diff --git a/postfix/HISTORY b/postfix/HISTORY
index 9bc73d2ce..95abc5ce7 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -27451,3 +27451,30 @@ Apologies for any names omitted.
 	default smtp_tls_dane_insecure_mx_policy setting resulted in
 	unnecessary 'dnssec_probe' warnings, on systems that disable
 	DNSSEC lookups (the default). File: smtp/smtp_addr.c.
+
+20250223
+
+	Documentation: updated link to Dovecot documentation. File:
+	proto/SASL_README.
+
+20250227
+
+	Improved and corrected error messages when converting (host
+	or service) information to (symbolic text, numerical text,
+	or binary) form. File: util/myaddrinfo.c.
+
+20250304
+
+	Bugfix (defect introduced: Postfix 2.3, date 20051222): the
+	Dovecot auth client did not attempt to create a new connection
+	after an I/O error on an existing connection. Reported by
+	Oleksandr Kozmenko. File: xsasl/xsasl_dovecot_server.c.
+
+20250316
+
+	Bugfix (defect introduced: date 19991116): when appending
+	a setting to a main.cf or master.cf file that did not end
+	in a newline character, the "postconf -e" command did not
+	add an extra newline character before appending the new
+	setting, causing information to become garbled. Fix by
+	Michael Tokarev. File: postconf/postconf_edit.c.
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index ce3b89366..d797c66f1 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -178,7 +178,7 @@ later. </p>
 <p> Dovecot is a POP/IMAP server that has its own configuration to
 authenticate POP/IMAP clients. When the Postfix SMTP server uses
 Dovecot SASL, it reuses parts of this configuration.  Consult the
-<a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
+<a href="https://doc.dovecot.org">Dovecot documentation</a> for how
 to configure and operate the Dovecot authentication server.  </p>
 
 <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index 14d959b4c..0904899d5 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -178,7 +178,7 @@ later. </p>
 <p> Dovecot is a POP/IMAP server that has its own configuration to
 authenticate POP/IMAP clients. When the Postfix SMTP server uses
 Dovecot SASL, it reuses parts of this configuration.  Consult the
-<a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
+<a href="https://doc.dovecot.org">Dovecot documentation</a> for how
 to configure and operate the Dovecot authentication server.  </p>
 
 <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 8d79dbcb8..0fd0d5e72 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20250224"
-#define MAIL_VERSION_NUMBER	"3.8.9"
+#define MAIL_RELEASE_DATE	"20250422"
+#define MAIL_VERSION_NUMBER	"3.8.10"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/postfix/src/postconf/postconf_edit.c b/postfix/src/postconf/postconf_edit.c
index 7085acd72..437f2a870 100644
--- a/postfix/src/postconf/postconf_edit.c
+++ b/postfix/src/postconf/postconf_edit.c
@@ -113,8 +113,13 @@ static char *pcf_find_cf_info(VSTRING *buf, VSTREAM *dst)
 static char *pcf_next_cf_line(VSTRING *buf, VSTREAM *src, VSTREAM *dst, int *lineno)
 {
     char   *cp;
+    int     last_char;
 
-    while (vstring_get(buf, src) != VSTREAM_EOF) {
+    while ((last_char = vstring_get(buf, src)) != VSTREAM_EOF) {
+	if (last_char != '\n') {
+	    VSTRING_ADDCH(buf, '\n');
+	    VSTRING_TERMINATE(buf);
+	}
 	if (lineno)
 	    *lineno += 1;
 	if ((cp = pcf_find_cf_info(buf, dst)) != 0)
diff --git a/postfix/src/smtpd/smtpd_peer.c b/postfix/src/smtpd/smtpd_peer.c
index 838af9cb9..468732d30 100644
--- a/postfix/src/smtpd/smtpd_peer.c
+++ b/postfix/src/smtpd/smtpd_peer.c
@@ -217,8 +217,13 @@ static int smtpd_peer_sockaddr_to_hostaddr(SMTPD_STATE *state)
 	 */
 	if ((aierr = sockaddr_to_hostaddr(sa, sa_length, &client_addr,
 					  &client_port, 0)) != 0)
-	    msg_fatal("%s: cannot convert client address/port to string: %s",
-		      myname, MAI_STRERROR(aierr));
+	    msg_fatal("%s: cannot convert client sockaddr type %s length %ld "
+		      "to string: %s", myname,
+#ifdef AF_INET6
+		      sa->sa_family == AF_INET6 ? "AF_INET6" :
+#endif
+		      sa->sa_family == AF_INET ? "AF_INET" : "other",
+		      (long) sa_length, MAI_STRERROR(aierr));
 	state->port = mystrdup(client_port.buf);
 
