diff --git a/postfix/HISTORY b/postfix/HISTORY
index 91f24ead4..ec424051e 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -28637,3 +28637,66 @@ Apologies for any names omitted.
 	datagram-based spawn(8) service. It was too difficult to
 	enforce that processes terminate as expected after "postfix
 	reload" etc. File: spawn/spawn.c.
+
+20241205
+
+	Portability: include <sys_socket.h> for a SUNOS5 workaround.
+	Gary R. Schmidt. File: util/peekfd.c.
+
+20241210
+
+	Documentation: ESMTP parameters that are supported in Milter
+	requests to change the envelope sender address, or to add
+	an envelope recipient address. File: proto/MILTER_README.html.
+
+20241213
+
+	Bugfix (defect introduced Postfix 3.1 date 20150523): makedefs did
+	not handle Major release version of zero. Michael Tokarev. File:
+	makedefs.
+
+	Portability: changed the closefrom() result type from 'int'
+	to 'void', for compatibility with systems that have a
+	closefrom() implementation that we don't want to use.
+	Michael Tokarev. Files: util/sys_defs.h, util/sys_compat.c.
+
+20241214
+
+	Documentation: updated the postlog(1) manpage text for
+	logging to the standard error stream. File postlog/postlog.c.
+
+20241226
+
+	Bit rot: The Postfix code for logging the TLS group wasn't
+	quite right. Instead of the TLS group name, it logged the
+	underlying public key algorithm name. These names may differ
+	when some of the newer constructs are used. Viktor Dukhovni.
+	File: tls/tls_misc.c.
+
+20241230
+
+	Bugfix (defect introduced: Postfix 3.3, date 20180107) small
+	memory leak in the cleanup daemon when generating a "From:
+	full-name <addr-spec>" message header. The impact is limited
+	because the number of requests is bounded by the "max_use"
+	configuration parameter. Found during code maintenance.
+	File: cleanup/cleanup_message.c.
+
+20250101
+
+	Wietse added -DNO_CLOSEFROM support to make the change
+	20241213 easily testable, and documented it in the makedefs(1)
+	manpage.
+
+20250102
+
+	Added pre-release checks for configuration parameters that
+	are implemented but not documented, and for configuration
+	parameters that are documented but not implemented. Files:
+	mantools/check-postconf-unimplemented,
+	mantools/check-postconf-undocumented.
+
+	Documentation: eliminated an "unused" postconf(5) entry for
+	the lmtp_lhlo_timeout parameter, and added end-of-life info
+	for the obsolete proxy_tls_session_cache_timeout parameter.
+	File: proto/postconf.proto.
diff --git a/postfix/Makefile.in b/postfix/Makefile.in
index d7152b57e..a37f89f3b 100644
--- a/postfix/Makefile.in
+++ b/postfix/Makefile.in
@@ -117,6 +117,7 @@ manpages:
 # Some checks require a bin/postconf executable.
 pre-release-checks: typo-check double-check missing-proxy-read-maps-check \
 	postlink-check postfix-files-check \
+	postconf-unimplemented-check postconf-undocumented-check \
 	check-table-proto check-see-postconf-d-output \
 	check-snapshot-nonprod
 
@@ -126,6 +127,12 @@ postfix-files-check:
 postlink-check:
 	$(SHLIB_ENV) mantools/check-postlink | diff /dev/null -
 
+postconf-undocumented-check:
+	$(SHLIB_ENV) mantools/check-postconf-undocumented | diff /dev/null -
+
+postconf-unimplemented-check:
+	$(SHLIB_ENV) mantools/check-postconf-unimplemented | diff /dev/null -
+
 missing-proxy-read-maps-check:
 	$(SHLIB_ENV) mantools/missing-proxy-read-maps | diff /dev/null -
 
diff --git a/postfix/README_FILES/MILTER_README b/postfix/README_FILES/MILTER_README
index 7d9e93893..aafc69396 100644
--- a/postfix/README_FILES/MILTER_README
+++ b/postfix/README_FILES/MILTER_README
@@ -663,10 +663,24 @@ the CONTENT_INSPECTION_README document for a discussion.
     command information; they have no access to the message header or body, and
     cannot make modifications to the message or to the envelope.
 
