Prereq: "3.10.5"
diff -ur --new-file /var/tmp/postfix-3.10.5/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.10.5/src/global/mail_version.h 2025-10-26 18:48:02.000000000 -0400
+++ ./src/global/mail_version.h 2025-11-25 12:18:20.000000000 -0500
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20251026"
-#define MAIL_VERSION_NUMBER "3.10.5"
+#define MAIL_RELEASE_DATE "20251125"
+#define MAIL_VERSION_NUMBER "3.10.6"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.10.5/HISTORY ./HISTORY
--- /var/tmp/postfix-3.10.5/HISTORY 2025-10-24 11:06:14.000000000 -0400
+++ ./HISTORY 2025-11-25 14:45:54.000000000 -0500
@@ -29208,3 +29208,43 @@ with "database X is older than source file Y". Files: util/dict.c, util/dict_db.c, util/dict_dbm.c, util/dict_lmdb.c, util/dict_sdbm.c. + +20251024 + + Logging: with "smtp_tls_enforce_sts_mx_patterns=yes" and + TLSRPT support enabled in a TLS policy plugin, the Postfix + SMTP client logs a warning when an MX hostname does not + match STS policy MX patterns; it logs a successful match + when verbose logging is enabled. File: smtp/smtp_tls_policy.c. + +20251027 + + Bugfix (defect introduced: Postfix 3.10, date: 20240902): + SMTP client null pointer crash when an STS policy plugin + sends no policy_string or no mx_pattern attributes. This + can happen only during tests with a fake STS plugin. File: + smtp/smtp_tlsrpt.c. + +20251028 + + Documentation: removed incorrect text from the parameter + description for smtp_cname_overrides_servername. File: + proto/postconf.proto. + +20251031 + + Bugfix (defect introduced: Postfix 3.10, date 20250117): + support for "TLS-Required: no" broke client-side TLS wrappermode + support, by downgrading a connection to TLS security level 'may'. + The solution is to change the downgrade level for wrappermode + connections to 'encrypt'. Rationale: by design, TLS can be + optional only for connections that use STARTTLS. The downgrade + to unauthenticated 'encrypt' allows a sender to avoid an email + delivery problem. Problem reported by Joshua Tyler Cochran. + File: smtp/smtp_tls_policy.c. + +20251120 + + Bugfix (defect introduced: Postfix 2.9, date: 20120307): + segfault with duplicate parameter name in "postconf -X" or + "postconf -#'. File: postconf/postconf_edit.c. diff -ur --new-file /var/tmp/postfix-3.10.5/html/postconf.5.html ./html/postconf.5.html --- /var/tmp/postfix-3.10.5/html/postconf.5.html 2025-10-26 18:52:23.000000000 -0400 +++ ./html/postconf.5.html 2025-11-25 12:31:07.000000000 -0500 @@ -11373,10 +11373,6 @@ password file lookups more predictable. This is the default setting as of Postfix 2.3.

-

When DNS CNAME records are validated with secure DNS lookups -(smtp_dns_support_level = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later).

-

This feature is available in Postfix 2.2.9 and later.

diff -ur --new-file /var/tmp/postfix-3.10.5/man/man5/postconf.5 ./man/man5/postconf.5 --- /var/tmp/postfix-3.10.5/man/man5/postconf.5 2025-10-26 18:52:23.000000000 -0400 +++ ./man/man5/postconf.5 2025-11-25 12:31:07.000000000 -0500 @@ -7136,10 +7136,6 @@ password file lookups more predictable. This is the default setting as of Postfix 2.3. .PP -When DNS CNAME records are validated with secure DNS lookups -(smtp_dns_support_level = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later). -.PP This feature is available in Postfix 2.2.9 and later. .SH smtp_connect_timeout (default: 30s) The Postfix SMTP client time limit for completing a TCP connection, or diff -ur --new-file /var/tmp/postfix-3.10.5/proto/postconf.proto ./proto/postconf.proto --- /var/tmp/postfix-3.10.5/proto/postconf.proto 2025-10-24 10:41:15.000000000 -0400 +++ ./proto/postconf.proto 2025-11-25 12:19:06.000000000 -0500 @@ -11398,10 +11398,6 @@ password file lookups more predictable. This is the default setting as of Postfix 2.3.

-

When DNS CNAME records are validated with secure DNS lookups -(smtp_dns_support_level = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later).

-

This feature is available in Postfix 2.2.9 and later.

 %PARAM lmtp_cname_overrides_servername yes
diff -ur --new-file /var/tmp/postfix-3.10.5/src/postconf/postconf_edit.c ./src/postconf/postconf_edit.c
--- /var/tmp/postfix-3.10.5/src/postconf/postconf_edit.c 2025-10-23 16:03:49.000000000 -0400
+++ ./src/postconf/postconf_edit.c 2025-11-25 12:20:32.000000000 -0500
@@ -209,8 +209,10 @@
 msg_panic("pcf_edit_main: unknown mode %d", mode);
 }
 if ((cvalue = htable_find(table, pattern)) != 0) {
- msg_warn("ignoring earlier request: '%s = %s'",
- pattern, cvalue->value);
+ if (edit_value && cvalue->value
+ && strcmp(edit_value, cvalue->value) != 0)
+ msg_warn("ignoring earlier request: '%s = %s'",
+ pattern, cvalue->value);
 htable_delete(table, pattern, myfree);
 }
 cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
diff -ur --new-file /var/tmp/postfix-3.10.5/src/smtp/smtp_tls_policy.c ./src/smtp/smtp_tls_policy.c
--- /var/tmp/postfix-3.10.5/src/smtp/smtp_tls_policy.c 2025-10-24 10:41:15.000000000 -0400
+++ ./src/smtp/smtp_tls_policy.c 2025-11-25 14:31:07.000000000 -0500
@@ -187,9 +187,16 @@
 } else
 #endif
 aname = name;
- for (pattp = tls->ext_mx_host_patterns->argv; *pattp; pattp++)
- if (match_sts_mx_host_pattern(*pattp, aname))
+ for (pattp = tls->ext_mx_host_patterns->argv; *pattp; pattp++) {
+ if (match_sts_mx_host_pattern(*pattp, aname)) {
+ if (msg_verbose)
+ msg_info("MX name '%s' matches STS MX pattern for '%s'",
+ aname, tls->ext_policy_domain ? tls->ext_policy_domain : "");
 return (1);
+ }
+ }
+ msg_warn("MX name '%s' does not match STS MX pattern for '%s'",
+ aname, tls->ext_policy_domain ? tls->ext_policy_domain : "");
 return (0);
 }
 /* No applicable policy name patterns. */
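Review bot: The added guard in pcf_edit_main also suppresses the "ignoring earlier request" warning when a parameter is repeated with an identical value, which is a user-visible change beyond the -X/-# null-pointer crash described in HISTORY, and nothing at the site says which of the two null checks is the crash fix. A short comment would keep the next reader from "simplifying" it back to the old unconditional msg_warn: `/* -X and -# requests carry no value (edit_value == 0 and cvalue->value == 0); a repeated identical request is not worth a warning. */`. If one invocation can combine a value-less request with a valued one for the same name (not visible from the hunk), the earlier request is then dropped silently as well. The enclosing function continues outside the hunk.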
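Review bot: The for loop in the smtp_tls_policy.c hunk still dereferences `tls->ext_mx_host_patterns->argv` without a null check, while the smtp_tlsrpt.c hunk in this same patch introduces ARGV_OR_NULL precisely because a plugin may omit the mx_pattern attribute; unless the function guards that member before the hunk (its start is outside the hunk), the same plugin input would still crash here. The new mismatch msg_warn is unconditional while the match is logged only under msg_verbose; that asymmetry is intended per HISTORY but deserves a one-line comment such as `/* Always warn: an MX outside the STS patterns is a policy failure operators must see; a match is routine. */`. The `tls->ext_policy_domain ? tls->ext_policy_domain : ""` expression is repeated in both log calls and could be hoisted into a local before the loop.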
@@ -725,8 +732,13 @@
 if (STATE_TLS_NOT_REQUIRED(iter->parent)) {
 if (msg_verbose)
 msg_info("%s: no tls policy lookup", __func__);
- if (tls->level > TLS_LEV_MAY)
- tls->level = TLS_LEV_MAY;
+ if (var_smtp_tls_wrappermode) {
+ if (tls->level > TLS_LEV_ENCRYPT)
+ tls->level = TLS_LEV_ENCRYPT;
+ } else {
+ if (tls->level > TLS_LEV_MAY)
+ tls->level = TLS_LEV_MAY;
+ }
 } else if (tls_policy) {
 tls_policy_lookup(tls, &site_level, dest, "next-hop destination");
 } else if (tls_per_site) {
diff -ur --new-file /var/tmp/postfix-3.10.5/src/smtp/smtp_tlsrpt.c ./src/smtp/smtp_tlsrpt.c
--- /var/tmp/postfix-3.10.5/src/smtp/smtp_tlsrpt.c 2024-10-10 18:15:24.000000000 -0400
+++ ./src/smtp/smtp_tlsrpt.c 2025-11-25 14:23:32.000000000 -0500
@@ -306,13 +306,15 @@
 if (tls->ext_policy_type == 0)
 msg_panic("smtp_tlsrpt_set_ext_policy: no policy type");
 
+#define ARGV_OR_NULL(ap) ((ap) ? (ap)->argv : 0)
+
 switch (policy_type_val = convert_tlsrpt_policy_type(tls->ext_policy_type)) {
 case TLSRPT_POLICY_STS:
 trw_set_tls_policy(state->tlsrpt, policy_type_val,
- (const char *const *) tls->ext_policy_strings->argv,
+ (const char *const *) ARGV_OR_NULL(tls->ext_policy_strings),
 tls->ext_policy_domain,
- (const char *const *) tls->ext_mx_host_patterns->argv);
+ (const char *const *) ARGV_OR_NULL(tls->ext_mx_host_patterns));
 break;
 case TLSRPT_NO_POLICY_FOUND:
 smtp_tlsrpt_set_no_policy(state);
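Review bot: The wrappermode branch in the first hunk clamps a stronger configured level down to TLS_LEV_ENCRYPT for a "TLS-Required: no" message without any log line, so an operator cannot see afterwards that server authentication was dropped for that delivery; the msg_verbose line just above only reports that no policy lookup was done. Consider logging the effective level after the clamp, e.g. `if (msg_verbose) msg_info("%s: TLS-Required: no, tls level capped at %s", __func__, str_tls_level(tls->level));`. The reason the floor differs should also be stated at the site, since it is only in HISTORY: `/* Wrappermode has no STARTTLS, so TLS cannot be optional; 'encrypt' is the lowest usable level. */`. The two clamp branches duplicate the same pattern and could collapse to `int min_level = var_smtp_tls_wrappermode ? TLS_LEV_ENCRYPT : TLS_LEV_MAY; if (tls->level > min_level) tls->level = min_level;`. The enclosing function starts and ends outside the hunk.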