# Postfix Admin
#
# LICENSE
# This source file is subject to the GPL license that is bundled with
# this package in the file LICENSE.TXT.
#
# Further details on the project are available at http://postfixadmin.sf.net

Version 3.2 - 2018/05/02
-------------------------------------------------
  - move public facing stuff into public/, this allows us to stop exposing
    templates_c/ etc. to the world (but also means you'll need to adjust your
    webserver config)
  - enable users to reset their passwords by mail or SMS
    ($CONF['forgotten_user_password_reset'], $CONF['forgotten_admin_password_reset'],
    $CONF['sms_send_function'])
  - allow local alias targets (without @domain) - see #134
  - add $CONF['edit_alias'] to disable "edit_alias" function for users
  - add php_crypt $CONF["encrypt"] option (see #170 for examples)
  - add random_compat phar (see: https://github.com/paragonie/random_compat)
    to support random_int()/random_string() in older PHP versions.
  - add support for MySQL connections over SSL
  - language updates: sk, ja, nl, bg, fr, cz
  - update bundled smarty library (lib/smarty to 3.1.32; includes security fixes)
  - split up pacrypt() into different functions; add some minimal test coverage
  - add id autoincrement field to log table (#89)
  - add token to login.php to prevent CSRF
  - lots of bugfixes and code cleanup
  - drop unused code in postfixadmin-cli
  - introduce PHP-CS-Fixer to enforce code style
  - vacation.pl:
    - avoid answering to more known autoresponders
    - add $no_vacation_pattern to avoid sending autoresponders based on the To: address
    - replace Deprecated Mail::Sender by Email::Sender
    - use MIME:EncWords
    - remove unused MIME::Base64
  - add docker repo, see https://github.com/postfixadmin/docker

Version 3.1 - 2017/06/25
-------------------------------------------------
  - broadcast improvements:
    - allow to send to mailboxes only
    - allow to send to only some domains
    - allow domain admins to send to their domains
    - new config option $CONF['sendmail_all_admins']
    - don't send to
      inactive mailboxes or aliases
  - update squirrelmail plugin
  - better static DB connection cache to avoid hundreds of mysqli connections
    when doing lots of escape_string() calls
  - use $CONF[page_size] in viewlog.php
  - fix problems with utf8mb4 as default charset in setup.php/upgrade.php
  - fix default for $CONF[create_mailbox_subdirs_hostoptions]
  - get rid of variables.inc.php (and initialize variables where needed)
  - add favicon to fix session handling in chrome (#44)
  - add check to ensure templates_c/ exists and is writeable
  - recommend usage of config.local.php in setup.php
  - remove php4 constructor from cNav_bar (page browser)
  - update fr.lang

Version 3.0.2 - 2017/02/08 - SVN r1895
-------------------------------------------------
  - SECURITY: don't allow to delete protected aliases (CVE-2017-5930, PR#23)
  - fix VacationHandler for PostgreSQL
  - AliasHandler: restrict mailbox subquery to allowed and specified domains
    to improve performance on setups with lots of mailboxes
  - allow switching between dovecot:* password schemes while still accepting
    passwords hashed using the previous dovecot:* scheme
  - FetchmailHandler: use a valid date as default for 'date'
  - fix date formatting in non-english languages when using PostgreSQL
  - debian packaging: improve dependencies, remove old templates_c/ files
  - various small fixes

Version 3.0.1 - 2016/09/19 - SVN r1870
-------------------------------------------------
  - add missing Smarty files to Debian package
    (no changes to PostfixAdmin, therefore only released as Debian packages)

Version 3.0 - 2016/09/11 - SVN r1861
-------------------------------------------------
  - add sqlite backend option
  - add configurable smtp helo (CONF["smtp_client"])
  - new translation: ro (Romanian)
  - language update: tw, cs, de
  - fix escaping in gen_show_status() (could be used to DOS list-virtual by
    creating a mail address with special chars)
  - add CSRF protection for POST requests
  - list.tpl: base edit/editactive/delete links in list.tpl on $RAW_item
    to avoid double escaping, and fix some corner cases
  - editform.tpl: add {if} block for description column for easier customization
  - use smarty html_options instead of select_options()
  - remove advice about using SetEnv for database password
  - include_once(config.local.php) instead of include()ing it to prevent
    include loops if someone copies config.inc.php to config.local.php
  - vacation.pl: encode wide-chars utf8 in mail body, mime-decode original subject
  - fix db_quota_text() for postgresql (concat() vs. ||)
  - change default date for 'created' and 'updated' columns from 0000-00-00
    (which causes problems with MySQL strict mode) to 2000-01-01
  - allow punycode even in TLDs
  - update Smarty to 3.1.29
  - add checks to login.php and cli to ensure database layout is up to date
  - whitelist '-1' as valid value for postfixadmin-cli
  - don't stripslashes() the password in pacrypt
  - various small bugfixes

Version 3.0 beta3 (2.93) - 2015/09/26 - SVN r1802
-------------------------------------------------

Summary of major changes:
  - add list.php and list.tpl for displaying lists
    - based on *Handler $struct, which means list view can now be customized
      with $CONF[*_struct_hook] functions (columns with display_in_list and
      non-empty label will be displayed)
    - add CSV export
    - replaces list-domain.php, list-admin.php and fetchmail.php (including
      their *.tpl files) and the alias and alias domain lists in list-virtual
    - improved / more detailed search support by using URL parameters
      (list.php?search[field]=value, optionally also ?searchmode[field]=<
      - no pretty search form yet, limited to fields the user/admin can access)
    - only display search input box if search fields are specified in *handler
      (that effectively means no search box for admin, domain and fetchmail listings)
    - can also be used for users (non-admins)
  - add FetchmailHandler (replaces fetchmail.php and its template), which also
    means postfixadmin-cli can configure fetchmail jobs now
  - add $CONF['fetchmail_struct_hook']
  - remove unused $CONF['users_domain_controle']

