[This this announcement will be available at https://www.postfix.org/announcements/postfix-3.7.4.html]
Fixed in Postfix 3.7, 3.6, 3.5, 3.4: * Workaround: with OpenSSL 3 and later always turn on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed opportunities for TLS session reuse. This is safe because the SMTP protocol implements application-level framing, and is therefore not affected by TLS truncation attacks. Fix by Viktor Dukhovni. * Workaround: OpenSSL 3.x EVP_get_digestbyname() can return lazily-bound handles for digest implementations. In sufficiently hostile configurations, Postfix could mistakenly believe that a digest algorithm is available, and fail when it is not. A similar workaround may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni. * Bugfix (bug introduced in Postfix 2.11): the checkok() macro in tls/tls_fprint.c evaluated its argument unconditionally; it should evaluate the argument only if there was no prior error. Found during code review. * Bugfix (bug introduced in Postfix 2.8): postscreen died with a segmentation violation when postscreen_dnsbl_threshold < 1. It should reject such input with a fatal error instead. Discovered by Benny Pedersen. * Bitrot: fixes for linker warnings from newer Darwin (MacOS) versions. Viktor Dukhovni. * Portability: Linux 6 support. Fixed in Postfix 3.4, 3.5: * Workaround: shut up compiler warnings for legitimate string comparison expressions. Back-ported from Postfix 3.6. Fixed in Postfix 3.7: * Added missing documentation that cidr:, pcre: and regexp: tables support inline specification only in Postfix 3.7 and later. You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/. Wietse