In addition to the names listed below, the following people provided useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd. Apologies for any names omitted.

19980105

The compiled-in default value for resolve_smtp_sender was wrong (from the days that it was a boolean), causing smtpd to dump core when the variable was not set in main.cf.

The INSTALL instructions now have separate sections for the three basic ways of running vmailer.

The INSTALL instructions now discuss how to deal with chrooted processes.

Ported to RedHat 5.0. My, these people have re-organized their include files quite a bit, haven't they.

19980106

On RedHat Linux 4.2/5.0, when a FIFO listener opens the FIFO with mode O_RDONLY, the FIFO remains forever readable after the writer has closed it. Workaround: open the FIFO mode O_RDWR. Test program: util/fifo_rdonly_bug.c

Unfortunately, the above fix triggers a bug on BSD/OS 3.1 where opening the FIFO mode O_RDWR causes select() to claim that the FIFO is readable even before any data is written to it, causing read() to block or to fail. Test program: util/fifo_rdwr_bug.c

printfck (check arguments of printf-like function calls) found a missing argument in local/command.c

Miscellaneous Makefile cleanups that I didn't finish before the first alpha release.

19980107

Sometimes the DNS will claim that a domain does not exist, when in fact it does. Thus, it is a bad idea to reject mail from apparently non-existent domains. I have changed the smtpd so that it produces a soft error response when a resolve_smtp_sender test fails with HOST_NOT_FOUND. Note: by default, this test is still disabled.

The DB and DBM read routines will now automagically figure out if (key, value) pairs were written including a terminating null byte or not. The DB and DBM write routines will use this result to determine how to write, and will fall back to per-system defaults otherwise.

Renamed the README to MUSINGS, and wrote up a README that reflects the current status of the software.

Added -d (don't disconnect) and -c (show running counter) options to the smtp-source test program. These tools are great torture tests for the mail software, and for the system that it runs on.

Turned down the process_limit parameter (# of parallel smtp clients or servers) to avoid unpleasant surprises. You can crank up the process_limit parameter in main.cf.

19980111

Feature: when run by the superuser, mailq now shows the mail queue even when the mail system is down. To this end, mailq (sendmail -bp) runs the showq program directly instead of connecting to the UNIX-domain service socket, and drops privileges etc. as usual.

19980119

Bugfix: Edwin Kremer spotted an oversight in the negated host matching code (for name or address patterns prefixed by !).

Bugfix: upon receipt of a SIGHUP signal, the master now disconnects from its child processes, so that the current generation of child processes commits suicide, and so that the next generation of child processes will use the new configuration settings.

Bugfix: the smtp server now skips the sender DNS domain lookup test for foo@[address]

Bugfix: don't append the local domain to foo@[address]

19980120

Bugfix: old low-priority bug in some list walk code that caused the master to drop core when a service was turned off in master.cf.

Robustness: the mail system should be able to start up and to accept local postings even while the naming service is down. For this reason, the mail system no longer uses gethostbyname() to look up its own machine name. Sites that use short hostnames will have to specify their FQDN in main.cf (this will eventually be done by the system installation/configuration procedure). Should the config language support backticks so one can say `domainname`? What about $name stuff between the backticks?

Security: the master now creates FIFOs and UNIX-domain sockets as the mail owner instead of as root, for better protection against subverted mail systems. chmod() is susceptible to race conditions. fchmod(), although safer, often does not work on sockets.

Portability: anticipate that all major UNIXes will create UNIX-domain sockets with permissions modified by the process umask (required by POSIX). For this reason, we always chmod() UNIX-domain sockets, unless the system allows us to use the safer fchmod() instead.

Portability: the semi-resident servers now properly handle EWOULDBLOCK returns from accept() in addition to EAGAIN (on some systems, EAGAIN and EWOULDBLOCK have different values).

Bugfix: the semi-resident servers now properly handle EINTR returns from accept().

Bugfix: Edwin Kremer found that mynetworks() would compute (32 - mask) instead of mask.

19980121

Feature: /etc/vmailer/relocated is used by the local delivery program and specifies what mail should be bounced with a "user has moved to XXX" message. The main.cf configuration parameter is "relocated_maps". Just like the "virtual_maps" config parameter, this feature is off by default, and the parameter can have values such as "files" or "files, nis" (on hosts equipped with NIS).

19980123

Cleanup: virtual domain support moved from the queue manager to the resolve service, where it belongs.

Feature: /etc/vmailer/canonical is used by the rewrite service for all addresses, and maps a canonical address (user@domain) to another address. Typical use is to generate Firstname.Lastname@domain addresses, or to clean up dirty addresses from non-RFC 822 mail systems. The main.cf configuration parameter is "canonical_maps". Just like the "virtual_maps" config parameter, this feature is off by default, and the parameter can have values such as "files" or "files, nis" (on hosts equipped with NIS).

19980124

HPUX10 port and many little fixes from Pieter Schoenmakers.

Bugfix: isolated an old mysterious bug that could make the master deaf for new connections while no child process was running. A typical result was that no pickup daemon would be started after the previous one had terminated voluntarily.

Bugfix: the NIS lookup code did not mystrdup() the NIS map name and would access free()d memory.

19980125

Bugfix: the vstream routines would sometimes ignore flushing errors. The error would still be reported by vstream_fclose() and vstream_ferror().

Feature: time limit on delivery to shell commands. Config parameter: command_time_limit. Default value: 100 sec. The idea is to prevent one bad .forward file or alias file entry from slowly using up all local delivery process slots.

19980126

Code cleanup: in preparation for SMTP extensions such as SIZE, allow an extended SMTP command to have a variable number of options.

19980127

Bugfix: moved canonical map lookups away from the rewriting module to the cleanup service, so that canonical map lookups do not interfere with address rewriting on behalf of other programs. Back to an older trivial-rewrite program version.

Bugfix: moved virtual map lookups away from the resolver back to the queue manager, so that virtual domain lookup does not interfere with address resolution on behalf of other programs. Back to an older qmgr program version.

19980131

Feature: integrated and adapted Guido van Rooij's SIZE option (RFC 1870), carefully avoiding potential problems due to overflow (by multiplying large numbers) or unsigned underflow (by subtracting numbers).

Code cleanup: cleaned up the code that parses the server response to the HELO/EHLO command, so that we can more reliably recognize what options a server supports.

19980201

Portability: integrated the IRIX 6 port by Oved Ben-Aroya.

Portability: the software now figures out by itself if a server should open its FIFO read-write or read-only, to avoid getting stuck with a FIFO that stays readable forever.

Bugfix: the cleanup service would terminate with a fatal vstream_fseek() error when the queue file was too large.

Bugfix: the cleanup service could be killed by a signal when the queue file became too large.

19980203

Portability: some systems have statfs(), some have statvfs(), and the relevant include files are in a different place on almost every system.

Portability: the makedefs script now nukes the -O compiler flag when building on AIX with IBM's own compiler...

19980204

Portability: HP-UX 9.x support by Pieter Schoenmakers.

Portability: added SYSV-style ulimit() file size limit support for HP-UX 9.x.

Portability: added some #includes that appeared to be missing according to the Digital UNIX cc compiler.

Bugfix: sys_defs.h now correctly specifies NIS support for LINUX2, HPUX9 and HPUX10.

Security: fixed a file descriptor leak in the local delivery agent that could give shell commands access to the VMailer IPC streams. This should not cause a vulnerability, given the design and implementation of the mailer, but it would be like asking for trouble.

Bugfix: the sendmail -B (body type) option did not take a value.

19980205

Bugfix (SUNOS5): should not have deleted the SVID_GETTOD definition from util/sys_defs.h.

Bugfix (HPUX9): forgot to specify whether to use statfs() or statvfs().

Bugfix (HPUX9): don't try to raise the file size ulimit.

Bugfix (HPUX9): must specify file size limit in 512-blocks.

19980207

Robustness: the master process now raises the file size limit when it is started with a limit that is less than VMailer's file size limit. File: util/file_limit.c.

Security: the dns lookup routines now screen all result names with valid_hostname(). Bad names are treated as transient errors.

Feature: qmail compatibility: when the home_mailbox parameter is set, mail is delivered to ~/$home_mailbox instead of to /var[/spool]/mail/username.
This hopefully makes it easier to lure people away from qmail :-)

Robustness: several testers by accident configured relayhost the same as myhostname. The programs now explicitly check for this mistake.

Bugfix: deliver_request_read() would free unallocated memory when it received an incomplete delivery request from the queue manager.

Robustness: local_destination_concurrency=1 prevents parallel delivery to the same user (with possibly disastrous effects when that user has an expensive pipeline in the .forward or procmail config file). Each transport can have its own XXX_destination_concurrency parameter, to limit the number of simultaneous deliveries to the same destination.

19980208

Robustness: added "slow open" mode, to gradually increase the number of simultaneous connections to the same site as long as delivery succeeds, and to gradually decrease the number of connections while delivery fails. Brad Knowles provided the inspiration to do this. This also solves the "thundering herd" problem (making a bunch of connections to a dead host when it was time to retry that host). Let's see when other mailers fix this.

Feature: Added $smtpd_banner and $mail_version, for those who want to show the world what software version they are running.

Bugfix: vmailer-script now properly labels each syslog entry.

19980210

Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers

Bugfix: the local delivery program now checks that a destination is a regular file before locking it.

19980211

Robustness: the local delivery agent sets HOME, LOGNAME, and SHELL when delivering to a user shell command. PATH is always set, and TZ is passed through if it is set.

19980212

Feature: mailq (sendmail -bp) now also lists the maildrop queue (with mail that hasn't been picked up yet).

19980213

Feature: the smtpd now says: 502 HELP not implemented. This should impress the heck out of the competition :-)

19980214

Feature: local delivery to configurable system-wide command (e.g.
procmail) avoids the need for per-user ~/.forward shell commands. Config parameter: mailbox_command.

19980215

Performance: avoid running a shell when a command contains no shell magic characters or built-in shell commands. This speeds up delivery to all commands. File: util/exec_command.c.

Bugfix: the local delivery agent, after reading EOF from a child process, now sends SIGKILL only when the child does not terminate within a limited amount of time. This avoids some problems with procmail. File: util/timed_wait.c.

19980217

Portability: folded in NetInfo support from Pieter Schoenmakers.

19980218

Feature: new vmlock command to run a command while keeping an exclusive lock on a mailbox.

Feature: with "recipient_delimiter = +", mail for local address "user+foo" is delivered to "foo", with a "Delivered-To: user+foo@domain" message header. Files: qmgr/qmgr_message.c, local/recipient.c. This must be the cheapest feature.

19980219

Code cleanup: moved error handling into functions that should always succeed (non_blocking(), close_on_exec()).

19980223

Bugfix: null pointer bug in the cleanup program after processing a From: header with no mail address (or with only a comment).

19980226

Robustness: now detects when getpwnam() returns a name that differs from the requested name.

Feature: Added %p support to the vbuf_print formatting module.

Code cleanup: revamped the alias/include/.forward loop detection and duplicate suppression code in the local delivery agent. This must be the fourth iteration, and again the code has been simplified.

19980228

Robustness: don't treat anything starting with whitespace as a header record. Instead, explicitly test for leading whitespace where we permit it. Files: global/is_header.c, bounce/bounce_flush_service.c, local/delivered.c.

19980301

Compatibility: the sendmail program now accepts the -N command-line option (delivery status notification) but ignores it entirely, just like many other sendmail options.

Bugfix: dns_lookup.c was too conservative with buffer sizes and would incorrectly report "malformed name server reply".

19980302

Bugfix: the local delivery agent was not null-byte clean.

19980307

Feature: integrated Pieter Schoenmakers' code for transport lookup tables that list (transport, nexthop) by destination.

19980309

Bugfix: delivery agents no longer rename corrupt queue files, because programs might fall over each other doing so. Instead, when a delivery agent detects queue file corruption, it chmods the queue file, simulates a soft error, and lets the queue manager take care of the problem.

Bugfix: the SMTP server implemented VRFY incorrectly.

Feature: first shot at a pipe mailer, which can be used to extend VMailer with external mail transports such as UUCP (provided that the remote site understands domain addressing, because VMailer version 1 does not rewrite addresses).

Cleanup: extended the master/child interface so that the service name (from master.cf) is passed on to the child. The pipe mailer needs the service name so it can look up service-specific configuration parameters (privilege level, recipient limit, time limit, and so on).

19980310-12

Cleanup: factored out the pipe_command() code, so it can be shared between pipe mailer and local delivery agent.

19980314

Compatibility: the sendmail program now parses each command-line recipient as if it were an RFC 822 message header; some MUAs specify comma-separated recipients in a command-line argument; and some MUAs even specify "word word" forms as command-line arguments.

19980315

Bugfix: VMailer's queue processing randomization wasn't adequate for unloaded systems with small backlogs.

Bugfix: smtpd now uses double-buffered stream I/O to prevent loss of input sent ahead of responses.

19980316

Bugfix: the smtpd anti-relay code didn't treat all hosts listed in $mydestinations as local, so it would accept mail only for hosts listed in $relay_domains (default: my own domain).

Bugfix: smtpd now replies with 502 when given an unknown command.

19980318

Cleanup: resolve/rewrite clients now automatically disconnect after a configurable amount of idle time (ipc_idle).

19980322

Tolerance: VRFY now permits user@domain, even though the RFC requires that special characters such as @ be escaped.

19980325

Bugfix: a recipient delimiter of "-" could interfere with special addresses such as owner-xxx or double-bounce.

Tolerance: the SMTP client now permits blank lines in SMTP server responses.

Tolerance: the SMTP client now falls back to SMTP when it apparently mistook an SMTP server as ESMTP capable.

Bugfix: eliminated strtok() calls in favor of mystrtok(). Symptom: master.cf parsing would break if $inet_interfaces was more than one word.

19980328

Bugfix: user->addr patterns in canonical and virtual tables matched only $myorigin, not hosts listed in $mydestination or addresses listed in $inet_interfaces. The man pages were wrong too. File: global/addr_match.c.

19980401

Robustness: FIFO file permissions now default to 0622. On some systems, opening a FIFO read-only could deafen the pickup daemon. Only the listener end (which is opened as root) needs read access anyway, so there should not be a loss of functionality by making FIFOs non-readable for non-mail processes.

19980402

Compatibility: sendmail -I and -c options added.

19980403

Feature: virtual lookups are now recursive. File: qmgr/qmgr_message.c

19980405

Implemented sendmail -bs (stand-alone) mode.
This mode runs as the user and therefore deposits into the maildrop queue.

19980406

The pickup service now removes malformed maildrop files.

19980407

The pickup service now guards against maildrop files with time stamps dated into the future.

19980408

Bugfix: in the canonical and virtual maps, foo->address would match foo@$myorigin only. This has been fixed to also match hosts listed in main.cf:$mydestination and the addresses listed in main.cf:$inet_interfaces.

Bugfix: added double buffering support to the VMailer SMTP server. This makes the SMTP server robust against SMTP clients that talk ahead of time, and should have been in there from day one.

19980409

Bugfix: the VMailer SMTP client now recognizes its own hostname in the SMTP greeting banner only when that name appears as the first word on the first line.

19980410

Feature: smtpd now logs the local queue ID along with the client name/address, and pickup now logs the local queue ID along with the message owner.

Bugfix: still didn't do virtual/canonical lookups right (code used the non-case-folded key instead of the case folded one).

19980418

Bugfix: the SMTP server did not flush the "250 OK queued as XXXX" message from the SMTP conversation history.

19980419

Bugfix: qmgr would not notice that a malformed message has multiple senders, and would leak memory (Tom Ptacek).

19980421

Portability: in the mantools scripts, the expr pattern no longer has ^ at the beginning, and the scripts now use the expand program instead of my own detab utility.

19980425

NetBSD 1.x patch by Soren S. Jorvang.

19980511

Feature: the SMTP server now logs the protocol (SMTP or ESMTP) as part of the Received: header.

Feature: smtpd now logs the last command when a session is aborted due to timeout, unexpected EOF, or too many client errors.

19980514

Bugfix: the queue manager did not update the counter for in-core message structures, so the in-core message limit had no effect.
This can be bad when you have a large backlog with many messages eligible for delivery.

Robustness: the queue manager now also limits the total number of in-core recipient structures, so that it won't use excessive amounts of memory on sites that have large mailing lists.

19980518

Bugfix: the SMTP client did not notice that the DNS client received a truncated response. As a result, a backup MX host could incorrectly claim that it was the best MX host and declare a mailer loop.

Added start_msg/stop_msg entries to the vmailer startup script, for easy installation.

Cleanup: VMailer databases are now explicitly specified as type:name, for example, hash:/etc/aliases or nis:mail.aliases, instead of implicitly as "files", "nis" and so on. Test program: util/dict_open. This change allowed me to eliminate a lot of redundant code from mkmap_xxx.c, and from everything that does map lookups.

19980525

Bugfix: local/dotforward.c compared the result of opening a user's ~/.forward against the wrong error value.

19980526

Bugfix: the smtpd VRFY command could look at free()d memory.

Robustness: the smtpd program had a fixed limit on the number of token structures. The code now dynamically allocates token structures.

Bugfix: the queue manager still used the deprecated parameter name xxx_deliver_concurrency for concurrency control, but the documentation talks about the preferred parameter name xxx_destination_concurrency. Fix: try xxx_destination_concurrency first, then fall back to xxx_deliver_concurrency.

19980621-19980702

Cleanup: the string read routines now report the last character read or VSTREAM_EOF. This change is necessary for the implementation of the long SMTP line bugfix.

Bugfix: the smtp server exited the DATA command prematurely when the client sent long lines. Reason: the smtp server did not remember that it broke long lines, so that '.' could appear to be the first character on a line when in fact it wasn't.

Bugfix: the queue manager made lots of stupid errors while reading $qmgr_message_recipient_limit chunks of recipients from a queue file. This code has been restructured.

19980706

Performance: the cleanup program now always adds return-receipt and errors-to records to a queue file, so that the queue manager does not have to plow through huge lists of recipients.

Robustness: the initial destination concurrency now defaults to 2, so that one bad message or one bad connection does not stop all mail to a site. The configuration parameter is called initial_destination_concurrency.

Performance: the per-message recipient limit is now enforced by the queue manager instead of by the transport. Thus, a large list of recipients for the same site is now mapped onto several delivery requests which can be handled in parallel, instead of being mapped onto one delivery request that is sent to limited numbers of recipients, one group after the other.

19980707

Cleanup: the queue manager now does an additional recipient sort after the recipients have been resolved, so that the code can do better aggregation of recipients by next hop destination.

Feature: lines in the master.cf file can now be continued in the same manner as lines in the main.cf file, i.e. by starting the next line with whitespace.

Feature: the smtp client now warns that a message may be delivered multiple times when the response to "." is not received (the problem described in RFC 1047).

Cleanup: when the queue manager changes its little mind after contacting a delivery agent (for example, it decides to skip the host because a transport or host goes bad), the delivery agent no longer complains about premature EOF. File: global/deliver_request.c

19980709

Bugfix: when breaking long lines, the SMTP client did not escape leading dots in secondary etc. line fragments. Fix: don't break lines. This change makes VMailer line-length transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c.
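
Both long-line fixes (the 19980621-19980702 server fix and the 19980709 client fix) rest on one rule: a '.' is special only at the true start of a line, never at the start of a buffer fragment. The following C sketch is an added example, not VMailer source code; the function names, FRAG_CAP, the remember_breaks flag and the sample body are assumptions made for illustration, and the streams are assumed to be NUL-free.

```c
#include <stddef.h>
#include <string.h>

#define FRAG_CAP 64                 /* largest fragment size accepted here */

/* Constructed sample body (LF line endings). Line two is 15 'A's plus a '.',
 * so a 15-byte fragment limit leaves that '.' alone in its own fragment. */
static const char SAMPLE_BODY[] =
    "first line\n" "AAAAAAAAAAAAAAA.\n" ".hidden\n" "last line\n";

/* Read one fragment of a NUL-terminated stream: at most frag_max content bytes,
 * ending early at a CRLF. *eol reports whether a line really ended here. */
static size_t read_fragment(const char **pp, size_t frag_max, char *buf, int *eol)
{
    size_t n = 0;

    *eol = 0;
    while (**pp != '\0') {
        if ((*pp)[0] == '\r' && (*pp)[1] == '\n') {
            *pp += 2;
            *eol = 1;
            break;
        }
        if (n == frag_max)
            break;
        buf[n++] = *(*pp)++;
    }
    return n;
}

/* Receiver: writes the un-stuffed body (LF line endings) to out, which must
 * hold strlen(wire) + 1 bytes; returns the wire offset where command parsing
 * resumes, or -1. remember_breaks == 0 reproduces the old behaviour. */
long smtp_data_receive(const char *wire, size_t frag_max, int remember_breaks,
                       char *out)
{
    const char *p = wire;
    char buf[FRAG_CAP];
    size_t used = 0;
    int at_line_start = 1;

    if (frag_max == 0 || frag_max > FRAG_CAP)
        return -1;
    while (*p != '\0') {
        int eol;
        size_t n = read_fragment(&p, frag_max, buf, &eol);
        int line_start = remember_breaks ? at_line_start : 1;
        const char *s = buf;

        if (line_start && eol && n == 1 && buf[0] == '.') {
            out[used] = '\0';           /* end of data: "." alone on a line */
            return (long) (p - wire);
        }
        if (line_start && n > 0 && buf[0] == '.') {
            s++;                        /* undo the sender's dot-stuffing */
            n--;
        }
        memcpy(out + used, s, n);
        used += n;
        if (eol)
            out[used++] = '\n';
        at_line_start = eol;            /* the state the old code did not keep */
    }
    return -1;                          /* no end-of-data line seen */
}

/* Sender, as fixed: lines are never broken and a '.' is escaped only at the
 * true start of a line. wire must hold 2 * strlen(body) + 6 bytes. */
void smtp_data_send(const char *body, char *wire)
{
    size_t w = 0;
    int at_line_start = 1;

    for (; *body != '\0'; body++) {
        if (at_line_start && *body == '.')
            wire[w++] = '.';
        if (*body == '\n')
            wire[w++] = '\r';
        wire[w++] = *body;
        at_line_start = (*body == '\n');
    }
    strcpy(wire + w, at_line_start ? ".\r\n" : "\r\n.\r\n");
}

/* Round trip of SAMPLE_BODY: resume offset, -1 on error, -2 on body mismatch. */
long demo(size_t frag_max, int remember_breaks)
{
    char wire[128], body[128];
    smtp_data_send(SAMPLE_BODY, wire);
    long off = smtp_data_receive(wire, frag_max, remember_breaks, body);
    if (off >= 0 && remember_breaks && strcmp(body, SAMPLE_BODY) != 0)
        return -2;
    return off;
}

int main(void)
{
    return !(demo(15, 1) > demo(15, 0));   /* exit 0: the fix reads past the lone '.' */
}
```

With a 15-byte fragment limit the receiver that forgets its line breaks stops at the lone '.' fragment, so the rest of the message body would be parsed as SMTP commands; the break-aware receiver consumes the whole message.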
19980712

Cleanup: the queue manager to delivery agent protocol now distinguishes between domain-specific soft errors and recipient-specific soft errors. Result: many soft errors with SMTP delivery no longer affect other mail for the same domain.

19980713

Feature: the file modification time stamp of deferred queue files is set to the nearest wakeup time of their recipient hosts, or if delivery was deferred due to a non-host problem, the time stamp is set into the future by the configurable minimal backoff time.

Bugfix: the SMTP client and the MAILQ command would report as message size the total queue file size. That would grossly overestimate the size of a message with many recipients.

Bugfix: the 19980709 fix screwed up locally-posted mail that didn't end in newline.

19980714

Robustness: the makedefs script now defaults to no optimization when compiling for purify.

19980715

Robustness: the makedefs script now defaults to no optimization when compiling with gcc 2.8, until this compiler is known to be OK.

Workaround: when sending multiple messages over the same SMTP connection, some SMTP servers need an RSET command before the second etc. MAIL FROM command. The VMailer SMTP client now sends a redundant RSET command just in case.

The queue manager now logs explicitly when delivery is deferred because of a "dead" message transport.

19980716

Feature: mailq and mail bounces now finally report why mail was deferred (the reason was logged to the syslog file only). Changes were made to the bounce service (generalized to be usable for defer logs), showq service (to show reasons) and the queue manager. As a result the defer directory (with one log per deferred message) may contain many files; also, this directory is accessed each time a message is let into the active queue, in order to delete its old defer log. This means that hashed directories are now a must.

19980718-20

Feature: configurable timeout for establishing smtp connections.
Parameter: smtp_connect_timeout (default 0, which means use the timeout as wired into the kernel). Inspired by code from Lamont Jones. For a clean but far from trivial implementation, see util/timed_connect.c

Cleaned up the interfaces that implement read/write deadlines. Instead of returning -2, the routines now set errno to ETIMEDOUT; the readable/writable tests are now separate.

19980722

Feature: the default indexed file type (hash, btree, dbm) is now configurable with the "database_type" parameter. The default value for this parameter is system specific.

Feature: selectively turn on verbose logging for hosts that match the patterns specified via the "debug_peer_list" config parameter. Syntax is like the "bad_smtp_clients" parameter (see global/peer_list.c). The verbose logging level is specified with "debug_peer_level" (default 2).

Security: the local delivery agent no longer delivers to files that have execute permission enabled.

19980723

Workarounds for Solaris 2.x UNIX-domain sockets: they lose data when you close them immediately after writing to them. This could screw up the delivery agent to queue manager protocol.

19980724

Cleanup: spent most of the day cleaning up queue manager code that defers mail when a site or transport dies, and fixed a few obscure problems in the process.

19980726

Feature: the admin can now configure what classes of problems result in mail to the postmaster. Configuration parameter: "notify_classes". Default is backwards compatible: bounce, policy, protocol, resource, and software.

19980726-28

Feature: the admin can now configure what smtp server access control restrictions must be applied, and in what order. Configuration parameters: smtpd_client_restrictions, smtpd_helo_restrictions, smtpd_mail_restrictions and smtpd_rcpt_restrictions. Defaults are intended to be backwards compatible. The bad_senders and bad_clients lists are gone and have become db (dbm, nis, etc) maps. Files: smtpd/smtpd_check.c, config/main.cf.
19980729-31

Feature: hashed queues. Rewrote parts of the mail queue API. Configuration parameters: "hash_queue_names" specifies what queue directories will be hashed (default: the defer log directory), "hash_queue_depth" specifies the number of subdirectories used for hashing (default 2).

19980802

Bugfix: the pipe mailer should expand command-line arguments with $recipient once for every recipient (producing one command-line argument per recipient), instead of replacing $recipient by all recipients (i.e. producing only one command-line argument). This is required for compatibility with programs that expect to be run from sendmail, such as uux. Thanks to Ollivier Robert for helping me to get this right.

Code cleanup: for the above, cleaned up the macro expansion code in dict.c and factored out the parsing into a separate module, mac_parse.c.

19980803

"|command" and /file/name destinations in alias databases are now executed with the privileges of the database owner (unless root or vmailer). Thus, with: "alias_maps = hash:/etc/aliases, hash:/home/majordomo/aliases", and with /home/majordomo/aliases* owned by the majordomo account, you no longer need the majordomo set-uid wrapper program, and you no longer need root privileges in order to install a new mailing list.

19980804

Added support for the real-time blackhole list. Example: "client_restrictions = permit_mynetworks, reject_maps_rbl"

All SMTP server "reject" status codes are now configurable: unknown_client_reject_code, mynetworks_reject_code, invalid_hostname_reject_code, unknown_hostname_reject_code, unknown_address_reject_code, relay_domains_reject_code, access_map_reject_code, maps_rbl_reject_code. Default values are documented in the smtpd/smtpd_check.c man page.
19980806-8

Code cleanup: after eyeballing line-by-line diffs, started deleting code that duplicated functionality because it was at the wrong abstraction level (smtp_trouble.c), moved functionality that was in the wrong place (dictionary reference counts in maps.c instead of dict.c), simplified code that was too complex (password-file structure cache) and fixed some code that was just wrong.

19980808

Robustness: the number of queue manager in-core structures for dead hosts is limited; the limit scales with the limit on the number of in-core recipient structures. The idea is to not run out of memory under conditions of stress.

19980809

Feature: mail to files and commands can now be restricted by class: alias, forward file or include file. The default restrictions are: "allow_mail_to_files = alias, forward" and "allow_mail_to_commands = alias, forward". The idea is to protect against buggy mailing list managers that allow intruders to subscribe /file/name or "|command".

19980810-12

Cleanup: deleted a couple hundred lines of code from the local delivery agent. It will never be a great program; sendmail compatibility is asking a severe toll.

19980814

Cleanup: made the program shut up about some benign error conditions that were reported by Daniel Eisenbud.

19980814-7

Documentation: made a start of HTML docs that describe all configuration parameters.

Feature: while documenting things, added smtpd_helo_required.

19980817

Bugfix: at startup the queue manager now updates the time stamps of active queue files some time into the future. This eliminates duplicate deliveries after "vmailer reload".

Bugfix: the local delivery agent now applies the recipient delimiter after looking in the alias database, instead of before.

Documentation bugfixes by Matt Shibla, Tom Limoncelli, Eilon Gishri.

19980819

GLIBC fixes from Myrdraal.

Bugfix: applied showq buffer reallocation workaround in the wrong place.

Bugfix: can't use shorts in varargs lists. SunOS 4 has short uid_t and gid_t.
pipe_command() would complain.

Bugfix: can't use signed char in ctype macros. All ctype arguments are now cast to unsigned char. Thanks, Casper Dik.

19980820

Bugfix: save the alias lookup result before looking up the owner. The previous alpha release did this right.

Cleanup: mail_trigger() no longer complains when the trigger FIFO or socket is unavailable. This change is necessary to shut up the sendmail mail posting program, so that it can be used on mail clients that mount their maildrop via NFS.

Experiment: pickup and pipe now run as vmailer most of the time, and switch to user privileges only temporarily. Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c pickup/pickup.c. Is this more secure? What about someone manipulating such a process while not root? It still has ruid == 0.

19980822

Portability: with GNU make, commands such as "(false;true)" and "while :; do false; done" don't fail. Workaround: use "set -e" all over the place. Problem found by Jeff Wolfe.

Feature: "check_XXX_access maptype:mapname" (XXX = client, helo, sender, recipient). Now you can make recipient and other SPAM restrictions dependent on client or sender access tables lookup results.

19980823

Bugfix: smtpd access table lookup keys were case sensitive.

Added "permit" and "reject" operators. These are useful at the end of SPAM restriction lists (smtpd_XXX_restrictions).

Added a first implementation of the permit_mx_backup SPAM restriction. This permits mail relaying to any domain that lists this mail system as an MX host (including mail for the local machine). Thanks to Ollivier Robert for useful discussions.

19980824

Bugfix: transport table lookup keys were case sensitive.

19980825

Portability: sa_len is some ugly #define on some SGI systems, so we must rename identifiers (file util/connect.c).

Bugfix: uucp delivery errors are now sent to the sender. Thanks, Mark Delany.

Bugfix: the pipe delivery agent now replaces empty sender by the mailer daemon address. Mark Delany, again.
Portability: GNU getopt looks at all command-line arguments. Fix: insert -- into the pipe/uucp definition in master.cf. Bugfix: the smtp server command tokenizer silently discarded the [] around [text], so that HELO [x.x.x.x] was read as if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand. Bugfix: the HELO unknown hostname/bad hostname restrictions would have treated [text] as a domain name anyway. Bugfix: the $local_duplicate_filter_limit value was not picked up by the local delivery agent. This means the local delivery agent could run out of memory on large mailing list deliveries. 19980826 Performance: mkmap/mkalias now run with the same speed as sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte of memory for DB lookups. File: util/dict_db.c. 19980902 Robustness: the reject_unknown_hostname restriction for HELO/EHLO hostnames will now permit names that have an MX record instead of an A record. 19980903 Feature: appending @$myorigin to an unqualified address is configurable with the boolean append_at_myorigin parameter (default: yes). Feature: appending .$mydomain to user@host is configurable with the boolean append_dot_mydomain parameter (default: yes). Feature: site!user is rewritten to user@site, under control of the boolean parameter swap_bangpath (default: yes). Feature: permit a naked IP address in HELO commands (i.e. an address without the enclosing [] as required by the RFC), by specifying "permit_naked_ip_address" as one of the restrictions in the "smtpd_helo_restrictions" config parameter. 19980904 Code cleanup: when an SMTP client aborts a session after sending MAIL FROM, the cleanup service no longer warns that it is "skipping further client input". Files: cleanup/*.c. Thanks, Daniel Eisenbud, for prodding. Code cleanup: when an SMTP server disconnects in the middle of a session, don't try to send QUIT over the non-existing connection. Files: global/smtp_stream.c, smtp/smtp.c. Thanks, Daniel Eisenbud, for prodding, again. 
Code cleanup: the VMailer version number has moved from mail_params.h (which is included by lots of modules) to a separate file global/mail_version.h, so that a version change no longer results in massive recompilation. Bugfix: Errors-To was flagged as a sender address, so the address never was picked up. Code cleanup: support for Errors-To: headers completed. 19980905 Feature: per-message exponential delivery backoff, by looking at the amount of time a message has been queued. Thanks, Mark Delany. 19980906 Code cleanup: ripped out the per-host exponential backoff code. It was broken by 19980818. It was probably a bad idea anyway, because it required per-host, in-core, state kept by the queue manager. All we do now is to keep state for $minimal_backoff_time seconds, but only for a limited number of hosts. Daniel Eisenbud spotted the problem. Lost feature: the SMTP session transcripts now show who said what. This feature was inadvertently dropped during development. Thanks, Daniel Eisenbud, for reminding. Documentation: the hard-coded rewriting process of the trivial-rewrite program is described in html/rewrite.html. Feature: the local delivery agent now does alias lookups before and after chopping off the recipient subaddress. This allows you to forward user-anything to another user, without losing the ability to redirect specific user-foo addresses. 19980909 Feature: the smtp client now logs a warning that a server sends a greeting banner with the client's hostname, which could imply a mailer loop. 19980910 Feature: separate canonical maps for sender and recipient address rewriting, so that you can rewrite an ugly sender address and still forward mail to that same ugly address without creating a mailer loop. Files: cleanup_envelope.c, cleanup_message.c, cleanup_rewrite.c. 19980911 Feature: virtual maps now support multiple addresses on the right-hand side. 
In the case of virtual domains this can eliminate the need for address expansion via local aliases, making virtual domains much easier to administer. This required that I moved the virtual table lookups from the queue manager to the cleanup service, so that every recipient has an on-disk status record. Files: qmgr.c, qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c, cleanup_virtual.c. Feature: sendmail/mailq/newaliases pass on the -v flag to the program that they end up running, to make debugging a little easier. 19980914 Bugfix: some anti-spam measures didn't recognize some addresses as local and would do too much work. File: smtpd_check.c. Bugfix: the smtp sender/recipient table lookup restriction destroyed global data, so that other restrictions could break. File: smtpd_check.c. Bugfix: after vmailer reload, single-threaded servers could exit before flushing unwritten data to the client. Example: cleanup would exit before acking success to pickup, so the message would be delivered twice. Bug reported by Brian Candler. Cleanup: removed spurious error output from vmailer-script. Reported by Brian Candler. Tolerance: ignore non-numeric SMTP server responses. There's a lot of brain damage out there on the net. 19980915 Feature: the smtp-sink benchmark tool now announces itself with a neutral name so that it can be run on the same machine as VMailer, without causing Postfix to complain about a mailer loop. Robustness: on LINUX, vmailer-script now does chattr +S to force synchronous directory updates. Fix developed with Chris Wedgwood. 19980916 Bugfix: when transforming an RFC 822 address to external form, there is no need to quote " characters in comments. This didn't break anything, it just looked ugly. File: global/tok822_parse.c 19980917 Workaround: with deliveries to /file/name, use fsync() and ftruncate() only on regular files.
File: local/file.c Workaround: the plumbing code in master_spawn.c didn't check if it was dup2()/close()ing a descriptor to itself then closing it. Will have to redo the plumbing later. 19980918 Workaround: on multiprocessor Solaris machines, one-second rollover appears to happen on different CPUs at slightly different times. Made the queue manager more tolerant of such things. Problem reported by Daniel Eisenbud. Workaround: in preparation for deployment with a network-shared maildrop directory, make pickup more tolerant against clock drift between clients and servers. 19980921 New vstream_popen() module that opens a two-way channel across a socketpair-based pipe. This module isn't being used yet; it is here only to complete the vstream code. 19980922 Code cleanup: the xxx_server_main() interface for master child processes now uses a name-value argument list instead of an ugly and inflexible data structure. Bugfix: moved the test if a non-interactive process is run by hand, so that the "don't do this" error message can be printed to stderr before any significant processing. Bugfix: smtpd now can talk to unix-domain sockets without bailing out on a peer lookup problem. Files: smtpd/smtpd.c, util/peer_name.c. Safety: by default, the postmaster is no longer informed of protocol problems, policy violations or bounces. Safety: the SMTP server now sleeps before sending a [45]xx error response, in order to prevent clients from hammering the server with a connect/error/disconnect loop. Parameter: smtpd_error_sleep_time (default: 5). Feature: the logging facility is compile-time configurable (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1"). 19980923 Bugfix: changed virtual/canonical map search order from (user@domain, @domain, user) to (user@domain, user, @domain) so the search order is most specific to least specific. File: global/addr_map.c, lots of documentation. Bugfix: after the change of 19980910, cleanup_message extracted recipients from Reply-To: etc.
headers. Found by Lamont Jones. 19980925 Bugfix: the change in virtual/canonical map search order broke @domain entries; they would never be looked up if the address matched $myorigin or $mydestinations. Found by Chip Christian who now regrets asking for the change. Bugfix: cleanup initialized an error mask incorrectly, so that it would keep writing to a file larger than the queue file size limit, and so it would treat the error as a recoverable one instead of sending a bounce. Thanks, Pieter Schoenmakers. Bugfix: the "queue file cleanup on fatal error" action was no longer enabled in the sendmail mail posting agent. Feature: the sendmail mail posting program now returns EX_UNAVAILABLE when the size of the input exceeds the queue file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN. 19980926 Code cleanup: the dotlock file locking routine is no longer derived from Eric Allman's 4.3BSD port of mail.local. Code cleanup: the retry strategy of the file locking routines dot_lockfile() and deliver_flock() is now configurable (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale). Code cleanup: the master.pid lock file is now created with symlink paranoia, and is properly locked so that PID rollover will not cause false matches. Bugfix: the vbuf_print() formatting engine did not know about the '+' format specifier. Cleanup: replaced unnecessary instances of stdio calls by vstream ones. 19980929-19981002 Compatibility: added support for "sendmail -q". This required a change to the queue manager trigger protocol, and a code reorganization of the way queue scans were done. The queue manager socket now has become public. 19981002 SMTPD now logs "lost connection after end-of-message" instead of "lost connection after DATA". 19981005 More bullet proofing: timeouts on all triggers. 19981006 Bugfix: make the number of cleanup processes unlimited, in order to avoid deadlock. 
The number of instances needed is one per smtp/pickup process, and an indeterminate number per local delivery agent. Thanks, David Miller and Terry Lorrah for clueing me in. Bugfix: "sendmail -t" extracted recipients weren't subjected to virtual mapping. Daniel Eisenbud strikes again. 19981007 Compatibility: if the first input line ends in CRLF, the sendmail posting agent will treat all CRLF as LF. Otherwise, CRLF is left alone. This is a compromise between sendmail compatibility (all lines end in CRLF) and binary transparency (some, but not all, lines contain CRLF). 19981008 Robustness: stop recursive virtual expansion when the left-hand side appears in its own expansion. 19981009 Portability: trigger servers such as pickup and qmgr can now use either FIFOs or UNIX-domain sockets; hopefully at least one of them works properly. Trigger clients were already capable of using either form of local IPC. 19981011 Feature: masquerading. Strip subdomains from domains listed in $masquerade_domains. Exception: envelope recipients are left alone, in order to not screw up routing. 19981015 Code cleanup: moved the recipient duplicate filter from the user-level sendmail posting agent to the semi-resident cleanup service, so that the filter operates on the output from address canonicalization and of virtual expansion, instead of operating on their inputs. 19981016 Bugfix: after kill()ing a bunch of child processes, wait() sometimes fails before all children have been reaped, and must be called again, or the master will SIGSEGV later. Problem reported by Scott Cotton. Workaround: don't log a complaint when an SMTP client goes away without sending QUIT. 19981018 Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard error (EINVAL) when the result buffer is not large enough. This can happen on systems with many real or virtual interfaces. File: util/inet_addr_local.c. Problem reported by Scott Cotton.
Workaround: the optional HELO/EHLO hostname syntax check now allows a single trailing dot. Workaround: with UNIX-domain sockets, LINUX connect() blocks until the server calls accept(). File: qmgr/qmgr_transport.c. Terry Lorrah and Scott Cotton provided the necessary evidence. 19981020 Robustness: recursive canonical mapping terminates when the result stops changing. Code cleanup: reorganized the address rewriting and mapping code in the cleanup service, to make it easier to implement the previous enhancement. 19981022 Code cleanup: more general queue scanning programming interface, in preparation for hashed queues. File: qmgr/qmgr_scan.c. Bugfix: a non-FIFO server with a process limit of 1 has a too short listen queue. Until now this was not a problem because only FIFO servers had a process limit of 1, and FIFOs have no listen queue. Fix: always configure a listen queue of proc_limit or more. File: master/master_listen.c. 19981023 Feature: by popular request, mail delay is logged when delivering, bouncing or deferring mail. 19981024 Cleanup: double-bounce mail is now absorbed by the queue manager, instead of the local delivery agent, so that the mail system will not go mad when no local delivery agent is configured. 19981025 Cleanup: moved the relocated table from the local delivery agent to the queue manager, so that the table can also be used for virtual addresses. Code reorg: in order for the queue manager to absorb recipients, the queue file has to stay open until all recipients have been assigned to a destination queue. 19981026 vmlogger command, so that vmailer-script logging becomes consistent with the rest of the VMailer system. Code reorg: logger interface now can handle multiple output handlers (e.g. syslog and stderr stream). Bugfix: a first line starting with whitespace is no longer treated as an extension of our own Received: header. Files: smtpd/smtpd.c, pickup/pickup.c. 
19981027 Bugfix: the bang-path swapping code went into a loop on an address consisting of just a single !. Eilon Gishri had the privilege of finding this one. Workaround: the non-blocking UNIX-domain socket connect is now enabled only on systems that need it. It may cause kernel trouble on Solaris 2.x. Bugfix: the resolver didn't implement bangpath swapping, so that mail for site!user@mydomain would be delivered to a local user named "site!user". 19981028 Cleanup: a VSTREAM can now use different file descriptors for reading and writing. This was necessary to prevent "sendmail -bs" and showq from writing to stdin. Eilon Gishri observed the problem. 19981029 The RFC 822 address manipulation routines no longer give special attention to 8-bit data. Files: global/tok822_parse.c, global/quote_822_local.c. Bugfix: host:port and other non-domain stuff is no longer allowed in mail addresses. File: qmgr/qmgr_message.c. Workaround: LINUX accept() wakes up before the three-way handshake is complete, so it can fail with ECONNRESET. Files: master/single_server.c, master/multi_server.c. Feature: when delivering to user+foo, try ~user/.forward+foo before trying ~user/.forward. Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't clean up when terminated by a signal. Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should not try to enforce spam controls because it cannot access the address rewriting machinery. Cleanup: the percent hack (user%domain -> user@domain) is now configurable (allow_percent_hack, default: yes). Bugfix: daemons in -S (stand-alone) mode didn't change directory to the queue. This was no problem with daemons run by the sendmail compatibility program. 19981030 Feature: when virtual/canonical/relocated lookup fails for an address that contains the optional recipient delimiter (e.g., user+foo@domain), the search is done again with the unextended address (e.g., user@domain). File: global/addr_find.c. 
Code reorg: the address searching is now implemented by a separate module global/addr_find.c, so that the same code can be used for both (non-mapping) relocated table lookups and for canonical and virtual mapping. The actual mapping is still done in the global/addr_map.c module. Robustness: the SMTP client now skips hosts that don't send greeting banner text. File: smtp/smtp_connect.c Feature: preliminary support to disable delivered-to. This is desirable for mailing list managers that don't want to advertise internal aliases. Generic support: when the recipient_feature_delimiter configuration parameter is set, the local delivery agent uses it to split the recipient localpart into fields. Any field that has a known name such as "nodelivered" enables the corresponding delivery feature. 19981031 Code reorg: address splitting on recipient delimiter is now centralized in global/split_addr.c, which knows about all reserved names that should never be split. Robustness: when a request for an internal service cannot be satisfied because the master has terminated, terminate instead of trying to reach the service every 30 seconds. Safety: the local delivery agent now runs as vmailer most of the time, just like pickup and pipe. Files: local/local.c, local/mailbox.c 19981101 Compatibility: the tokenizer for alias/forward/etc. expansion now updates an optional counter with the number of destinations found; if no destinations are found in a .forward file, deliver to the mailbox instead. Thanks, Daniel Eisenbud, for showing the way to go. Robustness: the pickup daemon should always include a posting-time record, even when the sendmail posting agent didn't. However, just like before, user-provided posting times will be ignored. Ollivier Robert found this one. Robustness: duplicate entries in aliases or maps now cause a warning instead of a fatal error (and an incomplete file).
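Added example (not Postfix source code): a C sketch of the lookup-key search that the 19980923 and 19981030 entries describe, generating keys in the order the 19990119 entry of this changelog settles on (user+foo@domain, user@domain, user+foo, user, @domain). The function names, the reserved-name list, the rule that bare user keys are tried only for local domains, and the sample table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_KEYS 5
#define KEY_LEN  256

/* Assumed sample of reserved local parts that must never be split. */
static const char *reserved_names[] = {"postmaster", "mailer-daemon", NULL};

/* Copy the part of local before the delimiter into base; 0 = nothing to strip. */
static int strip_extension(const char *local, int delim, char *base, size_t len)
{
    const char *ext;
    int     i;

    for (i = 0; reserved_names[i] != NULL; i++)
        if (strcasecmp(local, reserved_names[i]) == 0)
            return (0);
    /* No delimiter configured, none present, or an empty base: do not split. */
    if (delim == 0 || (ext = strchr(local, delim)) == NULL || ext == local)
        return (0);
    snprintf(base, len, "%.*s", (int) (ext - local), local);
    return (1);
}

/* Fill keys[] most specific first; returns the number of keys (0 = bad input). */
static int addr_lookup_keys(const char *addr, int delim, int local_domain,
                            char keys[MAX_KEYS][KEY_LEN])
{
    char    local[KEY_LEN], base[KEY_LEN];
    const char *at = strrchr(addr, '@');
    int     n = 0, ext;

    if (at == NULL || at == addr || at[1] == '\0' || strlen(addr) >= KEY_LEN)
        return (0);
    snprintf(local, sizeof(local), "%.*s", (int) (at - addr), addr);
    ext = strip_extension(local, delim, base, sizeof(base));

    snprintf(keys[n++], KEY_LEN, "%s", addr);                 /* user+foo@domain */
    if (ext)
        snprintf(keys[n++], KEY_LEN, "%s%s", base, at);       /* user@domain */
    if (local_domain) {                 /* assumption: bare keys for local domains only */
        snprintf(keys[n++], KEY_LEN, "%s", local);            /* user+foo */
        if (ext)
            snprintf(keys[n++], KEY_LEN, "%s", base);         /* user */
    }
    snprintf(keys[n++], KEY_LEN, "%s", at);                   /* @domain */
    return (n);
}

struct map_entry { const char *key; const char *value; };

/* Constructed sample table: one explicit user plus a domain catch-all. */
static const struct map_entry demo_map[] = {
    {"@example.com", "postmaster@example.com"},
    {"joe@example.com", "joe@internal.example"},
    {NULL, NULL}
};

/* Return the value for the first key that matches, or NULL. */
static const char *addr_find(const struct map_entry *map, const char *addr,
                             int delim, int local_domain)
{
    char    keys[MAX_KEYS][KEY_LEN];
    int     n = addr_lookup_keys(addr, delim, local_domain, keys), i, j;

    for (i = 0; i < n; i++)
        for (j = 0; map[j].key != NULL; j++)
            if (strcmp(keys[i], map[j].key) == 0)
                return (map[j].value);
    return (NULL);
}

int main(void)
{
    char    keys[MAX_KEYS][KEY_LEN];
    int     n = addr_lookup_keys("user+foo@example.com", '+', 1, keys), i;
    const char *hit = addr_find(demo_map, "joe+lists@example.com", '+', 0);

    for (i = 0; i < n; i++)
        printf("key %d: %s\n", i + 1, keys[i]);
    printf("joe+lists@example.com -> %s\n", hit ? hit : "(no match)");
    return (0);
}
```

Because the explicit entry is tried before @domain, a catch-all cannot shadow a per-user mapping, and with "-" as the delimiter the reserved-name check keeps mailer-daemon from being looked up as "mailer".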
Robustness: mkmap now prints a warning when an entry is in "key: value" format, which is the format expected for alias databases, not for maps. Portability: on LINUX, prepend "+" to the getopt() options string so that getopt() will stop at the first non-option argument. Suggestion by Marco d'Itri. 19981103 Cleaned up the set_eugid() and open_as() implementations, and added stat_as() and fstat_as() so that the local delivery agent would look up include files and .forward files with the right privileges. 19981104 Bugfix: the :include: routine now stat()s/open()s files included by root-owned aliases as root, not as nobody. Bugfix: the master crashed when a service with wakeup timer was disabled or renamed. Fix: eliminate some pathological coupling between process management and wakeup management. Feature: partial implementation of ETRN (causes a full deferred queue scan). Thanks Lamont Jones for reminding me that things can be useful already before they are perfect. Cleanup: simplified the SMTPD tokenizer. Bugfix: sendmail -bs didn't properly notify the mail system of new mail. Compatibility: the MAIL FROM and RCPT TO commands now accept the most common address forms without enclosing <>. The <> is still needed for addresses that contain a "string", an [address], or a colon (:). 19981105 Bugfix: "master -t" would claim that the master runs when in fact the pid directory does not exist, causing trouble with first time startup (reported by several). Portability: added a sane_accept() module that maps all beneficial accept() error results to EAGAIN. According to private communication with Alan Cox, Linux 2.0.x accept() can return a variety of error conditions, so we play safe and allow for any error that may happen because SYN+ACK could not be sent. Portability: NETBSD1 uses dotlock files (Perry Metzger). 
Bugfix: the local delivery agent did not canonicalize owner-foo sender addresses, so that local users would see owner-foo instead of owner-foo@$myorigin (Perry Metzger). OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda). 19981106 Portability: the master startup would take a long time on AIX because AIX has a very large per-process open file limit. Fix is to check the status of only the first couple hundred file descriptors instead. File: master/master.c. Bugfix: mail to user@[net.work.addr.ess] was broken because of a reversed test. File: qmgr/qmgr_message.c. 19981107 Compatibility: don't clobber the envelope sender address when an alias has no owner-foo alias (problem diagnosed by Christophe Kalt). Bugfix: mail to local users in include files would be delivered directly if the alias didn't have an owner-foo alias, and if the alias database and include file were owned by root. Feature: with user+foo addresses, any +foo address extension that is not explicitly matched in canonical, virtual or alias databases is propagated to the table lookup result. 19981108 Bugfix: minor memory leak in the user+foo table lookup code. Configurability: specify virtual.domain in the virtual map, and mail for unknown@virtual.domain will bounce automatically. The $relay_domains default value now includes $virtual_maps, so the SMTP server will accept mail for the domain. Marco d'Itri put me on the right track. Configurability: The mydestinations configuration parameter now accepts /file/name expressions and type:name lookup tables. Code cleanup: in order to make the previous two enhancements possible, revised the string/host/address matching engine so it can handle any mixture of strings, /file/name patterns and type:name lookup tables. Files: util/match_{list,ops}.c, global/{domain,namadr,string}_list.c. 19981110 Code cleanup: replaced remaining isxxx() calls by ISXXX(). 19981111 Bugfix: the "bounce unknown virtual user" code was in the wrong place. 
Problem tackled with help of Chip Christian. Portability: reportedly, Solaris 2.5.1 can hang waiting for a UNIX-domain connection to be accepted, so it gets the same workaround that was designed for LINUX. Problem reported by Scott Cotton. 19981112 Management: "vmailer stop" now allows delivery agents to finish what they are doing, like "vmailer reload". Management: "vmailer abort" causes immediate termination. Workaround: zombie processes pile up with HP-UX. Reason: select() does not return upon SIGCHLD when SA_RESTART is specified to sigaction(). Workaround: shorten the select() timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS. Thanks, Lamont Jones. 19981117 Rename: VMailer is now Postfix. Sigh. 19981118 Cleanup: generalized the safe_open() routine so that it is no longer limited to mailbox files, lock files, etc. Bugfix (found during code review): vstream*printf() could run off the end of a stream buffer after an I/O error, because vbuf_print() ignored the result from VBUF_SPACE(). Bugfix (found during code review): resolve_local() could clobber its argument, but the docs didn't say so. 19981121 Cleanup: the is_header() routine now allows 8-bit data in header labels. 19981123 Bugfix (found during code review): the mail_queue_enter() path argument wasn't optional. File: global/mail_queue.c 19981124 Cleanup: eliminated redundant tests for a zero result from vstream_fdopen(). Unlike the stdio fdopen() routine, the vstream_fdopen() routine either succeeds or never returns. Bugfix: the queue manager now looks at the clock before examining a file time stamp, to avoid spurious complaints about time warps on busy machines. File: qmgr/qmgr_active.c. 19981125 Compatibility: allow trailing dot at the end of user@domain. Address canonicalization now strips it off. Issue brought forward by Eilon Gishri. File: trivial-rewrite/rewrite.c. Robustness: changed DNS lookup order of MAIL FROM etc.
domains from MX then A to A then MX, just in case the MX lookup fails with a server error. Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat, postlock, postlog, postkick. Also renamed mkmap and mkalias to postmap and postalias. 19981126 Workaround: Lamont Jones found a way for HP-UX to terminate select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN. Files: util/sys_defs.h, master/master_sig.c. Bugfix: the Delivered-To: loop detection code had stopped working, when long ago the is_header() routine was changed. File: local/delivered.c. 19981128 Bugfix: postcat opened queue files read-write, where only read access was needed. File: postcat/postcat.c. 19981129 Safety: added a sleep(1) to all fatal and panic exits. File: util/msg.c. 19981201 Robustness: postcat now insists that a file starts with a time record. Consistency: added "-c config_dir" command-line options where appropriate. 19981202 Man pages, on-line version. 19981203 Man pages, html version; overview documentation. 19981206 Sendmail silently accepted the unsupported -qRsite and -qSsite options. It now prints an error message and terminates. Separated the contributed tree from the IBM code; moved the LDAP and NEXTSTEP/OPENSTEP code to the contributed source tree because obviously I didn't write it. 19981206-9 Had to write a postconf configuration utility in order to reliably find out about all configuration parameters and their defaults. Documentation bugfixes by Matt Shibla, Scott Drassinower, Greg A. Woods. 19981209 On machines with short hostnames, postconf -d cored while reporting a fatal error. It should not report that error in the first place. Thanks, Eilon Gishri. Changed the FAQ entry about rejecting mail for *.my.domain on a firewall. Chip Christian was right, I was wrong. 19981214 Portability: with GNU getopt, optind is not initially 1, breaking an assumption in sendmail/sendmail.c. Liviu Daia. Annoyance: on non-networked systems, don't warn that only one network interface was found. 
File: global/inet_addr_local.c. Reported by several. Bugfix: on non-networked systems, the smtp client assumed that it was running in virtual host mode, and would bind to the loopback interface. File: smtp/smtp_connect.c. Liviu Daia, again. 19981220 Robustness: when looking up an A or MX record, do not give up when the A query fails because of a server error. File: dns/dns_lookup.c. Reported by Scott Drassinower. 19981221 Bugfix: "bounce mail for non-existent virtual user" didn't work when a non-default relay host was configured in main.cf or in the transport table. File: qmgr/qmgr_message.c. Bugfix: the maildrop directory should not be world-readable. Files: conf/postfix-script, showq/showq.c. Documentation: fixed several omissions and errors. Documentation: removed references to the broken recipient feature delimiter configuration parameter. Bugfix: write mailbox file as the recipient, so that file quotas work as expected. Bugfix: pickup would die when it tried to remove a non-file in the maildrop directory (Jeff Wolfe). 19981222 Sendmail no longer logs the queue ID when it is unable to notify the pickup daemon. This is a late addition to the "unreadable maildrop queue" patch. user.lock files are now created as root, so that postfix needs no group directory write permission. 19981224 Security: allow queue file link counts > 1, to avoid non-delivery of maildrop files with links to a non-maildrop directory. Files: global/mail_open_ok.c, and anything that calls this code (qmgr, pickup, showq). If multiple hard links are a problem, see the set-gid "postdrop" utility below. 19981225 Robustness: the queue manager no longer aborts when a queue file suddenly disappears (e.g. because the file was removed by hand). Feature: when a writable maildrop directory is a problem, sites can make the new "postdrop" utility set-gid. This command is never used when the maildrop directory is world-writable.
Robustness: make the queue file creation routine more resistant against denial of service race attack. File: global/mail_queue.c 19981226 New suid_priv module to enable/disable privileges in a set-uid/gid program. In the end I decided to not use it. 19981228 Robustness: make the pickup daemon more resistant against non-file race attack. Cleanup: generic mail_stream.c interface for writing queue file streams to files, daemons or commands. This simplifies the code in smtpd and in sendmail that must be able to pipe mail through the postdrop command. The cleanup daemon has been modified to use the same interface. Result: less code. Feature: smtpd now logs the only recipient in Received: headers. Feature: separate command and daemon directories. Both default to $program_directory. Install conf/postfix-script if you want to use this feature. 19981230 Patch to avoid conflict with non-writable top-level Makefile (Lamont Jones). 19981231 Portability: port to UnixWare 7 by Ronald Joe Record, SCO. 19990104 Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions Ltd.) Files: quote_82[12]_local.c. Bugfix: wrong default for relay_domains (Juergen Kirschbaum, Bayerische Landesbank). File: mail_params.h. Bugfix: changed 5xx response for "too many recipients" to 4xx. File: smtpd.c. 19990106 Feature: defer_transports specifies the names of transports that should be used only when "sendmail -q" (or equivalent) is issued. For example, "defer_transports = smtp" is useful for sites that are disconnected most of the time. File: qmgr_message.c. 19990107 Feature: local_command_shell specifies a non-default shell for delivery to command by the local delivery agent. For example, "local_command_shell = /some/where/smrsh -c" restricts what may appear in "|command" destinations. File: global/pipe_command.c. 19990112-16 Feature: SMTP command pipelining support based on an initial version by Jon Ribbens, Oaktree Internet Solutions Ltd.
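Added example (not Postfix source code): one way to vet a file found in a writable maildrop directory along the lines of the 19981221 and 19981224 entries, refusing non-files while accepting, and reporting, link counts > 1. The function names, the verdict values and the open-then-fstat() approach are assumptions; the fixtures are constructed in a temporary directory.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700               /* mkdtemp(), mkfifo(), O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Verdicts for a candidate maildrop file (hypothetical names). */
enum qfile_verdict {
    QFILE_OK,                           /* regular file, one link */
    QFILE_OK_MULTILINK,                 /* regular file, extra hard links */
    QFILE_NOT_FILE,                     /* symlink, FIFO, directory, ... */
    QFILE_ERROR                         /* could not open or stat */
};

/*
 * Open first, then inspect the descriptor with fstat(), so that the object
 * that was checked is the object that will be read. O_NOFOLLOW refuses a
 * symlink in the last path component; O_NONBLOCK keeps a FIFO from blocking
 * open(). On a QFILE_OK* verdict the open descriptor is returned via fdp.
 */
static enum qfile_verdict qfile_open_ok(const char *path, int *fdp)
{
    struct stat st;
    int     fd;

    *fdp = -1;
    if ((fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW)) < 0)
        return (errno == ELOOP || errno == EMLINK ?
                QFILE_NOT_FILE : QFILE_ERROR);
    if (fstat(fd, &st) < 0) {
        close(fd);
        return (QFILE_ERROR);
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        return (QFILE_NOT_FILE);
    }
    *fdp = fd;
    /* Extra links are worth logging, but refusing them blocks delivery. */
    return (st.st_nlink > 1 ? QFILE_OK_MULTILINK : QFILE_OK);
}

/* Classify a path and release the descriptor; enough for the demo. */
static enum qfile_verdict qfile_classify(const char *path)
{
    int     fd;
    enum qfile_verdict v = qfile_open_ok(path, &fd);

    if (fd >= 0)
        close(fd);
    return (v);
}

/* Build constructed fixtures in a temporary directory and classify them. */
static int qfile_demo(enum qfile_verdict out[4])
{
    char    dir[] = "/tmp/qfile_demo.XXXXXX";
    char    msg[64], hard[64], soft[64], fifo[64];
    int     fd;

    if (mkdtemp(dir) == NULL)
        return (-1);
    snprintf(msg, sizeof(msg), "%s/msg", dir);
    snprintf(hard, sizeof(hard), "%s/hardlink", dir);
    snprintf(soft, sizeof(soft), "%s/symlink", dir);
    snprintf(fifo, sizeof(fifo), "%s/fifo", dir);
    if ((fd = open(msg, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return (-1);
    close(fd);

    out[0] = qfile_classify(msg);       /* plain file, one link */
    if (link(msg, hard) < 0 || symlink(msg, soft) < 0
        || mkfifo(fifo, 0600) < 0)
        return (-1);
    out[1] = qfile_classify(msg);       /* same file, now two links */
    out[2] = qfile_classify(soft);      /* symlink pointing at the file */
    out[3] = qfile_classify(fifo);      /* non-file planted in the directory */

    unlink(msg);
    unlink(hard);
    unlink(soft);
    unlink(fifo);
    rmdir(dir);
    return (0);
}

int main(void)
{
    static const char *what[] = {"file", "file+hardlink", "symlink", "fifo"};
    enum qfile_verdict v[4];
    int     i;

    if (qfile_demo(v) != 0) {
        perror("qfile_demo");
        return (1);
    }
    for (i = 0; i < 4; i++)
        printf("%-14s verdict=%d\n", what[i], (int) v[i]);
    return (0);
}
```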
This one took several days of massaging before I felt comfortable about it. Files: smtp.c, smtp_proto.c. Bugfix: the SMTP server would flush responses one-by-one, which caused suboptimal performance with pipelined clients. The vstream routines now flush the write buffer when the read() routine is called, instead of flushing when the application changes from writing to reading. Delayed flush prevents the SMTP server from flushing responses one-by-one and thus triggering Nagle's algorithm. File: util/vstream.c. 19990117 Bugfixes and enhancements to the smtpstone tools by Drew Derbyshire, Kendra Electronic Wonderworks: send helo command, send message headers, format the message content to lines < 80, work around NT stacks, make "." recognition more robust. Files: smtp-source.c, smtp-sink.c. Strategy: look at the deferred queue only when the incoming queue is empty; limit the number of recipients read from a queue file depending on the number of recipients already in core. Files: qmgr.c, qmgr_message.c. Feature: postponed anti-UCE restrictions. The decision to reject junk mail on the basis of the client name/address, HELO hostname or sender address can now be postponed until the RCPT TO command (or HELO or MAIL FROM if you like). File: smtpd_check.c. 19990118 Feature: incremental updates of alias databases and of other lookup tables. Both postalias and postmap now take a -i option for incremental updates from standard input. Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c. Compatibility: newaliases can now update multiple alias databases: list them in the "alias_database" parameter in main.cf. By the same token, postalias can now update multiple maps in one command. Files: post{map,alias}/post{map,alias}.c Feature: mail to <> is now sent to the address specified with the "empty_address_recipient" configuration parameter which defaults to MAILER-DAEMON (idea by Lamont Jones, Hewlett-Packard). File: cleanup/cleanup_envelope.c. 
Compatibility: the transport table now uses .domain.name to match subdomains, just like sendmail mailer tables (patch by Lamont Jones, Hewlett-Packard). Feature: mailq now ends with a total queue size summary (Eilon Gishri, Israel Inter University Computation Center). 19990119 Feature: address masquerade exceptions for user names listed in the "masquerade_exceptions" configuration parameter. File: cleanup/cleanup_masquerade.c. Feature: qmail-style maildir support, based on initial code by Kevin W. Brown, Quantum Internet Services Inc. Workaround: Solaris 2.something connect() fails with ECONNREFUSED when the system is busy (Chris Cappuccio, Empire Net). File: global/mail_connect.c. Feature: the cleanup service now adds a Return-Path: header when none is present. This header is needed for some mail delivery programs (see below). File: cleanup_message.c. Feature: the pipe mailer now supports $user, $extension and $mailbox macros in command-line expansions. This, plus the Return-Path: header (see above), should be sufficient to support cyrus IMAP out of the box. Based on initial code by Joerg Henne, Cogito Informationssysteme GMBH. File: pipe/pipe.c. Bugfix: with address extensions enabled, canonical and virtual lookups now are done in the proper order: user+foo@domain, user@domain, user+foo, user, @domain. File: global/mail_addr_find.c. 19990119 Feature: the local mailer now prepends a Received: message header with the queue ID to forwarded mail, in order to make message tracing easier. File: local/forward.c. Cleanup: after "postfix reload", no more broken pipe complaints from resolve/rewrite clients. 19990121 Feature: pickup (again) logs uid and sender address. On repeated request by Scott Cotton, Internet Consultants Group, Inc. Portability: doze() function for systems without usleep(). Cleanup: clients are now consistently logged as host[address]. 19990122 Maildir support changed: specify "home_mailbox = Maildir/". The magic is the trailing /. 
Suggested by Daniel Eisenbud, University of California at Berkeley. Maildir support from aliases, :include: and .forward files. Specify /file/name/ - the trailing / is required. Suggested by Daniel Eisenbud, University of California at Berkeley. Workaround: watchdog timer to prevent the queue manager from locking up on some systems. Bugfix: in Received: headers, the "for