Ubuntu
postfix package

Merge ~paride/ubuntu/+source/postfix:lp1906970-focal into ubuntu/+source/postfix:ubuntu/focal

Proposed by Paride Legovini on 2021-08-12

Status:

Superseded

Proposed branch:

~paride/ubuntu/+source/postfix:lp1906970-focal

Merge into:

ubuntu/+source/postfix:ubuntu/focal

Diff against target:

795 lines (+249/-88)

32 files modified

HISTORY (+81/-0)
Makefile.in (+1/-1)
README_FILES/MAILLOG_README (+1/-1)
RELEASE_NOTES (+8/-0)
conf/postfix-tls-script (+1/-1)
debian/changelog (+19/-0)
debian/patches/series (+0/-1)
debian/postfix.postinst (+1/-1)
dev/null (+0/-51)
html/MAILLOG_README.html (+1/-1)
html/postconf.5.html (+1/-1)
html/postfix.1.html (+1/-1)
makedefs (+14/-1)
man/man1/postfix.1 (+1/-1)
man/man5/postconf.5 (+1/-1)
proto/MAILLOG_README.html (+1/-1)
proto/postconf.proto (+1/-1)
src/dns/dns.h (+4/-0)
src/dns/dns_lookup.c (+5/-2)
src/dns/dns_str_resflags.c (+6/-0)
src/global/mail_params.c (+2/-0)
src/global/mail_params.h (+1/-1)
src/global/mail_version.h (+2/-2)
src/milter/milter.c (+5/-5)
src/postfix/postfix.c (+1/-1)
src/smtpd/smtpd_check.c (+8/-8)
src/tls/tls_bio_ops.c (+7/-0)
src/tls/tls_misc.c (+21/-0)
src/tls/tls_session.c (+1/-1)
src/tlsproxy/tlsproxy.c (+26/-4)
src/util/midna_domain.c (+26/-0)
src/util/midna_domain.h (+1/-0)

Related bugs:

Bug #1868955: [SRU] after upgrade to 20.04: dane support is not working	Medium	Fix Released
Bug #1881196: [SRU] postfix tls deploy-server-cert fails with "can't shift that many"	Undecided	Fix Released
Bug #1906970: [SRU] dpkg hook hostname error	Undecided	Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Canonical Server		2021-08-12	Pending
Review via email: mp+407020@code.launchpad.net

This proposal has been superseded by a proposal from 2021-08-12.

Commit message

Focal SRU for LP: #1906970, same as https://code.launchpad.net/~paride/ubuntu/+source/postfix/+git/postfix/+merge/406805 but done against Focal.

Test PPA: https://launchpad.net/~paride/+archive/ubuntu/postfix-lp1906970

Test case: see [Test Plan] in the SRU bug description.

Autopkgtest summary (virt-server: lxd):

postfix PASS

Unmerged commits

c4b999b... by Paride Legovini on 2021-08-12

Update d/changelog for 3.4.13-0ubuntu2

3759f2e... by Paride Legovini on 2021-08-06

d/postfix.postinst: tolerate search domain with a leading dot

Search domain with a leading dot cause postfix.postinst to fail because
it constructs a 'myhostname' with a duplicate dot (see #991950).

The glibc resolver tolerates such domains and strips the leading dot
from the search domain [1]. This change makes postfix.postinst do the
same.

This same fix has been proposed for inclusion in Debian [2].

[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/res_query.c;h=ebbe5a6a4ed86abe3fccd4a134bfcf6f613c9bbb;hb=HEAD#l411
[2] https://salsa.debian.org/postfix-team/postfix-dev/-/merge_requests/12

Closes: #991950, LP: #1906970

9ce4102... by Lucas Kanashiro on 2020-06-19

Update changelog

4656c5f... by Lucas Kanashiro on 2020-06-19

Drop patch 80_glibc2.30-ftbfs.diff

This patch is not needed anymore and it does not cleanly apply to this
new upstream release.

4c073fe... by Lucas Kanashiro on 2020-06-19

New upstream release: 3.4.13

Workaround for broken DANE support after an incompatible change in
GLIBC 2.31 (LP: #1868955)

Fix "postfix tls deploy-server-cert", now it handles a missing optional
argument (LP: #1881196)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Paride Legovini

