[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.7.0.html]
Postfix stable release 3.7.0 is available. This ends the support for legacy release Postfix 3.3. The main changes are below. See the RELEASE_NOTES file for further details. * Support to inline the content of small cidr:, pcre:, and regexp: tables in Postfix parameter values. An example is the new smtpd_forbidden_commands default value, "CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}}", to quickly drop connections from clients that send garbage. * To make the maillog_file feature more useful, including stdout logging from a container, the postlog(1) command is now set-gid postdrop, so that unprivileged programs can use it to write logging through the postlogd(8) daemon. This required hardening the postlog(1) command against privilege escalation attacks. * Support for library APIs: OpenSSL 3.0.0, PCRE2, Berkeley DB 18. * Postfix programs now randomize the initial state of in-memory hash tables, to defend against hash collision attacks involving a large number of attacker-chosen lookup keys. Presently, the only known opportunity for such attacks involves remote SMTP client IPv6 addresses in the anvil(8) service, and requires making hundreds of short-lived connections per second while cycling through thousands of different client IP addresses. * Updated defense against remote clients or servers that 'trickle' SMTP or LMTP traffic. This replaces the old per-record deadlines with per-request deadlines and minimum data rates. * Many typofixes by raf and Wietse. You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/. Wietse