X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=debian%2Fchangelog;h=a087584d4b60df746e97d8b172113cd218b30e72;hb=129f22ff87d2c57d0b84d7a9dba7504f704a8966;hp=8a14c32d3f1f78ceb1e2a4e1ca3d90eaedcc9463;hpb=6ae0102b3a2502841f89614429fa402cfafd99a0;p=pmg-api.git diff --git a/debian/changelog b/debian/changelog index 8a14c32..a087584 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,728 @@ +pmg-api (8.1.0) bookworm; urgency=medium + + * fix #5189: cluster: avoid sync errors for statistics and quarantine due to + existing data on fresh nodes, which can happen, for example, when + restoring a backup. + + * pmgdb dump: + - print the type of an object to better differentiate, e.g., an domain + entry from a regex entry with the same value. + - better highlight active rules over inactive ones + - drop "found" prefixes for each rule and group as that conveyed little + information, still clutters the output. + - add `active` CLI options to control if only active rules should be + printed + + * quarantine: sort the per-user want- and block-lists entries when saving + them to the DB + + * postfix template: update to current default setting (name) for the SMTP + Smuggling vulnerability in postfix version 3.7.10 and newer. + + * api: tracking center: drop timezone offset as new log-tracker does time + calculations directly in UTC + + * fix #2971: DKIM: Add a setting to specify whether to use the from-header + for signing instead of the current default envelope-from-address. + + * api: node status: return structured info about current kernel + + * api: node status: return info about current boot mode + + -- Proxmox Support Team Mon, 26 Feb 2024 20:26:57 +0100 + +pmg-api (8.0.12) bookworm; urgency=medium + + * fix #4818: utils: don't require minimum length for username + + * fix #4811: rule db: test regex validity on submit + + * system report: add content of /etc/pmg/dkim/domains + + * rule cache: reorganize how we gather marks and spaminfo and unnecessary + copying of marks + + * smtp-filter: log pre-fork worker settings on start-up + + * config: rework heurisitic for calculating the maximzm smtp-filter process + workers to better reflect modern setups w.r.t. 
total system memory + + * add objectgroup and rule attributes for 'and' and 'invert' logical + operators + + * rule cache: implement 'and' and 'invert' for the 'when', 'from', 'to' and + what objects + + * pmg-smtp-filter: rename proxtest.com to pmg.example in demo code paths to + avoid potential name squatting + + * database: use foreign keys for rule and object group attributes + + * fix #4392: keep empty user blocklist and wantlist in the database to + ensure they get synced correctly to other nodes + + * templates: postfix: set same timeouts for before and after-queue (10 + minutes) + + * config: postfix: make smtp-filter-timeout configurable + + * fix #2606: ruledb disclaimer: add ability to set position to start or end + + * fix #2430: ruledb disclaimer: make adding the separator configurable + + -- Proxmox Support Team Thu, 22 Feb 2024 17:26:12 +0100 + +pmg-api (8.0.11) bookworm; urgency=medium + + * fix invalid whitespaces in master.cf template introduced in 8.0.10 + + -- Proxmox Support Team Tue, 02 Jan 2024 12:53:36 +0100 + +pmg-api (8.0.10) bookworm; urgency=medium + + * address smtp-smuggling vulnerability (CVE-2023-51764) with the fix + recommended by postfix upstream by disallowing bare linefeeds, except from + internal sources, requires postfix version 3.7.9-0+deb12u1 to take effect + + -- Proxmox Support Team Tue, 02 Jan 2024 11:51:22 +0100 + +pmg-api (8.0.9) bookworm; urgency=medium + + * implement "SMTP-smuggling" mitigation for external port - see + https://www.postfix.org/smtp-smuggling.html for details + + -- Proxmox Support Team Fri, 22 Dec 2023 11:16:42 +0100 + +pmg-api (8.0.8) bookworm; urgency=medium + + * fix #4944: api/pbs remote: Add a port config + + * user quarantine: use raw pmail for ticket assembly + + * reduce the logging level of certain messages + + * apt: use `apt changelog` for changelog fetching + + * api/cli: acme: add eab parameters + + * api: acme: deprecate tos endpoint in favor of new meta endpoint + * api: quarantine: 
include descriptions for KAM rules in the spaminfo + + * pmg7to8: Add check for dkms modules + + * pmg7to8: check for proper grub meta-package for bootmode + + -- Proxmox Support Team Wed, 20 Dec 2023 10:58:29 +0100 + +pmg-api (8.0.7) bookworm; urgency=medium + + * handle pve-kernel -> proxmox-kernel rename + + -- Proxmox Support Team Tue, 01 Aug 2023 11:53:07 +0200 + +pmg-api (8.0.6) bookworm; urgency=medium + + * cluster: fingerprint parsing: adapt to changed openssl output + + -- Proxmox Support Team Tue, 25 Jul 2023 11:32:42 +0200 + +pmg-api (8.0.5) bookworm; urgency=medium + + * cluster config: restrict slurp scope to avoid issue parsing network + interfaces + + * pmg7to8: notify about unmodified templates + + * system report: skip irrelevant files in /etc/pmg/templates + + -- Proxmox Support Team Tue, 11 Jul 2023 17:53:49 +0200 + +pmg-api (8.0.4) bookworm; urgency=medium + + * fix #4815: pmgsh: fix calling the api paths directly + + * statistics: fix syntax of SQL query for virus info counter update + + -- Proxmox Support Team Mon, 03 Jul 2023 12:42:23 +0200 + +pmg-api (8.0.3) bookworm; urgency=medium + + * pmgpolicy, pmg-smtp-filter: set sensible PATH to ensure that standard + system binaries can be executed even if just their base name is used. 
+ + -- Proxmox Support Team Wed, 28 Jun 2023 17:42:32 +0200 + +pmg-api (8.0.2) bookworm; urgency=medium + + * make section match more precise when hard-coding 'use_bayes' & 'use_awl' + properties + + * tell the systemd debhelper to not stop the no-start services on upgrade, + avoiding noisy warnings for those with an associated timer and also that + any currently running operation of those services gets aborted + + * enable TFA lockout, for the relatively low-entropy TOTP type after 8 + consecutive tries, for all other types after 1000 consecutive tries, as + they have much higher entropy + + * include tfa lock status in user list and add user tfa-unlock endpoint + + -- Proxmox Support Team Wed, 28 Jun 2023 11:12:57 +0200 + +pmg-api (8.0.1) bookworm; urgency=medium + + * include version metadata again in statically generated pmgcfg module again + + -- Proxmox Support Team Wed, 28 Jun 2023 08:04:50 +0200 + +pmg-api (8.0.0) bookworm; urgency=medium + + * d/postinst: remove re-generation of unique machine-ID for old ISOs + + * cluster: adapt invocation of rsync for the version in Debian 12 Bookworm + + * postgresql compat: cast results explicitly to integer to cope with + PostgreSQL 15 changes where UNIX epochs are returned as float + + * auth: set PAM context to 'proxmox-mailgateway-auth' and set the rhost to + the IP address the users connects with, allowing one to limit PAM login to + certain networks. + + -- Proxmox Support Team Tue, 27 Jun 2023 18:20:30 +0200 + +pmg-api (8.0.0~1) bookworm; urgency=medium + + * re-build for Proxmox Mail Gateway 8 based on Debian 12 Bookworm + + * update postgresql dependency to 15 + + * postgresql.conf template: drop 'stats_temp_directory' config-setting as it + was deprecated by upstream PostgreSQL 14 and removed with 15. 
+ + * explicitly depend on rsyslog for the tracking center, as rsyslog doesn't + gets installed by default in Debian 12 Bookworm anymore + + * config: disable awl and bayes by default + + * config: disable advanced statistic filters by default + + * debian/postinst: hard code old default values for 'advfilter', + 'use_bayes' & 'use_awl' during upgrade to 8.0.0 + + * grant 'root' and 'www-data' users respective permissions on public schema + for newly created databases + + -- Proxmox Support Team Mon, 26 Jun 2023 17:43:06 +0200 + +pmg-api (7.3-4) bullseye; urgency=medium + + * ruledb: match field: improve validation of regular expressions on addition, + warn for existing invalid ones. + + * d/maintscripts: prevent aborting on errors in some commands + + -- Proxmox Support Team Fri, 02 Jun 2023 10:30:31 +0200 + +pmg-api (7.3-3) bullseye; urgency=medium + + * config schema: document postfix option for smtputf8 flag + + * quarantine: delete Delivered-To and Return-Path when reinjecting mails, + fixing a (unpublished) regression with postfix's forwarding loop detection + + -- Proxmox Support Team Tue, 28 Mar 2023 07:42:19 +0200 + +pmg-api (7.3-2) bullseye; urgency=medium + + * config schema: extend documentation for options + + * templates: adapt to new path for KAM rules in proxmox-spamassassin + + * report: add `date -R` to general system info section + + -- Proxmox Support Team Mon, 27 Mar 2023 12:59:53 +0200 + +pmg-api (7.3-1) bullseye; urgency=medium + + * proxy: initialize the theme variable with an empty string + + * smtputf8: keep smtputf8 from incoming postfix, detect for local mail + + * config: make smtputf8 configurable through the API + + * reinject mail: improve error logging + + * quarantine: reuse the reinject local mail helper to profit from some of + it's recent improvements like IPv6 or DSN. 
+ + * api: quarantine: decode addresses before delivery/userlisting + + -- Proxmox Support Team Thu, 23 Mar 2023 17:29:01 +0100 + +pmg-api (7.2-5) bullseye; urgency=medium + + * fix #4536: parse original filenames from gzip files + + * proxy: add support for switching themes + + * ruledb: spam: adapt to spamassassin 4.0.0 + + * templates: sync spamassassin templates with 4.0.0 upstream + + * templates: enable DecodeShortUrls for SpamAssassin 4.0.0 + + * templates: enable DMARC plugin in v400.pre.in + + * fix #2437: config: Add new tls_inbound_domains postfix map and add API + endpoint for managing entries + + * config: warn on parse errors for tls related config files + + * fix #4521: api/tasks: replace upid as filename for task log downloads + + -- Proxmox Support Team Tue, 21 Mar 2023 12:59:25 +0100 + +pmg-api (7.2-4) bullseye; urgency=medium + + * fix #4410: Remove non-null host bits from CIDR when writing postfix + config + + * utils: skip checking headers for non-ascii characters as stop gap to avoid + breaking mail flow of a few setups that have smtputf8 disabled in their + postfix config (e.g., because their downstream servers do not support this) + + -- Proxmox Support Team Wed, 25 Jan 2023 11:01:14 +0100 + +pmg-api (7.2-3) bullseye; urgency=medium + + * keep directories in /etc/pmg for inotify when restoring from backup + + * rulecache: sort rules additionally by id + + * fix mailflow if smtputf8 is disabled + + * pmgdb dump: encode ruledata before printing + + -- Proxmox Support Team Tue, 27 Dec 2022 11:17:13 +0100 + +pmg-api (7.2-2) bullseye; urgency=medium + + * d/control: depend directly on libproxmox-acme-plugins + + -- Proxmox Support Team Wed, 30 Nov 2022 10:46:04 +0100 + +pmg-api (7.2-1) bullseye; urgency=medium + + * queue administration: try to decode utf8 + + * make tasklog downloadable in the PMG backend + + * user accesslists: reword logging and hits for newer SA rule sets + + * user-bl: use custom description of USER_IN_BLOCKLIST consistently 
+ + -- Proxmox Support Team Tue, 29 Nov 2022 15:48:26 +0100 + +pmg-api (7.1-11) bullseye; urgency=medium + + * fix #3287: add `pmail` parameter to virus and attachment quarantine list to + allow one to filter for a specific mail + + * fix #2541 ruledb: encode relevant values as utf-8 in database + + * fix #2465: handle smtputf8 addresses in all but who-objects of the + rule-system + + -- Proxmox Support Team Thu, 24 Nov 2022 16:43:19 +0100 + +pmg-api (7.1-10) bullseye; urgency=medium + + * fix #4006: do not split from header on ', ' for spamreport mails + + * ruledb: modfield: properly handle fields spanning multiple lines + + * ruledb: add deprecation warnings for unused `ReportSpam`, `Attach` and + `Counter` actions + + -- Proxmox Support Team Wed, 16 Nov 2022 09:03:52 +0100 + +pmg-api (7.1-9) bullseye; urgency=medium + + * api: quarantine: allow 'list attachments' endpoint for quarantine users, + they can see them in the raw email display already anyway + + * api: quarantine: add 'content-disposition' field to response of 'list + attachments' API + + * ruledb: modfield: properly encode field after variable substitution + + -- Proxmox Support Team Fri, 11 Nov 2022 13:48:23 +0100 + +pmg-api (7.1-8) bullseye; urgency=medium + + * api: apt versions: track proxmox-offline-mirror-helper + + * fix #4269: rule cache: from match: cope with undefined IP + + * rule database: notify: properly en-/decode the mail subject to avoid issues + with non-ascii characters, like for example, the reported chinese + characters. 
+ + -- Proxmox Support Team Fri, 28 Oct 2022 11:42:15 +0200 + +pmg-api (7.1-7) bullseye; urgency=medium + + * d/control: recommend proxmox-offline-mirror-helper + + * d/postinst: migrate/update APT auth config + + -- Proxmox Support Team Wed, 14 Sep 2022 13:17:58 +0200 + +pmg-api (7.1-6) bullseye; urgency=medium + + * subscription: handle missing subscription info + + * fix #3915: remove obsolete /etc/apt/apt.conf.d/75pmgconf + + -- Proxmox Support Team Thu, 08 Sep 2022 15:04:49 +0200 + +pmg-api (7.1-5) bullseye; urgency=medium + + * add 'allow-subdomains' to webauthn schema + + * subscription: switch to rust, add offline key support + + -- Proxmox Support Team Tue, 6 Sep 2022 10:35:09 +0200 + +pmg-api (7.1-4) bullseye; urgency=medium + + * rulesystem: matchfield: match all headers not only the first + + * config: avoid adding a specific IPs or networks multiple times to + the template variables + + * api: quarantine: load custom rules description so that they show up + in the GUI too + + * pmg-daily: avoid short-circuting update of local channels + + * api: apt: switch to common Proxmox::RS::APT::Repositories package + + -- Proxmox Support Team Wed, 13 Jul 2022 11:15:00 +0200 + +pmg-api (7.1-3) bullseye; urgency=medium + + * fix duplicate 'x-ms-dos-executable' in default 'Dangerous Content' object + + * daily update timer: start already on 01:00 to avoid dst change issue + + * fix #3924: ldap: accept only valid email-address + + * Proxmox Backup Server integration: namespace support + + -- Proxmox Support Team Mon, 16 May 2022 12:20:42 +0200 + +pmg-api (7.1-2) bullseye; urgency=medium + + * fix #3758: allow empty `to` in noqueue case + + * postfix queue: add 'decode-headers' option for read endpoint + + * http server: pass TLS 1.3 ciphersuites and disable-TLS-1.2/1.3 options if + set + + * utils: change working directory to root before executing postgres admin + commands, to avoid that restrictions of the current CWD from the user + doesn't cause failing the 
command. + + -- Proxmox Support Team Thu, 03 Feb 2022 11:37:51 +0100 + +pmg-api (7.1-1) bullseye; urgency=medium + + * rulesystem: limit linelength of disclaimer to 998 bytes + + * fix #3734: scrub CSS 'url' from style tags/attributes if view-images is + disabled for the quarantine + + * fix #2795: add support for Delivery Status Notification (DSN) + + * add support for two factor authentication with TOTP, recovery codes and + WebAuthn to the admin interface + + -- Proxmox Support Team Sun, 28 Nov 2021 21:04:58 +0100 + +pmg-api (7.0-9) bullseye; urgency=medium + + * fix #2071: RuleDB: ignore duplicate entries for Who objects + + * api: ldap config: sync with the complete config + + * fix #3712: strip any trailing dot from the search-domain when passing it to + postifx + + * api: journal: stream the journal data to the client + + * api-daemons: make systemd restart them on-failure + + * api-dameons: set oom-policy to `continue` so that a single (replacable) + worker getting OOM-killed does not bring down the whole service + + -- Proxmox Support Team Wed, 24 Nov 2021 19:13:29 +0100 + +pmg-api (7.0-8) bullseye; urgency=medium + + * api: apt: repos: avoid creating implicit default for enabled + + * api: apt: use pmg-style permission for endpoint schema to allow access to + admins that aren't root@pam + + * prefer more flexible get_local_ip where possible, it still prefers the + resolved hostname but falls back to configured or active IPs. Especially + useful for evaluation and initial (CT template) setups. + + * pmgbanner: retry getting local IP for a bit in case of failure, this should + be only relevant for evaluation and initial setups where the hostname may + not yet resolve to the primary IP address. 
+ + -- Proxmox Support Team Mon, 20 Sep 2021 08:17:18 +0200 + +pmg-api (7.0-7) bullseye; urgency=medium + + * pmgversion: do not show packages with residual config as being in an error + installation state + + * api: apt versions: add ifupdown(2), libproxmox-acme-* and pmg-i18n to + packages included in the version report. + + * api: implement live network reload with ifupdown2 + + -- Proxmox Support Team Mon, 19 Jul 2021 09:04:25 +0200 + +pmg-api (7.0-6) bullseye; urgency=medium + + * fix cluster join when large ssh-rsa keys are setup + + -- Proxmox Support Team Wed, 14 Jul 2021 17:54:03 +0200 + +pmg-api (7.0-5) bullseye; urgency=medium + + * d/control: recommend ifupdown2 and suggest zfsutils-linux + + * switch enterprise repository over to bullseye + + -- Proxmox Support Team Wed, 14 Jul 2021 11:58:48 +0200 + +pmg-api (7.0-3) bullseye; urgency=medium + + * acme: handle wildcard dns validation + + * api: apt: add calls for repositories status and basic manegement + + * api: services: return active- and unit-state infos + + * api: services: track chrony service + + -- Proxmox Support Team Tue, 13 Jul 2021 18:42:07 +0200 + +pmg-api (7.0-2) bullseye; urgency=medium + + * d/postinst: handle static machine-id from ISO 5.0 <= x <= 6.0 + + * cluster: fix missing import of helper module + + * config: freshclam: default to incremental downloads + + * utils: fix service alias lookup for service commands and status + query + + -- Proxmox Support Team Sat, 03 Jul 2021 22:51:12 +0200 + +pmg-api (7.0-1) bullseye; urgency=medium + + * re-build for Proxmox Mail Gateway 7 based on Debian 11 Bullseye + + * pmgproxy: allow setting LISTEN_IP parameter + + * clamav: remove deprecated SafeBrowsing + + * api: nodes: drop deprecated 'upgrade' option of termproxy + + * TLSPolicy: drop deprecated 'domain' parameter + + * api: quarantine: drop deprecated b/w-list methods, and drop detail + statistic methods (replaced by more flexible endpoints in 6.x) + + * update postgresql dependency to 
version 13 + + * greylisting: drop unneeded Host column form cgreylist table + + * api: nodeconfig: validate acme config before writing + + * fix #2013 spamreport: remove ticket if authmode is ldap + + * api: tasks: add 'since', 'until', task-type and 'status' filters + + -- Proxmox Support Team Mon, 28 Jun 2021 15:57:10 +0200 + +pmg-api (6.4-4) pmg; urgency=medium + + * fix #2228: spam quarantine: automatically deliver on whitelisting and + delete on blacklisting a mail + + * acme: allow wildcard domain entries + + -- Proxmox Support Team Thu, 15 Apr 2021 15:19:00 +0200 + +pmg-api (6.4-3) pmg; urgency=medium + + * fix creating mailqueue spooldirs + + * rephrase backup notification template + + -- Proxmox Support Team Fri, 26 Mar 2021 19:09:41 +0100 + +pmg-api (6.4-2) pmg; urgency=medium + + * fix #3164: api: quarantine: allow to return spam from all users + + * ensure '/etc/pmg/acme/accounts' directory exists + + * certs: reload postfix to activate new certificate even if TLS config stayed + the same + + * cluster: trust both, old and new certificate fingerprint of master during + update + + -- Proxmox Support Team Tue, 23 Mar 2021 08:30:22 +0100 + +pmg-api (6.3-7) pmg; urgency=medium + + * implement Automatic Certificate Management Environment (ACME) for API and + SMTP TLS certificates. Allowing one to use providers like Let's Encrypt for + deployment and automatic renewal of trusted certificates. 
+ + * cluster: automatically trigger an update of the pinned certificate + fingerprint for a node in the cluster configuration on certificate change + + -- Proxmox Support Team Thu, 18 Mar 2021 11:05:17 +0100 + +pmg-api (6.3-6) pmg; urgency=medium + + * api: spamassassin: read local channels and include them in daily SA + update + + * api: statistics: add central API enpoint for details, avoiding + issues with certain characters in mail addresses + + * utils: allow / inside email address localpart + + * fix #3154: backup: add include-statistics to Proxmox Backup Server + + * fix #3146: backup: add email notifications + + -- Proxmox Support Team Fri, 05 Mar 2021 22:48:07 +0100 + +pmg-api (6.3-5) pmg; urgency=medium + + * utils: ignore leading whitespace in SpamAssassin rule description + + * api: termproxy: adapt to newer Proxmox VE and Proxmox Backup Server 'cmd' + interface, to stay compatible + + -- Proxmox Support Team Wed, 25 Nov 2020 10:21:49 +0100 + +pmg-api (6.3-4) pmg; urgency=medium + + * integrate Proxmox Backup Server for automatic configuration backups + + * fix #3098: DKIM: sort domains by length first + + * backup: add Spam Assassin custom score file to backup + + * reinject email: fix connecting for ipv6-only hosts + + * fix #3141: do not split on ', ' for returning the from header + + * allow to enable a user self-service login for the user spam quarantine as + opt-in config option + + -- Proxmox Support Team Wed, 18 Nov 2020 19:52:58 +0100 + +pmg-api (6.2-6) pmg; urgency=medium + + * fix #2785: prefix message-id in attachment-quarantine + + * add logging to disclaimer action + + -- Proxmox Support Team Wed, 23 Sep 2020 09:03:45 +0200 + +pmg-api (6.2-5) pmg; urgency=medium + + * fix #1976: optionally sort postfix queue result + + * allow to remove subscription + + * make regex test-match case-insensitive, like the real tests + + -- Proxmox Support Team Thu, 04 Jun 2020 16:48:26 +0200 + +pmg-api (6.2-4) pmg; urgency=medium + + * Mail Tracker: handle 
before queue status + + -- Proxmox Support Team Thu, 14 May 2020 17:51:25 +0200 + +pmg-api (6.2-3) pmg; urgency=medium + + * enable policy checking also if only IPv6 greylisting is enabled + + * improve ordering of system services + + * add logrotate config to monthly-rotate pmgproxy.log + + * api tracker: always check that specified 'endtime' is newer than + 'starttime' + + * improve pmg-system-report with more relevant information + + -- Proxmox Support Team Fri, 24 Apr 2020 19:31:15 +0200 + +pmg-api (6.1-9) pmg; urgency=medium + + * add new 'Match Archive Filename' What Object + + * use postgres inet functions for greylist matching + + * pmgpolicy: add IPv6 support for greylisting + + * greylist: make netmasks configurable + + -- Proxmox Support Team Mon, 20 Apr 2020 17:37:09 +0200 + +pmg-api (6.1-8) pmg; urgency=medium + + * pmgqm: warn and exit if running on slave node + + * pmgspamreport: purge before sending reports + + * fix rendering of ipv(4|6) literal lmtp transports + + * fix #1948: allow setting TLS policy for transports + + * add TLS options for lmtp to main.cf template + + * fix #2661: reintroduce LDAPCache->ldap_connect + + * skip writing default ports in spamreports + + * use ucf to handle template overrides + + * freshclam.conf.in: make ScriptedUpdates a variable + + * freshclam.conf.in: remove ReceiveTimeout option + + -- Proxmox Support Team Tue, 14 Apr 2020 10:10:59 +0200 + pmg-api (6.1-7) pmg; urgency=medium * fix #2622: include all spam levels from the ">= 10 score" bucket in total
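Review bot: In the 8.1.0 entry, the postfix template bullet says "update to current default setting (name) for the SMTP Smuggling vulnerability" without naming the setting, so an admin who carries a modified template cannot tell from the changelog which template line to port. State the parameter and the value the template now sets. If the 8.0.9 and 8.1.0 entries concern the same issue as 8.0.10, cite CVE-2023-51764 in them as the 8.0.10 entry does, so that all three can be found with one search. The 8.0.10 entry notes that the fix "requires postfix version 3.7.9-0+deb12u1 to take effect"; nothing in the visible lines shows a matching dependency bump, so if there is none, say so in that entry, since a node with an older postfix would receive the template without the protection. The added lines also need a spelling pass: "heurisitic" and "maximzm" (8.0.12), "postifx", "api-dameons" and "replacable" (7.0-9), "manegement" (7.0-3), "enpoint" (6.3-6), "short-circuting" (7.1-4), "an domain entry" (8.1.0), "doesn't gets installed" (8.0.0~1), and the doubled "again" in 8.0.1.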