git-ubuntu developers

 diff --git a/HISTORY b/HISTORY
 index 1ebf42a..fe15290 100644
 --- a/HISTORY
 +++ b/HISTORY
@@ -24346,3 +24346,84 @@ Apologies for any names omitted.
  	multi-Milter configuration during MAIL FROM. Milter client
  	state was not properly reset after one of the Milters failed.
  	Reported by WeiYu Wu.
++
++20200416
++
++	Workaround for broken builds after an incompatible change
++	in GCC 10. Files: makedefs, Makefile.in.
++
++	Workaround for broken DANE support after an incompatible
++	change in GLIBC 2.31. This avoids the need for new options
++	in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
++
++20200419
++
++	Bugfix: segfault in the tlsproxy client role when the server
++	role was disabled. This typically happens on systems that
++	do not receive mail, after configuring connection reuse for
++	outbound TLS. Found during program maintenance. File:
++	tlsproxy/tlsproxy.c.
++
++20200420
++
++	Noise suppression: shut up a compiler that special-cases
++	string literals. Viktor Dukhovni. File milter/milter.c.
++
++20200422
++
++	Security: disable DANE support on Alpine Linux because
++	libc-musl provides no indication whether DNS responses are
++	authentic. This broke DANE support without a clear explanation.
++	File: makedefs.
++
++20200505
++
++	Noise suppression: shut up a compiler that special-cases
++	string literals. Viktor Dukhovni. File smtpd/smtpd_check.c.
++
++20200509
++
++	Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix
++	default value used the minute instead of the month. Reported
++	by Larry Stone. Files: conf/postfix-tls-script,
++	proto/MAILLOG_README.html, proto/postconf.proto.
++	global/mail_params.h, postfix/postfix.c.
++
++20200510
++
++	Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
++	initializing the ICU library before making the chroot()
++	call. Files: util/midna_domain.[hc], global/mail_params.c.
++
++20200511
++
++	Noise suppression: avoid "SSL_Shutdown:shutdown while in
++	init" warnings. File: tls/tls_session.c.
++
++20200515
++
++	Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
++	client caused a false 'lost connection' error for an SMTP
++	over TLS session in the same Postfix process. Reported by
++	Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
++	tls/tls_bio_ops.c.
++
++	Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
++	session may cause a false 'lost connection' error for a
++	concurrent TLS session in the same tlsproxy process. File:
++	tlsproxy/tlsproxy.c.
++
++20200530
++
++	Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
++	did not handle a missing optional argument. File:
++	conf/postfix-tls-script.
++
++20200610
++
++	Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
++	the SNI callback reported an error when it was called a
++	second time. This happened after the server-side TLS engine
++	sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
++	client. Reported by Ján Máté, fixed by Viktor Dukhovni.
++	File: tls/tls_misc.c.
 diff --git a/Makefile.in b/Makefile.in
 index fa12b04..aaab94d 100644
 --- a/Makefile.in
 +++ b/Makefile.in
@@ -1,5 +1,5 @@
  SHELL	= /bin/sh
--WARN    = -Wmissing-prototypes -Wformat -Wno-comment
++WARN    = -Wmissing-prototypes -Wformat -Wno-comment -fcommon
  OPTS	= 'WARN=$(WARN)'
  DIRS	= src/util src/global src/dns src/tls src/xsasl src/master src/milter \
  	src/postfix src/fsstone src/smtpstone \
 diff --git a/README_FILES/MAILLOG_README b/README_FILES/MAILLOG_README
 index 5184425..cc8b097 100644
 --- a/README_FILES/MAILLOG_README
 +++ b/README_FILES/MAILLOG_README
@@ -64,7 +64,7 @@ implements the following steps:
    * Rename the current logfile by appending a suffix that contains the date and
      time. This suffix is configured with the maillog_file_rotate_suffix
--    parameter (default: %Y%M%d-%H%M%S).
++    parameter (default: %Y%m%d-%H%M%S).
    * Reload Postfix so that postlogd(8) immediately closes the old logfile.
 diff --git a/RELEASE_NOTES b/RELEASE_NOTES
 index 63e8e5a..c981244 100644
 --- a/RELEASE_NOTES
 +++ b/RELEASE_NOTES
@@ -16,6 +16,14 @@ specifies the release date of a stable release or snapshot release.
  If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
  before proceeding.
++libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2
