diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 858310bb60c5..f4a51f97ca77 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	postfix
-#PORTVERSION=	3.3.0
-DISTVERSION=	3.3.0-RC1
+PORTVERSION=	3.3.0
 PORTREVISION?=	0
 PORTEPOCH=	1
 CATEGORIES=	mail ipv6
@@ -41,19 +40,20 @@ USE_SUBMAKE=	yes
 SCRIPTS_ENV+=	POSTFIX_DEFAULT_MTA="${POSTFIX_DEFAULT_MTA}"
 
 OPTIONS_SUB=	yes
-OPTIONS_DEFINE=	BDB CDB DOCS EAI INST_BASE LDAP LDAP_SASL LMDB MYSQL \
-		NIS PCRE PGSQL SASL SQLITE TEST TLS
+OPTIONS_DEFINE=	BDB BLACKLISTD CDB DOCS EAI INST_BASE LDAP LDAP_SASL \
+		LMDB MYSQL NIS PCRE PGSQL SASL SQLITE TEST TLS
 
 OPTIONS_RADIO=		RG1
 OPTIONS_RADIO_RG1=	SASLKRB5 SASLKMIT
 OPTIONS_DEFAULT=	EAI PCRE TLS
 
 BDB_USES=		bdb
+BLACKLISTD_EXTRA_PATCHES=	${FILESDIR}/extra-patch-blacklistd
 CDB_LIB_DEPENDS=	libcdb.so:databases/tinycdb
 EAI_LIB_DEPENDS=	libicuuc.so:devel/icu
 LDAP_USE=		OPENLDAP=yes
 LMDB_LIB_DEPENDS=	liblmdb.so:databases/lmdb
-MYSQL_USE=		MYSQL=yes
+MYSQL_USES=		mysql
 PCRE_LIB_DEPENDS=	libpcre.so:devel/pcre
 PGSQL_USES=		pgsql
 SASLKMIT_LIB_DEPENDS=	libkrb5.so:security/krb5
@@ -61,6 +61,7 @@ SASL_LIB_DEPENDS=	libsasl2.so:security/cyrus-sasl2
 SQLITE_USES=		sqlite
 TLS_USES=		ssl
 
+BLACKLISTD_DESC=	Enable blacklistd support (FreeBSD 11.0 and later only)
 CDB_DESC=	CDB maps lookups
 EAI_DESC=	Email Address Internationalization (SMTPUTF8) support
 INST_BASE_DESC=	Install into /usr and /etc/postfix
@@ -196,6 +197,14 @@ POSTFIX_CCARGS+=	-I${BDB_INCLUDE_DIR}
 POSTFIX_AUXLIBS+=	-L${BDB_LIB_DIR} -l${BDB_LIB_NAME}
 .endif
 
