.cf:
        smtpd_mumble_restrictions = 
            ...
            reject_unknown_sender_domain 
            check_sender_mx_access hash:/etc/postfix/mx_access
            check_sender_mx_access cidr:/etc/postfix/mx_access.cidr
            ...

    /etc/postfix/mx_access:
        spammer.haven.tld reject spammer mx host
        64.94.110.11      reject mail server in verisign wild-card domain

    /etc/postfix/mx_access.cidr:
        0.0.0.0/8         reject mail server in broadcast network
        10.0.0.0/8        reject mail server in RFC 1918 private network
        127.0.0.0/8       reject mail server in loopback network
        169.254.0.0/16    reject mail server in link local network
        172.16.0.0/12     reject mail server in RFC 1918 private network
        192.0.2.0/24      reject mail server in TEST-NET network
        192.168.0.0/16    reject mail server in RFC 1918 private network
        224.0.0.0/4       reject mail server in class D multicast network
        240.0.0.0/5       reject mail server in class E reserved network
        248.0.0.0/5       reject mail server in reserved network

Note: OK actions are not allowed for security reasons. Instead of
OK, use DUNNO in order to exclude specific hosts from blacklists.
If an OK result is found for an NS or MX host, Postfix rejects the
SMTP command with "451 Server configuration error".

Incompatible changes with Postfix snapshot 2.0.16-20030915
==========================================================

In header/body_checks actions, the OK action is being phased out,
and the DUNNO action is being phased in. Both actions still work
and do the same thing, but hopefully DUNNO causes less confusion.

Major changes with Postfix snapshot 2.0.16-20030915
===================================================

LDAP parameters can now be defined in external files.  Specify the
LDAP maps in main.cf as

    ldap:/path/to/ldap.cf

and write the LDAP parameters in /path/to/ldap.cf, without the
"ldapsource_" prefix.  This makes it possible to securely store
bind passwords for plain auth outside of main.cf (which must be
world readable).  The old syntax still works, for backwards
compatibility.  By Liviu Daia, based on a suggestion by Victor
Duchovni and Lamont Jones.

Support for LDAP URLs in the LDAP parameter "server_host", if
Postfix is linked against OpenLDAP.  LDAP hosts, ports, and connection
protocols to be used as LDAP sources can be specified as a
blank-separated list of LDAP URLs in "server_host".  As with
OpenLDAP, specifying a port in a LDAP URL overrides "server_port".
Examples:

    server_host = ldap://ldap.itd.umich.edu
    server_host = ldaps://ldap.itd.umich.edu:636
    server_host = ldapi://%2Fsome%2Fpath

The LDAP SSL scheme ldaps:// is available if OpenLDAP was compiled
with SSL support.  New parameters "tls_ca_cert_dir", "tls_ca_cert_file",
"tls_cert", "tls_key", "tls_require_cert", "tls_random_file",
"tls_cipher_suite" control the certificates, source of random
numbers, and cipher suites used for SSL connections.  See LDAP_README
for further information.  By Liviu Daia.

Support for STARTTLS command in LDAP, if Postfix is linked against
OpenLDAP and OpenLDAP was compiled with SSL support.  STARTTLS is
controlled by the "start_tls" parameter.  The above parameters for
certificates, source of random numbers, and cipher suites also
apply.  See LDAP_README for further information.  By Liviu Daia,
amended by Victor Duchovni.

Major changes with Postfix snapshot 2.0.13-20030715
===================================================

Support for SMTP access policy delegation to an external server.
Greylisting is used as an example.  See the SMTPD_POLICY_README
file for further information.

Support for multi-valued RBL lookup results. For example, specify
"reject_rbl_client foo.bar.tld=127.0.0.3" to reject clients that
are listed with a "127.0.0.3" address record.

Major changes with Postfix snapshot 2.0.13-20030706
===================================================

New receive_override_options parameter that eliminates the need
for different cleanup service instances before and after an external
content filter. One parameter controls what happens before or after
the content filter: rejecting unknown recipients, canonical mapping,
virtual alias expansion, masquerading, automatic BCC recipients
and header/body checks. See sample-filter.cf for details.

Incompatible changes with Postfix snapshot 2.0.13-20030704
==========================================================

Support for client side LDAP caching is gone.  OpenLDAP 2.1.13 and
later no longer support it, and the feature never worked well.
Postfix now ignores cache controlling parameters in an LDAP
configuration file and logs a warning. Credits to Victor Duchovni
and Lamont Jones.

Major changes with Postfix snapshot 2.0.13-20030704
===================================================

The Postfix SMTP server can be configured to send all mail into a
proxy server, for example a real-time SPAM filter. This proxy is
expected to send the mail into another Postfix SMTP server process
for normal delivery.  See the SMTPD_PROXY_README file for details.

Improved LDAP client robustness. Given suitable invalid database
contents, LDAP lookups can produce too many results, enter an
infinite loop in the expansion of "special result attributes" (LDAP
DNs and LDAP URLs) or can simply consume excessive server resources.
Credits to Victor Duchovni and Lamont Jones.

New CIDR-based lookup table, remotely based on code by Jozsef
Kadlecsik.  For details and examples, see "man cidr_table".

The TCP-based table lookup protocol is finished.  For details and
examples, see "man tcp_table". This will allow you to implement
your own greylisting, or to do your own open proxy tests before
accepting mail.

Support for !/pattern/ (negative matches) in PCRE lookup tables by
Victor Duchovni. See "man pcre_table" for more.

New enable_original_recipient parameter (default: yes) to control
whether Postfix keeps track of original recipient address information.
If this is turned off Postfix produces no X-Original-To: headers
and ignores the original recipient when eliminating duplicates
after virtual alias expansion. Code by Victor Duchovni.

Finer control over how long Postfix SMTPD waits for completion of
address verification probes: the address_verify_poll_{count,delay}
parameters control how often to query the verify server and how
long to wait between queries. Specify address_verify_poll_count=1
to implement a crude form of greylisting.

Major changes with Postfix snapshot 2.0.11-20030611
===================================================

Better verify server performance on busy servers by avoiding some
operations that can block the verify server process temporarily.
Probe messages are no longer subject to cleanup server in_flow_delay
settings when message arrival rates exceed message delivery rates.
However, probe messages are still subject to trigger_timeout delays
when the queue manager FIFO fills up; this is hopefully very rare.

Major changes with Postfix snapshot 2.0.11-20030609
===================================================

Address verification probes can now follow a different route than
ordinary mail.  To make this possible, the address resolver supports
multiple personalities.  The regular personality is used for regular
mail, and the alternate personality is used for address verification
probes. The alternate personality is controlled by parameters named
address_verify_X with X = relayhost, transport_maps, local_transport,
virtual_transport, relay_transport, and default_transport. These
alternate parameters have by default the same values as the regular
parameters. For more detail see the ADDRESS_VERIFICATION_README file.

Major changes with Postfix snapshot 2.0.11-20030606
===================================================

Complete rewrite of the queue file record reading loops in the
pickup, cleanup and in the queue manager daemons. This code had
deteriorated over time.  The new code eliminates an old problem
where the queue manager had to read most queue file records twice
in the case of an alias/include file expansion with more than
qmgr_message_recipient_limit recipients.

Incompatible changes with Postfix snapshot 2.0.8-20030417
=========================================================

"sendmail -t" no longer complains when recipients are given on the
command line. Instead, it now adds recipients from headers to the
recipients from the command-line.

Major changes with Postfix snapshot 2.0.8-20030417
==================================================

Automatic BCC recipients depending on sender or recipient address.
The configuration parameters in question are "sender_bcc_maps" and
"recipient_bcc_maps". See conf/sample-misc.cf for details.

Support for sending mail to hosts not in the DNS, without having
to turn off DNS lookups. The "smtp_host_lookup" parameter controls
how the Postfix SMTP client looks up hosts.  The default is to use
DNS and then the native mechanism. See conf/sample-smtp.cf.

Incompatible changes with Postfix snapshot 2.0.8-20040415
=========================================================

Too many people mess up their net/mask patterns, causing open
mail relay problems. Postfix processes now abort when given a
net/mask pattern with a non-zero host portion (for example,
168.100.189.2/28), and suggest specifying the proper net/mask
pattern instead (for example, 168.100.189.0/28).
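
The following lint pass is an added example, not Postfix code. It
checks a CIDR table before deployment for the net/mask mistake described
here and for the OK action that the check_*_ns_access and
check_*_mx_access restrictions refuse. It uses Python's ipaddress module
as the parser and assumes one "pattern action" entry per line; the
sample table is constructed.

```python
import ipaddress

# Constructed sample table in the two-column "pattern action" layout.
SAMPLE_TABLE = """\
# comment lines and blank lines are skipped
10.0.0.0/8        reject mail server in RFC 1918 private network
192.168.0/16      reject mail server in RFC 1918 private network
168.100.189.2/28  reject example network
127.0.0.1         OK
172.16.0.0/12     DUNNO
"""


def lint_cidr_table(text, forbid_ok=True):
    """Return a list of (line number, kind, message) findings.

    Set forbid_ok=False for tables that are not used with the NS/MX
    access restrictions.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        fields = entry.split(None, 1)
        pattern = fields[0]
        action = fields[1] if len(fields) == 2 else ""

        try:
            ipaddress.ip_network(pattern, strict=True)
        except ValueError:
            try:
                # strict=False masks off the host bits, which gives the
                # pattern the administrator most likely meant.
                proper = ipaddress.ip_network(pattern, strict=False)
            except ValueError:
                findings.append((lineno, "malformed",
                                 "%s is not a valid address or net/mask" % pattern))
            else:
                findings.append((lineno, "host-bits",
                                 "%s has a non-zero host portion; use %s"
                                 % (pattern, proper)))

        if not action:
            findings.append((lineno, "no-action", "%s has no action" % pattern))
        elif forbid_ok and action.split(None, 1)[0].upper() == "OK":
            findings.append((lineno, "ok-action",
                             "%s uses OK; use DUNNO to exclude a host" % pattern))
    return findings


if __name__ == "__main__":
    for lineno, kind, message in lint_cidr_table(SAMPLE_TABLE):
        print("line %d: %s: %s" % (lineno, kind, message))
```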

Major changes with Postfix snapshot 2.0.8-20040415
==================================================

PostgreSQL table lookups. Specify "pgsql:/file/name" where "/file/name"
defines the database. See the sample-pgsql-aliases.cf file for
examples, and the PGSQL_README file for general information.

Workaround for file system clock drift that caused Postfix to ignore
new mail (this could happen with file systems mounted from a server).
Postfix now logs a warning and proceeds with only slightly reduced
performance, instead of ignoring new mail.

Incompatible changes with Postfix snapshot 2.0.6-20030305
=========================================================

Postfix truncates non-address information in message address headers
(comments, etc.) to 250 characters per address, in order to protect
vulnerable Sendmail systems against exploitation of a remote buffer
overflow problem (CERT advisory CA-2003-07).

Incompatible changes with Postfix snapshot 2.0.3-20030227
=========================================================

The smtpd_hard_error_limit and smtpd_soft_error_limit values now
behave as documented, that is, smtpd_hard_error_limit=1 causes
Postfix to disconnect upon the first client error. Previously,
there was an off-by-one error causing Postfix to change behavior
after smtpd_hard/soft_error_limit+1 errors.

Incompatible changes with Postfix snapshot 2.0.3-20030125
=========================================================

This release adds a new queue file record type for the address
specified in "REDIRECT user@domain" actions in access maps or
header/body_checks.

Major changes with Postfix snapshot 2.0.3-20030125
==================================================

Code cleanup of queue manager internals. Queue names are no
longer mixed up with the next-hop destination, and the address
resolver loop is now easier to understand.

New "REDIRECT user@domain" action for access maps and header/body_checks
that overrides all the originally specified recipients of a message.
I would never recommend that people use this to redirect (bounced)
SPAM to the beneficiaries of an advertisement campaign. It would
have helped when someone began spamming the network with sender
addresses in one of my domains, and I got all the bounces.

Incompatible changes with Postfix snapshot 2.0.3-20030126
=========================================================

The maildir file naming algorithm has changed in accordance with
an updated version of http://cr.yp.to/proto/maildir.html. The name
is now TIME.VdevIinum.HOST.

Incompatible changes with Postfix snapshot 2.0.3-20030124
=========================================================

The maildir file naming algorithm has changed. Pending a usable
version of http://cr.yp.to/proto/maildir.html, the name is now
TIME.DEV_INUM.HOST.

Incompatible changes with Postfix snapshot 2.0.1-20030112
=========================================================

The Postfix build procedure now uses the pcre-config utility (part
of PCRE version 3) to find out the pathnames of the PCRE include
file and object library, instead of probing /usr/include and/or
/usr/lib. To build with PCRE version 2 support you will have to
specify pathnames as described in PCRE_README. To build without
PCRE support, specify:  make Makefiles CCARGS="-DNO_PCRE".

Incompatible changes with Postfix snapshot 2.0.0-20030104
=========================================================

This release adds the new proxymap service (table lookup via a
proxy process) to the master.cf file. If you get warnings about
problems connecting to the proxymap service, then you did not
properly upgrade Postfix.

Major changes with Postfix snapshot 2.0.0-20030104
==================================================

This release introduces the proxymap service for Postfix lookup
table access. This can be used to overcome chroot restrictions in
the Postfix SMTP server (specify proxy:unix:passwd.byname for
password file lookup through the proxymap server) and can be used
to consolidate the number of open tables by sharing one open table
among multiple processes (specify proxy:mysql:/file/name to avoid
"too many connections" conditions). The proxy_read_maps parameter
specifies what maps are approved for access via the proxy service
(only map references starting with "proxy:" are considered approved).

Multi-server daemons (servers that accept simultaneous connections
from multiple clients) will now stop accepting new connections
after serving $max_use clients. This allows multi-server daemons
to automatically restart even on busy mail systems.

Clients of multi-server daemons such as trivial-rewrite and the
new proxymap service now automatically disconnect after $ipc_ttl
seconds of activity (default: 1000s). This allows multi-server
daemons to automatically restart even on busy mail systems.

Incompatible changes with Postfix snapshot 1.1.11-trace-20021119
================================================================

After upgrading an existing system you must use "postfix reload".
This is because many internal protocols have changed.

The file format of bounce/defer logfiles has changed from the old
one-line ad-hoc format to a more structured multi-line format. For
backwards compatibility, Postfix now creates bounce/defer logfile
entries that contain both the old and the new format, so that you
can go back to an older Postfix release without losing information.
Old Postfix versions will warn about malformed logfile entries,
but should work properly. To disable backwards compatibility specify
"backwards_bounce_logfile_compatibility = no" in main.cf.

The behavior of "sendmail -v" has changed. One -v option now sends
an email report with the status of each delivery attempt.  Multiple
-v options behave as before: turn on verbose logging in the sendmail
and postdrop commands.

The Postfix upgrade procedure will add two new services to your
master.cf file: "trace" and "verify". These servers can run inside
a chroot jail, have no interaction with users, and don't talk to
the network.

Major changes with Postfix snapshot 1.1.11-trace-20021119
=========================================================

New sender address verification blocks mail from addresses that
are not deliverable.  This is turned on with the reject_unverified_sender
UCE restriction. Addresses are verified by probing, that is, by
sending mail that is not actually delivered (SMTP interruptus).
Detailed information is in the SENDER_VERIFICATION_README file
and sample-verify.cf.

Address verification uses the new "verify" daemon that maintains
a database. The necessary entry is automatically added to master.cf
when you upgrade.

New "sendmail -bv" option. Postfix probes the specified recipient
addresses without actually delivering mail, and sends back an email
delivery report.  This is useful for testing address rewriting and
address routing of both envelope and header addresses. This feature
currently does not access or update the sender address verification
database.

Improved "sendmail -v" behavior. Postfix delivers mail as usual,
and emails a report of all the delivery attempts to the originator.

Bounce reports now show the original recipient information in
addition to the final recipient that was already available.

Both "sendmail -bv" and "sendmail -v" use the new "trace" daemon
that is automatically added to master.cf when you upgrade.