PFAHandler:
  - new field types:
    - enma - associative array (value => displayed value), must be specified
      in the "options" column
    - html - raw HTML, used for mailbox status markers which include HTML tags
    - b64p - passwords stored as base64, used by FetchmailHandler
    - vtxt, vnum - "virtual", read-only text/integer
    - quot - formatted quota ("5/10", read-only)
  - automatically skip quot, vtxt and vnum fields in store()
  - add handling of users (non-admins), including permission checks
  - add and use $this->label_field and $this->label for nicer messages
  - add $this->order_by to allow ordering by any field(s)
  - add getMsg() function (needed by list.php)
  - add $msg['can_create'] (true by default, false will hide the 'create' button)
  - add $is_superadmin to make admin vs. superadmin easier to handle
  - add $can_edit and $can_delete (only available in edit/delete mode, set by
    init() based on the '_can_edit' and '_can_delete' from database query)
  - add $searchfields[] (list of fields to search by default, $search[_])
  - add $this->msg['show_simple_search'] (true if $searchfields is non-empty)
  - split off build_select_query() (also used for pagebrowser) from
    read_from_db() and add support for $search['_'] (searching in $searchfields[])
  - read_from_db(), getList(): add $searchmode parameter (_before_ $limit and $offset!)
    to be able to use different query modes, not only "="
  - add getPagebrowser() (returns an array of pagebrowser keys)

AdminHandler:
  - switch to using list.php (replaces list-admin.php)

DomainHandler:
  - reduce required permissions to 'admin', restrict write operations to superadmins
  - add optical quota indicators for aliases, mailboxes and domain quota
  - fix counting of aliases for domains without any mailbox
  - use list.php for displaying domain list (replaces list-domain.php)

MailboxHandler:
  - check_quota(): deny creating an unlimited mailbox if domain quota is set
  - storemore(): store maildir in the correct variable to fix running
    mailbox_postedit script (bug#342)

AliasHandler:
  - read_from_db_postprocess(): disable _can_edit and _can_delete for default
    aliases if special_alias_control is off and not superadmin
  - add 'status' column, move gen_show_status handling for aliases from
    list-virtual into AliasHandler db_read_from_db_potprocess()
  - change getList() to work with empty $condition
  - add getPagebrowser() to filter out mailboxes

edit.php:
  - Newer PHP versions (noticed with 5.6.6) don't include empty fields in
    $_POST, which broke changing a field to empty.
    Make sure all !isset() fields are set to ''.
  - for not-set bool values, set $values instead of the (wrong) $inp_values
  - add user (non-admin) mode

delete.php:
  - allow users (non-admins) to use delete.php (not used in PostfixAdmin yet)

list-virtual:
  - use AliasHandler, AliasdomainHandler and list.tpl for aliases and alias
    domains (the mailbox list still uses the old code)
  - replace $alias_pagebrowser_query and the create_page_browser() call with
    $handler->getPagebrowser()
  - adjust search to use ?search[_]=...
  - drop $check_alias_owner variable and check_alias_owner() call (replaced
    by the code added in AliasHandler)

misc:
  - translation updates: cs (patch#126), pl (by marcin-github), sv (patch#128)
  - add CliScheme.php to display the database scheme (for usage in upgrade.php)
  - error_log() a warning if nameserver queries in check_domain() take more
    than 2 seconds in total
  - add functions db_quota_text() and db_quota_percent() to generate SQL
    queries for used quota ("x/y" and percentage)
  - pacol(): replace $not_in_db with $multiopt - the remaining parameters can
    be specified as associative array (backwards-compatible).
    Also add $linkto parameter
  - db_where_clause(): add $additional_raw_where and $searchmode parameters,
    split query into WHERE and HAVING
  - delete no longer used check_alias_owner() function
  - display "view log" menu entry only if logging is enabled (patch#127)
  - smarty.inc.php assign(): additionally provide the unsanitized values as RAW_$key
  - setup.php: after creating a superadmin, display a note that the setup is
    done and it's possible to login now
  - setup.php: stop relying on subversion keyword for database upgrades
  - explicitly set session_cache_limiter to nocache (bug#347)
  - fetchmail.pl: honor the (newly added) active column
  - change fetchmail.date field to date (no auto-update) (bug#351)
  - several small changes and fixes at various places - too many to list them here

Version 3.0 beta2 (2.92) - 2014/10/28 - SVN r1706
-------------------------------------------------
  - AliasHandler: don't clean goto field when making alias inactive (bug#316)
  - list-virtual: display quota even if $CONF[used_quotas] == NO (bug#307)
  - vacation.pl: fix postgresql queries in vacation.pl (bug#315)
  - fix query in AliasHandler getList() which caused an empty list and breaks
    deletion of aliases in MariaDB (bug#313, bug#325)
  - fetchmail.pl: fix ssl extra options (cert check, cert path, fingerprint)
  - fix logging (run setup.php to fix old log entries) (bug#317)
  - fetchmail.php:
    change error_reporting() to exclude E_NOTICE (bug#322)
  - translation updates: fr (patch#123), nl (patch#122)
  - $CONF[default_aliases] can now use the new domain as alias target (patch#124)
  - check that vacation start/end date are not in the past (patch#122)
  - update vacation INSTALL.TXT with more secure locations
  - update Smarty to 3.1.21

Version 3.0 beta1 (2.91) - 2014/05/06 - SVN r1670
-------------------------------------------------

Summary of major changes:
  - new command-line interface "postfixadmin-cli"
  - major rewrite:
    - move lots of code into *Handler classes, which are used by web and
      command-line interface
    - replace various edit-*.php and create-*.php with a generic editform
      (edit.php/editform.tpl) - this also means it's easy to customize forms,
      add fields etc. (see $CONF['*_struct_hook'])
    - lots of code cleanup, remove/merge lots of duplicated code and templates
  - use smarty for templates
  - add ability to choose activation date, end date and reply interval for
    vacation message
  - various enhancements everywhere
  - redesign login page, list and edit pages (goodbye, green!) and make them wider
  - several new config options and changed defaults
  - NOTE: changes from the 2.3.x releases also apply to this version

new config options:
  - $CONF['language_hook'] Hook function to override or add translations to
    $PALANG. Example hook function included (commented out).
  - $CONF['password_validation'] - array with regular expressions to check if
    a password is valid/good enough.
    The default configuration enforces:
    - minimum length 5 characters/digits/whatever
    - at least 2 characters
    - at least 2 digits
  - $CONF['*_struct_hook'] - make $struct in the *Handler classes customizable
  - $CONF['vacation_choice_of_reply'] - list of reply interval options
  - $CONF['domain_quota'] - total quota per domain
  - $CONF['theme_custom_css'] - to add some custom CSS without editing the
    default CSS file
  - $CONF['motd_*'] - replaces motd*.txt

