The stable Postfix release is called postfix-2.7.x where 2=major
release number, 7=minor release number, x=patchlevel.  The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-2.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
before proceeding.

Debian Exim before 4.80-3 interoperability workaround
-----------------------------------------------------

Debian Exim versions before 4.80-3 may fail to communicate with
Postfix and possibly other MTAs, with the following Exim SMTP client
error message:

    TLS error on connection to server-name [server-address]
    (gnutls_handshake): The Diffie-Hellman prime sent by the server
    is not acceptable (not long enough)

This problem may affect Debian Exim versions before 4.80-3 that use
TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details
see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563

To restore Postfix SMTP server interoperability with affected Exim
SMTP clients, configure the Postfix SMTP server to use a 2048-bit
prime number instead of 1024:

    # cd /etc/postfix
    # openssl dhparam -out dh2048.pem 2048
    # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'

This change increases the CPU cost of EDH key exchanges (rarely a
problem for SMTP servers) and is unlikely to cause problems with
other SMTP client implementations.

This problem should not affect EECDH (Ephemeral Elliptic Curve
Diffie-Hellman) key exchanges.

Major changes with Postfix 2.7.9
--------------------------------

This release adds support to turn off the TLSv1.1 and TLSv1.2
protocols.  Introduced with OpenSSL version 1.0.1, these are known
to cause inter-operability problems with for example hotmail.

The radical workaround is to temporarily turn off problematic
protocols globally:

/etc/postfix/main.cf:
    smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
    smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

    smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
    smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

However, it may be better to temporarily turn off problematic
protocols for broken sites only:

/etc/postfix/main.cf:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/tls_policy:
    example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

Important:

- Note the use of ":" instead of comma or space. Also, note that
  there is NO space around the "=" in "protocols=".

- The smtp_tls_policy_maps lookup key must match the "next-hop"
  destination that is given to the Postfix SMTP client. If you 
  override the next-hop destination with transport_maps, relayhost,
  sender_dependent_relayhost_maps, or otherwise, you need to specify
  the same destination for the smtp_tls_policy_maps lookup key.

Incompatibility with Postfix 2.7.2
----------------------------------

Postfix no longer appends the system-supplied default CA certificates
to the lists specified with *_tls_CAfile or with *_tls_CApath. This
prevents third-party certificates from getting mail relay permission
with the permit_tls_all_clientcerts feature.
 
Unfortunately this change may cause compatibility problems when
configurations rely on certificate verification for other purposes.
Specify "tls_append_default_CA = yes" for backwards compatibility.

Major changes - performance
---------------------------

[Feature 20100101] Periodic cache cleanup for the verify(8) cache
database. The time between cache cleanup runs is controlled with
the address_verify_cache_cleanup_interval (default: 12h) parameter.
Cache cleanup increases the database access latency, so this should
not be run more often than necessary.

[Feature 20091109] Improved before-queue filter performance.  With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter. This means you can run more SMTP server processes
with the same number of running content filter processes, and thus,
handle more mail. This feature is off by default until it is proven
to create no new problems.

This addresses a concern of people in Europe who want to reject all
bad mail with a before-queue filter. The alternative, an after-queue
filter, means they would have to discard bad mail (which is illegal)
or bounce bad mail (which violates good network citizenship).

NOTE 1: When this feature is turned on, a filter cannot selectively
reject recipients of a multi-recipient message.  It is OK to reject
all recipients of the same multi-recipient message, as is deferring
or accepting all recipients of the same multi-recipient message.

NOTE 2: This feature increases the minimum amount of free queue
space by $message_size_limit. The extra space is needed to save the
message to a temporary file.

To keep the performance overhead low, the same temporary file is
reused with successive mail transactions (the file is of course
truncated before reuse, so there is no information leakage).

Major changes - sender reputation
---------------------------------

[Feature 20100117] The FILTER action in access maps or header/body_checks
now supports sender reputation schemes that dynamically choose the
SMTP source IP address. Typically, mail is split into classes, and
all mail in class X is sent out from an SMTP client IP address that
is reserved for class X.

This is implemented by specifying FILTER actions with empty next-hop
destinations in access maps or header/body_checks, and by configuring
in master.cf one Postfix SMTP client for each SMTP source IP address,
where each client has its own "-o myhostname" and "-o smtp_bind_address"
settings.

