-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Oct 2025 13:24:35 +0300
Source: postfix
Binary: postfix-doc
Architecture: all
Version: 3.10.5-1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 postfix-doc - Documentation for Postfix
Closes: 1115412
Changes:
 postfix (3.10.5-1~deb13u1) trixie; urgency=medium
 .
   * new upstream stable/bugfix 3.10.5 release, with multiple fixes.
     From the upstream release notes:
   - Workaround for an interface mis-match between the Postfix SMTP client
     and MTA-STS policy plugins.
      * The existing behavior is to connect to any MX host listed in DNS, and
        to match the server certificate against any STS policy MX host pattern.
      * The corrected behavior is to connect to an MX host only if its
        name matches any STS policy MX host pattern, and to match the server
        certificate against the MX hostname.
     The corrected behavior must be enabled in two places: in Postfix with a
     new parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in
     an MTA-STS plugin by enabling TLSRPT support, so that the plugin forwards
     STS policy attributes to Postfix. This works even if Postfix TLSRPT
     support is disabled at build time or at runtime.
   - TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found",
     pretend that the TLSRPT policy domain value is equal to the recipient
     domain. This ignores that different policy types (TLSA, STS) use different
     policy domains.  But this is what Microsoft does, and therefore,
     what other tools expect.
   - Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's
     connection reuse logic did not distinguish between sessions that
     require SMTPUTF8 support, and sessions that do not. The solution is
      1) to store sessions with different SMTPUTF8 requirements
         under distinct connection cache storage keys, and
      2) to not cache a connection when SMTPUTF8 is required
         but the server does not support that feature
   - Bugfix (defect introduced: Postfix 3.0, date 20140731):
     the smtpd 'disconnect' command statistics did not count commands
     with "bad syntax" and "bad UTF-8 syntax" errors
   - Postfix 3.11 forward compatibility: to avoid ugly warnings when
     Postfix 3.11 is rolled back to an older version, allow a preliminary
     'size' record in maildrop queue files created with Postfix 3.11 or later
   - Bugfix (defect introduced: Postfix 3.8, date 20220128):
     non-reproducible build, because the 'postconf -e' output order
     for new main.cf entries was no longer deterministic
   - To make builds predictable, add missing meta_directory and
     shlib_directory settings to the stock main.cf file
   - Bugfix (defect introduced: Postfix 3.9, date 20230517):
     posttls-finger(1) logged an incorrectly-formatted port number
   * debian/patches/debian-defaults.patch: refresh, update for 2 new
     parameters (with defaults) in main.cf, and make it with less context
   * configure-instance.in: fix typo which caused recreating
     cadir in chroot and excessive logging (Closes: #1115412)
Checksums-Sha1:
 009cc705fd04db678eab5cb2e2a5aff4402af955 1396576 postfix-doc_3.10.5-1~deb13u1_all.deb
 029042d040191ed601c6ee015fa414b0d9bb75ba 7416 postfix_3.10.5-1~deb13u1_all-buildd.buildinfo
Checksums-Sha256:
 d13e48036d2edc3d9a7242ffebb525fc582a2c78c7a6f31557603bc5b375075e 1396576 postfix-doc_3.10.5-1~deb13u1_all.deb
 73adc7cc23392b0a37a1626eb54e1dfc91baf9a25a90b971417bdab0e3b3f95c 7416 postfix_3.10.5-1~deb13u1_all-buildd.buildinfo
Files:
 051a51f40d7d55951aca4cbcbcaa722c 1396576 doc optional postfix-doc_3.10.5-1~deb13u1_all.deb
 f919fb83b528455da53877c04c5a40ef 7416 mail optional postfix_3.10.5-1~deb13u1_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHqtYLkdKRyCY94K8fUw6/tXbAmMFAmkGSo8ACgkQfUw6/tXb
AmMj/g/+J850BBDI8ezW82uotS1fnXPBaCK/NVKvmf8WWObRKjUGk5QYqZmaqaDO
kTvnI21hdDIRLNTE9zCnd8o7SMz2PFpTI12tJpt21Zz/L0mqQOWJTL0Iah+6jnqI
R3IeqWLuB32lM/TnK0Y/cIjj0eSRcipMXcbBodbgugGNHo5/OZW+7T+fGwo4QMOz
srHLzdJZY7XEl8kAPbGl7a8H0RWqzYy9Pxv7kGzVm5IEMUTzE6OPVsYtAcOFwT8p
F+2+QP1Zxq9b6P+/ZQU4ZHeEez3wW3xtS6WN0aRe9UZctMlX5GVtXtN+8G0n1hK+
JZDiHn35Geml+hIRs/u1mPN0agTQ2fN1mJsliXsCZoLRAwLHIxSqKiPqq1dw1EH4
4kjHpsKsbNfnpXOOHM9WB01m2mBY2vP+m51TVob07mvjG0Sb/MUfnn7ZTK5aMDu9
2467isrPPfhBO8y2DnUaAxZN5YKwJ11szQ+iHYhi8zOMZA5amWcAFbM8s3SxHro5
y7oewouQz4LmgEbKIAtAFjPsGyh8BdFmOQU8qpSYc25kPPxZbX/mmM0vEV/XfWgI
l5BPSMHsLt3phwNog6WibJmZVXlZ3XpBconEjzD2c/ZncvEjW/6jEv8owk44WhMP
Ful6V2IqtnCIT+Pu72VyP3ByFUSDWg8o1mTnsi1ler5cdanlU+4=
=wMvK
-----END PGP SIGNATURE-----