[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.5.html]
Fixes for Postfix 3.10 only:
Workaround for an interface mismatch between the Postfix SMTP client and MTA-STS policy plugins.
The existing behavior is to connect to any MX host listed in DNS, and to match the server certificate against any STS policy MX host pattern.
The corrected behavior is to connect to an MX host only if its name matches any STS policy MX host pattern, and to match the server certificate against the MX hostname.
The corrected behavior must be enabled in two places: in Postfix with a new parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in an MTA-STS plugin by enabling TLSRPT support, so that the plugin forwards STS policy attributes to Postfix. This works even if Postfix TLSRPT support is disabled at build time or at runtime.
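The difference between the existing and the corrected MX selection, as an added sketch in Python that is not Postfix source code. The pattern matching follows the wildcard rule of RFC 8461 section 4.1; the function names and the sample hosts are constructed for illustration.

```python
# Added illustration; not Postfix source code. Names are hypothetical.

def mx_matches(host, pattern):
    """RFC 8461 section 4.1 style match: exact name, or a '*.' wildcard
    covering exactly one left-most label. Comparison is case-insensitive."""
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # e.g. ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label
    return host == pattern


def select_mx(dns_mx_hosts, sts_mx_patterns):
    """Corrected behavior: keep only MX hosts whose name matches an STS
    policy pattern; the certificate is then checked against that MX name."""
    plan = []
    for host in dns_mx_hosts:
        if any(mx_matches(host, p) for p in sts_mx_patterns):
            plan.append({"connect": host, "cert_must_match": [host]})
    return plan


def select_mx_previous(dns_mx_hosts, sts_mx_patterns):
    """Existing behavior as described above: connect to every MX host in DNS
    and accept a certificate that matches any STS policy pattern."""
    return [{"connect": h, "cert_must_match": list(sts_mx_patterns)}
            for h in dns_mx_hosts]


# Constructed sample data (not from the announcement).
DNS_MX = ["mx1.example.com", "mx.unlisted.example.net", "a.b.example.com"]
STS_PATTERNS = ["*.example.com", "backup.example.org"]

if __name__ == "__main__":
    for entry in select_mx_previous(DNS_MX, STS_PATTERNS):
        print("existing :", entry)
    for entry in select_mx(DNS_MX, STS_PATTERNS):
        print("corrected:", entry)
```

With the sample data, the corrected selection keeps only mx1.example.com and pins the certificate check to that name, while the existing selection attempts all three DNS MX hosts.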
TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found", pretend that the TLSRPT policy domain value is equal to the recipient domain. This ignores that different policy types (TLSA, STS) use different policy domains. But this is what Microsoft does, and therefore, what other tools expect.
Fixes for Postfix 3.10, 3.9, 3.8, 3.7:
Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's connection reuse logic did not distinguish between sessions that require SMTPUTF8 support, and sessions that do not. The solution is 1) to store sessions with different SMTPUTF8 requirements under distinct connection cache storage keys, and 2) to not cache a connection when SMTPUTF8 is required but the server does not support that feature.
Bugfix (defect introduced: Postfix 3.0, date 20140731): the smtpd 'disconnect' command statistics did not count commands with "bad syntax" and "bad UTF-8 syntax" errors.
Bugfix: the August 2025 patch broke DBM library support, which is still needed on Solaris; the same change could also result in warnings with "database X is older than source file Y".
Postfix 3.11 forward compatibility: to avoid ugly warnings when Postfix 3.11 is rolled back to an older version, allow a preliminary 'size' record in maildrop queue files created with Postfix 3.11 or later.
Bugfix (defect introduced: Postfix 3.8, date 20220128): non-reproducible build, because the 'postconf -e' output order for new main.cf entries was no longer deterministic. Problem reported by Oleksandr Natalenko, diagnosis by Eray Aslan.
To make builds predictable, add missing meta_directory and shlib_directory settings to the stock main.cf file. Problem diagnosed by Eray Aslan.
Fixes for Postfix 3.10, 3.9, 3.8:
Bugfix (defect introduced: Postfix 3.9, date 20230517): posttls-finger(1) logged an incorrectly-formatted port number. Viktor Dukhovni.
You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.