postfix-3.6.10

2025-08-29 21:27:57 +00:00 · 2023-06-05 00:00:00 -05:00 · 2023-06-05 00:00:00 -05:00 · 0423f332f7
commit 0423f332f7
parent 61905f5c19
28 changed files with 826 additions and 28 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -25896,3 +25896,90 @@ Apologies for any names omitted.
 	return "not found" instead of "error" during the time that
 	all MySQL server connections were turned down after error.
 	Found during code maintenance. File: global/dict_mysql.c.
 20230428
 	Bugfix (defect introduced: Postfix 1.0): the command "postconf
 	.. name=v1 .. name=v2 .." (multiple instances of the same
 	parameter name) created multiple name=value entries with
 	the same parameter name. It now logs a warning and skips
 	the earlier update. Found during code maintenance. File:
 	postconf/postconf_edit.c
 	Bugfix (defect introduced: Postfix 3.3): the command "postconf
 	-M name1/type1='name2 type2 ...'" died with a segmentation
 	violation when the request matched multiple master.cf
 	entries. The master.cf file was not damaged. Problem reported
 	by SATOH Fumiyasu. File: postconf/postconf_master.c.
 20230502
 	Bugfix (defect introduced: Postfix 2.11): the command
 	"postconf -M name1/type1='name2 type2 ...'" could add a
 	service definition to master.cf that conflicted with an
 	already existing service definition. It now replaces all
 	existing service definitions that match the service pattern
 	'name1/type1' or the service name and type in 'name2 type2
 	...' with a single service definition 'name2 type2 ...'.
 	Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
 20230519
 	Bitrot: preliminary support for OpenSSL configuration files,
 	primarily OpenSSL 1.1.1b and later. This introduces new
 	parameters "tls_config_file" and "tls_config_name", which
 	can be used to limit collateral damage from OS distributions
 	that crank up security to 11, increasing the number of
 	plaintext email deliveries. Details are in the postconf(5)
 	manpage under "tls_config_file" and "tls_config_name".
 	Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
 	global/mail_params.h, posttls-finger/posttls-finger.c,
 	smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
 	tls/tls_misc.c, tls/tls_proxy_client_print.c,
 	tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
 	tlsproxy/tlsproxy.c.
 20230523
 	Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
 	configurations. This information is independent from the
 	client or server TLS context, and therefore does not belong
 	in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
 	server uses TLS_CLIENT_PARAMS to report differences between
 	its own global TLS settings, and those from its clients.
 	Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
 	smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
 	tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
 	tls/tls_proxy.h, tlsproxy/tlsproxy.c.
 20230524
 	Cleanup: reverted cosmetic-only changes to minimize the
 	patch footprint for OpenSSL INI file support; updated daemon
 	manpages with the new tls_config_file and tls_config_name
 	configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
 	tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
 20230529
 	Cleanup: made OpenSSL 'default' INI file support error
 	handling consistent with OpenSSL default behavior. Viktor
 	Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
 20230602
 	Backwards compatibility for stable releases that originally
 	had no OpenSSL INI support. Skip the new OpenSSL INI support
 	code, unless the Postfix configuration actually specifies
 	non-default tls_config_xxx settings. File: tls/tls_misc.c.
 	Cleanup: added a multiple initialization guard in the
 	tls_library_init() function, and made an initialization
 	error sticky. File: tls/tls_misc.c.
 20230605
 	Security: new parameter smtpd_forbid_unauth_pipelining
 	(default: no) to disconnect remote SMTP clients that violate
 	RFC 2920 (or 5321) command pipelining constraints. Files:
 	global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -25,6 +25,23 @@ more recent Eclipse Public License 2.0. Recipients can choose to take
 the software under the license of their choice. Those who are more
 comfortable with the IPL can continue with that license.
 Major changes with Postfix 3.6.10
 =================================
 Security: the Postfix SMTP server optionally disconnects remote
 SMTP clients that violate RFC 2920 (or 5321) command pipelining
 constraints. The server replies with "554 5.5.0 Error: SMTP protocol
 synchronization" and logs the unexpected remote SMTP client input.
 Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
 feature is enabled by default in Postfix 3.9 and later.
 Workaround to limit collateral damage from OS distributions that
 crank up security to 11, increasing the number of plaintext email
 deliveries. This introduces basic OpenSSL configuration file support,
 with two new parameters "tls_config_file" and "tls_config_name".
 Details are in the postconf(5) manpage under "tls_config_file" and
 "tls_config_name".
 Major changes - internal protocol identification
 ------------------------------------------------
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@ -668,6 +668,15 @@ SMTP(8)                                                                SMTP(8)
              A  workaround  for implementations that hang Postfix while shut-
              ting down a TLS session, until Postfix times out.
       Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
       <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
              Optional configuration file with baseline OpenSSL settings.
       <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
              The application name passed by Postfix to OpenSSL  library  ini-
              tialization functions.
 <b>OBSOLETE STARTTLS CONTROLS</b>
       The following configuration parameters  exist  for  compatibility  with
       Postfix  versions  before  2.3.  Support for these will be removed in a
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -15296,6 +15296,22 @@ This feature is available in Postfix 2.0 and later.
 </p>
 </DD>
 <DT><b><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a>
 (default: Postfix &ge; 3.9: yes)</b></DT><DD>
 <p> Disconnect remote SMTP clients that violate <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
 command pipelining constraints. The server replies with "554 5.5.0
 Error: SMTP protocol synchronization" and logs the unexpected remote
 SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes"
 to enable. This feature is enabled by default with Postfix &ge;
 3.9.  </p>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
 </DD>
 <DT><b><a name="smtpd_forbidden_commands">smtpd_forbidden_commands</a>
@ -18723,6 +18739,113 @@ backwards compatibility, to avoid breaking certificate verification
 with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
 </DD>
 <DT><b><a name="tls_config_file">tls_config_file</a>
 (default: default)</b></DT><DD>
 <p> Optional configuration file with baseline OpenSSL settings.
