[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.7.0.html]
Postfix stable release 3.7.0 is available. This ends support for legacy release Postfix 3.3.
The main changes are below. See the RELEASE_NOTES file for further details.
Support for inlining the content of small cidr:, pcre:, and regexp: tables in Postfix parameter values. An example is the new smtpd_forbidden_commands default value, "CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}}", which quickly drops connections from clients that send garbage.
To make the maillog_file feature more useful, including stdout logging from a container, the postlog(1) command is now set-gid postdrop, so that unprivileged programs can use it to write logging through the postlogd(8) daemon. This required hardening the postlog(1) command against privilege escalation attacks.
Support for library APIs: OpenSSL 3.0.0, PCRE2, Berkeley DB 18.
Postfix programs now randomize the initial state of in-memory hash tables, to defend against hash collision attacks involving a large number of attacker-chosen lookup keys. Presently, the only known opportunity for such attacks involves remote SMTP client IPv6 addresses in the anvil(8) service, and requires making hundreds of short-lived connections per second while cycling through thousands of different client IP addresses.
Updated defense against remote clients or servers that 'trickle' SMTP or LMTP traffic. This replaces the old per-record deadlines with per-request deadlines and minimum data rates.
Many typofixes by raf and Wietse.
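The move from per-record deadlines to per-request deadlines with a minimum data rate, mentioned above, can be seen in the following simplified model. It is an added example, not Postfix source code: the simulate() function, the outcome struct, the 300-second limit and the 500 bytes/second rate are assumptions chosen for illustration, and the two peers are constructed.

```c
#include <stdio.h>

/* Assumed values for this model; they are not taken from the announcement. */
#define TIME_LIMIT_MS 300000LL  /* time allowed per record or per request */
#define MIN_RATE_BPS  500LL     /* minimum data rate a peer must sustain */

typedef struct { int completed; long long end_ms; long long bytes; } outcome;

/* Simulate a peer that delivers `chunk` bytes every `gap_ms` until `total`
 * bytes have arrived. per_request=0: the timer restarts for every record.
 * per_request=1: one time budget covers the whole request; waiting spends
 * it, and received data earns it back at 1 second per MIN_RATE_BPS bytes. */
outcome simulate(int per_request, long long total, long long chunk,
                 long long gap_ms)
{
    long long now = 0, got = 0, budget = TIME_LIMIT_MS;

    while (got < total) {
        if (!per_request)
            budget = TIME_LIMIT_MS;           /* fresh timer per record */
        if (gap_ms >= budget)                 /* budget expires mid-wait */
            return (outcome){0, now + budget, got};
        now += gap_ms;
        got += chunk;
        if (per_request) {
            budget += chunk * 1000 / MIN_RATE_BPS - gap_ms;
            if (budget > TIME_LIMIT_MS)       /* never exceed the limit */
                budget = TIME_LIMIT_MS;
        }
    }
    return (outcome){1, now, got};
}

int main(void)
{
    /* Constructed peers: a trickler (1 byte per 100 s) and a normal sender
     * (64000 bytes per 10 s). */
    outcome a = simulate(0, 10000, 1, 100000);
    outcome b = simulate(1, 10000, 1, 100000);
    outcome c = simulate(1, 640000, 64000, 10000);

    printf("per-record,  trickler: done=%d end=%lld ms bytes=%lld\n",
           a.completed, a.end_ms, a.bytes);
    printf("per-request, trickler: done=%d end=%lld ms bytes=%lld\n",
           b.completed, b.end_ms, b.bytes);
    printf("per-request, normal:   done=%d end=%lld ms bytes=%lld\n",
           c.completed, c.end_ms, c.bytes);
    return 0;
}
```

In this model the trickling peer holds a per-record session open for about 11.6 days, while the per-request budget ends it just after 300 seconds; the normal sender is unaffected.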
You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.