[An on-line version of this announcement will be available at http://www.postfix.org/announcements/postfix-2.9.6.html]
Postfix stable release 2.9.6, and legacy releases 2.8.14, 2.7.13, 2.6.19 are available. They contain fixes and workarounds that are also part of Postfix 2.10.
Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP client and server used an incorrect procedure to compute TLS certificate PUBLIC-KEY fingerprints (these may be used in the check_ccert_access and in smtp_tls_policy_maps features). Support for certificate PUBLIC-KEY finger prints was introduced with Postfix 2.9; there is no known problem with the certificate fingerprint algorithms available since Postfix 2.2.
Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending a migration from configuration files with incorrect Postfix 2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct fingerprints used by Postfix 2.9.6 and later.
See the RELEASE_NOTES file for more details.
All supported releases:
The postconf(1) master.cf parser didn't support "clusters" of daemon command-line option letters.
The local(8) delivery agent dereferenced a null pointer while delivering to null command (for example, "|" in a .forward file). Reported by Gilles Chehade.
A memory leak fix for tls_misc.c was documented but not included.
You can find the updated Postfix source code at the mirrors listed at http://www.postfix.org/.