diff --git a/postfix/HISTORY b/postfix/HISTORY
index d5658bd7a..db6dfb59c 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -29488,3 +29488,26 @@ Apologies for any names omitted.
Postfix that would need to be converted to int64_t, or to
long long which just like time_t is a 64-bit type on many
ILP32 and LP64 systems.
+
+20250730
+
+ Bugfix (defect introduced: Postfix 3.6, date 20200710):
+ Postfix TLS client code logged "Untrusted TLS connection"
+ (wrong) instead of "Trusted TLS connection" (right) for a
+ resumed TLS session, when a server offered a trusted (valid
+ PKI trust chain) certificate that did not match the expected
+ server name pattern. Viktor Dukhovni. Files: tls/tls_client.c,
+ tls/tls_verify.c.
+
+ Cleanup: make the manpage extraction tooling smarter about
+ section headings, and remove the now unnecessary explicit
+ ".SH" formatting requests. This produces zero visible change
+ in formatted Postfix manpages. Files: mantools/srctoman,
+ src/global/config_known_tcp_ports.c, postmulti/postmulti.c,
+ tls/tls_misc.c.
+
+ Regenerate all manpages, causing parameter summaries to be
+ updated with new descriptions from postconf(5). Files:
+ conf/postfix-tls-script, discard/discard.c, error/error.c,
+ oqmgr/qmgr.c, postmulti/postmulti.c, qmgr/qmgr.c,
+ virtual/virtual.c.
diff --git a/postfix/conf/postfix-tls-script b/postfix/conf/postfix-tls-script
index 997e9c52e..04501b481 100644
--- a/postfix/conf/postfix-tls-script
+++ b/postfix/conf/postfix-tls-script
@@ -177,7 +177,7 @@
# The location of the OpenSSL command line program \fBopenssl\fR(1).
# .IP "\fBsmtp_tls_loglevel (0)\fR"
# Enable additional Postfix SMTP client logging of TLS activity.
-# .IP "\fBsmtp_tls_security_level (empty)\fR"
+# .IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
# The default SMTP TLS security level for the Postfix SMTP client.
# .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
# Name of the file containing the optional Postfix SMTP client
diff --git a/postfix/html/discard.8.html b/postfix/html/discard.8.html
index 9d0e1ebde..207a03540 100644
--- a/postfix/html/discard.8.html
+++ b/postfix/html/discard.8.html
@@ -60,7 +60,7 @@ DISCARD(8) DISCARD(8)
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when log-
- ging sub-second delay values.
+ ging delay values.
double_bounce_sender (double-bounce)
The sender address of postmaster notifications that are gener-
diff --git a/postfix/html/error.8.html b/postfix/html/error.8.html
index aee2cd8ad..4f22acbe0 100644
--- a/postfix/html/error.8.html
+++ b/postfix/html/error.8.html
@@ -70,7 +70,7 @@ ERROR(8) ERROR(8)
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when log-
- ging sub-second delay values.
+ ging delay values.
double_bounce_sender (double-bounce)
The sender address of postmaster notifications that are gener-
diff --git a/postfix/html/oqmgr.8.html b/postfix/html/oqmgr.8.html
index 0bebfb533..cc47fea49 100644
--- a/postfix/html/oqmgr.8.html
+++ b/postfix/html/oqmgr.8.html
@@ -348,7 +348,7 @@ OQMGR(8) OQMGR(8)
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when log-
- ging sub-second delay values.
+ ging delay values.
helpful_warnings (yes)
Log warnings about problematic configuration settings, and pro-
diff --git a/postfix/html/postfix-tls.1.html b/postfix/html/postfix-tls.1.html
index 272d98b53..b94443a39 100644
--- a/postfix/html/postfix-tls.1.html
+++ b/postfix/html/postfix-tls.1.html
@@ -182,7 +182,7 @@ POSTFIX-TLS(1) POSTFIX-TLS(1)
smtp_tls_loglevel (0)
Enable additional Postfix SMTP client logging of TLS activity.
- smtp_tls_security_level (empty)
+ smtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)
The default SMTP TLS security level for the Postfix SMTP client.
smtp_tls_session_cache_database (empty)
diff --git a/postfix/html/qmgr.8.html b/postfix/html/qmgr.8.html
index 3e6249e74..575f6d7cb 100644
--- a/postfix/html/qmgr.8.html
+++ b/postfix/html/qmgr.8.html
@@ -426,7 +426,7 @@ QMGR(8) QMGR(8)
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when log-
- ging sub-second delay values.
+ ging delay values.
helpful_warnings (yes)
Log warnings about problematic configuration settings, and pro-
diff --git a/postfix/html/virtual.8.html b/postfix/html/virtual.8.html
index 880018fcb..b72652aaa 100644
--- a/postfix/html/virtual.8.html
+++ b/postfix/html/virtual.8.html
@@ -233,7 +233,7 @@ VIRTUAL(8) VIRTUAL(8)
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when log-
- ging sub-second delay values.
+ ging delay values.
ipc_timeout (3600s)
The time limit for sending or receiving information over an
diff --git a/postfix/man/man1/postfix-tls.1 b/postfix/man/man1/postfix-tls.1
index 4e8cb9279..2a6025c6a 100644
--- a/postfix/man/man1/postfix-tls.1
+++ b/postfix/man/man1/postfix-tls.1
@@ -185,7 +185,7 @@ configuration files.
The location of the OpenSSL command line program \fBopenssl\fR(1).
.IP "\fBsmtp_tls_loglevel (0)\fR"
Enable additional Postfix SMTP client logging of TLS activity.
-.IP "\fBsmtp_tls_security_level (empty)\fR"
+.IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
The default SMTP TLS security level for the Postfix SMTP client.
.IP "\fBsmtp_tls_session_cache_database (empty)\fR"
Name of the file containing the optional Postfix SMTP client
diff --git a/postfix/man/man1/postmulti.1 b/postfix/man/man1/postmulti.1
index 6db035ea1..96c597e94 100644
--- a/postfix/man/man1/postmulti.1
+++ b/postfix/man/man1/postmulti.1
@@ -95,6 +95,10 @@ command is performed just for the primary instance.
.PP
Iterator mode implements the following command options:
.SH "Instance selection"
+.na
+.nf
+.ad
+.fi
.IP \fB\-a\fR
Perform the operation on all instances. This is the default.
.IP "\fB\-g \fIgroup\fR"
@@ -111,10 +115,18 @@ are started before "source" instances.
.sp
This option cannot be used with \fB\-p\fR.
.SH "List mode"
+.na
+.nf
+.ad
+.fi
.IP \fB\-l\fR
List Postfix instances with their instance name, instance
group name, enable/disable status and configuration directory.
-.SH "Postfix\-wrapper mode"
+.SH "Postfix-wrapper mode"
+.na
+.nf
+.ad
+.fi
.IP "\fB\-p \fIpostfix\-command\fR"
Invoke \fBpostfix(1)\fR to execute \fIpostfix\-command\fR.
This option implements the \fBpostfix\-wrapper\fR(5) interface.
@@ -146,6 +158,10 @@ invoke \fBpostmulti\fR(1) as follows:
# postmulti \-g msa \-p start
.RE
.SH "Command mode"
+.na
+.nf
+.ad
+.fi
.IP "\fB\-x \fIunix\-command\fR"
Execute the specified \fIunix\-command\fR for all Postfix instances.
The command runs with appropriate environment settings for
@@ -154,6 +170,10 @@ config_directory, queue_directory, data_directory,
multi_instance_name, multi_instance_group and
multi_instance_enable.
.SH "Other options"
+.na
+.nf
+.ad
+.fi
.IP \fB\-v\fR
Enable verbose logging for debugging purposes. Multiple
\fB\-v\fR options make the software increasingly verbose.
@@ -168,6 +188,10 @@ multi\-instance status of an existing instance.
.PP
The following options are implemented:
.SH "Existing instance selection"
+.na
+.nf
+.ad
+.fi
.IP \fB\-a\fR
When creating or importing an instance, place the new
instance at the front of the secondary instance list.
@@ -183,6 +207,10 @@ With other life\-cycle operations, apply the operation to
the named existing instance. Specify "\-" to select the
primary Postfix instance.
.SH "New or existing instance name assignment"
+.na
+.nf
+.ad
+.fi
.IP "\fB\-I \fIname\fR"
Assign the specified instance \fIname\fR to an existing
instance, newly\-created instance, or imported instance.
@@ -194,6 +222,10 @@ likelihood of name collisions with system files.
Assign the specified \fIgroup\fR name to an existing instance
or to a newly created or imported instance.
.SH "Instance creation/deletion/status change"
+.na
+.nf
+.ad
+.fi
.IP "\fB\-e \fIaction\fR"
"Edit" managed instances. The following actions are supported:
.RS
@@ -315,6 +347,10 @@ the instance will not be started etc. with "postfix start",
"postmulti \-p start" and so on. The instance can still be
started etc. with "postfix \-c config\-directory start".
.SH "Other options"
+.na
+.nf
+.ad
+.fi
.IP \fB\-v\fR
Enable verbose logging for debugging purposes. Multiple
\fB\-v\fR options make the software increasingly verbose.
diff --git a/postfix/man/man8/discard.8 b/postfix/man/man8/discard.8
index 782389149..6f01d86a6 100644
--- a/postfix/man/man8/discard.8
+++ b/postfix/man/man8/discard.8
@@ -67,7 +67,7 @@ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built\-in watchdog timer.
.IP "\fBdelay_logging_resolution_limit (2)\fR"
The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
.IP "\fBdouble_bounce_sender (double\-bounce)\fR"
The sender address of postmaster notifications that are generated
by the mail system.
diff --git a/postfix/man/man8/error.8 b/postfix/man/man8/error.8
index f0dae3be9..08c9e158e 100644
--- a/postfix/man/man8/error.8
+++ b/postfix/man/man8/error.8
@@ -75,7 +75,7 @@ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built\-in watchdog timer.
.IP "\fBdelay_logging_resolution_limit (2)\fR"
The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
.IP "\fBdouble_bounce_sender (double\-bounce)\fR"
The sender address of postmaster notifications that are generated
by the mail system.
diff --git a/postfix/man/man8/oqmgr.8 b/postfix/man/man8/oqmgr.8
index 61b4299ab..6ea0cede1 100644
--- a/postfix/man/man8/oqmgr.8
+++ b/postfix/man/man8/oqmgr.8
@@ -347,7 +347,7 @@ The names of message delivery transports that should not deliver mail
unless someone issues "\fBsendmail \-q\fR" or equivalent.
.IP "\fBdelay_logging_resolution_limit (2)\fR"
The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
.IP "\fBhelpful_warnings (yes)\fR"
Log warnings about problematic configuration settings, and provide
helpful suggestions.
diff --git a/postfix/man/man8/qmgr.8 b/postfix/man/man8/qmgr.8
index ca1fd4c79..6be3f8bb1 100644
--- a/postfix/man/man8/qmgr.8
+++ b/postfix/man/man8/qmgr.8
@@ -411,7 +411,7 @@ The names of message delivery transports that should not deliver mail
unless someone issues "\fBsendmail \-q\fR" or equivalent.
.IP "\fBdelay_logging_resolution_limit (2)\fR"
The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
.IP "\fBhelpful_warnings (yes)\fR"
Log warnings about problematic configuration settings, and provide
helpful suggestions.
diff --git a/postfix/man/man8/virtual.8 b/postfix/man/man8/virtual.8
index 746fc0df2..68e2382c4 100644
--- a/postfix/man/man8/virtual.8
+++ b/postfix/man/man8/virtual.8
@@ -263,7 +263,7 @@ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built\-in watchdog timer.
.IP "\fBdelay_logging_resolution_limit (2)\fR"
The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
.IP "\fBipc_timeout (3600s)\fR"
The time limit for sending or receiving information over an internal
communication channel.
diff --git a/postfix/mantools/srctoman b/postfix/mantools/srctoman
index e48f379cd..3959be583 100755
--- a/postfix/mantools/srctoman
+++ b/postfix/mantools/srctoman
@@ -92,7 +92,7 @@ do
/^HISTORY/s//.SH &\
.ad\
.fi/
- /^[A-Z][A-Z][A-Z][^a-z]*$/s//.SH "&"\
+ /^[A-Z][A-Za-z][A-Za-z].*$/s//.SH "&"\
.na\
.nf/
p
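Review bot: The relaxed heading pattern `/^[A-Z][A-Za-z][A-Za-z].*$/` matches any line that starts with a capital letter followed by two letters, so unless an earlier part of this sed program (outside the hunk) already restricts the substitution to heading lines, an ordinary sentence beginning with a word such as "The" would also be rewritten into an `.SH` heading. The previous pattern accepted only all-caps text, so this is a genuine widening even though the HISTORY entry reports no visible change in the generated manpages. A one-line comment stating the invariant the pattern relies on, e.g. `# only unindented heading lines reach this pattern` (assuming that is what the earlier script lines guarantee), would make the dependency explicit; the trailing `.*$` is redundant and can be dropped. The enclosing sed program starts and ends outside the hunk.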
diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history
index 45bfd7fb7..4b800e3ab 100644
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@@ -189,3 +189,7 @@ proto proto COMPATIBILITY_README html
long long which just like time_t is a 64 bit type on many
File tls tls h
dual purpose field File tls tls h
+ conf postfix tls script discard discard c error error c
+ oqmgr qmgr c postmulti postmulti c qmgr qmgr c
+ src global config_known_tcp_ports c postmulti postmulti c
+ virtual virtual c
diff --git a/postfix/src/discard/discard.c b/postfix/src/discard/discard.c
index 331f96fbd..f21b95cbc 100644
--- a/postfix/src/discard/discard.c
+++ b/postfix/src/discard/discard.c
@@ -53,7 +53,7 @@
/* request before it is terminated by a built-in watchdog timer.
/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
/* The maximal number of digits after the decimal point when logging
-/* sub-second delay values.
+/* delay values.
/* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
/* The sender address of postmaster notifications that are generated
/* by the mail system.
diff --git a/postfix/src/error/error.c b/postfix/src/error/error.c
index 61e805b0d..e1ff1cb7c 100644
--- a/postfix/src/error/error.c
+++ b/postfix/src/error/error.c
@@ -61,7 +61,7 @@
/* request before it is terminated by a built-in watchdog timer.
/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
/* The maximal number of digits after the decimal point when logging
-/* sub-second delay values.
+/* delay values.
/* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
/* The sender address of postmaster notifications that are generated
/* by the mail system.
diff --git a/postfix/src/global/config_known_tcp_ports.c b/postfix/src/global/config_known_tcp_ports.c
index 563bbd356..db61f4aae 100644
--- a/postfix/src/global/config_known_tcp_ports.c
+++ b/postfix/src/global/config_known_tcp_ports.c
@@ -14,10 +14,10 @@
/* in the settings argument, and reports any warnings to the standard
/* error stream. The source argument is used to provide warning
/* context. It typically is a configuration parameter name.
-/* .SH EXPECTED SYNTAX (ABNF)
+/* EXPECTED SYNTAX (ABNF)
/* configuration = empty | name-to-port *("," name-to-port)
/* name-to-port = 1*(name "=") port
-/* SH EXAMPLES
+/* EXAMPLES
/* In the example below, the whitespace is optional.
/* smtp = 25, smtps = submissions = 465, submission = 587
/* LICENSE
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 8ef93f86d..56b86a414 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20250729"
+#define MAIL_RELEASE_DATE "20250730"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
diff --git a/postfix/src/oqmgr/qmgr.c b/postfix/src/oqmgr/qmgr.c
index 02573f161..11859a871 100644
--- a/postfix/src/oqmgr/qmgr.c
+++ b/postfix/src/oqmgr/qmgr.c
@@ -309,7 +309,7 @@
/* unless someone issues "\fBsendmail -q\fR" or equivalent.
/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
/* The maximal number of digits after the decimal point when logging
-/* sub-second delay values.
+/* delay values.
/* .IP "\fBhelpful_warnings (yes)\fR"
/* Log warnings about problematic configuration settings, and provide
/* helpful suggestions.
diff --git a/postfix/src/postmulti/postmulti.c b/postfix/src/postmulti/postmulti.c
index 5adcd272c..ccb85afa8 100644
--- a/postfix/src/postmulti/postmulti.c
+++ b/postfix/src/postmulti/postmulti.c
@@ -84,7 +84,9 @@
/* command is performed just for the primary instance.
/* .PP
/* Iterator mode implements the following command options:
-/* .SH "Instance selection"
+/* Instance selection
+/* .ad
+/* .fi
/* .IP \fB-a\fR
/* Perform the operation on all instances. This is the default.
/* .IP "\fB-g \fIgroup\fR"
@@ -100,11 +102,15 @@
/* are started before "source" instances.
/* .sp
/* This option cannot be used with \fB-p\fR.
-/* .SH "List mode"
+/* List mode
+/* .ad
+/* .fi
/* .IP \fB-l\fR
/* List Postfix instances with their instance name, instance
/* group name, enable/disable status and configuration directory.
-/* .SH "Postfix-wrapper mode"
+/* Postfix-wrapper mode
+/* .ad
+/* .fi
/* .IP "\fB-p \fIpostfix-command\fR"
/* Invoke \fBpostfix(1)\fR to execute \fIpostfix-command\fR.
/* This option implements the \fBpostfix-wrapper\fR(5) interface.
@@ -135,7 +141,9 @@
/* .IP
/* # postmulti -g msa -p start
/* .RE
-/* .SH "Command mode"
+/* Command mode
+/* .ad
+/* .fi
/* .IP "\fB-x \fIunix-command\fR"
/* Execute the specified \fIunix-command\fR for all Postfix instances.
/* The command runs with appropriate environment settings for
@@ -143,7 +151,9 @@
/* config_directory, queue_directory, data_directory,
/* multi_instance_name, multi_instance_group and
/* multi_instance_enable.
-/* .SH "Other options"
+/* Other options
+/* .ad
+/* .fi
/* .IP \fB-v\fR
/* Enable verbose logging for debugging purposes. Multiple
/* \fB-v\fR options make the software increasingly verbose.
@@ -155,7 +165,9 @@
/* multi-instance status of an existing instance.
/* .PP
/* The following options are implemented:
-/* .SH "Existing instance selection"
+/* Existing instance selection
+/* .ad
+/* .fi
/* .IP \fB-a\fR
/* When creating or importing an instance, place the new
/* instance at the front of the secondary instance list.
@@ -170,7 +182,9 @@
/* With other life-cycle operations, apply the operation to
/* the named existing instance. Specify "-" to select the
/* primary Postfix instance.
-/* .SH "New or existing instance name assignment"
+/* New or existing instance name assignment
+/* .ad
+/* .fi
/* .IP "\fB-I \fIname\fR"
/* Assign the specified instance \fIname\fR to an existing
/* instance, newly-created instance, or imported instance.
@@ -181,7 +195,9 @@
/* .IP "\fB-G \fIgroup\fR"
/* Assign the specified \fIgroup\fR name to an existing instance
/* or to a newly created or imported instance.
-/* .SH "Instance creation/deletion/status change"
+/* Instance creation/deletion/status change
+/* .ad
+/* .fi
/* .IP "\fB-e \fIaction\fR"
/* "Edit" managed instances. The following actions are supported:
/* .RS
@@ -302,7 +318,9 @@
/* the instance will not be started etc. with "postfix start",
/* "postmulti -p start" and so on. The instance can still be
/* started etc. with "postfix -c config-directory start".
-/* .SH "Other options"
+/* Other options
+/* .ad
+/* .fi
/* .IP \fB-v\fR
/* Enable verbose logging for debugging purposes. Multiple
/* \fB-v\fR options make the software increasingly verbose.
diff --git a/postfix/src/qmgr/qmgr.c b/postfix/src/qmgr/qmgr.c
index 25168e482..d3048d1c7 100644
--- a/postfix/src/qmgr/qmgr.c
+++ b/postfix/src/qmgr/qmgr.c
@@ -371,7 +371,7 @@
/* unless someone issues "\fBsendmail -q\fR" or equivalent.
/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
/* The maximal number of digits after the decimal point when logging
-/* sub-second delay values.
+/* delay values.
/* .IP "\fBhelpful_warnings (yes)\fR"
/* Log warnings about problematic configuration settings, and provide
/* helpful suggestions.
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index babdbf40b..02db1d56f 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -319,6 +319,7 @@ static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert,
const TLS_CLIENT_START_PROPS *props)
{
+ int x509_err = SSL_get_verify_result(TLScontext->con);
/*
* On exit both peer_CN and issuer_CN should be set.
@@ -330,7 +331,7 @@ static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert,
* Is the certificate trust chain trusted and matched? Any required name
* checks are now performed internally in OpenSSL.
*/
- if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) {
+ if (x509_err == X509_V_OK) {
TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
if (TLScontext->must_fail) {
msg_panic("%s: cert valid despite trust init failure",
@@ -363,8 +364,7 @@ static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert,
}
}
} else if (TLS_MUST_MATCH(TLScontext->level) &&
- TLScontext->errordepth == 0 &&
- TLScontext->errorcode == X509_V_ERR_HOSTNAME_MISMATCH) {
+ x509_err == X509_V_ERR_HOSTNAME_MISMATCH) {
/*
* If the only error is a hostname mismatch, the certificate must have
* been trusted.
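Review bot: The `else if` now keys on the session-level `SSL_get_verify_result()` value instead of the callback-recorded `errordepth`/`errorcode`, but nothing in the code says why; the only explanation is the HISTORY entry in this commit about resumed sessions being logged as untrusted, and a reader could take the dropped `errordepth == 0` check for an accident. Suggest extending the comment at this branch with the rationale: `/* Use the session verify result, not errordepth/errorcode: the verify callback does not run for a resumed session, and update_error_state() keeps the stored result equal to the highest-priority error, so HOSTNAME_MISMATCH here implies the chain itself was trusted. */`, where the resumed-session part is inferred from the HISTORY text rather than from these lines. verify_x509() begins in the first hunk of this file and ends past the last one.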
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index d4cbe2bb9..6cc38cc40 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -4,9 +4,7 @@
/* SUMMARY
/* miscellaneous TLS support routines
/* SYNOPSIS
-/* .SH Public functions
-/* .nf
-/* .na
+/* Public functions
/* #include
/*
/* void tls_log_summary(role, usage, TLScontext)
@@ -23,9 +21,7 @@
/* void tls_pre_jail_init(TLS_ROLE)
/* TLS_ROLE role;
/*
-/* .SH Internal functions
-/* .nf
-/* .na
+/* Internal functions
/* #define TLS_INTERNAL
/* #include
/*
diff --git a/postfix/src/tls/tls_verify.c b/postfix/src/tls/tls_verify.c
index deb3ae8d3..9c7191c45 100644
--- a/postfix/src/tls/tls_verify.c
+++ b/postfix/src/tls/tls_verify.c
@@ -120,9 +120,10 @@
/* update_error_state - safely stash away error state */
-static void update_error_state(TLS_SESS_STATE *TLScontext, int depth,
- X509 *errorcert, int errorcode)
+static void update_error_state(X509_STORE_CTX *ctx, TLS_SESS_STATE *TLScontext,
+ int depth, X509 *errorcert, int errorcode)
{
+
/*
* Report the error that is closest to the leaf certificate, any errors
* higher up the chain are immaterial until the "inner" errors are fixed.
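Review bot: The header comment `/* update_error_state - safely stash away error state */` no longer describes the function: with the new `ctx` parameter it also writes the previously recorded error back into the X509_STORE_CTX via `X509_STORE_CTX_set_error(ctx, TLScontext->errorcode)` in the next hunk, which is what keeps `SSL_get_verify_result()` consistent with `TLScontext->errorcode` for callers such as verify_x509(). Suggest `/* update_error_state - stash error state, keep X509_STORE_CTX error in sync */` here, and a why-comment above the set_error call in the second hunk, e.g. `/* Restore the higher-priority error already recorded, so the verify result stored with the session reflects it. */` (the session-storage motivation is inferred from the HISTORY entry, so word it as such if unsure). The blank line added directly after the opening brace is unusual for this file and can be dropped. The function body continues past the hunk.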
@@ -132,11 +133,12 @@ static void update_error_state(TLS_SESS_STATE *TLScontext, int depth,
* with a hostname mismatch. Any other error has a higher priority.
*/
if (TLScontext->errordepth >= 0) {
- if (TLScontext->errordepth <= depth &&
- TLScontext->errorcode != X509_V_ERR_HOSTNAME_MISMATCH)
- return;
- if (errorcode == X509_V_ERR_HOSTNAME_MISMATCH)
+ if ((TLScontext->errordepth <= depth &&
+ TLScontext->errorcode != X509_V_ERR_HOSTNAME_MISMATCH) ||
+ errorcode == X509_V_ERR_HOSTNAME_MISMATCH) {
+ X509_STORE_CTX_set_error(ctx, TLScontext->errorcode);
return;
+ }
}
/*
@@ -191,12 +193,12 @@ int tls_verify_certificate_callback(int ok, X509_STORE_CTX *ctx)
if (TLScontext->must_fail) {
if (depth == 0) {
X509_STORE_CTX_set_error(ctx, err = X509_V_ERR_UNSPECIFIED);
- update_error_state(TLScontext, depth, cert, err);
+ update_error_state(ctx, TLScontext, depth, cert, err);
}
return (1);
}
if (ok == 0)
- update_error_state(TLScontext, depth, cert, err);
+ update_error_state(ctx, TLScontext, depth, cert, err);
if (TLScontext->log_mask & TLS_LOG_VERBOSE) {
if (cert) {
diff --git a/postfix/src/virtual/virtual.c b/postfix/src/virtual/virtual.c
index 6fa9f1e67..ed8025352 100644
--- a/postfix/src/virtual/virtual.c
+++ b/postfix/src/virtual/virtual.c
@@ -227,7 +227,7 @@
/* request before it is terminated by a built-in watchdog timer.
/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
/* The maximal number of digits after the decimal point when logging
-/* sub-second delay values.
+/* delay values.
/* .IP "\fBipc_timeout (3600s)\fR"
/* The time limit for sending or receiving information over an internal
/* communication channel.