This is the Postfix 3.9 experimental release.

The stable Postfix release is called postfix-3.8.x where 3=major
release number, 8=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-3.9-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 3.7 or earlier, please read RELEASE_NOTES-3.8
before proceeding.

Dual license
------------

As of Postfix 3.2.5 this software is distributed with a dual license:
in addition to the historical IBM Public License (IPL) 1.0, it is
now also distributed with the more recent Eclipse Public License
(EPL) 2.0. Recipients can choose to take the software under the
license of their choice. Those who are more comfortable with the
IPL can continue with that license.

Incompatibility with snapshot 20240110
=======================================

Outbound SMTP smuggling: with "cleanup_replace_stray_cr_lf = yes", the
cleanup daemon replaces each stray <CR> or <LF> character in message
content with a space character. The replacement happens before any other
content management.

This prevents outbound SMTP smuggling, where an attacker uses Postfix
to send email with a non-standard End-of-DATA sequence that exploits
inbound SMTP smuggling at a vulnerable SMTP server.

This also ensures that the evaluation of Postfix-added DKIM and
other signatures will not depend on how a remote mail server handles
stray <CR> or <LF> characters.

This feature applies to all email that Postfix locally or remotely
sends out. It is not allowlisted based on client identity.

Major changes with snapshot 20240110
====================================

This updates Postfix fixes for SMTP smuggling attacks, For background,
see https://www.postfix.org/smtp-smuggling.html

This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24.

- Improved logging for rejected input (it now includes queue ID,
  helo, mail, and rcpt, if available).

- The new default setting "smtpd_forbid_bare_newline = normalize"
  requires the standard End-of-DATA sequence <CR><LF>.<CR><LF>, and
  allows bare newlines from local and remote SMTP clients, maintaining
  more compatibility with infrastructure tools such as probers and
  surveys.

- The new setting "smtpd_forbid_bare_newline = reject" requires
  the standard End-of-DATA sequence <CR><LF>.<CR><LF>, and rejects
  a command or message that contains a bare newline. To disconnect
  the client, specify "smtpd_forbid_bare_newline_reject_code = 521".

- The old setting "yes" has become an alias for "normalize".

- The old setting "no" has not changed, and allows SMTP smuggling.

The recommended Postfix 3.9 settings (i.e. the defaults) are now:

    # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    # Allow bare newlines from local and remote SMTP clients.
    #
    # This will cause problems for legitimate clients that send a
    # non-standard End-of-DATA sequence such as web applications, netcat,
    # fax machines, or load balancer health checks. Such clients need
    # to be excluded with smtpd_forbid_bare_newline_exclusions.
    #
    smtpd_forbid_bare_newline = normalize
    smtpd_forbid_bare_newline_exclusions = $mynetworks

Alternative settings:

    # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    # Reject bare newlines from remote SMTP clients.
    #
    # This will cause problems for legitimate clients that send any
    # non-standard line endings such as web applications, netcat, fax
    # machines, or load balancer health checks. Such clients need to be
    # excluded with smtpd_forbid_bare_newline_exclusions.
    #
    smtpd_forbid_bare_newline = reject
    smtpd_forbid_bare_newline_exclusions = $mynetworks

Major changes with snapshot 20240106
====================================

Inbound SMTP smuggling: strip extra <CR> in <CR><LF>.<CR><CR><LF>,
to silence some tools that send attack sequences that are not viable.
Details at https://www.postfix.org/false-smuggling-claims.html

Incompatible changes with snapshot 20231221
===========================================

Postfix 3.9 by default disconnects a client that sends a 'bare
newline' ending in SMTP. This prevents an SMTP smuggling attack
that targets recipients at a Postfix server. For background,
see https://www.postfix.org/smtp-smuggling.html

For compatibility with non-standard clients, Postfix 3.9 by default
excludes clients in mynetworks from this countermeasure.

The Postfix 3.9 default settings are:

    # Disconnect remote SMTP clients that send bare newlines, but
    # allow local clients with non-standard SMTP implementations
    # such as netcat, fax machines, or load balancer health checks.
    #
    smtpd_forbid_bare_newline = yes
    smtpd_forbid_bare_newline_exclusions = $mynetworks

This feature is back-ported to all supported stable releases, with
the difference that "smtpd_forbid_bare_newline = no" by default.

