postfix-3.11-20250730

2025-08-22 09:57:34 +00:00 · 2025-07-30 00:00:00 -05:00 · 2025-07-30 00:00:00 -05:00 · 9756d67d1a
commit 9756d67d1a
parent 1aa75d39fc
28 changed files with 128 additions and 49 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -29488,3 +29488,26 @@ Apologies for any names omitted.
 	Postfix that would need to be converted to int64_t, or to
 	long long which just like time_t is a 64-bit type on many
 	ILP32 and LP64 systems.
 20250730
 	Bugfix (defect introduced: Postfix 3.6, date 20200710):
 	Postfix TLS client code logged "Untrusted TLS connection"
 	(wrong) instead of "Trusted TLS connection" (right) for a
 	resumed TLS session, when a server offered a trusted (valid
 	PKI trust chain) certificate that did not match the expected
 	server name pattern. Viktor Dukhovni. Files: tls/tls_client.c,
 	tls/tls_verify.c.
 	Cleanup: make the manpage extraction tooling smarter about
 	section headings, and remove the now unnecessary explicit
 	".SH" formatting requests. This produces zero visible change
 	in formatted Postfix manpages. Files: mantools/srctoman,
 	src/global/config_known_tcp_ports.c, postmulti/postmulti.c,
 	tls/tls_misc.c.
 	Regenerate all manpages, causing parameter summaries to be
 	updated with new descriptions from postconf(5). Files:
 	conf/postfix-tls-script, discard/discard.c, error/error.c,
 	oqmgr/qmgr.c, postmulti/postmulti.c, qmgr/qmgr.c,
 	virtual/virtual.c.
--- a/postfix/conf/postfix-tls-script
+++ b/postfix/conf/postfix-tls-script
@ -177,7 +177,7 @@
 #	The location of the OpenSSL command line program \fBopenssl\fR(1).
 # .IP "\fBsmtp_tls_loglevel (0)\fR"
 #	Enable additional Postfix SMTP client logging of TLS activity.
-# .IP "\fBsmtp_tls_security_level (empty)\fR"
+# .IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
 #	The default SMTP TLS security level for the Postfix SMTP client.
 # .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
 #	Name of the file containing the optional Postfix SMTP client
--- a/postfix/html/discard.8.html
+++ b/postfix/html/discard.8.html
@ -60,7 +60,7 @@ DISCARD(8)                                                          DISCARD(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The maximal number of digits after the decimal point  when  log-
-              ging sub-second delay values.
+              ging delay values.
       <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
              The  sender  address of postmaster notifications that are gener-
--- a/postfix/html/error.8.html
+++ b/postfix/html/error.8.html
@ -70,7 +70,7 @@ ERROR(8)                                                              ERROR(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
       <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
              The sender address of postmaster notifications that  are  gener-
--- a/postfix/html/oqmgr.8.html
+++ b/postfix/html/oqmgr.8.html
@ -348,7 +348,7 @@ OQMGR(8)                                                              OQMGR(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
       <b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
              Log warnings about problematic configuration settings, and  pro-
--- a/postfix/html/postfix-tls.1.html
+++ b/postfix/html/postfix-tls.1.html
@ -182,7 +182,7 @@ POSTFIX-TLS(1)                                                  POSTFIX-TLS(1)
       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP client logging of TLS activity.
-       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
+       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (Postfix</b> &gt;<b>= 3.11: may; Postfix</b> &lt; <b>3.11: empty)</b>
              The default SMTP TLS security level for the Postfix SMTP client.
       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
--- a/postfix/html/qmgr.8.html
+++ b/postfix/html/qmgr.8.html
@ -426,7 +426,7 @@ QMGR(8)                                                                QMGR(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
       <b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
              Log warnings about problematic configuration settings, and  pro-
--- a/postfix/html/virtual.8.html
+++ b/postfix/html/virtual.8.html
@ -233,7 +233,7 @@ VIRTUAL(8)                                                          VIRTUAL(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
              The time limit for sending  or  receiving  information  over  an
--- a/postfix/man/man1/postfix-tls.1
+++ b/postfix/man/man1/postfix-tls.1
@ -185,7 +185,7 @@ configuration files.
