Prereq: "3.0.8"
diff -cr --new-file /var/tmp/postfix-3.0.8/src/global/mail_version.h ./src/global/mail_version.h
*** /var/tmp/postfix-3.0.8/src/global/mail_version.h	2017-01-01 11:48:36.000000000 -0500
--- ./src/global/mail_version.h	2017-06-10 16:23:26.000000000 -0400
***************
*** 20,27 ****
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20170101"
! #define MAIL_VERSION_NUMBER	"3.0.8"
  
  #ifdef SNAPSHOT
  #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- 20,27 ----
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20170610"
! #define MAIL_VERSION_NUMBER	"3.0.9"
  
  #ifdef SNAPSHOT
  #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -cr --new-file /var/tmp/postfix-3.0.8/HISTORY ./HISTORY
*** /var/tmp/postfix-3.0.8/HISTORY	2017-01-01 11:38:14.000000000 -0500
--- ./HISTORY	2017-06-10 16:05:12.000000000 -0400
***************
*** 21843,21845 ****
--- 21843,21859 ----
  	senders with "smtpd_reject_unlisted_recipient = yes" or
  	with reject_unlisted_sender.  Stephen R. van den Berg (Mr.
  	procmail).  Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
+ 
+ 20170430
+ 
+ 	Safety net: append a null byte to vstring buffers, so that
+ 	C-style string operations won't scribble past the end. File:
+ 	vstring.c.
+ 
+ 20170610
+ 
+ 	Workaround (introduced: Postfix 3.0 20140718): prevent MIME
+ 	downgrade of Postfix-generated message/delivery status.
+ 	It's supposed to be 7bit, therefore quoted-printable encoding
+ 	is not expected. Problem reported by Griff. File:
+ 	bounce/bounce_notify_util.c.
diff -cr --new-file /var/tmp/postfix-3.0.8/src/bounce/bounce_notify_util.c ./src/bounce/bounce_notify_util.c
*** /var/tmp/postfix-3.0.8/src/bounce/bounce_notify_util.c	2015-01-26 15:00:13.000000000 -0500
--- ./src/bounce/bounce_notify_util.c	2017-06-10 14:47:25.000000000 -0400
***************
*** 637,643 ****
  		      (bounce_info->smtputf8 & SMTPUTF8_FLAG_REQUESTED) ?
  		      "global-" : "");
      /* Fix 20140709: addresses may be 8bit. */
!     if (NOT_7BIT_MIME(bounce_info))
  	post_mail_fprintf(bounce, "Content-Transfer-Encoding: %s",
  			  bounce_info->mime_encoding);
  
--- 637,645 ----
  		      (bounce_info->smtputf8 & SMTPUTF8_FLAG_REQUESTED) ?
  		      "global-" : "");
      /* Fix 20140709: addresses may be 8bit. */
!     if (NOT_7BIT_MIME(bounce_info)
!     /* BC Fix 20170610: prevent MIME downgrade of message/delivery-status. */
! 	&& (bounce_info->smtputf8 & SMTPUTF8_FLAG_REQUESTED))
  	post_mail_fprintf(bounce, "Content-Transfer-Encoding: %s",
  			  bounce_info->mime_encoding);
  
diff -cr --new-file /var/tmp/postfix-3.0.8/src/util/vstring.c ./src/util/vstring.c
*** /var/tmp/postfix-3.0.8/src/util/vstring.c	2014-12-25 11:47:17.000000000 -0500
--- ./src/util/vstring.c	2017-06-10 16:21:48.000000000 -0400
***************
*** 280,285 ****
--- 280,289 ----
  #include "vbuf_print.h"
  #include "vstring.h"
  
+ #ifndef SSIZE_T_MAX
+ #define SSIZE_T_MAX __MAXINT__(ssize_t)
+ #endif
+ 
  /* vstring_extend - variable-length string buffer extension policy */
  
  static void vstring_extend(VBUF *bp, ssize_t incr)
***************
*** 299,308 ****
       * (The tests are redundant as long as mymalloc() and myrealloc() reject
       * negative length parameters).
       */
!     new_len = bp->len + (bp->len > incr ? bp->len : incr);
!     if (new_len <= bp->len)
  	msg_fatal("vstring_extend: length overflow");
!     bp->data = (unsigned char *) myrealloc((void *) bp->data, new_len);
      bp->len = new_len;
      bp->ptr = bp->data + used;
      bp->cnt = bp->len - used;
--- 303,315 ----
       * (The tests are redundant as long as mymalloc() and myrealloc() reject
       * negative length parameters).
       */
!     if (bp->len > incr)
! 	incr = bp->len;
!     if (bp->len > SSIZE_T_MAX - incr - 1)
  	msg_fatal("vstring_extend: length overflow");
!     new_len = bp->len + incr;
!     bp->data = (unsigned char *) myrealloc((void *) bp->data, new_len + 1);
!     bp->data[new_len] = 0;
      bp->len = new_len;
      bp->ptr = bp->data + used;
      bp->cnt = bp->len - used;
***************
*** 342,353 ****
  {
      VSTRING *vp;
  
!     if (len < 1)
  	msg_panic("vstring_alloc: bad length %ld", (long) len);
      vp = (VSTRING *) mymalloc(sizeof(*vp));
      vp->vbuf.flags = 0;
      vp->vbuf.len = 0;
!     vp->vbuf.data = (unsigned char *) mymalloc(len);
      vp->vbuf.len = len;
      VSTRING_RESET(vp);
      vp->vbuf.data[0] = 0;
--- 349,361 ----
  {
      VSTRING *vp;
  
!     if (len < 1 || len > SSIZE_T_MAX - 1)
  	msg_panic("vstring_alloc: bad length %ld", (long) len);
      vp = (VSTRING *) mymalloc(sizeof(*vp));
      vp->vbuf.flags = 0;
      vp->vbuf.len = 0;
!     vp->vbuf.data = (unsigned char *) mymalloc(len + 1);
!     vp->vbuf.data[len] = 0;
      vp->vbuf.len = len;
      VSTRING_RESET(vp);
      vp->vbuf.data[0] = 0;