++------------------------------------------------------------------
++
++Security: this release disables DANE support on Linux systems with
++libc-musl, because libc-musl provides no indication whether DNS
++responses are authentic. This broke DANE support without a clear
++explanation.
++
  TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13
  -----------------------------------------------------------
 diff --git a/conf/postfix-tls-script b/conf/postfix-tls-script
 index 2c3430a..1a364b7 100644
 --- a/conf/postfix-tls-script
 +++ b/conf/postfix-tls-script
@@ -777,7 +777,7 @@ get_cache_db_type() {
  deploy_server_cert() {
      certfile=$1; shift
      keyfile=$1; shift
--    deploy=$1; shift
++    case $# in 0) deploy=;; *) deploy=$1; shift;; esac
      # Sets key_algo, key_param and cert_param
      check_key "$keyfile" || return 1
 diff --git a/debian/changelog b/debian/changelog
 index 86e71a2..43abc6c 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,22 @@
++postfix (3.4.13-0ubuntu2) focal; urgency=medium
++
++  * d/postfix.postinst: tolerate search domain with a leading dot
++    (LP: #1906970)
++
++ -- Paride Legovini <paride@ubuntu.com>  Thu, 12 Aug 2021 14:26:09 +0200
++
++postfix (3.4.13-0ubuntu1) focal; urgency=medium
++
++  * New upstream release: 3.4.13
++    - Workaround for broken DANE support after an incompatible change in
++      GLIBC 2.31 (LP: #1868955)
++    - Fix "postfix tls deploy-server-cert", now it handles a missing optional
++      argument (LP: #1881196)
++  * Drop patch 80_glibc2.30-ftbfs.diff. This patch is not needed anymore and
++    it does not cleanly apply to this new upstream release.
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Fri, 19 Jun 2020 14:11:03 -0300
++
  postfix (3.4.10-1ubuntu1) focal; urgency=medium
    * d/configure-instance.sh: fix typo in tls_CApath copying (LP: #1872288)
 diff --git a/debian/patches/80_glibc2.30-ftbfs.diff b/debian/patches/80_glibc2.30-ftbfs.diff
 deleted file mode 100644
 index c36baf0..0000000
 --- a/debian/patches/80_glibc2.30-ftbfs.diff
 +++ /dev/null
@@ -1,51 +0,0 @@
--Description: fix build with glibc 2.30
-- glibc 2.30 release notes at
-- https://savannah.gnu.org/forum/forum.php?forum_id=9515 states:
-- """
-- Support for the "inet6" option in /etc/resolv.conf and the RES_USE_INET6
-- resolver flag (deprecated in glibc 2.25) have been removed.
-- ...
-- The obsolete RES_INSECURE1 and RES_INSECURE2 option flags for the DNS stub
-- resolver have been removed from <resolv.h>.
-- """
-- And RES_AAONLY and RES_PRIMARY are already flagged as deprecated and are
-- being guarded with the same fix.
--Origin: upstream, https://github.com/vdukhovni/postfix/commit/3274c3cea9d739f86e84b65664aabb692e37e83f#diff-777bfb681a1cd539ddc8e1e606959ffa
--Bug: http://postfix.1071664.n5.nabble.com/build-failure-with-glibc-2-30-td102511.html
--Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1842923
--Last-Update: 2019-09-05
-----
--This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--diff --git a/postfix/src/dns/dns_str_resflags.c b/postfix/src/dns/dns_str_resflags.c
--index 5f2cce5e..472394c3 100644
----- a/src/dns/dns_str_resflags.c
--+++ b/src/dns/dns_str_resflags.c
--@@ -52,18 +52,28 @@
-- static const LONG_NAME_MASK resflag_table[] = {
--     "RES_INIT", RES_INIT,
--     "RES_DEBUG", RES_DEBUG,
--+#ifdef RES_AAONLY
--     "RES_AAONLY", RES_AAONLY,
--+#endif
--     "RES_USEVC", RES_USEVC,
--+#ifdef RES_PRIMARY
--     "RES_PRIMARY", RES_PRIMARY,
--+#endif
--     "RES_IGNTC", RES_IGNTC,
--     "RES_RECURSE", RES_RECURSE,
--     "RES_DEFNAMES", RES_DEFNAMES,
--     "RES_STAYOPEN", RES_STAYOPEN,
--     "RES_DNSRCH", RES_DNSRCH,
--+#ifdef RES_INSECURE1
--     "RES_INSECURE1", RES_INSECURE1,
--+#endif
--+#ifdef RES_INSECURE2
--     "RES_INSECURE2", RES_INSECURE2,
--+#endif
--     "RES_NOALIASES", RES_NOALIASES,
--+#ifdef RES_USE_INET6
--     "RES_USE_INET6", RES_USE_INET6,
--+#endif
-- #ifdef RES_ROTATE
--     "RES_ROTATE", RES_ROTATE,
-- #endif
 diff --git a/debian/patches/series b/debian/patches/series
 index 4976a63..fe67e62 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -14,6 +14,5 @@
 _rmail.diff
 _LANG.diff
 _postfix-check.diff
--80_glibc2.30-ftbfs.diff
  tls_version.diff
  debian-man-name.diff
 diff --git a/debian/postfix.postinst b/debian/postfix.postinst