 The location of the OpenSSL command line program \fBopenssl\fR(1).
 .IP "\fBsmtp_tls_loglevel (0)\fR"
 Enable additional Postfix SMTP client logging of TLS activity.
-.IP "\fBsmtp_tls_security_level (empty)\fR"
+.IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
 The default SMTP TLS security level for the Postfix SMTP client.
 .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
 Name of the file containing the optional Postfix SMTP client
--- a/postfix/man/man1/postmulti.1
+++ b/postfix/man/man1/postmulti.1
@ -95,6 +95,10 @@ command is performed just for the primary instance.
 .PP
 Iterator mode implements the following command options:
 .SH "Instance selection"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-a\fR
 Perform the operation on all instances. This is the default.
 .IP "\fB\-g \fIgroup\fR"
@ -111,10 +115,18 @@ are started before "source" instances.
 .sp
 This option cannot be used with \fB\-p\fR.
 .SH "List mode"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-l\fR
 List Postfix instances with their instance name, instance
 group name, enable/disable status and configuration directory.
-.SH "Postfix\-wrapper mode"
+.SH "Postfix-wrapper mode"
 .na
 .nf
 .ad
 .fi
 .IP "\fB\-p \fIpostfix\-command\fR"
 Invoke \fBpostfix(1)\fR to execute \fIpostfix\-command\fR.
 This option implements the \fBpostfix\-wrapper\fR(5) interface.
@ -146,6 +158,10 @@ invoke \fBpostmulti\fR(1) as follows:
 # postmulti \-g msa \-p start
 .RE
 .SH "Command mode"
 .na
 .nf
 .ad
 .fi
 .IP "\fB\-x \fIunix\-command\fR"
 Execute the specified \fIunix\-command\fR for all Postfix instances.
 The command runs with appropriate environment settings for
@ -154,6 +170,10 @@ config_directory, queue_directory, data_directory,
 multi_instance_name, multi_instance_group and
 multi_instance_enable.
 .SH "Other options"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-v\fR
 Enable verbose logging for debugging purposes. Multiple
 \fB\-v\fR options make the software increasingly verbose.
@ -168,6 +188,10 @@ multi\-instance status of an existing instance.
 .PP
 The following options are implemented:
 .SH "Existing instance selection"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-a\fR
 When creating or importing an instance, place the new
 instance at the front of the secondary instance list.
@ -183,6 +207,10 @@ With other life\-cycle operations, apply the operation to
 the named existing instance.  Specify "\-" to select the
 primary Postfix instance.
 .SH "New or existing instance name assignment"
 .na
 .nf
 .ad
 .fi
 .IP "\fB\-I \fIname\fR"
 Assign the specified instance \fIname\fR to an existing
 instance, newly\-created instance, or imported instance.
@ -194,6 +222,10 @@ likelihood of name collisions with system files.
 Assign the specified \fIgroup\fR name to an existing instance
 or to a newly created or imported instance.
 .SH "Instance creation/deletion/status change"
 .na
 .nf
 .ad
 .fi
 .IP "\fB\-e \fIaction\fR"
 "Edit" managed instances. The following actions are supported:
 .RS
@ -315,6 +347,10 @@ the instance will not be started etc. with "postfix start",
 "postmulti \-p start" and so on. The instance can still be
 started etc. with "postfix \-c config\-directory start".
 .SH "Other options"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-v\fR
 Enable verbose logging for debugging purposes. Multiple
 \fB\-v\fR options make the software increasingly verbose.
--- a/postfix/man/man8/discard.8
+++ b/postfix/man/man8/discard.8
@ -67,7 +67,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBdouble_bounce_sender (double\-bounce)\fR"
 The sender address of postmaster notifications that are generated
 by the mail system.
--- a/postfix/man/man8/error.8
+++ b/postfix/man/man8/error.8
@ -75,7 +75,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBdouble_bounce_sender (double\-bounce)\fR"
 The sender address of postmaster notifications that are generated
 by the mail system.