 OpenSSL loads any SSL settings found in the configuration file for
 the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
 built-in application name "openssl_conf" when no application name is
 specified, or no corresponding configuration section is present.
 </p>
 <p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
 Postfix) can neither specify an alternative configuration file, nor
 avoid loading the default configuration file.  </p>
 <p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
 </p>
 <dl>
 <dt> <b>default</b> (default) </dt> <dd> Load the system-wide
 "openssl.cnf" configuration file.  </dd>
 <dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
 <dd> This setting disables loading of  the system-wide "openssl.cnf"
 file.  </dd>
 <dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
 <dd> Load the configuration file specified by <i>/absolute-path</i>.
 With this setting it is an error for the file to not contain any
 settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>.  There is no fallback to
 the default "openssl_conf" name. </dd>
 </dl>
 <p> Failures in processing of the built-in default configuration file,
 are silently ignored.  Any errors in loading a non-default configuration
 file are detected by Postfix, and cause TLS support to be disabled.
 </p>
 <p> The OpenSSL configuration file format is not documented here,
 beyond giving two examples. <p>
 <p> Example: Default settings for all applications. </p>
 <blockquote>
 <pre>
 # The name 'openssl_conf' is the default application name
 # The section name to the right of the '=' sign is arbitrary,
 # any name will do, so long as it refers to the desired section.
 #
 # The name 'system_default' selects the settings applied internally
 # by the SSL library as part of SSL object creation.  Applications
 # can then apply any additional settings of their choice.
 #
 # In this example, TLS versions prior to 1.2 are disabled by default.
 #
 openssl_conf = system_wide_settings
 [system_wide_settings]
 ssl_conf = ssl_library_settings
 [ssl_library_settings]
 system_default = initial_ssl_settings
 [initial_ssl_settings]
 MinProtocol = TLSv1.2
 </pre>
 </blockquote>
 <p> Example: Custom settings for an application named "postfix". </p>
 <blockquote>
 <pre>
 # The mapping from an application name to the corresponding configuration
 # section must appear near the top of the file, (in what is sometimes called
 # the "default section") prior to the start of any explicitly named
 # "[sections]".  The named sections can appear in any order and don't nest.
 #
 postfix = postfix_settings
 [postfix_settings]
 ssl_conf = postfix_ssl_settings
 [postfix_ssl_settings]
 system_default = baseline_postfix_settings
 [baseline_postfix_settings]
 MinProtocol = TLSv1
 </pre>
 </blockquote>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
 </DD>
 <DT><b><a name="tls_config_name">tls_config_name</a>
 (default: empty)</b></DT><DD>
 <p> The application name passed by Postfix to OpenSSL library
 initialization functions.  This name is used to select the desired
 configuration "section" in the OpenSSL configuration file specified
 via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter.  When empty, or when the
 selected name is not present in the configuration file, the default
 application name ("openssl_conf") is used as a fallback.  </p>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
 </DD>
 <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@ -668,6 +668,15 @@ SMTP(8)                                                                SMTP(8)
              A  workaround  for implementations that hang Postfix while shut-
              ting down a TLS session, until Postfix times out.
       Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
       <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
              Optional configuration file with baseline OpenSSL settings.
       <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
              The application name passed by Postfix to OpenSSL  library  ini-
              tialization functions.
 <b>OBSOLETE STARTTLS CONTROLS</b>
       The following configuration parameters  exist  for  compatibility  with
       Postfix  versions  before  2.3.  Support for these will be removed in a
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@ -619,6 +619,15 @@ SMTPD(8)                                                              SMTPD(8)
              The email address form that will be used  in  non-debug  logging
              (info, warning, etc.).
       Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
       <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
              Optional configuration file with baseline OpenSSL settings.
       <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
              The  application  name passed by Postfix to OpenSSL library ini-
              tialization functions.
 <b>OBSOLETE STARTTLS CONTROLS</b>
       The  following  configuration  parameters  exist for compatibility with
       Postfix versions before 2.3. Support for these will  be  removed  in  a
@ -921,6 +930,12 @@ SMTPD(8)                                                              SMTPD(8)
              to  send to this service per time unit, regardless of whether or
              not Postfix actually accepts those commands.
       Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
       <b><a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix</b> &gt;<b>= 3.9: yes)</b>
              Disconnect  remote  SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
              command pipelining constraints.
 <b>TARPIT CONTROLS</b>
       When a remote SMTP client makes errors, the  Postfix  SMTP  server  can
       insert  delays  before  responding. This can help to slow down run-away
--- a/postfix/html/tlsproxy.8.html
+++ b/postfix/html/tlsproxy.8.html
@ -150,6 +150,15 @@ TLSPROXY(8)                                                        TLSPROXY(8)
              A  workaround  for implementations that hang Postfix while shut-
              ting down a TLS session, until Postfix times out.
       Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
       <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
              Optional configuration file with baseline OpenSSL settings.
       <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
              The application name passed by Postfix to OpenSSL  library  ini-
              tialization functions.
 <b>STARTTLS SERVER CONTROLS</b>
       These settings are clones of Postfix SMTP server settings.  They  allow
       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -10412,6 +10412,16 @@ The smtpd_expansion_filter value is not subject to Postfix configuration
 parameter $name expansion.
