Log message:
*: Recursive revision bump for openssl 1.1.1.

Log message:
postfix: update to 3.4.8

upstream changes:
-----------------
    Fix for an Exim interoperability problem when postscreen after-220 checks
    are enabled. Bug introduced in Postfix 3.4: the code that detected
    "PIPELINING after BDAT" looked at the wrong variable. The warning \ 
now says
    "BDAT without valid RCPT", and the error is no longer treated as a \ 
command
    PIPELINING error, thus allowing mail to be delivered. Meanwhile, Exim has
    been fixed to stop sending BDAT commands when postscreen rejects all RCPT
    commands.

    Usability bug, introduced in Postfix 3.4: the parser for key/certificate
    chain files rejected inputs that contain an EC PARAMETERS object. While
    this is technically correct (the documentation says what types are allowed)
    this is surprising behavior because the legacy cert/key parameters will
    accept such inputs. For now, the parser skips object types that it does not
    know about for usability, and logs a warning because ignoring inputs is not
    kosher.

    Bug introduced in Postfix 2.8: don't gratuitously enable all after-220
    tests when only one such test is enabled. This made selective tests
    impossible with 'good' clients. This will be fixed in older Postfix
    versions at some later time.

Log message:
mail: align variable assignments

pkglint -Wall -F --only aligned -r

No manual corrections.

Log message:
postfix: Update to 3.4.7

upstream changes:
-----------------
* Robustness: the tlsproxy(8) daemon could go into a loop, logging a flood of
  error messages. Problem reported by Andreas Schulze after enabling SMTP/TLS
  connection reuse.
* Workaround: OpenSSL changed an SSL_Shutdown() non-error result value into an
  error result value, causing logfile noise.
* Configuration: the new 'TLS fast shutdown' parameter name was implemented
  incorrectly. The documentation said "tls_fast_shutdown_enable", but \ 
the code
  said "tls_fast_shutdown". This was fixed by changing the code, \ 
because no-one
  is expected to override the default.
* Performance: workaround for poor TCP loopback performance on LINUX, where
  getsockopt(..., TCP_MAXSEG, ...) reports a bogus TCP maximal segment size that
  is 1/2 to 1/3 of the real MSS. To avoid client-side Nagle delays or
  server-side delayed ACKs caused by multiple smaller-than-MSS writes, Postfix
  chooses a VSTREAM buffer size that is a small multiple of the reported bogus
  MSS. This workaround increases the multiplier from 2x to 4x.
* Robustness: the Postfix Dovecot client could segfault (null pointer read) or
  cause an SMTP server assertion to fail when talking to a fake Dovecot server.
  The Postfix Dovecot client now logs a proper error instead. Problem reported
  by Tim Düsterhus.

Log message:
Bump PKGREVISIONs for perl 5.30.0

Log message:
postfix: update to 3.4.6

pkgsrc changes:
---------------
  * change COMMENT to make pkglint happy (inspired by http://www.postfix.org/)
  * update PLIST using make print-PLIST (missing @pkgdir)

upstream changes:
-----------------
20181125

	Cleanup: dict_file_to_xxx() takes a list of file names
	separated by CHARS_COMMA_SP. Shoe-horned into the existing
	API, make it nicer when there is time. File: util/dict_file.c.

20181127

	Cleanup: encapsulated clumsy 'read into VSTRING' code with
	easier-to-use vstream_fread_buf() and vstream_fread_app()
	primitives. Files: global/memcache_proto.c, global/record.c,
	global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c,
	global/xtext.c, milter/milter8.c, util/dict_file.c,
	util/hex_quote.c, util/netstring.c, util/vstream.c,
	util/vstream.h. Verified with "make tests".

	Cleanup: simplified the smtp_fread() API (introduced for
	BDAT support), and changed the name to smtp_fread_buf().
	Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with
	~megabyte BDAT commands.

	Cleanup: simplified a tlsproxy-internal API. File:
	tlsproxy/tlsproxy.c.

20181128

	Initial support for key/certificate chain files that will
	replace the proliferation of separate parameters for
	RSA/DSA/ECC/etc. key and certificate files. Viktor
	Dukhovni.

20181201

	Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET()
	calls with safe vstring_set_payload_size() calls, in code
	that directly writes into VSTRING. Files: tls/tls_session.c,
	tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h,
	xsasl/xsasl_cyrus_client.c.