[Feature 20091209] sender_dependent_default_transport_maps, a
per-sender override for default_transport. The original motivation
is to use different output channels (with different source IP
addresses) for different sender addresses, in order to keep their
IP-based reputations separate from each other.

The result value syntax is that of default_transport, not transport_maps.
Thus, sender_dependent_default_transport_maps does not support the
special transport_maps result value syntax for null transport, null
nexthop, or null email address.

This feature makes sender_dependent_relayhost_maps pretty much
redundant (though sender_dependent_relayhost_maps will often be
easier to use because that is the only thing people want to override).

Major changes - address verification
------------------------------------

[Incompat 20100101] The verify(8) service now uses a persistent
cache by default (address_verify_map = btree:$data_directory/verify_cache).
To disable, specify "address_verify_map =" in main.cf.

When periodic cache cleanup is enabled (the default), the verify(8)
server now requires that the cache database supports the "delete"
and "sequence" operations.  To disable periodic cache cleanup specify
a zero address_verify_cache_cleanup_interval value.

[Feature 20100101] Periodic cache cleanup for the verify(8) cache
database. The time between cache cleanup runs is controlled with
the address_verify_cache_cleanup_interval (default: 12h) parameter.
Cache cleanup increases the database access latency, so this should
not be run more often than necessary.

Major changes - content filter
------------------------------

[Incompat 20100117] The meaning of an empty filter next-hop destination
has changed (for example, "content_filter = foo:" or "FILTER foo:").
Postfix now uses the recipient domain, instead of using $myhostname
as in Postfix 2.6 and earlier.  To restore the old behavior specify
"default_filter_nexthop = $myhostname", or specify a non-empty
next-hop content filter destination.

This compatibility option is not needed with SMTP-based content
filters, because these always have an explicit next-hop destination.

With pipe-based filters that specify no next-hop destination, the
compatibility option restores the FIFO order of deliveries. Without
the compatibility option, the delivery order for filters without
next-hop destination changes to round-robin domain selection.

[Feature 20100117] The FILTER action in access maps or header/body_checks
now supports sender reputation schemes that dynamically choose the
SMTP source IP address. Typically, mail is split into classes, and
all mail in class X is sent out from an SMTP client IP address that
is reserved for class X.

This is implemented by specifying FILTER actions with empty next-hop
destinations in access maps or header/body_checks, and by configuring
in master.cf one Postfix SMTP client for each SMTP source IP address,
where each client has its own "-o myhostname" and "-o smtp_bind_address"
settings.

[Feature 20091109] Improved before-queue filter performance.  With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter. This means you can run more SMTP server processes
with the same number of running content filter processes, and thus,
handle more mail. This feature is off by default until it is proven
to create no new problems.

This addresses a concern of people in Europe who want to reject all
bad mail with a before-queue filter. The alternative, an after-queue
filter, means they would have to discard bad mail (which is illegal)
or bounce bad mail (which violates good network citizenship).

NOTE 1: When this feature is turned on, a filter cannot selectively
reject recipients of a multi-recipient message.  It is OK to reject
all recipients of the same multi-recipient message, as is deferring
or accepting all recipients of the same multi-recipient message.

NOTE 2: This feature increases the minimum amount of free queue
space by $message_size_limit. The extra space is needed to save the
message to a temporary file.

To keep the performance overhead low, the same temporary file is
reused with successive mail transactions (the file is of course
truncated before reuse, so there is no information leakage).

Major changes - milter
----------------------

[Feature 20090606] Support for header checks on Milter-generated
message headers.  This can be used, for example, to control mail
flow with Milter-generated headers that carry indicators for badness
or goodness. For details, see the postconf(5) section for
"milter_header_checks". Currently, all header_checks features are
implemented except PREPEND.  

Major changes - multi-instance support
--------------------------------------

[Incompat 20090606] The "postmulti -e destroy" command no longer
attempts to remove files that are created AFTER "postmulti -e
create".  It still works as expected immediately after creating an
instance by mistake.  Trying to automatically remove other files
is too risky because Postfix-owned directories are by design not
trusted.