 	/*
@@ -299,9 +304,15 @@ static int smtpd_peer_sockaddr_to_hostaddr(SMTPD_STATE *state)
 					  state->dest_sockaddr_len,
 					  &server_addr,
 					  &server_port, 0)) != 0)
-	    msg_fatal("%s: cannot convert server address/port to string: %s",
-		      myname, MAI_STRERROR(aierr));
-	/* TODO: convert IPv4-in-IPv6 to IPv4 form. */
+	    /* TODO: convert IPv4-in-IPv6 to IPv4 form. */
+	    msg_fatal("%s: cannot convert server sockaddr type %s length %ld "
+		    "to string: %s", myname,
+#ifdef AF_INET6
+		   state->dest_sockaddr.ss_family == AF_INET6 ? "AF_INET6" :
+#endif
+		      state->dest_sockaddr.ss_family == AF_INET ? "AF_INET" :
+		      "other", (long) state->dest_sockaddr_len,
+		      MAI_STRERROR(aierr));
 	state->dest_addr = mystrdup(server_addr.buf);
 	state->dest_port = mystrdup(server_port.buf);
 
@@ -409,8 +420,8 @@ static void smtpd_peer_hostaddr_to_sockaddr(SMTPD_STATE *state)
 
     if ((aierr = hostaddr_to_sockaddr(state->addr, state->port,
 				      SOCK_STREAM, &res)) != 0)
-	msg_fatal("%s: cannot convert client address/port to string: %s",
-		  myname, MAI_STRERROR(aierr));
+	msg_fatal("%s: cannot convert client address '%s' port '%s' to binary: %s",
+		  myname, state->addr, state->port, MAI_STRERROR(aierr));
     if (res->ai_addrlen > sizeof(state->sockaddr))
 	msg_panic("%s: address length > struct sockaddr_storage", myname);
     memcpy((void *) &(state->sockaddr), res->ai_addr, res->ai_addrlen);
diff --git a/postfix/src/xsasl/xsasl_dovecot_server.c b/postfix/src/xsasl/xsasl_dovecot_server.c
index ac93a2da9..86954ed62 100644
--- a/postfix/src/xsasl/xsasl_dovecot_server.c
+++ b/postfix/src/xsasl/xsasl_dovecot_server.c
@@ -617,6 +617,7 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER *server,
     }
 
     vstring_strcpy(reply, "Connection lost to authentication server");
+    xsasl_dovecot_server_disconnect(server->impl);
     return XSASL_AUTH_TEMP;
 }
 
@@ -705,6 +706,7 @@ int     xsasl_dovecot_server_first(XSASL_SERVER *xp, const char *sasl_method,
 
 	if (i == 1) {
 	    vstring_strcpy(reply, "Can't connect to authentication server");
+	    xsasl_dovecot_server_disconnect(server->impl);
 	    return XSASL_AUTH_TEMP;
 	}
 
@@ -733,6 +735,7 @@ static int xsasl_dovecot_server_next(XSASL_SERVER *xp, const char *request,
 		    "CONT\t%u\t%s\n", server->last_request_id, request);
     if (vstream_fflush(server->impl->sasl_stream) == VSTREAM_EOF) {
 	vstring_strcpy(reply, "Connection lost to authentication server");
+	xsasl_dovecot_server_disconnect(server->impl);
 	return XSASL_AUTH_TEMP;
     }
     return xsasl_dovecot_handle_reply(server, reply);