postfix-3.9-20240118

postfix/HISTORY

@@ -27720,3 +27720,14 @@ Apologies for any names omitted.
 
 	Reverted some changes after postfix-3.9-20240112, and updated
 	documentation.
+
+20240118
+
+	Documentation: Microsoft uses BDAT to send content with
+	bare LF. This violates the canonical MIME format for text
+	messages as required in RFC 3030 section 3, and as defined
+	in RFC 2045 sections 2.7 and 2.8. Files: proto/postconf.proto,
+	RELEASE_NOTES.
+
+	Baseline for back porting the SMTP smuggling fixes to Postfix
+	3.8.5, 3.7.10, 3.6.14, and 3.5.24.

postfix/RELEASE_NOTES

@@ -45,7 +45,7 @@ stray <CR> or <LF> characters.
 This feature applies to all email that Postfix locally or remotely
 sends out. It is not allowlisted based on client identity.
 
-Major changes with snapshot 20240116
+Major changes with snapshot 20240118
 ====================================
 
 This updates Postfix fixes for inbound SMTP smuggling attacks. For
@@ -77,38 +77,52 @@ The recommended Postfix 3.9 settings (i.e. the defaults) are now:
     # Otherwise, allow bare <LF> and process it as if the client sent
     # <CR><LF>.
     #
-    # Exclude local SMTP clients from enforcement.
-    #
     # This maintains compatibility with many legitimate SMTP client
     # applications that send a mix of standard and non-standard line
     # endings, but will fail to receive email from client implementations
-    # that do not send <CR><LF>.<CR><LF>. Such clients need to be
+    # that do not terminate DATA content with the standard End-of-DATA
-    # excluded with smtpd_forbid_bare_newline_exclusions.
+    # sequence <CR><LF>.<CR><LF>.
+    #
+    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+    # The example below allowlists SMTP clients in trusted networks.
     #
     smtpd_forbid_bare_newline = normalize
     smtpd_forbid_bare_newline_exclusions = $mynetworks
 
 Alternative settings:
 
-    # Reject input lines that end in <LF>, require that input lines
+    # Reject input lines that contain <LF> and log a "bare <LF> received"
-    # end in <CR><LF>, and require the standard End-of-DATA sequence
+    # error. Require that input lines end in <CR><LF>, and require the
-    # <CR><LF>.<CR><LF>.
+    # standard End-of-DATA sequence <CR><LF>.<CR><LF>.
     #
-    # Exclude local SMTP clients from enforcement.
+    # This will reject email from SMTP clients that send any non-standard
+    # line endings such as web applications, netcat, or load balancer
+    # health checks.
     #
-    # This will fail to receive email from SMTP clients that send any
+    # This will also reject some email from Microsoft services whose
-    # non-standard line endings such as web applications, netcat, or
+    # BDAT implementations violate the canonical MIME format for text
-    # load balancer health checks. Such clients need to be excluded with
+    # messages required in RFC 3030 Section 3, and defined in RFC 2045
-    # smtpd_forbid_bare_newline_exclusions.
+    # Sections 2.7 and 2.8.
+    #
+    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+    # The example below allowlists SMTP clients in trusted networks.
     #
     smtpd_forbid_bare_newline = reject
     smtpd_forbid_bare_newline_exclusions = $mynetworks
+    #
+    # Alternatively, in the case of BDAT violations, BDAT can be selectively
+    # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+    # disabled with smtpd_discard_ehlo_keywords.
+    #
+    # smtpd_discard_ehlo_keyword_address_maps =
+    #     cidr:{{10.0.0.1/24 chunking, silent-discard}}
+    # smtpd_discard_ehlo_keywords = chunking, silent-discard
 
 Major changes with snapshot 20240106
 ====================================
 
-Inbound SMTP smuggling: strip extra <CR> in <CR><LF>.<CR><CR><LF>,
+Inbound SMTP smuggling: don't strip extra <CR> in <CR><LF>.<CR><CR><LF>,
-to silence some tools that send attack sequences that are not viable.
+to silence test tools that send attack sequences that are not viable.
 Details at https://www.postfix.org/false-smuggling-claims.html
 
 Incompatible changes with snapshot 20231221

postfix/html/postconf.5.html

@@ -15976,21 +15976,28 @@ non-standard <LF>, and process them as if the client sent the
 standard &lt;CR&gt;&lt;LF&gt;. <br> <br> This maintains compatibility
 with many legitimate SMTP client applications that send a mix of
 standard and non-standard line endings, but will fail to receive
-email from client implementations that do not send
+email from client implementations that do not terminate DATA content
-&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Such clients need to be
+with the standard End-of-DATA sequence
-excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
+&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. <br> <br> Such clients
+can be excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
 
