This release, among other fixes, includes the fix for the zero-day "SMTP smuggling" vulnerability. Detailed analysis: https://www.postfix.org/smtp-smuggling.html. Until 0.7.1, maddy was an "email service B" in the terminology of that analysis.
Fixes
- cfgparser: Do not interpret absolute paths relative to the config dir (#592).
- target/remote: Fix isVerifyError not working correctly on Go 1.20 (#612).
- smtpconn/pool: Fix idle connections almost never cleaned up (#596).
- target/remote: Fix wrong DNS query type in DANE lookups for IPv6-only hosts (#631).
- [SECURITY] go-smtp: Mitigate SMTP smuggling issue (#661).
- endpoint/smtp: Detect cancelled rDNS lookup correctly (#626).
- check/spf: Handle empty MAIL FROM in accordance with RFC 7208.
Misc
- storage/imapsql: Add support for transpiled SQLite driver.
Tests
- Fix cover_test.go deadlock on Go 1.20.
Distribution & packaging
- build.sh: Allow running ./build.sh install without the go command available (#569).
- dist/systemd: Ease umask restrictions, making files RW for maddy group (#569).
- dist/systemd: Depend on network-online.target (#617).
Documentation
- Improve Markdown formatting and grammar (#600, #614, #662).
- Fix a bunch of broken links (#601, #602, #667).
- email_with_domains -> email_with_domain (#609, #613).
- Fix wrong SPF record suggestion (#640).
- Fix number of sigs for modifiers.dkim sign_fields (#643).
- Explicitly mention that referencing a config block from a global directive won't work.