Postfix 3.6.0 mail server release

After a year of development, a new stable branch of the Postfix mail server, 3.6.0, was released. At the same time, the Postfix 3.2 branch, released in early 2017, has been deprecated. Postfix is one of the rare projects that combines high security, reliability and performance at the same time, which was achieved thanks to a well-thought-out architecture and a rather strict policy for coding and patch auditing. The project code is distributed under EPL 2.0 (Eclipse Public License) and IPL 1.0 (IBM Public License).

According to the April automated survey of about 600 thousand mail servers, Postfix is used on 33.66% (34.29% a year ago) of mail servers, Exim's share is 59.14% (57.77%), Sendmail - 3.6% (3.83%), MailEnable - 2.02% (2.12%), MDaemon - 0.60% (0.77%), Microsoft Exchange - 0.32% (0.47%).

Main innovations:

  • Because the internal protocols used between Postfix components have changed, the mail server must be stopped with the "postfix stop" command before updating. Otherwise, interaction with the pickup, qmgr, verify, tlsproxy and postscreen processes may fail, which can delay mail delivery until Postfix is restarted.
  • Mentions of the words "white" and "black", perceived by some members of the community as racial discrimination, have been cleaned up. Instead of "whitelist" and "blacklist", "allowlist" and "denylist" are now used (for example, the postscreen_allowlist_interfaces, postscreen_denylist_action and postscreen_dnsbl_allowlist_threshold options). The changes affect the documentation, the settings for the postscreen process (built-in firewall) and the wording of log messages:

        postfix/postscreen[pid]: ALLOWLIST VETO [address]:port
        postfix/postscreen[pid]: ALLOWLISTED [address]:port
        postfix/postscreen[pid]: DENYLISTED [address]:port

    To preserve the old terms in the logs, the "respectful_logging = no" parameter is provided, which should be specified in main.cf before "compatibility_level = 3.6". Support for the old postscreen setting names has been retained for backwards compatibility. The configuration file "master.cf" has also remained unchanged so far.
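
As an added illustration (not part of the release notes or of the Postfix code base), the following Python snippet shows how log monitoring can cope with the rename: it parses postscreen lines in the format shown above and maps the pre-3.6 terms (WHITELISTED, BLACKLISTED, WHITELIST VETO) onto the new ones, so that a server kept on "respectful_logging = no" and a server on the new defaults feed the same counters. The log lines are constructed sample data; host name, PID and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines: three hosts logged with the Postfix 3.6 terms and
# one with the pre-3.6 term that "respectful_logging = no" keeps producing.
SAMPLE_LOG = """\
May 20 10:01:02 mx1 postfix/postscreen[4242]: ALLOWLISTED [192.0.2.10]:54321
May 20 10:01:05 mx1 postfix/postscreen[4242]: DENYLISTED [198.51.100.7]:40123
May 20 10:01:09 mx1 postfix/postscreen[4242]: ALLOWLIST VETO [192.0.2.11]:50000
May 20 10:01:12 mx1 postfix/postscreen[4242]: BLACKLISTED [203.0.113.9]:33333
May 20 10:01:15 mx1 postfix/postscreen[4242]: CONNECT from [192.0.2.12]:44444 to [192.0.2.1]:25
"""

# Old term -> new term, so dashboards keep one vocabulary across the upgrade.
VERDICT_ALIASES = {
    "WHITELISTED": "ALLOWLISTED",
    "BLACKLISTED": "DENYLISTED",
    "WHITELIST VETO": "ALLOWLIST VETO",
}

LINE_RE = re.compile(
    r"postfix/postscreen\[(?P<pid>\d+)\]: "
    r"(?P<verdict>ALLOWLIST VETO|WHITELIST VETO|ALLOWLISTED|WHITELISTED|"
    r"DENYLISTED|BLACKLISTED) "
    r"\[(?P<addr>[^\]]+)\]:(?P<port>\d+)$"
)


def parse_postscreen_line(line):
    """Return (verdict, addr, port) with the verdict normalised to the 3.6 term,
    or None for lines that are not allow/deny decisions (e.g. CONNECT)."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    verdict = VERDICT_ALIASES.get(m.group("verdict"), m.group("verdict"))
    return verdict, m.group("addr"), int(m.group("port"))


def summarise(log_text):
    """Count decisions per (normalised) verdict and collect denied client addresses."""
    counts = Counter()
    denied = []
    for line in log_text.splitlines():
        parsed = parse_postscreen_line(line)
        if parsed is None:
            continue
        verdict, addr, _port = parsed
        counts[verdict] += 1
        if verdict == "DENYLISTED":
            denied.append(addr)
    return counts, denied


if __name__ == "__main__":
    counts, denied = summarise(SAMPLE_LOG)
    for verdict, n in sorted(counts.items()):
        print(f"{verdict:15} {n}")
    print("denied clients:", ", ".join(denied))
```

Normalising at parse time, rather than searching for both spellings in every alert rule, means a rule such as "more than N DENYLISTED decisions from one address" keeps working regardless of which logging vocabulary a given server uses.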

  • In "compatibility_level = 3.6" mode, SHA256 replaces MD5 as the default hash function. With an earlier version set in the compatibility_level parameter, MD5 continues to be used, but a warning is logged for hash-related settings in which the algorithm is not explicitly specified. Support for the export-grade variant of the Diffie-Hellman key exchange has been discontinued (the value of the tlsproxy_tls_dh512_param_file parameter is now ignored).
  • Simplified diagnostics of problems associated with specifying an incorrect handler program in master.cf. To detect such errors, every internal service, including postdrop, now announces the protocol name before communication begins, and every client process, including sendmail, checks that the declared protocol name matches a supported variant.
  • A new mapping type "local_login_sender_maps" has been added to provide flexible control over the envelope sender address (given in the "MAIL FROM" command during an SMTP session) that the sendmail and postdrop processes accept from local users. For example, to allow local users, except root and postfix, to use only their own login name (determined from the UID) as the sender in sendmail, the following settings can be used:

        /etc/postfix/main.cf:
            local_login_sender_maps = inline:{ { root = *} , { postfix = * } },
                pcre:/etc/postfix/login_senders

        /etc/postfix/login_senders:
            # Both logins and the login@domain form are allowed.
            /(.+)/ $1 $1…@example.com
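
To make the lookup semantics of that example concrete, here is an added Python model of how the two tables in the list are consulted; it is not Postfix code and simplifies the real feature. Assumptions, labelled in the comments: lookup tables are searched in list order and the first table that returns a result wins (Postfix's usual lookup-list behaviour); the result is a space-separated list of allowed senders; "*" allows any sender; comparison is case-insensitive on the whole address; no match means the sender is refused; and the pcre line is taken to expand to "<login> <login>@example.com".

```python
import re

# Constructed tables mirroring the release-note example.
# inline:{ { root = * }, { postfix = * } }  -> first table in the list
INLINE_TABLE = {"root": "*", "postfix": "*"}
# pcre:/etc/postfix/login_senders -> second table; the pattern is assumed to
# expand to "<login> <login>@example.com" (simplified model, see lead-in).
PCRE_TABLE = [(re.compile(r"(.+)"), r"\1 \1@example.com")]


def lookup_allowed_senders(login):
    """Walk the lookup list in order; the first table with a result wins.
    Returns the space-separated result split into individual sender patterns."""
    if login in INLINE_TABLE:
        return INLINE_TABLE[login].split()
    for pattern, replacement in PCRE_TABLE:
        m = pattern.search(login)          # pcre tables are unanchored searches
        if m:
            return m.expand(replacement).split()
    return []                              # no table matched: nothing allowed


def sender_allowed(login, mail_from):
    """Decide whether a local user may submit mail with this envelope sender.
    Simplified model: "*" matches anything, otherwise exact case-insensitive match."""
    patterns = lookup_allowed_senders(login)
    mail_from = mail_from.lower()
    return any(p == "*" or p.lower() == mail_from for p in patterns)


if __name__ == "__main__":
    for login, sender in [("root", "noreply@ops.example"),
                          ("alice", "alice"),
                          ("alice", "alice@example.com"),
                          ("alice", "bob@example.com")]:
        print(f"{login:8} MAIL FROM:<{sender}> -> {'accept' if sender_allowed(login, sender) else 'reject'}")
```

The point the model makes visible is that the inline table must come first in the list: if the pcre table were listed first, its catch-all pattern would also match "root" and "postfix" and they would lose their unrestricted entry.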
  • The "smtpd_relay_before_recipient_restrictions=yes" setting has been added and enabled by default, in which the SMTP server will check smtpd_relay_restrictions before smtpd_recipient_restrictions, and not vice versa, as before.
  • Added parameter "smtpd_sasl_mechanism_list", set to "!external, static:rest" by default, to prevent confusing errors when the SASL backend claims to support "EXTERNAL" mode, which is not supported by Postfix.
  • For DNS name resolution, a new thread-safe API is now used by default. To build with the old API, specify "make makefiles CCARGS="-DNO_RES_NCALLS…"" when building.
  • Added the "enable_threaded_bounces = yes" mode, in which notifications about delivery failure, delayed delivery or delivery confirmation carry the same thread identifier as the original message, so that the mail client shows them in the same thread as the rest of the conversation.
  • By default, the /etc/services system database is no longer consulted to determine the TCP port numbers for SMTP and LMTP. Instead, port numbers are configured via the known_tcp_ports parameter (default: lmtp=24, smtp=25, smtps=submissions=465, submission=587). If a service is missing from known_tcp_ports, /etc/services is still used.
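
The lookup order just described, as an added example that is not part of the page or of Postfix: a parser for the known_tcp_ports syntax (including the chained "smtps=submissions=465" form, which assigns one port to several names) with a fallback to an /etc/services-style table. The /etc/services excerpt is a constructed sample embedded in the code so the example runs offline; the function names are mine.

```python
import re

# Default value quoted in the release notes.
DEFAULT_KNOWN_TCP_PORTS = "lmtp=24, smtp=25, smtps=submissions=465, submission=587"

# Constructed /etc/services excerpt used as the fallback table.
SAMPLE_ETC_SERVICES = """\
# service-name  port/protocol  [aliases]
ftp             21/tcp
ssh             22/tcp
smtp            25/tcp          mail
imap2           143/tcp         imap
"""


def parse_known_tcp_ports(value):
    """Parse "name=port" items separated by commas/whitespace.
    "a=b=465" maps both a and b to 465."""
    ports = {}
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        *names, port = item.split("=")
        if not names or not port.isdigit():
            raise ValueError(f"bad known_tcp_ports item: {item!r}")
        for name in names:
            ports[name] = int(port)
    return ports


def parse_etc_services(text, proto="tcp"):
    """Build name -> port from /etc/services-style text, aliases included."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        name, portproto, *aliases = fields
        port, _, p = portproto.partition("/")
        if p != proto or not port.isdigit():
            continue
        for n in (name, *aliases):
            table.setdefault(n, int(port))
    return table


def resolve_port(service, known=DEFAULT_KNOWN_TCP_PORTS,
                 services_text=SAMPLE_ETC_SERVICES):
    """Numeric values pass through; then known_tcp_ports; then /etc/services."""
    if service.isdigit():
        return int(service)
    known_ports = parse_known_tcp_ports(known)
    if service in known_ports:
        return known_ports[service]
    fallback = parse_etc_services(services_text)
    if service in fallback:
        return fallback[service]
    raise LookupError(f"unknown service {service!r}")


if __name__ == "__main__":
    for name in ("smtp", "submissions", "imap", "587"):
        print(f"{name:12} -> {resolve_port(name)}")
```

The last assertion below shows the practical consequence of the change: an /etc/services file that maps "smtp" to a non-standard port no longer moves Postfix's SMTP port, because known_tcp_ports is consulted first.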
  • The compatibility level ("compatibility_level") has been raised to "3.6" (previously the parameter was changed twice; besides 3.6, the values 0 (default), 1 and 2 are supported). From now on, "compatibility_level" will be set to the version number in which a change was made that breaks compatibility. To check compatibility levels, separate comparison operators have been added to main.cf and master.cf, such as "<=level" and "< level" (regular comparison operators are not suitable, since 3.10 would be treated as less than 3.9).
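
The comparison problem in the last item, as an added example that is not part of the page or of Postfix: a version-aware comparison of compatibility_level values next to the naive numeric comparison that gets 3.10 versus 3.9 wrong. It also handles the legacy single-number levels 0, 1 and 2 alongside the new version-style levels. The function names are mine.

```python
def parse_level(level):
    """Turn a compatibility_level string into a tuple of ints so that
    "2" -> (2,), "3.6" -> (3, 6) and "3.10" -> (3, 10)."""
    parts = level.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad compatibility_level: {level!r}")
    return tuple(int(p) for p in parts)


def level_lt(a, b):
    """Correct "< level" comparison: component-wise, like version numbers."""
    return parse_level(a) < parse_level(b)


def level_le(a, b):
    """Correct "<= level" comparison."""
    return parse_level(a) <= parse_level(b)


def naive_lt(a, b):
    """What a plain numeric comparison would do: 3.10 becomes the float 3.1."""
    return float(a) < float(b)


def legacy_defaults_active(configured_level, change_level):
    """True when the configured level is older than the release in which a
    backwards-incompatible default changed, i.e. the old default still applies."""
    return level_lt(configured_level, change_level)


if __name__ == "__main__":
    print("correct: 3.10 < 3.9 ->", level_lt("3.10", "3.9"))
    print("naive:   3.10 < 3.9 ->", naive_lt("3.10", "3.9"))
    print("MD5 defaults still active at level 2 ->", legacy_defaults_active("2", "3.6"))
```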

Source: opennet.ru
