[For updated versions of this announcement please see https://www.postfix.org/announcements/postfix-3.7.4.html]
Fixed in Postfix 3.7, 3.6, 3.5, 3.4:
Workaround: with OpenSSL 3 and later always turn on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed opportunities for TLS session reuse. This is safe because the SMTP protocol implements application-level framing, and is therefore not affected by TLS truncation attacks. Fix by Viktor Dukhovni.
Workaround: OpenSSL 3.x EVP_get_digestbyname() can return lazily-bound handles for digest implementations. In sufficiently hostile configurations, Postfix could mistakenly believe that a digest algorithm is available, and fail when it is not. A similar workaround may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.
Bugfix (bug introduced in Postfix 2.11): the checkok() macro in tls/tls_fprint.c evaluated its argument unconditionally; it should evaluate the argument only if there was no prior error. Found during code review.
Bugfix (bug introduced in Postfix 2.8): postscreen died with a segmentation violation when postscreen_dnsbl_threshold < 1. It should reject such input with a fatal error instead. Discovered by Benny Pedersen.
Bitrot: fixes for linker warnings from newer Darwin (MacOS) versions. Viktor Dukhovni.
Portability: Linux 6 support.
Fixed in Postfix 3.4, 3.5:
Workaround: shut up compiler warnings for legitimate string comparison expressions. Back-ported from Postfix 3.6.
Fixed in Postfix 3.7:
Added missing documentation that cidr:, pcre: and regexp: tables support inline specification only in Postfix 3.7 and later.
You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.