From: Wietse Venema Date: Sat, 3 Oct 2020 05:00:00 +0000 (-0500) Subject: postfix-3.6-20201003 X-Git-Tag: v3.6.0-RC1~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d1a538b40453e3af1db3dc3311f8dd10b2e7810;p=thirdparty%2Fpostfix.git postfix-3.6-20201003 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index cc0172562..f4810b325 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -7269,7 +7269,7 @@ Apologies for any names omitted. 20021119 New address_verification_negative_cache = yes/no parameter - controls whether Postfix stores the result of negatieve + controls whether Postfix stores the result of negative address verification probes. This reduces cache pollution but causes Postfix to send a probe for each address verification service query. File: verify/verify.c. @@ -7559,7 +7559,7 @@ Apologies for any names omitted. rewrite broken user@ or user@. address forms into even more broken forms. bother. File: trivial-rewrite/rewrite.c. - Cleanup: the address resolver code now treates forms ending + Cleanup: the address resolver code now treats forms ending in @ in a more rational manner (because the address rewriting code no longer messes up by appending .my.domain). @@ -8611,7 +8611,7 @@ Apologies for any names omitted. libraries support just SPACE, others SPACE and ",". Postfix now normalizes the host list into a space separated format. This is less surprising to Postfix users used to the full - range of delimeters in other contexts. Implemented by Liviu + range of delimiters in other contexts. Implemented by Liviu Daia. File: util/dict_ldap.c Bugfix: after returning too old mail, the bounce daemon 
@@ -8968,7 +8968,7 @@ Apologies for any names omitted. 20040104 Workaround: MacOSX dumps core on the 20030913 TZ censoring - code. We explictly set TZ=UTC, which will produce incorrect + code. We explicitly set TZ=UTC, which will produce incorrect results when "mailq" formatting is moved from the showq daemon to the postqueue command. File: msg_syslog.c. @@ -11119,7 +11119,7 @@ Apologies for any names omitted. Cleanup: removed the legacy "tls_info" structure, factored out common code for peer_CN and issuer_CN lookup, and added sanity check to not verify subject common names that contain - nulls or that are execessively long. Patch by Victor Duchovni. + nulls or that are excessively long. Patch by Victor Duchovni. Files: tls_client.c, tls_server.c, tls_session.c, tls_misc.c, tls_verify.c. @@ -15560,7 +15560,7 @@ Apologies for any names omitted. Cleanup: the postscreen daemon now applies the permanent whitelist first. It is a safety feature that prevents mail - from being blocked. File: postscreeb/postscreen.c. + from being blocked. File: postscreen/postscreen.c. 20091224 @@ -15883,7 +15883,7 @@ Apologies for any names omitted. This code was started in Postfix 2.1, but it was never finished due to time constraints. Files: smtpd/smtpd.[hc] smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c, - *qmgr/qmgr_messsage.c, *qmgr/qmgr_deliver.c, + *qmgr/qmgr_message.c, *qmgr/qmgr_deliver.c, global/deliver_request.[hc], global/mail_proto.h, global/deliver_pass.c, smtp/smtp_proto.c. @@ -16531,7 +16531,7 @@ Apologies for any names omitted. Cleaned up and finalized read/write deadline support. Once this code has been fielded it can go into Postfix 2.8.1, and made available as optional patch for earlier releases. - Further refinements have only dimishing returns and can + Further refinements have only diminishing returns and can evolve in the 2.9 release cycle. File: util/vstream.c. 20110128 
@@ -17642,7 +17642,7 @@ Apologies for any names omitted. Cleanup: when multiple DNSBLs block an SMTP client, the postscreen "reject" message now gives credit to the DNSBL with the largest weight, instead of the DNSBL that replies - first. File: postscreen/postscreeb_dnsbl.c. + first. File: postscreen/postscreen_dnsbl.c. Cleanup: memcache_table(5) manpage. File proto/memcache_table. @@ -19113,7 +19113,7 @@ Apologies for any names omitted. dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c, dict_dbm.c, dict_cidr.c, dict_cdb.c. - Cleanup: warning message after canonical/virtal/etc. + Cleanup: warning message after canonical/virtual/etc. table lookup error. Files: cleanup/cleanup_addr.c, cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c, cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c, @@ -19381,13 +19381,13 @@ Apologies for any names omitted. posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c. Cleanup: DANE support: Reduce #ifdef clutter to improve - redability and maintability. Viktor Dukhovni. File: + redability and maintainability. Viktor Dukhovni. File: tls/tls_dane.c. Future proofing: Tolerate disappearance of named bug-workaround bits without invalidating user configurations. When support for a bug workaround is removed from OpenSSL, the corresponding - bit is defined as zero (i.e. NOOP) intstead of causing + bit is defined as zero (i.e. NOOP) instead of causing programs to break. Viktor Dukhovni. File: tls/tls_misc.c. 20131217 @@ -19734,7 +19734,7 @@ Apologies for any names omitted. libglobal or dynamicmaps maps. File: postdrop/postdrop.c. Cleanup: moved dynamicmaps initialization from parameter - inititialization (mail_conf_suck()) to dictionary initialization + initialization (mail_conf_suck()) to dictionary initialization (mail_dict_init()). A benefit of this is that dynamicmaps.cf is no longer read by programs that don't use Postfix lookup tables. Files: global/mail_conf.[hc], global/mail_dict.c. 
@@ -20142,7 +20142,7 @@ Apologies for any names omitted. This implements the syntax of SMTP commands and DSN delivery status notifications. It does not address the problem that the same domain name may show up in different forms: an - UTF8-encoded name with non-ASCII charaters, or an IDNA-encoded + UTF8-encoded name with non-ASCII characters, or an IDNA-encoded (xn--mumble) name with ASCII-only characters. This means that access policies, mydestination, virtual_*_domains and relay_domans will have to understand both forms in order @@ -20624,7 +20624,7 @@ Apologies for any names omitted. 20141011 Cleanup: replaced cryptic macros X_SMTP() and SMTP_X() with - more descripive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP(). + more descriptive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP(). Files: smtp/smtp.c, smtp/smtp.h, smtp/smtp_chat.c, smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c, smtp/smtp_tls_policy.c. @@ -21377,7 +21377,7 @@ Apologies for any names omitted. Cleanup: apply printable() to all bounce(8) service string-valued protocol fields. File: bounce/bounce.c. - Apparenly the UCI 4.8 ucasemap_utf8FoldCase() function does + Apparently the UCI 4.8 ucasemap_utf8FoldCase() function does not complain about UTF-8 syntax errors, so we add our own redundant check. File: util/casefold.c. @@ -22721,7 +22721,7 @@ Apologies for any names omitted. configuration directory: the default configuration directory, a directory that is listed in the default main.cf file with alternate_config_directories or multi_instance_directories, - or the command must be invoked with root priveleges. This + or the command must be invoked with root privileges. This mitigates a problem with the PHP mail() function. Files: global/mail_conf.[hc], sendmail/sendmail.c. 
@@ -25182,4 +25182,25 @@ Apologies for any names omitted. warning if it is not. By default, the probe has type "ns" and domain name ".". The probe is sent once per process lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c, - test_dns_lookup.c. + test_dns_lookup.c, global/mail_params.[hc], mantools/postlink.. + +20201003 + + The makedefs script no longer disables DNSSEC when Postfix + is built with libc-musl. Instead Postfix will rely on the + new dnssec_probe feature, and will log a warning when Postfix + requests DNSSEC validation, but the infrastructure does not + validate DNSSEC signatures. File: makedefs. + + Cleanup: some wordsmithing of warnings when DNSSEC validation + is unavailable. File: dns/dns_sec.c. + + Clenaup: add missing warnings for libpostfix version + mismatches. This will help folks with build processes that + mistakenly run newly-built Postfix installation commands + with previously-installed libpostfix files. Files: + postcat/postcat.c, postconf/postconf.c, postkick/postkick.c, + postlock/postlock.c. + + Documentation: hyperlink occurrences of the info_log_address_format + parameter name in daemon manpages. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 1f44e1593..dc6e9bb56 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -25,13 +25,24 @@ more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. +Major changes with snapshot 20201003 +==================================== + +The Postfix build system will no longer automatically disable DNSSEC +support when it determines that Postfix will use libc-musl. Instead, +Postfix will rely on the new dnssec_probe feature to determine at +runtime if DNSSEC validation is available. DNSSEC support may be +broken for reasons other than compatibility issues with the libc +implementation. + Major changes with snapshot 20200930 ==================================== -The dnssec_probe parameter specifies the DNS query type (default: -"ns") and DNS query name (default: ".") that Postfix may use to -determine whether DNSSEC validation is available. Specify an empty -value to disable this feature. +When a Postfix process requires DNSSEC support (typically, for +Postfix DANE support), the process may do a one-time test to determine +if DNSSEC validation is available. DNSSEC support may be broken +because of local configuration, libc incompatibility, or network +infrastructure issues. Background: DNSSEC validation is needed for Postfix DANE support; this ensures that Postfix receives TLSA records with secure TLS 
@@ -40,6 +51,11 @@ mail deliveries using opportunistic DANE will not be protected by server certificate info in TLSA records, and mail deliveries using mandatory DANE will not be made at all. +The dnssec_probe parameter specifies the DNS query type (default: +"ns") and DNS query name (default: ".") that Postfix may use to +determine whether DNSSEC validation is available. Specify an empty +value to disable this feature. + By default, a Postfix process will send a DNSSEC probe after 1) the process made a DNS query that requested DNSSEC validation, 2) the process did not receive a DNSSEC validated response to this query @@ -48,7 +64,11 @@ DNSSEC probe. When the DNSSEC probe has no response, or when the response is not DNSSEC validated, Postfix logs a warning that DNSSEC validation may -be unavailable. +be unavailable. Examples: + +warning: DNSSEC validation may be unavailable +warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated +warning: reason: dnssec_probe 'ns:.' received no response: Server failure Incompatible change with snapshot 20200920 ========================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index b6c799054..36aef38ba 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -2,8 +2,9 @@ Wish list: Does tlsproxy terminate to soon after 'postfix reload'? - touch all files that contain Binfo_log_address_format - then re-generate manpages. + Understand what happens with DNSSEC related status fields + in posttls-finger when resolv.conf points to a host that + runs no DNS server. The documented order of relay/recipient restrictions differs from the implementation. This may need a new compatibility diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html index 3d0039413..da24764f3 100644 --- a/postfix/html/cleanup.8.html +++ b/postfix/html/cleanup.8.html 
@@ -492,7 +492,7 @@ CLEANUP(8) CLEANUP(8) Available in Postfix 3.5 and later: - info_log_address_format (external) + info_log_address_format (external) The email address form that will be used in non-debug logging (info, warning, etc.). diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index f35557304..07907f40f 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -369,8 +369,8 @@ SMTP(8) SMTP(8) dnssec_probe (ns:.) The DNS query type (default: "ns") and DNS query name (default: - ".") that Postfix may use to determine whether DNSSEC is avail- - able. + ".") that Postfix may use to determine whether DNSSEC validation + is available. MIME PROCESSING CONTROLS Available in Postfix version 2.0 and later: diff --git a/postfix/html/local.8.html b/postfix/html/local.8.html index 34a46af73..af3491a8d 100644 --- a/postfix/html/local.8.html +++ b/postfix/html/local.8.html @@ -577,7 +577,7 @@ LOCAL(8) LOCAL(8) Available in Postfix 3.5 and later: - info_log_address_format (external) + info_log_address_format (external) The email address form that will be used in non-debug logging (info, warning, etc.). diff --git a/postfix/html/oqmgr.8.html b/postfix/html/oqmgr.8.html index 5763473c3..0624982f7 100644 --- a/postfix/html/oqmgr.8.html +++ b/postfix/html/oqmgr.8.html @@ -382,7 +382,7 @@ OQMGR(8) OQMGR(8) Available in Postfix 3.5 and later: - info_log_address_format (external) + info_log_address_format (external) The email address form that will be used in non-debug logging (info, warning, etc.). diff --git a/postfix/html/pickup.8.html b/postfix/html/pickup.8.html index 86292bcd3..238b9ad79 100644 --- a/postfix/html/pickup.8.html +++ b/postfix/html/pickup.8.html @@ -99,7 +99,7 @@ PICKUP(8) PICKUP(8) Available in Postfix 3.5 and later: - info_log_address_format (external) + info_log_address_format (external) The email address form that will be used in non-debug logging (info, warning, etc.). 
diff --git a/postfix/html/pipe.8.html b/postfix/html/pipe.8.html index eed936f2f..e112c7dda 100644 --- a/postfix/html/pipe.8.html +++ b/postfix/html/pipe.8.html @@ -473,7 +473,7 @@ PIPE(8) PIPE(8) Available in Postfix 3.5 and later: - info_log_address_format (external) + info_log_address_format (external) The email address form that will be used in non-debug logging (info, warning, etc.). diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 7efb19f79..c672fa4ef 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -3062,6 +3062,14 @@ send a DNSSEC probe.

not DNSSEC validated, Postfix logs a warning that DNSSEC validation may be unavailable.

+

Example:

+ +
+warning: DNSSEC validation may be unavailable
+warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
+warning: reason: dnssec_probe 'ns:.' received no response: Server failure
+
+

Possible reasons why DNSSEC validation may be unavailable:
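Review bot: in the postfix/HISTORY hunk at @@ -19381, the corrected line still reads "redability and maintainability". The line is already being touched for "maintability", so "redability" should become "readability" in the same edit.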
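Review bot: in the postfix/HISTORY hunk at @@ -20142, the unchanged context line "access policies, mydestination, virtual_*_domains and relay_domans will have to understand both forms" still misspells the parameter name relay_domains, a few lines below the "charaters" fix. A misspelled parameter name defeats text search through the history, so it is worth correcting in this pass.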
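Review bot: in the postfix/HISTORY hunk at @@ -21377, the line corrected for "Apparenly" still says "UCI 4.8". ucasemap_utf8FoldCase() is an ICU function, so "UCI" looks like a transposition of "ICU" and can be fixed on the same line.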
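Review bot: the new 20201003 entry in postfix/HISTORY (hunk @@ -25182) adds typos in a commit that is otherwise removing them: "Clenaup: add missing warnings for libpostfix version" should begin with "Cleanup:", and the amended file list ends in "mantools/postlink.." with a doubled period. The closing "Documentation:" item also has no "File:" or "Files:" trailer, unlike the three items before it.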
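Review bot: the new "Major changes with snapshot 20201003" paragraph in postfix/RELEASE_NOTES (hunk @@ -25,13) says Postfix will determine at runtime whether DNSSEC validation is available, but not what an operator sees when it is not. The HISTORY entry in this same commit states that Postfix "will log a warning"; repeating that here, with a pointer to the 20200930 section for the effect on opportunistic and mandatory DANE deliveries, would tell people with libc-musl builds, where DNSSEC was previously disabled at build time, what to watch for after upgrading.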
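Review bot: the "Examples:" block added in the postfix/RELEASE_NOTES hunk at @@ -48,7 lists three warning lines as one run, which reads like a single log excerpt. The two "reason:" lines correspond to the two separate cases named in the sentence above (response not DNSSEC validated, and no response), so showing each reason as its own example under the "DNSSEC validation may be unavailable" line would make clear which lines occur together, which matters to anyone writing log-matching rules. The same block in the postconf.5.html hunk is introduced with the singular "Example:" and would benefit from the same split.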
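Review bot: in the postfix/WISHLIST hunk, the unchanged context line "Does tlsproxy terminate to soon after 'postfix reload'?" should read "too soon". The hunk already edits the item directly below it, so the fix fits here.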