[A hyperlinked version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.11.0.html]
Postfix stable release 3.11.0 is available. Postfix 3.7 - 3.10 were updated a few weeks ago; after that, Postfix 3.7 will no longer be updated.
The main changes are below. See the RELEASE_NOTES file for further details.
Berkeley DB migration:
Some (Linux) distributions are removing support for BerkeleyDB databases (In Postfix, this means we lose support for the hash: and btree: lookup tables). See NON_BERKELEYDB_README for manual and partially automatic migration from btree: to lmdb:, and from hash: to lmdb: or cdb:.
The loss of BerkeleyDB affects Mailman versions that want to execute commands like "postmap hash:/path/to/file" when a mailing list is added or removed. Postfix provides a way to redirect such commands to a supported database type.
You don't have to wait until BerkeleyDB support is removed. It can make sense to migrate while BerkeleyDB support is still available (mainly, less downtime).
Changes in TLS support:
Default TLS security. The Postfix SMTP client smtp_tls_security_level default value is "may" if Postfix was built with TLS support, and the compatibility_level is 3.11 or higher.
Support for the RFC 8689 "REQUIRETLS" verb in ESMTP. This requires that every SMTP (and LMTP) server in the forward path is strongly authenticated with DANE, STS, or equivalent, and that every server announces REQUIRETLS support.
See REQUIRETLS_README for suggestions to carefully enforce REQUIRETLS without causing massive mail delivery problems.
Logging the TLS security level. This shows the desired and actual TLS security level enforcement status and, if a message requests REQUIRETLS, the REQUIRETLS policy enforcement status. For a list of examples see smtp_log_tls_feature_status
Workaround for an interface mismatch between the Postfix SMTP client and MTA-STS policy plugins. This introduces a new parameter smtp_tls_enforce_sts_mx_patterns (default: "yes"). The MTA-STS plugin configuration needs to enable TLSRPT support, so that it forwards STS policy attributes to Postfix. Both postfix-tlspol and postfix-mta-sts-resolver have been updated accordingly.
With this, the Postfix SMTP client will connect to an MX host only if its name matches any STS policy MX host pattern, and will match a server certificate against the MX hostname. Otherwise, the old behavior stays in effect: connect to any MX host listed in DNS, and match a server certificate against any STS policy MX host pattern.
Post-quantum cryptography support. With OpenSSL 3.5 and later, change the tls_eecdh_auto_curves default value to avoid problems with network infrastructure that mishandles TLS hello messages larger than one (Ethernet) TCP segment. This problem is more generally known as "protocol ossification".
Miscellaneous changes:
Deprecation of obsolete parameters. Postfix programs log a warning that these parameters will be removed. See DEPRECATION_README for a list of deprecated parameters.
JSON output support with "postconf -j|-jM|-jF|-jP", "postalias -jq|-js", "postmap -jq|-js", and "postmulti -jl". No support is planned for JSON input support.
Milter support: improved Milter error handling for messages that arrive over a long-lived SMTP connection, by changing the default milter_default_action from "tempfail" to the new "shutdown" action (i.e. disconnect the remote SMTP client). This was already back-ported to earlier stable releases.
There are more changes; see RELEASE_NOTES for those.
You can find the Postfix source code at the mirrors listed at https://www.postfix.org/.