-  * Postfix 2.6 ignores the optional ESMTP parameters in requests to replace
-    the sender (SMFIR_CHGFROM) or to append a recipient (SMFIR_ADDRCPT_PAR).
-    Postfix logs a warning message when a Milter application supplies such
-    ESMTP parameters:
+  * Postfix 3.3 and later support the ESMTP parameters RET and ENVID in
+    requests to replace the envelope sender (SMFIR_CHGFROM). Postfix logs a
+    warning message when a Milter application supplies other ESMTP parameters:
+
+    warning: queue-id: cleanup_chg_from: ignoring bad ESMTP
+        parameter "whatever" in SMFI_CHGFROM request
+
+  * Postfix 3.0 and later support the ESMTP parameters NOTIFY and ORCPT in
+    requests to add an envelope recipient. Postfix logs a warning message when
+    a Milter application supplies other ESMTP parameters:
+
+    warning: queue-id: cleanup_add_rcpt: ignoring ESMTP argument
+        from Milter or header/body_checks: "whatever"
+
+  * Postfix 2.6 and later ignore optional ESMTP parameters in requests to
+    replace the sender (SMFIR_CHGFROM) or to append a recipient
+    (SMFIR_ADDRCPT_PAR). Postfix logs a warning message when a Milter
+    application supplies such ESMTP parameters:
 
     warning: queue-id: cleanup_chg_from: ignoring ESMTP arguments "whatever"
     warning: queue-id: cleanup_add_rcpt: ignoring ESMTP arguments "whatever"
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 0954a4254..ec31c7bea 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -10,11 +10,20 @@ Wish list:
 
 	Add a mail_version chek to each pluggable database client.
 
+	Unify conf/postfix-wrapper and proto/postfix-wrapper (make
+	one a dependency of the other). They have diverged.
+
+	Should the SMTP client log the queue ID with the TLS status?
+
 	relay_recipient_maps empty should default to 'no valid
 	recipients'. Subject to compatibility level.
 
 	Make a reason available for messages placed on 'hold'.
 
+	In pipe_command() and spawn_command(), the child process
+	should call initgroups() to corrrectly the access rights
+	of interactive shell users.
+
 	relay_recipient_maps empty should default to 'no valid
 	recipients'. Subject to compatibility level.
 
diff --git a/postfix/html/MILTER_README.html b/postfix/html/MILTER_README.html
index 02767bd76..841584026 100644
--- a/postfix/html/MILTER_README.html
+++ b/postfix/html/MILTER_README.html
@@ -973,7 +973,27 @@ only to the SMTP command information; they have no access to the
 message header or body, and cannot make modifications to the message
 or to the envelope. </p>
 
-<li> <p> Postfix 2.6 ignores the optional ESMTP parameters in
+<li> <p> Postfix 3.3 and later support the ESMTP parameters RET and
+ENVID in requests to replace the envelope sender (SMFIR_CHGFROM).
+Postfix logs a warning message when a Milter application supplies
+other ESMTP parameters: </p>
+
+<pre>
+warning: <i>queue-id</i>: cleanup_chg_from: ignoring bad ESMTP
+    parameter "<i>whatever</i>" in SMFI_CHGFROM request
+</pre>
+
+<li> <p> Postfix 3.0 and later support the ESMTP parameters NOTIFY
+and ORCPT in requests to add an envelope recipient. Postfix logs a
+warning message when a Milter application supplies other ESMTP
+parameters: </p>
+
+<pre>
+warning: <i>queue-id</i>: cleanup_add_rcpt: ignoring ESMTP argument
+    from Milter or header/body_checks: "<i>whatever</i>"
+</pre>
+
+<li> <p> Postfix 2.6 and later ignore optional ESMTP parameters in
 requests to replace the sender (SMFIR_CHGFROM) or to append a
 recipient (SMFIR_ADDRCPT_PAR). Postfix logs a warning message when
 a Milter application supplies such ESMTP parameters: </p>
diff --git a/postfix/html/makedefs.1.html b/postfix/html/makedefs.1.html
index b2bc7193f..e312a6ba5 100644
--- a/postfix/html/makedefs.1.html
+++ b/postfix/html/makedefs.1.html
@@ -47,6 +47,9 @@ MAKEDEFS(1)                                                        MAKEDEFS(1)
               non-default  <i>include</i>  directory.   The  following directives are
               special:
 
+              <b>-DNO_CLOSEFROM</b>
+                     Do not use the system closefom() implementation.
+
               <b>-DNO_DB</b>
                      Do not build with Berkeley DB support.
 
