Postfix stable release 3.10.8 and legacy releases 3.9.9, 3.8.15, 3.7.20

18 February 2026 at 23:35

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.8.html]

Fixes for all supported Postfix releases:

  • Improved Milter error handling for messages that arrive over a long-lived SMTP connection, by changing the default milter_default_action from "tempfail" to the new "shutdown" action (i.e. disconnect the remote SMTP client).

    The problem was that after a single Milter error, Postfix could tempfail all messages that the client sends over a long-lived connection, even if the Milter error was only temporary. This problem was reported by Ankit Kulkarni.

  • Bugfix (defect introduced: Postfix 2.11): "posttls-finger -v -v -v" terminated with a panic, caused by recursive logging. Reported by Geert Hendrickx, diagnosed by Viktor Dukhovni, and fixed by Wietse.

With one simple change, the patch for Postfix 3.7 should also apply to older Postfix versions, because the patch affects code that has not changed in a decade or so. The simple change is to remove the Prereq: line, and to remove the part that updates the HISTORY file.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.10.7 and legacy releases 3.9.8, 3.8.14, 3.7.19

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.7.html]

Fixes for all Postfix 3.* releases:

  • This patch addresses build errors on recent Linux distributions. With the patch, Postfix builds will run the compiler with a backwards compatibility option that is supported by Gcc and Clang. For other compilers, an error message provides hints.

    Background: the build errors are caused by C compilers that by default define a 'bool' type (size=1) that conflicts with Postfix's 'bool' type (an alias for 'int', typically size=4). Postfix 3.11 will support the new bool type, but that change is too large for stable Postfix releases (too many lines in too many files).

    This patch will also apply to Postfix 3.6 all the way back to Postfix 3.0 with a simple change: remove the Prereq: line, and remove the part that updates the HISTORY file.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.10.6 and legacy releases 3.9.7, 3.8.13, 3.7.18

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.6.html]

Fixes for Postfix 3.10 only:

  • Bugfix (defect introduced: Postfix 3.10, date: 20250117). Symptom: warning messages that smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt".
    Root cause: Support for "TLS-Required: no" broke client-side TLS wrappermode support, by downgrading a connection to TLS security level 'may'.
    The fix changes the downgrade level for wrappermode connections to 'encrypt'. Rationale: by design, TLS can be optional only for connections that use STARTTLS. The downgrade to unauthenticated 'encrypt' allows a sender to avoid an email delivery problem. Problem reported by Joshua Tyler Cochran.

  • New logging: the Postfix SMTP client will log a warning when an MX hostname does not match STS policy MX patterns, with "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with TLSRPT support enabled in a TLS policy plugin. It will log a successful match only when verbose logging is enabled.

  • Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP client null pointer crash when an STS policy plugin sends no policy_string or no mx_pattern attributes. This can happen only during tests with a fake STS plugin.

Fixes for Postfix 3.10, 3.9, 3.8, 3.7:

  • Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault when a duplicate parameter name is given to "postconf -X" or "postconf -#".

  • Documentation: removed incorrect text from the parameter description for smtp_cname_overrides_servername. File: proto/postconf.proto.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.10.5 and legacy releases 3.9.6, 3.8.12, 3.7.17

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.5.html]

Fixes for Postfix 3.10 only:

  • Workaround for an interface mis-match between the Postfix SMTP client and MTA-STS policy plugins.

    • The existing behavior is to connect to any MX host listed in DNS, and to match the server certificate against any STS policy MX host pattern.

    • The corrected behavior is to connect to an MX host only if its name matches any STS policy MX host pattern, and to match the server certificate against the MX hostname.

    The corrected behavior must be enabled in two places: in Postfix with a new parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in an MTA-STS plugin by enabling TLSRPT support, so that the plugin forwards STS policy attributes to Postfix. This works even if Postfix TLSRPT support is disabled at build time or at runtime.

  • TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found", pretend that the TLSRPT policy domain value is equal to the recipient domain. This ignores that different policy types (TLSA, STS) use different policy domains. But this is what Microsoft does, and therefore, what other tools expect.
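The difference between the existing and corrected MTA-STS behavior described above can be modeled in a few lines. This is an added example, not Postfix code: the function names, the single-label wildcard rule and the sample policy and hosts are assumptions constructed for illustration.

```python
# Simplified model of the two MTA-STS matching behaviors (added example).

def name_match(pattern: str, name: str) -> bool:
    """Exact match, or a '*.' pattern covering exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        head, sep, rest = name.partition(".")
        return bool(sep) and head not in ("", "*") and rest == pattern[2:]
    return False


def existing_behavior(mx_host, cert_names, sts_patterns):
    """Connect to any MX from DNS; accept if the certificate matches ANY policy pattern."""
    if any(name_match(p, c) for p in sts_patterns for c in cert_names):
        return "deliver"
    return "cert-mismatch"


def corrected_behavior(mx_host, cert_names, sts_patterns):
    """Connect only to an MX named by the policy; the certificate must match THAT hostname."""
    if not any(name_match(p, mx_host) for p in sts_patterns):
        return "skip-mx"
    if not any(name_match(c, mx_host) for c in cert_names):
        return "cert-mismatch"
    return "deliver"


# Constructed sample data: one STS policy and four (MX host, certificate names) pairs.
STS_MX_PATTERNS = ["mx1.example.com", "*.mailhost.example"]
CASES = [
    ("mx1.example.com", ["mx1.example.com"]),        # MX and certificate both in policy
    ("mx3.mailhost.example", ["*.mailhost.example"]),  # wildcard pattern, wildcard cert
    ("mx9.example.net", ["mx3.mailhost.example"]),   # MX from DNS is not in the policy
    ("mx1.example.com", ["mx3.mailhost.example"]),   # cert is for a different policy host
]


def compare(cases=CASES, patterns=STS_MX_PATTERNS):
    """Return (mx_host, existing result, corrected result) for each case."""
    return [(mx, existing_behavior(mx, certs, patterns),
             corrected_behavior(mx, certs, patterns)) for mx, certs in cases]


if __name__ == "__main__":
    for mx, old, new in compare():
        print(f"{mx:24} existing={old:14} corrected={new}")
```

The last two cases are the ones the workaround changes: the existing logic delivers in both, the corrected logic skips the MX host or rejects the certificate.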

Fixes for Postfix 3.10, 3.9, 3.8, 3.7:

  • Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's connection reuse logic did not distinguish between sessions that require SMTPUTF8 support, and sessions that do not. The solution is 1) to store sessions with different SMTPUTF8 requirements under distinct connection cache storage keys, and 2) to not cache a connection when SMTPUTF8 is required but the server does not support that feature.

  • Bugfix (defect introduced: Postfix 3.0, date 20140731): the smtpd 'disconnect' command statistics did not count commands with "bad syntax" and "bad UTF-8 syntax" errors.

  • Bugfix: the August 2025 patch broke DBM library support which is still needed on Solaris; and the same change could result in warnings with "database X is older than source file Y".

  • Postfix 3.11 forward compatibility: to avoid ugly warnings when Postfix 3.11 is rolled back to an older version, allow a preliminary 'size' record in maildrop queue files created with Postfix 3.11 or later.

  • Bugfix (defect introduced: Postfix 3.8, date 20220128): non-reproducible build, because the 'postconf -e' output order for new main.cf entries was no longer deterministic. Problem reported by Oleksandr Natalenko, diagnosis by Eray Aslan.

  • To make builds predictable, add missing meta_directory and shlib_directory settings to the stock main.cf file. Problem diagnosed by Eray Aslan.

Fixes for Postfix 3.10, 3.9, 3.8:

  • Bugfix (defect introduced: Postfix 3.9, date 20230517): posttls-finger(1) logged an incorrectly-formatted port number. Viktor Dukhovni.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.10.4 and legacy releases 3.9.5, 3.8.11, 3.7.16

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.4.html]

Fixes for Postfix 3.10, 3.9, 3.8, 3.7:

  • Fixes for postscreen(8):

    • Bugfix (defect introduced: postfix-2.2, date 20050203): after detecting a lookup table change, and after starting a new postscreen process, the old postscreen process logged an ENOTSOCK error while attempting to accept a connection on a socket that it was no longer listening on. This error was introduced first in the multi_server skeleton code, and was five years later duplicated in the event_server skeleton that was created for postscreen. Problem reported by Florian Piekert.

    • Bugfix (defect introduced: Postfix 2.8, date 20101230): after detecting a cache table change and before starting a new postscreen process, the old postscreen process did not close the postscreen_cache_map, and therefore kept an exclusive lock that could prevent a new postscreen process from starting. Problem reported by Florian Piekert.

  • Fixes for tlsproxy(8):

    • Bugfix (defect introduced: Postfix 3.7): incorrect backwards compatible support for the legacy configuration parameters tlsproxy_client_level and tlsproxy_client_policy. This disabled the tlsproxy TLS client role when a legacy parameter was set (instead of the newer tlsproxy_client_security_level or tlsproxy_client_policy_maps). Reported by John Doe, diagnosed by Viktor Dukhovni.

    • Bugfix (defect introduced: Postfix 3.4): with the TLS client role disabled by configuration, the tlsproxy daemon dereferenced a null pointer while handling a tlsproxy client request. Reported by John Doe.

  • Reducing process churn: Postfix daemons no longer automatically restart after a btree:, dbm:, hash:, lmdb:, or sdbm: table file modification time change, when they opened that table for writing.

  • Portability: deleted an <openssl/engine.h> build dependency, because the feature is being removed from OpenSSL, and Postfix no longer needs it.

Fixes for Postfix 3.10 only:

  • Cleanup: with "tls_required_enable = yes", the Postfix SMTP client will no longer maintain TLSRPT statistics for messages that contain a "TLS-Required: no" header. This can prevent TLSRPT notifications for TLSRPT notifications.

  • Bugfix (defect introduced: Postfix 3.6, date 20200710): Postfix TLS client code logged "Untrusted TLS connection" (wrong) instead of "Trusted TLS connection" (right), for a new or resumed TLS session, when a server offered a trusted (valid PKI trust chain) certificate that did not match the expected server name pattern. Fix by Viktor Dukhovni.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.10.3

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.3.html]

This release fixes defects that were introduced in Postfix 3.10. These were fixed first in the Postfix 3.11 unstable release.

The defects exist only with the default configuration "tls_required_enable = yes".

  • Bugfix (defect introduced: Postfix-3.10, date 20250117): include the current TLS security level in the SMTP connection cache lookup key for lookups by next-hop destination, to avoid reusing the same SMTP connection when sending messages with and without a "TLS-Required: no" header. Likewise, include the current TLS security level in the TLS session lookup key, to avoid reusing the same TLS session info when sending messages with and without a "TLS-Required: no" header.

  • Bugfix (defect introduced: Postfix-3.10, date 20250117): the Postfix SMTP client attempted to look up TLSA records even with "TLS-Required: no". This could result in unnecessary failures. Fix by Viktor Dukhovni & Wietse.
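The connection-cache key fix above, and the SMTPUTF8 connection-reuse fix listed under 3.10.5, address the same class of defect: a cached session is found under a key that omits a property the next message depends on. The following is an added example and a simplified model, not Postfix code; the class names, key functions and sample deliveries are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Delivery:
    nexthop: str
    tls_level: str        # effective level for this message ("may" with TLS-Required: no)
    needs_smtputf8: bool


@dataclass(frozen=True)
class Session:
    nexthop: str
    tls_level: str
    server_smtputf8: bool


def key_before(d):
    """Cache key that ignores TLS level and SMTPUTF8 requirement."""
    return (d.nexthop,)


def key_after(d):
    """Cache key that separates sessions by TLS level and SMTPUTF8 requirement."""
    return (d.nexthop, d.tls_level, d.needs_smtputf8)


# Constructed: the server for this next-hop does not announce SMTPUTF8.
SERVER_SMTPUTF8 = {"example.com": False}

DELIVERIES = [
    Delivery("example.com", "may", False),      # carries "TLS-Required: no"
    Delivery("example.com", "encrypt", False),  # ordinary message at the policy level
    Delivery("example.com", "encrypt", True),   # message that needs SMTPUTF8
]


def replay(key_fn, skip_unusable, deliveries=DELIVERIES):
    """Return (reuses that do not satisfy the message, number of cached sessions)."""
    cache, mismatches = {}, []
    for d in deliveries:
        s = cache.get(key_fn(d))
        if s is not None:
            if s.tls_level != d.tls_level or (d.needs_smtputf8 and not s.server_smtputf8):
                mismatches.append((d, s))
            continue
        s = Session(d.nexthop, d.tls_level, SERVER_SMTPUTF8[d.nexthop])
        # Second part of the SMTPUTF8 fix: do not cache a connection when
        # SMTPUTF8 is required but the server does not support it.
        if skip_unusable and d.needs_smtputf8 and not s.server_smtputf8:
            continue
        cache[key_fn(d)] = s
    return mismatches, len(cache)


if __name__ == "__main__":
    print("before:", replay(key_before, skip_unusable=False))
    print("after: ", replay(key_after, skip_unusable=True))
```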

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.10.2 and legacy releases 3.9.4, 3.8.10, 3.7.15

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.2.html]

Fixes for Postfix 3.10, 3.9, 3.8, 3.7:

  • Bugfix (defect introduced: date 19991116): when appending a setting to a main.cf or master.cf file that did not end in a newline character, the "postconf -e" command did not add an extra newline character before appending the new setting, causing information to become garbled. Fix by Michael Tokarev.

  • Bugfix (defect introduced: Postfix 2.3, date 20051222): the Dovecot auth client did not attempt to create a new connection after an I/O error on an existing connection. Reported by Oleksandr Kozmenko.

  • Improved and corrected error messages when converting (host or service) information to (symbolic text, numerical text, or binary) form.

  • Documentation: updated link to Dovecot documentation.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.10.1 and legacy releases 3.9.3, 3.8.9, 3.7.14, 3.6.18

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.1.html]

Fix for Postfix 3.10, 3.9, 3.8, 3.7, 3.6:

  • Bugfix (defect introduced: 20250210): a recent 'fix' for the default smtp_tls_dane_insecure_mx_policy setting resulted in unnecessary 'dnssec_probe' warnings, on systems that disable DNSSEC lookups (which is the default).

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.10.0

8 February 2026 at 00:32

[An updated version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.0.html]

Postfix stable release 3.10.0 is available. Postfix 3.6 - 3.9 were updated earlier this week; after that, Postfix 3.6 will no longer be updated.

The main changes are below. See the RELEASE_NOTES file for further details.

Changes that need a restart:

  • Internal protocol change: Postfix needs "postfix reload" (or "postfix stop" and "postfix start") after upgrade, because of a change in the delivery agent protocol. If this step is skipped, Postfix delivery agents will log a warning:

    unexpected attribute smtputf8 from xxx socket (expecting: sendopts)

    where xxx is the delivery agent service name.

Changes in TLS support:

  • Forward compatibility: Support for OpenSSL 3.5 post-quantum cryptography. To manage algorithm selection, OpenSSL introduces new TLS group syntax that Postfix will not attempt to imitate. Instead, Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups parameter values to have an empty value. When both are set empty, the algorithm selection can be managed through OpenSSL configuration. For more, look for "Post-quantum" in the postconf(5) manpage.

  • Support for the RFC 8689 "TLS-Required: no" message header to request delivery of messages (such as TLSRPT summaries) even if the preferred TLS security policy cannot be enforced. This limits the Postfix SMTP client to "smtp_tls_security_level = may" which does not authenticate server certificates and which allows falling back to plaintext.

    Support for the REQUIRETLS SMTP service extension will evolve in Postfix 3.11.

  • Support for the TLSRPT protocol (defined in RFC 8460). With this, a domain can publish a policy in DNS that requests daily summary reports for successful and failed SMTP-over-TLS connections to that domain's MX hosts. This supports both DANE (built-in) and MTA-STS (via an smtp_tls_policy_maps plugin). The implementation uses a TLSRPT library and reporting infrastructure that are maintained by sys4. For details, see TLSRPT_README.

Miscellaneous changes:

  • Privacy: With "smtpd_hide_client_session = yes", the Postfix SMTP server generates a Received: header without client session info. This setting may be used with the MUA submission services (port 465 and 587).

  • Support for RFC 2047 encoding of non-ASCII "full name" information in Postfix-generated From: message headers. Encoding non-ASCII full names can avoid the need to use SMTPUTF8, and therefore can avoid incompatibility with sites that do not support SMTPUTF8. See the full_name_encoding_charset parameter description for details.

  • Database performance: When mysql: or pgsql: configuration specifies a single host, assume that it is a load balancer and reconnect immediately after a single failure, instead of failing all requests for 60s.

Changes in logging:

  • The Postfix Milter implementation now logs the reason for a 'quarantine' action, instead of "milter triggers HOLD action".

  • The SMTP server now logs the queue ID (or "NOQUEUE") when a connection ends abnormally (timeout, lost connection, or too many errors), and the cleanup server now logs "queueid: canceled" when a message transaction is started but not completed. These changes simplify logfile analysis.

  • Dovecot SASL client logging for "Invalid authentication mechanism" now includes the name of that mechanism.

  • Postfix SMTP server 'reject' logging now shows the sasl_method, sasl_username, and sasl_sender if available.

You can find the Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix legacy releases 3.9.2, 3.8.8, 3.7.13, 3.6.17

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.9.2.html]

These releases add forward compatibility with upcoming Postfix and OpenSSL versions, improve PostgreSQL and MySQL performance, and fix minor bugs. This will be the last update for Postfix 3.6.

Fixes for Postfix 3.9.2, 3.8.8, 3.7.13, 3.6.17:

  • Forward compatibility: Support for OpenSSL 3.5 post-quantum cryptography. To manage algorithm selection, OpenSSL introduces new TLS group syntax that Postfix will not attempt to imitate. Instead, Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups parameter values to have an empty value. When both are set empty, the algorithm selection can be managed through OpenSSL configuration. Viktor Dukhovni.

  • Forward compatibility: ignore new queue file flag bits that may be used with Postfix 3.10 and later. This is a safety in case a Postfix 3.10 upgrade needs to be rolled back, after the new TLS-Required feature has been used.

  • Performance: when a mysql: or pgsql: configuration specifies a single host, assume that it is a load balancer and reconnect immediately after a single failure, instead of failing all requests for 60s.

  • Bugfix (defect introduced: Postfix 3.4, date 20181113): a server with multiple TLS certificates could report, for a resumed TLS session, the wrong server-signature and server-digest names in logging and Received: message headers. Viktor Dukhovni.

  • Bugfix (defect introduced: Postfix 3.3, date 20180107) small memory leak in the cleanup daemon when generating a "From: full-name" message header. The impact is limited because the number of requests is bounded by the "max_use" configuration parameter. Found during code maintenance.

  • Bugfix (defect introduced: Postfix 3.0): the bounce daemon mangled a non-ASCII address localpart in the "X-Postfix-Sender:" field of a delivery status notification. It backslash-escaped each byte in a multi-byte character. This behavior was implemented in Postfix 2.1 (no support for UTF8 local-parts), but it became incorrect after SMTPUTF8 support was implemented in Postfix 3.0.

  • Bugfix (defect introduced: Postfix 3.6): Reverted the default smtp_tls_dane_insecure_mx_policy setting to "dane" as of Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and 3.10.0. By mistake the default was dependent on the smtp_tls_security_level setting. Problem reported by Ömer Güven.

  • Portability: added "include <sys_socket.h>" for a SUNOS5 workaround. Gary R. Schmidt.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.


Postfix stable release 3.9.1, and legacy releases 3.8.7, 3.7.12, 3.6.16

8 February 2026 at 00:32

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.9.1.html]

Fixed with Postfix 3.9.1:

  • The mail_version configuration parameter did not have a three-number value (3.9 instead of 3.9.0; it still had the two-number version from the development releases postfix-3.9-yyyymmdd). This broke pathnames derived from the mail_version value, such as shlib_directory. Problem reported by Michael Orlitzky.

Fixed with Postfix 3.9.1, 3.8.7, 3.7.12, 3.6.16:

  • Bugfix (defect introduced: Postfix 2.9, date 20111218): with "smtpd_sasl_auth_enable = no", the permit_sasl_authenticated feature ignored information that was received with the XCLIENT LOGIN command, so that the client was treated as unauthenticated. This was fixed by removing an unnecessary test. Problem reported by Antonin Verrier.

  • Bugfix (defect introduced: postfix 3.0): the default master.cf syslog_name setting for the relay service did not preserve multi-instance information, which complicated logfile analysis. Found during a support discussion.

  • Bugfix (defect introduced: Postfix 2.3, date 20051222): file descriptor leak after failure to connect to a Dovecot auth server. The impact is limited because Dovecot auth failures are rare, there are limits on the number of retries (one), on the number of errors per SMTP session (smtpd_hard_error_limit), on the number of sessions per SMTP server process (max_use), and on the number of file handles per process (managed with sysctl). Found during code maintenance.

  • Bugfix (defect introduced: Postfix 3.4, date 20190121): the postsuper command failed with "open logfile '/path/to/file': Permission denied" when the maillog_file parameter specified a filename and Postfix was not running. This was fixed by opening the maillog_file before dropping root privileges. Found during code maintenance.

  • Bugfix (defect introduced Postfix 3.0). No autodetection of UTF8 text when missing message headers were automatically added by Postfix (for example, a From: header with UTF8 full name information from the password file). This caused Postfix to send UTF8 in message headers without using the SMTPUTF8 protocol. Problem reported by Michael Tokarev.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.
