Prereq: "3.6.11"
diff -ur --new-file /var/tmp/postfix-3.6.11/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.6.11/src/global/mail_version.h	2023-09-01 09:12:06.000000000 -0400
+++ ./src/global/mail_version.h	2023-11-01 12:55:57.000000000 -0400
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20230901"
-#define MAIL_VERSION_NUMBER	"3.6.11"
+#define MAIL_RELEASE_DATE	"20231101"
+#define MAIL_VERSION_NUMBER	"3.6.12"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.6.11/HISTORY ./HISTORY
--- /var/tmp/postfix-3.6.11/HISTORY	2023-09-01 09:18:15.000000000 -0400
+++ ./HISTORY	2023-10-31 14:52:19.000000000 -0400
@@ -26008,3 +26008,31 @@
 	This problem was reported first in the context of TLSA
 	record lookups. Files: util/valid_hostname.[hc],
 	dns/dns_lookup.c.
+
+20230929
+
+	Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
+	SMTP server was waiting for a client command instead of
+	replying immediately, after a client certificate verification
+	error in TLS wrappermode. Reported by Andreas Kinzler. File:
+	smtpd/smtpd.c.
+
+20231006
+
+	Usability: the Postfix SMTP server now attempts to log the
+	SASL username after authentication failure. In Postfix
+	logging, this appends ", sasl_username=xxx" after the reason
+	for SASL authentication failure. The logging replaces an
+	unavailable reason with "(reason unavailable)", and replaces
+	an unavailable sasl_username with "(unavailable)". Based
+	on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
+	xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
+
+20231026
+
+	Bugfix (defect introduced: Postfix 2.11): in forward_path,
+	the expression ${recipient_delimiter} would expand to an
+	empty string when a recipient address had no recipient
+	delimiter. Fixed by restoring Postfix 2.10 behavior to use
+	a configured recipient delimiter value. Reported by Tod
+	A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
diff -ur --new-file /var/tmp/postfix-3.6.11/html/postconf.5.html ./html/postconf.5.html
--- /var/tmp/postfix-3.6.11/html/postconf.5.html	2023-06-05 16:58:05.000000000 -0400
+++ ./html/postconf.5.html	2023-11-01 12:40:56.000000000 -0400
@@ -3719,7 +3719,10 @@
 <dt><b>$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b></dt>
 
 <dd>The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system-wide recipient
 address extension delimiter (Postfix 2.10 and earlier). </dd>
 
 <dt><b>${name?value}</b></dt>
diff -ur --new-file /var/tmp/postfix-3.6.11/man/man5/postconf.5 ./man/man5/postconf.5
--- /var/tmp/postfix-3.6.11/man/man5/postconf.5	2023-06-05 16:58:05.000000000 -0400
+++ ./man/man5/postconf.5	2023-11-01 12:40:57.000000000 -0400
@@ -2336,7 +2336,10 @@
 .br
 .IP "\fB$recipient_delimiter\fR"
 The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system\-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system\-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system\-wide recipient
 address extension delimiter (Postfix 2.10 and earlier).
 .br
 .IP "\fB${name?value}\fR"
diff -ur --new-file /var/tmp/postfix-3.6.11/proto/postconf.proto ./proto/postconf.proto
--- /var/tmp/postfix-3.6.11/proto/postconf.proto	2023-06-05 16:21:24.000000000 -0400
+++ ./proto/postconf.proto	2023-10-31 19:40:02.000000000 -0400
@@ -1738,7 +1738,10 @@
 <dt><b>$recipient_delimiter</b></dt>
 
 <dd>The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system-wide recipient
 address extension delimiter (Postfix 2.10 and earlier). </dd>
 