--- a/postfix/man/man8/oqmgr.8
+++ b/postfix/man/man8/oqmgr.8
@ -347,7 +347,7 @@ The names of message delivery transports that should not deliver mail
 unless someone issues "\fBsendmail \-q\fR" or equivalent.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBhelpful_warnings (yes)\fR"
 Log warnings about problematic configuration settings, and provide
 helpful suggestions.
--- a/postfix/man/man8/qmgr.8
+++ b/postfix/man/man8/qmgr.8
@ -411,7 +411,7 @@ The names of message delivery transports that should not deliver mail
 unless someone issues "\fBsendmail \-q\fR" or equivalent.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBhelpful_warnings (yes)\fR"
 Log warnings about problematic configuration settings, and provide
 helpful suggestions.
--- a/postfix/man/man8/virtual.8
+++ b/postfix/man/man8/virtual.8
@ -263,7 +263,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBipc_timeout (3600s)\fR"
 The time limit for sending or receiving information over an internal
 communication channel.
--- a/postfix/mantools/srctoman
+++ b/postfix/mantools/srctoman
@ -92,7 +92,7 @@ do
 	/^HISTORY/s//.SH &\
 .ad\
 .fi/
-	/^[A-Z][A-Z][A-Z][^a-z]*$/s//.SH "&"\
+	/^[A-Z][A-Za-z][A-Za-z].*$/s//.SH "&"\
 .na\
 .nf/
 	p
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@ -189,3 +189,7 @@ proto  proto COMPATIBILITY_README html
 long long which just like time_t is a 64 bit type on many
 File tls tls h
 dual purpose field File tls tls h 
 conf postfix tls script discard discard c error error c 
 oqmgr qmgr c postmulti postmulti c qmgr qmgr c 
 src global config_known_tcp_ports c postmulti postmulti c 
 virtual virtual c 
--- a/postfix/src/discard/discard.c
+++ b/postfix/src/discard/discard.c
@ -53,7 +53,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
 /*	The sender address of postmaster notifications that are generated
 /*	by the mail system.
--- a/postfix/src/error/error.c
+++ b/postfix/src/error/error.c
@ -61,7 +61,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
 /*	The sender address of postmaster notifications that are generated
 /*	by the mail system.
--- a/postfix/src/global/config_known_tcp_ports.c
+++ b/postfix/src/global/config_known_tcp_ports.c
@ -14,10 +14,10 @@
 /*	in the settings argument, and reports any warnings to the standard
 /*	error stream. The source argument is used to provide warning
 /*	context. It typically is a configuration parameter name.
-/* .SH EXPECTED SYNTAX (ABNF)
+/* EXPECTED SYNTAX (ABNF)
 /*	configuration = empty | name-to-port *("," name-to-port)
 /*	name-to-port = 1*(name "=") port
-/* SH EXAMPLES
+/* EXAMPLES
 /*	In the example below, the whitespace is optional.
 /*	smtp = 25, smtps = submissions = 465, submission = 587
 /* LICENSE
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20250729"
+#define MAIL_RELEASE_DATE	"20250730"
 #define MAIL_VERSION_NUMBER	"3.11"
 #ifdef SNAPSHOT
--- a/postfix/src/oqmgr/qmgr.c
+++ b/postfix/src/oqmgr/qmgr.c
@ -309,7 +309,7 @@
 /*	unless someone issues "\fBsendmail -q\fR" or equivalent.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBhelpful_warnings (yes)\fR"
 /*	Log warnings about problematic configuration settings, and provide
 /*	helpful suggestions.
--- a/postfix/src/postmulti/postmulti.c
+++ b/postfix/src/postmulti/postmulti.c
@ -84,7 +84,9 @@
 /*	command is performed just for the primary instance.
 /* .PP
 /*	Iterator mode implements the following command options:
-/* .SH "Instance selection"
+/* Instance selection
 /* .ad
 /* .fi
 /* .IP \fB-a\fR
 /*	Perform the operation on all instances. This is the default.
