Log message:
postfix*: update to 3.8.4

20230815

	Bugfix (bug introduced: 20140218): when opportunistic TLS fails
	during or after the handshake, don't require that a probe
	message spent a minimum time-in-queue before falling back to
	plaintext. Problem reported by Serg. File: smtp/smtp.h.

20230819

	Bugfix (defect introduced: 19980207): the valid_hostname()
	check in the Postfix DNS client library was blocking unusual
	but legitimate wildcard names (*.name) in some DNS lookup
	results and lookup requests. Examples:

            name          class/type value
            *.one.example   IN CNAME *.other.example
            *.other.example IN A     10.0.0.1
            *.other.example IN TLSA  ..certificate info...

	Such syntax is blesed in RFC 1034 section 4.3.3.

	This problem was reported first in the context of TLSA
	record lookups. Files: util/valid_hostname.[hc],
	dns/dns_lookup.c.

20230929

	Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
	SMTP server was waiting for a client command instead of
	replying immediately, after a client certificate verification
	error in TLS wrappermode. Reported by Andreas Kinzler. File:
	smtpd/smtpd.c.

20231006

	Usability: the Postfix SMTP server now attempts to log the
	SASL username after authentication failure. In Postfix
	logging, this appends ", sasl_username=xxx" after the reason
	for SASL authentication failure. The logging replaces an
	unavailable reason with "(reason unavailable)", and replaces
	an unavailable sasl_username with "(unavailable)". Based
	on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
	xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.

20231026

	Bugfix (defect introduced: Postfix 2.11): in forward_path,
	the expression ${recipient_delimiter} would expand to an
	empty string when a recipient address had no recipient
	delimiter. Fixed by restoring Postfix 2.10 behavior to use
	a configured recipient delimiter value. Reported by Tod
	A. Sandman. Files: proto/postconf.proto, local/local_expand.c.

20231221

	Security: with "smtpd_forbid_bare_newline = yes" (default
	"no" for Postfix < 3.9), reply with "Error: bare <LF>
	received" and disconnect when an SMTP client sends a line
	ending in <LF>, violating the RFC 5321 requirement that
	lines must end in <CR><LF>. This prevents SMTP smuggling
	attacks that target a recipient at a Postfix server. For
	backwards compatibility, local clients are excluded by
	default with "smtpd_forbid_bare_newline_exclusions =
	$mynetworks". Files: mantools/postlink, proto/postconf.proto,
	global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
	smtpd/smtpd.c.

Log message:
*: bump for openssl 3

Log message:
mail/postfix: update to 3.5.1

Update postfix to 3.5.1.

3.5.0 (2020-03-16)

Postfix stable release 3.5.0 is available. Support has ended for
legacy release Postfix 3.1.

The main changes are below. See the RELEASE_NOTES file for further details.

  * Support for the haproxy v2 protocol. The Postfix implementation
    supports TCP over IPv4 and IPv6, as well as non-proxied
    connections; the latter are typically used for heartbeat tests.

  * Support to force-expire email messages. This introduces new
    postsuper(1) command-line options to request expiration, and
    additional information in mailq(1) or postqueue(1) output.

  * The Postfix SMTP and LMTP client support a list of nexthop
    destinations separated by comma or whitespace. These destinations
    will be tried in the specified order. Examples:

    /etc/postfix/main.cf:
        relayhost = foo.example, bar.example
        default_transport = smtp:foo.example, bar.example

Incompatible changes:

  * Logging: Postfix daemon processes now log the from= and to=
    addresses in external (quoted) form in non-debug logging (info,
    warning, etc.). This means that when an address localpart
    contains spaces or other special characters, the localpart will
    be quoted, for example:

	from=<"name with spaces"@example.com>

    Specify "info_log_address_format = internal" for backwards \ 
compatibility.

  * Postfix now normalizes IP addresses received with XCLIENT,
    XFORWARD, or with the HaProxy protocol, for consistency with
    direct connections to Postfix. This may change the appearance
    of logging, and the way that check_client_access will match
    subnets of an IPv6 address.

3.5.1 (2020-04-20)

Postfix versions 3.5.1, 3.4.11, 3.3.9, 3.2.14:

  * Bitrot workaround for broken builds after an incompatible change
    in GCC 10.

  * Bitrot workaround for broken DANE/DNSSEC support after an
    incompatible change in GLIBC 2.31. This change avoids the need
    for new options in /etc/resolv.conf.

Log message:
*: Recursive revision bump for openssl 1.1.1.

Log message:
Reset PKGREVISION.

Log message:
Fixed PKGREVISION to be only defined directly in the package Makefile.

Log message:
Update postfix to 3.1.2.

3.1.0

The main changes in no particular order are:

  * "postfix tls" command to simplify setup of opportunistic TLS,
    and to simplify SMTP server key/certificate management.

  * Positive and negative DNS reply TTL support in postscreen(8).

  * SASL AUTH rate limit in the Postfix SMTP server.

  * A safety limit on the number of address verify requests.

  * JSON-format Postfix queue listing.

  * Destination-independent delivery rate delay

For details, see the RELEASE_NOTES file.

3.1.1

Fixed in all supported releases:

  * The Milter "replace sender" (SMFIR_CHGFROM) request lost an
    address that was added with sender_bcc_maps, resulting in a
    "rcpt count mismatch" warning. Reported by Joerg Backschues.
    This defect was introduced with Postfix 2.6.

  * The "bad filetype" example in the header_checks(5) manpage
    falsely rejected Content- headers with ``name="example";
    x-apple-part-url="example.com"''.  Reported by Cedric Knight.
    This defect was introduced with Postfix 2.6.

3.1.2

Fixed with Postfix 3.1.2:

  * Changes to make Postfix build with OpenSSL 1.1.0.

Fixed with Postfix 3.1.2 and 3.0.6:

  * The makedefs script ignored readme_directory=pathname overrides.
    Fix by Todd C. Olson.

  * The tls_session_ticket_cipher documentation says that the default
    cipher for TLS session tickets is aes-256-cbc, but the implemented
    default was aes-128-cbc. Note that TLS session ticket keys are
    rotated after 1/2 hour, to limit the impact of attacks on session
    ticket keys.

Log message:
Bump PKGREVISION for security/openssl ABI bump.