 index dc28f3c..9ba7eac 100644
 --- a/debian/postfix.postinst
 +++ b/debian/postfix.postinst
@@ -49,7 +49,7 @@ myfqdn() {
  	if [ $myhostname = ${myhostname%.*} ]; then
  	    if [ -f /etc/resolv.conf ]; then
  		# The resolver uses the last one found, and ignores the rest
--		mydom=$(sed -n 's/^search[[:space:]]*\([^[:space:]]*\).*/\1/p;s/^domain[[:space:]]*\([^[:space:]]*\).*/\1/p' /etc/resolv.conf | tail -1)
++		mydom=$(sed -n 's/^search[[:space:]]*\.*\([^[:space:]]*\).*/\1/p;s/^domain[[:space:]]*\.*\([^[:space:]]*\).*/\1/p' /etc/resolv.conf | tail -1)
  		myhostname="$myhostname${mydom:+.$mydom}"
  	    else
  		myhostname="$myhostname.UNKNOWN"
 diff --git a/html/MAILLOG_README.html b/html/MAILLOG_README.html
 index b1f9702..c5b7978 100644
 --- a/html/MAILLOG_README.html
 +++ b/html/MAILLOG_README.html
@@ -114,7 +114,7 @@ run from a terminal. This command implements the following steps:
  <li> <p> Rename the current logfile by appending a suffix that
  contains the date and time. This suffix is configured with the
--<a href="postconf.5.html#maillog_file_rotate_suffix">maillog_file_rotate_suffix</a> parameter (default: %Y%M%d-%H%M%S). </p>
++<a href="postconf.5.html#maillog_file_rotate_suffix">maillog_file_rotate_suffix</a> parameter (default: %Y%m%d-%H%M%S). </p>
  <li> <p> Reload Postfix so that <a href="postlogd.8.html">postlogd(8)</a> immediately closes the
  old logfile. </p>
 diff --git a/html/postconf.5.html b/html/postconf.5.html
 index cba1fac..aa94c32 100644
 --- a/html/postconf.5.html
 +++ b/html/postconf.5.html
@@ -6284,7 +6284,7 @@ whitespace. </p>
  </DD>
  <DT><b><a name="maillog_file_rotate_suffix">maillog_file_rotate_suffix</a>
--(default: %Y%M%d-%H%M%S)</b></DT><DD>
++(default: %Y%m%d-%H%M%S)</b></DT><DD>
  <p> The format of the suffix to append to $<a href="postconf.5.html#maillog_file">maillog_file</a> while rotating
  the file with "postfix logrotate". See strftime(3) for syntax. The
 diff --git a/html/postfix.1.html b/html/postfix.1.html
 index 4c5c4f9..eb59ad3 100644
 --- a/html/postfix.1.html
 +++ b/html/postfix.1.html
@@ -285,7 +285,7 @@ POSTFIX(1)                                                          POSTFIX(1)
         <b><a href="postconf.5.html#maillog_file_prefixes">maillog_file_prefixes</a> (/var, /dev/stdout)</b>
                A list of allowed prefixes for a <a href="postconf.5.html#maillog_file">maillog_file</a> value.
--       <b><a href="postconf.5.html#maillog_file_rotate_suffix">maillog_file_rotate_suffix</a> (%Y%M%d-%H%M%S)</b>
++       <b><a href="postconf.5.html#maillog_file_rotate_suffix">maillog_file_rotate_suffix</a> (%Y%m%d-%H%M%S)</b>
                The format of the suffix to append to $<a href="postconf.5.html#maillog_file">maillog_file</a> while rotat-
                ing the file with "postfix logrotate".
 diff --git a/makedefs b/makedefs
 index 93731c2..64b42f4 100644
 --- a/makedefs
 +++ b/makedefs
@@ -228,6 +228,19 @@ case $# in
   *) echo usage: $0 [system release] 1>&2; exit 1;;
  esac
++case "$SYSTEM" in
++ Linux)
++    case "`PATH=/bin:/usr/bin ldd /bin/sh`" in
++     *-musl-*)
++	case "$CCARGS" in
++	 *-DNO_DNSSEC*) ;;
++	 *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2
++	    echo This build will not support DANE/TLSA. 1>&2
++	    CCARGS="$CCARGS -DNO_DNSSEC";;
++	esac;;
++    esac;;
++esac
++
  case "$SYSTEM.$RELEASE" in
     SCO_SV.3.2)	SYSTYPE=SCO5
  		# Use the native compiler by default
@@ -1136,7 +1149,7 @@ esac
  : ${CC=gcc} ${OPT='-O'} ${DEBUG='-g'} ${AWK=awk} \
  ${WARN='-Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
  	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
--	-Wunused -Wno-missing-braces'}
++	-Wunused -Wno-missing-braces -fcommon'}
  # Extract map type names from -DHAS_XXX compiler options.  We avoid
  # problems with tr(1) range syntax by using enumerations instead,
 diff --git a/man/man1/postfix.1 b/man/man1/postfix.1
 index 7a8a39c..412c0c9 100644
 --- a/man/man1/postfix.1
 +++ b/man/man1/postfix.1
@@ -252,7 +252,7 @@ The program to run after rotating $maillog_file with "postfix
  logrotate".
  .IP "\fBmaillog_file_prefixes (/var, /dev/stdout)\fR"
  A list of allowed prefixes for a maillog_file value.
--.IP "\fBmaillog_file_rotate_suffix (%Y%M%d\-%H%M%S)\fR"
++.IP "\fBmaillog_file_rotate_suffix (%Y%m%d\-%H%M%S)\fR"