 .PP
 This feature is available in Postfix 2.0 and later.
 .SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes)
 Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
 command pipelining constraints. The server replies with "554 5.5.0
 Error: SMTP protocol synchronization" and logs the unexpected remote
 SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
 to enable. This feature is enabled by default with Postfix >=
 3.9.
 .PP
 This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20.
 .SH smtpd_forbidden_commands (default: CONNECT, GET, POST)
 List of commands that cause the Postfix SMTP server to immediately
 terminate the session with a 221 code. This can be used to disconnect
@ -13122,6 +13132,104 @@ This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
 backwards compatibility, to avoid breaking certificate verification
 with sites that don't use permit_tls_all_clientcerts.
 .SH tls_config_file (default: default)
 Optional configuration file with baseline OpenSSL settings.
 OpenSSL loads any SSL settings found in the configuration file for
 the selected application name (see tls_config_name) or else the
 built\-in application name "openssl_conf" when no application name is
 specified, or no corresponding configuration section is present.
 .PP
 With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
 Postfix) can neither specify an alternative configuration file, nor
 avoid loading the default configuration file.
 .PP
 With OpenSSL 1.1.1b or later, this parameter may be set to one of:
 .IP "\fBdefault\fR (default)"
 Load the system\-wide
 "openssl.cnf" configuration file.
 .br
 .IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)"
 This setting disables loading of  the system\-wide "openssl.cnf"
 file.
 .br
 .IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)"
 Load the configuration file specified by \fI/absolute\-path\fR.
 With this setting it is an error for the file to not contain any
 settings for the selected tls_config_name.  There is no fallback to
 the default "openssl_conf" name.
 .br
 .br
 .PP
 Failures in processing of the built\-in default configuration file,
 are silently ignored.  Any errors in loading a non\-default configuration
 file are detected by Postfix, and cause TLS support to be disabled.
 .PP
 The OpenSSL configuration file format is not documented here,
 beyond giving two examples.
 .PP
 Example: Default settings for all applications.
 .sp
 .in +4
 .nf
 .na
 .ft C
 # The name 'openssl_conf' is the default application name
 # The section name to the right of the '=' sign is arbitrary,
 # any name will do, so long as it refers to the desired section.
 #
 # The name 'system_default' selects the settings applied internally
 # by the SSL library as part of SSL object creation.  Applications
 # can then apply any additional settings of their choice.
 #
 # In this example, TLS versions prior to 1.2 are disabled by default.
 #
 openssl_conf = system_wide_settings
 [system_wide_settings]
 ssl_conf = ssl_library_settings
 [ssl_library_settings]
 system_default = initial_ssl_settings
 [initial_ssl_settings]
 MinProtocol = TLSv1.2
 .fi
 .ad
 .ft R
 .in -4
 .PP
 Example: Custom settings for an application named "postfix".
 .sp
 .in +4
 .nf
 .na
 .ft C
 # The mapping from an application name to the corresponding configuration
 # section must appear near the top of the file, (in what is sometimes called
 # the "default section") prior to the start of any explicitly named
 # "[sections]".  The named sections can appear in any order and don't nest.
 #
 postfix = postfix_settings
 [postfix_settings]
 ssl_conf = postfix_ssl_settings
 [postfix_ssl_settings]
 system_default = baseline_postfix_settings
 [baseline_postfix_settings]
 MinProtocol = TLSv1
 .fi
 .ad
 .ft R
 .in -4
 .PP
 This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20.
 .SH tls_config_name (default: empty)
 The application name passed by Postfix to OpenSSL library
 initialization functions.  This name is used to select the desired
 configuration "section" in the OpenSSL configuration file specified
 via the tls_config_file parameter.  When empty, or when the
 selected name is not present in the configuration file, the default
 application name ("openssl_conf") is used as a fallback.
 .PP
 This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20.
 .SH tls_daemon_random_bytes (default: 32)
 The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 process requests from the \fBtlsmgr\fR(8) server in order to seed its
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@ -603,6 +603,13 @@ Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 .IP "\fBtls_fast_shutdown_enable (yes)\fR"
 A workaround for implementations that hang Postfix while shutting
 down a TLS session, until Postfix times out.
 .PP
 Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
 .IP "\fBtls_config_file (default)\fR"
 Optional configuration file with baseline OpenSSL settings.
 .IP "\fBtls_config_name (empty)\fR"
 The application name passed by Postfix to OpenSSL library
 initialization functions.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@ -548,6 +548,13 @@ Available in Postfix 3.5 and later:
 .IP "\fBinfo_log_address_format (external)\fR"
 The email address form that will be used in non\-debug logging
 (info, warning, etc.).
 .PP
 Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
 .IP "\fBtls_config_file (default)\fR"
 Optional configuration file with baseline OpenSSL settings.
 .IP "\fBtls_config_name (empty)\fR"
 The application name passed by Postfix to OpenSSL library
 initialization functions.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf
@ -808,6 +815,11 @@ Available in Postfix version 3.1 and later:
 The maximal number of AUTH commands that any client is allowed to
 send to this service per time unit, regardless of whether or not
 Postfix actually accepts those commands.
 .PP
 Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
 .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
 Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
 command pipelining constraints.
 .SH "TARPIT CONTROLS"
 .na
 .nf
--- a/postfix/man/man8/tlsproxy.8
+++ b/postfix/man/man8/tlsproxy.8
@ -150,6 +150,13 @@ Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 .IP "\fBtls_fast_shutdown_enable (yes)\fR"
 A workaround for implementations that hang Postfix while shutting
 down a TLS session, until Postfix times out.
