Prereq: "3.4.7"
diff -ur --new-file /var/tmp/postfix-3.4.7/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.4.7/src/global/mail_version.h 2019-09-21 12:24:58.000000000 -0400
+++ ./src/global/mail_version.h 2019-11-24 15:40:32.000000000 -0500
@@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE "20190921"
-#define MAIL_VERSION_NUMBER "3.4.7"
+#define MAIL_RELEASE_DATE "20191124"
+#define MAIL_VERSION_NUMBER "3.4.8"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.4.7/HISTORY ./HISTORY
--- /var/tmp/postfix-3.4.7/HISTORY 2019-09-21 11:57:46.000000000 -0400
+++ ./HISTORY 2019-11-11 18:01:20.000000000 -0500
@@ -24293,3 +24293,29 @@
 https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59 changed the error status, incompatibly, from SSL_ERROR_NONE into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c.
+
+20191014
+
+ Bugfix (introduced: Postfix 2.8): don't gratuitously enable
+ all after-220 tests when only one such test is enabled.
+ This made selective tests impossible with 'good' clients.
+ File: postscreen/postscreen_smtpd.c.
+
+ Bugfix: the 20180903 postscreen fix for a misleading
+ "PIPELINING after BDAT" warning looked at the wrong variable.
+ The warning now says "BDAT without valid RCPT", and the
+ error is no longer treated as a command PIPELINING error
+ (but sending BDAT is still a client error, because postscreen
+ rejects all RCPT commands and does not announce PIPELINING
+ support). File: postscreen/postscreen_smtpd.c.
+
+20191109
+
+ Usability: the parser for key/certificate chain files
+ rejected inputs that contain an EC PARAMETERS object. While
+ this is technically correct (the documentation says what
+ types are allowed) this is surprising behavior because the
+ legacy cert/key parameters will accept such inputs. For
+ now, the parser skips object types that it does not know
+ about for usability, and logs a warning because ignoring
+ inputs is not kosher. Viktor and Wietse. File: tls/tls_certkey.c.
diff -ur --new-file /var/tmp/postfix-3.4.7/src/postscreen/postscreen_smtpd.c ./src/postscreen/postscreen_smtpd.c
--- /var/tmp/postfix-3.4.7/src/postscreen/postscreen_smtpd.c 2019-03-10 15:41:51.000000000 -0400
+++ ./src/postscreen/postscreen_smtpd.c 2019-11-11 17:51:04.000000000 -0500
@@ -591,6 +591,8 @@
      * never see DATA from a legitimate client, because 1) the server rejects
      * every recipient, and 2) the server does not announce PIPELINING.
      */
+    msg_info("DATA without valid RCPT from [%s]:%s",
+             PSC_CLIENT_ADDR_PORT(state));
     if (PSC_SMTPD_NEXT_TOKEN(args) != 0)
         PSC_CLEAR_EVENT_DROP_SESSION_STATE(state, psc_smtpd_time_event,
@@ -620,6 +622,8 @@
      * client, because 1) the server rejects every recipient, and 2) the
      * server does not announce PIPELINING.
      */
+    msg_info("BDAT without valid RCPT from [%s]:%s",
+             PSC_CLIENT_ADDR_PORT(state));
     if (state->ehlo_discard_mask & EHLO_MASK_CHUNKING)
         PSC_CLEAR_EVENT_DROP_SESSION_STATE(state, psc_smtpd_time_event,
@@ -1033,7 +1037,7 @@
         }
     }
     /* Command PIPELINING test. */
-    if ((state->flags & PSC_SMTPD_CMD_FLAG_HAS_PAYLOAD) == 0
+    if ((cmdp->flags & PSC_SMTPD_CMD_FLAG_HAS_PAYLOAD) == 0
         && (state->flags & PSC_STATE_MASK_PIPEL_TODO_SKIP) == PSC_STATE_FLAG_PIPEL_TODO
         && !PSC_SMTPD_BUFFER_EMPTY(state)) {
         printable(command, '?');
@@ -1172,16 +1176,18 @@
     state->read_state = PSC_SMTPD_CMD_ST_ANY;
     /*
-     * Opportunistically make postscreen more useful by turning on the
-     * pipelining and non-SMTP command tests when a pre-handshake test
-     * failed, or when some deep test is configured as enabled.
+     * Disable all after-220 tests when we need to reply with 421 and hang up
+     * after reading the next SMTP client command.
      *
-     * XXX Make "opportunistically" configurable for each test.
+     * Opportunistically make postscreen more useful, by turning on all
+     * after-220 tests when a bad client failed a before-220 test.
+     *
+     * Otherwise, only apply the explicitly-configured after-220 tests.
      */
-    if ((state->flags & PSC_STATE_FLAG_SMTPD_X21) == 0) {
-        state->flags |= PSC_STATE_MASK_SMTPD_TODO;
-    } else {
+    if (state->flags & PSC_STATE_FLAG_SMTPD_X21) {
         state->flags &= ~PSC_STATE_MASK_SMTPD_TODO;
+    } else if (state->flags & PSC_STATE_MASK_ANY_FAIL) {
+        state->flags |= PSC_STATE_MASK_SMTPD_TODO;
     }
     /*
diff -ur --new-file /var/tmp/postfix-3.4.7/src/tls/tls_certkey.c ./src/tls/tls_certkey.c
--- /var/tmp/postfix-3.4.7/src/tls/tls_certkey.c 2019-03-07 18:57:10.000000000 -0500
+++ ./src/tls/tls_certkey.c 2019-11-09 20:54:25.000000000 -0500
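Review bot: The repaired condition pairs two different flag owners on adjacent lines — `cmdp->flags` with the per-command constant `PSC_SMTPD_CMD_FLAG_HAS_PAYLOAD`, and `state->flags` with the per-session `PSC_STATE_MASK_PIPEL_TODO_SKIP` — and the removed line shows exactly how the wrong owner ends up next to a constant without a compiler complaint. A comment that names the two sources makes the pairing checkable by eye: `/* Command PIPELINING test. HAS_PAYLOAD is a per-command flag (cmdp->flags); PIPEL_TODO_SKIP is per-session state (state->flags). */`. The enclosing function starts and ends outside the hunk.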
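Review bot: The new comment's last paragraph, `Otherwise, only apply the explicitly-configured after-220 tests.`, has no matching code branch: after the `else if` nothing in this hunk touches `state->flags`, so the configured TODO bits must already be present from earlier code (inferred; the function begins and ends outside the hunk). Saying so stops the next reader from hunting for a missing `else`, e.g. `* Otherwise, leave state->flags alone: the explicitly-configured after-220 TODO bits are already set by the time we get here.`. The condition also tests `PSC_STATE_MASK_ANY_FAIL` while the comment speaks of a before-220 failure; if that mask covers after-220 failure bits too, the two agree only because no after-220 test can have run at this point, which is worth one more clause in the comment.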
@@ -413,8 +413,7 @@
             && strcmp(name, PEM_STRING_DSA) == 0)) {
         load_pkey(st, pkey_type, buf, buflen);
     } else if (!st->mixed) {
-        msg_warn("error loading %s: unexpected PEM type: %s", st->source, name);
-        st->state = PEM_LOAD_STATE_NOGO;
+        msg_warn("loading %s: ignoring PEM type: %s", st->source, name);
     }
     OPENSSL_free(name);
     OPENSSL_free(header);
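Review bot: Only the `!st->mixed` path logs `loading %s: ignoring PEM type: %s`; with `st->mixed` set an unrecognized object is dropped with no log line, as it already was before the change, but now the non-mixed path no longer refuses the file either, so both modes skip and only one of them says so. If silent skipping in mixed mode is intended, a comment on the `} else if (!st->mixed) {` line should state it, e.g. `/* Mixed cert+key files: unknown objects are skipped silently, presumably matching the legacy loader. */`; if not, the warning belongs outside the `!st->mixed` test. Because an ignored object no longer sets `PEM_LOAD_STATE_NOGO`, a file consisting only of unknown types now reaches whatever end-of-input check follows instead of failing here; that check is outside the hunk, so confirm it still reports a missing key or certificate. The enclosing function starts and ends outside the hunk.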