  The format of the suffix to append to $maillog_file while rotating
  the file with "postfix logrotate".
  .IP "\fBpostlog_service_name (postlog)\fR"
 diff --git a/man/man5/postconf.5 b/man/man5/postconf.5
 index fdf6b39..ccb087a 100644
 --- a/man/man5/postconf.5
 +++ b/man/man5/postconf.5
@@ -3775,7 +3775,7 @@ mistake. Specify one or more prefix strings, separated by comma or
  whitespace.
  .PP
  This feature is available in Postfix 3.4 and later.
--.SH maillog_file_rotate_suffix (default: %Y%M%d\-%H%M%S)
++.SH maillog_file_rotate_suffix (default: %Y%m%d\-%H%M%S)
  The format of the suffix to append to $maillog_file while rotating
  the file with "postfix logrotate". See \fBstrftime\fR(3) for syntax. The
  default suffix, YYYYMMDD\-HHMMSS, allows logs to be rotated frequently.
 diff --git a/proto/MAILLOG_README.html b/proto/MAILLOG_README.html
 index 5fad103..9b56518 100644
 --- a/proto/MAILLOG_README.html
 +++ b/proto/MAILLOG_README.html
@@ -114,7 +114,7 @@ run from a terminal. This command implements the following steps:
  <li> <p> Rename the current logfile by appending a suffix that
  contains the date and time. This suffix is configured with the
--maillog_file_rotate_suffix parameter (default: %Y%M%d-%H%M%S). </p>
++maillog_file_rotate_suffix parameter (default: %Y%m%d-%H%M%S). </p>
  <li> <p> Reload Postfix so that postlogd(8) immediately closes the
  old logfile. </p>
 diff --git a/proto/postconf.proto b/proto/postconf.proto
 index f29cdf6..a37fb01 100644
 --- a/proto/postconf.proto
 +++ b/proto/postconf.proto
@@ -17611,7 +17611,7 @@ first argument. </p>
  <p> This feature is available in Postfix 3.4 and later. </p>
--%PARAM maillog_file_rotate_suffix %Y%M%d-%H%M%S
++%PARAM maillog_file_rotate_suffix %Y%m%d-%H%M%S
  <p> The format of the suffix to append to $maillog_file while rotating
  the file with "postfix logrotate". See strftime(3) for syntax. The
 diff --git a/src/dns/dns.h b/src/dns/dns.h
 index f758e44..b8c4c4a 100644
 --- a/src/dns/dns.h
 +++ b/src/dns/dns.h
@@ -59,6 +59,7 @@
   */
  #ifdef NO_DNSSEC
  #undef RES_USE_DNSSEC
++#undef RES_TRUSTAD
  #endif
   /*
@@ -70,6 +71,9 @@
  #ifndef RES_USE_EDNS0
  #define RES_USE_EDNS0	0
  #endif
++#ifndef RES_TRUSTAD
++#define RES_TRUSTAD	0
++#endif
   /*-
    * TLSA: https://tools.ietf.org/html/rfc6698#section-7.1
 diff --git a/src/dns/dns_lookup.c b/src/dns/dns_lookup.c
 index 1bfeb7e..2ae6483 100644
 --- a/src/dns/dns_lookup.c
 +++ b/src/dns/dns_lookup.c
@@ -116,6 +116,9 @@
  /*	Request DNSSEC validation. This flag is silently ignored
  /*	when the system stub resolver API, resolver(3), does not
  /*	implement DNSSEC.
++/*	Automatically turns on the RES_TRUSTAD flag on systems that
++/*	support this flag (this behavior will be more configurable
++/*	in a later release).
  /* .RE
  /* .IP lflags
  /*	Flags that control the operation of the dns_lookup*()
@@ -453,10 +456,10 @@ static int dns_query(const char *name, int type, unsigned flags,
      /*
       * Set extra options that aren't exposed to the application.
       */
--#define XTRA_FLAGS (RES_USE_EDNS0)
++#define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD)
      if (flags & RES_USE_DNSSEC)
--	flags |= RES_USE_EDNS0;
++	flags |= (RES_USE_EDNS0 | RES_TRUSTAD);
      /*
       * Save and restore resolver options that we overwrite, to avoid
 diff --git a/src/dns/dns_str_resflags.c b/src/dns/dns_str_resflags.c
 index 5f2cce5..df32345 100644
 --- a/src/dns/dns_str_resflags.c
 +++ b/src/dns/dns_str_resflags.c
@@ -60,10 +60,16 @@ static const LONG_NAME_MASK resflag_table[] = {
      "RES_DEFNAMES", RES_DEFNAMES,
      "RES_STAYOPEN", RES_STAYOPEN,
      "RES_DNSRCH", RES_DNSRCH,
++#ifdef RES_INSECURE1
      "RES_INSECURE1", RES_INSECURE1,
++#endif
++#ifdef RES_INSECURE2
      "RES_INSECURE2", RES_INSECURE2,
++#endif
      "RES_NOALIASES", RES_NOALIASES,
++#ifdef RES_USE_INET6
      "RES_USE_INET6", RES_USE_INET6,
++#endif
  #ifdef RES_ROTATE
      "RES_ROTATE", RES_ROTATE,
  #endif
 diff --git a/src/global/mail_params.c b/src/global/mail_params.c
 index 8953fe6..4b6a058 100644
 --- a/src/global/mail_params.c
 +++ b/src/global/mail_params.c
@@ -868,6 +868,8 @@ void    mail_params_init()
      var_smtputf8_enable = 0;
  #else
      midna_domain_transitional = var_idna2003_compat;
++    if (var_smtputf8_enable)
++	midna_domain_pre_chroot();