 .PP
 Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
 .IP "\fBtls_config_file (default)\fR"
 Optional configuration file with baseline OpenSSL settings.
 .IP "\fBtls_config_name (empty)\fR"
 The application name passed by Postfix to OpenSSL library
 initialization functions.
 .SH "STARTTLS SERVER CONTROLS"
 .na
 .nf
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -548,6 +548,7 @@ while (<>) {
    s;\bsmtpd_etrn_restrictions\b;<a href="postconf.5.html#smtpd_etrn_restrictions">$&</a>;g;
    s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
    s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
    s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
    s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
    s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;
    s;\bsmtpd_helo_restrictions\b;<a href="postconf.5.html#smtpd_helo_restrictions">$&</a>;g;
@ -767,6 +768,8 @@ while (<>) {
    s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
    s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
    s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
    s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g;
    s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g;
    s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
    s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
    s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -18058,3 +18058,114 @@ name-to-port = 1*(service-name "=') port-number
 name or port number. </p>
 <p> This feature is available in Postfix 3.6 and later. </p>
 %PARAM tls_config_name
 <p> The application name passed by Postfix to OpenSSL library
 initialization functions.  This name is used to select the desired
 configuration "section" in the OpenSSL configuration file specified
 via the tls_config_file parameter.  When empty, or when the
 selected name is not present in the configuration file, the default
 application name ("openssl_conf") is used as a fallback.  </p>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
 %PARAM tls_config_file default
 <p> Optional configuration file with baseline OpenSSL settings.
 OpenSSL loads any SSL settings found in the configuration file for
 the selected application name (see tls_config_name) or else the
 built-in application name "openssl_conf" when no application name is
 specified, or no corresponding configuration section is present.
 </p>
 <p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
 Postfix) can neither specify an alternative configuration file, nor
 avoid loading the default configuration file.  </p>
 <p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
 </p>
 <dl>
 <dt> <b>default</b> (default) </dt> <dd> Load the system-wide
 "openssl.cnf" configuration file.  </dd>
 <dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
 <dd> This setting disables loading of  the system-wide "openssl.cnf"
 file.  </dd>
 <dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
 <dd> Load the configuration file specified by <i>/absolute-path</i>.
 With this setting it is an error for the file to not contain any
 settings for the selected tls_config_name.  There is no fallback to
 the default "openssl_conf" name. </dd>
 </dl>
 <p> Failures in processing of the built-in default configuration file,
 are silently ignored.  Any errors in loading a non-default configuration
 file are detected by Postfix, and cause TLS support to be disabled.
 </p>
 <p> The OpenSSL configuration file format is not documented here,
 beyond giving two examples. <p>
 <p> Example: Default settings for all applications. </p>
 <blockquote>
 <pre>
 # The name 'openssl_conf' is the default application name
 # The section name to the right of the '=' sign is arbitrary,
 # any name will do, so long as it refers to the desired section.
 #
 # The name 'system_default' selects the settings applied internally
 # by the SSL library as part of SSL object creation.  Applications
 # can then apply any additional settings of their choice.
 #
 # In this example, TLS versions prior to 1.2 are disabled by default.
 #
 openssl_conf = system_wide_settings
 [system_wide_settings]
 ssl_conf = ssl_library_settings
 [ssl_library_settings]
 system_default = initial_ssl_settings
 [initial_ssl_settings]
 MinProtocol = TLSv1.2
 </pre>
 </blockquote>
 <p> Example: Custom settings for an application named "postfix". </p>
 <blockquote>
 <pre>
 # The mapping from an application name to the corresponding configuration
 # section must appear near the top of the file, (in what is sometimes called
 # the "default section") prior to the start of any explicitly named
 # "[sections]".  The named sections can appear in any order and don't nest.
 #
 postfix = postfix_settings
 [postfix_settings]
 ssl_conf = postfix_ssl_settings
 [postfix_ssl_settings]
 system_default = baseline_postfix_settings
 [baseline_postfix_settings]
 MinProtocol = TLSv1
 </pre>
 </blockquote>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
 %PARAM smtpd_forbid_unauth_pipelining Postfix &ge; 3.9: yes
 <p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
 command pipelining constraints. The server replies with "554 5.5.0
 Error: SMTP protocol synchronization" and logs the unexpected remote
 SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
 to enable. This feature is enabled by default with Postfix &ge;
 3.9.  </p>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@ -2430,6 +2430,10 @@ extern char *var_smtpd_exp_filter;
 #define DEF_SMTPD_PEERNAME_LOOKUP	1
 extern bool var_smtpd_peername_lookup;
 #define VAR_SMTPD_FORBID_UNAUTH_PIPE	"smtpd_forbid_unauth_pipelining"
 #define DEF_SMTPD_FORBID_UNAUTH_PIPE	0
 extern bool var_smtpd_forbid_unauth_pipe;
 /*
  * Heuristic to reject unknown local recipients at the SMTP port.