 <dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd>
 
 <dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA
 sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Reject a command
-or message content when a line ends in &lt;LF&gt;, log a "bare
+or message content when a line contains bare &lt;LF&gt;, log a "bare
 &lt;LF&gt; received" error, and reply with the SMTP status code in
-$<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>. <br> <br> This will fail
+$<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>. <br> <br> This will reject
-to receive email from SMTP clients that may send any non-standard
+email from SMTP clients that send any non-standard line endings
-line endings such as web applications, netcat, or load balancer
+such as web applications, netcat, or load balancer health checks.
-health checks. Such clients need to be excluded with
+<br> <br> This will also reject some email from Microsoft services
-<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
+whose BDAT implementations violate the canonical MIME format for
+text messages required in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3, and defined in <a href="https://tools.ietf.org/html/rfc2045">RFC</a>
+<a href="https://tools.ietf.org/html/rfc2045">2045</a> Sections 2.7 and 2.8. <br> <br> Such clients can be excluded
+with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> (or, in the case of BDAT
+violations, BDAT can be selectively disabled with
+<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally disabled with
+<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>). </dd>
 
 <dt> <b>no</b> </dt> <dd> Do not require the standard End-of-DATA
 sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Always process
@@ -16002,7 +16009,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
 
 </dl>
 
-<p> Examples: </p>
+<p> Example 1: </p>
 
 <blockquote>
 <pre>
@@ -16010,34 +16017,50 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
 # Otherwise, allow bare &lt;LF&gt; and process it as if the client sent
 # &lt;CR&gt;&lt;LF&gt;.
 #
-# Exclude local SMTP clients from enforcement.
-#
 # This maintains compatibility with many legitimate SMTP client
 # applications that send a mix of standard and non-standard line
 # endings, but will fail to receive email from client implementations
-# that do not send &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Such clients need to be
+# that do not terminate DATA content with the standard End-of-DATA
-# excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
+#
+# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# The example below allowlists SMTP clients in trusted networks.
 #
 <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = normalize
 <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
 </pre>
 </blockquote>
 
+<p> Example 2: </p>
+
 <blockquote>
 <pre>
-# Reject input lines that end in &lt;LF&gt;, require that input lines
+# Reject input lines that contain &lt;LF&gt; and log a "bare &lt;LF&gt; received"
-# end in &lt;CR&gt;&lt;LF&gt;, and require the standard End-of-DATA sequence
+# error. Require that input lines end in &lt;CR&gt;&lt;LF&gt;, and require the
-# &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
+# standard End-of-DATA sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
 #
-# Exclude local SMTP clients from enforcement.
+# This will reject email from SMTP clients that send any non-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
 #
-# This will fail to receive email from SMTP clients that send any
+# This will also reject some email from Microsoft services whose
-# non-standard line endings such as web applications, netcat, or
+# BDAT implementations violate the canonical MIME format for text
-# load balancer health checks. Such clients need to be excluded with
+# messages required in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3, and defined in <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>
-# <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# Sections 2.7 and 2.8.
+#
+# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
+# The example below allowlists SMTP clients in trusted networks.
 #
 <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = reject
 <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally
+# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>.
+#
+# <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> =
+#     <a href="cidr_table.5.html">cidr</a>:{{10.0.0.1/24 chunking, silent-discard}}
+# <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking, silent-discard
 </pre>
 </blockquote>
 

