From 73ef04f1921f45430da269f88c1424e9d01ba8db Mon Sep 17 00:00:00 2001
From: Wietse Z Venema
Date: Sun, 23 Feb 2025 00:00:00 -0500
Subject: [PATCH] postfix-3.11-20250223
---
postfix/HISTORY | 7 +++++++
postfix/README_FILES/TLSRPT_README | 4 ++--
postfix/html/SASL_README.html | 2 +-
postfix/html/TLSRPT_README.html | 2 +-
postfix/proto/SASL_README.html | 2 +-
postfix/proto/TLSRPT_README.html | 2 +-
postfix/src/global/mail_version.h | 2 +-
postfix/src/smtp/smtp_addr.c | 3 ++-
8 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 34109c238..2cae52077 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -28995,3 +28995,10 @@ Apologies for any names omitted.
Bugfix (defect introduced: Postfix 3.10): Postfix SMTP
client segfault while reporting a 'certificate expired'
event. Problem reported by Oemer Gueven. File: tls/tls_verify.c.
+
+20250221
+
+ Bugfix (defect introduced: 20250210): a recent 'fix' for the
+ default smtp_tls_dane_insecure_mx_policy setting resulted in
+ unnecessary 'dnssec_probe' warnings, on systems that disable
+ DNSSEC lookups (the default). File: smtp/smtp_addr.c.
diff --git a/postfix/README_FILES/TLSRPT_README b/postfix/README_FILES/TLSRPT_README
index 415342e6a..91e72b526 100644
--- a/postfix/README_FILES/TLSRPT_README
+++ b/postfix/README_FILES/TLSRPT_README
@@ -49,8 +49,8 @@ TLSRPT information, are implemented and maintained by sys4 at https://
github.com/sys4/libtlsrpt and https://github.com/sys4/tlsrpt-reporter,
respectively.
-The Postfix implementation supports TLSRPT or domains with DANE (Postfix built-
-in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
+The Postfix implementation supports TLSRPT for domains with DANE (Postfix
+built-in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
The Postfix smtp(8) client process implements the SMTP client engine. With
"smtp_tls_connection_reuse = no", the smtp(8) client process also implements
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index f07a2da95..c47672a50 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -178,7 +178,7 @@ later.
Dovecot is a POP/IMAP server that has its own configuration to
authenticate POP/IMAP clients. When the Postfix SMTP server uses
Dovecot SASL, it reuses parts of this configuration. Consult the
-Dovecot documentation for how
+Dovecot documentation for how
to configure and operate the Dovecot authentication server.
diff --git a/postfix/html/TLSRPT_README.html b/postfix/html/TLSRPT_README.html
index bc22acf3b..877c41e3a 100644
--- a/postfix/html/TLSRPT_README.html
+++ b/postfix/html/TLSRPT_README.html
@@ -99,7 +99,7 @@ fetch, and report TLSRPT information, are implemented and maintained
by sys4 at https://github.com/sys4/libtlsrpt and
https://github.com/sys4/tlsrpt-reporter, respectively.
- The Postfix implementation supports TLSRPT or domains with DANE
+
The Postfix implementation supports TLSRPT for domains with DANE
(Postfix built-in) and MTA-STS (through an
smtp_tls_policy_maps plug-in).
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index d50fc840f..bf1dd473c 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -178,7 +178,7 @@ later.
Dovecot is a POP/IMAP server that has its own configuration to
authenticate POP/IMAP clients. When the Postfix SMTP server uses
Dovecot SASL, it reuses parts of this configuration. Consult the
-Dovecot documentation for how
+Dovecot documentation for how
to configure and operate the Dovecot authentication server.
diff --git a/postfix/proto/TLSRPT_README.html b/postfix/proto/TLSRPT_README.html
index 8f09e9098..7778a673c 100644
--- a/postfix/proto/TLSRPT_README.html
+++ b/postfix/proto/TLSRPT_README.html
@@ -99,7 +99,7 @@ fetch, and report TLSRPT information, are implemented and maintained
by sys4 at https://github.com/sys4/libtlsrpt and
https://github.com/sys4/tlsrpt-reporter, respectively.
- The Postfix implementation supports TLSRPT or domains with DANE
+
The Postfix implementation supports TLSRPT for domains with DANE
(Postfix built-in) and MTA-STS (through an
smtp_tls_policy_maps plug-in).
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index cb9dc1de9..f1ebb226f 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20250217"
+#define MAIL_RELEASE_DATE "20250223"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
diff --git a/postfix/src/smtp/smtp_addr.c b/postfix/src/smtp/smtp_addr.c
index b7a63a4ff..476ac87c4 100644
--- a/postfix/src/smtp/smtp_addr.c
+++ b/postfix/src/smtp/smtp_addr.c
@@ -299,7 +299,8 @@ static DNS_RR *smtp_addr_list(DNS_RR *mx_names, DSN_BUF *why)
if (mx_names->dnssec_valid)
res_opt = RES_USE_DNSSEC;
#ifdef USE_TLS
- else if (smtp_tls_insecure_mx_policy > TLS_LEV_MAY)
+ else if (smtp_tls_insecure_mx_policy > TLS_LEV_MAY
+ && smtp_dns_support == SMTP_DNS_DNSSEC)
res_opt = RES_USE_DNSSEC;
#endif
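Review bot: The added `&& smtp_dns_support == SMTP_DNS_DNSSEC` term in the `#ifdef USE_TLS` branch has no comment explaining why the insecure-MX TLS policy now depends on the DNS support level. Going by the HISTORY entry in this patch, the intent is to stop 'dnssec_probe' warnings on systems that leave DNSSEC lookups disabled. The consequence worth recording is that on those systems a policy above `TLS_LEV_MAY` no longer sets `RES_USE_DNSSEC` for these address lookups, so the policy presumably cannot take effect there. I would add above the `else if` something like `/* Request DNSSEC for hosts behind an insecure MX only when DNSSEC lookups are enabled; otherwise the policy has no effect and the probe only logs warnings. */`. The body of `smtp_addr_list` starts and ends outside the hunk, so whether an operator is told elsewhere that the policy is inactive cannot be seen from here.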