[A hyperlinked version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.11.0.html]
Postfix stable release 3.11.0 is available. Postfix 3.7 - 3.10 were
updated a few weeks ago; after that, Postfix 3.7 will no longer be
updated.
The main changes are below. See the RELEASE_NOTES file for further
details.
Berkeley DB migration:
* Some (Linux) distributions are removing support for BerkeleyDB
databases (In Postfix, this means we lose support for the hash:
and btree: lookup tables). See NON_BERKELEYDB_README for manual and
partially automatic migration from btree: to lmdb:, and from hash:
to lmdb: or cdb:.
* The loss of BerkeleyDB affects Mailman versions that want to execute
commands like "postmap hash:/path/to/file" when a mailing list is
added or removed. Postfix provides a way to redirect such commands
to a supported database type.
* You don't have to wait until BerkeleyDB support is removed. It can
make sense to migrate while BerkeleyDB support is still available
(mainly, less downtime).
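As an added illustration of the btree:/hash: to lmdb: migration (this is example code written for this page, not the procedure from NON_BERKELEYDB_README or any Postfix tool), the following POSIX shell functions rewrite the table types in main.cf-style text and list the commands that rebuild each table afterwards. It assumes the table source files keep their names, that only the type prefix changes, and that alias tables can be recognised by the alias_maps/alias_database parameter at the start of a line; the main.cf fragment is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Postfix announcement or of NON_BERKELEYDB_README.
# Rewrites BerkeleyDB table types (btree:, hash:) to lmdb: in main.cf-style
# text and lists the commands needed to rebuild the tables afterwards.
# Assumptions: the table source files keep their names (only the type prefix
# changes), and the sample configuration below is constructed for the demo.

# Replace btree: and hash: with lmdb: wherever they introduce a table type:
# at line start or after a non-identifier character ('=', ',', ':' as in
# proxy:hash:, whitespace).  POSIX sed only, so no GNU-only \b or \|.
rewrite_map_types() {
    sed -e 's/^hash:/lmdb:/' -e 's/^btree:/lmdb:/' \
        -e 's/\([^A-Za-z0-9_]\)hash:/\1lmdb:/g' \
        -e 's/\([^A-Za-z0-9_]\)btree:/\1lmdb:/g'
}

# Emit one "postmap lmdb:/path" (or "postalias lmdb:/path" for alias tables)
# per lmdb: table found in the rewritten text.  Alias tables are recognised
# by the parameter name at the start of the line; continuation lines that
# belong to alias_maps/alias_database are not handled by this simple scan.
rebuild_commands() {
    while IFS= read -r line; do
        case "$line" in
            alias_maps*|alias_database*) tool=postalias ;;
            *) tool=postmap ;;
        esac
        # one token per line, keep tokens of the form [prefix:]lmdb:/path
        printf '%s\n' "$line" | tr ' \t,' '\n\n\n' \
            | sed -n 's/^.*lmdb:\(\/.*\)$/'"$tool"' lmdb:\1/p'
    done | sort -u
}

# Constructed sample main.cf fragment (not a real configuration).
SAMPLE_MAIN_CF='alias_maps = hash:/etc/aliases
transport_maps = proxy:hash:/etc/postfix/transport, btree:/etc/postfix/routes'

# Demo: show the rewritten configuration, then the rebuild commands.
printf '%s\n' "$SAMPLE_MAIN_CF" | rewrite_map_types
printf '%s\n' "$SAMPLE_MAIN_CF" | rewrite_map_types | rebuild_commands
```

Run the rewrite against a copy of main.cf, rebuild the .lmdb files from the listed commands, and only then switch the live configuration; because the source files are unchanged, the old .db files can stay in place until the new tables have been verified, which is the "less downtime" case the announcement refers to.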
Changes in TLS support:
* Default TLS security. The Postfix SMTP client smtp_tls_security_level
default value is "may" if Postfix was built with TLS support, and
the compatibility_level is 3.11 or higher.
* Support for the RFC 8689 "REQUIRETLS" verb in ESMTP. This requires
that every SMTP (and LMTP) server in the forward path is strongly
authenticated with DANE, STS, or equivalent, and that every server
announces REQUIRETLS support.
See REQUIRETLS_README for suggestions to carefully enforce REQUIRETLS
without causing massive mail delivery problems.
* Logging the TLS security level. This shows the desired and actual
TLS security level enforcement status and, if a message requests
REQUIRETLS, the REQUIRETLS policy enforcement status. For a list of
examples see smtp_log_tls_feature_status.
* Workaround for an interface mismatch between the Postfix SMTP
client and MTA-STS policy plugins. This introduces a new parameter
smtp_tls_enforce_sts_mx_patterns (default: "yes"). The MTA-STS
plugin configuration needs to enable TLSRPT support, so that it
forwards STS policy attributes to Postfix. Both postfix-tlspol and
postfix-mta-sts-resolver have been updated accordingly.
With this, the Postfix SMTP client will connect to an MX host only
if its name matches any STS policy MX host pattern, and will match
a server certificate against the MX hostname. Otherwise, the old
behavior stays in effect: connect to any MX host listed in DNS,
and match a server certificate against any STS policy MX host pattern.
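The MX-name check described in this item, as an added example written for this page (it is not code from Postfix, postfix-tlspol or postfix-mta-sts-resolver): given the MX host patterns from an STS policy and the MX hosts found in DNS, it keeps only the DNS hosts whose name matches a policy pattern. Matching follows the MTA-STS (RFC 8461) rule that a leading "*." wildcard stands for exactly one DNS label. The policy patterns and MX hosts are constructed for the demo, and the certificate check against the MX hostname is outside the example.

```shell
#!/bin/sh
# Added example, not part of the Postfix announcement or of either MTA-STS
# plugin.  Shows the MX-name check the text describes: an MX host is only a
# candidate for delivery if its name matches one of the MTA-STS policy "mx"
# patterns.  Matching follows the MTA-STS (RFC 8461) rule that a leading
# "*." wildcard stands for exactly one DNS label.  The policy and MX lists
# below are constructed for the demo.

# sts_mx_matches HOST PATTERN: exit 0 if HOST matches PATTERN, 1 otherwise.
# Names are compared case-insensitively; no trailing dot is expected.
sts_mx_matches() {
    mx_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    mx_pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$mx_pat" in
        \*.*)
            # wildcard: HOST must be <exactly one label>.<suffix>
            mx_suffix=${mx_pat#\*.}
            case "$mx_host" in
                *."$mx_suffix") ;;
                *) return 1 ;;
            esac
            mx_label=${mx_host%."$mx_suffix"}
            case "$mx_label" in
                ""|*.*) return 1 ;;   # no label, or more than one label
            esac
            return 0
            ;;
        *)
            # no wildcard: exact (case-insensitive) match only
            [ "$mx_host" = "$mx_pat" ]
            ;;
    esac
}

# sts_allowed_mx "PATTERNS" "HOSTS": print the DNS MX hosts (space-separated)
# that match at least one policy pattern, preserving the original MX order.
sts_allowed_mx() {
    allowed=
    for mx_candidate in $2; do
        for mx_policy in $1; do
            if sts_mx_matches "$mx_candidate" "$mx_policy"; then
                allowed="$allowed${allowed:+ }$mx_candidate"
                break
            fi
        done
    done
    printf '%s\n' "$allowed"
}

# Constructed demo data: "mx" patterns from a policy, and MX hosts from DNS.
STS_POLICY_MX='*.example.com backup-mx.example.net'
DNS_MX_HOSTS='mx1.example.com mx2.example.com backup-mx.example.net mx.unlisted.example'

# Demo: mx.unlisted.example is dropped because no policy pattern covers it.
sts_allowed_mx "$STS_POLICY_MX" "$DNS_MX_HOSTS"
```

With smtp_tls_enforce_sts_mx_patterns enabled, an MX host that DNS lists but the policy does not name is never connected to, rather than being connected to and then failing the certificate match; the wildcard rule matters because "*.example.com" covers mx1.example.com but neither example.com itself nor a.b.example.com.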
* Post-quantum cryptography support. With OpenSSL 3.5 and later, the
tls_eecdh_auto_curves default value changes to avoid problems with network
infrastructure that mishandles TLS hello messages larger than one
(Ethernet) TCP segment. This problem is more generally known as
"protocol ossification".
Miscellaneous changes:
* Deprecation of obsolete parameters. Postfix programs log a warning
that these parameters will be removed. See DEPRECATION_README for
a list of deprecated parameters.
* JSON output support with "postconf -j|-jM|-jF|-jP", "postalias
-jq|-js", "postmap -jq|-js", and "postmulti -jl". No support is
planned for JSON input.
* Milter support: improved Milter error handling for messages that
arrive over a long-lived SMTP connection, by changing the default
milter_default_action from "tempfail" to the new "shutdown" action
(i.e. disconnect the remote SMTP client). This was already back-ported
to earlier stable releases.
There are more changes; see RELEASE_NOTES for those.
You can find the Postfix source code at the mirrors listed at
https://www.postfix.org/.
Wietse
_______________________________________________
Postfix-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]