  */
@ -3313,8 +3317,17 @@ extern bool var_smtp_sender_auth;
 extern bool var_smtp_cname_overr;
 /*
-  * TLS cipherlists
+  * TLS library settings
  */
 #define VAR_TLS_CNF_FILE	"tls_config_file"
 #define DEF_TLS_CNF_FILE	"default"
 extern char *var_tls_cnf_file;
 #define VAR_TLS_CNF_NAME	"tls_config_name"
 #define DEF_TLS_CNF_NAME	""
 extern char *var_tls_cnf_name;
 #define VAR_TLS_HIGH_CLIST	"tls_high_cipherlist"
 #define DEF_TLS_HIGH_CLIST	"aNULL:-aNULL:HIGH:@STRENGTH"
 extern char *var_tls_high_clist;
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20230418"
+#define MAIL_RELEASE_DATE	"20230605"
-#define MAIL_VERSION_NUMBER	"3.6.9"
+#define MAIL_VERSION_NUMBER	"3.6.10"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- a/postfix/src/postconf/postconf_edit.c
+++ b/postfix/src/postconf/postconf_edit.c
@ -192,6 +192,11 @@ void    pcf_edit_main(int mode, int argc, char **argv)
 	} else {
 	    msg_panic("pcf_edit_main: unknown mode %d", mode);
 	}
 	if ((cvalue = htable_find(table, pattern)) != 0) {
 	    msg_warn("ignoring earlier request: '%s = %s'",
 		     pattern, cvalue->value);
 	    htable_delete(table, pattern, myfree);
 	}
 	cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
 	cvalue->value = edit_value;
 	cvalue->found = 0;
@ -459,8 +464,38 @@ void    pcf_edit_master(int mode, int argc, char **argv)
 	    /*
 	     * Match each service pattern.
 	     * 
 	     * Additional care is needed when a request adds or replaces an
 	     * entire service definition, instead of a specific field or
 	     * parameter. Given a command "postconf -M name1/type1='name2
 	     * type2 ...'", where name1 and name2 may differ, and likewise
 	     * for type1 and type2:
 	     * 
 	     * - First, if an existing service definition a) matches the service
 	     * pattern 'name1/type1', or b) matches the name and type in the
 	     * new service definition 'name2 type2 ...', remove the service
 	     * definition.
 	     * 
 	     * - Then, after an a) or b) type match, add a new service
 	     * definition for 'name2 type2 ...', but only after the first
 	     * match.
 	     * 
 	     * - Finally, if a request had no a) or b) type match for any
 	     * master.cf service definition, add a new service definition for
 	     * 'name2 type2 ...'.
 	     */
 	    for (req = edit_reqs; req < edit_reqs + num_reqs; req++) {
 		PCF_MASTER_ENT *tentative_entry = 0;
 		int     use_tentative_entry = 0;
 		/* Additional care for whole service definition requests. */
 		if ((mode & PCF_MASTER_ENTRY) && (mode & PCF_EDIT_CONF)) {
 		    tentative_entry = (PCF_MASTER_ENT *)
 			mymalloc(sizeof(*tentative_entry));
 		    if ((err = pcf_parse_master_entry(tentative_entry,
 						      req->edit_value)) != 0)
 			msg_fatal("%s: \"%s\"", err, req->raw_text);
 		}
 		if (PCF_MATCH_SERVICE_PATTERN(req->service_pattern,
 					      service_name,
 					      service_type)) {
@ -506,18 +541,30 @@ void    pcf_edit_master(int mode, int argc, char **argv)
 			     * Replace entire master.cf entry.
 			     */
 			case PCF_MASTER_ENTRY:
-			    if (new_entry != 0)
+			    if (req->match_count == 1)
-				pcf_free_master_entry(new_entry);
+				use_tentative_entry = 1;
 			    new_entry = (PCF_MASTER_ENT *)
 				mymalloc(sizeof(*new_entry));
 			    if ((err = pcf_parse_master_entry(new_entry,
 						     req->edit_value)) != 0)
 				msg_fatal("%s: \"%s\"", err, req->raw_text);
 			    break;
 			default:
 			    msg_panic("%s: unknown edit mode %d", myname, mode);
 			}
 		    }
 		} else if (tentative_entry != 0
 			 && PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv,
 						      service_name,
 						      service_type)) {
 		    service_name_type_matched = 1;	/* Sticky flag */
 		    req->match_count += 1;
 		    if (req->match_count == 1)
 			use_tentative_entry = 1;
 		}
 		if (tentative_entry != 0) {
 		    if (use_tentative_entry) {
 			if (new_entry != 0)
 			    pcf_free_master_entry(new_entry);
 			new_entry = tentative_entry;
 		    } else {
 			pcf_free_master_entry(tentative_entry);
 		    }
 		}
 	    }
--- a/postfix/src/postconf/postconf_master.c
+++ b/postfix/src/postconf/postconf_master.c
@ -156,6 +156,7 @@
 #include <readlline.h>
 #include <stringops.h>
 #include <split_at.h>
 #include <dict_ht.h>
 /* Global library. */
@ -393,12 +394,12 @@ const char *pcf_parse_master_entry(PCF_MASTER_ENT *masterp, const char *buf)
 	concatenate("ro", PCF_NAMESP_SEP_STR, masterp->name_space, (char *) 0);
    masterp->argv = argv;
    masterp->valid_names = 0;
    masterp->ro_params = dict_ht_open(ro_name_space, O_CREAT | O_RDWR, 0);
    process_name = basename(argv->argv[PCF_MASTER_FLD_CMD]);
-    dict_update(ro_name_space, VAR_PROCNAME, process_name);
+    dict_put(masterp->ro_params, VAR_PROCNAME, process_name);
-    dict_update(ro_name_space, VAR_SERVNAME,
+    dict_put(masterp->ro_params, VAR_SERVNAME,
-		strcmp(process_name, argv->argv[0]) != 0 ?
+	     strcmp(process_name, argv->argv[0]) != 0 ?