	Cleanup: postscreen_command_time_limit did not need to be
	a 'raw' parameter. This makes "postconf -x" behavior more
	consistent. Files: global/mail_params.h, postscreen/postscreen.c.

	Documentation: added text that the following parameter
	values are not subject to Postfix parameter $name expansion:
	default_rbl_reply, command_execution_directory, luser_relay,
	smtpd_reject_footer. These have their own documented $name
	substitution mechanism. File: proto/postconf.proto.

20181202

	Bugfix: posttls-finger reported an error for UNIX-domain
	connections, even if they did not fail. Found by Coverity.
	File: posttls-finger/posttls-finger.c.

20181208

	Documentation: add even more redundancy to the rate-delay
	description. File: proto/postconf.proto.

20181210

	Cleanup: code deduplication. File: util/dict_file.c.

20181226

	Cleanup: code deduplication and better encapsulation with
	PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros.
	Files: postscreen/postscreen.h, postscreen/postscreen_state.c.

	Documentation: POSTSCREEN_README did not describe the
	postscreen_post_queue_limit, and attributed the wrong reject
	message to the postscreen_pre_queue_limit. Problem reported
	by Michael Orlitzky. File: proto/POSTSCREEN_README.html.

	(20181226-nonprod) Compatibility: removed support for OpenSSL
	1.0.1 (not supported since December 31, 2016) and earlier
	releases. This eliminated a large number of #ifdefs with
	bitrot workarounds.  Viktor Dukhovni. Files: global/mail_params.h,
	posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c,
	tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c,
	tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c,
	tls/tls_session.c.

	(20181226-nonprod) Use the OpenSSL 1.0.2 and later API for
	setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h,
	tls/tls_client.c, tls/tls_dh.c.

	(20181226-nonprod) Documentation update for TLS support.
	Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
	proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c.

20181229

	Explicit maps_file_find() and dict_file_lookup() methods
	that decode base64 content. Decoding content is not built
	into the dict->lookup() method, because that would complicate
	the implementation of map nesting (inline, thash), map
	composition (pipemap, unionmap), and map proxying.  For
	consistency, decoding base64 file content is also not built
	into the maps_find() method. Files: util/dict.h.
	util/dict_file.c, global/maps.[hc], postmap/postmap.c.

20190106

        Documentation: documented the SRC_RHS_IS_FILE flag in
        dict_open.c, and updated the -F description in the postmap
        manpage. Files: util/dict_open.c, postmap/postmap.c.

	(20190106-nonprod) Feature: support for files that combine
	multiple (key, certificate, trust chain) instances in one
	file, to avoid separate files for RSA, DSA, Elliptic Curve,
	and so on. Viktor Dukhovni. Files: .indent.pro,
	global/mail_params.h, posttls-finger/posttls-finger.c,
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
	smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c,
	tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c,
	tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c.

	(20190106-nonprod) Create a second, no-key no-cert, SSL_CTX
	for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h,
	src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c.

	(20190106-nonprod) Server-side SNI support. Viktor Dukhovni.
	Files: src/global/mail_params.h, src/smtp/smtp.c,
	src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c,
	src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c,

	(20190106-nonprod) Configurable client-side SNI signal.
	Viktor Dukhovni. Files: global/mail_params.h,
	posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
	smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
	smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
	tls/tls_proxy.h, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c.

20190121

	Logging: support for internal logging file, without using
	syslog (it uses the new postlogd daemon instead). This
	solves a usability problem for MacOS, may help getting
	around systemd, and solves 99% of the problem for logging
	to stdout in a container (hopefully we have 100% soon).
	Enable by setting, for example, "maillog_file =
	/var/log/postfix.log").  This works fine for daemons, and
	with some limitations for non-daemon programs.  See
	RELEASE_NOTES for more details.  Files: conf/master.cf,
	conf/post-install, conf/postfix-files, conf/postfix-script,
	mantools/postlink, proto/master, proto/postconf.proto,
	global/mail_params.c, global/mail_params.h, global/mail_proto.h,
	global/maillog_client.c, global/maillog_client.h,
	master/dgram_server.c, master/event_server.c, master/mail_server.h,
	master/master.c, master/master.h, master/master_ent.c,
	master/master_listen.c, master/master_proto.h,
	master/master_wakeup.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c,
	postalias/postalias.c, postconf/postconf_master.c,
	postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c,
	postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c,
	postmulti/postmulti.c, postqueue/postqueue.c,
	postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h,
	util/listen.h, util/logwriter.c, util/logwriter.h,
	util/msg_logger.c, util/msg_logger.h, util/msg_output.c,
	util/msg_output.h, util/unix_dgram_connect.c,
	util/unix_dgram_listen.c.

