- Bugfix (introduced: Postfix 3.5.5): part of a memory leak
   fix was backported to the wrong place. File: tls/tls_misc.c.
   The Postfix 3.5.5 workaround did not explicitly override
   the system-wide OpenSSL configuration of allowed TLS protocol
   versions, for sessions where the remote SMTP client sends
   SNI. It's better to be safe than sorry. File: tls/tls_server.c.
 - Workaround for distros that override Postfix protocol
   settings in a system-wide OpenSSL configuration file, causing
   interoperability problems after an OS update. File:
   tls/tls_client.c, tls/tls_server.c.
 - Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
   leak in the Postfix TLS library, found during tests. File:
   tls/tls_misc.c.
 - Bugfix (introduced: Postfix 3.0): minor memory leaks in the
   Postfix TLS library, found during tests. File: tls/tls_misc.c.
 - Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
   client did not send the right SNI name when the TLSA base
   domain was a secure CNAME expansion of the MX hostname (or
   non-MX nexthop domain). Domains with CNAME expanded MX hosts
   are not conformant with RFC5321, and so are rare. Even more
   rare are MX hosts with TLSA records for their CNAME expansion.
   For this to matter, the remote SMTP server would also have
   to select its certificate based on the SNI name in such a
   way that the original MX host would yield a different
   certificate. Among the ~2 million hosts in the DANE survey,
   none meet the conditions for returning a different certificate
   for the expanded CNAME. Therefore, sending the correct SNI
   name should not break existing mail flows. Fixed by Viktor
   Dukhovni. File: src/tls/tls_client.c.
 - Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
   reuse was broken for configurations that use explicit trust
   anchors. Reported by Thorsten Habich. Fixed by calling DANE
   initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
 - Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
   reuse was broken for configurations that use explicit trust
   anchors. Reported by Thorsten Habich. Cause: the tlsproxy
   client was sending a zero certificate length. File:
   tls/tls_proxy_client_print.c.
 - Bugfix (introduced: Postfix 3.4): the connection_reuse
   attribute in smtp_tls_policy_maps resulted in an "invalid
   attribute name" error. Fix by Thorsten Habich. File:
   smtp/smtp_tls_policy.c.
 - Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
   the SNI callback reported an error when it was called a
   second time. This happened after the server-side TLS engine
   sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
   client. Reported by Ján Máté, fixed by Viktor Dukhovni.
   File: tls/tls_misc.c.
 - Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
   did not handle a missing optional argument. File:
   conf/postfix-tls-script.

- Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
   client caused a false 'lost connection' error for an SMTP
   over TLS session in the same Postfix process. Reported by
   Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
   tls/tls_bio_ops.c.
 - Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
   session may cause a false 'lost connection' error for a
   concurrent TLS session in the same tlsproxy process. File:
   tlsproxy/tlsproxy.c.
 - Noise suppression: avoid "SSL_Shutdown:shutdown while in
   init" warnings. File: tls/tls_session.c.
 - Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
   initializing the ICU library before making the chroot()
   call. Files: util/midna_domain.[hc], global/mail_params.c.
 - Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix
   default value used the minute instead of the month. Reported
   by Larry Stone. Files: conf/postfix-tls-script,
   proto/MAILLOG_README.html, proto/postconf.proto.
   global/mail_params.h, postfix/postfix.c.
 - Noise suppression: shut up a compiler that special-cases
   string literals. Viktor Dukhovni. File smtpd/smtpd_check.c.
 - Security: disable DANE support on Alpine Linux because
   libc-musl provides no indication whether DNS responses are
   authentic. This broke DANE support without a clear explanation.
   File: makedefs.
 - Noise suppression: shut up a compiler that special-cases
   string literals. Viktor Dukhovni. File milter/milter.c.
 - Bugfix: segfault in the tlsproxy client role when the server
   role was disabled. This typically happens on systems that
   do not receive mail, after configuring connection reuse for
   outbound TLS. Found during program maintenance. File:
   tlsproxy/tlsproxy.c.

