Prereq: "2.11.1"
diff -cr --new-file /var/tmp/postfix-2.11.1/src/global/mail_version.h ./src/global/mail_version.h
*** /var/tmp/postfix-2.11.1/src/global/mail_version.h	2014-05-07 13:20:21.000000000 -0400
--- ./src/global/mail_version.h	2014-10-13 18:31:44.000000000 -0400
***************
*** 20,27 ****
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20140507"
! #define MAIL_VERSION_NUMBER	"2.11.1"
  
  #ifdef SNAPSHOT
  #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- 20,27 ----
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20141013"
! #define MAIL_VERSION_NUMBER	"2.11.2"
  
  #ifdef SNAPSHOT
  #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -cr --new-file /var/tmp/postfix-2.11.1/HISTORY ./HISTORY
*** /var/tmp/postfix-2.11.1/HISTORY	2014-05-07 13:45:58.000000000 -0400
--- ./HISTORY	2014-10-13 18:32:42.000000000 -0400
***************
*** 19574,19576 ****
--- 19574,19602 ----
  	reported by Sahil Tandon, predicate error found by Viktor,
  	redundant connection restore request eliminated by Wietse.
  	File: smtp/smtp_connect.c.
+ 
+ 20140619
+ 
+ 	Bugfix (introduced: 2001): qmqpd null pointer bug when it
+ 	logs a lost connection while not in a mail transaction.
+ 	Reported by Michal Adamek. File: qmqpd/qmqpd.c.
+ 
+ 20140920
+ 
+ 	Bugfix (introduced: 20080212): incorrect client name in
+ 	reject messages from check_reverse_client_hostname_access
+ 	and check_reverse_client_hostname_{mx,ns}_access.  They
+ 	replied with the verified client name, instead of the name
+ 	that was rejected.  Problem reported by Reindl Harald. File:
+ 	smtpd/smtpd_check.c.
+ 
+ 20141012
+ 
+ 	Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
+ 	action added headers ABOVE Postfix's own Received: header,
+ 	exposing Postfix's own Received: header to Milters (protocol
+ 	violation) and hiding the PREPENDed header from Milters.
+ 	The latter caused problems for DMARC implementations with
+ 	SPF policy plus DKIM Milter.  PREPENDed headers are now
+ 	added BELOW Postfix's own Received: header and remain visible
+ 	to Milters. File: smtpd/smtpd.c.
diff -cr --new-file /var/tmp/postfix-2.11.1/src/qmqpd/qmqpd.c ./src/qmqpd/qmqpd.c
*** /var/tmp/postfix-2.11.1/src/qmqpd/qmqpd.c	2012-11-05 11:34:59.000000000 -0500
--- ./src/qmqpd/qmqpd.c	2014-06-19 13:05:27.000000000 -0400
***************
*** 706,712 ****
       */
      if (state->reason && state->where)
  	msg_info("%s: %s: %s while %s",
! 	      state->queue_id, state->namaddr, state->reason, state->where);
  }
  
  /* qmqpd_service - service one client */
--- 706,713 ----
       */
      if (state->reason && state->where)
  	msg_info("%s: %s: %s while %s",
! 		 state->queue_id ? state->queue_id : "NOQUEUE",
! 		 state->namaddr, state->reason, state->where);
  }
  
  /* qmqpd_service - service one client */
diff -cr --new-file /var/tmp/postfix-2.11.1/src/smtpd/smtpd.c ./src/smtpd/smtpd.c
*** /var/tmp/postfix-2.11.1/src/smtpd/smtpd.c	2014-01-06 13:52:27.000000000 -0500
--- ./src/smtpd/smtpd.c	2014-10-13 18:11:40.000000000 -0400
***************
*** 2985,2997 ****
      }
  
      /*
-      * PREPEND message headers.
-      */
-     if (state->prepend)
- 	for (cpp = state->prepend->argv; *cpp; cpp++)
- 	    out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
- 
-     /*
       * Suppress our own Received: header in the unlikely case that we are an
       * intermediate proxy.
       */
--- 2985,2990 ----
***************
*** 3080,3085 ****
--- 3073,3090 ----
  		    "\t(envelope-from %s)", STR(state->buffer));
  #endif
      }
+ 
+     /*
+      * PREPEND message headers below our own Received: header. According
+      * https://www.milter.org/developers/api/smfi_insheader, Milters see only
+      * headers that have been sent by the SMTP client and those header
+      * modifications by earlier filters. Based on this we allow Milters to
+      * see headers added by access map or by policy service.
+      */
+     if (state->prepend)
+ 	for (cpp = state->prepend->argv; *cpp; cpp++)
+ 	    out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
+ 
      smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
      state->where = SMTPD_AFTER_DATA;
  
diff -cr --new-file /var/tmp/postfix-2.11.1/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c
*** /var/tmp/postfix-2.11.1/src/smtpd/smtpd_check.c	2013-11-12 13:00:11.000000000 -0500
--- ./src/smtpd/smtpd_check.c	2014-09-20 20:34:20.000000000 -0400
***************
*** 3844,3850 ****
  					 SMTPD_NAME_CLIENT, def_acl);
  	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) {
  	    status = check_namadr_access(state, *cpp, state->reverse_name, state->addr,
! 					 FULL, &found, state->namaddr,
  					 SMTPD_NAME_REV_CLIENT, def_acl);
  	    forbid_whitelist(state, name, status, state->reverse_name);
  	} else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) {
--- 3844,3850 ----
  					 SMTPD_NAME_CLIENT, def_acl);
  	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) {
  	    status = check_namadr_access(state, *cpp, state->reverse_name, state->addr,
! 					 FULL, &found, state->reverse_name,
  					 SMTPD_NAME_REV_CLIENT, def_acl);
  	    forbid_whitelist(state, name, status, state->reverse_name);
  	} else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) {
***************
*** 3927,3940 ****
  	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) {
  	    if (strcasecmp(state->reverse_name, "unknown") != 0) {
  		status = check_server_access(state, *cpp, state->reverse_name,
! 					     T_NS, state->namaddr,
  					     SMTPD_NAME_REV_CLIENT, def_acl);
  		forbid_whitelist(state, name, status, state->reverse_name);
  	    }
  	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) {
  	    if (strcasecmp(state->reverse_name, "unknown") != 0) {
  		status = check_server_access(state, *cpp, state->reverse_name,
! 					     T_MX, state->namaddr,
  					     SMTPD_NAME_REV_CLIENT, def_acl);
  		forbid_whitelist(state, name, status, state->reverse_name);
  	    }
--- 3927,3940 ----
  	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) {
  	    if (strcasecmp(state->reverse_name, "unknown") != 0) {
  		status = check_server_access(state, *cpp, state->reverse_name,
! 					     T_NS, state->reverse_name,
  					     SMTPD_NAME_REV_CLIENT, def_acl);
  		forbid_whitelist(state, name, status, state->reverse_name);
  	    }
  	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) {
  	    if (strcasecmp(state->reverse_name, "unknown") != 0) {
  		status = check_server_access(state, *cpp, state->reverse_name,
! 					     T_MX, state->reverse_name,
  					     SMTPD_NAME_REV_CLIENT, def_acl);
  		forbid_whitelist(state, name, status, state->reverse_name);
  	    }