From 02ec7249797eb14b58ae8dd7743b6a8d3ce38539 Mon Sep 17 00:00:00 2001
From: Wietse Z Venema <wietse@porcupine.org>
Date: Tue, 25 Nov 2025 00:00:00 -0500
Subject: [PATCH] postfix-3.8.13

---
 postfix/HISTORY                      | 12 ++++++++++++
 postfix/html/postconf.5.html         |  4 ----
 postfix/man/man5/postconf.5          |  4 ----
 postfix/proto/postconf.proto         |  4 ----
 postfix/src/global/mail_version.h    |  4 ++--
 postfix/src/postconf/postconf_edit.c |  6 ++++--
 6 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 025b04fb5..3dfa54331 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -27585,3 +27585,15 @@ Apologies for any names omitted.
 	with "database X is older than source file Y". Files:
 	util/dict.c, util/dict_db.c, util/dict_dbm.c, util/dict_lmdb.c,
 	util/dict_sdbm.c.
+
+20251028
+
+	Documentation: removed incorrect text from the parameter
+	description for smtp_cname_overrides_servername. File:
+	proto/postconf.proto.
+
+20251120
+
+	Bugfix (defect introduced: Postfix 2.9, date: 20120307):
+	segfault with duplicate parameter name in "postconf -X" or
+	"postconf -#'. File: postconf/postconf_edit.c.
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 6a6a6f197..d8288bcf3 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -11023,10 +11023,6 @@ false hostname information in DNS CNAME records, and makes SASL
 password file lookups more predictable. This is the default setting
 as of Postfix 2.3. </p>
 
-<p> When DNS CNAME records are validated with secure DNS lookups
-(<a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> = dnssec), they are always allowed to
-override the above servername (Postfix 2.11 and later). </p>
-
 <p> This feature is available in Postfix 2.2.9 and later. </p>
 
 
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index e88eb6d0e..a05e97325 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -7031,10 +7031,6 @@ false hostname information in DNS CNAME records, and makes SASL
 password file lookups more predictable. This is the default setting
 as of Postfix 2.3.
 .PP
-When DNS CNAME records are validated with secure DNS lookups
-(smtp_dns_support_level = dnssec), they are always allowed to
-override the above servername (Postfix 2.11 and later).
-.PP
 This feature is available in Postfix 2.2.9 and later.
 .SH smtp_connect_timeout (default: 30s)
 The Postfix SMTP client time limit for completing a TCP connection, or
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 54346ba8a..3958edbd3 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -11172,10 +11172,6 @@ false hostname information in DNS CNAME records, and makes SASL
 password file lookups more predictable. This is the default setting
 as of Postfix 2.3. </p>
 
-<p> When DNS CNAME records are validated with secure DNS lookups
-(smtp_dns_support_level = dnssec), they are always allowed to
-override the above servername (Postfix 2.11 and later). </p>
-
 <p> This feature is available in Postfix 2.2.9 and later. </p>
 
 %PARAM lmtp_cname_overrides_servername yes
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 101c8d2d5..cc90befbf 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20251026"
-#define MAIL_VERSION_NUMBER	"3.8.12"
+#define MAIL_RELEASE_DATE	"20251125"
+#define MAIL_VERSION_NUMBER	"3.8.13"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/postfix/src/postconf/postconf_edit.c b/postfix/src/postconf/postconf_edit.c
index 642965817..2808290bf 100644
--- a/postfix/src/postconf/postconf_edit.c
+++ b/postfix/src/postconf/postconf_edit.c
@@ -209,8 +209,10 @@ void    pcf_edit_main(int mode, int argc, char **argv)
 	    msg_panic("pcf_edit_main: unknown mode %d", mode);
 	}
 	if ((cvalue = htable_find(table, pattern)) != 0) {
-	    msg_warn("ignoring earlier request: '%s = %s'",
-		     pattern, cvalue->value);
+	    if (edit_value && cvalue->value 
+		&& strcmp(edit_value, cvalue->value) != 0)
+		msg_warn("ignoring earlier request: '%s = %s'",
+			 pattern, cvalue->value);
 	    htable_delete(table, pattern, myfree);
 	}
 	cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
-- 
2.47.3