	Cleanup: cert/key/chain loading, plus unit tests to exercise
	non-error and error cases. Viktor Dukhovni. Files: tls/*.pem,
	tls*.pem.ref, tls/tls_certkey.c.

20190126

	Safety: Postfix programs will log to either syslog or postlog
	but not both; and postlogd forwards postlog logging to
	syslog, when a configuration change removes the maillog_file
	pathname, but some programs still use the old configuration.
	Files: util/msg_syslog.[hc], util/msg_logger.c,
	global/maillog_client.c, postlogd/postlogd.c,

	Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog
	pipe file descriptor leak. This pipe provides one source
	of liveness, data from this pipe is discarded, and therefore
	this does not enable privilege escalation or DOS. File:
	util/watchdog.c.

	Feature: stdout logging support; requires "postfix start-fg"
	and "maillog_file = /dev/stdout". Files: master/master.c,
	conf/postfix-script.

20190127

	Safety: when maillog_file is specified, 'postfix check' now
	requires that the postlog service is enabled in master.cf.
	Otherwise 'postfix start' etc. will log a fatal error. File:
	conf/postfix-script.

	Documentation: added policy_context example. File:
	proto/SMTPD_POLICY_README.html.

20190128

	Testing: run libtls tests under Valgrind. File tls/Makefile.in.

20190129

	Safety: require that $maillog_file matches one of the
	pathname prefixes specified in $maillog_file_prefixes. The
	maillog file is created by root, and the prefixes limit the
	damage from a single configuration error. Files:
	global/mail_params.[hc], global/maillog_client.c.

20191201

	Feature: "postfix logrotate" command with configurable
	compression program and datestamp filename suffix. File:
	conf/postfix-script.

20190202

	Cleanup: log a warning when the client sends a malformed
	SNI; log an info message when the client sends a valid SNI
	that does not match the SNI lookup tables; update the
	FORWARD_SECRECY_README logging examples. Viktor Dukhovni.
	Files: proto/FORWARD_SECRECY_README.html, tls/tls.h,
	tls/tls_client.c, tls/tls_misc.c.

20190208

	Debugging: the master(8) daemon now logs a warning if a
	master.cf entry is defined multiple times. File:
	src/master/master_conf.c.

20190209

	Debugging: tlsproxy(8) now logs more details about unexpected
	configuration differences between the Postfix SMTP client
	and the tlsproxy(8) daemon.

20190210

	Documentation: Postfix 3.4.0 RELEASE NOTES.

	Documentation: added BDAT_README.

	Documentation: global TLS settings. Files: mantools/postlink,
	smtp/smtp.c, tlsproxy/tlsproxy.c.

20190211

	Cleanup: removed obsolete parameters: tls_dane_digest_agility,
	tls_dane_trust_anchor_digest_enable; removed openssl_path
	parameter from configuration difference checks in tlsproxy.
	Files: global/mail_params.h, tls/tls_misc.c,
	tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c, tls/tls_proxy.h.

20190212

	Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
	posttls-finger/posttls-finger.c.

20190217

	Cleanup: when the master daemon runs with PID=1 (init mode),
	reap orhpan processes from non-Postfix code running in the
	same container, instead of terminating with a panic. File:
	master/master_spawn.c.

20190218

	Bugfix: tlsproxy did not enable DANE-style PKI because
	libtls seems to have to accreted multiple init functions
	instead of reusing the tls_client_init() and tls_client_start()
	API. And some functions that do initialization don't even
	have init in their name! Problem report by Andreas Schulze.
	Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.

	Workaround: Postfix libtls makes DANE-specific changes to
	the shared SSL_CTX. To avoid false sharing, tlsproxy needs
	to label the SSL_CTX cache with DANE bits until we can
	remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c.

	Cleanup: Postfix libtls changed the shared SSL_CTX to
	override ciphers. instead of changing the SSL handle. To
	avoid false sharing in tlsproxy, the changes are now made
	to the SSL handle. Viktor Dukhovni. Files: tls/tls.h,
	tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.

20190219

	Bugfix: in the Postfix SMTP client, TLS wrappermode was not
	tested in tlsproxy mode. It needed some setup for buffering
	and timeouts. Problem report by Andreas Schulze. File:
	smtp/smtp_proto.c.

