From 643c8e5e856c54e42f099b054e679c54917cd4bc Mon Sep 17 00:00:00 2001
From: Wietse Z Venema
The default setting, "smtpd_hide_client_session = no", must be used for the port 25 MTA service. It provides information -that is required by RFC 5321.
+that is required by RFC 5321 section 4.4.The setting "smtpd_hide_client_session = yes" may be used for the port 587 and 465 MUA services. This hides the SMTP client @@ -16660,8 +16660,9 @@ Received: by mail.example.com (Postfix) id postfix-queue-id
The redacted form hides that a message was received with SMTP, -and therefore it does not need to provide the information required by -RFC 5321. The form does still meet RFC 5322 requirements.
+and therefore it does not need to provide the FROM clause according +to RFC 5321 section 4.4. The redacted form still meets RFC 5322 +requirements.This feature is available in Postfix ≥ 3.10.
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 73fce25dd..d3aadfa04 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -11272,7 +11272,7 @@ SMTP server's Received: message header. .IP \(bu The default setting, "smtpd_hide_client_session = no", must be used for the port 25 MTA service. It provides information -that is required by RFC 5321. +that is required by RFC 5321 section 4.4. .IP \(bu The setting "smtpd_hide_client_session = yes" may be used for the port 587 and 465 MUA services. This hides the SMTP client @@ -11296,8 +11296,9 @@ Received: by mail.example.com (Postfix) id postfix\-queue\-id .in -4 .PP The redacted form hides that a message was received with SMTP, -and therefore it does not need to provide the information required by -RFC 5321. The form does still meet RFC 5322 requirements. +and therefore it does not need to provide the FROM clause according +to RFC 5321 section 4.4. The redacted form still meets RFC 5322 +requirements. .PP This feature is available in Postfix >= 3.10. .SH smtpd_history_flush_threshold (default: 100) diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 666264fe2..bc95018b5 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -19634,7 +19634,7 @@ SMTP server's Received: message header.The default setting, "smtpd_hide_client_session = no", must be used for the port 25 MTA service. It provides information -that is required by RFC 5321.
+that is required by RFC 5321 section 4.4.The setting "smtpd_hide_client_session = yes" may be used for the port 587 and 465 MUA services. This hides the SMTP client @@ -19657,8 +19657,9 @@ Received: by mail.example.com (Postfix) id postfix-queue-id
The redacted form hides that a message was received with SMTP, -and therefore it does not need to provide the information required by -RFC 5321. The form does still meet RFC 5322 requirements.
+and therefore it does not need to provide the FROM clause according +to RFC 5321 section 4.4. The redacted form still meets RFC 5322 +requirements.This feature is available in Postfix ≥ 3.10.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index c03965bdd..1836742ea 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20250803" +#define MAIL_RELEASE_DATE "20250807" #define MAIL_VERSION_NUMBER "3.11" #ifdef SNAPSHOT diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index 8c26e9f64..24f5c76ce 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -575,6 +575,24 @@ static void smtp_connect_local(SMTP_STATE *state, const char *path) SMTP_ITER_INIT(iter, path, var_myhostname, path, NO_PORT, state); + /* + * If a "TLS-Required: no" header is in effect, update the iterator to + * override TLS policy selection and to limit the security level to + * "may". Do not reset the security level after policy selection, as that + * would result in errors. For example, when TLSA records are looked up + * for security level "dane", and then the security level is reset to + * "may", the activation of those TLSA records will fail. + * + * Note that the REQUIRETLS verb in ESMTP overrides the "TLS-Required: no" + * header. + */ +#ifdef USE_TLS + if (var_tls_required_enable + && (state->request->sendopts & SOPT_REQUIRETLS_HEADER)) { + iter->tlsreqno = 1; + } +#endif + /* * Opportunistic TLS for unix domain sockets does not make much sense, * since the channel is private, mere encryption without authentication
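Review bot: in the postconf documentation hunks (postconf.5.html, postconf.5 and the postconf.proto source they are generated from), the rewording to "does not need to provide the FROM clause according to RFC 5321 section 4.4" is applied consistently to all three copies, which is the right way round since postconf.proto is the master. One clarification would strengthen the argument: RFC 5321 section 4.4 makes the FROM clause mandatory only "in an SMTP environment", so the justification depends on the redacted header also dropping the "with" clause, exactly as the example "Received: by mail.example.com (Postfix) id postfix-queue-id" shows. Consider stating that explicitly, so readers do not conclude that the FROM clause alone may be omitted from an otherwise complete SMTP trace header.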
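Review bot: in the mail_version.h hunk only MAIL_RELEASE_DATE moves from "20250803" to "20250807", with MAIL_VERSION_NUMBER staying at "3.11" under SNAPSHOT, which is consistent with the header comment that snapshots change the release date only. The smtp_connect.c change in this same patch alters delivery behaviour, but no HISTORY or RELEASE_NOTES hunk is visible in this excerpt; make sure a matching HISTORY entry for the 20250807 snapshot accompanies it.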
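Review bot: in the smtp_connect_local() hunk, the new comment states that the ESMTP REQUIRETLS verb overrides a "TLS-Required: no" header, but the condition that sets iter->tlsreqno tests only SOPT_REQUIRETLS_HEADER and nothing about a REQUIRETLS request; if that precedence is enforced where sendopts is populated, a one-line pointer to that place in this comment would save the next reader a search, and if it is not, the check belongs here before "iter->tlsreqno = 1;". The placement directly after SMTP_ITER_INIT() and before any policy lookup does match the comment's warning about not resetting the level after TLSA records have been selected for level "dane". Since the surrounding context notes that opportunistic TLS over a unix-domain socket is of little use, the practical effect here is to keep the iterator consistent with the TCP connection path; if that path carries the same #ifdef USE_TLS block, consider factoring it into a small shared helper so the two cannot drift apart.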