 /* .IP "\fB-g \fIgroup\fR"
@ -100,11 +102,15 @@
 /*	are started before "source" instances.
 /* .sp
 /*	This option cannot be used with \fB-p\fR.
-/* .SH "List mode"
+/* List mode
 /* .ad
 /* .fi
 /* .IP \fB-l\fR
 /*	List Postfix instances with their instance name, instance
 /*	group name, enable/disable status and configuration directory.
-/* .SH "Postfix-wrapper mode"
+/* Postfix-wrapper mode
 /* .ad
 /* .fi
 /* .IP "\fB-p \fIpostfix-command\fR"
 /*	Invoke \fBpostfix(1)\fR to execute \fIpostfix-command\fR.
 /*	This option implements the \fBpostfix-wrapper\fR(5) interface.
@ -135,7 +141,9 @@
 /* .IP
 /*	# postmulti -g msa -p start
 /* .RE
-/* .SH "Command mode"
+/* Command mode
 /* .ad
 /* .fi
 /* .IP "\fB-x \fIunix-command\fR"
 /*	Execute the specified \fIunix-command\fR for all Postfix instances.
 /*	The command runs with appropriate environment settings for
@ -143,7 +151,9 @@
 /*	config_directory, queue_directory, data_directory,
 /*	multi_instance_name, multi_instance_group and
 /*	multi_instance_enable.
-/* .SH "Other options"
+/* Other options
 /* .ad
 /* .fi
 /* .IP \fB-v\fR
 /*	Enable verbose logging for debugging purposes. Multiple
 /*	\fB-v\fR options make the software increasingly verbose.
@ -155,7 +165,9 @@
 /*	multi-instance status of an existing instance.
 /* .PP
 /*	The following options are implemented:
-/* .SH "Existing instance selection"
+/* Existing instance selection
 /* .ad
 /* .fi
 /* .IP \fB-a\fR
 /*	When creating or importing an instance, place the new
 /*	instance at the front of the secondary instance list.
@ -170,7 +182,9 @@
 /*	With other life-cycle operations, apply the operation to
 /*	the named existing instance.  Specify "-" to select the
 /*	primary Postfix instance.
-/* .SH "New or existing instance name assignment"
+/* New or existing instance name assignment
 /* .ad
 /* .fi
 /* .IP "\fB-I \fIname\fR"
 /*	Assign the specified instance \fIname\fR to an existing
 /*	instance, newly-created instance, or imported instance.
@ -181,7 +195,9 @@
 /* .IP "\fB-G \fIgroup\fR"
 /*	Assign the specified \fIgroup\fR name to an existing instance
 /*	or to a newly created or imported instance.
-/* .SH "Instance creation/deletion/status change"
+/* Instance creation/deletion/status change
 /* .ad
 /* .fi
 /* .IP "\fB-e \fIaction\fR"
 /*	"Edit" managed instances. The following actions are supported:
 /* .RS
@ -302,7 +318,9 @@
 /*	the instance will not be started etc. with "postfix start",
 /*	"postmulti -p start" and so on. The instance can still be
 /*	started etc. with "postfix -c config-directory start".
-/* .SH "Other options"
+/* Other options
 /* .ad
 /* .fi
 /* .IP \fB-v\fR
 /*	Enable verbose logging for debugging purposes. Multiple
 /*	\fB-v\fR options make the software increasingly verbose.
--- a/postfix/src/qmgr/qmgr.c
+++ b/postfix/src/qmgr/qmgr.c
@ -371,7 +371,7 @@
 /*	unless someone issues "\fBsendmail -q\fR" or equivalent.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBhelpful_warnings (yes)\fR"
 /*	Log warnings about problematic configuration settings, and provide
 /*	helpful suggestions.
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@ -319,6 +319,7 @@ static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
 static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert,
 			        const TLS_CLIENT_START_PROPS *props)
 {
    int     x509_err = SSL_get_verify_result(TLScontext->con);
    /*
     * On exit both peer_CN and issuer_CN should be set.
