diff --git a/postfix/HISTORY b/postfix/HISTORY
index e5329fefe..2852d9e3c 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -16829,3 +16829,20 @@ Apologies for any names omitted.
 	command must wait until its requests have reached the pickup
 	and qmgr servers before closing the UNIX-domain request
 	sockets.  Files: postqueue/postqueue.c, postqueue/Makefile.in.
+
+20120621
+
+	Bugfix (introduced: Postfix 2.8): the unused "pass" trigger
+	client could close the wrong file descriptors.  File:
+	util/unix_pass_trigger.c.
+
+20120702
+
+	Bugfix (introduced: 19990127): the BIFF client leaked an
+	unprivileged UDP socket. Fix by Jaroslav Skarvada.  File:
+	local/biff_notify.c.
+
+20120730
+
+	Bugfix (introduced: 20000314): AUTH is not allowed after
+	MAIL. Timo Sirainen.  File: smtpd/smtpd_sasl_proto.c.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 90f136732..50e7d6892 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20120520"
-#define MAIL_VERSION_NUMBER	"2.8.11"
+#define MAIL_RELEASE_DATE	"20120801"
+#define MAIL_VERSION_NUMBER	"2.8.12"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/postfix/src/local/biff_notify.c b/postfix/src/local/biff_notify.c
index b189ad4b2..ca7dc1645 100644
--- a/postfix/src/local/biff_notify.c
+++ b/postfix/src/local/biff_notify.c
@@ -43,6 +43,7 @@
 /* Utility library. */
 
 #include <msg.h>
+#include <iostuff.h>
 
 /* Application-specific. */
 
@@ -81,9 +82,12 @@ void    biff_notify(const char *text, ssize_t len)
     /*
      * Open a socket, or re-use an existing one.
      */
-    if (sock < 0 && (sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
-	msg_warn("socket: %m");
-	return;
+    if (sock < 0) {
+	if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+	    msg_warn("socket: %m");
+	    return;
+	}
+	close_on_exec(sock, CLOSE_ON_EXEC);
     }
 
     /*
diff --git a/postfix/src/smtpd/smtpd_sasl_proto.c b/postfix/src/smtpd/smtpd_sasl_proto.c
index e5fe8b0f0..0468d56c0 100644
--- a/postfix/src/smtpd/smtpd_sasl_proto.c
+++ b/postfix/src/smtpd/smtpd_sasl_proto.c
@@ -152,6 +152,12 @@ int     smtpd_sasl_auth_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	smtpd_chat_reply(state, "503 5.5.1 Error: authentication not enabled");
 	return (-1);
     }
+#define IN_MAIL_TRANSACTION(state) ((state)->sender != 0)
+    if (IN_MAIL_TRANSACTION(state)) {
+	state->error_mask |= MAIL_ERROR_PROTOCOL;
+	smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
+	return (-1);
+    }
     if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0) {
 	if (err[0] == '5') {
 	    state->error_mask |= MAIL_ERROR_POLICY;
diff --git a/postfix/src/util/unix_pass_trigger.c b/postfix/src/util/unix_pass_trigger.c
index 612300924..ccf2cdd16 100644
--- a/postfix/src/util/unix_pass_trigger.c
+++ b/postfix/src/util/unix_pass_trigger.c
@@ -63,7 +63,7 @@
 struct unix_pass_trigger {
     int     fd;
     char   *service;
-    int    *pair;
+    int     pair[2];
 };
 
 /* unix_pass_trigger_event - disconnect from peer */
@@ -129,7 +129,8 @@ int     unix_pass_trigger(const char *service, const char *buf, ssize_t len, int
     up = (struct unix_pass_trigger *) mymalloc(sizeof(*up));
     up->fd = fd;
     up->service = mystrdup(service);
-    up->pair = pair;
+    up->pair[0] = pair[0];
+    up->pair[1] = pair[1];
 
     /*
      * Write the request...