changed config defaults (with their new default value):
  - $CONF['database_type'] = 'mysqli';
  - $CONF['dovecotpw'] = "/usr/sbin/doveadm pw";
    $CONF['new_quota_table'] = 'YES';
    (for dovecot 2)
  - $CONF['domain_path'] = 'YES';
    $CONF['domain_in_mailbox'] = 'NO';
    (results in domain.tld/username/ maildirs)
  - $CONF['alias_control'] = 'YES';
    $CONF['alias_control_admin'] = 'YES';
  - $CONF['backup'] = 'NO';
  - $CONF['show_status']='YES';
    $CONF['show_status_key']='YES';
    $CONF['show_undeliverable']='YES';
    $CONF['show_popimap']='YES';
    $CONF['show_undeliverable_exceptions'] - "gmail.com" removed
  - $CONF[*_post*_script] - add empty defaults
  - $CONF['admin_email'] = ''
    IMPORTANT: If set, this will be used as mail sender for all mails (2.3.x
    used the currently logged in admin's username in most cases).
    $CONF['admin_email'] = '' will match the 2.3.x behaviour.

removed config options:
  - $CONF['min_password_length'] - now handled in /.{5}/ in $CONF['password_validation']
  - $CONF['postfix_admin_url'] - relative paths are now used everywhere

list-virtual.php:
  - display percentage of quota usage
  - display alias domains less confusing (using From/To)
  - list-virtual can now display only mailboxes, only aliases or only alias
    domains - or all in one page as in 2.3
  - extreme speedup of page browser in list-virtual if a large number of
    mailboxes or aliases exist
  - include search support (replaces search.php and brings various bug fixes
    for free)
  - fix: delivery to mailbox with a recipient delimiter (mailbox+foo@domain)
    was marked as "forward only"
  - fix: don't mark mailboxes with vacation active as undeliverable
  - fix: undeliverable targets were not flagged if another target pointed to
    a domain in $CONF[show_undeliverable_exceptions]

fetchmail.php, fetchmail.pl:
  - add sslcertck, sslcertpath, sslfingerprint fields/check (sslcertpath and
    sslfingerprint require $CONF[fetchmail_extra_options] because they don't
    have input validation)

functions.inc.php
  - allowed_quota: if $CONF[quota] == NO, just return 0 (unlimited)
  - authentification_get_username() - honor POSTFIXADMIN_SETUP to avoid a
    redirect to login.php after creating an admin with setup.php and to get
    "SETUP.PHP" for db_log()
  - check_domain(), check_email(): instead of calling flash_error(), return
    string with error message - or empty string if everything is ok
  - check_email():
    - replace $CONF[vacation_domain] only at the end of the mail address
    - don't trim() mail address to avoid that aliases starting with a space
      are allowed.
      This fixes http://sourceforge.net/p/postfixadmin/bugs/210/
  - check_language(): remove things like ";q=0.8" before checking if a
    language exists
  - check_owner():
    - escape_string() $username and $domain to prevent SQL injections
  - db_pgsql() - new function to replace lots of
    "if ($CONF[database_type] == 'pgsql')) checks
  - db_delete(): allow to specify additional conditions for the WHERE clause
  - db_get_boolean(): allow 0 and 1 as parameters, not only boolean true/false
  - db_log():
    - allow log actions create_admin and edit_admin
    - add edit_admin_state and delete_admin as comment/reminder that they
      should also be logged
  - db_query(): error_log() failed query
  - db_where_clause($condition, $struct) - new function to create a WHERE
    clause (bool values are converted with db_get_boolean() based on $struct)
  - _flash_string():
    - also accept an array of messages, not only a string
    - html-escape messages to fix XSS if the message contains user-supplied input
  - generate_password(): make generated password always 8 chars long (instead
    of $CONF['min_password_length'])
  - get_domain_properties(): use DomainHandler (function result mostly
    unchanged, only difference: instead of quota_sum in bytes it now returns
    total_quota in MB)
  - list_domains_for_admin():
    - rewrite to work for superadmins also (will list all domains now instead
      of "ALL"), which means we can drop the admin vs. superadmin check at
      various places
  - pacrypt():
    - no longer escape_string() the result.
      This fixes http://sourceforge.net/p/postfixadmin/bugs/218/
    - for 'system' encryption, use full hashed password as salt
      https://sourceforge.net/p/postfixadmin/bugs/2/
    - dovecot:*:
      - add support for dovecot *-CRYPT passwords (needs dovecot >= 2.1)
      - allow "."
        in dovecot method (to allow a suffix like ".b64")
      - Also, the {METHOD} part is no longer removed (passwords without
        {METHOD} still work)
  - remove_from_array() - new function
  - safesession() - new function (like safeget(), but for $_SESSION)
  - smtp_mail(): error_log() the error message if fsockopen() fails
  - table_by_key() now always prepends $CONF['database_prefix']
    NOTE: If you have/had an incomplete database_tables array and use
    $CONF['database_prefix'], you might need to rename the affected tables
    manually (add the database_prefix in their name).
  - moved several functions to the *Handler classes
  - deleted no longer used functions:
    - admin_exist()
    - authentication_is_admin()
    - authentication_is_user()
    - boolconf() (moved to Config::bool())
    - check_string()
    - create_admin()
    - check_alias() (moved to AliasHandler->create_allowed())
    - db_boolean_to_int()
    - domain_exist()
    - get_admin_properties()
    - get_mailbox_properties()
  - get rid of global $table_* variables, use table_by_key() instead

PFAHandler.php:
  - parent class for all *Handler classes
  - contains code shared between all classes

AdminHandler.php:
  - Handler class for admins
  - for now, set the superadmin column and add "ALL" in domain_admins to keep
    the database backwards-compatible with 2.3.x

AdminpasswordHandler.php:
  - used for the "change password" form for admins

DomainHandler.php
  - handler class for domains
  - delete(): do not allow to delete a domain if it is an alias domain target

AliasdomainHandler.php:
  - handler class for alias domains
  - alias domains can now be edited