+.if ${PORT_OPTIONS:MBLACKLISTD}
+. if ${OPSYS} == FreeBSD && (${OSVERSION} >= 1100122)
+POSTFIX_AUXLIBS+=	-lblacklist
+. else
+IGNORE=	blacklistd is only supported on FreeBSD >= 11.0
+. endif
+.endif
+
 .if ${PORT_OPTIONS:MMYSQL}
 DYN_EXT+=		mysql
 POSTFIX_CCARGS+=	-DHAS_MYSQL -I${LOCALBASE}/include/mysql
diff --git a/mail/postfix/distinfo b/mail/postfix/distinfo
index ee9ea005a5c7..f2661c0c8bf6 100644
--- a/mail/postfix/distinfo
+++ b/mail/postfix/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1517758440
-SHA256 (postfix/postfix-3.3.0-RC1.tar.gz) = 8bf16bee213bb5de95cbcab30479f3fd1c7fd2940fd9b4e63a1a6104c1fe3658
-SIZE (postfix/postfix-3.3.0-RC1.tar.gz) = 4418769
+TIMESTAMP = 1519259037
+SHA256 (postfix/postfix-3.3.0.tar.gz) = 7942e89721e30118d7050675b0d976955e3160e21f7898b85a79cac4f4baef39
+SIZE (postfix/postfix-3.3.0.tar.gz) = 4419450
diff --git a/mail/postfix/files/extra-patch-blacklistd b/mail/postfix/files/extra-patch-blacklistd
new file mode 100644
index 000000000000..a9448d978c7d
--- /dev/null
+++ b/mail/postfix/files/extra-patch-blacklistd
@@ -0,0 +1,69 @@
+# PR 225664: support blacklistd on FreeBSD >= 11.0
+#
+--- src/smtpd/Makefile.in.orig	2017-02-05 23:36:32 UTC
++++ src/smtpd/Makefile.in
+@@ -2,14 +2,14 @@ SHELL	= /bin/sh
+ SRCS	= smtpd.c smtpd_token.c smtpd_check.c smtpd_chat.c smtpd_state.c \
+ 	smtpd_peer.c smtpd_sasl_proto.c smtpd_sasl_glue.c smtpd_proxy.c \
+ 	smtpd_xforward.c smtpd_dsn_fix.c smtpd_milter.c smtpd_resolve.c \
+-	smtpd_expand.c smtpd_haproxy.c
++	smtpd_expand.c smtpd_haproxy.c pfilter.c
+ OBJS	= smtpd.o smtpd_token.o smtpd_check.o smtpd_chat.o smtpd_state.o \
+ 	smtpd_peer.o smtpd_sasl_proto.o smtpd_sasl_glue.o smtpd_proxy.o \
+ 	smtpd_xforward.o smtpd_dsn_fix.o smtpd_milter.o smtpd_resolve.o \
+-	smtpd_expand.o smtpd_haproxy.o
++	smtpd_expand.o smtpd_haproxy.o pfilter.o
+ HDRS	= smtpd_token.h smtpd_check.h smtpd_chat.h smtpd_sasl_proto.h \
+ 	smtpd_sasl_glue.h smtpd_proxy.h smtpd_dsn_fix.h smtpd_milter.h \
+-	smtpd_resolve.h smtpd_expand.h
++	smtpd_resolve.h smtpd_expand.h pfilter.h
+ TESTSRC	= smtpd_token_test.c
+ DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+--- src/smtpd/smtpd_sasl_glue.c.orig	2017-02-19 01:58:21 UTC
++++ src/smtpd/smtpd_sasl_glue.c
+@@ -147,6 +147,7 @@
+ #include "smtpd.h"
+ #include "smtpd_sasl_glue.h"
+ #include "smtpd_chat.h"
++#include "pfilter.h" /* for blacklistd(8) */
+ 
+ #ifdef USE_SASL_AUTH
+ 
+@@ -332,6 +333,10 @@ int     smtpd_sasl_authenticate(SMTPD_ST
+ 	else
+ 	    smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
+ 			     STR(state->sasl_reply));
++
++
++	/* notify blacklistd of SASL authentication failure */
++	pfilter_notify(1, vstream_fileno(state->client));
+ 	return (-1);
+     }
+     /* RFC 4954 Section 6. */
+--- src/smtpd/pfilter.h.orig	2018-02-04 15:36:49 UTC
++++ src/smtpd/pfilter.h
+@@ -0,0 +1 @@
++void pfilter_notify(int, int);
+--- src/smtpd/pfilter.c.orig	2018-02-04 15:36:49 UTC
++++ src/smtpd/pfilter.c
+@@ -0,0 +1,19 @@
++#include "pfilter.h"
++#include <stdio.h>	/* for NULL */
++#include <blacklist.h>
++
++static struct blacklist *blstate;
++
++void
++pfilter_notify(int a, int fd)
++{
++	if (blstate == NULL)
++		blstate = blacklist_open();
++	if (blstate == NULL)
++		return;
++	(void)blacklist_r(blstate, a, fd, "smtpd");
++	if (a == 0) {
++		blacklist_close(blstate);
++		blstate = NULL;
++	}
++}
diff --git a/mail/postfix/files/patch-src_global_dict__mysql.c b/mail/postfix/files/patch-src_global_dict__mysql.c
new file mode 100644
index 000000000000..c33b3a403f78
--- /dev/null
+++ b/mail/postfix/files/patch-src_global_dict__mysql.c
@@ -0,0 +1,22 @@
+# PR: 220224 fix build against mysql 8.x
+#
+# from https://dev.mysql.com/doc/refman/5.7/en/mysql-options.html
+# o MYSQL_OPT_SSL_VERIFY_SERVER_CERT (argument type: my_bool *)
+#    This option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0.
+#    Instead, use MYSQL_OPT_SSL_MODE with a value of SSL_MODE_VERIFY_IDENTITY. 
+#
+--- src/global/dict_mysql.c.orig	2017-02-19 01:58:20 UTC
++++ src/global/dict_mysql.c
+@@ -656,7 +656,11 @@ static void plmysql_connect_single(DICT_
+ 		      dict_mysql->tls_key_file, dict_mysql->tls_cert_file,
+ 		      dict_mysql->tls_CAfile, dict_mysql->tls_CApath,
+ 		      dict_mysql->tls_ciphers);
+-#if MYSQL_VERSION_ID >= 50023
++#if MYSQL_VERSION_ID >= 80000 && !defined(MARIADB_VERSION_ID)
++    if (dict_mysql->tls_verify_cert != -1)
++	mysql_options(host->db, MYSQL_OPT_SSL_MODE,
++		      &dict_mysql->tls_verify_cert);
++#elif MYSQL_VERSION_ID >= 50023
+     if (dict_mysql->tls_verify_cert != -1)
+ 	mysql_options(host->db, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ 		      &dict_mysql->tls_verify_cert);
diff --git a/mail/postfix/files/patch-src__util__sys_defs.h b/mail/postfix/files/patch-src_util_sys__defs.h
similarity index 86%
rename from mail/postfix/files/patch-src__util__sys_defs.h
rename to mail/postfix/files/patch-src_util_sys__defs.h
index 41fbafc106ea..d1633b6c2ab0 100644
--- a/mail/postfix/files/patch-src__util__sys_defs.h
+++ b/mail/postfix/files/patch-src_util_sys__defs.h
@@ -1,6 +1,6 @@
---- src/util/sys_defs.h.orig	2016-05-15 16:39:11 UTC
+--- src/util/sys_defs.h.orig	2017-06-18 19:30:20 UTC
 +++ src/util/sys_defs.h
-@@ -26,6 +26,7 @@
+@@ -30,6 +30,7 @@
  #if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \
      || defined(FREEBSD5) || defined(FREEBSD6) || defined(FREEBSD7) \
      || defined(FREEBSD8) || defined(FREEBSD9) || defined(FREEBSD10) \