- Workaround for broken builds after an incompatible change
   in GCC 10. Files: makedefs, Makefile.in.
 - Workaround for broken DANE support after an incompatible
   change in GLIBC 2.31. This avoids the need for new options
   in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.

- Removed the issuer_cn and subject_cn matches from
   check_ccert_access. Files: smtpd/smtpd_check.c,
   proto/postconf.proto.
 - Usability: the Postfix SMTP server now logs a warning when
   a configuration requests access control by client certificate,
   but "smtpd_tls_ask_clientcert = no".  Files: proto/postconf.proto,
   smtpd/smtpd_check.c.

- Bugfix (introduced: Postfix 2.3): panic with Postfix
   multi-Milter configuration during MAIL FROM. Milter client
   state was not properly reset after one of the Milters failed.
   Reported by WeiYu Wu.
 - Bugfix (introduced: Postfix 2.5): the Milter connect event
   macros were evaluated before the Milter connection itself
   had been negotiated. Problem reported by David Baergin.
   Files: milter/milter.h, milter/milter.c, milter/milter8.c

- Bugfix (introduced: Postfix 3.1): support for
   smtp_dns_resolver_options was broken while adding support
   for negative DNS response caching in postscreen. Postfix
   was inadvertently changed to call res_query() instead of
   res_search(). Reported by Jaroslav Skarvada. File:
   dns/dns_lookup.c.
 - Bugfix (introduced: Postfix 3.0): sanitize server responses
   before storing them in the verify database, to avoid Postfix
   warnings about malformed UTF8. File: verify/verify.c.
 - Usability: the parser for key/certificate chain files
   rejected inputs that contain an EC PARAMETERS object. While
   this is technically correct (the documentation says what
   types are allowed) this is surprising behavior because the
   legacy cert/key parameters will accept such inputs. For
   now, the parser skips object types that it does not know
   about for usability, and logs a warning because ignoring
   inputs is not kosher. Viktor and Wietse. File: tls/tls_certkey.c.
 - Bugfix (introduced: Postfix 2.8): don't gratuitously enable
   all after-220 tests when only one such test is enabled.
   This made selective tests impossible with 'good' clients.
   File: postscreen/postscreen_smtpd.c.
 - Bugfix: the 20180903 postscreen fix for a misleading
   "PIPELINING after BDAT" warning looked at the wrong variable.
   The warning now says "BDAT without valid RCPT", and the
   error is no longer treated as a command PIPELINING error
   (but sending BDAT is still a client error, because postscreen
   rejects all RCPT commands and does not announce PIPELINING
   support). File: postscreen/postscreen_smtpd.c.

- Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
   error results after a plaintext output error. The code could
   loop, and with some OpenSSL error results could flood the
   log with error messages (see below for a specific case).
   Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
   Bitrot: don't invoke SSL_shutdown() when the SSL engine
   thinks it is processing a TLS handshake. The commit at
   https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59
   changed the error status, incompatibly, from SSL_ERROR_NONE
   into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c.
 - Bugfix (introduced: 20051222): the Dovecot client could
   segfault (null pointer read) or cause an SMTP server assertion
   to fail when talking to a fake Dovecot server. The client
   now logs a proper error instead. Problem reported by Tim
   Daesterhus. File: xsasl/xsasl_dovecot_server.c.
 - Workaround for poor TCP loopback performance on LINUX, where
   getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
   size that is 1/2 to 1/3 of the MTU. For example, with kernel
   5.1.16-300.fc30.x86_64 the TCP client and server announce
   an mss of 65495 in the TCP handshake, but getsockopt()
   returns 32741 (less than half). As a matter of principle,
   Postfix won't turn on client-side TCP_NODELAY because that
   hides application performance bugs, and because that still
   suffers from server-side delayed ACKs. Instead, Postfix
   avoids sending "small" writes back-to-back, by choosing a
   VSTREAM buffer size that is a multiple of the reported MSS.
   This workaround bumps the multiplier from 2x to 4x. File:
   util/vstream_tweak.c.