  #endif
      util_utf8_enable = var_smtputf8_enable;
 diff --git a/src/global/mail_params.h b/src/global/mail_params.h
 index 1f4c207..900ef51 100644
 --- a/src/global/mail_params.h
 +++ b/src/global/mail_params.h
@@ -4178,7 +4178,7 @@ extern char *var_maillog_file_pfxs;
  extern char *var_maillog_file_comp;
  #define VAR_MAILLOG_FILE_STAMP	"maillog_file_rotate_suffix"
--#define DEF_MAILLOG_FILE_STAMP	"%Y%M%d-%H%M%S"
++#define DEF_MAILLOG_FILE_STAMP	"%Y%m%d-%H%M%S"
  extern char *var_maillog_file_stamp;
  #define VAR_POSTLOG_SERVICE	"postlog_service_name"
 diff --git a/src/global/mail_version.h b/src/global/mail_version.h
 index 41647d3..95afa7b 100644
 --- a/src/global/mail_version.h
 +++ b/src/global/mail_version.h
@@ -20,8 +20,8 @@
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
--#define MAIL_RELEASE_DATE	"20200312"
--#define MAIL_VERSION_NUMBER	"3.4.10"
++#define MAIL_RELEASE_DATE	"20200614"
++#define MAIL_VERSION_NUMBER	"3.4.13"
  #ifdef SNAPSHOT
  #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
 diff --git a/src/milter/milter.c b/src/milter/milter.c
 index cee169c..3d71cc6 100644
 --- a/src/milter/milter.c
 +++ b/src/milter/milter.c
@@ -620,14 +620,14 @@ void    milter_disc_event(MILTERS *milters)
    * names by skipping the redundant "milter_" prefix.
    */
  static ATTR_OVER_TIME time_table[] = {
--    7 + VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0,
--    7 + VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, 0, 1, 0,
--    7 + VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, 0, 1, 0,
++    7 + (const char *) VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0,
++    7 + (const char *) VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, 0, 1, 0,
++    7 + (const char *) VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, 0, 1, 0,
 ,
  };
  static ATTR_OVER_STR str_table[] = {
--    7 + VAR_MILT_PROTOCOL, 0, 1, 0,
--    7 + VAR_MILT_DEF_ACTION, 0, 1, 0,
++    7 + (const char *) VAR_MILT_PROTOCOL, 0, 1, 0,
++    7 + (const char *) VAR_MILT_DEF_ACTION, 0, 1, 0,
 ,
  };
 diff --git a/src/postfix/postfix.c b/src/postfix/postfix.c
 index f8b3de4..b2306fb 100644
 --- a/src/postfix/postfix.c
 +++ b/src/postfix/postfix.c
@@ -242,7 +242,7 @@
  /*	logrotate".
  /* .IP "\fBmaillog_file_prefixes (/var, /dev/stdout)\fR"
  /*	A list of allowed prefixes for a maillog_file value.
--/* .IP "\fBmaillog_file_rotate_suffix (%Y%M%d-%H%M%S)\fR"
++/* .IP "\fBmaillog_file_rotate_suffix (%Y%m%d-%H%M%S)\fR"
  /*	The format of the suffix to append to $maillog_file while rotating
  /*	the file with "postfix logrotate".
  /* .IP "\fBpostlog_service_name (postlog)\fR"
 diff --git a/src/smtpd/smtpd_check.c b/src/smtpd/smtpd_check.c
 index d1caa5c..a25b401 100644
 --- a/src/smtpd/smtpd_check.c
 +++ b/src/smtpd/smtpd_check.c
@@ -483,20 +483,20 @@ typedef struct {
    * parameter names by skipping the redundant "smtpd_policy_service_" prefix.
    */
  static ATTR_OVER_TIME time_table[] = {
--    21 + VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, 0, 1, 0,
--    21 + VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, 0, 1, 0,
--    21 + VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, 0, 1, 0,
--    21 + VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, 0, 1, 0,
++    21 + (const char *) VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, 0, 1, 0,
++    21 + (const char *) VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, 0, 1, 0,
++    21 + (const char *) VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, 0, 1, 0,
++    21 + (const char *) VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, 0, 1, 0,
 ,
  };
  static ATTR_OVER_INT int_table[] = {
--    21 + VAR_SMTPD_POLICY_REQ_LIMIT, 0, 0, 0,
--    21 + VAR_SMTPD_POLICY_TRY_LIMIT, 0, 1, 0,
++    21 + (const char *) VAR_SMTPD_POLICY_REQ_LIMIT, 0, 0, 0,
++    21 + (const char *) VAR_SMTPD_POLICY_TRY_LIMIT, 0, 1, 0,
 ,
  };
  static ATTR_OVER_STR str_table[] = {
--    21 + VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0,
--    21 + VAR_SMTPD_POLICY_CONTEXT, 0, 1, 0,
++    21 + (const char *) VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0,
++    21 + (const char *) VAR_SMTPD_POLICY_CONTEXT, 0, 1, 0,
 ,
  };
 diff --git a/src/tls/tls_bio_ops.c b/src/tls/tls_bio_ops.c
 index 1f4ec41..9b66195 100644
