[An on-line version of this announcement will be available at http://www.postfix.org/announcements/postfix-3.5.4.html]
Fixed in Postfix 3.5.4, 3.4.14:
The connection_reuse attribute in smtp_tls_policy_maps always resulted in an "invalid attribute name" error. Fix by Thorsten Habich.
SMTP over TLS connection reuse always failed for Postfix SMTP client configurations that specify explicit trust anchors (remote SMTP server certificates or public keys). Reported by Thorsten Habich.
Fixed in Postfix versions 3.5.4, 3.4.14, 3.3.12, 3.2.17:
The Postfix SMTP client's DANE implementation would always send an SNI option with the name in a destination's MX record, even if the MX record pointed to a CNAME record. MX records that point to CNAME records are not conformant with RFC 5321, and so are rare.
The DANE survey of ~2 million hosts found that with the corrected SMTP client behavior (sending SNI with the CNAME-expanded name), the SMTP server would not send a different certificate. This fix should therefore be safe.
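The SNI name choice described above, as an added example that is not Postfix code: it models the before/after behavior over a constructed record table so an operator can see which MX hosts are affected. The record table, domain names, and function names are assumptions made for illustration.

```python
# Model of the SNI name choice described in the announcement.
# RECORDS is constructed sample data, not real DNS; all names are placeholders.
RECORDS = {
    ("example.org", "MX"): ["mail.example.org."],
    ("mail.example.org", "CNAME"): ["MX1.provider.example."],
    ("mx1.provider.example", "A"): ["192.0.2.25"],
    ("example.net", "MX"): ["mx.example.net."],
    ("mx.example.net", "A"): ["192.0.2.26"],
    ("loop.example", "MX"): ["a.loop.example."],
    ("a.loop.example", "CNAME"): ["b.loop.example."],
    ("b.loop.example", "CNAME"): ["a.loop.example."],
}

def norm(name):
    """Lower-case and drop the trailing dot so names compare equal."""
    return name.rstrip(".").lower()

def expand_cname(name, records, max_hops=8):
    """Follow CNAME records from name; raise ValueError on a loop or long chain."""
    name = norm(name)
    seen = {name}
    while (name, "CNAME") in records:
        name = norm(records[(name, "CNAME")][0])
        if name in seen or len(seen) > max_hops:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
    return name

def sni_report(domain, records):
    """For each MX host of domain, list the SNI name before and after the fix."""
    report = []
    for mx in records.get((norm(domain), "MX"), []):
        mx = norm(mx)
        try:
            expanded = expand_cname(mx, records)
        except ValueError:
            expanded = None  # could not expand; flag for manual review
        report.append({
            "mx": mx,
            "sni_before_fix": mx,        # name as written in the MX record
            "sni_after_fix": expanded,   # CNAME-expanded name
            "mx_points_to_cname": expanded != mx,
        })
    return report

if __name__ == "__main__":
    for d in ("example.org", "example.net", "loop.example"):
        print(d, sni_report(d, RECORDS))
```

Only destinations where mx_points_to_cname is true see a different SNI name after the fix.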
You can find the updated Postfix source code at the mirrors listed at http://www.postfix.org/.