2020-08-31 15:07:46 by Juraj Lutter | Files touched by this commit (2) |
Log message:
mail/postfix: Update to 3.5.7
Changelog:
With "smtp_tls_connection_reuse = yes", tlsproxy(8) was using the wrong global
TLS context for connections that use DANE trust anchors or that use non-DANE
trust anchors. This resulted in a global certificate verify function pointer
race, between TLS handshakes that use trust anchors and concurrent TLS
handshakes that use PKI. No memory was corrupted in the course of all this.
Reference: http://www.postfix.org/announcements/postfix-3.5.7.html
|
2020-08-27 15:57:14 by Frédéric Fauberteau | Files touched by this commit (2) |
Log message:
postfix: Update to 3.5.6
upstream changes:
-----------------
Fixed in Postfix versions 3.5.6, 3.4.16, 3.3.14, 3.2.19:
* One fix for memory leaks in the Postfix TLS library was back-ported to the
wrong place, resulting in undefined program behavior.
Fixed in Postfix versions 3.5.6, 3.4.16:
* The workaround for allowed TLS protocol versions did not explicitly override
the system-wide OpenSSL configuration, for sessions where the remote SMTP client
sends SNI. It's better to be safe than sorry.
Fixed in Postfix versions 3.5.5, 3.4.15, 3.3.13, 3.2.18:
* Workaround for unexpected TLS interoperability problems when Postfix runs on
OS distributions with system-wide OpenSSL configurations.
* Memory leaks in the Postfix TLS library, the largest one involving multiple
kBytes per peer certificate.
|
2020-06-30 17:00:45 by Takahiro Kambe | Files touched by this commit (2) | |
Log message:
mail/postfix: update to 3.5.4
Update postfix to 3.5.4.
Fixed in Postfix 3.5.4, 3.4.14:
* The connection_reuse attribute in smtp_tls_policy_maps always
resulted in an "invalid attribute name" error. Fix by Thorsten
Habich.
* SMTP over TLS connection reuse always failed for Postfix SMTP
client configurations that specify explicit trust anchors (remote
SMTP server certificates or public keys). Reported by Thorsten
Habich.
Fixed in Postfix versions 3.5.4, 3.4.14, 3.3.12, 3.2.17:
* The Postfix SMTP client's DANE implementation would always send
an SNI option with the name in a destination's MX record, even
if the MX record pointed to a CNAME record. MX records that
point to CNAME records are not conformant with RFC5321, and so
are rare.
Based on the DANE survey of ~2 million hosts it was found that
with the corrected SMTP client behavior, sending SNI with the
CNAME-expanded name, the SMTP server would not send a different
certificate. This fix should therefore be safe.
|
2020-06-15 17:43:32 by Takahiro Kambe | Files touched by this commit (4) | |
Log message:
mail/postfix: update to 3.5.3
Update postfix and related packages to 3.5.3.
Quote from the release announcement.
Postfix 3.5.3, 3.4.13:
* TLS handshake failure in the Postfix SMTP server during SNI
processing, after the server-side TLS engine sent a TLSv1.3
HelloRetryRequest (HRR) to a remote SMTP client. Reported by
Ján Máté, fixed by Viktor Dukhovni.
Postfix versions 3.5.3, 3.4.13, 3.3.11, 3.2.16:
* The command "postfix tls deploy-server-cert" did not handle a
missing optional argument. This bug was introduced in Postfix
3.1.
|
2020-06-02 10:25:05 by Adam Ciarcinski | Files touched by this commit (1689) |
Log message:
Revbump for icu
|
2020-05-18 16:21:53 by Frédéric Fauberteau | Files touched by this commit (2) | |
Log message:
postfix: update to 3.5.2
upstream changes:
-----------------
Postfix versions 3.5.2, 3.4.12, 3.2.10, 3.2.15:
* A TLS error for a database client caused a false 'lost connection' error for
an SMTP over TLS session in the same Postfix process. Reported by Alexander
Vasarab, diagnosed by Viktor Dukhovni. This bug was introduced with Postfix 2.2.
* The same bug existed in the tlsproxy(8) daemon, where a TLS error for one
TLS session could cause a false 'lost connection' error for a concurrent TLS
session in the same process. This bug was introduced with Postfix 2.8.
* The Postfix build now disables DANE support on Linux systems with libc-musl,
because libc-musl provides no indication whether DNS responses are authentic.
This broke DANE support without a clear explanation.
* Due to implementation changes in the ICU library, some Postfix daemons
reported file access errors (U_FILE_ACCESS_ERROR) after chroot(). This was
fixed by initializing the ICU library before making the chroot() call.
* Minor code changes to silence a compiler that special-cases string literals.
Postfix 3.5.2, 3.4.12:
* Segfault in the tlsproxy(8) client role when the server role was disabled.
This typically happened on systems that do not receive mail, after configuring
connection reuse for outbound SMTP over TLS.
* The date portion of the maillog_file_rotate_suffix default value used the
minute (%M) instead of the month (%m). Reported by Larry Stone.
|
2020-04-26 11:33:26 by Takahiro Kambe | Files touched by this commit (6) | |
Log message:
mail/postfix: update to 3.5.1
Update postfix to 3.5.1.
3.5.0 (2020-03-16)
Postfix stable release 3.5.0 is available. Support has ended for
legacy release Postfix 3.1.
The main changes are below. See the RELEASE_NOTES file for further details.
* Support for the haproxy v2 protocol. The Postfix implementation
supports TCP over IPv4 and IPv6, as well as non-proxied
connections; the latter are typically used for heartbeat tests.
* Support to force-expire email messages. This introduces new
postsuper(1) command-line options to request expiration, and
additional information in mailq(1) or postqueue(1) output.
* The Postfix SMTP and LMTP client support a list of nexthop
destinations separated by comma or whitespace. These destinations
will be tried in the specified order. Examples:
/etc/postfix/main.cf:
relayhost = foo.example, bar.example
default_transport = smtp:foo.example, bar.example
Incompatible changes:
* Logging: Postfix daemon processes now log the from= and to=
addresses in external (quoted) form in non-debug logging (info,
warning, etc.). This means that when an address localpart
contains spaces or other special characters, the localpart will
be quoted, for example:
from=<"name with spaces"@example.com>
Specify "info_log_address_format = internal" for backwards compatibility.
* Postfix now normalizes IP addresses received with XCLIENT,
XFORWARD, or with the HaProxy protocol, for consistency with
direct connections to Postfix. This may change the appearance
of logging, and the way that check_client_access will match
subnets of an IPv6 address.
3.5.1 (2020-04-20)
Postfix versions 3.5.1, 3.4.11, 3.3.9, 3.2.14:
* Bitrot workaround for broken builds after an incompatible change
in GCC 10.
* Bitrot workaround for broken DANE/DNSSEC support after an
incompatible change in GLIBC 2.31. This change avoids the need
for new options in /etc/resolv.conf.
|
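An added example for the 3.5.0 logging change listed in the entry above (not part of the pkgsrc commit or of Postfix): a quote-aware parser for the from= and to= log fields, next to a naive whitespace-free pattern that stops working once localparts are logged in external (quoted) form. The log lines are constructed samples, and the function names and regular expressions are this example's own.

```python
import re

# Address between <...>: an optional localpart that is either a quoted string
# ("..." with backslash escapes) or a bare run of characters, then an optional
# @domain. Assumption: this is all a log consumer needs to recognise.
ADDR = r'(?:"(?:[^"\\]|\\.)*"|[^">@\s]+)?(?:@[^>\s]*)?'
FIELD = re.compile(r'\b(from|to)=<(' + ADDR + r')>')   # \b skips orig_to=
NAIVE = re.compile(r'\b(from|to)=<(\S*?)>')            # no quoting awareness

# Constructed sample lines (queue IDs, PIDs and addresses are made up).
SAMPLES = [
    'postfix/qmgr[812]: 4B1C22A0F3: from=<alice@example.com>, size=512, nrcpt=1 (queue active)',
    'postfix/qmgr[812]: 4B1C22A0F4: from=<"name with spaces"@example.com>, size=512, nrcpt=1 (queue active)',
    'postfix/qmgr[812]: 4B1C22A0F5: from=<"a>b"@example.com>, size=512, nrcpt=1 (queue active)',
    'postfix/qmgr[812]: 4B1C22A0F6: from=<>, size=512, nrcpt=1 (queue active)',
]


def unquote_localpart(addr):
    """Turn the external (quoted) form back into the internal form."""
    m = re.match(r'"((?:[^"\\]|\\.)*)"(.*)', addr, re.S)
    if not m:
        return addr                       # already unquoted, or empty sender
    local = re.sub(r'\\(.)', r'\1', m.group(1))   # drop backslash escapes
    return local + m.group(2)


def parse(line):
    """Quote-aware extraction; values are returned in internal form."""
    return {k: unquote_localpart(v) for k, v in FIELD.findall(line)}


def parse_naive(line):
    """What a whitespace-free, quote-unaware pattern extracts."""
    return dict(NAIVE.findall(line))


if __name__ == "__main__":
    for line in SAMPLES:
        print(parse(line), "| naive:", parse_naive(line))
```

Normalising to the internal form keeps alert rules and allow-lists written against pre-3.5 logs matching after the upgrade, without setting "info_log_address_format = internal".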
2020-04-12 10:29:21 by Adam Ciarcinski | Files touched by this commit (956) | |
Log message:
Recursive revision bump after textproc/icu update
|
2020-02-11 21:40:27 by Frédéric Fauberteau | Files touched by this commit (4) | |
Log message:
postfix: update to 3.4.9
upstream changes:
-----------------
Fixed in all supported stable releases:
Bug (introduced: Postfix 3.1): smtp_dns_resolver_options were broken while
adding support for negative DNS response caching in postscreen. Postfix was
inadvertently changed to call res_query() instead of res_search(). Reported by
Jaroslav Skarvada.
Bug (introduced: Postfix 2.5): Postfix ignored the CONNECT macro overrides
from a Milter application. Postfix now evaluates the Milter macros for an SMTP
CONNECT event after the Postfix-to-Milter connection is negotiated. Problem
reported by David Bürgin.
Bug (introduced: Postfix 3.0): sanitize (remote) server responses before
storing them in the verify database, to avoid Postfix warnings about malformed
UTF8. Found during code maintenance.
|
2020-01-28 09:16:51 by Frédéric Fauberteau | Files touched by this commit (3) |
Log message:
mail/postfix: fix insufficient permissions for var/spool/postfix/...
pkgsrc changes:
---------------
* Remove the subdirectories of var/spool/postfix to avoid insufficient
permissions when upgrading (Thanks Matthias!).
|