postfix/man/man5/postconf.5

@@ -11049,9 +11049,13 @@ standard <CR><LF>.
 This maintains compatibility
 with many legitimate SMTP client applications that send a mix of
 standard and non\-standard line endings, but will fail to receive
-email from client implementations that do not send
+email from client implementations that do not terminate DATA content
-<CR><LF>.<CR><LF>. Such clients need to be
+with the standard End\-of\-DATA sequence
-excluded with smtpd_forbid_bare_newline_exclusions.
+<CR><LF>.<CR><LF>.
+.br
+.br
+Such clients
+can be excluded with smtpd_forbid_bare_newline_exclusions.
 .br
 .IP "\fByes\fR"
 Compatibility alias for \fBnormalize\fR.
@@ -11059,16 +11063,27 @@ Compatibility alias for \fBnormalize\fR.
 .IP "\fBreject\fR"
 Require the standard End\-of\-DATA
 sequence <CR><LF>.<CR><LF>. Reject a command
-or message content when a line ends in <LF>, log a "bare
+or message content when a line contains bare <LF>, log a "bare
 <LF> received" error, and reply with the SMTP status code in
 $smtpd_forbid_bare_newline_reject_code.
 .br
 .br
-This will fail
+This will reject
-to receive email from SMTP clients that may send any non\-standard
+email from SMTP clients that send any non\-standard line endings
-line endings such as web applications, netcat, or load balancer
+such as web applications, netcat, or load balancer health checks.
-health checks. Such clients need to be excluded with
+.br
-smtpd_forbid_bare_newline_exclusions.
+.br
+This will also reject some email from Microsoft services
+whose BDAT implementations violate the canonical MIME format for
+text messages required in RFC 3030 Section 3, and defined in RFC
+2045 Sections 2.7 and 2.8.
+.br
+.br
+Such clients can be excluded
+with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
+violations, BDAT can be selectively disabled with
+smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
+smtpd_discard_ehlo_keywords).
 .br
 .IP "\fBno\fR"
 Do not require the standard End\-of\-DATA
@@ -11079,7 +11094,7 @@ an Internet\-facing SMTP server, because it is vulnerable to  SMTP smuggling.
 .br
 .br
 .PP
-Examples:
+Example 1:
 .sp
 .in +4
 .nf
@@ -11089,13 +11104,14 @@ Examples:
 # Otherwise, allow bare <LF> and process it as if the client sent
 # <CR><LF>.
 #
-# Exclude local SMTP clients from enforcement.
-#
 # This maintains compatibility with many legitimate SMTP client
 # applications that send a mix of standard and non\-standard line
 # endings, but will fail to receive email from client implementations
-# that do not send <CR><LF>.<CR><LF>. Such clients need to be
+# that do not terminate DATA content with the standard End\-of\-DATA
-# excluded with smtpd_forbid_bare_newline_exclusions.
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
 #
 smtpd_forbid_bare_newline = normalize
 smtpd_forbid_bare_newline_exclusions = $mynetworks
@@ -11103,24 +11119,39 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
 .ad
 .ft R
 .in -4
+.PP
+Example 2:
 .sp
 .in +4
 .nf
 .na
 .ft C
-# Reject input lines that end in <LF>, require that input lines
+# Reject input lines that contain <LF> and log a "bare <LF> received"
-# end in <CR><LF>, and require the standard End\-of\-DATA sequence
+# error. Require that input lines end in <CR><LF>, and require the
-# <CR><LF>.<CR><LF>.
+# standard End\-of\-DATA sequence <CR><LF>.<CR><LF>.
 #
-# Exclude local SMTP clients from enforcement.
+# This will reject email from SMTP clients that send any non\-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
 #
-# This will fail to receive email from SMTP clients that send any
+# This will also reject some email from Microsoft services whose
-# non\-standard line endings such as web applications, netcat, or
+# BDAT implementations violate the canonical MIME format for text
-# load balancer health checks. Such clients need to be excluded with
+# messages required in RFC 3030 Section 3, and defined in RFC 2045
-# smtpd_forbid_bare_newline_exclusions.
+# Sections 2.7 and 2.8.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
 #
 smtpd_forbid_bare_newline = reject
 smtpd_forbid_bare_newline_exclusions = $mynetworks
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+# disabled with smtpd_discard_ehlo_keywords.
+#
+# smtpd_discard_ehlo_keyword_address_maps =
+#     cidr:{{10.0.0.1/24 chunking, silent\-discard}}
+# smtpd_discard_ehlo_keywords = chunking, silent\-discard
 .fi
 .ad
 .ft R

postfix/proto/postconf.proto

@@ -19075,21 +19075,28 @@ non-standard <LF>, and process them as if the client sent the
 standard &lt;CR&gt;&lt;LF&gt;. <br> <br> This maintains compatibility
 with many legitimate SMTP client applications that send a mix of
 standard and non-standard line endings, but will fail to receive
-email from client implementations that do not send
+email from client implementations that do not terminate DATA content
-&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Such clients need to be
+with the standard End-of-DATA sequence
-excluded with smtpd_forbid_bare_newline_exclusions. </dd>
+&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. <br> <br> Such clients
+can be excluded with smtpd_forbid_bare_newline_exclusions. </dd>
 
 <dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd>
 
 <dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA
 sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Reject a command
-or message content when a line ends in &lt;LF&gt;, log a "bare
+or message content when a line contains bare &lt;LF&gt;, log a "bare
 &lt;LF&gt; received" error, and reply with the SMTP status code in
-$smtpd_forbid_bare_newline_reject_code. <br> <br> This will fail
+$smtpd_forbid_bare_newline_reject_code. <br> <br> This will reject
-to receive email from SMTP clients that may send any non-standard
+email from SMTP clients that send any non-standard line endings
-line endings such as web applications, netcat, or load balancer
+such as web applications, netcat, or load balancer health checks.
-health checks. Such clients need to be excluded with
+<br> <br> This will also reject some email from Microsoft services
-smtpd_forbid_bare_newline_exclusions. </dd>
+whose BDAT implementations violate the canonical MIME format for
+text messages required in RFC 3030 Section 3, and defined in RFC
+2045 Sections 2.7 and 2.8. <br> <br> Such clients can be excluded
+with smtpd_forbid_bare_newline_exclusions (or, in the case of BDAT
+violations, BDAT can be selectively disabled with
+smtpd_discard_ehlo_keyword_address_maps, or globally disabled with
+smtpd_discard_ehlo_keywords). </dd>
 