@ -330,7 +331,7 @@ static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert,
     * Is the certificate trust chain trusted and matched?  Any required name
     * checks are now performed internally in OpenSSL.
     */
-    if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) {
+    if (x509_err == X509_V_OK) {
 	TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
 	if (TLScontext->must_fail) {
 	    msg_panic("%s: cert valid despite trust init failure",
@ -363,8 +364,7 @@ static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert,
 	    }
 	}
    } else if (TLS_MUST_MATCH(TLScontext->level) &&
-	       TLScontext->errordepth == 0 &&
+	       x509_err == X509_V_ERR_HOSTNAME_MISMATCH) {
 	       TLScontext->errorcode == X509_V_ERR_HOSTNAME_MISMATCH) {
 	/*
 	 * If the only error is a hostname mismatch, the certificate must have
 	 * been trusted.
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@ -4,9 +4,7 @@
 /* SUMMARY
 /*	miscellaneous TLS support routines
 /* SYNOPSIS
-/* .SH Public functions
+/* Public functions
 /* .nf
 /* .na
 /*	#include <tls.h>
 /*
 /*	void tls_log_summary(role, usage, TLScontext)
@ -23,9 +21,7 @@
 /*	void	tls_pre_jail_init(TLS_ROLE)
 /*	TLS_ROLE role;
 /*
-/* .SH Internal functions
+/* Internal functions
 /* .nf
 /* .na
 /*	#define TLS_INTERNAL
 /*	#include <tls.h>
 /*
--- a/postfix/src/tls/tls_verify.c
+++ b/postfix/src/tls/tls_verify.c
@ -120,9 +120,10 @@
 /* update_error_state - safely stash away error state */
-static void update_error_state(TLS_SESS_STATE *TLScontext, int depth,
+static void update_error_state(X509_STORE_CTX *ctx, TLS_SESS_STATE *TLScontext,
-			               X509 *errorcert, int errorcode)
+			          int depth, X509 *errorcert, int errorcode)
 {
    /*
     * Report the error that is closest to the leaf certificate, any errors
     * higher up the chain are immaterial until the "inner" errors are fixed.
@ -132,12 +133,13 @@ static void update_error_state(TLS_SESS_STATE *TLScontext, int depth,
     * with a hostname mismatch.  Any other error has a higher priority.
     */
    if (TLScontext->errordepth >= 0) {
-	if (TLScontext->errordepth <= depth &&
+	if ((TLScontext->errordepth <= depth &&
-	    TLScontext->errorcode != X509_V_ERR_HOSTNAME_MISMATCH)
+	     TLScontext->errorcode != X509_V_ERR_HOSTNAME_MISMATCH) ||
-	    return;
+	    errorcode == X509_V_ERR_HOSTNAME_MISMATCH) {
-	if (errorcode == X509_V_ERR_HOSTNAME_MISMATCH)
+	    X509_STORE_CTX_set_error(ctx, TLScontext->errorcode);
 	    return;
 	}
    }
    /*
     * The certificate pointer is stable during the verification callback,
@ -191,12 +193,12 @@ int     tls_verify_certificate_callback(int ok, X509_STORE_CTX *ctx)
    if (TLScontext->must_fail) {
 	if (depth == 0) {
 	    X509_STORE_CTX_set_error(ctx, err = X509_V_ERR_UNSPECIFIED);
-	    update_error_state(TLScontext, depth, cert, err);
+	    update_error_state(ctx, TLScontext, depth, cert, err);
 	}
 	return (1);
    }
    if (ok == 0)
-	update_error_state(TLScontext, depth, cert, err);
+	update_error_state(ctx, TLScontext, depth, cert, err);
    if (TLScontext->log_mask & TLS_LOG_VERBOSE) {
 	if (cert) {
--- a/postfix/src/virtual/virtual.c
+++ b/postfix/src/virtual/virtual.c
@ -227,7 +227,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBipc_timeout (3600s)\fR"
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.