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 6672ade3c..4720204bd 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -21430,7 +21430,7 @@ cache information. Since the cache is shared with <a href="smtpd.8.html">smtpd(8
 by <a href="tlsmgr.8.html">tlsmgr(8)</a>, there is only one expiration time for the SMTP server cache
 shared by all three services, namely <a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a>. </p>
 
-<p> This feature is available in Postfix 2.8 and later. </p>
+<p> This feature is available in Postfix 2.8-2.10. </p>
 
 
 </DD>
diff --git a/postfix/html/postlog.1.html b/postfix/html/postlog.1.html
index 23f9d69ae..a2f25860c 100644
--- a/postfix/html/postlog.1.html
+++ b/postfix/html/postlog.1.html
@@ -21,9 +21,9 @@ POSTLOG(1)                                                          POSTLOG(1)
        record.  If  no <i>text</i> is specified on the command line, <a href="postlog.1.html"><b>postlog</b>(1)</a> reads
        from standard input and logs each input line as one record.
 
-       By default, logging is sent to  <b>syslogd</b>(8)  or  <a href="postlogd.8.html"><b>postlogd</b>(8)</a>;  when  the
-       standard error stream is connected to a terminal, logging is sent there
-       as well.
+       Logging is sent to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>, and to the standard error
+       stream  (with  Postfix  &lt;  3.8, <a href="postlog.1.html"><b>postlog</b>(1)</a> writes to the standard error
+       stream only if that stream is connected to a terminal).
 
        The following options are implemented:
 
diff --git a/postfix/makedefs b/postfix/makedefs
index a048d09ce..9bd730281 100644
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -46,6 +46,8 @@
 #	\fIinclude\fR directory.
 #	The following directives are special:
 # .RS
+# .IP \fB-DNO_CLOSEFROM\fR
+#	Do not use the system closefom() implementation.
 # .IP \fB-DNO_DB\fR
 #	Do not build with Berkeley DB support.
 # .IP \fB-DNO_DEVPOLL\fR
@@ -240,8 +242,6 @@ case $# in
  # Officially supported usage.
  0) SYSTEM=`(uname -s) 2>/dev/null`
     RELEASE=`(uname -r) 2>/dev/null`
-    # No ${x%%y} support in Solaris 11 /bin/sh
-    RELEASE_MAJOR=`expr "$RELEASE" : '\([0-9]*\)'` || exit 1
     VERSION=`(uname -v) 2>/dev/null`
     case "$VERSION" in
      dcosx*) SYSTEM=$VERSION;;
@@ -251,6 +251,9 @@ case $# in
  *) echo usage: $0 [system release] 1>&2; exit 1;;
 esac
 
+# No ${x%%y} support in Solaris 11 /bin/sh
+RELEASE_MAJOR=`echo "$RELEASE" | sed 's/[^0-9].*//'` || exit 1
+
 case "$SYSTEM.$RELEASE" in
    SCO_SV.3.2)	SYSTYPE=SCO5
 		# Use the native compiler by default
diff --git a/postfix/man/man1/makedefs.1 b/postfix/man/man1/makedefs.1
index 1f3f452d3..52b5daea9 100644
--- a/postfix/man/man1/makedefs.1
+++ b/postfix/man/man1/makedefs.1
@@ -49,6 +49,8 @@ Specifies non\-default compiler arguments, for example, a non\-default
 \fIinclude\fR directory.
 The following directives are special:
 .RS
+.IP \fB\-DNO_CLOSEFROM\fR
+Do not use the system closefom() implementation.
 .IP \fB\-DNO_DB\fR
 Do not build with Berkeley DB support.
 .IP \fB\-DNO_DEVPOLL\fR
diff --git a/postfix/man/man1/postlog.1 b/postfix/man/man1/postlog.1
index d9723e7c4..a8c70b8ef 100644
--- a/postfix/man/man1/postlog.1
+++ b/postfix/man/man1/postlog.1
@@ -23,10 +23,10 @@ line as one record. If no \fItext\fR is specified on the command
 line, \fBpostlog\fR(1) reads from standard input and logs each input
 line as one record.
 