 <dt> <b>no</b> </dt> <dd> Do not require the standard End-of-DATA
 sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Always process
@@ -19101,7 +19108,7 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
 
 </dl>
 
-<p> Examples: </p>
+<p> Example 1: </p>
 
 <blockquote>
 <pre>
@@ -19109,34 +19116,50 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
 # Otherwise, allow bare &lt;LF&gt; and process it as if the client sent
 # &lt;CR&gt;&lt;LF&gt;.
 #
-# Exclude local SMTP clients from enforcement.
-#
 # This maintains compatibility with many legitimate SMTP client
 # applications that send a mix of standard and non-standard line
 # endings, but will fail to receive email from client implementations
-# that do not send &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Such clients need to be
+# that do not terminate DATA content with the standard End-of-DATA
-# excluded with smtpd_forbid_bare_newline_exclusions.
+# sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
 #
 smtpd_forbid_bare_newline = normalize
 smtpd_forbid_bare_newline_exclusions = $mynetworks
 </pre>
 </blockquote>
 
+<p> Example 2: </p>
+
 <blockquote>
 <pre>
-# Reject input lines that end in &lt;LF&gt;, require that input lines
+# Reject input lines that contain &lt;LF&gt; and log a "bare &lt;LF&gt; received"
-# end in &lt;CR&gt;&lt;LF&gt;, and require the standard End-of-DATA sequence
+# error. Require that input lines end in &lt;CR&gt;&lt;LF&gt;, and require the
-# &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
+# standard End-of-DATA sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
 #
-# Exclude local SMTP clients from enforcement.
+# This will reject email from SMTP clients that send any non-standard
+# line endings such as web applications, netcat, or load balancer
+# health checks.
 #
-# This will fail to receive email from SMTP clients that send any
+# This will also reject some email from Microsoft services whose
-# non-standard line endings such as web applications, netcat, or
+# BDAT implementations violate the canonical MIME format for text
-# load balancer health checks. Such clients need to be excluded with
+# messages required in RFC 3030 Section 3, and defined in RFC 2045
-# smtpd_forbid_bare_newline_exclusions.
+# Sections 2.7 and 2.8.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
 #
 smtpd_forbid_bare_newline = reject
 smtpd_forbid_bare_newline_exclusions = $mynetworks
+#
+# Alternatively, in the case of BDAT violations, BDAT can be selectively
+# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+# disabled with smtpd_discard_ehlo_keywords.
+#
+# smtpd_discard_ehlo_keyword_address_maps =
+#     cidr:{{10.0.0.1/24 chunking, silent-discard}}
+# smtpd_discard_ehlo_keywords = chunking, silent-discard
 </pre>
 </blockquote>
 

postfix/proto/stop

@@ -1592,3 +1592,5 @@ netcat
 probers
 lf
 EOD
+chunking
+allowlists

postfix/proto/stop.double-install-proto-text

@@ -41,3 +41,4 @@ root  root you
 virtual  virtual alias domain anything right hand content does not matter 
  skipping unexpected LF LF in DATA from 
 Inbound SMTP smuggling strip extra CR in CR LF CR CR LF 
+Inbound SMTP smuggling don t strip extra CR in CR LF CR CR LF 

postfix/proto/stop.double-proto-html

@@ -346,4 +346,7 @@ query_filter mailacceptinggeneralid s maildrop maildrop maildrop owner cn root d
  dt b a name check_address_map check_address_map a i a href DATABASE_README html type table a i b dt 
  PARAM postscreen_dnsbl_max_ttl postscreen_dnsbl_ttl postscreen_dnsbl_ttl 1 h
 standard lt CR gt lt LF gt br br This maintains compatibility
- smtpd_forbid_bare_newline_reject_code br br This will fail
+ lt CR gt lt LF gt lt CR gt lt LF gt br br Such clients
+ smtpd_forbid_bare_newline_reject_code br br This will reject
+ br br This will also reject some email from Microsoft services
+2045 Sections 2 7 and 2 8 br br Such clients can be excluded

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20240116"
+#define MAIL_RELEASE_DATE	"20240118"
 #define MAIL_VERSION_NUMBER	"3.9"
 
 #ifdef SNAPSHOT