- Bugfix: the documentation said tls_fast_shutdown_enable,
   but the code said tls_fast_shutdown. Viktor Dukhovni. Changed
   the code because no-one is expected to override the default.
   File: global/mail_params.h.
 - Bugfix (introduced: Postfix 3.0): the code to reset Postfix
   SMTP server command counts was not called after a HaProxy
   handshake failure, causing stale numbers to be reported.
   The command counts are now reset in the function that reports
   the counts. File: smtpd/smtpd.c.

- Documentation: updated the BUGS section in the smtp(8) manpage
   about TLS connection reuse. File: smtp/smtp.c.
 - Workaround for implementations that hang Postfix while
   shutting down a TLS session, until Postfix times out. With
   "tls_fast_shutdown_enable = yes" (the default), Postfix no
   longer waits for the TLS peer to respond to a TLS 'close'
   request. This is recommended with TLSv1.0 and later. Files:
   global/mail_params.h, tls/tls_session.c, and documentation.
 - Bugfix (introduced: Postfix 3.0): the code to reset Postfix
   SMTP server command counts was not called after a HaProxy
   handshake failure, causing stale numbers to be reported.
   The command counts are now reset in the function that reports
   the counts. File: smtpd/smtpd.c.

- Bugfix (introduced: Postfix 3.0): LMTP connections over
   UNIX-domain sockets were cached but not reused, due to a
   cache lookup key mismatch. Therefore, idle cached connections
   could exhaust LMTP server resources, resulting in two-second
   pauses between email deliveries. This problem was investigated
   by Juliana Rodrigueiro. File: smtp/smtp_connect.c.
 - With message_size_limit=0 (which is NOT DOCUMENTED), BDAT
   chunks were always rejected as too large. File: smtpd/smtpd.c
 - Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
   has been producing false rejects starting with the Postfix
   2.2 smtpd_end_of_data_restrictons, and for the same reasons,
   does the same with the Postfix 3.4 BDAT command. The latter
   was reported by Andreas Schulze. File: smtpd/smtpd_check.c.

- Bitrot: LINUX5s support, after some sanity checks with a
   rawhide prerelease version. Files: makedefs, util/sys_defs.h.
 - Bugfix (introduced: 20181226): broken DANE trust anchor
   file support, caused by left-over debris from the 20181226
   TLS library overhaul. Scott Kitterman. File: tls/tls_dane.c.
 - Bugfix (introduced: Postfix-1.0.1): null pointer read, while
   logging a warning after a corrupted bounce log file. File:
   global/bounce_log.c.
 - Bugfix (introduced: Postfix-2.9.0): null pointer read, while
   logging a warning after a postscreen_command_filter read
   error. File: postscreen/postscreen_smtpd.c. global/bounce_log.c

- Bugfix: in the Postfix SMTP client, TLS wrappermode was not
   tested in tlsproxy mode. It needed some setup for buffering
   and timeouts. Problem report by Andreas Schulze. File:
   smtp/smtp_proto.c.
 - Bugfix: a reversed test broke TLS configurations that specify
   the same filename for a private key and certificate. Reported
   by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
   test. Files: tls/tls_certkey.c, tls/Makefile.in.

- Bugfix (introduced: 20170617): postconf(1) command segfault
   if unable to open a Postfix database configuration file due
   to a file permission error. Report by Andreas Hasenack, fix
   by Viktor Dukhovni.  File: postconf/postconf_dbms.c.
 - Cleanup: Postfix did not support running as a PID=1 process,
   which complicated Postfix management in containers. The
   "postfix start-fg" command will now run the Postfix master
   daemon as a PID=1 process if possible. Thanks to inputs
   from Andreas Schulze, Eray Aslan, and Viktor Dukhovni.
   Files: postfix/postfix.c, master/master.c, master/master.h,
   master/master_sig.c, conf/postfix-script.
 - Bugfix (introduced: Postfix 2.11): minor memory leak when
   minting issuer certs. This affects a tiny minority of use
   cases. Viktor Dukhovni, based on a fix by Juan Altmayer
   Pizzorno for the ssl_dane library. File: tls/tls_dane.c.
 - Workaround: postconf build did not abort if the m4 command
   is not installed (on a system that does have the make
   command, the awk command, the perl command, and the C
   compiler?!).  File: postconf/extract_cfg.sh.
 - Multiple 'bit rot' fixes for OpenSSL API changes, including
   support to disable TLSv1.3, to avoid issuing multiple session
   tickets, and to allow OpenSSL >= 1.1.0 run-time micro version
   bumps without complaining about library version mismatches.
   Viktor Dukhovni. Files: proto/postconf.proto,
   proto/TLS_README.html, tls/tls.h, tls/tls_server.c,
   tls/tls_misc.c.
 - Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could
   not disable "SMTPUTF8". because the lookup table was using
   "EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c.
 - Documentation: update documentation for Postfix versions
   that support disabling TLS 1.3. File: proto/postconf.proto.
 - Improved logging of TLS 1.3 summary information, and improved
   reporting of the same info in Received: message headers.
   Viktor Dukhovni. Files: proto/FORWARD_SECRECY_README.html,
   posttls-finger/posttls-finger.c, smtpd/smtpd.c, tls/tls.h,
   tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h,
   tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
   tls/tls_server.c.

