The stable Postfix release is called postfix-2.10.x where 2=major
release number, 10=minor release number, x=patchlevel.  The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-2.11-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
before proceeding.

Major changes with snapshot 20130602
====================================

Support for PKI-less TLS server certificate verification, where the
CA public key is identified via DNSSEC lookup. 

This feature introduces a new TLS security level called "dane"
(DNS-based Authentication of Named Entities) that uses DNSSEC to
look up CA information for a server TLS certificate.  The details
of DANE core protocols are still evolving, as are the details of
how DANE should be used in the context of SMTP. Postfix implements
what appears to be a "rational" subset of the DANE profiles.

The problem with PKI is that there are literally hundreds of
organizations world-wide that can provide a certificate in anyone's
name. There have been widely-published incidents in recent history
where a certificate authority gave out an inappropriate certificate
(e.g., a certificate in the name of Microsoft to someone who did
not represent Microsoft), where a CA was compromised (e.g., DigiNotar,
Comodo), or where a CA made operational mistakes (e.g., TURKTRUST).
Another concern is that a legitimate CA might be coerced to provide
a certificate that allows its government to play man-in-the-middle
on TLS traffic and observe the plaintext.

Major changes with snapshot 20130512
====================================

Allow an SMTP client to skip postscreen(8) tests based on its
postscreen_dnsbl_sites score. 

Specify a negative "postscreen_dnsbl_whitelist_threshold" to enable
this feature.  When a client passes the threshold value without
having failed other tests, all pending or disabled tests are flagged
as completed.

Major changes with snapshot 20130405
====================================

The recipient_delimiter parameter can now specify a set of characters.
A user name is now separated from its address extension by the first
character that matches the recipient_delimiter set.

For example, specify "recipient_delimiter = +-" to support both the
Postfix-style "+" and the qmail-style "-" extension delimiter.  

As before, this implementation recognizes one delimiter character
per email address, and one address extension per email address.

Major changes with snapshot 20130319
====================================

Postfix support for LMDB databases is suspended due to the existence
of a hard limit (an "out of storage" failure mode that cannot be
resolved by increasing the database size).

Postfix may support LMDB again when it no longer limits the size
of Postfix transactions, whether the limit is built into LMDB itself,
or implicit by requiring an unbounded amount of memory to handle a
large transaction.

Major changes with snapshot 20130315
====================================

LMDB support by Howard Chu. This implementation has unexpected
failure modes that don't exist with other Postfix databases, so
don't just yet abandon CDB. See LMDB_README for details.
