postfix (3.10.5-1~deb13u1) trixie; urgency=medium
* new upstream stable/bugfix 3.10.5 release, with multiple fixes.
From the upstream release notes:
- Workaround for an interface mis-match between the Postfix SMTP client
and MTA-STS policy plugins.
* The existing behavior is to connect to any MX host listed in DNS, and
to match the server certificate against any STS policy MX host pattern.
* The corrected behavior is to connect to an MX host only if its
name matches any STS policy MX host pattern, and to match the server
certificate against the MX hostname.
The corrected behavior must be enabled in two places: in Postfix with a
new parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in
an MTA-STS plugin by enabling TLSRPT support, so that the plugin forwards
STS policy attributes to Postfix. This works even if Postfix TLSRPT
support is disabled at build time or at runtime.
- TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found",
pretend that the TLSRPT policy domain value is equal to the recipient
domain. This ignores that different policy types (TLSA, STS) use different
policy domains. But this is what Microsoft does, and therefore,
what other tools expect.
- Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's
connection reuse logic did not distinguish between sessions that
require SMTPUTF8 support, and sessions that do not. The solution is
1) to store sessions with different SMTPUTF8 requirements
under distinct connection cache storage keys, and
2) to not cache a connection when SMTPUTF8 is required
but the server does not support that feature
- Bugfix (defect introduced: Postfix 3.0, date 20140731):
the smtpd 'disconnect' command statistics did not count commands
with "bad syntax" and "bad UTF-8 syntax" errors
- Postfix 3.11 forward compatibility: to avoid ugly warnings when
Postfix 3.11 is rolled back to an older version, allow a preliminary
'size' record in maildrop queue files created with Postfix 3.11 or later
- Bugfix (defect introduced: Postfix 3.8, date 20220128):
non-reproducible build, because the 'postconf -e' output order
for new main.cf entries was no longer deterministic
- To make builds predictable, add missing meta_directory and
shlib_directory settings to the stock main.cf file
- Bugfix (defect introduced: Postfix 3.9, date 20230517):
posttls-finger(1) logged an incorrectly-formatted port number
* debian/patches/debian-defaults.patch: refresh, update for 2 new
parameters (with defaults) in main.cf, and make it with less context
* configure-instance.in: fix typo which caused recreating
cadir in chroot and excessive logging (Closes: #1115412)
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 28 Oct 2025 13:24:35 +0300
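The MTA-STS item in the 3.10.5 entry above contrasts the existing and the corrected MX handling. The Python sketch below is an added example, not Postfix or plugin code, that models both decisions on constructed data. The function names, the sample policy and the hosts are assumptions; a certificate is reduced to its list of DNS names and chain validation is not modelled.

```python
# Added illustration of the two behaviours described in the 3.10.5 entry.
# Everything here (names, policy, hosts, certificates) is constructed.

def mx_matches(pattern: str, host: str) -> bool:
    """Match a host against one name pattern.

    A pattern is either a full hostname or '*.suffix', where the wildcard
    covers exactly one leftmost label (the RFC 8461 rule for "mx" patterns).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".mail.example.net"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label   # exactly one label
    return pattern == host


def legacy_decision(mx_host, cert_names, policy_mx):
    """Existing behaviour: connect to any MX host listed in DNS and accept
    the certificate if it matches ANY policy MX pattern (mx_host is unused)."""
    for pattern in policy_mx:
        for name in cert_names:
            # Simplified two-way match so a wildcard on either side works.
            if mx_matches(pattern, name) or mx_matches(name, pattern):
                return "deliver"
    return "tls-fail"


def corrected_decision(mx_host, cert_names, policy_mx):
    """Corrected behaviour: connect only if the MX name matches a policy
    pattern, then match the certificate against that MX hostname."""
    if not any(mx_matches(p, mx_host) for p in policy_mx):
        return "skip-mx"
    if any(mx_matches(name, mx_host) for name in cert_names):
        return "deliver"
    return "tls-fail"


# Constructed STS policy "mx" patterns for a recipient domain.
POLICY_MX = ["mx1.example.net", "*.mail.example.net"]

# Constructed (MX host from DNS, DNS names in the certificate it presents).
CASES = [
    ("mx1.example.net",      ["mx1.example.net"]),
    ("a.mail.example.net",   ["*.mail.example.net"]),
    ("old-mx.example.net",   ["mx1.example.net"]),       # MX not in policy
    ("b.mail.example.net",   ["mx1.example.net"]),       # cert for another MX
    ("a.b.mail.example.net", ["a.b.mail.example.net"]),  # two labels deep
]


def compare(cases=CASES, policy_mx=POLICY_MX):
    """Return (mx_host, legacy result, corrected result) for each case."""
    return [
        (mx,
         legacy_decision(mx, names, policy_mx),
         corrected_decision(mx, names, policy_mx))
        for mx, names in cases
    ]


if __name__ == "__main__":
    for mx, old, new in compare():
        print(f"{mx:24} legacy={old:9} corrected={new}")
```

The third and fourth cases are where the two behaviours diverge: the legacy check delivers to a host the policy does not list, and to a listed host whose certificate names a different MX.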
postfix (3.10.4-1~deb13u1) trixie; urgency=medium
* New upstream stable/bugfix version 3.10.4, with a handful of fixes.
From the upstream release notes:
- Fixes for postscreen(8):
* Bugfix (defect introduced: Postfix 2.2, date 20050203): after
detecting a lookup table change, and after starting a new
postscreen process, the old postscreen process logged an ENOTSOCK
error while attempting to accept a connection on a socket that
it was no longer listening on. This error was introduced first
in the multi_server skeleton code, and was five years later
duplicated in the event_server skeleton that was created for
postscreen. Problem reported by Florian Piekert.
* Bugfix (defect introduced: Postfix 2.8, date 20101230):
after detecting a cache table change and before starting a new
postscreen process, the old postscreen process did not close the
postscreen_cache_map, and therefore kept an exclusive lock that
could prevent a new postscreen process from starting. Problem
reported by Florian Piekert.
- Fixes for tlsproxy(8):
* Bugfix (defect introduced: Postfix 3.7): incorrect backwards
compatible support for the legacy configuration parameters
tlsproxy_client_level and tlsproxy_client_policy. This
disabled the tlsproxy TLS client role when a legacy parameter
was set (instead of the newer tlsproxy_client_security_level
or tlsproxy_client_policy_maps). Reported by John Doe,
diagnosed by Viktor Dukhovni.
* Bugfix (defect introduced: Postfix 3.4): with the TLS client role
disabled by configuration, the tlsproxy daemon dereferenced a
null pointer while handling a tlsproxy client request. Reported by
John Doe.
- Reducing process churn: Postfix daemons no longer automatically
restart after a btree:, dbm:, hash:, lmdb:, or sdbm: table file
modification time change, when they opened that table for writing.
- Portability: deleted an <openssl/engine.h> build dependency,
because the feature is being removed from OpenSSL, and Postfix
no longer needs it.
- Cleanup: with "tls_required_enable = yes", the Postfix SMTP client
will no longer maintain TLSRPT statistics for messages that contain
a "TLS-Required: no" header. This can prevent TLSRPT notifications
for TLSRPT notifications.
- Bugfix (defect introduced: Postfix 3.6, date 20200710): Postfix TLS
client code logged "Untrusted TLS connection" (wrong) instead of
"Trusted TLS connection" (right), for a new or resumed TLS session,
when a server offered a trusted (valid PKI trust chain) certificate
that did not match the expected server name pattern. Fix by Viktor
Dukhovni.
* d/gbp.conf: debian-branch=debian/trixie
* configure-instance.in: fix typo
* configure-instance.in: limit maxdepth=1 in /etc/ssl/certs dirs
* configure-instance.in: use home-grown file copy procedure to sync chroot
There are a few issues with using cp(1) to update files in chroot, -
a file should be copied even if the source date is *less* than the
target date (eg, if a package has been downgraded), which is not done
by `cp -u` (#1110704), a file should be copied atomically (copy+rename,
not truncate+copy), and care should be taken with extra attributes
(#1100100). Use a simple perl-based script (using just perl-base)
to update files instead, which fixes all this stuff.
(Closes: #1100100, #1110704)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 22 Aug 2025 09:51:46 +0300
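The chroot sync item in the 3.10.4 entry above names two requirements that `cp -u` does not meet: copy when the source differs even if it is older, and replace the target atomically. The Python sketch below is an added example of those two properties, not the package's perl script. The function names are assumptions, and copying only content, mode bits and timestamps (no extended attributes) is a choice made for this example.

```python
# Added illustration: "copy if different, replace atomically".
import os
import shutil
import tempfile


def needs_update(src: str, dst: str) -> bool:
    """True when dst is missing or differs from src in size or mtime.

    Unlike `cp -u`, an OLDER source also triggers a copy, which covers the
    package-downgrade case mentioned in the changelog entry.
    """
    try:
        d = os.stat(dst)
    except FileNotFoundError:
        return True
    s = os.stat(src)
    # Compare whole seconds so coarse-grained filesystems do not flap.
    return s.st_size != d.st_size or int(s.st_mtime) != int(d.st_mtime)


def sync_file(src: str, dst: str) -> bool:
    """Bring dst in line with src; return True if dst was replaced.

    The data is written to a temporary file in the destination directory
    and then renamed over dst, so a reader sees either the old file or the
    new one and never a truncated file.
    """
    if not needs_update(src, dst):
        return False
    st = os.stat(src)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst) or ".",
                               prefix=".sync-")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
            out.flush()
            os.fsync(out.fileno())
        # Example choice: carry over mode bits and timestamps only.
        os.chmod(tmp, st.st_mode & 0o7777)
        os.utime(tmp, ns=(st.st_atime_ns, st.st_mtime_ns))
        os.replace(tmp, dst)          # atomic within one filesystem
    except BaseException:
        try:
            os.unlink(tmp)            # leave no partial file behind
        except FileNotFoundError:
            pass
        raise
    return True


if __name__ == "__main__":
    # Constructed demo: the source is older than the stale target.
    with tempfile.TemporaryDirectory() as top:
        src = os.path.join(top, "resolv.conf.host")
        dst = os.path.join(top, "resolv.conf.chroot")
        with open(src, "w") as f:
            f.write("nameserver 192.0.2.53\n")
        with open(dst, "w") as f:
            f.write("nameserver 192.0.2.1\n")
        os.utime(src, (1_000_000_000, 1_000_000_000))
        print("first run replaced:", sync_file(src, dst))
        print("second run replaced:", sync_file(src, dst))
```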
postfix (3.10.3-2) unstable; urgency=medium
* d/changelog: fix wrongly formatted previous changelog entry (double email)
* update Portuguese translation (Closes: #1107436)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 11 Jul 2025 00:50:43 +0300
postfix (3.10.3-1) unstable; urgency=medium
[ Michael Tokarev ]
* new upstream stable/bugfix release. From the release announcement:
This release fixes defects that were introduced in Postfix 3.10.
The defects exist only with the default configuration
"tls_required_enable = yes".
* Bugfix (defect introduced: Postfix-3.10, date 20250117): include
the current TLS security level in the SMTP connection cache
lookup key for lookups by next-hop destination, to avoid reusing
the same SMTP connection when sending messages with and without
a "TLS-Required: no" header. Likewise, include the current TLS
security level in the TLS session lookup key, to avoid reusing
the same TLS session info when sending messages with and without
a "TLS-Required: no" header.
* Bugfix (defect introduced: Postfix-3.10, date 20250117): the
Postfix SMTP client attempted to look up TLSA records even with
"TLS-Required: no". This could result in unnecessary failures.
Fix by Viktor Dukhovni & Wietse.
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 11 Jul 2025 00:26:40 +0300
postfix (3.10.2-1) unstable; urgency=medium
[ Michael Tokarev ]
* new upstream minor/bugfix/maintenance release
Closes: #1100449 (postfix: main.cf corrupted after upgrade)
* postfix.service: add CAP_DAC_READ_SEARCH (Closes: #1099891)
[ Carles Pina i Estany ]
* Update po-debconf Catalan translation
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 23 Apr 2025 11:42:50 +0300
postfix (3.10.1-1) unstable; urgency=medium
* new upstream release
* NOTES: remove part about postmulti and postfix@.service
* d/rules: ship /var/spool/postfix/dev (Closes: #1094571)
* gbp.conf: switch to 3.10
* 10_openssl_version_check.diff: remove, not needed anymore
* 40_chroot_by_default.diff: refresh, reduce context
* 50_LANG.diff: rediff, reduce context
* debian/patches/reproducible: remove, applied upstream
* makedefs-fix-RELEASE_MAJOR-expression.patch, sqlite-open-fix.patch:
remove, applied upstream
* debian-fix-manpages-C-font.patch: remove
* enable TLSRPT (+Build-Depends: libtlsrpt0-dev)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 02 Mar 2025 11:20:24 +0300
postfix (3.9.1-10) unstable; urgency=medium
* main.cf.tls: use smtp_tls_CAfile, not smtp_tls_CApath;
add comments for all parameters
* postfix.service: remove not-relevant-anymore comment
* control: Pre-Depends: init-system-helpers, since we run invoke-rc.d
manually from triggers and ${misc:Pre-Depends} is not set
* postfix.postinst: remove --skip-systemd-native from invoke-rc.d call
since we checked for systemd already
* postfix.maintscript: convert to conffiles
* postfix-doc: rm conffile /etc/postfix/postfix-files.d/doc.files
(Closes: #1091839)
* configure-instance: remove dev/u?random in chroot when upgrading
* rules: do not install makedefs.1 manpage
* debian-fix-manpages-C-font.patch: use different manpage formatting for
examples (fixes roff being unable to find C font)
* d/tests: replace "useradd -p" with chpasswd (Closes: #1092751)
* sqlite-open-fix.patch: fix opening of sqlite map files
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 11 Jan 2025 15:46:36 +0300
postfix (3.9.1-9) unstable; urgency=medium
* the "let's break the toys" release part 2:
* postfix.service: first step at possible hardening at the systemd level
Drop as much privileges as seem safe for postfix operations
Use ProtectSystem=full, let's see what happens
* split startup procedure into two halves, setup+runtime, so that the runtime
half can be run with restricted privs, while setup part needs chown etc
* stop ordering postfix.service after network-online.target, but keep it
after network.target, and mention how to enable this if needed
(finally Closes: #854475)
* tests: show logging from failed startup phase too
* debian-postfix-chroot-cmd.patch: update
* README.Debian: recommend un-chrooting postfix
* README.Debian: rewrite notes about chroot and proxy: map
* configure-instance: use "postfix chroot -c" to include custom services too
* hurd.patch: update to include more libdirs like in linux case
* debian-re-run-startup-through-systemd.patch: a few updates
* rules: stop renaming postfix *.8 manpages to *.8postfix
* rules: stop shipping /etc/postfix/dynamicmaps.cf.d
* rules: hide dpkg-maintscript-helper calls from lintian. It produces
maintainer-script-should-not-use-dpkg-maintscript-helper, which is rather
pointless, and other ways to avoid this warning result in uglier d/rules
with this place being split into pieces. Fighting with the tools.. :(
* configure-instance: avoid removing ca-certificates.crt from the certs dir
in chroot (Closes: #1003982), add comment explaining certs storages
* 03_ldap3_by_default.diff: do not patch generated man/man5/ldap_table.5 -
it is regenerated by "make manpages"
* postfix.lintian-overrides: drop 2 now-unused overrides
* changelog: add missing newline in an old (2001) entry
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 24 Dec 2024 21:21:04 +0300
postfix (3.9.1-8) unstable; urgency=medium
* the "let's get chroot under control" release, plus some bugfixes
for minor issues in previous release, and more cleanups
* debian-postfix-chroot-cmd.patch: new 'chroot' subcommand for postfix
command, to set/unset/query chroot status of postfix services in
master.cf. It helps to configure current master.cf to enable/disable
chroot easily
* source/options: man/ is also autogenerated, ignore it in source-diff
* README.Debian: add a note about chroot and "postfix chroot"
* configure-instance: use "postfix chroot" to query for chroot status
* postfix.maintscript: rm_conffile /etc/network/ip-down.d/postfix
(temporary, Closes: #1090820)
* postinst: fixup html_directory=no on upgrade too (Closes: #1090852)
* patches: remove hunks changing paths in master.cf from
40_chroot_by_default.diff to 05_debian_defaults.diff
* rules,05_debian_defaults.diff: move postfix-files patching to rules
* patches: update debian-defaults.patch: rename from 05_debian_defaults.diff,
get parts from 06_debian_paths.diff to it
* rules: stop shipping doc.files in postfix-doc package, there's no need to
* 06_debian_paths.diff: remove
* main.cf.in: add comments and fill in some default values, so the new
main.cf has comments near the values which are set in postinst
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 20 Dec 2024 22:10:35 +0300
postfix (3.9.1-7) unstable; urgency=medium
* the "let's break the toys" release part 1:
* completely redesign postfix multi-instance systemd setup;
regular postfix service is back (and journalctl -u postfix etc);
postfix@- is gone. Please see the NEWS file for more details
(Closes: #1088862, #928187)
* `postfix start' now starts systemd postfix service and updates chroot
* do not ship /etc/postfix/makedefs.out symlink (to /usr/share/postfix/)
* do not include doc directories in postfix maps packages anymore, link to
the main package doc dir instead
* more cleanups for chroot setup and packaging
* packaging changes:
* maintscript: remove package names (defaults to $DPKG_MAINTSCRIPT_PACKAGE)
* d/.gitignore: ignore debian/files
* control: remove lsb-release build dep (forgotten after ${DEB_VENDOR} change)
* postinst: postconf -hx not -h (to expand names)
* preinst: debconf is not used anymore
* rules: only install listed examples from conf/, not everything
* rules: use ${package} (in form of $mapbase) in foo-MAP generation script
too (another place previously forgotten)
* rules: move generated main.cf.debian & main.cf.dist from conf/ to meta/ -
avoids cleaning them up
* rules: keep original meta/postfix-files, create debian-specific in debian/
* rules: make install-map a macro (readability)
* rules: make doc dir for dynamic maps to be symlinks to main postfix package
* rules: fixup manpage naming (8postfix) at install time
* 41_rmail.diff: do not uncomment master.cf entry for uucp in 2024
* collapse various dynamic map README files into main README.Debian
* postinst &Co: perform (re)start in dpkg trigger
* postinst,main.cf.in: fix clarify cyrus_sasl_config_path setting
* d/main.cf.in: compatibility=3.9 for new install
* d/main.cf.in: reword myorigin comment
* d/postfix_groups.pl: drop, postfix can expand LDAP groups for a long time
* make main.cf.proto & master.cf.proto to be regular conffiles
* prerm: remove more dirs; rewrite
* postinst: remove very old (<<2.5) sasl-smtp[d]->smtp[d] rename
* postinst: drop permission fix from 2008 (2.5.0) for /var/lib/postfix
* postinst: drop pre-historic update-inetd call disabling smtp
* postinst,postrm: simplify file/dir permissions handling
* postinst: note we should create /etc/aliases on new install
even if no configuration is requested
* rules: it is /etc/network/if-down.d, not ip-down.d (thanks axhn)
* postinst,postrm,etc: stop messing with readme_directory
* suggest to use proxy: map for chrooted config in README.Debian
(Closes: #429742, #1003982)
* README.Debian: review /dev/log situation in chroot
* configure-instance: remove $queue_directory/etc/ssl/certs if chroot
is not in use
* configure-instance: do not copy nss modules from glibc (these are built-in);
add comments
* configure-instance: assume cleanup service is safe to be in chroot
(no extra setup needed)
* debian-run-configure-instance-from-create-missing.patch: move
configure-instance invocation to post-install script
* switch from postfix@-.service to postfix.service: breaking change
(#1088862 #928187)
* debian-re-run-startup-through-systemd.patch: redirect `postfix start'
to systemd
* postinst: detect if multi-instance was in use and warn the user
* add NEWS and README about changes wrt multiple instances
* control: remove systemd-dev build dependency
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 19 Dec 2024 12:13:23 +0300
postfix (3.9.1-6) unstable; urgency=medium
* a "making some clean-ups, part 4" release (plus a bugfix)
* cp isn't able to cope with dangling symlinks when copying certs left
from the previous release. Fix by using find(1) to traverse the dest dir
and delete anything which does not look like a regular hashed cert file,
since we process the directory anyway. (Closes: #1089836)
* simplify ip-up.d/ip-down.d/update-libc.d to just one line (cp -pLu)
and install it everywhere. Do not trigger queue run in ifup, it is
not our job to know which interfaces to use for the trigger.
Just copy the file, glibc will pick it up on the next query.
* d/postfix.postfix-resolvconf.service: use the same simple cp command
here too, with Conditions
* install NetworkManager hook to update resolv.conf too
(Closes: #1070120, #1054064)
* d/rules rework:
- stop passing $CPPFLAGS $CFLAGS to PLUGIN_LD
- move common CCARGS/CONFARGS/AUXLIBS definition further up
- move shared-build options to separate place
- clean the cleaning
- drop custom $(DISTRO), use ${DEB_VENDOR} everywhere in a uniform way
- drop execute_before_dh_gencontrol (move to install)
- reorder install target to better group things together
- stop exporting buildflags - specify CC, the only var we use, directly
* d/control: actually mark postfix-mongodb as linux-any
(forgotten in previous upload)
* d/patches: 2 patches to support building on hurd
* postfix now builds on hurd, let's see how it works there
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 13 Dec 2024 19:41:09 +0300
postfix (3.9.1-5) unstable; urgency=medium
* a "making some clean-ups, part 3" release
* rewrite of d/configure-instance.sh chroot setup script:
- remove some old files which shouldn't be there, like lib/libnss_s.so
or lib/mozilla/libnss.3 or lib/$otherarch/libnssdbm3.so
- stop re-writing whole chroot each time, use cp -u
- copy /etc/ssl/certs by hash only, so the result matches those on
host, not all of them like before
- copy just libnss_*.so.2 for the correct architecture
- stop creating dev/[u]random in chroot, device nodes in /var was
a long-standing issue. Cf. #572841
* d/{update-libc,ip-{up,down}}.d: just copy resolv.conf, no reload needed
(postfix uses system resolver, glibc picks up changes automatically)
add a note we only support default/main instance
* postfix-resolvconf: some updates
* remove cpio from Depends, downgrade ssl-cert to Recommends
(postfix uses ssl-snakeoil by default);
add ssl-cert dependency to tests, so it checks smtps
* drop very old (before buster) versioned deps
* d/rules,d/control: do not build postfix-mongodb on hurd
* provide (shorter) long Description for all packages directly in d/control
* stop moving dynamic maps manpages to postfix-MAP subpackages, provide
them in main postfix package
* remove stray debian-differences-main-cf.diff which was added mistakenly
* d/README.Debian: spelling: synchronizing
* d/po: run debconf-updatepo
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 13 Dec 2024 00:09:16 +0300
postfix (3.9.1-4) unstable; urgency=medium
* a "making some clean-ups, part 2" release
* big changes in chroot setup (d/configure-instance.sh et al):
- rework ssl cert (/etc/ssl/certs et al) copying to chroot:
- simplify it, unroll the function
- remember and skip dirs we already handled
- copy just one directory deep
- more advanced master.cf reading; skip simple services: chroot won't be
updated if only postfix internal services are chrooted
- do not ship chroot files in /var/spool/postfix/ (dev, etc, lib),
create them in configure-instance.sh for every instance instead
- remove /etc/passwd copying to chroot (was a hack for #65473)
- exit early if !SYNC_CHROOT or !NEED_CHROOT
- many small cleanups
* stop shipping var/spool/postfix/usr/lib/zoneinfo (long unused)
* run configure-instance.sh (for chroot) from within postfix-script,
so every invocation of `postfix start' will run it, not just the
startup scripts. Add a patch to upstream postfix-script.
This is to prepare for multiple instances mostly, and for consistency
* do not ship /etc/postfix/postfix-script & /etc/postfix/post-install
files anymore: they're long unused: actual files are /usr/share/postfix/.
rm_conffile for them
* drop main.cf.default & bounce.cf.default entirely - these are just
outputs of `postconf -d' and `postconf -b'.
* debian/postfix.init: rewrite the init script (simplify and normalize)
* d/tests:
- consolidate check and set-permissions tests
- run all tests (do not stop on first failure)
- show postfix logfile
* patches:
- add debian/gen-manpage-diff.sh
- regenerate 05_debian_manpage_differences.diff
- 05_debian_defaults.diff: refresh using diff -U1
- split out main.cf.tls to debian/main.cf.tls
* d/rules:
- fix old typo shlibs_directory => shlib_directory
- fix bad line split in previous upload
- sample_directory was never recognized by makedefs
- use ${package} in last few places
- always provide postfix:Provides variable
* d/NOTES: more notes, formatting
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 11 Dec 2024 17:01:58 +0300
postfix (3.9.1-3) unstable; urgency=medium
* a "making some clean-ups, part 1" release
* rewrite d/rules install targets, making the install process more
understandable, grouping related parts together, adding comments, using
various variables in a consistent way, using available tools in consistent
manner, remove unnecessary indirection, clean up things here and there
* rework and simplify dynamic maps installation part further
* stop running newaliases on every install, attempt to run it just when
we modified aliases, and do it only once - if fails, print a warning
and continue. There's no need to run it on every upgrade or especially
at map installation time, since neither the format changed nor there
were any modifications in the input file during install. This allowed
to drop a lot of complexity in initscripts in alias handling part and
make whole thing much more robust in the end
* consolidate /etc/aliases handling in a single place. More work needed
* stop creating /etc/aliases on every install/upgrade when the user asked
for no debconf-based configuration
* stop building binaries when doing arch-indep build, only
run `make makefiles' and make manpages out of this.
* stop making makefiles for pure clean target when we haven't
run configure (make makefiles) step yet
* move RELEASE_NOTES from postfix-doc package to the main postfix package
* install older RELEASE_NOTES-* files in postfix-doc (Closes: #626648)
There's no good reason to omit them (they're rather small) but it is
handy to have them in the package. Can move them to main postfix
* move examples/main.cf.default and examples/bounce.cf.default from
postfix-doc package to the main postfix package because they're
built in arch-dependent build. Maybe we should stop shipping
main.cf.default entirely (it is just `postconf -d` output), but
bounce.cf.default should be in main package because it is a good
starting template for customizing bounce messages.
* drop postfix Build-Depends on e2fsprogs (chattr usage has been removed)
* stop shipping README.proto
* d/rules: note html2text -nobs: we can not recreate original docs!
* remove some old, long-unneeded pieces from the postinst & preinst scripts
* d/NOTES: add random notes/thoughts
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 08 Dec 2024 10:28:58 +0300
postfix (3.9.1-2) unstable; urgency=medium
* d/gbp.conf: create, with the naming scheme like current practice
* d/postfix.lintian-overrides: update line numbers for template overrides
* d/rules: install only libpostfix-foo.so libs, not all static libs
(stop shipping libmilter.a and libxsasl.a uselessly)
* d/rules,d/clean: stop renaming and removing collate.pl
* d/postfix.dirs: stop shipping var/log (it is not used by postfix)
* d/rules: remove unused variable TLSDOCFILES
* d/rules,d/functions: fix stupid typos in map installation scripts
(Closes: #1089170)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 06 Dec 2024 19:51:22 +0300
postfix (3.9.1-1) unstable; urgency=medium
[ Michael Tokarev ]
* New upstream version 3.9.1
* 40_chroot_by_default.diff: refresh
* postfix.postrm: stop removing /etc/systemd/system/postfix.service.d
(cf #851521)
* postfix.postrm: stop removing user and groups at package purge
(Closes: #705754)
* remove question about synchronous directory updates (Closes: #832953)
* d/rules: fix date -s vs -d in txt2man invocation
* d/rules: introduce ${prvlibdir} and ${daemondir} vars
and use them consistently; also use install -D in changed lines
* d/rules: simplify map installation and make it more robust
- use ${maps} to list dynamic map types
- replace a series of grep/mv invocation with a single sed -i
- make sample/readme/html stripping more robust - match by
/^\$readme_directory/ instead of just /readme/
(should invent some helper for postfix-files splitting)
- use stricter pattern in dynamicmaps instead of single-word "cdb"
- use install -D to create directory
- install manpages in the same place as maps
- make whole thing a bit easier to read
- remove d/postfix-*.dirs for maps
* consolidate and simplify dynamic-maps package creation (#1075756)
Fold all postfix-{cdb,lmdb,...}.{postinst,prerm} scripts into functions
in d/functions, and generate individual package scripts in d/rules as
calls to these functions. This reduces number of files in debian/
significantly, and makes the same code to be in single place so it's
easy to modify. Changes in behavior:
- treat alias_database as multi-element list, not a single
entry as before (it always has been plural despite the name).
It is still treated as singular in postfix.postinst.
- stop unregistering the map types during package upgrades
since it will be re-added back immediately (Closes: #1075756).
- nicer alignment of columns in the dynamicmaps.cf file.
* d/rules: set SHELL to "/bin/sh -e" to catch possible build errors
* d/triggers: rename to postfix.triggers
* d/init.d: rename to postfix.init
[ Andika Triwidada ]
* [INTL:id] Update Indonesian debconf translation for postfix
(Closes: #1084490)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 06 Dec 2024 11:13:30 +0300
postfix (3.9.0-4) unstable; urgency=medium
[ Scott Kitterman ]
* Disable Salsa CI reprotest job due to false positives
* Disable Salsa CI cross-build job due to we know it won't work,
so there's no point
* Remove obsolete d/postfix.postinst fixup content
* Restore add_root_alias, deleted in error
* Note that cyrus_sasl_config_path fixup in postinst can be removed
after Trixie release
* Add patch header to d/p/reproducible
[ Christian Göttsche ]
* salsa-ci: enable build_twice job
[ Michael Tokarev ]
* d/control: set Maintainer to team+postfix@tracker.d.o
* d/control: add myself to Uploaders
* Closes: #1087594
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 30 Nov 2024 10:19:24 +0300
postfix (3.9.0-3) unstable; urgency=medium
* Replace hard coding of config path for Cyrus SASL in
d/p/07_sasl_config.diff with setting the Debian location via
cyrus_sasl_config_path.
* Update creation of /var/spool/postfix in preinst to include -Z option so
that SE Linux security context is properly applied when SE Linux is
activated. Closes: #781776
* Bump standards-version to 4.7.0 without further change.
* Use raw strings in d/tests/testlib.py to fix SyntaxWarnings with Python
3.12.
-- Scott Kitterman <scott@kitterman.com> Thu, 18 Jul 2024 17:06:30 -0400
postfix (3.9.0-2) unstable; urgency=medium
* Add debian/postfix-collate to debian/clean
* Restart postfix via trigger after new map type packages are added.
Closes: #1063772
* Add d/p/reproducible to restore AUXLIBS sort missed when original patch
was upstreamed. Closes: #1067483
-- Scott Kitterman <scott@kitterman.com> Tue, 02 Apr 2024 09:08:31 -0400
postfix (3.9.0-1) unstable; urgency=medium
[Scott Kitterman]
* Upload to unstable
[Christian Göttsche]
* Update lintian overrides
-- Scott Kitterman <scott@kitterman.com> Mon, 18 Mar 2024 23:56:50 -0400
postfix (3.9.0-1~exp1) experimental; urgency=medium
[Scott Kitterman]
* Refresh patches
* Delete d/p/Sort-list-of-AUXLIBS-for-reproducible-builds.patch,
incorporated upstream
* Update test-postfix.py for implementation of HELP in postfix 3.9
* Add support for mongodb
- New postfix-mongodb binary
- Add libmongoc-dev to build-depends
[Wietse Venema]
* 3.9.0
-- Scott Kitterman <scott@kitterman.com> Sun, 10 Mar 2024 04:47:22 -0400
postfix (3.8.6-1) unstable; urgency=medium
[Scott Kitterman]
* Remove lib/systemd/system-generators from d/postfix.dirs. Closes: #1059760
* Update with wrap-and-sort
* Refactor d/p/Sort-list-of-AUXLIBS-for-reproducible-builds.patch based on
upstream feedback
* Mark d/p/Sort-list-of-AUXLIBS-for-reproducible-builds.patch as forwarded
* Add libnsl-dev to build-depends, split from libc6-dev. Closes: #1065158
* Build-depend on pkgconf instead of obsolete pkg-config
[localization folks]
* l10n: Updated Swedish debconf translations. (Martin Bagge, Anders
Jonsson). Closes: #1061564
[Wietse Venema]
* 3.8.6
-- Scott Kitterman <scott@kitterman.com> Tue, 05 Mar 2024 10:24:36 -0500
postfix (3.8.5-1) unstable; urgency=medium
[Wietse Venema]
* 3.8.5
[Christian Göttsche]
* Drop unnecessary manual hardening CFLAGS, drop unused variables,
drop obsolete suidunregister handling, and use generic destination
variable in more places
* Install systemd generator into canonical directory (Closes: #1059760)
* Rely on dh_lintian to install Lintian overrides
* Sort list of AUXLIBS for reproducible builds
* Add Documentation key to resolvconf service
-- Scott Kitterman <scott@kitterman.com> Mon, 22 Jan 2024 09:47:09 -0500
postfix (3.8.4-1) unstable; urgency=medium
[Wietse Venema]
* 3.8.4 Closes: #1059230
-- Scott Kitterman <scott@kitterman.com> Fri, 22 Dec 2023 13:02:36 -0500
postfix (3.8.3-1) unstable; urgency=medium
[Helmut Grohne]
* Install units using dh_installsystemd only. Closes: #1054485
[Wietse Venema]
* 3.8.3
-- Scott Kitterman <scott@kitterman.com> Thu, 21 Dec 2023 13:43:33 -0500
postfix (3.8.2-1) unstable; urgency=medium
[Scott Kitterman]
* Correct 3.8.1-2 debian/changelog entry
[Wietse Venema]
* 3.8.2
[localization folks]
* l10n: Update Romanian debconf translations. (Remus-Gabriel Chelu)
-- Scott Kitterman <scott@kitterman.com> Thu, 14 Sep 2023 14:08:10 -0400
postfix (3.8.1-2) unstable; urgency=medium
[Scott Kitterman]
* Delete debian/patches/02_kfreebsd_support.diff, no longer needed
* Drop debian/patches/04_remove_gdbm_support.diff, obsolete
* Add/update patch headers, particularly Forwarded status
* Rename collate.pl patch to 71_debianize_collate.pl.diff
* Fix spelling error in d/changelog
* Do not use full path for ypcat and update-inetd in postinst and
suidunregister in preinst
* Update debconf templates
* Correct regression that caused postfix set-permissions to fail (Closes:
#1040329)
- Restore and update debian/patches/05_debian_manpage_differences.diff
- Restore and update debian/patches/05_debian_readme_differences.diff
* Update autopkgtest to test postfix set-permissions
[localization folks]
* l10n: Add Romanian debconf translations. Closes: #1039560 (Remus-Gabriel
Chelu)
-- Scott Kitterman <scott@kitterman.com> Thu, 06 Jul 2023 00:18:21 -0400
postfix (3.8.1-1) unstable; urgency=medium
[Christian Göttsche]
* Bump _FORTIFY_SOURCE to level 3
* Enable stack clash protection
[Scott Kitterman]
* Refresh and update patches for 3.8.1
* Update default master.cf for new installs to comment out maildrop and
external delivery methods to match upstream, these all require additional
configuration. Closes: #1033346
* Delete unconditional call to fix_master and clarify wording of main.cf
status message in postfix.postinst. Closes: #1035350
* Minor wording improvements in d/po/templates.pot. Closes: #1028095
[Wietse Venema]
* 3.8.0 (Closes: #1036161)
* 3.8.1
-- Scott Kitterman <scott@kitterman.com> Sat, 10 Jun 2023 09:31:37 -0400
postfix (3.7.5-2) unstable; urgency=medium
[Sergio Durigan Junior]
* Update autopkgtest to work with new sasl2-bin service file.
Closes: #1032306
-- Scott Kitterman <scott@kitterman.com> Wed, 03 May 2023 10:27:40 -0400
postfix (3.7.5-1) unstable; urgency=medium
[Scott Kitterman]
* Fix typo in d/changelog
* Update d/watch to only look for 3.7.x updates for bookworm
[localization folks]
* l10n: Updated Turkish debconf translations. (Atila KOÇ). Closes: #1032459
[Wietse Venema]
* 3.7.5
- Bugfix (introduced: Postfix 3.4): the posttls-finger command
failed to detect that a connection was resumed in the case
that a server did not return a certificate. Viktor Dukhovni.
File: posttls-finger/posttls-finger.c.
- Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return
lazily-bound handles. Postfix now checks that the expected
functionality will be available instead of failing later.
Fix by Viktor Dukhovni. File: tls/tls_server.c.
- Bugfix (introduced: Postfix 3.5): check_ccert_access did
not parse inline map specifications. Report and fix by Sean
Gallagher. File: global/map_search.c.
- Safety: the long form "{ name = value }" in import_environment
or export_environment is not documented, but accepted, and
it was stored in the process environment as the invalid
form "name = value", thus not setting or overriding an entry
for "name". This form is now stored as the expected
"name=value". Found during code maintenance. Also refined
the "missing attribute name" detection. Files: clean_env.c,
split_nameval.c.
- Bugfix (introduced: Postfix 3.2): the MySQL client could
return "not found" instead of "error" during the time that
all MySQL server connections were turned down after error.
Found during code maintenance. File: global/dict_mysql.c.
-- Scott Kitterman <scott@kitterman.com> Sun, 30 Apr 2023 13:53:55 -0400
postfix (3.7.4-2) unstable; urgency=medium
[Christian Göttsche]
* Add patch to disable LD_LIBRARY_PATH check
* Update postfix homepage supporting https
* Merge restorecon calls
* d/postinst: fix mixed indentation
* Quote variables and command output in scripts
* Drop upgrade handling against ancient versions
* Drop unnecessary script include
* Do not manually stop and restart postfix.service
* Switch to PCRE2 (Closes: #999988)
[Scott Kitterman]
* Build depend on libldap-dev instead of transitional libldap2-dev
* Update lintian overrides
* Drop ancient Breaks/Replaces on postfix 3.1.3-7~
-- Scott Kitterman <scott@kitterman.com> Tue, 24 Jan 2023 09:33:52 -0500
postfix (3.7.4-1) unstable; urgency=medium
[Scott Kitterman]
* Drop d/p/support_linux6, addressed upstream
* Drop depends on obsolete package lsb-base
[Wietse Venema]
* 3.7.4 (Closes: #1011040) (LP: #1995312)
[Sven Joachim]
* Replace deprecated c_rehash with openssl rehash (Closes: #895089)
[localization folks]
* l10n: Updated German debconf translations. (Markus Hiereth)
Closes: #1029113
-- Scott Kitterman <scott@kitterman.com> Sat, 21 Jan 2023 20:03:33 -0500
postfix (3.7.3-4) unstable; urgency=medium
* Also add LINUX6 to sys_defs.h (thanks to Bo YU for the fix).
Closes: #1028600
-- Scott Kitterman <scott@kitterman.com> Fri, 13 Jan 2023 18:42:01 -0500
postfix (3.7.3-3) unstable; urgency=medium
[Scott Kitterman]
* Add support for Linux 6 as a Linux major version in makedefs
* Remove obsolete debian/postfix.NEWS
* Update debian/copyright
* Bump standards-version to 4.6.2 without further change
[Gioele Barabucci]
* d/postfix.postinst: Use sed instead of perl
[Daniel Shahaf]
* Fix generic maps terminology in README.Debian. Closes: #1006345
[localization folks]
* l10n: Updated Dutch debconf translations. (Frans Spiesschaert)
Closes: #1004316, #1025842
* l10n: Updated Brazilian Portuguese debconf translations. (Paulo Henrique
de Lima Santana) Closes: #1024200
* l10n: Updated German debconf translations. (Markus Hiereth)
Closes: #1004011
-- Scott Kitterman <scott@kitterman.com> Wed, 11 Jan 2023 11:02:33 -0500
postfix (3.7.3-2) unstable; urgency=medium
* Update autopkgtest expected return code for 3.7 changes
-- Scott Kitterman <scott@kitterman.com> Sun, 09 Oct 2022 01:33:38 -0400
postfix (3.7.3-1) unstable; urgency=medium
[Scott Kitterman]
* Add postfix-resolvconf.path/service to watch for resolv.conf changes and
restart postfix using the existing hook if it is updated. Closes: #1003152
* Document in README.Debian that new postfix-resolvconf.path/service files
need to be manually enabled if needed and override dh_installsystemd to
that effect
* Delete unused postfix lintian overrides
* Fix spelling error in debian/postfix.postinst
* Refresh patches, delete 05_debian_manpage_differences.diff and
05_debian_readme_differences.diff, no longer needed
[Wietse Venema]
* 3.7.3 Closes: #1017313
-- Scott Kitterman <scott@kitterman.com> Sat, 08 Oct 2022 19:36:05 -0400
postfix (3.6.4-1) unstable; urgency=medium
[Scott Kitterman]
* Ignore changes to html files in debian/source/options
* Delete d/p/postfix-dup-postconf.patch, included in upstream release
* Add lintian-override for insecure URI - releases are signed
* Make signing-key.asc minimal
[Wietse Venema]
* 3.6.4
[Christian Göttsche]
* Rework rules to use dh sequencer
* Call subcommand via shell
* Update cleaning to build package twice
* Bump to debhelper compat level 13
* Drop default include path and split CCARGS
* Use mkdir -Z instead of subsequent running restorecon
* Drop custom function pathfind in favor of command -v
* Quote path in update-libc.d
* Update postfix.config
* Quote directory path in postfix-instance-generator
* Drop check on postinst.functions in postfix-sqlite.prerm
* Update postfix-add-policy script
* Update postfix-add-filter script
* Drop versioned symlinks to plugin libraries
* Drop ldconfig calls in maintscripts
* Support parallel build, except do not build man pages parallel
-- Scott Kitterman <scott@kitterman.com> Sat, 15 Jan 2022 18:41:26 -0500
postfix (3.6.3-5) unstable; urgency=medium
[Wietse Venema]
* Fix duplicate bounce_notice_recipient entries in postconf output.
Closes: #999694
[Scott Kitterman]
* Remove left-over ca-certificates.crt file from postfix chroot.
Closes: #991609
* Align sysv init script start/stop/reload more to default init and drop
d/p/09_quiet_startup.diff, no longer needed.
* Add support for chroot_extra_files and chroot_extra_CAdir variables
sourced from /etc/default/postfix to enable users to specify additional
files needed in the chroot. Closes: #948321
* Add information about keeping resolv.conf up to date in the chroot with
the resolvconf package. Closes: #964762
* Add collate.pl script as postfix-collate. Closes: #941457
[Christian Göttsche]
* Drop unreproducible build paths from makedefs.out.
* Enable Link Time Optimization (LTO).
[Sergio Gelato]
* Correct if-up.d to not error out if postfix can't send mail yet.
Closes: #959864
-- Scott Kitterman <scott@kitterman.com> Tue, 04 Jan 2022 15:20:02 -0500
postfix (3.6.3-4) unstable; urgency=medium
[Scott Kitterman]
* Update d/p/70_postfix-check.diff to exclude makedefs.out from symlink
check. Closes: #926331
* Test that nothing is reported by postfix check in autopkgtest
* Delete debian/patches/30_shared_libs.diff, no longer needed after linking
corrections in debian/rules
* Do not override user set default_transport in postinst. Closes: #988538
* Add overrides for incorrect unused-debconf-template results
* Update debconf templates
[Christian Göttsche]
* Overhaul compiler flags
* Ignore blhc false positives on for loop
* Drop linking against local build libraries
-- Scott Kitterman <scott@kitterman.com> Tue, 28 Dec 2021 17:00:40 -0500
postfix (3.6.3-3) unstable; urgency=medium
[Scott Kitterman]
* Force rm of html/Makefile.in in install-indep to avoid potential FTBFS.
Closes: #1002497
* Make all debian/rules rm calls -f to support building when not root
[Christian Göttsche]
* Enable building with multiple jobs
* Drop unnecessary linking libraries
-- Scott Kitterman <scott@kitterman.com> Sat, 25 Dec 2021 16:47:41 -0500
postfix (3.6.3-2) unstable; urgency=medium
[Scott Kitterman]
* Add postfix-mta-sts-resolver to suggests. Closes: #968516
* Include compatibility_level in addition to postfix version when
determining default value for chroot in master.cf. Closes: #995129
* Fixup errors in postfix-add-* man pages. Closes: #995031
* Set compatibility level to 3.6 for fresh installs
* Update main/master.cf.proto on upgrade if not modified. Closes: #991513
* Decruft debconf template:
- Remove ancient (postfix 2.3) mydomain_warning
- Delete old (Postfix 2.10) relay_restrictions_warning
- Delete unused lmtp_retired_warning template
- Delete unused kernel_version_warning template
- Delete unused retry_upgrade_warning template
- Delete unused tlsmgr_upgrade_warning template
* Debconf template cleanup, thanks to Markus Hiereth for the suggestions.
Closes: #905653
[Miriam España Acebal]
* Removed LDFLAG -Bsymbolic-functions to fix issue where TLS is disabled
when private/tlsmgr socket is not found. lp: #1885403
[Christian Göttsche]
* Update debian/patches/07_sasl_config.diff:
- Fix conversion warnings by adding explicit cast
- Drop unused function xsasl_getpath
* Fix lintian detected typos in Debian packaging.
* Do not require postfix to be built by root.
* Set -e shell option explicitly.
* Bump watch file standard to version 4.
* Add misc:Pre-Depends to postfix.
* Remove trailing spaces in changelog.
* Add Documentation key to postfix service.
* Drop alternative dependency on obsolete libmysqlclient-dev.
* Add standard salsa ci configuration.
* Drop unused debconf template sqlite_warning.
[Paride Legovini]
* d/postfix.postinst: tolerate search domain with a leading dot.
Closes: #991950
[Sergio Durigan Junior]
* Support networkd-dispatcher. Closes: #999867 lp: #1718227
-- Scott Kitterman <scott@kitterman.com> Thu, 23 Dec 2021 00:18:30 -0500
postfix (3.6.3-1) unstable; urgency=medium
[Scott Kitterman]
* Add license information from TLS_LICENSE. Closes: #991610
* Additional debian/copyright updates
* Refresh patches
* Add Pre-Depends on init-system-helpers (>= 1.54~) due to use of
--skip-systemd-native flag
* Update lintian overrides
* Bump standards-version to 4.6.0 without further change
[Wietse Venema]
* 3.6.3
-- Scott Kitterman <scott@kitterman.com> Tue, 21 Dec 2021 00:13:25 -0500
postfix (3.5.13-1) unstable; urgency=medium
[Wietse Venema]
* 3.5.13
[Aaron Thompson]
* Support non-default instance config directories.
[Scott Kitterman]
* Refresh patches
-- Scott Kitterman <scott@kitterman.com> Sat, 13 Nov 2021 16:05:59 -0500
postfix (3.5.6-1) unstable; urgency=medium
[Dominic Raferd]
* Fix configure-instance.sh for postfix 3.0+ chroot default. Closes: #959517
[Scott Kitterman]
* Refresh patches
* Delete debian/patches/tls_version.diff - incorporated upstream
[Wietse Venema]
* 3.5.5
* 3.5.6
-- Scott Kitterman <scott@kitterman.com> Sun, 02 Aug 2020 17:11:04 -0400
postfix (3.5.4-1) unstable; urgency=medium
[Wietse Venema]
* 3.5.4
-- Scott Kitterman <scott@kitterman.com> Mon, 29 Jun 2020 21:16:04 -0400
postfix (3.5.3-1) unstable; urgency=medium
[Wietse Venema]
* 3.5.3 LP: #1881196
[Debian Janitor]
* Trim trailing whitespace.
* Fix day-of-week for changelog entries 0.0.20001030.SNAPSHOT-4,
0.0.20001030.SNAPSHOT-3, 0.0.19991231pl02-1, 0.0.19990122-1.
-- Scott Kitterman <scott@kitterman.com> Mon, 15 Jun 2020 16:23:34 -0400
postfix (3.5.2-1) unstable; urgency=medium
[Scott Kitterman]
* Update README.Debian to mention postfix-doc. Closes: #234009
* Spelling fixes in README.Debian
[Wietse Venema]
* 3.5.2
[Cody Brownstein]
* Fix README.Debian instructions for SMTP generic mapping and related
example
-- Scott Kitterman <scott@kitterman.com> Mon, 18 May 2020 15:25:47 -0400
postfix (3.5.1-1) unstable; urgency=medium
[Scott Kitterman]
* Delete d/p/gcc_10_glibc_2_31.patch, incorporated in 3.5.1
[Wietse Venema]
* 3.5.1
-- Scott Kitterman <scott@kitterman.com> Mon, 20 Apr 2020 17:21:21 -0400
postfix (3.5.0-2) unstable; urgency=medium
[Scott Kitterman]
* Add patch from upstream for GCC-10 and Glibc 2.31 support. Closes: #957697
[Aaron Thompson]
* Fix bug in tls_CApath copying. LP: #1872288
-- Scott Kitterman <scott@kitterman.com> Fri, 17 Apr 2020 11:51:01 -0400
postfix (3.5.0-1) unstable; urgency=medium
[Scott Kitterman]
* Drop debian/patches/80_glibc2.30-ftbfs.diff, incorporated upstream
* Refresh patches
[Wietse Venema]
* 3.5.0
-- Scott Kitterman <scott@kitterman.com> Mon, 16 Mar 2020 16:32:19 -0400
postfix (3.4.10-1) unstable; urgency=medium
[Scott Kitterman]
* Update postfix.postinst text to refer to systemctl vice service
[Wietse Venema]
* 3.4.10
-- Scott Kitterman <scott@kitterman.com> Fri, 13 Mar 2020 01:11:35 -0400
postfix (3.4.9-1) unstable; urgency=medium
[Scott Kitterman]
* Correct Debian's smtp (8) man page name in d/p/debian-man-name.diff for
lmtp. Closes: #920356
* Fix d/init.d running change so it works with multi-instance again
- Thanks to jaroslav@thinline.cz for the fix. Closes: #944922
* Bump standards-version to 4.5.0 without further change
* Switch from debian/compat to debhelper-compat and bump compat to 12
- Update debian/rules to use dh_installsystemd instead of
dh_systemd_enable and dh_systemd_start
- Update debian/rules for new example install path
[Wietse Venema]
* 3.4.9
-- Scott Kitterman <scott@kitterman.com> Sat, 15 Feb 2020 22:34:22 -0500
postfix (3.4.8-1) unstable; urgency=medium
[Scott Kitterman]
* Stop generating obsolete Upstream substvar
* Bump standards-version to 4.4.1 without further change
* Use -l instead of LD_LIBRARY_PATH for dh_shlibdeps
* Check GPG signature when downloading new versions via uscan
[Wietse Venema]
* 3.4.8
-- Scott Kitterman <scott@kitterman.com> Sun, 12 Jan 2020 02:26:14 -0500
postfix (3.4.7-2) unstable; urgency=medium
[Andreas Hasenack]
* Update autopkgtest to use python3. Closes: #943212 LP: #1845334
[Scott Kitterman]
* Update smtp_tls_CApath to /etc/ssl/certs so it actually works.
Closes: #923083
* Refactor running status detection in sysv init based on upstream
postfix-script so it works in docker. Closes: #941293
-- Scott Kitterman <scott@kitterman.com> Sun, 03 Nov 2019 13:09:50 -0500
postfix (3.4.7-1) unstable; urgency=medium
[Andreas Hasenack]
* d/p/80_glibc2.30-ftbfs.diff: fix build with glibc 2.30 (LP: #1842923)
[Scott Kitterman]
* Refresh patches
* Modernize default TLS setup:
- Drop addition of smtpd_tls_session_cache_database to TLS parameters (no
longer needed since TLS session tickets are used now). Closes: #934803
- Replace use of obsolescent smtpd_use_tls=yes with
smtpd_tls_security_level=may in default TLS setting. Closes: #520936
- Add smtp_tls_security_level=may to default TLS settings so that both
client and server TLS are now enabled by default for new installations.
Closes: #163144
- Stop copying smtp_tls_CAfile into chroot, not needed per postfix docs
- Also copy smtpd_tls_CApath files into chroot. Closes: #579248
- Add smtp_tls_CApath using /usr/share/ca-certificates/ to default TLS
configuration so postfix smtp client can use the system certificate
store to verify smtp server certificates, add ca-certificates to postfix
Recommends. Closes: #923083
* Bump standards version to 4.4.0 without further change
* Fix spelling errors in Debian provided man pages
[Christian Göttsche]
* Fix debian/rules so build flags are applied Closes: #879668
[Wietse Venema]
* 3.4.6
* 3.4.7
-- Scott Kitterman <scott@kitterman.com> Sun, 22 Sep 2019 16:21:17 -0400
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog postfix`.