-By default, logging is sent to \fBsyslogd\fR(8) or
-\fBpostlogd\fR(8); when the
-standard error stream is connected to a terminal, logging
-is sent there as well.
+Logging is sent to \fBsyslogd\fR(8) or \fBpostlogd\fR(8), and
+to the standard error stream (with Postfix < 3.8, \fBpostlog\fR(1)
+writes to the standard error stream only if that stream is
+connected to a terminal).
 
 The following options are implemented:
 .IP "\fB\-c \fIconfig_dir\fR"
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index a4463da00..2ad4c4d39 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -14855,7 +14855,7 @@ cache information. Since the cache is shared with \fBsmtpd\fR(8) and managed
 by \fBtlsmgr\fR(8), there is only one expiration time for the SMTP server cache
 shared by all three services, namely smtpd_tls_session_cache_timeout.
 .PP
-This feature is available in Postfix 2.8 and later.
+This feature is available in Postfix 2.8\-2.10.
 .SH tlsproxy_use_tls (default: $smtpd_use_tls)
 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
 but do not require that clients use TLS encryption. See smtpd_use_tls
diff --git a/postfix/mantools/check-postconf-undocumented b/postfix/mantools/check-postconf-undocumented
new file mode 100644
index 000000000..7f45e2b33
--- /dev/null
+++ b/postfix/mantools/check-postconf-undocumented
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+# Reports parameters that exist in postconf(1) output, but that are not
+# documented in the postconf(5) manpage.
+
+LANG=C; export LANG
+LC_ALL=C; export LC_ALL
+
+bin/postconf mail_version >/dev/null || exit 1
+
+trap 'rm -f want.tmp have.tmp stoplist.tmp 2>/dev/null' 0 1 2 3 15
+
+# Extract parameters from the postconf(5) manpage.
+
+awk '/^%PARAM/ { print $2 }' proto/postconf.proto | sort > have.tmp || exit 1
+
+# Build a stoplist for postconf(1) output.
+
+# Eliminate unwanted dynamic parameter names for delivery agents. These
+# names are prefixed by their master.cf service name (they must instead
+# be documented with fake names that have the "transport_" prefix; that
+# is implemented later in this script).
+
+for xport in error lmtp local relay retry smtp virtual
+do
+   cat <<EOF
+${xport}_delivery_slot_cost
+${xport}_delivery_slot_discount
+${xport}_delivery_slot_loan
+${xport}_destination_concurrency_failed_cohort_limit
+${xport}_destination_concurrency_limit
+${xport}_destination_concurrency_negative_feedback
+${xport}_destination_concurrency_positive_feedback
+${xport}_destination_rate_delay
+${xport}_destination_recipient_limit
+${xport}_extra_recipient_limit
+${xport}_initial_destination_concurrency
+${xport}_minimum_delivery_slots
+${xport}_recipient_limit
+${xport}_recipient_refill_delay
+${xport}_recipient_refill_limit
+${xport}_transport_rate_delay
+EOF
+done >stoplist.tmp
+
+# Eliminate other unwanted per-service parameters.
+
+#cat >>stoplist.tmp <<EOF
+#EOF
+
+# Eliminate unwanted auto-generated parameters that make no sense.
+
+cat >>stoplist.tmp <<'EOF'
+lmtp_tlsrpt_enable
+lmtp_tlsrpt_skip_reused_handshakes
+lmtp_tlsrpt_socket_name
+EOF
+
+# Build the list of parameter names that must have an entry in the
+# postconf(5) manpage.
+
+(
+# First, extract parameters from postconf(1) output, using the stock
+# configurations.
+
+bin/postconf -dHc conf | grep -F -vx -f stoplist.tmp
+
+# Next, require that all dynamically-generated parameter names for delivery
+# agents are documented as transport_mumble.
+
+cat <<EOF
+transport_delivery_slot_cost
+transport_delivery_slot_discount
+transport_delivery_slot_loan
+transport_destination_concurrency_failed_cohort_limit
+transport_destination_concurrency_limit
+transport_destination_concurrency_negative_feedback
+transport_destination_concurrency_positive_feedback
+transport_destination_rate_delay
+transport_destination_recipient_limit
+transport_extra_recipient_limit
+transport_initial_destination_concurrency
+transport_minimum_delivery_slots
+transport_recipient_limit
+transport_recipient_refill_delay
+transport_recipient_refill_limit
+transport_transport_rate_delay
+EOF
+
+# Require that other per-service parameters are documented.
+
+cat <<EOF
+transport_time_limit
+EOF
+) | sort >want.tmp || exit 1
+
+# Report parameter names that have an implementation but no documentation.
+
+comm -23 want.tmp have.tmp
diff --git a/postfix/mantools/check-postconf-unimplemented b/postfix/mantools/check-postconf-unimplemented
new file mode 100644
index 000000000..9f5479fe7
--- /dev/null
+++ b/postfix/mantools/check-postconf-unimplemented
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# Reports parameters that are documented in the postconf(5 mapage),
+# but not implemented according to postconf(1) output.
+
+LANG=C; export LANG
+LC_ALL=C; export LC_ALL
+
+bin/postconf mail_version >/dev/null || exit 1
+
+trap 'rm -f have.tmp want.tmp stoplist.tmp 2>/dev/null' 0 1 2 3 15
+
+# Extract the implemented parameter names from postconf(1) output, using
+# the stock configurations.
+
+bin/postconf -dHc conf | sort >have.tmp || exit 1
+
+# Build a stoplist for postconf(5) output.
+
+# Eliminate dynamic parameter names for delivery agents. These are
+# documented as transport_mumble.
+
+cat <<EOF >stoplist.tmp
+transport_delivery_slot_cost
+transport_delivery_slot_discount
+transport_delivery_slot_loan
+transport_destination_concurrency_failed_cohort_limit
+transport_destination_concurrency_limit
+transport_destination_concurrency_negative_feedback
+transport_destination_concurrency_positive_feedback
+transport_destination_rate_delay
+transport_destination_recipient_limit
+transport_extra_recipient_limit
+transport_initial_destination_concurrency
+transport_minimum_delivery_slots
+transport_recipient_limit
+transport_recipient_refill_delay
+transport_recipient_refill_limit
+transport_transport_rate_delay
+EOF
+
+# Eliminate other per-service transport_mumble parameters.
+
+cat <<EOF >>stoplist.tmp
+transport_time_limit
+EOF
+
+# Eliminate obsolete parameters. These are no longer implemented, but
+# still documented.
+
+cat >>stoplist.tmp <<'EOF'
+authorized_verp_clients
+enable_errors_to
+extract_recipient_limit
+fallback_relay
+lmtp_cache_connection
+lmtp_per_record_deadline
+postscreen_blacklist_action
+postscreen_dnsbl_ttl
+postscreen_dnsbl_whitelist_threshold
+postscreen_whitelist_interfaces
+sender_based_routing
+smtp_per_record_deadline
+smtp_skip_4xx_greeting
+smtp_tls_cipherlist
+smtpd_per_record_deadline
+smtpd_sasl_application_name
+smtpd_tls_cipherlist
+tls_dane_digest_agility
+tls_dane_trust_anchor_digest_enable
+tlsproxy_client_level
+tlsproxy_client_policy
+tlsproxy_tls_session_cache_timeout
+virtual_maps
+EOF
+
+# Extract parameters from the postconf(5) manpage.
+
+awk '/^%PARAM/ { print $2 }' proto/postconf.proto | 
+	grep -F -vx -f stoplist.tmp | sort > want.tmp || exit 1
+
+# Report names from the postconf(5) manpage that have no implementation.
+
+comm -23 want.tmp have.tmp
diff --git a/postfix/proto/MILTER_README.html b/postfix/proto/MILTER_README.html
index a331c37da..c8a557767 100644
--- a/postfix/proto/MILTER_README.html
+++ b/postfix/proto/MILTER_README.html
@@ -973,7 +973,27 @@ only to the SMTP command information; they have no access to the
 message header or body, and cannot make modifications to the message
 or to the envelope. </p>
 