 --- a/src/tls/tls_bio_ops.c
 +++ b/src/tls/tls_bio_ops.c
@@ -194,6 +194,13 @@ int     tls_bio(int fd, int timeout, TLS_SESS_STATE *TLScontext,
       * handling any pending network I/O.
       */
      for (;;) {
++
++	/*
++	 * Flush the per-thread SSL error queue. Otherwise, errors from other
++	 * code that also uses TLS may confuse SSL_get_error(3).
++	 */
++	ERR_clear_error();
++
  	if (hsfunc)
  	    status = hsfunc(TLScontext->con);
  	else if (rfunc)
 diff --git a/src/tls/tls_misc.c b/src/tls/tls_misc.c
 index 9fac444..1a1fd96 100644
 --- a/src/tls/tls_misc.c
 +++ b/src/tls/tls_misc.c
@@ -686,6 +686,27 @@ static int server_sni_callback(SSL *ssl, int *alert, void *arg)
  		 TLScontext->namaddr, sni);
  	return SSL_TLSEXT_ERR_NOACK;
+     }
++
++    /*
++     * With TLS 1.3, when the client's proposed key share is not supported by
++     * the server, the server may issue a HelloRetryRequest (HRR), and the
++     * client will then retry with a new key share on a curve supported by
++     * the server.  This results in the SNI callback running twice for the
++     * same connection.
++     *
++     * When that happens, The client MUST send the essentially the same hello
++     * message, including the SNI name, and since we've already loaded our
++     * certificate chain, we don't need to do it again!  Therefore, if we've
++     * already recorded the peer SNI name, just check that it has not
++     * changed, and return success.
++     */
++    if (TLScontext->peer_sni) {
++	if (strcmp(sni, TLScontext->peer_sni) == 0)
++	    return SSL_TLSEXT_ERR_OK;
++	msg_warn("TLS SNI changed from %s initially %s, %s after hello retry",
++		 TLScontext->namaddr, TLScontext->peer_sni, sni);
++	return SSL_TLSEXT_ERR_NOACK;
++    }
      do {
  	/* Don't silently skip maps opened with the wrong flags. */
  	pem = maps_file_find(tls_server_sni_maps, cp, 0);
 diff --git a/src/tls/tls_session.c b/src/tls/tls_session.c
 index 3f6027f..a4b7a8f 100644
 --- a/src/tls/tls_session.c
 +++ b/src/tls/tls_session.c
@@ -118,7 +118,7 @@ void    tls_session_stop(TLS_APPL_STATE *unused_ctx, VSTREAM *stream, int timeou
       * so we will not perform SSL_shutdown() and the session will be removed
       * as being bad.
       */
--    if (!failure) {
++    if (!failure && !SSL_in_init(TLScontext->con)) {
  	retval = tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
  	if (!var_tls_fast_shutdown && retval == 0)
  	    tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
 diff --git a/src/tlsproxy/tlsproxy.c b/src/tlsproxy/tlsproxy.c
 index 50b4154..65c7201 100644
 --- a/src/tlsproxy/tlsproxy.c
 +++ b/src/tlsproxy/tlsproxy.c
@@ -781,6 +781,7 @@ static void tlsp_strategy(TLSP_STATE *state)
       */
      if (state->flags & TLSP_FLAG_DO_HANDSHAKE) {
  	state->timeout = state->handshake_timeout;
++	ERR_clear_error();
  	if (state->is_server_role)
  	    ssl_stat = SSL_accept(tls_context->con);
  	else
@@ -809,6 +810,7 @@ static void tlsp_strategy(TLSP_STATE *state)
      if (NBBIO_ERROR_FLAGS(plaintext_buf)) {
  	if (NBBIO_ACTIVE_FLAGS(plaintext_buf))
  	    nbbio_disable_readwrite(state->plaintext_buf);
++	ERR_clear_error();
  	if (!SSL_in_init(tls_context->con)
  	    && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) {
  	    handshake_err = SSL_get_error(tls_context->con, ssl_stat);
@@ -835,6 +837,7 @@ static void tlsp_strategy(TLSP_STATE *state)
       */
      ssl_write_err = SSL_ERROR_NONE;
      while (NBBIO_READ_PEND(plaintext_buf) > 0) {
++	ERR_clear_error();
  	ssl_stat = SSL_write(tls_context->con, NBBIO_READ_BUF(plaintext_buf),
  			     NBBIO_READ_PEND(plaintext_buf));
  	ssl_write_err = SSL_get_error(tls_context->con, ssl_stat);
@@ -865,6 +868,7 @@ static void tlsp_strategy(TLSP_STATE *state)
       */
      ssl_read_err = SSL_ERROR_NONE;
      while (NBBIO_WRITE_PEND(state->plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) {
++	ERR_clear_error();
  	ssl_stat = SSL_read(tls_context->con,
  			    NBBIO_WRITE_BUF(plaintext_buf)
  			    + NBBIO_WRITE_PEND(state->plaintext_buf),
@@ -1489,16 +1493,15 @@ static void tlsp_service(VSTREAM *plaintext_stream,
  			    TLSP_INIT_TIMEOUT, (void *) state);
+ }
--/* pre_jail_init - pre-jail initialization */
++/* pre_jail_init_server - pre-jail initialization */