AliasHandler.php:
  - rewrite based on PFAHandler - we even get a "deliver to local mailbox"
    checkbox :-)
  - only allow @domain as target if $this->id is a catchall
  - remove deprecated functions:
    - get()
    - hasStoreAndForward()
    - update()
    - is_mailbox_alias()
    - is_vacation_address()
    - hasAliasRecord()

MailboxHandler (previously named UserHandler in 2.3):
  - rewrite based on PFAHandler
  - drop old __construct(), view() and change_pass()
  - replace
    check of old password in change_pw() with $this->login
  - delete(): also cleanup fetchmail, quota and quota2 tables
  - always check password with validate_password()
  - always display correct available quota (using allowed_quota())
  - do not escape the password coming from $_POST.
    Fixes http://sourceforge.net/p/postfixadmin/bugs/218/

VacationHandler:
  - rewrite based on PFAHandler (not useable yet)
  - add ability to choose activation date, end date and reply interval for
    vacation message - http://sourceforge.net/p/postfixadmin/patches/111/

vacation.pl:
  - allow to use original subject in vacation reply subject ("Re: $SUBJECT")
    http://sourceforge.net/p/postfixadmin/patches/117/
  - encode subject - https://sourceforge.net/p/postfixadmin/bugs/272/ ,
    https://sourceforge.net/p/postfixadmin/patches/119/
  - add a friendly from address to vacation messages ($friendly_from)
  - make error handling if we cannot send the reply more robust
  - add $smtp_client config option to specify the helo name
  - added custom noreply detection ($noreply_pattern, $custom_noreply_pattern)

Config.php
  - new class to store $CONF
  - also used to store $PALANG texts (Config::Lang())
  - contains functions to read config entries in various ways (bool etc.)

edit.php
  - generic edit page for everything (admins, domains, mailboxes, aliases, ...)
  - use ?table= parameter to decide what will be edited (basically $tableHandler)
  - read handler-specific configuration from $handler->webformConfig() and
    use it at various places
  - always redirect to edit.php?table=$table after adding an item to ensure
    correct initialization for next item
  - call $handler->mergeId if $id_field is editable, but not displayed in
    form (usecase: merge localpart + domain to address)
  - set $form_fields and $id_field later (after $hander->init()) - needed for
    AliasHandler to decide if goto_mailbox should be displayed
  - only set $values if a field is editable and displayed in the form

editform.tpl:
  - generic edit form template, uses $struct to render the form
  - implement handling of 'list' fields (<select> with multiple choices
    allowed) - also include alternative implementation with checkboxes
    (commented out)

upgrade.php
  - _pgsql_field_exists(), _mysql_field_exists(): Those functions are always
    called with the expanded table name - don't expand it twice.
    (The better solution would be to change all calling code to provide
    non-expanded tablenames, but that's more work.)
  - change {BIGINT} to include "NOT NULL DEFAULT 0"
  - upgrade_1283(): add a "superadmin" column to the admin table
    This is the first step to get rid of the "ALL" dummy domain.
  - upgrade_1284(): migrate the ALL domain to the superadmin column
    Note: The ALL domain is not (yet) deleted to stay backwards-compatible
    for now (will be done in a later upgrade function)
  - change {BOOLEAN} to include "default false"

login.php
  - when login.php is requested, logout the current admin/user
    https://sourceforge.net/p/postfixadmin/bugs/284/ - this also means
    login.php is now used for logout
  - error_log() failed login attempts
    https://sourceforge.net/p/postfixadmin/feature-requests/111/

delete.php, editactive.php:
  - require token for CSRF protection, see
    https://sourceforge.net/p/postfixadmin/bugs/269/

xmlrpc.php:
  - adapt to *Handler syntax
  - setAway(): add (optional) new parameters for interval_time, activeFrom
    and activeUntil - https://sourceforge.net/p/postfixadmin/patches/113/
  - change $_SESSION['username'] to $_SESSION['sessid']['username']

*.lang:
  - get rid of several duplicate texts
  - removed HTML tags from $PALANG texts
  - several translation updates

documentation updates:
  - SECURITY.TXT: add note about templates_c directory
  - DOCUMENTS/POSTFIX_CONF.TXT is now executable and can generate the
    mysql_*.cf maps for postfix
  - update DOCUMENTS/DOVECOT.TXT for dovecot 2.x

squirrelmail plugin:
  - various bugfixes
  - documentation update

Debian packaging:
  - Changed source format to 3.0 (quilt)
  - simplified the DB credential patch and removing ucf registrations on
    package purge...
  - control: added php5-cli dependency
  - rules:
    - some permission fixes to postfixadmin-cli scripts
    - New target prep: Create a needed tar.gz file to build a non-native .dpkg
    - New target build-package: Call this target to build a shiny new .dpkg file
  - postfixadmin.docs: removed redundant changelog file
  - debian/postfixadmin.postrm: Call wwwconfig scripts only if they are existing

Version 2.3.8 - 2015/10/07 - SVN r1814 (postfixadmin-2.3 branch)
----------------------------------------------------------------
  - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311)
  - don't prefill username in users/ login on failed logins - fixes (probably
    harmless) XSS
  - fix show_gen_status() to properly escape mail addresses in query (#356)
  - fix escaping in create-admin, create-mailbox and fetchmail templates -
    fixes (harmless) XSS on form validation errors
  - don't echo the password back to the browser in the fetchmail form
  - allow MariaDB in Debian package dependencies

Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch)
----------------------------------------------------------------
  - SECURITY: fix SQL injection in show_gen_status()
  - lt.lang, da.lang translation update
  - when enabling/disabling a mailbox, also update the corresponding alias
  - fix creating superadmin in setup.php with MariaDB (more strict SQL)
  - don't trim() mail address to avoid that aliases starting with a space are
    allowed.
    This fixes http://sourceforge.net/p/postfixadmin/bugs/210/ and
    https://sourceforge.net/p/postfixadmin/feature-requests/113/
  - update regex in check_domain() to support new, longer TLDs like .international
  - mark vacation_notification.notified field as latin1 to avoid overlong index
  - vacation.pl: encode subject
  - vacation.pl: disable use of TLS by default due to a bug in Mail::Sender
    0.8.22 (you can re-enable it with $smtp_tls_allowed)

