diff --git a/.gitignore b/.gitignore
index 6725802..e27edc8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/pflogsumm-1.1.5.tar.gz
-SOURCES/postfix-3.3.1.tar.gz
+SOURCES/postfix-3.5.8.tar.gz
diff --git a/.postfix.metadata b/.postfix.metadata
index 0735629..32c6f41 100644
--- a/.postfix.metadata
+++ b/.postfix.metadata
@@ -1,2 +1,2 @@
 d18daa19d725e64c2b7e6c8da458b2d563272645 SOURCES/pflogsumm-1.1.5.tar.gz
-1b56e682298abf947be4921a5c0d50ba8012eee1 SOURCES/postfix-3.3.1.tar.gz
+1dfb10729498be5d387dc730117c2a845dd93ac0 SOURCES/postfix-3.5.8.tar.gz
diff --git a/SOURCES/README-RedHat.txt b/SOURCES/README-RedHat.txt
new file mode 100644
index 0000000..713eaf6
--- /dev/null
+++ b/SOURCES/README-RedHat.txt
@@ -0,0 +1,65 @@ +This Postfix build behaves differently from the upstream postfix-3.5.8. +It's because in RHEL-8 backward compatibility is kept to postfix-3.3.1. + +For the upstream postfix-3.5.8 behavior either run the following commands: + +# postconf info_log_address_format=external +# postconf smtpd_discard_ehlo_keywords= +# postconf rhel_ipv6_normalize=yes + +Or go through the following steps: + +1. Change the configuration option 'info_log_address_format' to 'external'. +In RHEL-8 it's by default set to 'internal' to mitigate [Incompat 20191109]. + +2. Change the configuration option 'smtpd_discard_ehlo_keywords' to ''. +In RHEL-8 it's by default set to 'chunking' to mitigate [Incompat 20180826]. + +3. Add RHEL-8 specific configuration option 'rhel_ipv6_normalize' and set it +to 'yes'. In RHEL-8 this option was added to mitigate [Incompat 20190427]. + +Details from the upstream RELEASE_NOTES: + +[Incompat 20191109] +Postfix daemon processes now log the from= and +to= addresses in external (quoted) form in non-debug logging (info, +warning, etc.). This means that when an address localpart contains +spaces or other special characters, the localpart will be quoted, +for example: + + from=<"name with spaces"@example.com> + +Older Postfix versions would log the internal (unquoted) form: + + from= + +The external and internal forms are identical for the vast majority +of email addresses that contain no spaces or other special characters +in the localpart. + +Specify "info_log_address_format = internal" for backwards +compatibility. + +The logging in external form is consistent with the address form +that Postfix 3.2 and later prefer for table lookups. It is therefore +the more useful form for non-debug logging. + +[Incompat 20180826] +The Postfix SMTP server announces CHUNKING (BDAT +command) by default. 
In the unlikely case that this breaks some +important remote SMTP client, disable the feature as follows: + +/etc/postfix/main.cf: + # The logging alternative: + smtpd_discard_ehlo_keywords = chunking + # The non-logging alternative: + smtpd_discard_ehlo_keywords = chunking, silent_discard + +See BDAT_README for more. + +[Incompat 20190427] +Postfix now normalizes IP addresses received +with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency +with direct connections to Postfix. This may change the appearance +of logging, and the way that check_client_access will match subnets +of an IPv6 address. diff --git a/SOURCES/postfix-3.1.0-alternatives.patch b/SOURCES/postfix-3.1.0-alternatives.patch deleted file mode 100644 index ff4e6c7..0000000 --- a/SOURCES/postfix-3.1.0-alternatives.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/conf/post-install b/conf/post-install -index 904cefa..5f1039b 100644 ---- a/conf/post-install -+++ b/conf/post-install -@@ -532,6 +532,17 @@ test -n "$create" && { - case $path in - no|no/*) continue;; - esac -+ # Munge paths for alternatives. -+ case $path in -+ /usr/bin/mailq) path=$path.postfix ;; -+ /usr/bin/newaliases) path=$path.postfix ;; -+ /usr/bin/rmail) path=$path.postfix ;; -+ /usr/sbin/sendmail) path=$path.postfix ;; -+ /usr/share/man/man1/mailq.1.gz) path=/usr/share/man/man1/mailq.postfix.1.gz ;; -+ /usr/share/man/man1/newaliases.1.gz) path=/usr/share/man/man1/newaliases.postfix.1.gz ;; -+ /usr/share/man/man5/aliases.5.gz) path=/usr/share/man/man5/aliases.postfix.5.gz ;; -+ /usr/share/man/man8/smtpd.8.gz) path=/usr/share/man/man8/smtpd.postfix.8.gz ;; -+ esac - # Pick up the flags. - case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac - case $flags in *c*) create_flag=1;; *) create_flag=;; esac diff --git a/SOURCES/postfix-3.1.0-files.patch b/SOURCES/postfix-3.1.0-files.patch deleted file mode 100644 index 273dbbd..0000000 --- a/SOURCES/postfix-3.1.0-files.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -diff --git a/conf/postfix-files b/conf/postfix-files -index a433f4f..3ecdb5b 100644 ---- a/conf/postfix-files -+++ b/conf/postfix-files -@@ -83,7 +83,6 @@ $shlib_directory/${LIB_PREFIX}sqlite${LIB_SUFFIX}:f:root:-:755 - $meta_directory/dynamicmaps.cf.d:d:root:-:755 - $meta_directory/dynamicmaps.cf:f:root:-:644 - $meta_directory/main.cf.proto:f:root:-:644 --$meta_directory/makedefs.out:f:root:-:644 - $meta_directory/master.cf.proto:f:root:-:644 - $meta_directory/postfix-files.d:d:root:-:755 - $meta_directory/postfix-files:f:root:-:644 -@@ -140,18 +139,13 @@ $command_directory/postqueue:f:root:$setgid_group:2755:u - $sendmail_path:f:root:-:755 - $newaliases_path:l:$sendmail_path - $mailq_path:l:$sendmail_path --$config_directory/LICENSE:f:root:-:644:1 --$config_directory/TLS_LICENSE:f:root:-:644:1 - $config_directory/access:f:root:-:644:p1 --$config_directory/aliases:f:root:-:644:p1 --$config_directory/bounce.cf.default:f:root:-:644:1 - $config_directory/canonical:f:root:-:644:p1 - $config_directory/cidr_table:f:root:-:644:o - $config_directory/generic:f:root:-:644:p1 - $config_directory/generics:f:root:-:644:o - $config_directory/header_checks:f:root:-:644:p1 - $config_directory/install.cf:f:root:-:644:o --$config_directory/main.cf.default:f:root:-:644:1 - $config_directory/main.cf:f:root:-:644:p - $config_directory/master.cf:f:root:-:644:p - $config_directory/pcre_table:f:root:-:644:o -@@ -164,8 +158,8 @@ $config_directory/postfix-script:f:root:-:755:o - $config_directory/postfix-script-sgid:f:root:-:755:o - $config_directory/postfix-script-nosgid:f:root:-:755:o - $config_directory/post-install:f:root:-:755:o --$manpage_directory/man1/mailq.1:f:root:-:644 --$manpage_directory/man1/newaliases.1:f:root:-:644 -+$manpage_directory/man1/mailq.postfix.1:f:root:-:644 -+$manpage_directory/man1/newaliases.postfix.1:f:root:-:644 - $manpage_directory/man1/postalias.1:f:root:-:644 - $manpage_directory/man1/postcat.1:f:root:-:644 - 
$manpage_directory/man1/postconf.1:f:root:-:644 -@@ -179,9 +173,9 @@ $manpage_directory/man1/postmap.1:f:root:-:644 - $manpage_directory/man1/postmulti.1:f:root:-:644 - $manpage_directory/man1/postqueue.1:f:root:-:644 - $manpage_directory/man1/postsuper.1:f:root:-:644 --$manpage_directory/man1/sendmail.1:f:root:-:644 -+$manpage_directory/man1/sendmail.postfix.1:f:root:-:644 - $manpage_directory/man5/access.5:f:root:-:644 --$manpage_directory/man5/aliases.5:f:root:-:644 -+$manpage_directory/man5/aliases.postfix.5:f:root:-:644 - $manpage_directory/man5/body_checks.5:f:root:-:644 - $manpage_directory/man5/bounce.5:f:root:-:644 - $manpage_directory/man5/canonical.5:f:root:-:644 -@@ -228,7 +222,7 @@ $manpage_directory/man8/qmqpd.8:f:root:-:644 - $manpage_directory/man8/scache.8:f:root:-:644 - $manpage_directory/man8/showq.8:f:root:-:644 - $manpage_directory/man8/smtp.8:f:root:-:644 --$manpage_directory/man8/smtpd.8:f:root:-:644 -+$manpage_directory/man8/smtpd.postfix.8:f:root:-:644 - $manpage_directory/man8/spawn.8:f:root:-:644 - $manpage_directory/man8/tlsproxy.8:f:root:-:644 - $manpage_directory/man8/tlsmgr.8:f:root:-:644 diff --git a/SOURCES/postfix-3.2.0-config.patch b/SOURCES/postfix-3.2.0-config.patch deleted file mode 100644 index fd62120..0000000 --- a/SOURCES/postfix-3.2.0-config.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -diff --git a/conf/main.cf b/conf/main.cf -index 7af8bde..fbe5c62 100644 ---- a/conf/main.cf -+++ b/conf/main.cf -@@ -132,6 +132,10 @@ mail_owner = postfix - #inet_interfaces = all - #inet_interfaces = $myhostname - #inet_interfaces = $myhostname, localhost -+inet_interfaces = localhost -+ -+# Enable IPv4, and IPv6 if supported -+inet_protocols = all - - # The proxy_interfaces parameter specifies the network interface - # addresses that this mail system receives mail on by way of a -@@ -176,7 +180,7 @@ mail_owner = postfix - # - # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". - # --#mydestination = $myhostname, localhost.$mydomain, localhost -+mydestination = $myhostname, localhost.$mydomain, localhost - #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain - #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, - # mail.$mydomain, www.$mydomain, ftp.$mydomain -@@ -398,7 +402,7 @@ unknown_local_recipient_reject_code = 550 - # "postfix reload" to eliminate the delay. - # - #alias_maps = dbm:/etc/aliases --#alias_maps = hash:/etc/aliases -+alias_maps = hash:/etc/aliases - #alias_maps = hash:/etc/aliases, nis:mail.aliases - #alias_maps = netinfo:/aliases - -@@ -409,7 +413,7 @@ unknown_local_recipient_reject_code = 550 - # - #alias_database = dbm:/etc/aliases - #alias_database = dbm:/etc/mail/aliases --#alias_database = hash:/etc/aliases -+alias_database = hash:/etc/aliases - #alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases - - # ADDRESS EXTENSIONS (e.g., user+foo) -@@ -479,7 +483,27 @@ unknown_local_recipient_reject_code = 550 - # - # Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" - # listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. 
--#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp -+#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp -+ -+# If using the cyrus-imapd IMAP server deliver local mail to the IMAP -+# server using LMTP (Local Mail Transport Protocol), this is prefered -+# over the older cyrus deliver program by setting the -+# mailbox_transport as below: -+# -+# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp -+# -+# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via -+# these settings. -+# -+# local_destination_recipient_limit = 300 -+# local_destination_concurrency_limit = 5 -+# -+# Of course you should adjust these settings as appropriate for the -+# capacity of the hardware you are using. The recipient limit setting -+# can be used to take advantage of the single instance message store -+# capability of Cyrus. The concurrency limit can be used to control -+# how many simultaneous LMTP sessions will be permitted to the Cyrus -+# message store. - # - # Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and - # subsequent line in master.cf. -@@ -499,8 +523,7 @@ unknown_local_recipient_reject_code = 550 - # the main.cf file, otherwise the SMTP server will reject mail for - # non-UNIX accounts with "User unknown in local recipient table". - # --#fallback_transport = lmtp:unix:/file/name --#fallback_transport = cyrus -+#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp - #fallback_transport = - - # The luser_relay parameter specifies an optional destination address -@@ -673,4 +696,41 @@ sample_directory = - # readme_directory: The location of the Postfix README files. - # - readme_directory = --inet_protocols = ipv4 -+ -+# TLS CONFIGURATION -+# -+# Basic Postfix TLS configuration by default with self-signed certificate -+# for inbound SMTP and also opportunistic TLS for outbound SMTP. -+ -+# The full pathname of a file with the Postfix SMTP server RSA certificate -+# in PEM format. 
Intermediate certificates should be included in general, -+# the server certificate first, then the issuing CA(s) (bottom-up order). -+# -+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem -+ -+# The full pathname of a file with the Postfix SMTP server RSA private key -+# in PEM format. The private key must be accessible without a pass-phrase, -+# i.e. it must not be encrypted. -+# -+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key -+ -+# Announce STARTTLS support to remote SMTP clients, but do not require that -+# clients use TLS encryption (opportunistic TLS inbound). -+# -+smtpd_tls_security_level = may -+ -+# Directory with PEM format Certification Authority certificates that the -+# Postfix SMTP client uses to verify a remote SMTP server certificate. -+# -+smtp_tls_CApath = /etc/pki/tls/certs -+ -+# The full pathname of a file containing CA certificates of root CAs -+# trusted to sign either remote SMTP server certificates or intermediate CA -+# certificates. -+# -+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt -+ -+# Use TLS if this is supported by the remote SMTP server, otherwise use -+# plaintext (opportunistic TLS outbound). -+# -+smtp_tls_security_level = may -diff --git a/conf/master.cf b/conf/master.cf -index b67ed59..a9633ba 100644 ---- a/conf/master.cf -+++ b/conf/master.cf -@@ -96,14 +96,14 @@ scache unix - - n - 1 scache - # Also specify in main.cf: cyrus_destination_recipient_limit=1 - # - #cyrus unix - n n - - pipe --# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -+# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} - # - # ==================================================================== - # - # Old example of delivery via Cyrus. 
- # - #old-cyrus unix - n n - - pipe --# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} -+# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} - # - # ==================================================================== - # diff --git a/SOURCES/postfix-3.2.0-large-fs.patch b/SOURCES/postfix-3.2.0-large-fs.patch deleted file mode 100644 index 227d1b7..0000000 --- a/SOURCES/postfix-3.2.0-large-fs.patch +++ /dev/null @@ -1,37 +0,0 @@ -diff --git a/src/util/fsspace.c b/src/util/fsspace.c -index 50a4aa7..beef3db 100644 ---- a/src/util/fsspace.c -+++ b/src/util/fsspace.c -@@ -91,8 +91,15 @@ void fsspace(const char *path, struct fsspace * sp) - - if (statvfs(path, &fsbuf) < 0) - msg_fatal("statvfs %s: %m", path); -- sp->block_size = fsbuf.f_frsize; -- sp->block_free = fsbuf.f_bavail; -+ if (fsbuf.f_frsize > 0) -+ sp->block_size = fsbuf.f_frsize; -+ else -+ sp->block_size = fsbuf.f_bsize; -+ /* 4G of FS blocks is surely enough space to put a mail in */ -+ sp->block_free = 0; -+ sp->block_free = ~sp->block_free; -+ if (fsbuf.f_bavail < sp->block_free) -+ sp->block_free = fsbuf.f_bavail; - #endif - if (msg_verbose) - msg_info("%s: %s: block size %lu, blocks free %lu", -diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h -index 3f570c4..611d9cd 100644 ---- a/src/util/sys_defs.h -+++ b/src/util/sys_defs.h -@@ -768,8 +768,8 @@ extern int initgroups(const char *, int); - #define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0) - #define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin" - #define FIONREAD_IN_TERMIOS_H --#define USE_STATFS --#define STATFS_IN_SYS_VFS_H -+#define USE_STATVFS -+#define STATVFS_IN_SYS_STATVFS_H - #define PREPEND_PLUS_TO_OPTSTRING - #define HAS_POSIX_REGEXP - #define HAS_DLOPEN diff --git a/SOURCES/postfix-3.3.1-posttls-finger-unix-fix.patch b/SOURCES/postfix-3.3.1-posttls-finger-unix-fix.patch deleted file mode 100644 index cbfe96d..0000000 
--- a/SOURCES/postfix-3.3.1-posttls-finger-unix-fix.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/posttls-finger/posttls-finger.c b/src/posttls-finger/posttls-finger.c -index 5f559b4..86a8b01 100644 ---- a/src/posttls-finger/posttls-finger.c -+++ b/src/posttls-finger/posttls-finger.c -@@ -1409,7 +1409,7 @@ static int connect_dest(STATE *state) - */ - if (state->smtp == 0) { - if (strncmp(dest, "unix:", 5) == 0) { -- connect_unix(state, dest + 5); -+ state->stream = connect_unix(state, dest + 5); - if (!state->stream) - msg_info("Failed to establish session to %s: %s", - dest, vstring_str(state->why->reason)); diff --git a/SOURCES/postfix-3.3.1-ref-search-fix.patch b/SOURCES/postfix-3.3.1-ref-search-fix.patch deleted file mode 100644 index c7d831e..0000000 --- a/SOURCES/postfix-3.3.1-ref-search-fix.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/dns/dns_lookup.c b/src/dns/dns_lookup.c -index 1ea98b3..1bfeb7e 100644 ---- a/src/dns/dns_lookup.c -+++ b/src/dns/dns_lookup.c -@@ -396,7 +396,7 @@ static int dns_res_search(const char *name, int class, int type, - if (keep_notfound) - /* Prepare for returning a null-padded server reply. */ - memset(answer, 0, anslen); -- len = res_query(name, class, type, answer, anslen); -+ len = res_search(name, class, type, answer, anslen); - /* Begin API creep workaround. */ - if (len < 0 && h_errno == 0) { - SET_H_ERRNO(TRY_AGAIN); diff --git a/SOURCES/postfix-3.3.1-tlsv13.patch b/SOURCES/postfix-3.3.1-tlsv13.patch deleted file mode 100644 index 0dfb935..0000000 --- a/SOURCES/postfix-3.3.1-tlsv13.patch +++ /dev/null 
@@ -1,124 +0,0 @@ ---- postfix-3.3.1/man/man5/postconf.5 -+++ postfix-3.3.2/man/man5/postconf.5 -@@ -8076,6 +8077,9 @@ - "SSLv3"). The latest patch levels of Postfix >= 2.6, and all - versions of Postfix >= 2.10 can explicitly disable support for - "TLSv1.1" or "TLSv1.2". -+.PP -+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3". - .PP - At the dane and - dane\-only security -@@ -8391,6 +8397,9 @@ - and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all - versions of Postfix >= 2.10 can explicitly disable support for - "TLSv1.1" or "TLSv1.2" -+.PP -+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3". - .PP - To include a protocol list its name, to exclude it, prefix the name - with a "!" character. To exclude SSLv2 for opportunistic TLS set -@@ -11669,6 +11679,9 @@ - versions of Postfix >= 2.10 can disable support for "TLSv1.1" or - "TLSv1.2". - .PP -+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3". -+.PP - Example: - .PP - .nf -@@ -11697,6 +11711,9 @@ - and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all - versions of Postfix >= 2.10 can disable support for "TLSv1.1" or - "TLSv1.2". -+.PP -+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3". - .PP - To include a protocol list its name, to exclude it, prefix the name - with a "!" character. To exclude SSLv2 for opportunistic TLS set ---- postfix-3.3.1/proto/postconf.proto -+++ postfix-3.3.2/proto/postconf.proto -@@ -11208,6 +11210,9 @@ - "SSLv3"). The latest patch levels of Postfix ≥ 2.6, and all - versions of Postfix ≥ 2.10 can explicitly disable support for - "TLSv1.1" or "TLSv1.2".

-+ -+

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3".

- -

At the dane and - dane-only security -@@ -11405,6 +11411,9 @@ - disabled. The latest patch levels of Postfix ≥ 2.6, and all - versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or - "TLSv1.2".

-+ -+

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3".

- -

Example:

- -@@ -12561,6 +12573,9 @@ - and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all - versions of Postfix ≥ 2.10 can explicitly disable support for - "TLSv1.1" or "TLSv1.2"

-+ -+

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3".

- -

To include a protocol list its name, to exclude it, prefix the name - with a "!" character. To exclude SSLv2 for opportunistic TLS set -@@ -12593,6 +12609,9 @@ - and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all - versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or - "TLSv1.2".

-+ -+

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3".

- -

To include a protocol list its name, to exclude it, prefix the name - with a "!" character. To exclude SSLv2 for opportunistic TLS set ---- postfix-3.3.1/src/tls/tls.h -+++ postfix-3.3.2/src/tls/tls.h -@@ -372,10 +415,15 @@ - #define SSL_OP_NO_TLSv1_2 0L /* Noop */ - #endif - --#ifdef SSL_TXT_TLSV1_3 -+ /* -+ * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our -+ * own. -+ */ -+#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3" -+ -+#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3) - #define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */ - #else --#define SSL_TXT_TLSV1_3 "TLSv1.3" - #define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */ - #undef SSL_OP_NO_TLSv1_3 - #define SSL_OP_NO_TLSv1_3 0L /* Noop */ -@@ -383,7 +431,7 @@ - - #define TLS_KNOWN_PROTOCOLS \ - ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \ -- | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 ) -+ | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 ) - #define TLS_SSL_OP_PROTOMASK(m) \ - ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \ - | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \ ---- postfix-3.3.1/src/tls/tls_misc.c -+++ postfix-3.3.2/src/tls/tls_misc.c -@@ -279,7 +306,7 @@ - SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, - SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1, - SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2, -- SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, -+ TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, - 0, TLS_PROTOCOL_INVALID, - }; - diff --git a/SOURCES/postfix-3.3.3-alternatives.patch b/SOURCES/postfix-3.3.3-alternatives.patch new file mode 100644 index 0000000..2c3ba18 --- /dev/null +++ b/SOURCES/postfix-3.3.3-alternatives.patch 
@@ -0,0 +1,22 @@
+diff --git a/conf/post-install b/conf/post-install
+index 25ef7e6..4fd6434 100644
+--- a/conf/post-install
++++ b/conf/post-install
+@@ -537,6 +537,17 @@ test -n "$create" && {
+ case $path in
+ no|no/*) continue;;
+ esac
++ # Munge paths for alternatives.
++ case $path in
++ /usr/bin/mailq) path=$path.postfix ;;
++ /usr/bin/newaliases) path=$path.postfix ;;
++ /usr/bin/rmail) path=$path.postfix ;;
++ /usr/sbin/sendmail) path=$path.postfix ;;
++ /usr/share/man/man1/mailq.1.gz) path=/usr/share/man/man1/mailq.postfix.1.gz ;;
++ /usr/share/man/man1/newaliases.1.gz) path=/usr/share/man/man1/newaliases.postfix.1.gz ;;
++ /usr/share/man/man5/aliases.5.gz) path=/usr/share/man/man5/aliases.postfix.5.gz ;;
++ /usr/share/man/man8/smtpd.8.gz) path=/usr/share/man/man8/smtpd.postfix.8.gz ;;
++ esac
+ # Pick up the flags.
+ case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac
+ case $flags in *c*) create_flag=1;; *) create_flag=;; esac
diff --git a/SOURCES/postfix-3.4.0-files.patch b/SOURCES/postfix-3.4.0-files.patch
new file mode 100644
index 0000000..ad73553
--- /dev/null
+++ b/SOURCES/postfix-3.4.0-files.patch
@@ -0,0 +1,63 @@
+diff --git a/conf/postfix-files b/conf/postfix-files
+index 4ed9d1f..19711d2 100644
+--- a/conf/postfix-files
++++ b/conf/postfix-files
+@@ -83,7 +83,6 @@ $shlib_directory/${LIB_PREFIX}sqlite${LIB_SUFFIX}:f:root:-:755
+ $meta_directory/dynamicmaps.cf.d:d:root:-:755
+ $meta_directory/dynamicmaps.cf:f:root:-:644
+ $meta_directory/main.cf.proto:f:root:-:644
+-$meta_directory/makedefs.out:f:root:-:644
+ $meta_directory/master.cf.proto:f:root:-:644
+ $meta_directory/postfix-files.d:d:root:-:755
+ $meta_directory/postfix-files:f:root:-:644
+@@ -141,18 +140,13 @@ $command_directory/postqueue:f:root:$setgid_group:2755:u
+ $sendmail_path:f:root:-:755
+ $newaliases_path:l:$sendmail_path
+ $mailq_path:l:$sendmail_path
+-$config_directory/LICENSE:f:root:-:644:1
+-$config_directory/TLS_LICENSE:f:root:-:644:1
+ $config_directory/access:f:root:-:644:p1
+-$config_directory/aliases:f:root:-:644:p1
+-$config_directory/bounce.cf.default:f:root:-:644:1
+ $config_directory/canonical:f:root:-:644:p1
+ $config_directory/cidr_table:f:root:-:644:o
+ $config_directory/generic:f:root:-:644:p1
+ $config_directory/generics:f:root:-:644:o
+ $config_directory/header_checks:f:root:-:644:p1
+ $config_directory/install.cf:f:root:-:644:o
+-$config_directory/main.cf.default:f:root:-:644:1
+ $config_directory/main.cf:f:root:-:644:p
+ $config_directory/master.cf:f:root:-:644:p
+ $config_directory/pcre_table:f:root:-:644:o
+@@ -165,8 +159,8 @@ $config_directory/postfix-script:f:root:-:755:o
+ $config_directory/postfix-script-sgid:f:root:-:755:o
+ $config_directory/postfix-script-nosgid:f:root:-:755:o
+ $config_directory/post-install:f:root:-:755:o
+-$manpage_directory/man1/mailq.1:f:root:-:644
+-$manpage_directory/man1/newaliases.1:f:root:-:644
++$manpage_directory/man1/mailq.postfix.1:f:root:-:644
++$manpage_directory/man1/newaliases.postfix.1:f:root:-:644
+ $manpage_directory/man1/postalias.1:f:root:-:644
+ $manpage_directory/man1/postcat.1:f:root:-:644
+ $manpage_directory/man1/postconf.1:f:root:-:644
+@@ -180,9 +174,9 @@ $manpage_directory/man1/postmap.1:f:root:-:644
+ $manpage_directory/man1/postmulti.1:f:root:-:644
+ $manpage_directory/man1/postqueue.1:f:root:-:644
+ $manpage_directory/man1/postsuper.1:f:root:-:644
+-$manpage_directory/man1/sendmail.1:f:root:-:644
++$manpage_directory/man1/sendmail.postfix.1:f:root:-:644
+ $manpage_directory/man5/access.5:f:root:-:644
+-$manpage_directory/man5/aliases.5:f:root:-:644
++$manpage_directory/man5/aliases.postfix.5:f:root:-:644
+ $manpage_directory/man5/body_checks.5:f:root:-:644
+ $manpage_directory/man5/bounce.5:f:root:-:644
+ $manpage_directory/man5/canonical.5:f:root:-:644
+@@ -230,7 +224,7 @@ $manpage_directory/man8/qmqpd.8:f:root:-:644
+ $manpage_directory/man8/scache.8:f:root:-:644
+ $manpage_directory/man8/showq.8:f:root:-:644
+ $manpage_directory/man8/smtp.8:f:root:-:644
+-$manpage_directory/man8/smtpd.8:f:root:-:644
++$manpage_directory/man8/smtpd.postfix.8:f:root:-:644
+ $manpage_directory/man8/spawn.8:f:root:-:644
+ $manpage_directory/man8/tlsproxy.8:f:root:-:644
+ $manpage_directory/man8/tlsmgr.8:f:root:-:644
diff --git a/SOURCES/postfix-3.4.0-large-fs.patch b/SOURCES/postfix-3.4.0-large-fs.patch
new file mode 100644
index 0000000..fbc55f1
--- /dev/null
+++ b/SOURCES/postfix-3.4.0-large-fs.patch
@@ -0,0 +1,37 @@
+diff --git a/src/util/fsspace.c b/src/util/fsspace.c
+index 50a4aa7..beef3db 100644
+--- a/src/util/fsspace.c
++++ b/src/util/fsspace.c
+@@ -91,8 +91,15 @@ void fsspace(const char *path, struct fsspace * sp)
+ 
+ if (statvfs(path, &fsbuf) < 0)
+ msg_fatal("statvfs %s: %m", path);
+- sp->block_size = fsbuf.f_frsize;
+- sp->block_free = fsbuf.f_bavail;
++ if (fsbuf.f_frsize > 0)
++ sp->block_size = fsbuf.f_frsize;
++ else
++ sp->block_size = fsbuf.f_bsize;
++ /* 4G of FS blocks is surely enough space to put a mail in */
++ sp->block_free = 0;
++ sp->block_free = ~sp->block_free;
++ if (fsbuf.f_bavail < sp->block_free)
++ sp->block_free = fsbuf.f_bavail;
+ #endif
+ if (msg_verbose)
+ msg_info("%s: %s: block size %lu, blocks free %lu",
+diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h
+index a8d2571..ad07498 100644
+--- a/src/util/sys_defs.h
++++ b/src/util/sys_defs.h
+@@ -769,8 +769,8 @@ extern int initgroups(const char *, int);
+ #define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
+ #define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
+ #define FIONREAD_IN_TERMIOS_H
+-#define USE_STATFS
+-#define STATFS_IN_SYS_VFS_H
++#define USE_STATVFS
++#define STATVFS_IN_SYS_STATVFS_H
+ #define PREPEND_PLUS_TO_OPTSTRING
+ #define HAS_POSIX_REGEXP
+ #define HAS_DLOPEN
diff --git a/SOURCES/postfix-3.4.4-chroot-example-fix.patch b/SOURCES/postfix-3.4.4-chroot-example-fix.patch
new file mode 100644
index 0000000..5870b4c
--- /dev/null
+++ b/SOURCES/postfix-3.4.4-chroot-example-fix.patch
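Review bot: The added comment `/* 4G of FS blocks is surely enough space to put a mail in */` describes the clamp only for a 32-bit `block_free`. The `%lu` in the `msg_info` call a few lines down suggests the field is an `unsigned long`, so on a 64-bit build the all-ones limit is far above 4G and the saturation effectively never applies, which the comment does not say. The pair `sp->block_free = 0; sp->block_free = ~sp->block_free;` is also an indirect way to write the field's maximum; I would replace the comment with `/* Saturate at the largest value block_free can hold, so a wider f_bavail is not silently truncated. */`. `fsspace()` starts and ends outside this hunk, so the non-statvfs branches are not covered by this note.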
@@ -0,0 +1,35 @@
+--- a/examples/chroot-setup/LINUX2 2006-01-01 15:53:58.000000000 -0800
++++ b/examples/chroot-setup/LINUX2 2016-11-27 00:45:52.145301784 -0800
+@@ -45,14 +45,14 @@
+ # 20060101 /lib64 support by Keith Owens.
+ #
+ 
+-CP="cp -p"
++CP="cp -p -Z"
+ 
+ cond_copy() {
+ # find files as per pattern in $1
+ # if any, copy to directory $2
+ dir=`dirname "$1"`
+ pat=`basename "$1"`
+- lr=`find "$dir" -maxdepth 1 -name "$pat"`
++ lr=`find "$dir/" -maxdepth 1 -name "$pat"`
+ if test ! -d "$2" ; then exit 1 ; fi
+ if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
+ }
+@@ -63,8 +63,8 @@
+ POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
+ cd ${POSTFIX_DIR}
+ 
+-mkdir -p etc lib usr/lib/zoneinfo
+-test -d /lib64 && mkdir -p lib64
++mkdir -p -Z etc lib usr/lib/zoneinfo
++test -d /lib64 && mkdir -p -Z lib64
+ 
+ # find localtime (SuSE 5.3 does not have /etc/localtime)
+ lt=/etc/localtime
+@@ -88,4 +88,3 @@
+ cond_copy '/lib64/libdb.so*' lib64
+ fi
+ 
+-postfix reload
diff --git a/SOURCES/postfix-3.5.0-config.patch b/SOURCES/postfix-3.5.0-config.patch
new file mode 100644
index 0000000..da42263
--- /dev/null
+++ b/SOURCES/postfix-3.5.0-config.patch
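Review bot: The `-Z` added in `CP="cp -p -Z"` and in both `mkdir -p -Z` calls carries no comment, so the next maintainer cannot tell that it is there for SELinux labelling. `-Z` is a GNU coreutils option that gives each new file the policy's default context for its destination path; which type the copied libraries and `etc` files receive therefore depends on the file-context entries for `$POSTFIX_DIR`, which this patch does not show and which should be checked on a test host with `ls -Z`. I would add `# -Z: label chroot copies with the policy default for the destination path` above the `CP=` line. The last inner hunk also removes `postfix reload` without a replacement hint; a closing `# reload Postfix after running this script` comment would keep that step visible to the admin.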
@@ -0,0 +1,145 @@ +diff --git a/conf/main.cf b/conf/main.cf +index 7af8bde..495e346 100644 +--- a/conf/main.cf ++++ b/conf/main.cf +@@ -132,6 +132,10 @@ mail_owner = postfix + #inet_interfaces = all + #inet_interfaces = $myhostname + #inet_interfaces = $myhostname, localhost ++inet_interfaces = localhost ++ ++# Enable IPv4, and IPv6 if supported ++inet_protocols = all + + # The proxy_interfaces parameter specifies the network interface + # addresses that this mail system receives mail on by way of a +@@ -176,7 +180,7 @@ mail_owner = postfix + # + # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". + # +-#mydestination = $myhostname, localhost.$mydomain, localhost ++mydestination = $myhostname, localhost.$mydomain, localhost + #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain + #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, + # mail.$mydomain, www.$mydomain, ftp.$mydomain +@@ -398,7 +402,7 @@ unknown_local_recipient_reject_code = 550 + # "postfix reload" to eliminate the delay. + # + #alias_maps = dbm:/etc/aliases +-#alias_maps = hash:/etc/aliases ++alias_maps = hash:/etc/aliases + #alias_maps = hash:/etc/aliases, nis:mail.aliases + #alias_maps = netinfo:/aliases + +@@ -409,7 +413,7 @@ unknown_local_recipient_reject_code = 550 + # + #alias_database = dbm:/etc/aliases + #alias_database = dbm:/etc/mail/aliases +-#alias_database = hash:/etc/aliases ++alias_database = hash:/etc/aliases + #alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + + # ADDRESS EXTENSIONS (e.g., user+foo) +@@ -479,7 +483,27 @@ unknown_local_recipient_reject_code = 550 + # + # Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" + # listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. 
+-#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp ++#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp ++ ++# If using the cyrus-imapd IMAP server deliver local mail to the IMAP ++# server using LMTP (Local Mail Transport Protocol), this is prefered ++# over the older cyrus deliver program by setting the ++# mailbox_transport as below: ++# ++# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp ++# ++# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via ++# these settings. ++# ++# local_destination_recipient_limit = 300 ++# local_destination_concurrency_limit = 5 ++# ++# Of course you should adjust these settings as appropriate for the ++# capacity of the hardware you are using. The recipient limit setting ++# can be used to take advantage of the single instance message store ++# capability of Cyrus. The concurrency limit can be used to control ++# how many simultaneous LMTP sessions will be permitted to the Cyrus ++# message store. + # + # Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and + # subsequent line in master.cf. +@@ -499,8 +523,7 @@ unknown_local_recipient_reject_code = 550 + # the main.cf file, otherwise the SMTP server will reject mail for + # non-UNIX accounts with "User unknown in local recipient table". + # +-#fallback_transport = lmtp:unix:/file/name +-#fallback_transport = cyrus ++#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp + #fallback_transport = + + # The luser_relay parameter specifies an optional destination address +@@ -673,4 +696,41 @@ sample_directory = + # readme_directory: The location of the Postfix README files. + # + readme_directory = +-inet_protocols = ipv4 ++ ++# TLS CONFIGURATION ++# ++# Basic Postfix TLS configuration by default with self-signed certificate ++# for inbound SMTP and also opportunistic TLS for outbound SMTP. ++ ++# The full pathname of a file with the Postfix SMTP server RSA certificate ++# in PEM format. 
Intermediate certificates should be included in general, ++# the server certificate first, then the issuing CA(s) (bottom-up order). ++# ++smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem ++ ++# The full pathname of a file with the Postfix SMTP server RSA private key ++# in PEM format. The private key must be accessible without a pass-phrase, ++# i.e. it must not be encrypted. ++# ++smtpd_tls_key_file = /etc/pki/tls/private/postfix.key ++ ++# Announce STARTTLS support to remote SMTP clients, but do not require that ++# clients use TLS encryption (opportunistic TLS inbound). ++# ++smtpd_tls_security_level = may ++ ++# Directory with PEM format Certification Authority certificates that the ++# Postfix SMTP client uses to verify a remote SMTP server certificate. ++# ++smtp_tls_CApath = /etc/pki/tls/certs ++ ++# The full pathname of a file containing CA certificates of root CAs ++# trusted to sign either remote SMTP server certificates or intermediate CA ++# certificates. ++# ++smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt ++ ++# Use TLS if this is supported by the remote SMTP server, otherwise use ++# plaintext (opportunistic TLS outbound). ++# ++smtp_tls_security_level = may +diff --git a/conf/master.cf b/conf/master.cf +index c0f2508..05c5d07 100644 +--- a/conf/master.cf ++++ b/conf/master.cf +@@ -98,14 +98,14 @@ postlog unix-dgram n - n - 1 postlogd + # Also specify in main.cf: cyrus_destination_recipient_limit=1 + # + #cyrus unix - n n - - pipe +-# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} ++# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} + # + # ==================================================================== + # + # Old example of delivery via Cyrus. 
+ # + #old-cyrus unix - n n - - pipe +-# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} ++# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} + # + # ==================================================================== + # diff --git a/SOURCES/postfix-3.5.8-back-compat-3.3.1.patch b/SOURCES/postfix-3.5.8-back-compat-3.3.1.patch new file mode 100644 index 0000000..c444912 --- /dev/null +++ b/SOURCES/postfix-3.5.8-back-compat-3.3.1.patch 
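Review bot: The new TLS block sets `smtp_tls_security_level = may` next to `smtp_tls_CApath`/`smtp_tls_CAfile`, and the comments do not say that at level `may` a remote certificate that fails verification is still accepted, so an administrator could read the CA settings as meaning outbound peers are authenticated. I would extend the comment above `smtp_tls_security_level` with `# At "may" the server certificate is not enforced and STARTTLS can be stripped by an active attacker; use "verify"/"secure" or smtp_tls_policy_maps where authenticated TLS is required.` The key-file comment says the key must be unencrypted but not how it is protected; a line such as `# Keep this file readable by root only.` would close that gap. Separately, "prefered" in the cyrus-imapd paragraph should read "preferred".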
@@ -0,0 +1,158 @@ +diff --git a/src/global/mail_params.c b/src/global/mail_params.c +index 91c70f7..483613c 100644 +--- a/src/global/mail_params.c ++++ b/src/global/mail_params.c +@@ -379,6 +379,8 @@ int warn_compat_break_smtputf8_enable; + int warn_compat_break_chroot; + int warn_compat_break_relay_restrictions; + ++bool var_rhel_ipv6_normalize; ++ + /* check_myhostname - lookup hostname and validate */ + + static const char *check_myhostname(void) +@@ -825,6 +827,7 @@ void mail_params_init() + VAR_LONG_QUEUE_IDS, DEF_LONG_QUEUE_IDS, &var_long_queue_ids, + VAR_STRICT_SMTPUTF8, DEF_STRICT_SMTPUTF8, &var_strict_smtputf8, + VAR_ENABLE_ORCPT, DEF_ENABLE_ORCPT, &var_enable_orcpt, ++ VAR_RHEL_IPV6_NORMALIZE, DEF_RHEL_IPV6_NORMALIZE, &var_rhel_ipv6_normalize, + 0, + }; + const char *cp; +diff --git a/src/global/mail_params.h b/src/global/mail_params.h +index e4358ca..74459d9 100644 +--- a/src/global/mail_params.h ++++ b/src/global/mail_params.h +@@ -3153,7 +3153,7 @@ extern char *var_local_rwr_clients; + * EHLO keyword filter. 
+ */ + #define VAR_SMTPD_EHLO_DIS_WORDS "smtpd_discard_ehlo_keywords" +-#define DEF_SMTPD_EHLO_DIS_WORDS "" ++#define DEF_SMTPD_EHLO_DIS_WORDS "chunking" + extern char *var_smtpd_ehlo_dis_words; + + #define VAR_SMTPD_EHLO_DIS_MAPS "smtpd_discard_ehlo_keyword_address_maps" +@@ -4199,9 +4199,13 @@ extern int var_postlogd_watchdog; + #define INFO_LOG_ADDR_FORM_NAME_INTERNAL "internal" + + #define VAR_INFO_LOG_ADDR_FORM "info_log_address_format" +-#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_EXTERNAL ++#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_INTERNAL + extern char *var_info_log_addr_form; + ++#define VAR_RHEL_IPV6_NORMALIZE "rhel_ipv6_normalize" ++#define DEF_RHEL_IPV6_NORMALIZE 0 ++extern bool var_rhel_ipv6_normalize; ++ + /* LICENSE + /* .ad + /* .fi +diff --git a/src/smtpd/smtpd.c b/src/smtpd/smtpd.c +index da7227f..53e640e 100644 +--- a/src/smtpd/smtpd.c ++++ b/src/smtpd/smtpd.c +@@ -4334,6 +4334,7 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + SMTPD_TOKEN *argp; + char *raw_value; + char *attr_value; ++ const char *bare_value; + char *attr_name; + int update_namaddr = 0; + int name_status; +@@ -4481,15 +4482,31 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + UPDATE_STR(state->addr, attr_value); + UPDATE_STR(state->rfc_addr, attr_value); + } else { +- neuter(attr_value, NEUTER_CHARACTERS, '?'); +- if (normalize_mailhost_addr(attr_value, &state->rfc_addr, ++ if (var_rhel_ipv6_normalize) { ++ neuter(attr_value, NEUTER_CHARACTERS, '?'); ++ } ++ if ((var_rhel_ipv6_normalize && ++ normalize_mailhost_addr(attr_value, &state->rfc_addr, + &state->addr, +- &state->addr_family) < 0) { ++ &state->addr_family) < 0) || ++ (!var_rhel_ipv6_normalize && ++ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) { + state->error_mask |= MAIL_ERROR_PROTOCOL; + smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", + XCLIENT_ADDR, attr_value); + return (-1); + } ++ if 
(!var_rhel_ipv6_normalize) { ++ UPDATE_STR(state->addr, bare_value); ++ UPDATE_STR(state->rfc_addr, attr_value); ++#ifdef HAS_IPV6 ++ if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":", ++ sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0) ++ state->addr_family = AF_INET6; ++ else ++#endif ++ state->addr_family = AF_INET; ++ } + } + update_namaddr = 1; + } +@@ -4569,17 +4586,25 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + attr_value = SERVER_ADDR_UNKNOWN; + UPDATE_STR(state->dest_addr, attr_value); + } else { ++ if (var_rhel_ipv6_normalize) { + #define NO_NORM_RFC_ADDR ((char **) 0) + #define NO_NORM_ADDR_FAMILY ((int *) 0) +- neuter(attr_value, NEUTER_CHARACTERS, '?'); +- if (normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR, ++ neuter(attr_value, NEUTER_CHARACTERS, '?'); ++ } ++ if ((var_rhel_ipv6_normalize && ++ normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR, + &state->dest_addr, +- NO_NORM_ADDR_FAMILY) < 0) { ++ NO_NORM_ADDR_FAMILY) < 0) || ++ (!var_rhel_ipv6_normalize && ++ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) { + state->error_mask |= MAIL_ERROR_PROTOCOL; + smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", + XCLIENT_DESTADDR, attr_value); + return (-1); + } ++ if (!var_rhel_ipv6_normalize) { ++ UPDATE_STR(state->dest_addr, bare_value); ++ } + } + /* XXX Require same address family as client address. 
*/ + } +@@ -4690,6 +4715,7 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + SMTPD_TOKEN *argp; + char *raw_value; + char *attr_value; ++ const char *bare_value; + char *attr_name; + int updated = 0; + static const NAME_CODE xforward_flags[] = { +@@ -4808,15 +4834,22 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + UPDATE_STR(state->xforward.addr, attr_value); + } else { + neuter(attr_value, NEUTER_CHARACTERS, '?'); +- if (normalize_mailhost_addr(attr_value, ++ if ((var_rhel_ipv6_normalize && ++ normalize_mailhost_addr(attr_value, + &state->xforward.rfc_addr, + &state->xforward.addr, +- NO_NORM_ADDR_FAMILY) < 0) { ++ NO_NORM_ADDR_FAMILY) < 0) || ++ (!var_rhel_ipv6_normalize && ++ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) { + state->error_mask |= MAIL_ERROR_PROTOCOL; + smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", + XFORWARD_ADDR, attr_value); + return (-1); + } ++ if (!var_rhel_ipv6_normalize) { ++ UPDATE_STR(state->xforward.addr, bare_value); ++ UPDATE_STR(state->xforward.rfc_addr, attr_value); ++ } + } + break; + diff --git a/SPECS/postfix.spec b/SPECS/postfix.spec index 8c91f14..5dc9c82 100644 --- a/SPECS/postfix.spec +++ b/SPECS/postfix.spec @@ -6,6 +6,7 @@ %bcond_without sqlite %bcond_without cdb %bcond_without ldap +%bcond_without lmdb %bcond_without pcre %bcond_without sasl %bcond_without tls @@ -47,13 +48,13 @@ Name: postfix Summary: Postfix Mail Transport Agent -Version: 3.3.1 -Release: 12%{?dist}.1 +Version: 3.5.8 +Release: 1%{?dist} Epoch: 2 Group: System Environment/Daemons URL: http://www.postfix.org License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+) -Requires(post): systemd +Requires(post): systemd hostname Requires(post): %{_sbindir}/alternatives Requires(post): %{_bindir}/openssl Requires(post): %{_bindir}/hostname 
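Review bot: In both `xclient_cmd` branches (XCLIENT_ADDR and XCLIENT_DESTADDR) the `neuter(attr_value, NEUTER_CHARACTERS, '?')` call is now guarded by `var_rhel_ipv6_normalize`, which defaults to 0 (`DEF_RHEL_IPV6_NORMALIZE`), so on the default path a value rejected by `valid_mailhost_addr()` is echoed into the `501 5.5.4 Bad %s syntax: %s` reply without that step. The `xforward_cmd` hunk keeps `neuter()` unconditional, so the two commands now disagree. Unless `attr_value` is already sanitized earlier in the function (not visible in these hunks), I would call `neuter(attr_value, NEUTER_CHARACTERS, '?');` unconditionally before the combined test in both places; a syntactically valid address should presumably pass through it unchanged. `bare_value` is assigned only inside the short-circuited condition, which works but merits a comment such as `/* bare_value is set only on the !var_rhel_ipv6_normalize path */`.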
@@ -63,7 +64,7 @@ Requires(preun): %{_sbindir}/alternatives Requires(preun): systemd Requires(postun): systemd # Required by /usr/libexec/postfix/postfix-script -Requires: diffutils +Requires: diffutils, findutils Provides: MTA smtpd smtpdaemon server(smtp) Source0: ftp://ftp.porcupine.org/mirrors/postfix-release/official/%{name}-%{version}.tar.gz @@ -71,6 +72,7 @@ Source2: postfix.service Source3: README-Postfix-SASL-RedHat.txt Source4: postfix.aliasesdb Source5: postfix-chroot-update +Source6: README-RedHat.txt # Sources 50-99 are upstream [patch] contributions @@ -86,17 +88,15 @@ Source101: postfix-pam.conf # Patches -Patch1: postfix-3.2.0-config.patch -Patch2: postfix-3.1.0-files.patch -Patch3: postfix-3.1.0-alternatives.patch -Patch4: postfix-3.2.0-large-fs.patch -Patch5: postfix-3.3.1-posttls-finger-unix-fix.patch +Patch1: postfix-3.5.0-config.patch +Patch2: postfix-3.4.0-files.patch +Patch3: postfix-3.3.3-alternatives.patch +Patch4: postfix-3.4.0-large-fs.patch Patch9: pflogsumm-1.1.5-datecalc.patch # rhbz#1384871, sent upstream Patch10: pflogsumm-1.1.5-ipv6-warnings-fix.patch -# rhbz#1723950, included upstream -Patch11: postfix-3.3.1-ref-search-fix.patch -Patch12: postfix-3.3.1-tlsv13.patch +Patch11: postfix-3.4.4-chroot-example-fix.patch +Patch12: postfix-3.5.8-back-compat-3.3.1.patch # Optional patches - set the appropriate environment variables to include # them when building the package/spec file @@ -105,9 +105,10 @@ Patch12: postfix-3.3.1-tlsv13.patch # Determine the different packages required for building postfix BuildRequires: libdb-devel, perl-generators, pkgconfig, zlib-devel BuildRequires: systemd-units, libicu-devel, libnsl2-devel -BuildRequires: gcc, m4 +BuildRequires: gcc, m4, findutils %{?with_ldap:BuildRequires: openldap-devel} +%{?with_lmdb:BuildRequires: lmdb-devel} %{?with_sasl:BuildRequires: cyrus-sasl-devel} %{?with_pcre:BuildRequires: pcre-devel} %{?with_mysql:BuildRequires: mariadb-connector-c-devel} 
@@ -190,6 +191,16 @@ This provides support for LDAP maps in Postfix. If you plan to use LDAP maps with Postfix, you need this. %endif +%if %{with lmdb} +%package lmdb +Summary: Postfix LDMB map support +Requires: %{name} = %{epoch}:%{version}-%{release} + +%description lmdb +This provides support for LMDB maps in Postfix. If you plan to use LMDB +maps with Postfix, you need this. +%endif + %if %{with pcre} %package pcre Summary: Postfix PCRE map support @@ -207,7 +218,6 @@ maps with Postfix, you need this. %patch2 -p1 -b .files %patch3 -p1 -b .alternatives %patch4 -p1 -b .large-fs -%patch5 -p1 -b .posttls-finger-unix-fix # Change DEF_SHLIB_DIR according to build host sed -i \ @@ -221,8 +231,10 @@ pushd pflogsumm-%{pflogsumm_ver} %patch10 -p1 -b .ipv6-warnings-fix popd %endif -%patch11 -p1 -b .ref-search-fix -%patch12 -p1 -b .tlsv13 +%patch11 -p1 -b .chroot-example-fix +# Improve backward compatibility with postfix-3.3.1, +# for details see rhbz#1688389 +%patch12 -p1 -b .back-compat-3.3.1 for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do iconv -f iso8859-1 -t utf8 -o ${f}{_,} && @@ -230,8 +242,8 @@ for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do done %build -unset AUXLIBS AUXLIBS_LDAP AUXLIBS_PCRE AUXLIBS_MYSQL AUXLIBS_PGSQL AUXLIBS_SQLITE AUXLIBS_CDB -CCARGS="-fPIC" +unset AUXLIBS AUXLIBS_LDAP AUXLIBS_LMDB AUXLIBS_PCRE AUXLIBS_MYSQL AUXLIBS_PGSQL AUXLIBS_SQLITE AUXLIBS_CDB +CCARGS="-fPIC -fcommon" AUXLIBS="-lnsl" %ifarch s390 s390x ppc @@ -242,6 +254,10 @@ CCARGS="${CCARGS} -fsigned-char" CCARGS="${CCARGS} -DHAS_LDAP -DLDAP_DEPRECATED=1 %{?with_sasl:-DUSE_LDAP_SASL}" AUXLIBS_LDAP="-lldap -llber" %endif +%if %{with lmdb} + CCARGS="${CCARGS} -DHAS_LMDB" + AUXLIBS_LMDB="-llmdb" +%endif %if %{with pcre} # -I option required for pcre 3.4 (and later?) CCARGS="${CCARGS} -DHAS_PCRE -I%{_includedir}/pcre" 
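Review bot: The new subpackage header reads `Summary: Postfix LDMB map support`; the letters are transposed and it should be `Summary: Postfix LMDB map support`, matching the `%description lmdb` text directly below it. The summary ends up in the package metadata that users search and that inventory tooling reports, so the typo is worth fixing before release.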
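Review bot: `CCARGS="-fPIC -fcommon"` in the `%build` hunk adds `-fcommon` with no comment saying why. That flag lets duplicate tentative definitions of a global link silently, so it can hide a variable defined in more than one object file instead of getting it fixed. A comment naming the reason, for example `# -fcommon: some globals are defined in several source files; needed with newer GCC defaults`, would tell the next maintainer when the flag can be dropped; the actual reason is not visible in this diff, so that wording needs confirming.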
@@ -292,19 +308,17 @@ LDFLAGS="%{?__global_ldflags} %{?_hardened_build:-Wl,-z,relro,-z,now}" # way how to get them in make -f Makefile.init makefiles shared=yes dynamicmaps=yes \ %{?_hardened_build:pie=yes} CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}" \ - AUXLIBS_LDAP="${AUXLIBS_LDAP}" AUXLIBS_PCRE="${AUXLIBS_PCRE}" \ - AUXLIBS_MYSQL="${AUXLIBS_MYSQL}" AUXLIBS_PGSQL="${AUXLIBS_PGSQL}" \ - AUXLIBS_SQLITE="${AUXLIBS_SQLITE}" AUXLIBS_CDB="${AUXLIBS_CDB}"\ + AUXLIBS_LDAP="${AUXLIBS_LDAP}" AUXLIBS_LMDB="${AUXLIBS_LMDB}" \ + AUXLIBS_PCRE="${AUXLIBS_PCRE}" AUXLIBS_MYSQL="${AUXLIBS_MYSQL}" \ + AUXLIBS_PGSQL="${AUXLIBS_PGSQL}" AUXLIBS_SQLITE="${AUXLIBS_SQLITE}" \ + AUXLIBS_CDB="${AUXLIBS_CDB}" \ DEBUG="" SHLIB_RPATH="-Wl,-rpath,%{postfix_shlib_dir} $LDFLAGS" \ OPT="$RPM_OPT_FLAGS -fno-strict-aliasing -Wno-comment" \ POSTFIX_INSTALL_OPTS=-keep-build-mtime -make %{?_smp_mflags} +%make_build %install -rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT - # install postfix into $RPM_BUILD_ROOT # Move stuff around so we don't conflict with sendmail @@ -344,8 +358,8 @@ for i in active bounce corrupt defer deferred flush incoming private saved maild mkdir -p $RPM_BUILD_ROOT%{postfix_queue_dir}/$i done -# install performance benchmark tools by hand -for i in smtp-sink smtp-source ; do +# install performance benchmark and test tools by hand +for i in smtp-sink smtp-source posttls-finger ; do install -c -m 755 bin/$i $RPM_BUILD_ROOT%{postfix_command_dir}/ install -c -m 755 man/man1/$i.1 $RPM_BUILD_ROOT%{_mandir}/man1/ done 
@@ -367,7 +381,7 @@ install -m 644 %{SOURCE101} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/smtp.postfix # prepare documentation mkdir -p $RPM_BUILD_ROOT%{postfix_doc_dir} -cp -p %{SOURCE3} COMPATIBILITY LICENSE TLS_ACKNOWLEDGEMENTS TLS_LICENSE $RPM_BUILD_ROOT%{postfix_doc_dir} +cp -p %{SOURCE3} %{SOURCE6} COMPATIBILITY LICENSE TLS_ACKNOWLEDGEMENTS TLS_LICENSE $RPM_BUILD_ROOT%{postfix_doc_dir} mkdir -p $RPM_BUILD_ROOT%{postfix_doc_dir}/examples{,/chroot-setup} cp -pr examples/{qmail-local,smtpd-policy} $RPM_BUILD_ROOT%{postfix_doc_dir}/examples @@ -422,7 +436,7 @@ function split_file # split global dynamic maps configuration to individual sub-packages pushd $RPM_BUILD_ROOT%{postfix_config_dir} for map in %{?with_mysql:mysql} %{?with_pgsql:pgsql} %{?with_sqlite:sqlite} \ -%{?with_cdb:cdb} %{?with_ldap:ldap} %{?with_pcre:pcre}; do +%{?with_cdb:cdb} %{?with_ldap:ldap} %{?with_lmdb:lmdb} %{?with_pcre:pcre}; do rm -f dynamicmaps.cf.d/"$map" "postfix-files.d/$map" split_file "^\s*$map\b" "$map" dynamicmaps.cf sed -i "s|postfix-$map\\.so|%{postfix_shlib_dir}/\\0|" "dynamicmaps.cf.d/$map" @@ -557,6 +571,8 @@ exit 0 %exclude %{postfix_doc_dir}/README_FILES/CDB_README %exclude %{_mandir}/man5/ldap_table.5* %exclude %{postfix_doc_dir}/README_FILES/LDAP_README +%exclude %{_mandir}/man5/lmdb_table.5* +%exclude %{postfix_doc_dir}/README_FILES/LMDB_README %exclude %{_mandir}/man5/pcre_table.5* %exclude %{postfix_doc_dir}/README_FILES/PCRE_README @@ -597,6 +613,7 @@ exit 0 %attr(0755, root, root) %{postfix_command_dir}/smtp-sink %attr(0755, root, root) %{postfix_command_dir}/smtp-source +%attr(0755, root, root) %{postfix_command_dir}/posttls-finger %attr(0755, root, root) %{postfix_command_dir}/postalias %attr(0755, root, root) %{postfix_command_dir}/postcat 
@@ -633,6 +650,7 @@ exit 0 %attr(0755, root, root) %{postfix_daemon_dir}/postfix-wrapper %attr(0755, root, root) %{postfix_daemon_dir}/postmulti-script %attr(0755, root, root) %{postfix_daemon_dir}/postscreen +%attr(0755, root, root) %{postfix_daemon_dir}/postlogd %attr(0755, root, root) %{postfix_daemon_dir}/proxymap %attr(0755, root, root) %{postfix_shlib_dir}/libpostfix-*.so %{_bindir}/mailq.postfix @@ -711,6 +729,15 @@ exit 0 %attr(0644, root, root) %{postfix_doc_dir}/README_FILES/LDAP_README %endif +%if %{with lmdb} +%files lmdb +%attr(0644, root, root) %{postfix_config_dir}/dynamicmaps.cf.d/lmdb +%attr(0644, root, root) %{postfix_config_dir}/postfix-files.d/lmdb +%attr(0755, root, root) %{postfix_shlib_dir}/postfix-lmdb.so +%attr(0644, root, root) %{_mandir}/man5/lmdb_table.5* +%attr(0644, root, root) %{postfix_doc_dir}/README_FILES/LMDB_README +%endif + %if %{with pcre} %files pcre %attr(0644, root, root) %{postfix_config_dir}/dynamicmaps.cf.d/pcre @@ -721,9 +748,9 @@ exit 0 %endif %changelog -* Tue Jan 26 2021 Jan Zerdik - 2:3.3.1-12.1 -- Backported support for disabling of TLSv1.3 - Resolves: rhbz#1919233 +* Fri Nov 13 2020 Jaroslav Škarvada - 2:3.5.8-1 +- New version + Resolves: rhbz#1688389 * Mon Dec 16 2019 Jaroslav Škarvada - 2:3.3.1-12 - Fixed DNS resolver to use ref_search instead of ref_query