--static void pre_jail_init(char *unused_name, char **unused_argv)
++static void pre_jail_init_server(void)
+ {
      TLS_SERVER_INIT_PROPS props;
      const char *cert_file;
      int     have_server_cert;
      int     no_server_cert_ok;
      int     require_server_cert;
--    int     clnt_use_tls;
      /*
       * The code in this routine is pasted literally from smtpd(8). I am not
@@ -1531,7 +1534,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
+     }
      var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls;
      if (!var_tlsp_use_tls) {
--	msg_warn("TLS service is requested, but disabled with %s or %s",
++	msg_warn("TLS server role is disabled with %s or %s",
  		 VAR_TLSP_TLS_LEVEL, VAR_TLSP_USE_TLS);
  	return;
+     }
@@ -1622,6 +1625,13 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
  	SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx,
  			 SSL_MODE_ENABLE_PARTIAL_WRITE
  			 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
++}
++
++/* pre_jail_init_client - pre-jail initialization */
++
++static void pre_jail_init_client(void)
++{
++    int     clnt_use_tls;
      /*
       * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT
@@ -1733,6 +1743,18 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
  		msg_warn("TLS client initialization failed");
+ 	}
+     }
++}
++
++/* pre_jail_init - pre-jail initialization */
++
++static void pre_jail_init(char *unused_name, char **unused_argv)
++{
++
++    /*
++     * Initialize roles separately.
++     */
++    pre_jail_init_server();
++    pre_jail_init_client();
      /*
       * tlsp_client_init() needs to know if it is called pre-jail or
 diff --git a/src/util/midna_domain.c b/src/util/midna_domain.c
 index 667e75e..333a5c9 100644
 --- a/src/util/midna_domain.c
 +++ b/src/util/midna_domain.c
@@ -20,6 +20,8 @@
  /*
  /*	const char *midna_domain_suffix_to_utf8(
  /*	const char *name)
++/* AUXILIARY FUNCTIONS
++/*	void midna_domain_pre_chroot(void)
  /* DESCRIPTION
  /*	The functions in this module transform domain names from/to
  /*	ASCII and UTF-8 form. The result is cached to avoid repeated
@@ -52,6 +54,8 @@
  /*
  /*	midna_domain_transitional enables transitional conversion
  /*	between UTF8 and ASCII labels.
++/*
++/*	midna_domain_pre_chroot() does some pre-chroot initialization.
  /* SEE ALSO
  /*	http://unicode.org/reports/tr46/ Unicode IDNA Compatibility processing
  /*	msg(3) diagnostics interface
@@ -144,6 +148,22 @@ static const char *midna_domain_strerror(UErrorCode error, int info_errors)
+     }
+ }
++/* midna_domain_pre_chroot - pre-chroot initialization */
++
++void    midna_domain_pre_chroot(void)
++{
++    UErrorCode error = U_ZERO_ERROR;
++    UIDNAInfo info = UIDNA_INFO_INITIALIZER;
++    UIDNA  *idna;
++
++    idna = uidna_openUTS46(midna_domain_transitional ? UIDNA_DEFAULT
++			   : UIDNA_NONTRANSITIONAL_TO_ASCII, &error);
++    if (U_FAILURE(error))
++	msg_warn("ICU library initialization failed: %s",
++		 midna_domain_strerror(error, info.errors));
++    uidna_close(idna);
++}
++
  /* midna_domain_to_ascii_create - convert domain to ASCII */
  static void *midna_domain_to_ascii_create(const char *name, void *unused_context)
@@ -327,6 +347,7 @@ const char *midna_domain_suffix_to_utf8(const char *name)
   /*
    * Test program - reads names from stdin, reports invalid names to stderr.
    */
++#include <unistd.h>
  #include <stdlib.h>
  #include <locale.h>
@@ -350,6 +371,11 @@ int     main(int argc, char **argv)
      /* msg_verbose = 1; */
      util_utf8_enable = 1;
++    if (geteuid() == 0) {
++	midna_domain_pre_chroot();
++	if (chroot(".") != 0)
++	    msg_fatal("chroot(\".\"): %m");
++    }
      while (vstring_fgets_nonl(buffer, VSTREAM_IN)) {
  	bp = STR(buffer);
  	msg_info("> %s", bp);
 diff --git a/src/util/midna_domain.h b/src/util/midna_domain.h
 index 03d875b..1abe2a1 100644
 --- a/src/util/midna_domain.h
 +++ b/src/util/midna_domain.h
@@ -18,6 +18,7 @@ extern const char *midna_domain_to_ascii(const char *);
  extern const char *midna_domain_to_utf8(const char *);
  extern const char *midna_domain_suffix_to_ascii(const char *);
  extern const char *midna_domain_suffix_to_utf8(const char *);
++extern void midna_domain_pre_chroot(void);
  extern int midna_domain_cache_size;
  extern int midna_domain_transitional;

Ubuntupostfix package