Version 2.3.6 - 2013/01/02 - SVN r1417 (postfixadmin-2.3 branch)
----------------------------------------------------------------
  - display domain and mailbox description with correct encoding
  - fix footer link
  - focus username input field in login form
  - fix double inclusion of config.inc.php in setup.php
  - fix bool and date handling in fetchmail

Version 2.3.5 - 2012/01/16 - SVN r1335 (postfixadmin-2.3 branch)
----------------------------------------------------------------
  - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
  - fix SQL injection in backup.php - the dump was not mysql_escape()d,
    therefore users could inject SQL (for example in the vacation message)
    which will be executed when restoring the database dump.
    WARNING: database dumps created with backup.php from 2.3.4 or older might
    contain malicious SQL. Double-check before using them!
  - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
  - fix XSS in some create-domain input fields
  - fix XSS in create-alias and edit-alias error message
  - fix XSS (by values stored in the database) in fetchmail list view,
    list-domain and list-virtual
  - create-domain: fix SQL injection (only exploitable by superadmins)
  - add missing $LANG['pAdminDelete_admin_error']
  - don't mark mailbox targets with recipient delimiter as "forward only"
  - wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function

Version 2.3.4 - 2011/09/16 - SVN r1180 (postfixadmin-2.3 branch)
----------------------------------------------------------------
  - generate more secure random passwords
  - squirrelmail plugin: fix typo in variable name
  - list-domain: fix SELECT query to work with PgSQL even when using custom fields
  - create-domain: force domain name to lowercase to avoid problems with
    PgSQL foreign keys
  - fix vacation.pl to log to "mail" syslog facility
  - error_log() dovecotpw error messages

Version 2.3.3 - 2011/03/14 - SVN r1010 (postfixadmin-2.3 branch)
----------------------------------------------------------------
  - create-alias: allow multiple alias targets
  - create-alias, edit-alias: prevent input data loss on validation errors
  - list-virtual: fix displaying of 'modified' column for aliases when using postgres
  - replaced deprecated split() with preg_split() or explode()
  - functions.inc.php: better error messages when database functions are missing
  - create domain: fixed typo in variable name that broke the default value
    for default aliases
  - postgres: changed mailbox.quota, domain.quota and domain.maxquota fields
    to bigint to allow mailboxes >4 GB (run setup.php to upgrade your database)
  - vacation.pl logged literal $variable instead of the variable content at
    two places
  - edit-vacation: log enabling/disabling vacation if done by admins
  - POSTFIX_CONF.txt: fixed filename for quota map
  - config.inc.php: removed double $CONF['database_prefix']
  - config.inc.php: fixed comments about domain_post* script parameters
  - updated INSTALL.TXT and UPGRADE.TXT
  - sk translation update
  - some more minor fixes

Version 2.3.2 - 2010/08/24 - SVN r860 (postfixadmin-2.3 branch)
---------------------------------------------------------------
  - SUMMARY: PostfixAdmin 2.3.2 is a bugfix-only release for Postfix Admin 2.3.1
  - SECURITY: attackers could find out if an admin exists (login pre-filled
    the username after "only" a wrong password was entered)
  - SECURITY: fix sql injection in list-domain (only exploitable by superadmins)
  - alias targets in users/edit-alias are now validated
  - invalid alias targets in users/edit-alias are shown to the user again
    instead of dropping them
  - fix dovecot:* password encryption (was broken in 2.3.1)
  - fix displaying used quota for dovecot <= 1.1 (was broken in 2.3.1)
  - when deleting a domain that is an alias domain (on the "from" side), the
    alias domain is deleted

Version 2.3.1 - 2010/07/09 - SVN r847 (postfixadmin-2.3 branch)
---------------------------------------------------------------
  - SUMMARY: PostfixAdmin 2.3.1 is a bugfix-only release for Postfix Admin 2.3.
    The only visible change is displaying the alias target for mailboxes which
    was a longstanding issue/"missing feature".
    The ADDITIONS directory contains some new scripts.
  - SECURITY: users could bypass checking the old password when changing the
    password by entering a too short new password. Fortunately only
    "exploitable" by authenticated users.
  - merge in changes to /debian (thanks normes) from trunk
  - display alias targets for mailboxes (if $CONF['special_alias_control'] = YES)
  - add hook for custom maildir path generation
  - add import_users_from_csv.py script (by Simone Piccardi)
  - add mailbox_post* scripts for cyrus
  - handle dovecot passwords without any tempfile (prevents safe_mode issues)
  - fix MySQL 6.0 compatibility
  - fix quota display (for dovecot >= 1.2)
  - fix short open tags ("<?")
  - translation updates and fixes
  - documentation updates and fixes
  - document commandline parameters for $CONF[*_script] options in config.inc.php
  - list-virtual: added error message if the check_owner query returns more
    than one result (can happen with pre-2.3 databases and prevents access
    for superadmins)
  - add in_array() check to avoid that superadmins can enter invalid domains
  - fix delete link for alias domains (when on target domain)
  - delete values from quota and quota2 table when deleting a mailbox
  - fix hardcoded table names in list-domain.php
  - fixed edit-alias.php not to drop alias to the mailbox if
    special_alias_control = NO
  - fix alias handling for mailboxes (special_alias_control vs.
    alias_control_admin confusion)
  - fix typo in upgrade.php that broke index creation and deletion when using
    non-default table names
  - fix creating 'ALL' domain (dummy for superadmins) when using non-default
    table names
  - fix: db_query did not return number of SELECTed rows if query starts with
    whitespace
  - check for $CONF['encrypt'] = 'dovecot:md5-crypt' (postfixadmin login not
    working because dovecotpw uses a new salt each time), recommend internal
    md5crypt instead
  - replaced terribly outdated, broken squirrelmail plugin with a fresh version.
    Note: The new plugin version requires the Zend framework.

