Postfix 3.8.0 mail server available

After 14 months of development, a new stable branch of the Postfix mail server, 3.8.0, has been released. At the same time, the end of support for the Postfix 3.4 branch, which was released in early 2019, was announced. Postfix is one of the rare projects that combines high security, reliability and performance, which was achieved thanks to a well-thought-out architecture and a fairly strict policy for coding and patch auditing. The project code is distributed under EPL 2.0 (Eclipse Public License) and IPL 1.0 (IBM Public License).

According to a January automated survey of about 400 thousand mail servers, Postfix is used on 33.18% (34.08% a year ago) of mail servers, Exim's share is 60.27% (58.95%), Sendmail - 3.62% (3.58%), MailEnable - 1.86% (1.99%), MDaemon - 0.39% (0.52%), Microsoft Exchange - 0.19% (0.26%), OpenSMTPD - 0.06% (0.06%).

Main innovations:

  • The SMTP/LMTP client implements the ability to check DNS SRV records to determine the host and port of the mail server that will be used to send messages. For example, if you specify "use_srv_lookup = submission" and "relayhost = example.com:submission" in the settings, the SMTP client will query the SRV record for host _submission._tcp.example.com to determine the host and port of the mail gateway. The proposed feature can be used in infrastructures where services with dynamically allocated network port numbers are used to deliver mail messages.
  • The list of default algorithms in the TLS settings excludes SEED, IDEA, 3DES, RC2, RC4, and RC5 ciphers, the MD5 hash, and the DH and ECDH key exchange algorithms, which are classified as obsolete or unused. When specifying "export" and "low" cipher types in the settings, the "medium" type is now actually set, since support for the "export" and "low" types has been discontinued in OpenSSL 1.1.1.
  • Added a new setting "tls_ffdhe_auto_groups" to enable the FFDHE (Finite-Field Diffie-Hellman Ephemeral) group negotiation protocol in TLS 1.3 when building with OpenSSL 3.0.
  • To protect against attacks aimed at exhausting available memory, the "smtpd_client_*_rate" and "smtpd_client_*_count" statistics are now aggregated per network block, the size of which is specified by the "smtpd_client_ipv4_prefix_length" and "smtpd_client_ipv6_prefix_length" directives (default /32 and /84).
  • Added protection against attacks that use a TLS connection renegotiation request within an already established SMTP connection to create unnecessary CPU load.
  • The postconf command now warns about comments placed immediately after parameter values in the Postfix configuration file.
  • The ability to configure the client encoding for PostgreSQL is provided by specifying the "encoding" attribute in the configuration file (the default value is now set to "UTF8", and previously "LATIN1" was used).
  • In the postfix and postlog commands, the output of logs to stderr is now performed regardless of whether the stderr stream is connected to the terminal.
  • In the source tree, the "global/mkmap*.[hc]" files have been moved to the "util" directory, leaving only the "global/mkmap_proxy.*" files in the main directory.
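
The per-block accounting from the "smtpd_client_*_rate" item above, as an added Python illustration (not Postfix code): client addresses are masked to the configured prefix length before counting, so a client rotating through addresses inside one block occupies a single counter entry. The function names and sample addresses are constructed for this example; only the default prefix lengths come from the text.

```python
import ipaddress
from collections import Counter

# Default prefix lengths as stated in the release notes above.
IPV4_PREFIX_LENGTH = 32
IPV6_PREFIX_LENGTH = 84


def counter_key(client_addr, v4_len=IPV4_PREFIX_LENGTH, v6_len=IPV6_PREFIX_LENGTH):
    """Return the network block (as a string) a client address is counted under."""
    addr = ipaddress.ip_address(client_addr)
    length = v4_len if addr.version == 4 else v6_len
    # strict=False masks off the host bits instead of rejecting the address.
    return str(ipaddress.ip_network(f"{addr}/{length}", strict=False))


def aggregate(connections, **prefix_lengths):
    """Count connections per network block rather than per individual address."""
    return Counter(counter_key(a, **prefix_lengths) for a in connections)


def constructed_sample():
    """Constructed input, using documentation address ranges only."""
    # One client rotating through 4096 addresses inside a single /84.
    rotating = [f"2001:db8:0:1::{i:x}" for i in range(4096)]
    # The same /64, but different /84 blocks (bits 64-79 differ).
    other_blocks = [f"2001:db8:0:1:{i:x}::1" for i in range(1, 4)]
    ipv4 = ["192.0.2.10", "192.0.2.10", "192.0.2.11"]
    return rotating + other_blocks + ipv4


if __name__ == "__main__":
    sample = constructed_sample()
    table = aggregate(sample)
    print("distinct addresses:", len(set(sample)))
    print("counter entries   :", len(table))
    for block, hits in table.most_common(3):
        print(f"  {block:<28} {hits}")
```

With the defaults, IPv4 clients are still tracked individually (/32), while the 4096 rotating IPv6 addresses share one entry, which is what bounds the table's memory use.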

Source: opennet.ru