20190304

	Bugfix: a reversed test broke TLS configurations that specify
	the same filename for a private key and certificate. Reported
	by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
	test. Files: tls/tls_certkey.c, tls/Makefile.in.

20190310

	Bitrot: LINUX5s support, after some sanity checks with a
	rawhide prerelease version. Files: makedefs, util/sys_defs.h.

	Bugfix (introduced: 20181226): broken DANE trust anchor
	file support, caused by left-over debris from the 20181226
	TLS library overhaul. By intrigeri. File: tls/tls_dane.c.

	Bugfix (introduced: Postfix-1.0.1): null pointer read, while
	logging a warning after a corrupted bounce log file. File:
	global/bounce_log.c.

	Bugfix (introduced: Postfix-2.9.0): null pointer read, while
	logging a warning after a postscreen_command_filter read
	error. File: postscreen/postscreen_smtpd.c. global/bounce_log.c

20190312

	Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
	has been producing false rejects starting with the Postfix
	2.2 smtpd_end_of_data_restrictons, and for the same reasons,
	does the same with the Postfix 3.4 BDAT command. The latter
	was reported by Andreas Schulze. File: smtpd/smtpd_check.c.

20190319

	With message_size_limit=0 (which is NOT DOCUMENTED), BDAT
	chunks were always rejected as too large. File: smtpd/smtpd.c

20190328

	Bugfix (introduced: Postfix 3.0): LMTP connections over
	UNIX-domain sockets were cached but not reused, due to a
	cache lookup key mismatch. Therefore, idle cached connections
	could exhaust LMTP server resources, resulting in two-second
	pauses between email deliveries. This problem was investigated
	by Juliana Rodrigueiro. File: smtp/smtp_connect.c.

20190331

	Documentation: tlsext_padding is not a tls_ssl_options
	feature. File: proto/postconf.proto.

20190401

	Portability: added "#undef sun" to util/unix_dgram_connect.c.

20190403

	Bugfix (introduced: Postfix 2.3): a censoring filter broke
	multiline Milter responses for header/body events. Problem
	report by Andreas Thienemann. Files: util/printable.c,
	util/stringops.h, smtpd/smtpd.c

	Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit =
	0" no longer meant 'unlimited'. Problem report by Luc Pardon.
	File: smtp/smtp_addr.c.

20190615

	Documentation: updated the BUGS section in the smtp(8) manpage
	about TLS connection reuse. File: smtp/smtp.c.

	Workaround for implementations that hang Postfix while
	shutting down a TLS session, until Postfix times out. With
	"tls_fast_shutdown_enable = yes" (the default), Postfix no
	longer waits for the TLS peer to respond to a TLS 'close'
	request. This is recommended with TLSv1.0 and later. Files:
	global/mail_params.h, tls/tls_session.c, and documentation.

20190621

	Bugfix (introduced: Postfix 3.0): the code to reset Postfix
	SMTP server command counts was not called after a HaProxy
	handshake failure, causing stale numbers to be reported.
	The command counts are now reset in the function that reports
	the counts. File: smtpd/smtpd.c.

Log message:
postfix: fix PR pkg/54338

pkgsrc changes:
---------------
  * Remove -DHAS_EAI since it does not appear anywhere
  * Add pkg-config to USE_TOOLS since patch-ai introduces it
  * Bump revision since binaries are now linked to icui18n

Log message:
all: replace SUBST_SED with the simpler SUBST_VARS

pkglint -Wall -r --only "substitution command" -F

With manual review and indentation fixes since pkglint doesn't get that
part correct in every case.

Log message:
mail/postfix: update to 3.3.3

This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. This is the final update for Postfix
3.0.

Fixed in Postfix 3.3 and later:

  * When the master daemon runs with PID=1 (init mode), it will now
    reap child processes from non-Postfix code running in the same
    container, instead of terminating with a panic. Reported by
    Tamas Gerczei.

Fixed in Postfix 3.0 and later:

  * With smtputf8_enable=yes, table lookups could casefold the
    search string when searching a lookup table that does not use
    fixed-string keys (regexp, pcre, tcp, etc.).

  * With the posttls-finger test program, connections to unix-domain
    servers always resulted in "Failed to establish session" even
    after a connection was established. Reported by Jaroslav Skarva.

Log message:
Recursive revbump from textproc/icu