diff --git a/postfix/HISTORY b/postfix/HISTORY
index e13b88a74..3e970c8ad 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -11012,3 +11012,36 @@ Apologies for any names omitted.
 	if Postfix could somehow be forced to send HELO instead of
 	EHLO. Victor Duchovni.  File: src/smtp/smtp_proto.c.
 
+20061203
+
+	Bugfix (introduced with Postfix 2.2): with SMTP server
+	tarpit delays of smtp_rset_timeout or larger, the SMTP
+	client could get out of sync with the server while reusing
+	a connection.  The symptoms were "recipient rejected .. in
+	reply to DATA".  Fix by Victor Duchovni and Wietse.  File:
+	smtp/smtp_proto.c, smtp/smtp_connect.c. Back-ported from
+	Postfix 2.3.
+
+	Safety: additional error tests to prevent connection reuse
+	after timeout error. Files: lmtp/lmtp.c, smtp/smtp_connect.c.
+	Back-ported from Postfix 2.3.
+
+20070529
+
+	Cleanup: misleading error message while discarding malformed
+	input after queue file write error. File postdrop/postdrop.c.
+
+20070911
+
+	Bugfix (introduced Postfix 2.2.11): TLS client certificate
+	with unparsable canonical name caused the SMTP server's
+	policy client to allocate zero-length memory, triggering
+	an assertion that it shouldn't do such things.  File:
+	smtpd/smtpd_check.c.
+
+20070917
+
+	Workaround: the flush daemon forces an access time update
+	for the per-destination logfile, to prevent an excessive
+	rate of delivery attempts when the queue file system is
+	mounted with "noatime".  File: flush/flush.c.
diff --git a/postfix/src/flush/flush.c b/postfix/src/flush/flush.c
index ffdf81a41..d9a12209b 100644
--- a/postfix/src/flush/flush.c
+++ b/postfix/src/flush/flush.c
@@ -147,6 +147,7 @@
 
 #include <sys_defs.h>
 #include <sys/stat.h>
+#include <sys/time.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <utime.h>
@@ -479,6 +480,11 @@ static int flush_send_path(const char *path, int how)
     if (count > 0 && ftruncate(vstream_fileno(log), (off_t) 0) < 0)
 	msg_fatal("%s: truncate fast flush logfile %s: %m", myname, path);
 
+    /*
+     * Workaround for noatime mounts. Use futimes() if available.
+     */
+    (void) utimes(VSTREAM_PATH(log), (struct timeval *) 0);
+
     /*
      * Request delivery and clean up.
      */
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index b9c9b6c8f..6c9b58af5 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change the patchlevel and the release date. Snapshots change the
   * release date only.
   */
-#define MAIL_RELEASE_DATE	"20060724"
-#define MAIL_VERSION_NUMBER	"2.2.11"
+#define MAIL_RELEASE_DATE	"20071021"
+#define MAIL_VERSION_NUMBER	"2.2.12"
 
 #define VAR_MAIL_VERSION	"mail_version"
 #ifdef SNAPSHOT
diff --git a/postfix/src/lmtp/lmtp.c b/postfix/src/lmtp/lmtp.c
index 763c05229..2dd66f00c 100644
--- a/postfix/src/lmtp/lmtp.c
+++ b/postfix/src/lmtp/lmtp.c
@@ -443,6 +443,7 @@ static int deliver_message(DELIVER_REQUEST *request, char **unused_argv)
     if (state->session != 0
 	&& (!var_lmtp_cache_conn
 	    || vstream_ferror(state->session->stream)
+	    || vstream_ftimeout(state->session->stream)
 	    || vstream_feof(state->session->stream)))
 	state->session = lmtp_session_free(state->session);
 
diff --git a/postfix/src/postdrop/postdrop.c b/postfix/src/postdrop/postdrop.c
index 7d22955d8..77ad3b11d 100644
--- a/postfix/src/postdrop/postdrop.c
+++ b/postfix/src/postdrop/postdrop.c
@@ -406,6 +406,8 @@ int     main(int argc, char **argv)
 	    while ((rec_type = rec_get(VSTREAM_IN, buf, var_line_limit)) > 0
 		   && rec_type != REC_TYPE_END)
 		 /* void */ ;
+	    if (rec_type <= 0)
+		msg_fatal("uid=%ld: malformed input", (long) uid);
 	    break;
 	}
 	if (rec_type == REC_TYPE_END)
diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c
index 047d720f7..3004ffb6e 100644
--- a/postfix/src/smtp/smtp_connect.c
+++ b/postfix/src/smtp/smtp_connect.c
@@ -378,7 +378,11 @@ static void smtp_cleanup_session(SMTP_STATE *state)
      * logical next-hop state, so that we won't cache connections to
      * less-preferred MX hosts under the logical next-hop destination.
      */
-    if (session->reuse_count > 0) {
+    if (session->reuse_count > 0
+    /* Redundant tests for safety... */
+	&& vstream_ferror(session->stream) == 0
+	&& vstream_ftimeout(session->stream) == 0
+	&& vstream_feof(session->stream) == 0) {
 	smtp_save_session(state);
 	if (HAVE_NEXTHOP_STATE(state))
 	    FREE_NEXTHOP_STATE(state);
@@ -709,6 +713,7 @@ int     smtp_connect(SMTP_STATE *state)
 		if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0
 		    && smtp_helo(state, misc_flags) != 0) {
 		    if (vstream_ferror(session->stream) == 0
+			&& vstream_ftimeout(session->stream) == 0
 			&& vstream_feof(session->stream) == 0)
 			smtp_quit(state);
 		} else
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index 7bb244af3..7fb37204b 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -888,6 +888,8 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
     } while (0)
 
 #define RETURN(x) do { \
+	if (recv_state != SMTP_STATE_LAST) \
+	    DONT_CACHE_THIS_SESSION; \
 	vstring_free(next_command); \
 	if (session->mime_state) \
 	    session->mime_state = mime_state_free(session->mime_state); \
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 96930395c..286fffb67 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -3072,7 +3072,7 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
 	    coded_CN_buf = 0; \
 	    coded_CN = ""; \
 	} else { \
-	    coded_CN_buf = vstring_alloc(strlen(CN)); \
+	    coded_CN_buf = vstring_alloc(strlen(CN) + 1); \
 	    xtext_quote(coded_CN_buf, CN, ""); \
 	    coded_CN = STR(coded_CN_buf); \
 	} \