-<li> <p> Postfix 2.6 ignores the optional ESMTP parameters in
+<li> <p> Postfix 3.3 and later support the ESMTP parameters RET and
+ENVID in requests to replace the envelope sender (SMFIR_CHGFROM).
+Postfix logs a warning message when a Milter application supplies
+other ESMTP parameters: </p>
+
+<pre>
+warning: <i>queue-id</i>: cleanup_chg_from: ignoring bad ESMTP
+    parameter "<i>whatever</i>" in SMFI_CHGFROM request
+</pre>
+
+<li> <p> Postfix 3.0 and later support the ESMTP parameters NOTIFY
+and ORCPT in requests to add an envelope recipient. Postfix logs a
+warning message when a Milter application supplies other ESMTP
+parameters: </p>
+
+<pre>
+warning: <i>queue-id</i>: cleanup_add_rcpt: ignoring ESMTP argument
+    from Milter or header/body_checks: "<i>whatever</i>"
+</pre>
+
+<li> <p> Postfix 2.6 and later ignore optional ESMTP parameters in
 requests to replace the sender (SMFIR_CHGFROM) or to append a
 recipient (SMFIR_ADDRCPT_PAR). Postfix logs a warning message when
 a Milter application supplies such ESMTP parameters: </p>
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 7b26017b0..c0b57e705 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -2302,20 +2302,6 @@ one-letter suffix that specifies the time unit).  Time units: s
 (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).  </p>
 
