Lines 1-2: With "authorized_submit_users = root", the
-superuser can test the postix-out instance with "postmulti -i
+superuser can test the postfix-out instance with "postmulti -i
postfix-out -x sendmail -bv recipient...", but otherwise local
submission remains disabled.
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index b1cda2227..5093f1773 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -865,9 +865,9 @@ cipher from a list supplied by the server.
By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server
may choose its own most preferred cipher that is supported (offered)
-by the client. Setting "tls_preempt_cipherlist = yes" enables server
+by the client. Setting "tls_preempt_cipherlist = yes" enables server
cipher preferences. The default OpenSSL behaviour applies with
-"tls_preempt_cipherlist = no".
+"tls_preempt_cipherlist = no".
While server cipher selection may in some cases lead to a more secure
or performant cipher choice, there is some risk of interoperability
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 44e6ebf5d..817eaa6b8 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -15404,7 +15404,7 @@ instead of the client's cipher preference order.
By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server may
choose its own most preferred cipher that is supported (offered) by
-the client. Setting "tls_preempt_cipherlist = yes" enables server cipher
+the client. Setting "tls_preempt_cipherlist = yes" enables server cipher
preferences.
While server cipher selection may in some cases lead to a more secure
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index adf5300f9..8bcd08697 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -158,7 +158,7 @@ SMTPD(8) SMTPD(8)
smtpd_per_record_deadline (normal: no, overload: yes)
Change the behavior of the smtpd_timeout time
limit, from a time limit per read or write system
- call, to a time limit to send or receive a complete
+ call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
@@ -568,7 +568,7 @@ SMTPD(8) SMTPD(8)
Available in Postfix version 2.8 and later:
- tls_preempt_cipherlist (no)
+ tls_preempt_cipherlist (no)
With SSLv3 and later, use the server's cipher pref-
erence order instead of the client's cipher prefer-
ence order.
@@ -857,7 +857,7 @@ SMTPD(8) SMTPD(8)
smtpd_per_record_deadline (normal: no, overload: yes)
Change the behavior of the smtpd_timeout time
limit, from a time limit per read or write system
- call, to a time limit to send or receive a complete
+ call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
diff --git a/postfix/makedefs b/postfix/makedefs
index 282eabcd4..bdfb150da 100644
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -340,6 +340,33 @@ EOF
fi;;
esac
;;
+ Linux.3*) SYSTYPE=LINUX3
+ if [ -f /usr/include/db.h ]
+ then
+ : we are all set
+ elif [ -f /usr/include/db/db.h ]
+ then
+ CCARGS="$CCARGS -I/usr/include/db"
+ else
+ # On a properly installed system, Postfix builds
+ # by including and by linking with -ldb
+ echo "No include file found." 1>&2
+ echo "Install the appropriate db*-devel package first." 1>&2
+ echo "See the RELEASE_NOTES file for more information." 1>&2
+ exit 1
+ fi
+ SYSLIBS="-ldb"
+ for name in nsl resolv
+ do
+ for lib in /usr/lib64 /lib64 /usr/lib /lib
+ do
+ test -e $lib/lib$name.a -o -e $lib/lib$name.so && {
+ SYSLIBS="$SYSLIBS -l$name"
+ break
+ }
+ done
+ done
+ ;;
GNU.0*|GNU/kFreeBSD.[567]*)
SYSTYPE=GNU0
# Postfix no longer needs DB 1.85 compatibility
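Review bot: The library probe in the new `Linux.3*` branch searches only `/usr/lib64 /lib64 /usr/lib /lib`, so on a system that keeps libnsl or libresolv elsewhere (a multiarch subdirectory, for example) `SYSLIBS` silently stays at `-ldb`. The omission would then likely surface as a link error much later instead of at configure time. Consider widening the list, e.g. `for lib in /usr/lib64 /lib64 /usr/lib /usr/lib/* /lib /lib/*`, or printing a warning when neither file is found for a name. The probe itself would be more robust as two quoted tests, `test -e "$lib/lib$name.a" || test -e "$lib/lib$name.so"`, rather than the unquoted `-o` form. The enclosing `case` statement starts and ends outside this hunk.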
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index eb1baec77..cbb5167b7 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -683,7 +683,7 @@ while (<>) {
s;\btls_null_cipherlist\b;$&;g;
s;\btls_eecdh_strong_curve\b;$&;g;
s;\btls_eecdh_ultra_curve\b;$&;g;
- s;\btls_preempt_cipherlist\b;$&;g;
+ s;\btls_preempt_cipherlist\b;$&;g;
s;\btls_disable_workarounds\b;$&;g;
s;\btls_append_default_CA\b;$&;g;
diff --git a/postfix/proto/MULTI_INSTANCE_README.html b/postfix/proto/MULTI_INSTANCE_README.html
index 1e5196adb..375c58cab 100644
--- a/postfix/proto/MULTI_INSTANCE_README.html
+++ b/postfix/proto/MULTI_INSTANCE_README.html
@@ -420,7 +420,7 @@ context (MAIL_CONFIG=/etc/postfix-out) of the output instance.
-
Lines 1-2: With "authorized_submit_users = root", the
-superuser can test the postix-out instance with "postmulti -i
+superuser can test the postfix-out instance with "postmulti -i
postfix-out -x sendmail -bv recipient...", but otherwise local
submission remains disabled.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index efb44e55a..03e67d803 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20110605"
+#define MAIL_RELEASE_DATE "20110615"
#define MAIL_VERSION_NUMBER "2.9"
#ifdef SNAPSHOT
diff --git a/postfix/src/smtpd/Makefile.in b/postfix/src/smtpd/Makefile.in
index 44792befb..dfcd674c2 100644
--- a/postfix/src/smtpd/Makefile.in
+++ b/postfix/src/smtpd/Makefile.in
@@ -38,7 +38,7 @@ update: ../../libexec/$(PROG)
cp $(PROG) ../../libexec
SMTPD_CHECK_OBJ = smtpd_state.o smtpd_peer.o smtpd_xforward.o smtpd_dsn_fix.o \
- smtpd_resolve.o
+ smtpd_resolve.o smtpd_expand.o
smtpd_token: smtpd_token.c $(LIBS)
$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS) $(SYSLIBS)
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 0768c61b7..2e14dae0d 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -3192,6 +3192,7 @@ static const SMTPD_RBL_STATE *find_dnsxl_domain(SMTPD_STATE *state,
const char *domain;
const char *reply_addr;
const char *byte_codes;
+ const char *suffix;
/*
* Extract the domain, tack on the RBL domain name and query the DNS for
@@ -3203,7 +3204,16 @@ static const SMTPD_RBL_STATE *find_dnsxl_domain(SMTPD_STATE *state,
return (SMTPD_CHECK_DUNNO);
} else
domain = what;
- if (domain[0] == 0)
+
+ /*
+ * XXX Some Spamhaus RHSBL rejects lookups with "No IP queries" even if
+ * the name has an alphanumerical prefix. We play safe, and skip both
+ * RHSBL and RHSWL queries for names ending in a numerical suffix.
+ */
+ if (domain[0] == 0 || valid_hostname(domain, DONT_GRIPE) == 0)
+ return (SMTPD_CHECK_DUNNO);
+ suffix = strrchr(domain, '.');
+ if (alldig(suffix == 0 ? domain : suffix + 1))
return (SMTPD_CHECK_DUNNO);
query = vstring_alloc(100);
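Review bot: The new comment above the guard explains only the numeric-suffix skip, not why `valid_hostname(domain, DONT_GRIPE) == 0` now returns `SMTPD_CHECK_DUNNO` here. That test appears to have moved out of the HELO caller in `generic_checks` (the hunk at -3834), so it presumably now applies to every caller of `find_dnsxl_domain`, and a malformed name is passed over by RHSBL and RHSWL restrictions alike. I would extend the comment with something like `/* Names that fail valid_hostname() are skipped for all RHSBL/RHSWL callers, not only HELO; syntax rejection is left to other restrictions. */`. An `if (msg_verbose)` log line before each early return would also make a skipped lookup visible when debugging policy. The function body starts and ends outside this hunk.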
@@ -3834,8 +3844,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
name);
else {
cpp += 1;
- if (state->helo_name
- && valid_hostname(state->helo_name, DONT_GRIPE))
+ if (state->helo_name)
status = reject_rbl_domain(state, *cpp, state->helo_name,
SMTPD_NAME_HELO);
}
@@ -5239,6 +5248,7 @@ int main(int argc, char **argv)
string_init();
int_init();
smtpd_check_init();
+ smtpd_expand_init();
smtpd_state_init(&state, VSTREAM_IN, "smtpd");
state.queue_id = "";
diff --git a/postfix/src/smtpd/smtpd_check.ref b/postfix/src/smtpd/smtpd_check.ref
index 50c85f7e3..898997125 100644
--- a/postfix/src/smtpd/smtpd_check.ref
+++ b/postfix/src/smtpd/smtpd_check.ref
@@ -82,7 +82,7 @@ OK
>>> helo_restrictions permit_naked_ip_address,reject_invalid_hostname,reject_unknown_hostname
OK
>>> helo 123.123.123.123
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
OK
>>> #
>>> # Test the sender restrictions
@@ -317,73 +317,73 @@ OK
>>> helo_restrictions permit_naked_ip_address,reject_non_fqdn_hostname
OK
>>> helo [1.2.3.4]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
OK
>>> helo [321.255.255.255]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[321.255.255.255]>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<[321.255.255.255]>
501 5.5.2 <[321.255.255.255]>: Helo command rejected: invalid ip address
>>> helo [0.255.255.255]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[0.255.255.255]>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<[0.255.255.255]>
501 5.5.2 <[0.255.255.255]>: Helo command rejected: invalid ip address
>>> helo [1.2.3.321]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1.2.3.321]>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<[1.2.3.321]>
501 5.5.2 <[1.2.3.321]>: Helo command rejected: invalid ip address
>>> helo [1.2.3]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1.2.3]>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<[1.2.3]>
501 5.5.2 <[1.2.3]>: Helo command rejected: invalid ip address
>>> helo [1.2.3.4.5]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1.2.3.4.5]>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<[1.2.3.4.5]>
501 5.5.2 <[1.2.3.4.5]>: Helo command rejected: invalid ip address
>>> helo [1..2.3.4]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1..2.3.4]>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<[1..2.3.4]>
501 5.5.2 <[1..2.3.4]>: Helo command rejected: invalid ip address
>>> helo [.1.2.3.4]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[.1.2.3.4]>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<[.1.2.3.4]>
501 5.5.2 <[.1.2.3.4]>: Helo command rejected: invalid ip address
>>> helo [1.2.3.4.5.]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1.2.3.4.5.]>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<[1.2.3.4.5.]>
501 5.5.2 <[1.2.3.4.5.]>: Helo command rejected: invalid ip address
>>> helo 1.2.3.4
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
OK
>>> helo 321.255.255.255
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <321.255.255.255>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<321.255.255.255>
501 5.5.2 <321.255.255.255>: Helo command rejected: invalid ip address
>>> helo 0.255.255.255
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <0.255.255.255>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<0.255.255.255>
501 5.5.2 <0.255.255.255>: Helo command rejected: invalid ip address
>>> helo 1.2.3.321
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1.2.3.321>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<1.2.3.321>
501 5.5.2 <1.2.3.321>: Helo command rejected: invalid ip address
>>> helo 1.2.3
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1.2.3>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<1.2.3>
501 5.5.2 <1.2.3>: Helo command rejected: invalid ip address
>>> helo 1.2.3.4.5
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1.2.3.4.5>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<1.2.3.4.5>
501 5.5.2 <1.2.3.4.5>: Helo command rejected: invalid ip address
>>> helo 1..2.3.4
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1..2.3.4>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<1..2.3.4>
501 5.5.2 <1..2.3.4>: Helo command rejected: invalid ip address
>>> helo .1.2.3.4
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <.1.2.3.4>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<.1.2.3.4>
501 5.5.2 <.1.2.3.4>: Helo command rejected: invalid ip address
>>> helo 1.2.3.4.5.
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: : reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1.2.3.4.5.>: Helo command rejected: invalid ip address; from= proto=SMTP helo=<1.2.3.4.5.>
501 5.5.2 <1.2.3.4.5.>: Helo command rejected: invalid ip address
>>> #
diff --git a/postfix/src/smtpd/smtpd_dnswl.in b/postfix/src/smtpd/smtpd_dnswl.in
index 891e0c75f..147dbcaca 100644
--- a/postfix/src/smtpd/smtpd_dnswl.in
+++ b/postfix/src/smtpd/smtpd_dnswl.in
@@ -54,3 +54,7 @@ client example.tld 168.100.189.2
rcpt rname@rdomain
# Authorized destination - accept.
rcpt wietse@porcupine.org
+# Numeric TLD - dunno.
+rcpt wietse@12345
+rcpt wietse@12345.porcupine.org
+rcpt wietse@porcupine.12345
diff --git a/postfix/src/smtpd/smtpd_dnswl.ref b/postfix/src/smtpd/smtpd_dnswl.ref
index fc8940546..14d989874 100644
--- a/postfix/src/smtpd/smtpd_dnswl.ref
+++ b/postfix/src/smtpd/smtpd_dnswl.ref
@@ -83,3 +83,12 @@ OK
>>> # Authorized destination - accept.
>>> rcpt wietse@porcupine.org
OK
+>>> # Numeric TLD - dunno.
+>>> rcpt wietse@12345
+./smtpd_check: : reject: RCPT from example.tld[168.100.189.2]: 554 5.7.1 : Relay access denied; to= proto=SMTP helo=
+554 5.7.1 : Relay access denied
+>>> rcpt wietse@12345.porcupine.org
+OK
+>>> rcpt wietse@porcupine.12345
+./smtpd_check: : reject: RCPT from example.tld[168.100.189.2]: 554 5.7.1 : Relay access denied; to= proto=SMTP helo=
+554 5.7.1 : Relay access denied
diff --git a/postfix/src/smtpd/smtpd_exp.ref b/postfix/src/smtpd/smtpd_exp.ref
index c4d518afa..7a41e21bd 100644
--- a/postfix/src/smtpd/smtpd_exp.ref
+++ b/postfix/src/smtpd/smtpd_exp.ref
@@ -49,8 +49,8 @@ OK
>>> client foo 127.0.0.2
OK
>>> rcpt rname@rdomain
-./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org=127.0.0.2; from= to= proto=SMTP helo=
-554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org=127.0.0.2
+./smtpd_check: : reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; from= to= proto=SMTP helo=
+554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org
>>> client foo 127.0.0.1
OK
>>> rcpt rname@rdomain
diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h
index 4688f9be0..bbe370f2b 100644
--- a/postfix/src/util/sys_defs.h
+++ b/postfix/src/util/sys_defs.h
@@ -708,7 +708,7 @@ extern int initgroups(const char *, int);
/*
* LINUX.
*/
-#ifdef LINUX2
+#if defined(LINUX2) || defined(LINUX3)
#define SUPPORTED
#include
#define UINT32_TYPE unsigned int