From: Wietse Z Venema
The postconf(1) command logs one or more of the following:
+ +The above parameters have been renamed for consistency with other +parameters. For backwards compatibility, the old parameter values are +used as the default value for the new parameters, but they will +eventually be removed to eliminate clutter and confusion
+ +To silence these warning messages, edit main.cf or master.cf, +and replace each obsolete parameter name with its replacement.
+ +The postconf(1) command logs one of the following:
+ +The empty value is the default setting for both as of Postfix +3.11, when compiled with OpenSSL 3.5 or later. See tls_config_file +for a configuration example
+ +The postconf(1) command logs one of the following:
+ +These features control whether a DNS CNAME record can override +the server peer name that Postfix will use for policy lookup or for +certificate verification. This behavior is disabled by default as of +Postfix 2.11, because it no longer solves a real problem.
+When DNS CNAME records are validated with secure DNS lookups -(smtp_dns_support_level = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later).
- -This feature is available in Postfix 2.2.9 and later.
+This feature is available in Postfix 2.2.9 and later, deprecated +as of Postfix 3.11.
@@ -15198,6 +15195,14 @@ This feature is available in Postfix 2.2 and later. + + +Renamed to smtpd_client_event_limit_exceptions in Postfix 2.2.
+ +@@ -20504,7 +20514,9 @@ configuration syntax that Postfix will not attempt to imitate. Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups to the empty value, to enable algorithm selection through OpenSSL -configuration. See tls_config_file for a configuration example. +configuration. The empty value is the default setting for both as +of Postfix 3.11, when compiled with OpenSSL 3.5 or later. See +tls_config_file for a configuration example.This feature is available in Postfix 3.2 and later, when it is @@ -20662,7 +20674,9 @@ configuration syntax that Postfix will not attempt to imitate. Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty value, to enable algorithm selection through OpenSSL configuration. -See tls_config_file for a configuration example.
+The empty value is the default setting for both as of Postfix 3.11, +when compiled with OpenSSL 3.5 or later. See tls_config_file for a +configuration example.All the default groups and EC curves should be sufficiently strong to make "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the diff --git a/postfix/html/postqueue.1.html b/postfix/html/postqueue.1.html index 3d63737d1..4ef6188ec 100644 --- a/postfix/html/postqueue.1.html +++ b/postfix/html/postqueue.1.html @@ -144,6 +144,9 @@ POSTQUEUE(1) POSTQUEUE(1) address One recipient address. + orig_address + One original recipient address. + delay_reason If present, the reason for delayed delivery. Delayed recipients may have no delay reason, for example, while diff --git a/postfix/man/man1/postqueue.1 b/postfix/man/man1/postqueue.1 index d042a34d6..4959609d2 100644 --- a/postfix/man/man1/postqueue.1 +++ b/postfix/man/man1/postqueue.1 @@ -139,6 +139,8 @@ An array containing zero or more objects with members: .RS .IP \fBaddress\fR One recipient address. +.IP \fBorig_address\fR +One original recipient address. .IP \fBdelay_reason\fR If present, the reason for delayed delivery. Delayed recipients may have no delay reason, for example, while diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index bcecdf30d..7c824b4f7 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -7165,11 +7165,8 @@ false hostname information in DNS CNAME records, and makes SASL password file lookups more predictable. This is the default setting as of Postfix 2.3. .PP -When DNS CNAME records are validated with secure DNS lookups -(smtp_dns_support_level = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later). -.PP -This feature is available in Postfix 2.2.9 and later. +This feature is available in Postfix 2.2.9 and later, deprecated +as of Postfix 3.11. .SH smtp_connect_timeout (default: 30s) The Postfix SMTP client time limit for completing a TCP connection, or zero (use the operating system built\-in time limit). @@ -10132,6 +10129,8 @@ WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate legitimate mail traffic. .PP This feature is available in Postfix 2.2 and later. +.SH smtpd_client_connection_limit_exceptions (default: $mynetworks) +Renamed to smtpd_client_event_limit_exceptions in Postfix 2.2. .SH smtpd_client_connection_rate_limit (default: 0) The maximal number of connection attempts any client is allowed to make to this service per time unit. The time unit is specified @@ -14106,6 +14105,11 @@ Example: Custom OpenSSL group settings. main.cf: tls_config_file = ${config_directory}/openssl.cnf tls_config_name = postfix + # Clear Postfix curve/group settings to let OpenSSL settings take + # effect. + # Uncomment only with Postfix < 3.11 or OpenSSL < 3.5. + # tls_eecdh_auto_curves = + # tls_ffdhe_auto_groups = .fi .ad .PP 
@@ -14337,7 +14341,9 @@ configuration syntax that Postfix will not attempt to imitate. Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups to the empty value, to enable algorithm selection through OpenSSL -configuration. See tls_config_file for a configuration example. +configuration. The empty value is the default setting for both as +of Postfix 3.11, when compiled with OpenSSL 3.5 or later. See +tls_config_file for a configuration example. .PP This feature is available in Postfix 3.2 and later, when it is compiled and linked with OpenSSL 1.0.2 or later on platforms where @@ -14457,7 +14463,9 @@ configuration syntax that Postfix will not attempt to imitate. Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty value, to enable algorithm selection through OpenSSL configuration. -See tls_config_file for a configuration example. +The empty value is the default setting for both as of Postfix 3.11, +when compiled with OpenSSL 3.5 or later. See tls_config_file for a +configuration example. .PP All the default groups and EC curves should be sufficiently strong to make "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the diff --git a/postfix/mantools/check-postconf-unimplemented b/postfix/mantools/check-postconf-unimplemented index 9f5479fe7..e6214f267 100755 --- a/postfix/mantools/check-postconf-unimplemented +++ b/postfix/mantools/check-postconf-unimplemented @@ -63,6 +63,7 @@ sender_based_routing smtp_per_record_deadline smtp_skip_4xx_greeting smtp_tls_cipherlist +smtpd_client_connection_limit_exceptions smtpd_per_record_deadline smtpd_sasl_application_name smtpd_tls_cipherlist diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 2b174bcac..3ed499977 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink 
@@ -544,6 +544,7 @@ while (<>) { s;\bsmtpd_client_auth_rate_limit\b;$&;g; s;\bsmtpd_client_connec[-]*\n*[
]*tion_count_limit\b;$&;g; s;\bsmtpd_client_event_limit_exceptions\b;$&;g; + s;\bsmtpd_client_connection_limit_exceptions\b;$&;g; s;\bsmtpd_client_connec[- ]*\n*[]*tion_rate_limit\b;$&;g; s;\bsmtpd_client_message_rate_limit\b;$&;g; s;\bsmtpd_client_port_logging\b;$&;g; diff --git a/postfix/proto/DEPRECATION_README.html b/postfix/proto/DEPRECATION_README.html index 6f9f247bf..8dbcb11fb 100644 --- a/postfix/proto/DEPRECATION_README.html +++ b/postfix/proto/DEPRECATION_README.html @@ -104,6 +104,76 @@ detailed description. Removed
in versionReplacement
The postconf(1) command logs one or more of the following:
+ +The above parameters have been renamed for consistency with other +parameters. For backwards compatibility, the old parameter values are +used as the default value for the new parameters, but they will +eventually be removed to eliminate clutter and confusion
+ +To silence these warning messages, edit main.cf or master.cf, +and replace each obsolete parameter name with its replacement.
+ +The postconf(1) command logs one of the following:
+ +The empty value is the default setting for both as of Postfix +3.11, when compiled with OpenSSL 3.5 or later. See tls_config_file +for a configuration example
+ +The postconf(1) command logs one of the following:
+ +These features control whether a DNS CNAME record can override +the server peer name that Postfix will use for policy lookup or for +certificate verification. This behavior is disabled by default as of +Postfix 2.11, because it no longer solves a real problem.
+Renamed to smtpd_client_event_limit_exceptions in Postfix 2.2.
+ %PARAM smtpd_client_event_limit_exceptions $mynetworks@@ -11458,11 +11462,8 @@ false hostname information in DNS CNAME records, and makes SASL password file lookups more predictable. This is the default setting as of Postfix 2.3.
-When DNS CNAME records are validated with secure DNS lookups -(smtp_dns_support_level = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later).
- -This feature is available in Postfix 2.2.9 and later.
+This feature is available in Postfix 2.2.9 and later, deprecated +as of Postfix 3.11.
%PARAM lmtp_cname_overrides_servername yes @@ -13442,7 +13443,9 @@ configuration syntax that Postfix will not attempt to imitate. Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups to the empty value, to enable algorithm selection through OpenSSL -configuration. See tls_config_file for a configuration example. +configuration. The empty value is the default setting for both as +of Postfix 3.11, when compiled with OpenSSL 3.5 or later. See +tls_config_file for a configuration example.This feature is available in Postfix 3.2 and later, when it is @@ -13483,7 +13486,9 @@ configuration syntax that Postfix will not attempt to imitate. Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty value, to enable algorithm selection through OpenSSL configuration. -See tls_config_file for a configuration example.
+The empty value is the default setting for both as of Postfix 3.11, +when compiled with OpenSSL 3.5 or later. See tls_config_file for a +configuration example.All the default groups and EC curves should be sufficiently strong to make "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the @@ -19290,6 +19295,11 @@ MinProtocol = TLSv1 main.cf: tls_config_file = ${config_directory}/openssl.cnf tls_config_name = postfix + # Clear Postfix curve/group settings to let OpenSSL settings take + # effect. + # Uncomment only with Postfix < 3.11 or OpenSSL < 3.5. + # tls_eecdh_auto_curves = + # tls_ffdhe_auto_groups =
diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history
index 6b32f3309..89f28c530 100644
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@@ -202,3 +202,7 @@ proto proto COMPATIBILITY_README html
smtp smtp h smtp smtp_connect c smtp smtp_params c
the policies policy policy domain value This ignores
TLSRPT Workaround when policies policy policy type is
+ Christophe Kalt Files postqueue postqueue c
+ postqueue showq_compat c postqueue showq_json c showq showq c
+ role is received File tlsproxy tlsproxy c
+ Files proto postconf proto proto DEPRECATION_README html
diff --git a/postfix/proto/stop.spell-cc b/postfix/proto/stop.spell-cc
index c21a6600d..ee926cca7 100644
--- a/postfix/proto/stop.spell-cc
+++ b/postfix/proto/stop.spell-cc
@@ -1871,3 +1871,6 @@ REPLYCODE
PTEST
finalizer
enf
+Christophe
+Kalt
+stdlib
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 28a879f1c..de23c9637 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -22,6 +22,9 @@ typedef int bool;
#if OPENSSL_VERSION_NUMBER < 0x1010100fUL
#error "OpenSSL releases prior to 1.1.1 are no longer supported"
#endif
+#endif
+#ifndef OPENSSL_VERSION_PREREQ
+#define OPENSSL_VERSION_PREREQ(m,n) 0
#endif
/*
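Review bot: The fallback `#define OPENSSL_VERSION_PREREQ(m,n) 0` carries no comment on when it applies. Every later `#if OPENSSL_VERSION_PREREQ(3,5)` in this patch silently takes the legacy branch whenever the OpenSSL header that defines the macro was not included before this point, so a comment stating that the fallback covers builds without TLS and OpenSSL releases that predate the macro would make both the intent and the include-order dependency explicit.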
@@ -3416,6 +3419,10 @@ extern char *var_tls_export_ignored;
#define DEF_TLS_NULL_CLIST "eNULL" TLS_EXCL_REST ":!aNULL"
extern char *var_tls_null_clist;
+#define VAR_TLS_EECDH_AUTO "tls_eecdh_auto_curves"
+#if OPENSSL_VERSION_PREREQ(3,5)
+#define DEF_TLS_EECDH_AUTO ""
+#else
#if defined(SN_X25519) && defined(NID_X25519)
#define DEF_TLS_EECDH_AUTO_1 SN_X25519 " "
#else
@@ -3446,12 +3453,12 @@ extern char *var_tls_null_clist;
#define DEF_TLS_EECDH_AUTO_5 ""
#endif
-#define VAR_TLS_EECDH_AUTO "tls_eecdh_auto_curves"
#define DEF_TLS_EECDH_AUTO DEF_TLS_EECDH_AUTO_1 \
DEF_TLS_EECDH_AUTO_2 \
DEF_TLS_EECDH_AUTO_3 \
DEF_TLS_EECDH_AUTO_4 \
DEF_TLS_EECDH_AUTO_5
+#endif
extern char *var_tls_eecdh_auto;
#define VAR_TLS_EECDH_STRONG "tls_eecdh_strong_curve"
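Review bot: The `+#endif` after the DEF_TLS_EECDH_AUTO definition is unlabelled, and it closes the `#if OPENSSL_VERSION_PREREQ(3,5)` opened in the previous hunk, on the far side of several nested `#if defined(SN_...)` blocks. Suggest `#endif /* OPENSSL_VERSION_PREREQ(3,5) */` here and on the matching tls_ffdhe_auto_groups block, plus a one-line comment that the empty default is selected from the build-time OpenSSL headers.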
@@ -3462,6 +3469,10 @@ extern char *var_tls_eecdh_strong;
#define DEF_TLS_EECDH_ULTRA "secp384r1"
extern char *var_tls_eecdh_ultra;
+#define VAR_TLS_FFDHE_AUTO "tls_ffdhe_auto_groups"
+#if OPENSSL_VERSION_PREREQ(3,5)
+#define DEF_TLS_FFDHE_AUTO ""
+#else
#if defined(SN_ffdhe2048) && defined(NID_ffdhe2048)
#define DEF_TLS_FFDHE_AUTO_1 SN_ffdhe2048 " "
#else
@@ -3473,9 +3484,9 @@ extern char *var_tls_eecdh_ultra;
#define DEF_TLS_FFDHE_AUTO_2 ""
#endif
-#define VAR_TLS_FFDHE_AUTO "tls_ffdhe_auto_groups"
#define DEF_TLS_FFDHE_AUTO DEF_TLS_FFDHE_AUTO_1 \
DEF_TLS_FFDHE_AUTO_2
+#endif
extern char *var_tls_ffdhe_auto;
#define VAR_TLS_PREEMPT_CLIST "tls_preempt_cipherlist"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 06ad2c875..0970dd873 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20251026"
+#define MAIL_RELEASE_DATE "20251028"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c
index 402c96d7f..c68a07f19 100644
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -1135,5 +1135,9 @@ int main(int argc, char **argv)
}
}
vstream_fflush(VSTREAM_OUT);
+
+ if ((pcf_cmd_mode & PCF_WARN_UNUSED_DEPRECATED) && pcf_found_deprecated)
+ msg_warn("See https://www.postfix.org/DEPRECATION_README.html "
+ "for details");
exit(0);
}
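Review bot: The DEPRECATION_README URL in the added msg_warn() is a string literal inside main(). Suggest a named macro next to the other postconf definitions, so that a packager who installs the README locally can change the pointer in one place.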
diff --git a/postfix/src/postconf/postconf.h b/postfix/src/postconf/postconf.h
index b42245c78..faeed0ded 100644
--- a/postfix/src/postconf/postconf.h
+++ b/postfix/src/postconf/postconf.h
@@ -304,6 +304,7 @@ extern void PRINTFLIKE(3, 4) pcf_print_line(VSTREAM *, int, const char *,...);
*/
extern void pcf_flag_unused_main_parameters(void);
extern void pcf_flag_unused_master_parameters(void);
+extern int pcf_found_deprecated;
/*
* postconf_other.c.
diff --git a/postfix/src/postconf/postconf_unused.c b/postfix/src/postconf/postconf_unused.c
index 0b8d14646..fc6a07bf9 100644
--- a/postfix/src/postconf/postconf_unused.c
+++ b/postfix/src/postconf/postconf_unused.c
@@ -6,6 +6,8 @@
/* SYNOPSIS
/* #include
/*
+/* int pcf_found_deprecated;
+/*
/* void pcf_flag_unused_main_parameters()
/*
/* void pcf_flag_unused_master_parameters()
@@ -20,6 +22,9 @@
/*
/* pcf_flag_unused_master_parameters() reports unused or
/* deprecated "-o name=value" entries in master.cf.
+/*
+/* pcf_found_deprecated is non-zero if deprecated parameters were
+/* reported.
/* DIAGNOSTICS
/* Problems are reported to the standard error stream.
/* LICENSE
@@ -98,12 +103,35 @@ static const PCF_DEPR_PARAM_INFO pcf_depr_param_info[] = {
/*
* Deprecated as of Postfix 3.11.
*/
+ "authorized_verp_clients", "specify \"smtpd_authorized_verp_clients\"",
+ "fallback_relay", "specify \"smtp_fallback_relay\"",
+ "lmtp_per_request_deadline", "specify \"lmtp_per_request_deadline\"",
"lmtp_tls_enforce_peername", "specify \"lmtp_tls_security_level\"",
+ "postscreen_blacklist_action", "specify \"postscreen_denylist_action\"",
+ "postscreen_dnsbl_ttl", "specify \"postscreen_dnsbl_max_ttl\"",
+ "postscreen_dnsbl_whitelist_threshold", "specify \"postscreen_dnsbl_allowlist_threshold\"",
+ "postscreen_whitelist_interfaces", "specify \"postscreen_allowlist_interfaces\"",
+ "smtpd_client_connection_limit_exceptions", "specify \"smtpd_client_event_limit_exceptions\"",
+ "smtp_per_request_deadline", "specify \"smtp_per_request_deadline\"",
"smtp_tls_enforce_peername", "specify \"smtp_tls_security_level\"",
+ "tlsproxy_client_level", "specify \"tlsproxy_client_security_level\"",
+ "tlsproxy_client_policy", "specify \"tlsproxy_client_policy_maps\"",
+ "virtual_maps", "specify \"virtual_alias_maps\"",
+#if OPENSSL_VERSION_PREREQ(3,5)
+ "tls_eecdh_auto_curves", "do not specify with OpenSSL 3.5 or later",
+ "tls_ffdhe_auto_groups", "do not specify with OpenSSL 3.5 or later",
+#endif
+ "lmtp_cname_overrides_servername", "do not specify",
+ "smtp_cname_overrides_servername", "do not specify",
+
+ /*
+ * Terminator.
+ */
0,
};
static HTABLE *pcf_depr_param_table;
+int pcf_found_deprecated;
/* pcf_init_depr_params - initialize lookup table */
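Review bot: Two of the added table rows name the same parameter as both the deprecated one and its replacement: `"lmtp_per_request_deadline", "specify \"lmtp_per_request_deadline\""`, and the smtp_per_request_deadline row likewise. As written, postconf would warn that lmtp_per_request_deadline will be removed and then advise specifying lmtp_per_request_deadline. The left-hand names look like they should be the older spellings (mantools/check-postconf-unimplemented in this same patch lists smtp_per_record_deadline); please confirm and correct the keys.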
@@ -164,6 +192,7 @@ static void pcf_flag_unused_parameters(DICT *dict, const char *conf_name,
msg_warn("%s/%s: support for parameter %s has been removed;"
" instead, %s", var_config_dir, conf_name,
param_name, dp->alternative);
+ pcf_found_deprecated = 1;
} else {
msg_warn("%s/%s: unused parameter: %s=%s",
var_config_dir, conf_name, param_name, param_value);
@@ -181,6 +210,7 @@ static void pcf_flag_unused_parameters(DICT *dict, const char *conf_name,
msg_warn("%s/%s: support for parameter \"%s\" will be removed;"
" instead, %s", var_config_dir, conf_name,
param_name, dp->alternative);
+ pcf_found_deprecated = 1;
}
}
}
diff --git a/postfix/src/postconf/test18.ref b/postfix/src/postconf/test18.ref
index 09224a638..2a79d6c8c 100644
--- a/postfix/src/postconf/test18.ref
+++ b/postfix/src/postconf/test18.ref
@@ -1,3 +1,6 @@
config_directory = .
smtpd_client_connection_limit_exceptions = yyy
virtual_maps = xxx
+./postconf: warning: ./main.cf: support for parameter "smtpd_client_connection_limit_exceptions" will be removed; instead, specify "smtpd_client_event_limit_exceptions"
+./postconf: warning: ./main.cf: support for parameter "virtual_maps" will be removed; instead, specify "virtual_alias_maps"
+./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
diff --git a/postfix/src/postconf/test76.ref b/postfix/src/postconf/test76.ref
index 3e4cd2640..57b5aabfe 100644
--- a/postfix/src/postconf/test76.ref
+++ b/postfix/src/postconf/test76.ref
@@ -7,3 +7,4 @@ smtpd_tls_dh1024_param_file = auto
./postconf: warning: ./main.cf: support for parameter "smtpd_tls_dh1024_param_file" will be removed; instead, do not specify (leave at default)
./postconf: warning: ./main.cf: support for parameter deleted-test-only has been removed; instead, do not specify
./postconf: warning: ./master.cf: support for parameter "smtp_enforce_tls" will be removed; instead, specify "smtp_tls_security_level"
+./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
diff --git a/postfix/src/postconf/test78.ref b/postfix/src/postconf/test78.ref
index 59d171b4a..47741a110 100644
--- a/postfix/src/postconf/test78.ref
+++ b/postfix/src/postconf/test78.ref
@@ -5,3 +5,4 @@ smtp_tls_enforce_peername = yes
./postconf: warning: ./main.cf: support for parameter "lmtp_tls_enforce_peername" will be removed; instead, specify "lmtp_tls_security_level"
./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: ./master.cf: support for parameter "lmtp_tls_enforce_peername" will be removed; instead, specify "lmtp_tls_security_level"
+./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
diff --git a/postfix/src/postqueue/postqueue.c b/postfix/src/postqueue/postqueue.c
index ca8bcd348..6c376416f 100644
--- a/postfix/src/postqueue/postqueue.c
+++ b/postfix/src/postqueue/postqueue.c
@@ -131,6 +131,8 @@
/* .RS
/* .IP \fBaddress\fR
/* One recipient address.
+/* .IP \fBorig_address\fR
+/* One original recipient address.
/* .IP \fBdelay_reason\fR
/* If present, the reason for delayed delivery. Delayed
/* recipients may have no delay reason, for example, while
diff --git a/postfix/src/postqueue/showq_compat.c b/postfix/src/postqueue/showq_compat.c
index f5ca05991..8647034ca 100644
--- a/postfix/src/postqueue/showq_compat.c
+++ b/postfix/src/postqueue/showq_compat.c
@@ -84,6 +84,7 @@ static unsigned long showq_message(VSTREAM *showq_stream)
static VSTRING *queue_name = 0;
static VSTRING *queue_id = 0;
static VSTRING *id_status = 0;
+ static VSTRING *oaddr = 0;
static VSTRING *addr = 0;
static VSTRING *why = 0;
long arrival_time;
@@ -102,6 +103,7 @@ static unsigned long showq_message(VSTREAM *showq_stream)
queue_name = vstring_alloc(100);
queue_id = vstring_alloc(100);
id_status = vstring_alloc(100);
+ oaddr = vstring_alloc(100);
addr = vstring_alloc(100);
why = vstring_alloc(100);
}
@@ -146,9 +148,10 @@ static unsigned long showq_message(VSTREAM *showq_stream)
while ((showq_status = attr_scan_more(showq_stream)) > 0) {
if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT
| ATTR_FLAG_PRINTABLE,
+ RECV_ATTR_STR(MAIL_ATTR_ORCPT, oaddr),
RECV_ATTR_STR(MAIL_ATTR_RECIP, addr),
RECV_ATTR_STR(MAIL_ATTR_WHY, why),
- ATTR_TYPE_END) != 2)
+ ATTR_TYPE_END) != 3)
msg_fatal_status(EX_SOFTWARE, "malformed showq server response");
/*
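Review bot: oaddr is allocated and received in attr_scan(), but none of the visible hunks in showq_compat.c use it afterwards. If it is read only to keep the attribute count in step with the showq server, which now sends three attributes per recipient, a short comment at the `RECV_ATTR_STR(MAIL_ATTR_ORCPT, oaddr)` line saying so would stop a later cleanup from removing it.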
diff --git a/postfix/src/postqueue/showq_json.c b/postfix/src/postqueue/showq_json.c
index a2820dda9..bf55e97d6 100644
--- a/postfix/src/postqueue/showq_json.c
+++ b/postfix/src/postqueue/showq_json.c
@@ -64,6 +64,7 @@ static void format_json(VSTREAM *showq_stream)
{
static VSTRING *queue_name = 0;
static VSTRING *queue_id = 0;
+ static VSTRING *oaddr = 0;
static VSTRING *addr = 0;
static VSTRING *why = 0;
static VSTRING *quote_buf = 0;
@@ -79,6 +80,7 @@ static void format_json(VSTREAM *showq_stream)
if (queue_name == 0) {
queue_name = vstring_alloc(100);
queue_id = vstring_alloc(100);
+ oaddr = vstring_alloc(100);
addr = vstring_alloc(100);
why = vstring_alloc(100);
quote_buf = vstring_alloc(100);
@@ -126,10 +128,13 @@ static void format_json(VSTREAM *showq_stream)
vstream_printf("{");
if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT
| ATTR_FLAG_PRINTABLE,
+ RECV_ATTR_STR(MAIL_ATTR_ORCPT, oaddr),
RECV_ATTR_STR(MAIL_ATTR_RECIP, addr),
RECV_ATTR_STR(MAIL_ATTR_WHY, why),
- ATTR_TYPE_END) != 2)
+ ATTR_TYPE_END) != 3)
msg_fatal_status(EX_SOFTWARE, "malformed showq server response");
+ vstream_printf("\"orig_address\": \"%s\", ",
+ QUOTE_JSON(quote_buf, STR(oaddr)));
vstream_printf("\"address\": \"%s\"",
QUOTE_JSON(quote_buf, STR(addr)));
if (LEN(why) > 0)
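Review bot: Changing the expected count to `!= 3` under ATTR_FLAG_STRICT ties this postqueue to a showq server that sends MAIL_ATTR_ORCPT. A postqueue built from this patch that talks to a showq daemon still running the older code receives two attributes per recipient and ends in msg_fatal_status() with "malformed showq server response". Suggest a sentence in the release notes that the two programs must be updated together, and a note in postqueue(1) that orig_address is a new JSON member that consumers of the output should expect.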
diff --git a/postfix/src/showq/showq.c b/postfix/src/showq/showq.c
index 80e1e89e2..c54a32476 100644
--- a/postfix/src/showq/showq.c
+++ b/postfix/src/showq/showq.c
@@ -171,10 +171,12 @@ static void showq_report(VSTREAM *client, char *queue, char *id,
long msg_size = size;
BOUNCE_LOG *logfile;
HTABLE *dup_filter = 0;
+ VSTRING *orcpt_buf = vstring_alloc(100);
RCPT_BUF *rcpt_buf = 0;
DSN_BUF *dsn_buf = 0;
int sender_seen = 0;
int msg_size_ok = 0;
+ const char *have_orcpt = 0;
/*
* Let the optimizer worry about eliminating duplicate code.
@@ -184,6 +186,7 @@ static void showq_report(VSTREAM *client, char *queue, char *id,
attr_print(client, ATTR_FLAG_NONE, ATTR_TYPE_END); \
vstring_free(buf); \
vstring_free(printable_quoted_addr); \
+ vstring_free(orcpt_buf); \
if (rcpt_buf) \
rcpb_free(rcpt_buf); \
if (dsn_buf) \
@@ -248,6 +251,17 @@ static void showq_report(VSTREAM *client, char *queue, char *id,
STR(printable_quoted_addr)),
ATTR_TYPE_END);
break;
+ case REC_TYPE_ORCP:
+ if (sender_seen == 0) {
+ msg_warn("%s: missing sender address: %s "
+ "-- skipping remainder of this file",
+ id, STR(printable_quoted_addr));
+ SHOWQ_CLEANUP_AND_RETURN;
+ }
+ quote_822_local(orcpt_buf, start);
+ /* For consistency with REC_TYPE_RCPT below. */
+ have_orcpt = printable(STR(orcpt_buf), '?');
+ break;
case REC_TYPE_RCPT:
if (sender_seen == 0) {
msg_warn("%s: missing sender address: %s "
@@ -255,18 +269,24 @@ static void showq_report(VSTREAM *client, char *queue, char *id,
id, STR(printable_quoted_addr));
SHOWQ_CLEANUP_AND_RETURN;
}
- if (*start == 0) /* can't happen? */
+ if (*start == 0) /* non-smtpd case */
start = var_empty_addr;
quote_822_local(printable_quoted_addr, start);
/* For consistency with recipients in bounce logfile. */
printable(STR(printable_quoted_addr), '?');
+ /* For consistency with cleanup server and maildrop messages. */
+ if (have_orcpt == 0)
+ have_orcpt = STR(vstring_strcpy(orcpt_buf,
+ STR(printable_quoted_addr)));
if (dup_filter == 0
|| htable_locate(dup_filter, STR(printable_quoted_addr)) == 0)
attr_print(client, ATTR_FLAG_MORE,
+ SEND_ATTR_STR(MAIL_ATTR_ORCPT, have_orcpt),
SEND_ATTR_STR(MAIL_ATTR_RECIP,
STR(printable_quoted_addr)),
SEND_ATTR_STR(MAIL_ATTR_WHY, ""),
ATTR_TYPE_END);
+ have_orcpt = 0;
break;
case REC_TYPE_MESG:
if (msg_size_ok && vstream_fseek(qfile, msg_size, SEEK_CUR) < 0)
@@ -325,6 +345,7 @@ static void showq_reasons(VSTREAM *client, BOUNCE_LOG *bp, RCPT_BUF *rcpt_buf,
htable_enter(dup_filter, rcpt->address, (void *) 0);
attr_print(client, ATTR_FLAG_MORE,
+ SEND_ATTR_STR(MAIL_ATTR_ORCPT, rcpt->orig_addr),
SEND_ATTR_STR(MAIL_ATTR_RECIP, rcpt->address),
SEND_ATTR_STR(MAIL_ATTR_WHY, dsn->reason),
ATTR_TYPE_END);
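Review bot: showq_reasons() sends `rcpt->orig_addr` as is, while showq_report() above falls back to the recipient address when no original recipient record was seen (`if (have_orcpt == 0)`). If the bounce/defer log entry has an empty original address, delayed recipients will be reported with an empty orig_address while all other recipients get the fallback. Suggest applying the same fallback here, or documenting that orig_address may be empty.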
diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c
index 73d1cd962..028f48c32 100644
--- a/postfix/src/smtp/smtp_tls_policy.c
+++ b/postfix/src/smtp/smtp_tls_policy.c
@@ -187,9 +187,16 @@ int smtp_tls_authorize_mx_hostname(SMTP_TLS_POLICY *tls, const char *name)
} else
#endif
aname = name;
- for (pattp = tls->ext_mx_host_patterns->argv; *pattp; pattp++)
- if (match_sts_mx_host_pattern(*pattp, aname))
+ for (pattp = tls->ext_mx_host_patterns->argv; *pattp; pattp++) {
+ if (match_sts_mx_host_pattern(*pattp, aname)) {
+ if (msg_verbose)
+ msg_info("MX name '%s' matches STS MX pattern for '%s'",
+ aname, tls->ext_policy_domain ? tls->ext_policy_domain : "");
return (1);
+ }
+ }
+ msg_warn("MX name '%s' does not match STS MX pattern for '%s'",
+ aname, tls->ext_policy_domain ? tls->ext_policy_domain : "");
return (0);
}
/* No applicable policy name patterns. */
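Review bot: The no-match path now calls msg_warn() unconditionally, while the match path is gated on msg_verbose. If this function is called once per candidate MX host, a destination with some hosts outside the policy logs a warning per host on every delivery attempt; please confirm that volume is intended, or say so in a comment. The expression `tls->ext_policy_domain ? tls->ext_policy_domain : ""` is also repeated in both calls and could be a local variable.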
diff --git a/postfix/src/smtp/smtp_tlsrpt.c b/postfix/src/smtp/smtp_tlsrpt.c
index b22be52c3..b8af71105 100644
--- a/postfix/src/smtp/smtp_tlsrpt.c
+++ b/postfix/src/smtp/smtp_tlsrpt.c
@@ -312,13 +312,15 @@ static void smtp_tlsrpt_set_ext_policy(SMTP_STATE *state)
if (tls->ext_policy_type == 0)
msg_panic("smtp_tlsrpt_set_ext_policy: no policy type");
+#define ARGV_OR_NULL(ap) ((ap) ? (ap)->argv : 0)
+
switch (policy_type_val =
convert_tlsrpt_policy_type(tls->ext_policy_type)) {
case TLSRPT_POLICY_STS:
trw_set_tls_policy(state->tlsrpt, policy_type_val,
- (const char *const *) tls->ext_policy_strings->argv,
+ (const char *const *) ARGV_OR_NULL(tls->ext_policy_strings),
tls->ext_policy_domain,
- (const char *const *) tls->ext_mx_host_patterns->argv);
+ (const char *const *) ARGV_OR_NULL(tls->ext_mx_host_patterns));
break;
case TLSRPT_NO_POLICY_FOUND:
smtp_tlsrpt_set_no_policy(state);
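Review bot: With ARGV_OR_NULL(), trw_set_tls_policy() can now receive a null pointer for the policy strings or the MX host patterns, and nothing visible here shows that the callee accepts null for those arguments. Please confirm that it does, and add a comment on the macro saying which case leaves these ARGV pointers unset. The loop in smtp_tls_authorize_mx_hostname() (smtp_tls_policy.c, earlier in this patch) still dereferences `tls->ext_mx_host_patterns->argv` directly, so check that its enclosing condition covers the same null case.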
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 5eb6027ce..cef9a4f23 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -546,6 +546,7 @@ static bool tlsp_pre_jail_done;
static int ask_client_cert;
static char *tlsp_pre_jail_client_param_key; /* pre-jail global params */
static char *tlsp_pre_jail_client_init_key; /* pre-jail init props */
+static const char *server_role_disabled;
/*
* TLS per-client status.
@@ -1481,6 +1482,8 @@ static void tlsp_get_request_event(int event, void *context)
case TLS_PROXY_FLAG_ROLE_SERVER:
state->is_server_role = 1;
ready = (tlsp_server_ctx != 0);
+ if (server_role_disabled)
+ msg_warn("%s", server_role_disabled);
break;
default:
state->is_server_role = 0;
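Review bot: The warning is now emitted inside tlsp_get_request_event() for every server-role request, instead of once in pre_jail_init_server(). Where the server role is disabled but clients keep requesting it, this logs one line per request; consider logging it once per process, or state in a comment that the repetition is deliberate.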
@@ -1593,8 +1596,7 @@ static void pre_jail_init_server(void)
}
var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls;
if (!var_tlsp_use_tls) {
- msg_warn("TLS server role is disabled with %s or %s",
- VAR_TLSP_TLS_LEVEL, VAR_TLSP_USE_TLS);
+ server_role_disabled = "TLS server role is disabled by configuration";
return;
}