-		argv->argv[0] : process_name);
+	     argv->argv[0] : process_name);
    masterp->ro_params = dict_handle(ro_name_space);
    myfree(ro_name_space);
    masterp->all_params = 0;
    return (0);
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@ -569,6 +569,13 @@
 /* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
 /*	A workaround for implementations that hang Postfix while shutting
 /*	down a TLS session, until Postfix times out.
 /* .PP
 /*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
 /* .IP "\fBtls_config_file (default)\fR"
 /*	Optional configuration file with baseline OpenSSL settings.
 /* .IP "\fBtls_config_name (empty)\fR"
 /*	The application name passed by Postfix to OpenSSL library
 /*	initialization functions.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@ -514,6 +514,13 @@
 /* .IP "\fBinfo_log_address_format (external)\fR"
 /*	The email address form that will be used in non-debug logging
 /*	(info, warning, etc.).
 /* .PP
 /*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
 /* .IP "\fBtls_config_file (default)\fR"
 /*	Optional configuration file with baseline OpenSSL settings.
 /* .IP "\fBtls_config_name (empty)\fR"
 /*	The application name passed by Postfix to OpenSSL library
 /*	initialization functions.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
@ -762,6 +769,11 @@
 /*	The maximal number of AUTH commands that any client is allowed to
 /*	send to this service per time unit, regardless of whether or not
 /*	Postfix actually accepts those commands.
 /* .PP
 /*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
 /* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
 /*	Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
 /*	command pipelining constraints.
 /* TARPIT CONTROLS
 /* .ad
 /* .fi
@ -1447,6 +1459,7 @@ char   *var_milt_eod_macros;
 char   *var_milt_unk_macros;
 char   *var_milt_macro_deflts;
 bool    var_smtpd_client_port_log;
 bool    var_smtpd_forbid_unauth_pipe;
 char   *var_stress;
 char   *var_reject_tmpf_act;
@ -5375,6 +5388,32 @@ static SMTPD_CMD smtpd_cmd_table[] = {
 static STRING_LIST *smtpd_noop_cmds;
 static STRING_LIST *smtpd_forbid_cmds;
 /* smtpd_flag_ill_pipelining - flag pipelining protocol violation */
 static int smtpd_flag_ill_pipelining(SMTPD_STATE *state)
 {
    /*
     * This code will not return after I/O error, timeout, or EOF. VSTREAM
     * exceptions must be enabled in advance with smtp_stream_setup().
     */
    if (vstream_peek(state->client) == 0
 	&& peekfd(vstream_fileno(state->client)) > 0)
 	(void) vstream_ungetc(state->client, smtp_fgetc(state->client));
    if (vstream_peek(state->client) > 0) {
 	if (state->expand_buf == 0)
 	    state->expand_buf = vstring_alloc(100);
 	escape(state->expand_buf, vstream_peek_data(state->client),
 	       vstream_peek(state->client) < 100 ?
 	       vstream_peek(state->client) : 100);
 	msg_info("improper command pipelining after %s from %s: %s",
 		 state->where, state->namaddr, STR(state->expand_buf));
 	state->flags |= SMTPD_FLAG_ILL_PIPELINING;
 	return (1);
    }
    return (0);
 }
 /* smtpd_proto - talk the SMTP protocol */
 static void smtpd_proto(SMTPD_STATE *state)
@ -5513,6 +5552,21 @@ static void smtpd_proto(SMTPD_STATE *state)
 	}
 #endif
 	/*
 	 * If the client spoke before the server sends the initial greeting,
 	 * raise a flag and log the content of the protocol violation. This
 	 * check MUST NOT apply to TLS wrappermode connections.
 	 */
 	if (SMTPD_STAND_ALONE(state) == 0
 	    && vstream_context(state->client) == 0	/* not postscreen */
 	    && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
 	    && smtpd_flag_ill_pipelining(state)
 	    && var_smtpd_forbid_unauth_pipe) {
 	    smtpd_chat_reply(state,
 			  "554 5.5.0 Error: SMTP protocol synchronization");
 	    break;
 	}
 	/*
 	 * XXX The client connection count/rate control must be consistent in
 	 * its use of client address information in connect and disconnect
@ -5740,16 +5794,11 @@ static void smtpd_proto(SMTPD_STATE *state)
 		&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
 		    || (cmdp->flags & SMTPD_CMD_FLAG_LAST))
 		&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
-		&& (vstream_peek(state->client) > 0
+		&& smtpd_flag_ill_pipelining(state)
-		    || peekfd(vstream_fileno(state->client)) > 0)) {
+		&& var_smtpd_forbid_unauth_pipe) {
-		if (state->expand_buf == 0)
+		smtpd_chat_reply(state,
-		    state->expand_buf = vstring_alloc(100);
+			  "554 5.5.0 Error: SMTP protocol synchronization");
-		escape(state->expand_buf, vstream_peek_data(state->client),
+		break;
 		       vstream_peek(state->client) < 100 ?
 		       vstream_peek(state->client) : 100);
 		msg_info("improper command pipelining after %s from %s: %s",
 			 cmdp->name, state->namaddr, STR(state->expand_buf));
 		state->flags |= SMTPD_FLAG_ILL_PIPELINING;
 	    }
 	    if (cmdp->action(state, argc, argv) != 0)
 		state->error_count++;
@ -6412,6 +6461,7 @@ int     main(int argc, char **argv)
 	VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
 	VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
 	VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
 	VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
 	0,
    };
    static const CONFIG_NBOOL_TABLE nbool_table[] = {
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@ -76,6 +76,7 @@ extern const char *str_tls_level(int);
 #include <openssl/crypto.h>		/* Legacy SSLEAY_VERSION_NUMBER */
 #include <openssl/opensslv.h>		/* OPENSSL_VERSION_NUMBER */
 #include <openssl/ssl.h>
 #include <openssl/conf.h>
 /* Appease indent(1) */
 #define x509_stack_t STACK_OF(X509)
@ -311,6 +312,7 @@ extern void tls_free_app_context(TLS_APPL_STATE *);
  * tls_misc.c
  */
 extern void tls_param_init(void);
 extern int tls_library_init(void);
 /*
  * Protocol selection.