Version 2.3 - 2009/10/24 - SVN r739
-----------------------------------
  - automatically create quota tables for dovecot (both 1.0/1.1 and >= 1.2)
  - list-virtual can now handle both table formats
  - fixed upgrade.php for MySQL 6.0 compatibility
  - changed vacation.pl syslog facility from "user" to "mail"
  - added config option for postgresql database port
  - added config option to enable/disable XMLRPC interface (default: off)
  - Fix check/query for alias with enabled vacation in vacation.pl
  - Fix db_get_boolean() to return t/f for postgresql, not true/false
  - Fix missing quoting for boolean values in SQL queries at various places
  - Allow SHA courier-authlib passwords
  - various small bug fixes
  - fixed SVN revision for 2.3rc7 in changelog (was r691, should be r694)

Version 2.3rc7 - 2009/07/27 - SVN r694
--------------------------------------
  - Fix bug with confd-link.sh debian thing (breakage on Lenny with
    wwwconfig-common 0.1.2)
  - Fix crypt() issue (see
    https://sourceforge.net/tracker/?func=detail&aid=2814820&group_id=191583&atid=937964 )

Version 2.3rc6 - 2009/07/20 - SVN r689
--------------------------------------
  - Updates to vacation.pl
  - PHP 5.3 compatibility
  - Easier dependencies for .debs - should work on Lenny/Ubuntu etc without
    issue now.

Version 2.3rc5 - 2009/05/20 - SVN r658
--------------------------------------
  - Improvements to the setup process
  - Far better Debian packaging (we hope!) which should make installation
    much, much easier.
  - Various bug fixes
  - Performance enhancements (or we fixed the regressions ...) in domain
    listing etc.

Version 2.3rc4 - 2009/04/18 - SVN r632
--------------------------------------
  - *Security fix* - on upgrade setup.php is restored; allowing a malicious
    user to create their own superadmin account. We've removed the requirement
    to delete setup.php, and instead a new config parameter (setup_password)
    is used to protect access to this page. Password is encrypted, and
    setup.php can be used to generate the initial value.
- Fix undefined variables problem(s)
- Fix PostgreSQL date timestamp issues...

Version 2.3rc3 - 2009/04/06 - SVN r611
--------------------------------------
- Minor improvements to the Debian packaging, expect more soon
- Assorted bug fixes
- Partial support for per-user fetchmail.pl support

Version 2.3rc2 - 2009/02/03 - SVN r593
--------------------------------------
- Refactor /users (see /model) and provide XmlRpc interface for remote mail clients (e.g. squirrelmail-postfixadmin)
- Add dovecotpw support - see: https://sourceforge.net/tracker/index.php?func=detail&aid=2607332&group_id=191583&atid=937966
- Add unit tests for model/ directory (see /tests)
- Add additional scripts to ADDITIONS
- Documentation updates
- Various language updates
- added ADDITIONS/delete-mailq-by-domain.pl (by Jose Nilton)
- added ADDITIONS/quota_usage.pl (by Jose Nilton) - produces report of quota usage
- added support for courier authlib authentication flavors ($CONF['authlib_default_flavor'])

Version 2.3 Beta - 2009/01/15 - SVN r527
-----------------------------------------
- added support for domain aliases (from lenix) (can be disabled with $CONF['alias_domain'])
  Important: If you update from a previous version, you'll have to adapt your postfix configuration (see DOCUMENTS/POSTFIX_CONF.txt) - or just disable alias domain support, your postfix configuration will continue to work
- updated postfix example configuration for domain aliases and to use the new mysql map format
- vacation.pl:
  - add option for re-notification after definable timeout (patch from Luxten) (default stays on "notify once")
  - force usage of envelope from/to, better checks for mailinglists, spam etc.
    If in doubt, do not send a vacation reply (patch from Lutxen)
  - added a small test suite
  - use Log4Perl
  - allow to enter the configuration in /etc/mail/postfixadmin/vacation.conf instead of editing vacation.pl directly
  - bump version number of vacation.pl
- added domain-postcreation script support
- added dovecot quota support (documentation + viewing in postfixadmin)
- enhanced mailbox table to make it easier for people to customise where mailboxes live (new column "local_part")
- enhanced fetchmail.pl script (file locking, syslog logging, configuration file etc)
- added clear error message for non-resolvable domains when creating mailboxes or aliases
- check for non-resolvable domains on domain creation
- new option $CONF['create_mailbox_subdirs_prefix'] for compatibility with more IMAP servers
- added support for mysql encrypt() password encryption
- fix "illegal mix of collations" problem in MySQL by explicitly setting the charset everywhere
- fix: cleanup vacation_notification table when disabling vacation
- fix: config and fetchmail tables now honor $CONF['database_tables']
- fix: several table names were hardcoded in database creation/update
- fix: "unlimited" and "disabled" for quota and limits were crossed at several places
- fix: honor $CONF['default_transport'] even if $CONF['transport'] = "no" (patch by fabiobon)
- fix: transport field is no longer emptied on domain edit if editing transport is disabled
- show links to create mailboxes or alias even on disabled domains
- added support for fetchmail's "ssl" option
- superadmin can now setup fetchmail for all users, not only for himself
- force username to be lowercase - this helps some IMAP clients apparently
- the "probably undeliverable" marker now honors catchall targets
- on mailbox creation, show password if $CONF['generate_password'] == 'YES', but do not show it if it was _not_ autogenerated and $CONF['show_password'] == 'NO'
- dropped $CONF['show_custom_count'].
  PHP can count ;-)
- dropped obsolete VIRTUAL_VACATION/mail-filter script
- translation updates
- several small bugfixes

Version 2.2.1.1 - 2008/07/23 - SVN r412
---------------------------------------
- fixed version number in functions.inc.php ;-)

Version 2.2.1 - 2008/07/21 - SVN r408
-------------------------------------
- added quota parameter to mailbox_postcreation hook
- new hook to update the quota after editing a mailbox ($CONF['mailbox_postedit_script'])
- fixed subfolder creation order and timing
- allow smtp server to be specified in vacation.pl
- fixed MySQL charset issues
- several small bugfixes
- Norwegian (bokmal) translation added
- several translation updates

