From 3a6f05e1610e087a8ad5d2ed2c2aa61bc251d428 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Sun, 1 Jul 2018 00:00:00 -0500 Subject: [PATCH] postfix-3.4-20180701 --- postfix/HISTORY | 7 +++++++ postfix/README_FILES/TLS_README | 8 ++++---- postfix/RELEASE_NOTES | 30 +++++++++++++++++++++--------- postfix/html/TLS_README.html | 8 ++++---- postfix/proto/TLS_README.html | 8 ++++---- postfix/src/global/mail_version.h | 2 +- postfix/src/tlsproxy/tlsproxy.c | 1 + 7 files changed, 42 insertions(+), 22 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 8a85899c0..d57fd3152 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -23587,3 +23587,10 @@ Apologies for any names omitted. Documentation: the connection caching limitation for SMTP over TLS is now obsolete. File: proto/CONNECTION_CACHE_README.html. + +20180701 + + Incompatibility: the tlsproxy(8) daemon now requires a zero + process limit in master.cf (this setting is provided with + the default master.cf file). See RELEASE_NOTES for how to + change the tlsproxy process limit. File: tlsproxy/tlsproxy.c. diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index 68e0157d1..da171258c 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README 
@@ -1436,10 +1436,10 @@ Example: CClliieenntt--ssiiddee TTLLSS ccoonnnneeccttiioonn rreeuussee Historically, the Postfix SMTP client has supported multiple deliveries per -connection only for plaintext connections. Postfix 3.4 introduces the ability -to make multiple deliveries per TLS-encrypted connection. This is primarily to -improve mail delivery performance for destinations that throttle clients when -they don't combine deliveries. +plaintext connection. Postfix 3.4 introduces support for multiple deliveries +per TLS-encrypted connection. Multiple deliveries per connection improve mail +delivery performance, especially for destinations that throttle clients that +don't combine deliveries. To enable multiple deliveries per TLS connection, specify: diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 1020af982..3c429a651 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -25,6 +25,21 @@ more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. +Incompatble change with snapshot 20180701 +========================================= + +To avoid performance loss under load, the tlsproxy(8) daemon now +requires a zero process limit in master.cf (this setting is provided +with the default master.cf file). As tlsproxy(8) processes become +too busy handling TLS connections, more processes will automatically +be added. By default, a tlsproxy(8) process will retire after several +hours. + +To set the tlsproxy process limit to zero: + +# postconf -F tlsproxy/unix/process_limit=0 +# postfix reload + Major changes with snapshot 20180617 ==================================== 
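Review bot: typo in the new RELEASE_NOTES heading, "Incompatble change with snapshot 20180701" should read "Incompatible change with snapshot 20180701" (and the row of "=" under it then needs one more character to match). The paragraph also says tlsproxy(8) now "requires a zero process limit in master.cf" but not what happens when an upgraded system still has a non-zero limit; one sentence stating whether the daemon refuses to start or only logs a warning would spare operators a surprise after "postfix reload". Since a zero process_limit in master.cf means no ceiling on process count, consider also stating what, if anything, bounds the number of tlsproxy(8) processes when "more processes will automatically be added" under a connection flood, so the resource trade-off behind this change is explicit in the notes.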
@@ -38,15 +53,12 @@ main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps. It supports all Postfix TLS security levels including dane and dane-only. -With connection reuse enabled as described above, the Postfix SMTP -client uses the tlsproxy(8) server to encrypt a connection (even under -low-traffic conditions). The tlsproxy(8) service was introduced in -Postfix 2.8, to support STARTTLS in postscreen(8). - -Under high-traffic conditions, the Postfix SMTP client will use the -scache(8) connection cache to store and retrieve open connections. -This part already existed for plaintext SMTP, and it works in the -same way for TLS-encrypted connections. +The implementation of TLS connection reuse relies on the same +scache(8) service as used for delivering plaintext SMTP mail, the +same tlsproxy(8) daemon as used by the postscreen(8) service for +inbound connections, and relies on the same hints from the qmgr(8) +daemon. It reuses the configuration parameters described in +CONNECTION_CACHE_README. The following illustrates how TLS connections are reused: diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index e51923961..d4ddae593 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -1913,10 +1913,10 @@ when the certificate is needed.

Client-side TLS connection reuse

Historically, the Postfix SMTP client has supported multiple -deliveries per connection only for plaintext connections. Postfix -3.4 introduces the ability to make multiple deliveries per TLS-encrypted -connection. This is primarily to improve mail delivery performance -for destinations that throttle clients when they don't combine +deliveries per plaintext connection. Postfix 3.4 introduces support +for multiple deliveries per TLS-encrypted connection. Multiple +deliveries per connection improve mail delivery performance, +especially for destinations that throttle clients that don't combine deliveries.

To enable multiple deliveries per TLS connection, specify:

diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index 0aa8fbe83..cca0630d2 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -1913,10 +1913,10 @@ when the certificate is needed.

Client-side TLS connection reuse

Historically, the Postfix SMTP client has supported multiple -deliveries per connection only for plaintext connections. Postfix -3.4 introduces the ability to make multiple deliveries per TLS-encrypted -connection. This is primarily to improve mail delivery performance -for destinations that throttle clients when they don't combine +deliveries per plaintext connection. Postfix 3.4 introduces support +for multiple deliveries per TLS-encrypted connection. Multiple +deliveries per connection improve mail delivery performance, +especially for destinations that throttle clients that don't combine deliveries.

To enable multiple deliveries per TLS connection, specify:

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 0fff4fc05..f0bc7ae4d 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20180624" +#define MAIL_RELEASE_DATE "20180701" #define MAIL_VERSION_NUMBER "3.4" #ifdef SNAPSHOT diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index dfcf3e0ce..5f57c4e3d 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -1331,6 +1331,7 @@ int main(int argc, char **argv) CA_MAIL_SERVER_SLOW_EXIT(tlsp_drain), CA_MAIL_SERVER_RETIRE_ME, CA_MAIL_SERVER_WATCHDOG(&var_tlsp_watchdog), + CA_MAIL_SERVER_UNLIMITED, 0); }
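Review bot: in the second RELEASE_NOTES hunk (the "@@ -38,15 +53,12 @@" region), the replacement paragraph uses "relies on" twice in one sentence ("relies on the same scache(8) service ..., and relies on the same hints from the qmgr(8) daemon"); drop the second "relies on" so the three-item list reads cleanly. The removed text also made two operational points that the new wording no longer states: that the Postfix SMTP client goes through tlsproxy(8) even under low-traffic conditions, and that scache(8) only comes into play under high-traffic conditions. If that distinction still holds, keep a sentence about it, because it tells an operator which daemon's logs to read when connection reuse misbehaves.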
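Review bot: the added CA_MAIL_SERVER_UNLIMITED line in tlsproxy.c's main() carries no comment, although HISTORY and RELEASE_NOTES describe it as an incompatible change; a short comment beside it along the lines of "requires master.cf process limit 0 to avoid performance loss under load, see RELEASE_NOTES" keeps the reason discoverable in the source rather than only in the release notes. Also, the diffstat lists seven files and none of them is conf/master.cf, while both HISTORY and RELEASE_NOTES say the zero process limit "is provided with the default master.cf file"; worth confirming that the shipped master.cf entry for tlsproxy already has maxproc 0, and otherwise adding that file to this patch.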