Incompatible changes with snapshot 20230903
===========================================

The MySQL client no longer supports MySQL versions < 4.0. MySQL
version 4.0 was released in 2003.

Major changes with snapshot 20230901
====================================

New parameter force_mime_input_conversion (default: no) to convert
body content that claims to be 8-bit into quoted-printable, before
header_checks, body_checks, Milters, and before after-queue content
filters. This feature does not affect messages that are sent into
smtpd_proxy_filter.

The typical use case is an MTA that applies this conversion before
signing outbound messages, so that the signatures will remain valid
when a message is later handled by an MTA that does not announce
8BITMIME support, or when a message line exceeds the SMTP length
limit.

Major changes with snapshot 20230807
====================================

Optional Postfix TLS support to request an RFC7250 raw public key
instead of an X.509 public-key certificate. The configuration
settings for raw key public support will be ignored when there is
no raw public key support in the local TLS implementation (i.e.
Postfix with OpenSSL versions before 3.2).

- With "smtpd_tls_enable_rpk = yes", the Postfix SMTP server will
  request that a remote SMTP client sends an RFC7250 raw public key
  instead of an X.509 certificate when asking for or requiring TLS
  client authentication. The Postfix SMTP server will still accept
  a client public-key certificate instead of a public key.

- With "smtp_tls_enable_rpk = yes" (or "enable_rpk = yes" in an
  smtp policy table) at the security levels "may", "encrypt" or
  "fingerprint", the Postfix SMTP client will request that a remote
  SMTP server sends an RFC7250 raw public key instead of an X.509
  certificate. The Postfix SMTP client will still accept a server
  public key certificate instead of a public key.

- At the "secure" and "verify" security level, the Postfix SMTP
  client will ignore smtp_tls_enable_rpk or enable_rpk settings,
  because these levels require a server certificate.

- At the "dane" and "dane-only" security levels, the Postfix SMTP
  client will ignore smtp_tls_enable_rpk or enable_rpk settings,
  and will request that a remote SMTP server sends an RFC7250 raw
  public key instead of an X.509 certificate when all valid TLSA
  records specify only server public keys (no certificates). The
  Postfix SMTP client will still accept a server public key
  certificate.

- The Postfix SMTP client and server always send a raw public key
  instead of a certificate, if solicited by the remote SMTP peer
  and the local TLS implementation supports raw public keys.

- If a remote SMTP client sends a server name indication with an
  SNI TLS extension, and tls_server_sni_maps is configured, the
  Postfix SMTP server will extract a raw public key from the indicated
  certificate.

Caution: enabling Postfix raw key support will break authentication
based on certificate fingerprints in check_ccert_access or
smtp_tls_policy_maps, when a remote peer's TLS implementation starts
to send a raw public key instead of a certificate. The solution is
to always use public key fingerprint patterns; these will match not
only a "raw" public key, but also the public key in a certificate.

To detect such problems before they happen, the Postfix SMTP server
will log a warning when it requests an RFC7250 raw public key instead
of an X.509 certificate, the remote peer sends a certificate instead
of a public key, and check_ccert_access has a matching fingerprint
for the certificate but not for the public key in that certificate.
There is no corresponding warning from the Postfix SMTP client.

For instructions to generate public-key fingerprints, see the
postconf(5) man pages for smtp_tls_enable_rpk and smtpd_tls_enable_rpk.

Incompatible changes with snapshot 20230603
===========================================

Security: the Postfix SMTP server by default disconnects remote
SMTP clients that violate RFC 2920 (or 5321) command pipelining
constraints. The server replies with "554 5.5.0 Error: SMTP protocol
synchronization" and logs the unexpected remote SMTP client input.
Specify "smtpd_reject_unauth_pipelining = no" to disable.

Major changes with snapshot 20230522
====================================

Preliminary support for OpenSSL configuration files, primarily
OpenSSL 1.1.1b and later. This introduces two new parameters
"tls_config_file" and "tls_config_name", which can be used to limit
collateral damage from OS distributions that crank up security to
11, increasing the number of plaintext email deliveries. Details
are in the postconf(5) manpage under "tls_config_file" and
"tls_config_name".

Incompatible changes with snapshot 20230419
===========================================

The MySQL client default characterset is now configurable with the
"charset" configuration file attribute. The default is "utf8mb4",
consistent with the MySQL 8.0 built-in default, but different from
earlier MySQL versions where the built-in default was "latin1".
