Prereq: "3.5.20"
diff -ur --new-file /var/tmp/postfix-3.5.20/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.5.20/src/global/mail_version.h 2023-06-05 16:40:09.000000000 -0400
+++ ./src/global/mail_version.h 2023-09-01 09:07:38.000000000 -0400
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20230605"
-#define MAIL_VERSION_NUMBER "3.5.20"
+#define MAIL_RELEASE_DATE "20230901"
+#define MAIL_VERSION_NUMBER "3.5.21"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.5.20/HISTORY ./HISTORY
--- /var/tmp/postfix-3.5.20/HISTORY 2023-06-05 16:34:00.000000000 -0400
+++ ./HISTORY 2023-09-01 09:18:15.000000000 -0400
@@ -25346,3 +25346,28 @@
 (default: no) to disconnect remote SMTP clients that violate RFC 2920 (or 5321) command pipelining constraints. Files: global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
+
+20230815
+
+ Bugfix (bug introduced: 20140218): when opportunistic TLS fails
+ during or after the handshake, don't require that a probe
+ message spent a minimum time-in-queue before falling back to
+ plaintext. Problem reported by Serg. File: smtp/smtp.h.
+
+20230819
+
+ Bugfix (defect introduced: 19980207): the valid_hostname()
+ check in the Postfix DNS client library was blocking unusual
+ but legitimate wildcard names (*.name) in some DNS lookup
+ results and lookup requests. Examples:
+
+ name class/type value
+ *.one.example IN CNAME *.other.example
+ *.other.example IN A 10.0.0.1
+ *.other.example IN TLSA ..certificate info...
+
+ Such syntax is blesed in RFC 1034 section 4.3.3.
+
+ This problem was reported first in the context of TLSA
+ record lookups. Files: util/valid_hostname.[hc],
+ dns/dns_lookup.c.
diff -ur --new-file /var/tmp/postfix-3.5.20/src/dns/dns_lookup.c ./src/dns/dns_lookup.c
--- /var/tmp/postfix-3.5.20/src/dns/dns_lookup.c 2021-01-16 11:24:08.000000000 -0500
+++ ./src/dns/dns_lookup.c 2023-09-01 09:06:29.000000000 -0400
@@ -657,7 +657,7 @@
 if (valid_hostaddr(name, DONT_GRIPE)) {
 result = PASS_NAME;
 gripe = "numeric domain name";
- } else if (!valid_hostname(name, DO_GRIPE)) {
+ } else if (!valid_hostname(name, DO_GRIPE | DO_WILDCARD)) {
 result = REJECT_NAME;
 gripe = "malformed domain name";
 } else {
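Review bot: The new `DO_WILDCARD` on the request-name screen (`valid_hostname(name, DO_GRIPE | DO_WILDCARD)`) carries no comment saying why a leading `*` label is now acceptable in a name that is about to be queried, and the same applies to the `DONT_GRIPE | DO_WILDCARD` call in the @@ -978 hunk. As far as the HISTORY entry states it, the reason is that RFC 1034 section 4.3.3 wildcard owner names appear in CNAME and TLSA answers and are then re-used as lookup names; a reader of dns_lookup.c alone cannot recover that. Suggest `/* DO_WILDCARD: RFC 1034 4.3.3 wildcard owner names (*.name) occur in answers and in follow-up lookups. */` above the first call. The enclosing function starts and ends outside the hunk.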
@@ -978,7 +978,7 @@
 /*
 * The Linux resolver misbehaves when given an invalid domain name.
 */
- if (strcmp(name, ".") && !valid_hostname(name, DONT_GRIPE)) {
+ if (strcmp(name, ".") && !valid_hostname(name, DONT_GRIPE | DO_WILDCARD)) {
 if (why)
 vstring_sprintf(why,
 "Name service error for %s: invalid host or domain name",
diff -ur --new-file /var/tmp/postfix-3.5.20/src/smtp/smtp.h ./src/smtp/smtp.h
--- /var/tmp/postfix-3.5.20/src/smtp/smtp.h 2019-06-15 15:19:51.000000000 -0400
+++ ./src/smtp/smtp.h 2023-09-01 09:06:29.000000000 -0400
@@ -481,17 +481,19 @@
 (session->state->request->msg_stats.active_arrival.tv_sec - \
 session->state->request->msg_stats.incoming_arrival.tv_sec)
+#define TRACE_REQ_ONLY (DEL_REQ_TRACE_ONLY(state->request->flags))
+
 #define PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE \
 (session->tls_context == 0 \
 && state->tls->level == TLS_LEV_MAY \
- && PREACTIVE_DELAY >= var_min_backoff_time \
+ && (TRACE_REQ_ONLY || PREACTIVE_DELAY >= var_min_backoff_time) \
 && !HAVE_SASL_CREDENTIALS)
 #define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \
 (session->tls_context != 0 \
 && SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \
 && state->tls->level == TLS_LEV_MAY \
- && PREACTIVE_DELAY >= var_min_backoff_time \
+ && (TRACE_REQ_ONLY || PREACTIVE_DELAY >= var_min_backoff_time) \
 && !HAVE_SASL_CREDENTIALS)
 /*
diff -ur --new-file /var/tmp/postfix-3.5.20/src/util/valid_hostname.c ./src/util/valid_hostname.c
--- /var/tmp/postfix-3.5.20/src/util/valid_hostname.c 2015-01-29 07:16:48.000000000 -0500
+++ ./src/util/valid_hostname.c 2023-09-01 09:06:29.000000000 -0400
@@ -83,7 +83,7 @@
 /* valid_hostname - screen out bad hostnames */
-int valid_hostname(const char *name, int gripe)
+int valid_hostname(const char *name, int flags)
 {
 const char *myname = "valid_hostname";
 const char *cp;
@@ -91,6 +91,7 @@
 int label_count = 0;
 int non_numeric = 0;
 int ch;
+ int gripe = flags & DO_GRIPE;
 /*
 * Trivial cases first.
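Review bot: `TRACE_REQ_ONLY` is added without a comment stating what it short-circuits: a trace-only (probe) delivery may now fall back to plaintext at once, while ordinary mail still has to have spent `var_min_backoff_time` in the queue, and the reason for that exemption is recorded only in HISTORY. Both PLAINTEXT_FALLBACK_OK_* macros get the identical `(TRACE_REQ_ONLY || ...)` clause, so one comment on the new define covers both; suggest `/* A probe (trace-only) request is not retried, so its time-in-queue cannot reach var_min_backoff_time; let it fall back without the wait. */` — the "not retried" part is my inference from the bugfix description, confirm before adopting. Like its neighbours, the macro relies on a local named `state` at the expansion site, which is worth a word in the same comment.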
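Review bot: `int gripe = flags & DO_GRIPE;` narrows the former boolean argument to bit 0: a caller that passed any non-zero value other than `DO_GRIPE` previously got the warnings (the old code only tested `if (gripe)`) and now silently does not. The two calls in dns_lookup.c in this patch pass the named constants and are fine; other callers are outside the hunks and I cannot check them. A comment on the new declaration, e.g. `/* DO_GRIPE and DO_WILDCARD are independent bits; see valid_hostname.h */`, would make the flag-word contract visible here, and the DESCRIPTION block at the top of valid_hostname.c (not touched by this patch) presumably still describes the second argument as `gripe` — it should document the flags if so. The function body continues past the hunk.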
@@ -116,6 +117,15 @@
 }
 if (!ISDIGIT(ch))
 non_numeric = 1;
+ } else if ((flags & DO_WILDCARD) && ch == '*') {
+ if (label_length || label_count || (cp[1] && cp[1] != '.')) {
+ if (gripe)
+ msg_warn("%s: '*' can be the first label only: %.100s", myname, name);
+ return (0);
+ }
+ label_count++;
+ label_length++;
+ non_numeric = 1;
 } else if (ch == '.') {
 if (label_length == 0 || cp[1] == 0) {
 if (gripe)
diff -ur --new-file /var/tmp/postfix-3.5.20/src/util/valid_hostname.h ./src/util/valid_hostname.h
--- /var/tmp/postfix-3.5.20/src/util/valid_hostname.h 2012-06-15 15:17:32.000000000 -0400
+++ ./src/util/valid_hostname.h 2023-09-01 09:06:29.000000000 -0400
@@ -18,6 +18,8 @@
 #define DONT_GRIPE 0
 #define DO_GRIPE 1
+#define DONT_WILDCARD 0
+#define DO_WILDCARD (1<<1)
 extern int valid_hostname(const char *, int);
 extern int valid_hostaddr(const char *, int);
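Review bot: The condition `(cp[1] && cp[1] != '.')` accepts a bare `*` (cp[1] == 0) as a complete valid name, although the HISTORY entry and the warning text ("'*' can be the first label only") describe `*.name` forms. If a lone `*` is not intended, `if (label_length || label_count || cp[1] != '.')` rejects it and still accepts `*.other.example`; if it is intended, a one-line comment saying so would stop the next reader from "fixing" it. The branch otherwise mirrors the alphanumeric case (label_count and label_length bumped, non_numeric set), and the existing `.` handling below still rejects `*.` with a trailing dot through its `cp[1] == 0` test. The enclosing loop starts and ends outside the hunk.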