Next | Query returned 396 messages, browsing 1 to 10 | Previous

CVS Commit History:


   2024-06-02 17:45:06 by Takahiro Kambe | Files touched by this commit (2)
Log message:
Reset PKGREVISION along with updating postfix to 3.9.0.
   2024-06-02 17:43:31 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
mail/postfix: update to 3.9.0

From release announce
<https://www.postfix.org/announcements/postfix-3.9.0.html>:

Postfix stable release 3.9.0 is available. Postfix 3.5 - 3.8 were
updated earlier this week; after that, Postfix 3.5 will no longer
be updated.

The main changes are below. See the RELEASE_NOTES file for further
details.

Removed functionality:

  * As described in DEPRECATION_README, the SMTP server features
    "permit_naked_ip_address", "check_relay_domains", and
    "reject_maps_rbl" have been removed, after they have been logging
    a warning for some 20 years. These features now log a warning
    and return a "server configuration error" response.

  * The MySQL client no longer supports MySQL versions < 4.0. MySQL
    version 4.0 was released in 2003.

Officially obsolete functionality:

  * As covered in DEPRECATION_README, the configuration parameter
    "disable_dns_lookup" and about a dozen TLS-related parameters
    are now officially obsolete. These parameters still work, but
    the postconf command logs warnings that they will be removed
    from Postfix.

  * As covered in DEPRECATION_README, "permit_mx_backup" logs a
    warning that it will be removed from Postfix.

Changed functionality:

  * In message headers, Postfix now formats numerical days as
    two-digit days, i.e. days 1-9 have a leading zero instead of a
    leading space. This change was made because the RFC 5322 date
    and time specification recommends (i.e. SHOULD) that a single
    space be used in each place that folding white space appears.
    This change avoids a breaking change in the length of a date
    string.

  * The MySQL client default characterset is now configurable with
    the "charset" configuration file attribute. The default is
    "utf8mb4", consistent with the MySQL 8.0 built-in default, but
    different from earlier MySQL versions where the built-in default
    was "latin1".

New functionality:

  * Support to query MongoDB databases, contributed by Hamid Maadani,
    based on earlier code by Stephan Ferraro. See MONGODB_README
    and mongodb_table(5).

  * The RFC 3461 envelope ID is now exported in the local(8) delivery
    agent with the ENVID environment variable, and in the pipe(8)
    delivery agent with the ${envid} command-line attribute.

  * Configurable idle and retry timer settings in the mysql: and
    pgsql: clients. A shorter than default retry timer can speed up
    the recovery after error, when Postfix is configured with only
    one server in the "hosts" attribute. After the code was frozen
    for release, we have learned that Postfix can recover faster
    from some errors when the single server is specified multiple
    times in the "hosts" attribute.

  * Optional Postfix TLS support to request an RFC7250 raw public
    key instead of an X.509 public-key certificate. The configuration
    settings for raw public key support will be ignored when there
    is no raw public key support in the local TLS implementation
    (i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES
    for more information.

  * Preliminary support for OpenSSL configuration files, primarily
    OpenSSL 1.1.1b and later. This introduces two new parameters
    "tls_config_file" and "tls_config_name", which can be used to
    limit collateral damage from OS distributions that crank up
    security to 11, increasing the number of plaintext email
    deliveries. Details are in the postconf(5) manpage under
    "tls_config_file" and "tls_config_name".

Attack resistance:

  * With "smtpd_forbid_unauth_pipelining = yes" (the default),
    Postfix defends against multiple "blind" SMTP attacks. This
    feature was back-ported to older stable releases but disabled
    by default.

  * With "smtpd_forbid_bare_newline = normalize" (the default)
    Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES
    for details. This feature was back-ported to older stable
    releases but disabled by default.

  * Prevent outbound SMTP smuggling, where an attacker uses Postfix
    to send email containing a non-standard End-of-DATA sequence,
    to exploit inbound SMTP smuggling at a vulnerable remote SMTP
    server. With "cleanup_replace_stray_cr_lf = yes" (the default),
    the cleanup daemon replaces each stray <CR> or <LF> character
    in message content with a space character. This feature was
    back-ported to older stable releases with identical functionality.

  * The Postfix DNS client now limits the total size of DNS lookup
    results to 100 records; it drops the excess records, and logs
    a warning. This limit is 20x larger than the number of server
    addresses that the Postfix SMTP client is willing to consider
    when delivering mail, and is far below the number of records
    that could cause a tail recursion crash in dns_rr_append() as
    reported by Toshifumi Sakaguchi. This also introduces a similar
    limit on the number of DNS requests that a check_*_*_access
    restriction can make. All this was back-ported to older stable
    releases with identical functionality.
   2024-05-29 18:35:19 by Adam Ciarcinski | Files touched by this commit (1929) | Package updated
Log message:
revbump after icu and protobuf updates
   2024-02-28 16:16:19 by Takahiro Kambe | Files touched by this commit (2)
Log message:
mail/postfix: update to 3.8.5

3.8.5 (2024-01-22)

Security: this release improves support to defend against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server. For
background, see https://www.postfix.org/smtp-smuggling.html.

The improvements provide better logging, and better compatibility with
existing SMTP clients (less need to allowlist clients).

Sites concerned about SMTP smuggling attacks should enable this feature
on Internet-facing Postfix servers. For compatibility with non-standard
clients, Postfix by default excludes clients in mynetworks from this
countermeasure.

The recommended settings are:

    # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    # Otherwise, allow bare <LF> and process it as if the client sent
    # <CR><LF>.
    #
    # This maintains compatibility with many legitimate SMTP client
    # applications that send a mix of standard and non-standard line
    # endings, but will fail to receive email from client implementations
    # that do not terminate DATA content with the standard End-of-DATA
    # sequence <CR><LF>.<CR><LF>.
    #
    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
    # The example below allowlists SMTP clients in trusted networks.
    #
    smtpd_forbid_bare_newline = normalize
    smtpd_forbid_bare_newline_exclusions = $mynetworks

Notes:

  * The default setting is "smtpd_forbid_bare_newline = no" in Postfix
    releases < 3.9, for compatibility reasons. This means that Postfix
    is by default vulnerable to SMTP smuggling.

  * The new setting "smtpd_forbid_bare_newline = normalize" is the
    default for Postfix releases 3.9 and later.

  * The old setting "smtpd_forbid_bare_newline = yes" is now an alias for
    "smtpd_forbid_bare_newline = normalize".

  * The new setting "smtpd_forbid_bare_newline = reject" will refuse
    commands or message content with a bare newline. For details see
    the RELEASE_NOTES or the postconf(5) documentation.
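A simplified model of the three smtpd_forbid_bare_newline modes described in this commit message, together with the outbound cleanup_replace_stray_cr_lf countermeasure from the 3.9.0 announcement above, as an added example. This is not Postfix code: it reimplements only the line-ending rules the notes describe. The DATA stream, the envelope addresses and the record lines are constructed for illustration, and treating a bare ".<LF>" line as ordinary content subject to dot-unstuffing in normalize mode is a modelling assumption.

```python
"""Model of smtpd_forbid_bare_newline (no / normalize / reject) over an SMTP
DATA stream, plus cleanup_replace_stray_cr_lf on the outbound side.

Added example for this page; not Postfix code.  All sample data is constructed.
"""

from typing import Iterator


class BareNewlineError(Exception):
    """'reject' mode: the server replies with an error and disconnects."""


def _lines(stream: bytes) -> Iterator[tuple[bytes, bool]]:
    """Yield (line without terminator, terminated_by_CRLF) for each <LF>-ended line."""
    start = 0
    while (end := stream.find(b"\n", start)) >= 0:
        raw = stream[start:end]
        crlf = raw.endswith(b"\r")
        yield (raw[:-1] if crlf else raw), crlf
        start = end + 1
    # Bytes after the last <LF> stay in the socket buffer: a real server keeps
    # waiting for more input, so they are ignored here.


def parse_session(stream: bytes, mode: str) -> list[tuple[bytes, bytes]]:
    """Return [(MAIL FROM address, message body)] as the server would accept them.

    'stream' is everything the client sent after the 354 reply to the first
    DATA command.  Modes, following the release notes:
      "no"        - legacy: a "." line ending in a bare <LF> also ends DATA, so
                    bytes after <LF>.<LF> are parsed as new SMTP commands.
      "normalize" - only <CR><LF>.<CR><LF> ends DATA; a bare <LF> is processed
                    as if <CR><LF> had been sent.
      "reject"    - any line ending in a bare <LF> aborts the session.
    """
    if mode not in ("no", "normalize", "reject"):
        raise ValueError(mode)
    accepted: list[tuple[bytes, bytes]] = []
    in_data = True                  # we start inside the first DATA command
    sender = b"<original-sender>"   # envelope of the legitimate first message
    body: list[bytes] = []
    prev_crlf = True                # the DATA command itself ended in <CR><LF>
    for line, crlf in _lines(stream):
        if not crlf and mode == "reject":
            raise BareNewlineError("Error: bare <LF> received")
        if in_data:
            standard_eod = line == b"." and crlf and prev_crlf
            if line == b"." and (mode == "no" or standard_eod):
                accepted.append((sender, b"\r\n".join(body)))
                body, in_data = [], False
            else:
                # RFC 5321 dot-unstuffing.  In normalize mode a bare ".<LF>"
                # line is ordinary content (modelling assumption, see lead-in).
                body.append(line[1:] if line.startswith(b".") else line)
        else:
            # Command stage: only enough to show the smuggled second envelope.
            upper = line.upper()
            if upper.startswith(b"MAIL FROM:"):
                sender = line[len(b"MAIL FROM:"):].strip()
            elif upper == b"DATA":
                in_data = True
        prev_crlf = crlf
    return accepted


# Constructed: a DATA stream as relayed by an outbound server that passed the
# attacker's non-standard <LF>.<LF> End-of-DATA through unchanged.
SMUGGLED_STREAM = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: legitimate message\r\n"
    b"\r\n"
    b"Hello Bob,\r\n"
    b"\n.\n"                               # non-standard End-of-DATA
    b"MAIL FROM:<ceo@example.net>\r\n"     # smuggled second envelope
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.net\r\n"
    b"Subject: spoofed\r\n"
    b"\r\n"
    b"Please wire the money.\r\n"
    b".\r\n"                               # standard End-of-DATA
)


def replace_stray_cr_lf(record_lines: list[bytes]) -> list[bytes]:
    """Model of cleanup_replace_stray_cr_lf = yes: any <CR> or <LF> still
    inside a message-content record becomes a space before delivery."""
    return [r.replace(b"\r", b" ").replace(b"\n", b" ") for r in record_lines]


def serialize_for_smtp(record_lines: list[bytes]) -> bytes:
    """Model of the SMTP client's DATA output: dot-stuff each record, end it
    with <CR><LF>, then send the standard End-of-DATA sequence."""
    out = b"".join((b"." + r if r.startswith(b".") else r) + b"\r\n"
                   for r in record_lines)
    return out + b".\r\n"


# Constructed: a queued message whose third record carries a stray <CR><LF>.<CR>,
# which some remote servers would accept as End-of-DATA mid-message.
STRAY_RECORDS = [b"Subject: invoice", b"",
                 b"see below\r\n.\rMAIL FROM:<ceo@example.net>"]

if __name__ == "__main__":
    for mode in ("no", "normalize"):
        print(mode, [s for s, _ in parse_session(SMUGGLED_STREAM, mode)])
    print(serialize_for_smtp(replace_stray_cr_lf(STRAY_RECORDS)))
```

With mode "no" the model accepts two messages, the second with the smuggled envelope sender; with "normalize" it accepts one message whose body still contains the smuggled commands as harmless text; with "reject" the session aborts at the first bare <LF>. On the outbound side, the stray-CR/LF replacement is what keeps the serialized DATA from containing a second <CR><LF>.<CR> sequence before the real End-of-DATA.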
   2023-12-22 18:29:18 by Thomas Klausner | Files touched by this commit (10) | Package updated
Log message:
postfix*: update to 3.8.4

20230815

	Bugfix (bug introduced: 20140218): when opportunistic TLS fails
	during or after the handshake, don't require that a probe
	message spent a minimum time-in-queue before falling back to
	plaintext. Problem reported by Serg. File: smtp/smtp.h.

20230819

	Bugfix (defect introduced: 19980207): the valid_hostname()
	check in the Postfix DNS client library was blocking unusual
	but legitimate wildcard names (*.name) in some DNS lookup
	results and lookup requests. Examples:

            name          class/type value
            *.one.example   IN CNAME *.other.example
            *.other.example IN A     10.0.0.1
            *.other.example IN TLSA  ..certificate info...

	Such syntax is blessed in RFC 1034 section 4.3.3.

	This problem was reported first in the context of TLSA
	record lookups. Files: util/valid_hostname.[hc],
	dns/dns_lookup.c.

20230929

	Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
	SMTP server was waiting for a client command instead of
	replying immediately, after a client certificate verification
	error in TLS wrappermode. Reported by Andreas Kinzler. File:
	smtpd/smtpd.c.

20231006

	Usability: the Postfix SMTP server now attempts to log the
	SASL username after authentication failure. In Postfix
	logging, this appends ", sasl_username=xxx" after the reason
	for SASL authentication failure. The logging replaces an
	unavailable reason with "(reason unavailable)", and replaces
	an unavailable sasl_username with "(unavailable)". Based
	on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
	xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.

20231026

	Bugfix (defect introduced: Postfix 2.11): in forward_path,
	the expression ${recipient_delimiter} would expand to an
	empty string when a recipient address had no recipient
	delimiter. Fixed by restoring Postfix 2.10 behavior to use
	a configured recipient delimiter value. Reported by Tod
	A. Sandman. Files: proto/postconf.proto, local/local_expand.c.

20231221

	Security: with "smtpd_forbid_bare_newline = yes" (default
	"no" for Postfix < 3.9), reply with "Error: bare <LF>
	received" and disconnect when an SMTP client sends a line
	ending in <LF>, violating the RFC 5321 requirement that
	lines must end in <CR><LF>. This prevents SMTP smuggling
	attacks that target a recipient at a Postfix server. For
	backwards compatibility, local clients are excluded by
	default with "smtpd_forbid_bare_newline_exclusions =
	$mynetworks". Files: mantools/postlink, proto/postconf.proto,
	global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
	smtpd/smtpd.c.
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3
   2023-07-15 16:56:26 by Juraj Lutter | Files touched by this commit (2)
Log message:
postfix: Update to 3.8.1

Major changes with Postfix 3.8.1
================================

- Security: the Postfix SMTP server optionally disconnects remote SMTP clients
  that violate RFC 2920 (or 5321) command pipelining constraints. The server
  replies with "554 5.5.0 Error: SMTP protocol synchronization" and logs the
  unexpected remote SMTP client input. Specify "smtpd_forbid_unauth_pipelining
  = yes" to enable. This feature is enabled by default in Postfix 3.9 and
  later.

- Workaround to limit collateral damage from OS distributions that crank up
  security to 11, increasing the number of plaintext email deliveries. This
  introduces basic OpenSSL configuration file support, with two new parameters
  "tls_config_file" and "tls_config_name". Details are in the postconf(5)
  manpage under "tls_config_file" and "tls_config_name".

Full release notes:
http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.8.1.RELEASE_NOTES
   2023-05-08 06:30:44 by Frédéric Fauberteau | Files touched by this commit (3)
Log message:
postfix: Update to 3.8.0

upstream changes:
-----------------
Postfix 3.7.8
  o Support to look up DNS SRV records in the Postfix SMTP/LMTP client, Based
    on code by Tomas Korbar (Red Hat). For example, with "use_srv_lookup =
    submission" and "relayhost = example.com:submission", the Postfix SMTP
    client will look up DNS SRV records for _submission._tcp.example.com, and
    will relay email through the hosts and ports that are specified with those
    records.
  o TLS obsolescence: Postfix now treats the "export" and "low" cipher grade
    settings as "medium". The "export" and "low" grades are no longer supported
    in OpenSSL 1.1.1, the minimum version required in Postfix 3.6.0 and later.
    Also, Postfix default settings now exclude deprecated or unused ciphers
    (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5), key exchange algorithms
    (DH, ECDH), and public key algorithm (DSS).
  o Attack resistance: the Postfix SMTP server can now aggregate
    smtpd_client_*_rate and smtpd_client_*_count statistics by network block
    instead of by IP address, to raise the bar against a memory exhaustion
    attack in the anvil(8) server; Postfix TLS support unconditionally disables
    TLS renegotiation in the middle of an SMTP connection, to avoid a CPU
    exhaustion attack.
  o The PostgreSQL client encoding is now configurable with the "encoding"
    Postfix configuration file attribute. The default is "UTF8". Previously the
    encoding was hard-coded as "LATIN1", which is not useful in the context of
    SMTP.
  o The postconf command now warns for #comment in or after a Postfix parameter
    value. Postfix programs do not support #comment after other text, and treat
    that as input.
   2023-04-19 10:12:01 by Adam Ciarcinski | Files touched by this commit (2359) | Package updated
Log message:
revbump after textproc/icu update