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@ -640,6 +640,13 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
     */
    tls_check_version();
    /*
     * Initialize the OpenSSL library, possibly loading its configuration
     * file.
     */
    if (tls_library_init() == 0)
 	return (0);
    /*
     * Create an application data index for SSL objects, so that we can
     * attach TLScontext information; this information is needed inside
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@ -29,6 +29,8 @@
 /*	#define TLS_INTERNAL
 /*	#include <tls.h>
 /*
 /*	char	*var_tls_cnf_file;
 /*	char	*var_tls_cnf_name;
 /*	char	*var_tls_high_clist;
 /*	char	*var_tls_medium_clist;
 /*	char	*var_tls_low_clist;
@ -69,6 +71,8 @@
 /*
 /*	void	tls_param_init()
 /*
 /*	int     tls_library_init(void)
 /*
 /*	int	tls_proto_mask_lims(plist, floor, ceiling)
 /*	const char *plist;
 /*	int	*floor;
@ -155,6 +159,9 @@
 /*	tls_param_init() loads main.cf parameters used internally in
 /*	TLS library. Any errors are fatal.
 /*
 /*	tls_library_init() initializes the OpenSSL library, optionally
 /*	loading an OpenSSL configuration file.
 /*
 /*	tls_pre_jail_init() opens any tables that need to be opened before
 /*	entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
 /*	for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
@ -274,6 +281,8 @@
 /*
  * Tunable parameters.
  */
 char   *var_tls_cnf_file;
 char   *var_tls_cnf_name;
 char   *var_tls_high_clist;
 char   *var_tls_medium_clist;
 char   *var_tls_low_clist;
@ -642,6 +651,8 @@ void    tls_param_init(void)
 {
    /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
    static const CONFIG_STR_TABLE str_table[] = {
 	VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
 	VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
 	VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
 	VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
 	VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
@ -685,6 +696,118 @@ void    tls_param_init(void)
    get_mail_conf_bool_table(bool_table);
 }
 /* tls_library_init - perform OpenSSL library initialization */
 int     tls_library_init(void)
 {
    OPENSSL_INIT_SETTINGS *init_settings;
    char   *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
    char   *conf_file = 0;
    unsigned long init_opts = 0;
 #define TLS_LIB_INIT_TODO	(-1)
 #define TLS_LIB_INIT_ERR	(0)
 #define TLS_LIB_INIT_OK		(1)
    static int init_res = TLS_LIB_INIT_TODO;
    if (init_res != TLS_LIB_INIT_TODO)
 	return (init_res);
    /*
     * Backwards compatibility: skip this function unless the Postfix
     * configuration actually has non-default tls_config_xxx settings.
     */
    if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0
 	&& strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) {
 	if (msg_verbose)
 	    msg_info("tls_library_init: using backwards-compatible defaults");
 	return (init_res = TLS_LIB_INIT_OK);
    }
    if ((init_settings = OPENSSL_INIT_new()) == 0) {
 	msg_warn("error allocating OpenSSL init settings, "
 		 "disabling TLS support");
 	return (init_res = TLS_LIB_INIT_ERR);
    }
 #define TLS_LIB_INIT_RETURN(x) \
    do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
 #if OPENSSL_VERSION_NUMBER < 0x1010102fL
    /*
     * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
     * files, disabling loading of the file, or getting strict error
     * handling.  Thus, the only supported configuration file is "default".
     */
    if (strcmp(var_tls_cnf_file, "default") != 0) {
 	msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
 	       "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
 	TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
    }
 #else
    {
 	unsigned long file_flags = 0;
 	/*-
 	 * OpenSSL 1.1.1b or later:
 	 * We can now use a non-default configuration file, or
 	 * use none at all.  We can also request strict error
 	 * reporting.
 	 */
 	if (strcmp(var_tls_cnf_file, "none") == 0) {
 	    init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
 	} else if (strcmp(var_tls_cnf_file, "default") == 0) {
 	    /*
 	     * The default global config file is optional.  With "default"
 	     * initialisation we don't insist on a match for the requested
 	     * application name, allowing fallback to the default application
 	     * name, even when a non-default application name is specified.
 	     * Errors in loading the default configuration are ignored.
 	     */
 	    conf_file = 0;
 	    file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
 	    file_flags |= CONF_MFLAGS_DEFAULT_SECTION;
 	    file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT;
 	} else if (*var_tls_cnf_file == '/') {
 	    /*
 	     * A custom config file must be present, error reporting is
 	     * strict and the configuration section for the requested
 	     * application name does not fall back to "openssl_conf" when
 	     * missing.