-%PARAM lmtp_lhlo_timeout 300s
-
-<p> The Postfix LMTP client time limit for receiving the LMTP
-greeting banner.  When the remote LMTP server drops the connection
-without sending a
-greeting banner, or when it sends no greeting banner within the
-deadline, the LMTP client tries the next address on the mail
-exchanger list.  </p>
-
-<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit).  Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).  </p>
-
 %PARAM lmtp_mail_timeout 300s
 
 <p>
@@ -16090,7 +16076,7 @@ cache information. Since the cache is shared with smtpd(8) and managed
 by tlsmgr(8), there is only one expiration time for the SMTP server cache
 shared by all three services, namely smtpd_tls_session_cache_timeout. </p>
 
-<p> This feature is available in Postfix 2.8 and later. </p>
+<p> This feature is available in Postfix 2.8-2.10. </p>
 
 %PARAM tlsproxy_use_tls $smtpd_use_tls
 
diff --git a/postfix/proto/stop b/postfix/proto/stop
index 8eea8ade5..8447195ea 100644
--- a/postfix/proto/stop
+++ b/postfix/proto/stop
@@ -1655,3 +1655,5 @@ hs
 ccformat
 xxsql
 MEMCACHE
+ORCPT
+RET
diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history
index f0ef0c55b..2276687a8 100644
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@@ -146,3 +146,4 @@ proto  proto socketmap_table qmqpd qmqpd c tls tls_misc c
  a dependency for html html File html Makefile in 
  master dgram_server c master mail_server h postlogd postlogd c 
  reload etc File spawn spawn c 
+ logging to the standard error stream File postlog postlog c 
diff --git a/postfix/proto/stop.spell-history b/postfix/proto/stop.spell-history
index e7fa73e8f..9a892a1d5 100644
--- a/postfix/proto/stop.spell-history
+++ b/postfix/proto/stop.spell-history
@@ -95,3 +95,4 @@ mandoc
 v'expr
 roff
 diffs
+CLOSEFROM
diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c
index 1530eeb25..1c8881d84 100644
--- a/postfix/src/cleanup/cleanup_message.c
+++ b/postfix/src/cleanup/cleanup_message.c
@@ -789,7 +789,7 @@ static void cleanup_header_done_callback(void *context)
 		}
 		if (token) {
 		    tok822_externalize(state->temp2, token, TOK822_STR_NONE);
-		    tok822_free(token);
+		    tok822_free_tree(token);
 		    vstring_strcat(state->temp2, " ");
 		}
 		vstring_sprintf_append(state->temp2, "<%s>",
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index dcb9c7192..ca3b424e9 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20241202"
+#define MAIL_RELEASE_DATE	"20250103"
 #define MAIL_VERSION_NUMBER	"3.10"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/postlog/postlog.c b/postfix/src/postlog/postlog.c
index 195ebd918..ce6b3c0f9 100644
--- a/postfix/src/postlog/postlog.c
+++ b/postfix/src/postlog/postlog.c
@@ -17,10 +17,10 @@
 /*	line, \fBpostlog\fR(1) reads from standard input and logs each input
 /*	line as one record.
 /*
-/*	By default, logging is sent to \fBsyslogd\fR(8) or
-/*	\fBpostlogd\fR(8); when the
-/*	standard error stream is connected to a terminal, logging
-/*	is sent there as well.
+/*	Logging is sent to \fBsyslogd\fR(8) or \fBpostlogd\fR(8), and
+/*	to the standard error stream (with Postfix < 3.8, \fBpostlog\fR(1)
+/*	writes to the standard error stream only if that stream is
+/*	connected to a terminal).
 /*
 /*	The following options are implemented:
 /* .IP "\fB-c \fIconfig_dir\fR"
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index 2f4b5e3ba..937999f08 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -1051,7 +1051,15 @@ void    tls_get_signature_params(TLS_SESS_STATE *TLScontext)
     if (SSL_version(ssl) < TLS1_3_VERSION)
 	return;
 