 <dt><b>${name?value}</b></dt>
diff -ur --new-file /var/tmp/postfix-3.6.11/src/local/local_expand.c ./src/local/local_expand.c
--- /var/tmp/postfix-3.6.11/src/local/local_expand.c	2014-12-06 20:35:33.000000000 -0500
+++ ./src/local/local_expand.c	2023-10-26 16:28:20.000000000 -0400
@@ -138,6 +138,8 @@
     } else if (STREQ(name, "recipient_delimiter")) {
 	rcpt_delim[0] =
 	    local->state->msg_attr.local[strlen(local->state->msg_attr.user)];
+	if (rcpt_delim[0] == 0)
+	    rcpt_delim[0] = var_rcpt_delim[0];
 	rcpt_delim[1] = 0;
 	return (rcpt_delim[0] ? rcpt_delim : 0);
 #if 0
diff -ur --new-file /var/tmp/postfix-3.6.11/src/smtpd/smtpd.c ./src/smtpd/smtpd.c
--- /var/tmp/postfix-3.6.11/src/smtpd/smtpd.c	2023-06-05 16:23:05.000000000 -0400
+++ ./src/smtpd/smtpd.c	2023-10-26 18:39:56.000000000 -0400
@@ -5133,15 +5133,16 @@
     if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) {
 
 	/*
-	 * Fetch and reject the next command (should be EHLO), then
-	 * disconnect (side-effect of returning "421 ...".
+	 * In non-wrappermode, fetch the next command (should be EHLO). Reply
+	 * with 421, then disconnect (as a side-effect of replying with 421).
 	 */
 	cert_present = TLS_CERT_IS_PRESENT(state->tls_context);
 	msg_info("NOQUEUE: abort: TLS from %s: %s",
 		 state->namaddr, cert_present ?
 		 "Client certificate not trusted" :
 		 "No client certificate presented");
-	smtpd_chat_query(state);
+	if (var_smtpd_tls_wrappermode == 0)
+	    smtpd_chat_query(state);
 	smtpd_chat_reply(state, "421 4.7.1 %s Error: %s",
 			 var_myhostname, cert_present ?
 			 "Client certificate not trusted" :
diff -ur --new-file /var/tmp/postfix-3.6.11/src/smtpd/smtpd_sasl_glue.c ./src/smtpd/smtpd_sasl_glue.c
--- /var/tmp/postfix-3.6.11/src/smtpd/smtpd_sasl_glue.c	2020-08-30 17:03:46.000000000 -0400
+++ ./src/smtpd/smtpd_sasl_glue.c	2023-10-30 19:20:15.000000000 -0400
@@ -340,9 +340,11 @@
 	}
     }
     if (status != XSASL_AUTH_DONE) {
-	msg_warn("%s: SASL %s authentication failed: %s",
-		 state->namaddr, sasl_method,
-		 STR(state->sasl_reply));
+	sasl_username = xsasl_server_get_username(state->sasl_server);
+	msg_warn("%s: SASL %.100s authentication failed: %s, sasl_username=%.100s",
+		 state->namaddr, sasl_method, *STR(state->sasl_reply) ?
+		 STR(state->sasl_reply) : "(reason unavailable)",
+		 sasl_username ? sasl_username : "(unavailable)");
 	/* RFC 4954 Section 6. */
 	if (status == XSASL_AUTH_TEMP)
 	    smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s",
diff -ur --new-file /var/tmp/postfix-3.6.11/src/xsasl/xsasl_cyrus_server.c ./src/xsasl/xsasl_cyrus_server.c
--- /var/tmp/postfix-3.6.11/src/xsasl/xsasl_cyrus_server.c	2016-06-25 20:45:17.000000000 -0400
+++ ./src/xsasl/xsasl_cyrus_server.c	2023-10-30 19:20:15.000000000 -0400
@@ -625,16 +625,15 @@
     /*
      * XXX Do not free(serverout).
      */
+    if (server->username)
+	myfree(server->username);
     sasl_status = sasl_getprop(server->sasl_conn, SASL_USERNAME, &serverout);
     if (sasl_status != SASL_OK || serverout == 0) {
-	msg_warn("%s: sasl_getprop SASL_USERNAME botch: %s",
-		 myname, xsasl_cyrus_strerror(sasl_status));
-	return (0);
+	server->username = 0;
+    } else {
+	server->username = mystrdup(serverout);
+	printable(server->username, '?');
     }
-    if (server->username)
-	myfree(server->username);
-    server->username = mystrdup(serverout);
-    printable(server->username, '?');
     return (server->username);
 }