- Documentation patches by Sven Neuhaus. Files:
   proto/FORWARD_SECRECY_README.html, proto/MILTER_README.html,
   proto/SMTPD_ACCESS_README.html.
 - Cleanup: missing mailbox seek-to-end error check in the
   local(8) delivery agent. File: local/mailbox.c.
   Cleanup: incorrect mailbox seek-to-end error message in the
   virtual(8) delivery agent. File: virtual/mailbox.c.
 - Licence: in addition to the historical IBM Public License
   1.0, this software is now also distributed with the more
   recent Eclipse Public License 2.0. Recipients can choose
   to take the software under the license of their choice.
   Those who are more comfortable with the IPL can continue
   with that license. File: LICENSE.
 - Cleanup: added 22 missing *_maps parameters to the default
   proxy_read_maps setting. Files: global/mail_params.h.
 - Bugfix (introduced: 20120117): postconf should scan only
   built-in or service-defined parameters for ldap, *sql, etc.
   database names. Files: postconf/postconf_user.c.
 - Bugfix (introduced: 19990302): when luser_relay specifies
   a non-existent local address, the luser_relay feature becomes
   a black hole. Reported by Jørgen Thomsen. File: local/unknown.c.
 - Bugfix (introduced: Postfix 2.8): missing tls_server_start()
   error propagation in tlsproxy(8) resulting in segfault after
   TLS handshake error. Found during code maintenance. File:
   tlsproxy/tlsproxy.c.

* Cleanup: "match_list_match: permit_mynetworks: no match" after
    a SUCCESSFUL permit_mynetworks match of a client IP address was
    complicating troubleshooting.  The fix is to log additional
    context to clarify that this "no match" condition is for
    smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.
  * Documentation: typos in postfix-tls-script(1) manpage.
    line wrapping in postconf(1) manpage.
  * Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM
    (replace sender) request lost the sender_bcc_maps address.
    Fixed by moving some record keeping to the sender output
    function.  Files: cleanup/cleanup_envelope.c,
    cleanup/cleanup_addr.c, cleanup/cleanup_milter.c,
    cleanup/cleanup.h, regression tests.
  * Bugfix (introduced: Postfix 2.6): the "bad filetype"
    header_checks pattern falsely rejected Content-Mumble headers
    with ``name="example"; x-apple-part-url="example.com"''.
    Fixed by respecting the ";" separator between content
    attribute values.  Reported by Cedric Knight.  File:
    proto/header_checks.
    Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h.

- fixpack-release
  * The uxtext_unquote() function had the same problem as 
    xtext_unquote(), because one was created by copying the 
    other. The Postfix SMTP server uses this function to 
    parse input for the ORCPT parameter when the remote 
    SMTP client sends SMTPUTF8 mail.

  * Unreported bug: Postfix smtpd_mumble_restrictions could 
    report an incorrect reason for failed DNS lookups. Fixed 
    by saving and restoring h_errno while evaluating the 
    result from multi-query DNS lookups.

  * The COMPATIBILITY_README text and HTML files were not 
    installed.

- initial build for CentOS 7