Version 2.2.0 - 2008/04/29
--------------------------
<Far more changes than those listed here; thanks to all the community who have provided patches and time to help us get here!>
- Unicode support for vacation messages
- More language translations
- Merged the two vacation scripts (PostgreSQL version won :) )
- Added setup.php/upgrade.php scripts to handle upgrades - See also new 'config' database table
- Added support for 'fetchmail' so mail from a remote server can be retrieved.
- Many, many bug fixes
- Added: Feature to show status of aliases/mailboxes (GregC)
- Fixed: Many admin/*.php files merged with /*.php
- Fixed: 'alias' instead of '$table_alias' being used by some .php files (GregC)
- Fixed: Overview no longer lists alias entries for mailboxes (GregC)
- Changed: Added exit buttons to several edit options.
  (GregC)
- Fixed: user options are a little more idiot-proof, templates are consistent (GregC)
- Changed: Users can view and edit their vacation config (GregC)
- Added: Slovakian language posted on SourceForge by eszabo
- Changed: searches include mailbox.name matches (GregC)
- Fixed: function check_email will ignore vacation_domain if vacation==YES (GregC)
- Changed: applied patches from Christian Boltz posted at http://www.cboltz.de/tmp/postfixadmin-3.patch, referenced at https://sourceforge.net/tracker/index.php?func=detail&aid=1696647&group_id=191583&atid=937966 (GregC)
- Added: main.php to admin directory (GregC)
- Added: Item "Main" on admin menu (GregC)
- Changed: Edit-vacation now edits for admins/superadmins (GregC)
- Added: Do not store local copy when forwarding mail. (Mihau) [24]
- Added: Virtual Vacation for PostgreSQL. (Tarvin)
- Added: Virtual Vacation 3.2 (Thanx David)
- Added: SUBJECT tag for Virtual Vacation.
- Added: Dovecot setup document for Postfix Admin. (Thanx Massimo)
- Added: SquirrelMail plugin to change_password.
- Changed: Starting to merge /admin in root. (Mihau)
- Changed: Moved some TXT files to DOCUMENTS.
- Changed: Updated tw.lang. (Thanx Bruce)
- Fixed: Usage of mysql_real_escape_string(). (Mihau)
- Fixed: Calculating of quotas. (Mihau)
- Fixed: Password generation when creating a new account. (Mihau)
- Fixed: PostgreSQL patches. (Tarvin)
- Fixed: Adding of multiple aliases. (Mihau)
- Fixed: CSS Menu width. (Mihau)
- Fixed: Overview when upgrading from 2.0.4. (Mihau)
- Fixed: smtp_mail() to wait for response from server.
- Fixed: pacrypt() so system works properly. (Thanx Npaufler)
- Fixed: quoting an email address when sending mail in vacation.pl. (Thanx Marc)
- Fixed: vacation.pl has a clean exit when it encounters an error. (Thanx Brian)
- Fixed: descriptions for quota={-1|0} in admin section (Mihau)

Version 2.1.0 -- 2005/01/07
---------------------------
- Added: Traditional Chinese language.
  (Thanx Bruce)
- Added: Traditional Bulgarian language. (Thanx Plamen)
- Added: Macedonian language. (Thanx Damjan)
- Added: Estonian language. (Thanx Peeter)
- Added: Slovenian language. (Thanx Nejc)
- Added: Check for update link in footer.
- Added: Additional language strings. Check LANGUAGE.TXT
- Added: Transport support. (read postfix transport for more information)
- Added: Additional language string for transport support.
- Added: MySQL 4.1 support.
- Added: PostgreSQL support. (Big Thanx WhiteFox!)
- Added: Setup Checker script. (Thanx Fenrir)
- Added: Database prefix. (Thanx Decramy)
- Added: Template tags. (Thanx Nelson)
- Added: admin/domain/alias/mailbox in delete dialog box.
- Added: $CONF['postfix_admin_url'] variable.
- Added: $CONF['postfix_admin_path'] variable.
- Added: $CONF['vacation_domain'] variable.
- Added: $CONF['welcome_text'] variable.
- Added: $CONF['special_alias_control'] variable. (Thanx Mihau)
- Added: Virtual Vacation 3.1 (Thanx David)
- Added: ADDITIONS directory with third party scripts and plugins.
- Added: Search function for aliases and mailboxes.
- Changed: Postfix Admin now has its own license.
- Changed: New menu and color scheme. (Thanx Nelson)
- Changed: Disable number and unlimited number for aliases/mailboxes/quota.
- Changed: Virtual Vacation to have its own transport. (Big Thanx Npaufler!)
- Changed: Removed the welcome text for a new mailbox from the language files.
- Changed: backup.php to be more secure. (Thanx John)
- Fixed: Cleaned up stylesheet.
- Fixed: Default quota multiplier.
- Fixed: All POST/GET strings are escaped.
- Fixed: Corrected smtp_mail() to wait for result. (Thanx Patrice)
- Fixed: Pagination with alias_control switched on.
- Fixed: Swedish language. (Thanx Bjorne)
- Fixed: Polish language. (Thanx Piotr)
- Fixed: Minor Virtual Vacation bugs. (Thanx David)
- Fixed: check_quota().
- Fixed: Minor encode_header() issue.
  (Thanx Matthew)
- Fixed: edit-alias.php when running with magic_quotes_gpc = off

Version 2.0.5 -- 2004/08/21
---------------------------
- Added: Chinese language. (Thanx Matthew)
- Added: Catalan language. (Thanx Jaume)
- Added: Czech language. (Thanx Jakub)
- Added: Dynamic language detection.
- Added: Header in header.tpl to set charset header from language file.
- Added: More subroutines and alias checking for Vacation. (Thanx David)
- Added: Domain pass-through with certain pages.
- Added: Backup MX option for domain.
- Added: Log contains IP address of admin.
- Added: Pagination for alias/mailbox listing.
- Added: 2 additional language strings to support Backup MX.
- Added: Support for motd.txt (Domain Admins only).
- Added: Support for motd-admin.txt (Site Admins only).
- Added: Support for motd-users.txt (Users only).
- Added: Optional hostname for vacation.
- Added: generate_password() to generate random passwords for mailboxes.
- Changed: dk -> da, se -> sv, no-nn -> nn
- Changed: All email addresses are now converted to lowercase, strtolower().
- Changed: Moved onMouseOver to the CSS stylesheet.
- Changed: Moved font color to the CSS stylesheet.
- Changed: PHP mail() is replaced by an internal function, smtp_mail().
- Changed: mysql_fetch_array() replaced with internal function db_array().
- Changed: mysql_fetch_assoc() replaced with internal function db_assoc().
- Changed: mysql_fetch_row() replaced with internal function db_row().
- Changed: Quota multiplier is now a configuration option.
- Fixed: Login didn't check for active flag.
- Fixed: Minor html table errors.
- Fixed: Row count by using COUNT(*).
- Fixed: Locked down subdirectories.
- Fixed: Create admin properly populates the domain_admins table.
- Fixed: Cleaned up stylesheet.css.
- Fixed: Delete mailbox properly removes vacation entries.