 	     */
 	    conf_file = var_tls_cnf_file;
 	} else {
 	    msg_warn("non-default %s = %s is not an absolute pathname, "
 	       "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
 	    TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
 	}
 	OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
    }
 #endif
    if (conf_file)
 	OPENSSL_INIT_set_config_filename(init_settings, conf_file);
    if (conf_name)
 	OPENSSL_INIT_set_config_appname(init_settings, conf_name);
    if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
 	if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
 	    msg_warn("error loading the '%s' settings from the %s OpenSSL "
 		     "configuration file, disabling TLS support",
 		     conf_name ? conf_name : "global",
 		     conf_file ? conf_file : "default");
 	else
 	    msg_warn("error initializing the OpenSSL library, "
 		     "disabling TLS support");
 	tls_print_errors();
 	TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
    }
    TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK);
 }
 /* tls_pre_jail_init - Load TLS related pre-jail tables */
 void    tls_pre_jail_init(TLS_ROLE role)
--- a/postfix/src/tls/tls_proxy.h
+++ b/postfix/src/tls/tls_proxy.h
@ -44,6 +44,8 @@
  * VAR_TLS_SERVER_SNI_MAPS.
  */
 typedef struct TLS_CLIENT_PARAMS {
    char   *tls_cnf_file;
    char   *tls_cnf_name;
    char   *tls_high_clist;
    char   *tls_medium_clist;
    char   *tls_low_clist;
@ -65,12 +67,13 @@ typedef struct TLS_CLIENT_PARAMS {
 } TLS_CLIENT_PARAMS;
 #define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
-    a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
+    a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \
    (((params)->a1), ((params)->a2), ((params)->a3), \
    ((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
    ((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
    ((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
-    ((params)->a16), ((params)->a17), ((params)->a18))
+    ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \
    ((params)->a20))
 /*
  * tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
@ -217,6 +220,8 @@ extern void tls_proxy_server_start_free(TLS_SERVER_START_PROPS *);
 /*
  * TLS_CLIENT_INIT_PROPS attributes.
  */
 #define TLS_ATTR_CNF_FILE	"config_file"
 #define TLS_ATTR_CNF_NAME	"config_name"
 #define TLS_ATTR_LOG_PARAM	"log_param"
 #define TLS_ATTR_LOG_LEVEL	"log_level"
 #define TLS_ATTR_VERIFYDEPTH	"verifydepth"
--- a/postfix/src/tls/tls_proxy_client_misc.c
+++ b/postfix/src/tls/tls_proxy_client_misc.c
@ -78,6 +78,8 @@
 TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
 {
    TLS_PROXY_PARAMS(params,
 		     tls_cnf_file = var_tls_cnf_file,
 		     tls_cnf_name = var_tls_cnf_name,
 		     tls_high_clist = var_tls_high_clist,
 		     tls_medium_clist = var_tls_medium_clist,
 		     tls_low_clist = var_tls_low_clist,
--- a/postfix/src/tls/tls_proxy_client_print.c
+++ b/postfix/src/tls/tls_proxy_client_print.c
@ -95,6 +95,8 @@ int     tls_proxy_client_param_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
 	msg_info("begin tls_proxy_client_param_print");
    ret = print_fn(fp, flags | ATTR_FLAG_MORE,
 		   SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
 		   SEND_ATTR_STR(TLS_ATTR_CNF_NAME,  params->tls_cnf_name),
 		   SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
 		   SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
 				 params->tls_medium_clist),
--- a/postfix/src/tls/tls_proxy_client_scan.c
+++ b/postfix/src/tls/tls_proxy_client_scan.c
@ -121,6 +121,8 @@
 void    tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
 {
    myfree(params->tls_cnf_file);
    myfree(params->tls_cnf_name);
    myfree(params->tls_high_clist);
    myfree(params->tls_medium_clist);
    myfree(params->tls_low_clist);
@ -145,6 +147,8 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
    TLS_CLIENT_PARAMS *params
    = (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
    int     ret;
    VSTRING *cnf_file = vstring_alloc(25);
    VSTRING *cnf_name = vstring_alloc(25);
    VSTRING *tls_high_clist = vstring_alloc(25);
    VSTRING *tls_medium_clist = vstring_alloc(25);
    VSTRING *tls_low_clist = vstring_alloc(25);
@ -167,6 +171,8 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
     */
    memset(params, 0, sizeof(*params));
    ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
 		  RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
 		  RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
 		  RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
 		  RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
 		  RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist),
@ -192,6 +198,8 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 				&params->tls_multi_wildcard),
 		  ATTR_TYPE_END);
    /* Always construct a well-formed structure. */
    params->tls_cnf_file = vstring_export(cnf_file);
    params->tls_cnf_name = vstring_export(cnf_name);
    params->tls_high_clist = vstring_export(tls_high_clist);
    params->tls_medium_clist = vstring_export(tls_medium_clist);
    params->tls_low_clist = vstring_export(tls_low_clist);
@ -206,7 +214,7 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
    params->tls_mgr_service = vstring_export(tls_mgr_service);
    params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
-    ret = (ret == 18 ? 1 : -1);
+    ret = (ret == 20 ? 1 : -1);
    if (ret != 1) {
 	tls_proxy_client_param_free(params);
 	params = 0;
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@ -370,6 +370,13 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     */
    tls_check_version();
    /*
     * Initialize the OpenSSL library, possibly loading its configuration
     * file.
     */
    if (tls_library_init() == 0)
 	return (0);
    /*
     * First validate the protocols. If these are invalid, we can't continue.
     */
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@ -134,6 +134,13 @@
 /* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
 /*	A workaround for implementations that hang Postfix while shutting
 /*	down a TLS session, until Postfix times out.
 /* .PP
 /*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
 /* .IP "\fBtls_config_file (default)\fR"
 /*	Optional configuration file with baseline OpenSSL settings.
 /* .IP "\fBtls_config_name (empty)\fR"
 /*	The application name passed by Postfix to OpenSSL library
 /*	initialization functions.
 /* STARTTLS SERVER CONTROLS
 /* .ad
 /* .fi