[An updated version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.0.html]

Postfix stable release 3.10.0 is available. Postfix 3.6 - 3.9 were
updated earlier this week; after that, Postfix 3.6 will no longer
be updated.

The main changes are below. See the RELEASE_NOTES file for further
details.

Changes that need restart:

  * Internal protocol change: Postfix needs "postfix reload" (or
    "postfix stop" and "postfix start") after upgrade, because of a
    change in the delivery agent protocol. If this step is skipped,
    Postfix delivery agents will log a warning:

        unexpected attribute smtputf8 from xxx socket (expecting: sendopts)

    where xxx is the delivery agent service name.

Changes in TLS support:

  * Forward compatibility: Support for OpenSSL 3.5 post-quantum
    cryptography. To manage algorithm selection, OpenSSL introduces
    new TLS group syntax that Postfix will not attempt to imitate.
    Instead, Postfix now allows the tls_eecdh_auto_curves and
    tls_ffdhe_auto_groups parameter values to have an empty value.
    When both are set empty, the algorithm selection can be managed
    through OpenSSL configuration. For more, look for "Post-quantum"
    in the postconf(5) manpage.

  * Support for the RFC 8689 "TLS-Required: no" message header to
    request delivery of messages (such as TLSRPT summaries) even if
    the preferred TLS security policy cannot be enforced. This limits
    the Postfix SMTP client to "smtp_tls_security_level = may" which
    does not authenticate server certificates and which allows
    falling back to plaintext.

  * Support for the REQUIRETLS SMTP service extension will evolve
    in Postfix 3.11.

  * Support for the TLSRPT protocol (defined in RFC 8460). With
    this, a domain can publish a policy in DNS that requests daily
    summary reports for successful and failed SMTP-over-TLS connections
    to that domain's MX hosts. This supports both DANE (built-in)
    and MTA-STS (via an smtp_tls_policy_maps plugin). The implementation
    uses a TLSRPT library and reporting infrastructure that are
    maintained by sys4. For details, see TLSRPT_README.
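
The DNS policy that the TLSRPT item above refers to, as an added example (not Postfix code and not the sys4 library): a checker for the TXT record that RFC 8460 places at _smtp._tls.<domain>, useful for validating a record before publishing it. The record syntax comes from RFC 8460 rather than from this announcement; the function name parse_tlsrpt, example.com and the report addresses are constructed placeholders.

```python
import re

# Constructed sample: TXT strings a resolver might return for
# _smtp._tls.example.com (domain and addresses are placeholders).
SAMPLE_TXT = [
    "v=spf1 -all",
    "v=TLSRPTv1; rua=mailto:tlsrpt@example.com, https://reports.example.com/v1/tlsrpt",
]

ALLOWED_SCHEMES = ("mailto:", "https://")


def parse_tlsrpt(txt_records):
    """Return the list of report URIs, or None when the domain must be
    treated as not implementing TLSRPT (RFC 8460 section 3)."""
    # Only records that begin with the version tag are policy candidates.
    candidates = [r for r in txt_records if re.match(r"v=TLSRPTv1[ \t]*;", r)]
    if len(candidates) != 1:
        return None  # zero or several policy records: no usable policy
    fields = [f.strip() for f in candidates[0].split(";")]
    if fields[-1] == "":
        fields.pop()  # a single trailing ";" is allowed
    tags = {}
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep or not name or name in tags:
            return None  # empty, malformed or duplicated field
        tags[name] = value  # unknown names are kept as extensions
    if "rua" not in tags:
        return None  # a policy without a report destination is invalid
    uris = [u.strip() for u in tags["rua"].split(",")]
    for uri in uris:
        # RFC 8460 defines mailto: and https: destinations; "!" and ","
        # inside a URI must be percent-encoded, so a raw "!" is rejected.
        if not uri.lower().startswith(ALLOWED_SCHEMES) or "!" in uri or " " in uri:
            return None
    return uris


if __name__ == "__main__":
    print(parse_tlsrpt(SAMPLE_TXT))
```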

Miscellaneous changes:

  * Privacy: With "smtpd_hide_client_session = yes", the Postfix
    SMTP server generates a Received: header without client session
    info. This setting may be used with the MUA submission services
    (port 465 and 587).

  * Support for RFC 2047 encoding of non-ASCII "full name" information
    in Postfix-generated From: message headers. Encoding non-ASCII
    full names can avoid the need to use SMTPUTF8, and therefore can
    avoid incompatibility with sites that do not support SMTPUTF8.
    See the full_name_encoding_charset parameter description for
    details.

  * Database performance: When mysql: or pgsql: configuration
    specifies a single host, assume that it is a load balancer and
    reconnect immediately after a single failure, instead of failing
    all requests for 60s.

Changes in logging:

  * The Postfix Milter implementation now logs the reason for a
    'quarantine' action, instead of "milter triggers HOLD action".

  * The SMTP server now logs the queue ID (or "NOQUEUE") when a
    connection ends abnormally (timeout, lost connection, or too
    many errors), and the cleanup server now logs "queueid: canceled"
    when a message transaction is started but not completed. These
    changes simplify logfile analysis.

  * Dovecot SASL client logging for "Invalid authentication mechanism"
    now includes the name of that mechanism.

  * Postfix SMTP server 'reject' logging now shows the sasl_method,
    sasl_username, and sasl_sender if available.

You can find the Postfix source code at the mirrors listed at
https://www.postfix.org/.