postfix-3.11-20250223

postfix/HISTORY

@@ -28995,3 +28995,10 @@ Apologies for any names omitted.
 	Bugfix (defect introduced: Postfix 3.10): Postfix SMTP
 	client segfault while reporting a 'certificate expired'
 	event. Problem reported by Oemer Gueven. File: tls/tls_verify.c.
+
+20250221
+
+	Bugfix (defect introduced: 20250210): a recent 'fix' for the
+	default smtp_tls_dane_insecure_mx_policy setting resulted in
+	unnecessary 'dnssec_probe' warnings, on systems that disable
+	DNSSEC lookups (the default). File: smtp/smtp_addr.c.

postfix/README_FILES/TLSRPT_README

@@ -49,8 +49,8 @@ TLSRPT information, are implemented and maintained by sys4 at https://
 github.com/sys4/libtlsrpt and https://github.com/sys4/tlsrpt-reporter,
 respectively.
 
-The Postfix implementation supports TLSRPT or domains with DANE (Postfix built-
+The Postfix implementation supports TLSRPT for domains with DANE (Postfix
-in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
+built-in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
 
 The Postfix smtp(8) client process implements the SMTP client engine. With
 "smtp_tls_connection_reuse = no", the smtp(8) client process also implements

postfix/html/SASL_README.html

@@ -178,7 +178,7 @@ later. </p>
 <p> Dovecot is a POP/IMAP server that has its own configuration to
 authenticate POP/IMAP clients. When the Postfix SMTP server uses
 Dovecot SASL, it reuses parts of this configuration.  Consult the
-<a href="https://wiki.dovecot.org">Dovecot documentation</a> for how
+<a href="https://doc.dovecot.org">Dovecot documentation</a> for how
 to configure and operate the Dovecot authentication server.  </p>
 
 <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>

postfix/html/TLSRPT_README.html

@@ -99,7 +99,7 @@ fetch, and report TLSRPT information, are implemented and maintained
 by sys4 at <a href="https://github.com/sys4/libtlsrpt">https://github.com/sys4/libtlsrpt</a> and
 <a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>, respectively. </p>
 
-<p> The Postfix implementation supports TLSRPT or domains with DANE
+<p> The Postfix implementation supports TLSRPT for domains with DANE
 (Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
 smtp_tls_policy_maps plug-in</a>). </p>
 

postfix/proto/SASL_README.html

@@ -178,7 +178,7 @@ later. </p>
 <p> Dovecot is a POP/IMAP server that has its own configuration to
 authenticate POP/IMAP clients. When the Postfix SMTP server uses
 Dovecot SASL, it reuses parts of this configuration.  Consult the
-<a href="https://wiki.dovecot.org">Dovecot documentation</a> for how
+<a href="https://doc.dovecot.org">Dovecot documentation</a> for how
 to configure and operate the Dovecot authentication server.  </p>
 
 <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>

postfix/proto/TLSRPT_README.html

@@ -99,7 +99,7 @@ fetch, and report TLSRPT information, are implemented and maintained
 by sys4 at https://github.com/sys4/libtlsrpt and
 https://github.com/sys4/tlsrpt-reporter, respectively. </p>
 
-<p> The Postfix implementation supports TLSRPT or domains with DANE
+<p> The Postfix implementation supports TLSRPT for domains with DANE
 (Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
 smtp_tls_policy_maps plug-in</a>). </p>
 

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20250217"
+#define MAIL_RELEASE_DATE	"20250223"
 #define MAIL_VERSION_NUMBER	"3.11"
 
 #ifdef SNAPSHOT

postfix/src/smtp/smtp_addr.c

@@ -299,7 +299,8 @@ static DNS_RR *smtp_addr_list(DNS_RR *mx_names, DSN_BUF *why)
     if (mx_names->dnssec_valid)
 	res_opt = RES_USE_DNSSEC;
 #ifdef USE_TLS
-    else if (smtp_tls_insecure_mx_policy > TLS_LEV_MAY)
+    else if (smtp_tls_insecure_mx_policy > TLS_LEV_MAY
+	     && smtp_dns_support == SMTP_DNS_DNSSEC)
 	res_opt = RES_USE_DNSSEC;
 #endif