[An on-line version of this announcement will be available at http://www.postfix.org/announcements/postfix-3.3.2.html]
Changes for all supported stable releases:
Support for OpenSSL 1.1.1, and support for TLSv1.3-specific features.
Updated Postfix TLS documentation examples for TLSv1.3. See FORWARD_SECRECY_README.
New TLSv1.3-specific attributes in Postfix logging and in Postfix "Received:" message headers: key exchange, server signature, client signature.
New option to selectively disable TLSv1.3 in *_tls_protocols settings.
New server-side support to avoid issuing multiple session tickets.
New support to allow OpenSSL >= 1.1.0 run-time micro version bumps without logging Postfix warnings about library version mismatches.
Fixed in all stable releases:
Bugfix: smtpd_discard_ehlo_keywords could not disable "SMTPUTF8", because some lookup table was using "EHLO_MASK_SMTPUTF8" instead.
Bugfix: minor memory leak in DANE support when minting issuer certs. This affects a tiny minority of use cases.
Fixed in Postfix 3.3.2:
Bugfix: the Postfix build did not abort if the m4 command was not installed, resulting in a broken postconf command.
Changes for Postfix 3.0.14:
Additional Postfix TLS library updates to catch up with Postfix 3.1 and later. This was necessary to make support for OpenSSL 1.1.1 and TLSv1.3 feasible.
You can find the updated Postfix source code at the mirrors listed at http://www.postfix.org/.