-    if (tls_get_peer_dh_pubkey(ssl, &dh_pkey)) {
+    /*
+     * On the client side, a TLS 1.3 KEM has no server key, just ciphertext
+     * to decapsulate, but, as of OpenSSL 3.0, the client can still obtain
+     * the negotiated group name directly.
+     */
+    if (!kex_name)
+	kex_name = TLS_GROUP_NAME(ssl);
+
+    if (kex_name == NULL && tls_get_peer_dh_pubkey(ssl, &dh_pkey)) {
 	switch (nid = EVP_PKEY_id(dh_pkey)) {
 	default:
 	    kex_name = OBJ_nid2sn(EVP_PKEY_type(nid));
@@ -1079,16 +1087,6 @@ void    tls_get_signature_params(TLS_SESS_STATE *TLScontext)
 	EVP_PKEY_free(dh_pkey);
     }
 
-    /*
-     * On the client side, a TLS 1.3 KEM has no server key, just ciphertext
-     * to decapsulate, but, as of OpenSSL 3.0, the client can still obtain
-     * the negotiated group name directly.  We nevertheless still try to get
-     * the group details from the peer key first, which works with OpenSSL
-     * 1.1.1 and retains the original output format for the (EC)DH groups.
-     */
-    if (!kex_name)
-	kex_name = TLS_GROUP_NAME(ssl);
-
     /*
      * On the client end, the certificate may be present, but not used, so we
      * check via SSL_get_signature_nid().  This means that local signature
diff --git a/postfix/src/util/peekfd.c b/postfix/src/util/peekfd.c
index e9480a2d6..420a92b05 100644
--- a/postfix/src/util/peekfd.c
+++ b/postfix/src/util/peekfd.c
@@ -39,6 +39,9 @@
 
 #include <sys_defs.h>
 #include <sys/ioctl.h>
+#ifdef SUNOS5
+#include <sys/socket.h>			/* shutdown(2) */
+#endif
 #ifdef FIONREAD_IN_SYS_FILIO_H
 #include <sys/filio.h>
 #endif
diff --git a/postfix/src/util/sys_compat.c b/postfix/src/util/sys_compat.c
index 8bf8e581d..a28deacdf 100644
--- a/postfix/src/util/sys_compat.c
+++ b/postfix/src/util/sys_compat.c
@@ -286,7 +286,7 @@ int     dup2_pass_on_exec(int oldd, int newd)
 
 /* closefrom() - closes all file descriptors from the given one up */
 
-int     closefrom(int lowfd)
+void    closefrom(int lowfd)
 {
     int     fd_limit = open_limit(0);
     int     fd;
@@ -298,14 +298,12 @@ int     closefrom(int lowfd)
      */
     if (lowfd < 0) {
 	errno = EBADF;
-	return (-1);
+	return;
     }
     if (fd_limit > 500)
 	fd_limit = 500;
     for (fd = lowfd; fd < fd_limit; fd++)
 	(void) close(fd);
-
-    return (0);
 }
 
 #endif
diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h
index 62749ab57..70aab2366 100644
--- a/postfix/src/util/sys_defs.h
+++ b/postfix/src/util/sys_defs.h
@@ -1466,6 +1466,10 @@ typedef int WAIT_STATUS_T;
 #undef HAVE_POSIX_GETPW_R
 #endif
 
+#ifdef NO_CLOSEFROM
+#undef HAS_CLOSEFROM
+#endif
+
 #ifdef NO_DB
 #undef HAS_DB
 #endif
@@ -1526,7 +1530,7 @@ extern int setsid(void);
 #endif
 
 #ifndef HAS_CLOSEFROM
-extern int closefrom(int);
+extern void closefrom(int);
 
 #endif