Version 2.0.4 -- 2004/02/26
----------------------------
- Added: Euskara language. (Thanx Julen)
- Added: Hungarian language.
  (Thanx Christian)
- Added: Icelandic language. (Thanx Gestur)
- Added: Italian language. (Thanx Stucchi)
- Added: Norwegian - Nynorsk language. (Thanx Paul)
- Added: Polish language. (Thanx Jarek)
- Added: Portuguese - Brazil language. (Thanx Roberto)
- Added: Russian language. (Thanx Paul)
- Added: Turkish language (Thanx Onuryalazi)
- Added: Encode a string according to RFC 1522 for use in headers if it contains 8-bit characters. (Thanx Evgeniy)
- Added: One click active change of mailbox/domain/admin. (Thanx Marcin)
- Changed: Header in header.tpl to read charset header from language file.
- Fixed: Some form values are now parsed through htmlspecialchars(). (Thanx Marcin)
- Fixed: admin/delete.php ignored $CONF['vacation'].
- Fixed: More minor fixes to Virtual Vacation.

Version 2.0.3 -- 2004/01/14
----------------------------
- Added: Site Admin email address.
- Added: Danish language. (Thanx Lars)
- Added: Dutch language. (Thanx Mourik)
- Added: Faroese language. (Thanx Danial)
- Added: Finnish language. (Thanx Palo)
- Added: French language. (Thanx Kuthz)
- Added: Swedish language. (Thanx Slite)
- Added: Ignoring of MAILER-DAEMON type emails for Vacation.
- Fixed: Minor issues regarding mail().
- Fixed: Minor issues regarding crypt().
- Fixed: Strip issue of email address for Vacation.

Version 2.0.2 -- 2004/01/06
----------------------------
- Added: German language. (Thanx Tobias)
- Added: Spanish language. (Thanx Alvaro)
- Fixed: The body was not included using sendmail.php.
- Fixed: Undefined variables.
- Fixed: Minor HTML cleanup.

Version 2.0.1 -- 2004/01/04
----------------------------
- Fixed: The language variable caused a problem on some systems.

Version 2.0.0 -- 2004/01/03
----------------------------
- Added: The ability for one domain admin to maintain multiple domains.
- Added: Domain to domain forwarding.
- Added: Mailboxes can now be activated or deactivated.
- Added: Configurable welcome message for new mailboxes.
- Added: Optional sending of welcome message.
- Added: Create alias "To" defaults to current domain.
- Added: Logging of admin / user actions.
- Added: Limit for aliases and/or mailboxes per domain.
- Added: Disable aliases and/or mailboxes per domain.
- Added: Max quota per mailbox per domain.
- Added: Multi-Language support.
- Added: Statistics overview for all domains.
- Added: User .forwarding for mailbox users.
- Added: Logo for Postfix Admin (Thanx Andrew).
- Added: Extra MySQL debugging capabilities.
- Added: Clear text password support.
- Added: PHP crypt() support.
- Changed: Separated logic and SQL from content.
- Changed: config.inc.php doesn't point to example.com anymore.
- Changed: Virtual Vacation no longer requires procmail.
- Changed: Complete re-write.

Version 1.5.4 -- 2003/06/16
----------------------------
- Added: Option for "Back to".
- Added: Option for Vacation module.
- Added: Table declaration for the use of Quota in the INSTALL.TXT.
  This requires an additional local delivery agent.
  Quotas are not supported by Postfix!
- Changed: The word "View" to "List".

Version 1.5.3 -- 2003/06/06
----------------------------
- Fixed: Even more minor bugs in regards to declaration of variables. (Thanx Aquilante and Kyle_m)

Version 1.5.2 -- 2003/06/05
----------------------------
- Fixed: Minor bugs in regards to declaration of variables.

Version 1.5.1 -- 2003/06/04
----------------------------
- Added: Optional mailbox per domain directory structure. (Thanx Jim)
- Added: Option to completely control the stored aliases. (Thanx Alex)
- Changed: config.inc.php is renamed to config.inc.php.sample. (Thanx Alex)
- Fixed: $PHP_SELF in config.inc.php and my_lib.php. (Thanx Jim)

Version 1.5.0 -- 2003/05/28
----------------------------
- Added: Support for "Back to Main Site"
- Added: config.inc.php as the main configuration file.
- Added: Drop down box for domain selection when adding a new admin.
- Added: Resend of test email to newly created mailbox.
- Added: Mailbox and Aliases count for domainview.
- Added: Change description of domain without deleting the complete domain.
- Added: Change name of mailbox user without deleting the mailbox.
- Added: Expire headers for unnecessary reloads. (Thanx Alex)
- Fixed: Code clean up.
- Fixed: Minor bugs and cosmetic fixes.
- Fixed: Modified check_string() to check numbers and returns false if not matched. (Thanx btaber)
- Fixed: Correct session handling in login.php (Thanx Yen-Wei Liu)
- Fixed: Correct deletion of RFC822 email addresses. (Thanx Yen-Wei Liu)
- Removed: Completely removed the site_lib.php.
- Removed: my_lib.php from the admin directory.
- Removed: Symlink to index.php.

Version 1.4.0 -- 2003/04/07
----------------------------
- Added: When deleting a domain, all aliases and mailboxes for that domain are also deleted from the database.
- Added: Add standard aliases for every domain that is created.
  These aliases can point to the main "local" administrator.
  The aliases are configured in the config.php in the admin directory.
- Changed: The layout of my_lib.php and site_lib.php have been changed.
- Changed: Modifying an alias is now done with TEXTAREA for more flexibility.
- Fixed: Minor bugs and cosmetic fixes.

Version 1.3.8a -- 2003/03/31
----------------------------
- Fixed: After deletion of a domain it would not return to the correct page.

Version 1.3.8 -- 2003/03/25
----------------------------
- Added: Admin password change. No longer needed to delete and re-enter the admin user for a specific domain.

Version 1.3.7 -- 2002/12/24
----------------------------
- Initial public release of Postfix Admin.

# vim: set expandtab softtabstop=2 tabstop=2 shiftwidth=2: