postfix-3.10-20240722

postfix/HISTORY

@@ -22345,7 +22345,7 @@ Apologies for any names omitted.
 	Cleanup: integer wrap-around detection in the MySQL and
 	PostgreSQL clients. This is totally non-critical because
 	Postfix strings are size-limited by design. Files:
-	global/dict_mysqql.c, global/dict_pgsql.c.
+	global/dict_mysql.c, global/dict_pgsql.c.
 
 20160607
 
@@ -28110,6 +28110,45 @@ Apologies for any names omitted.
 
 	Documentation: in the rbl_reply_maps description,added text
 	how it handles reject_rbl_* or reject_rhsbl_* queries with
-	an address filter. Also added text to clarify te differences
+	an address filter. Also added text to clarify the differences
 	between rbl_reply_maps and postscreen_dnsbl_reply_map.
 	File: proto/postconf.proto.
+
+20240623
+
+	Feature: improved rbl_reply_maps usability. After a query
+	with the form domain=address-filter returns no result,
+	rbl_reply_maps will query the tables with the domain (i.e.
+	without the =address-filter). Files: smtpd/smtpd_check.c,
+	proto/postconf.proto, smtpd/smtpd_check_access, smtpd/smtpd_exp.in,
+	smtpd/smtpd_exp.ref.
+
+20240626
+
+	Cleanup: updated SMTP server regression tests for last-minute
+	changes to the wording of deprecation messages. Files:
+	smtpd/smtpd_check_backup.ref, smtpd/smtpd_deprecated.ref,
+	smtpd/smtpd_exp.ref.
+
+20240719
+
+	Bitrot: with MySQL 8.0.35 and later set TLS options with
+	mysql_options() instead of mysql_ssl_set(). Researched by
+	Robert Fuhrer. Files: global/dict_mysql.c, proto/mysql_table.
+
+20240720
+
+	Bitrot: MariaDB Connector/C 3.0.0 lists mysql_options() as
+	deprecated, and recommends using mysql_optionsv() instead.
+	Option names and semantics have not changed. Peter Ajamian.
+	Files: global/dict_mysql.c, proto/mysql_table.
+
+20240721
+
+	Reproducible build: sort the output from 'env'. Scott
+	Kitterman. File: makedefs.
+
+20240722
+
+	Bitrot: some groff version complains about ".ft C" directives
+	in postconf(5) manpages. File: mantools/postconf2man.

postfix/WISHLIST

@@ -16,6 +16,16 @@ Wish list:
 	using FIFOs anymore, and trigger servers could use a proper
 	(attribute, value) protocol.
 
+	Send XFORWARD attributes in the SMTPD policy delegation
+	protocol.
+
+	With "smtpd_reject_unlisted_mumble = no" the Postfix SMTP
+	server should still reject recipients that resolve to the
+	error or retry transport.
+
+	bounce/annotate.sh should include the 'QUICK INSTRUCTIONS'
+	into the bounce.cf.default file.
+
 	The postsceen NON-SMTP test should log the command in
 	the same format as the BARE NEWLINE and PREGREET tests.
 	Consider logging the entire unadulterated command line.

postfix/html/mysql_table.5.html

@@ -258,6 +258,11 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
 
               This parameter is available with Postfix 3.2 and later.
 
+<b>TLS-RELATED SETTINGS</b>
+       See      <a href="https://dev.mysql.com/doc/c-api/en/mysql-options.html">https://dev.mysql.com/doc/c-api/en/mysql-options.html</a>       or
+       <a href="https://mariadb.com/kb/en/mysql_optionsv/">https://mariadb.com/kb/en/mysql_optionsv/</a> for details of the underlying
+       MYSQL_OPT_SSL_* features.
+
        <b>tls_cert_file</b>
               File containing client's X509 certificate.
 
@@ -269,7 +274,7 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
               This parameter is available with Postfix 2.11 and later.
 
        <b>tls_CAfile</b>
-              File  containing  certificates for all of the X509 Certification
+              File  containing  X509 certificates for all of the Certification
               Authorities the client will recognize.   Takes  precedence  over
               <b>tls_CApath</b>.
 

postfix/html/postconf.5.html

@@ -2610,7 +2610,8 @@ by an <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> enhanced status
 
 <dt><b>$rbl_domain</b></dt>
 
-<dd>The RBL domain where $rbl_what is denylisted. </dd>
+<dd>The RBL domain (without any <i>=address-filter</i>) where
+$rbl_what is denylisted. </dd>
 
 <dt><b>$rbl_reason</b></dt>
 
@@ -8800,7 +8801,7 @@ the file is read). </p>
 
 <p> NOTE: This feature differs from the Postfix SMTP server's
 <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> feature, where 1) the table search key includes the
-optional "<i>=address</i>" filter, and where 2) the lookup result
+optional "<i>=address-filter</i>", and where 2) the lookup result
 contains free text with <i>$name</i> variables. </p>
 
 <p> This feature is available in Postfix 2.8.  </p>
@@ -9814,7 +9815,10 @@ This feature is available in Postfix 2.0 and later.
 <p>
 Optional lookup tables with RBL or RHSBL response templates. The
 table search key is the reject_rbl_* or reject_rhsbl_* argument,
-including any optional "<i>=address-pattern</i>" filter. </p>
+including any optional "<i>=address-filter</i>".  With Postfix 3.10
+and later, if the result is "not found" and the search key has the
+form <i>domain=address-filter</i>, then <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> will also
+search with the <i>domain</i>. </p>
 
 <p> By default, Postfix uses the
 template as specified with the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> configuration
@@ -9838,20 +9842,26 @@ syntax.
     # variables.
     <i>secret</i>.zen.dq.spamhaus.net=127.0.0.[2..11]
         554 $rbl_class $rbl_what blocked using ZEN - see <a href="https://www.spamhaus.org/query/ip/$client_address">https://www.spamhaus.org/query/ip/$client_address</a> for details
+</pre>
+
+<pre>
+    # Postfix &ge; 3.10: if a search key <i>domain=address-filter</i>
+    # is not found, then <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> will also search with the
+    # <i>domain</i>.
     <i>secret</i>.zen.dq.spamhaus.net
         554 $rbl_class $rbl_what blocked using ZEN - see <a href="https://www.spamhaus.org/query/ip/$client_address">https://www.spamhaus.org/query/ip/$client_address</a> for details
 </pre>
 
 <p>
 NOTE: This feature differs from <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> where
-the table search key is a domain name (no "<i>=address</i>" filter,
-no "<i>*weight</i>" factor) and where the lookup result should be
-a domain name (no free text, no <i>$name</i> variables).
+the table search key is only a domain name (no "<i>=address-filter</i>",
+no "<i>*weight</i>" factor) and where the lookup result
+should be only a domain name (no free text, no <i>$name</i> variables).
 </p>
 
 <p>
 This feature is available in Postfix 2.0 and later.
-The "=address-pattern" filter is available in Postfix 2.8 and later.
+The "=address-filter" feature is available in Postfix 2.8 and later.
 </p>
 
 

postfix/makedefs

@@ -220,7 +220,7 @@ echo "#----------------------------------------------------------------"
 echo "# Start of summary of user-configurable 'make makefiles' options."
 echo "# CCARGS=$CCARGS"
 echo "# AUXLIBS=$AUXLIBS"
-env | grep '^AUXLIBS_' | sed 's/^/# /'
+env | grep '^AUXLIBS_' | sed 's/^/# /' | sort
 echo "# shared=$shared"
 echo "# dynamicmaps=$dynamicmaps"
 echo "# pie=$pie"

postfix/man/man5/mysql_table.5

@@ -277,6 +277,14 @@ set.  If "\fBno\fR", treat the absence of a result set as
 "not found".
 .sp
 This parameter is available with Postfix 3.2 and later.
+.SH "TLS-RELATED SETTINGS"
+.na
+.nf
+.ad
+.fi
+See https://dev.mysql.com/doc/c\-api/en/mysql\-options.html
+or https://mariadb.com/kb/en/mysql_optionsv/ for details of
+the underlying MYSQL_OPT_SSL_* features.
 .IP "\fBtls_cert_file\fR"
 File containing client's X509 certificate.
 .sp
@@ -286,7 +294,7 @@ File containing the private key corresponding to \fBtls_cert_file\fR.
 .sp
 This parameter is available with Postfix 2.11 and later.
 .IP "\fBtls_CAfile\fR"
-File containing certificates for all of the X509 Certification
+File containing X509 certificates for all of the Certification
 Authorities the client will recognize.  Takes precedence over
 \fBtls_CApath\fR.
 .sp

postfix/mantools/postconf2man

@@ -58,8 +58,8 @@ while(<>) {
     $block =~ s/^(<p(re)?>)/.PP\n\1/ if ($wantpp);
     $block =~ s/<p> */\n/g;
     $block =~ s/ *<\/p>/\n/g;
-    $block =~ s/<pre>/\n.nf\n.na\n.ft C\n/g;
-    $block =~ s/<\/pre>/\n.fi\n.ad\n.ft R\n/g;
+    $block =~ s/<pre>/\n.nf\n.na\n/g;
+    $block =~ s/<\/pre>/\n.fi\n.ad\n/g;
     $block =~ s/<dl[^>]*>/\n/g;
     $block =~ s/<ul>/\n/g;
     #$block =~ s/<\/dl>/\n.PP\n/g;

postfix/proto/mysql_table

@@ -267,6 +267,12 @@
 #	"not found".
 # .sp
 #	This parameter is available with Postfix 3.2 and later.
+# TLS-RELATED SETTINGS
+# .ad
+# .fi
+#	See https://dev.mysql.com/doc/c-api/en/mysql-options.html
+#	or https://mariadb.com/kb/en/mysql_optionsv/ for details of
+#	the underlying MYSQL_OPT_SSL_* features.
 # .IP "\fBtls_cert_file\fR"
 #	File containing client's X509 certificate.
 # .sp
@@ -276,7 +282,7 @@
 # .sp
 #	This parameter is available with Postfix 2.11 and later.
 # .IP "\fBtls_CAfile\fR"
-#	File containing certificates for all of the X509 Certification
+#	File containing X509 certificates for all of the Certification
 #	Authorities the client will recognize.  Takes precedence over
 #	\fBtls_CApath\fR.
 # .sp

postfix/proto/postconf.proto

@@ -1194,7 +1194,8 @@ by an RFC 3463 enhanced status code. </dd>
 
 <dt><b>$rbl_domain</b></dt>
 
-<dd>The RBL domain where $rbl_what is denylisted. </dd>
+<dd>The RBL domain (without any <i>=address-filter</i>) where
+$rbl_what is denylisted. </dd>
 
 <dt><b>$rbl_reason</b></dt>
 
@@ -3588,7 +3589,10 @@ The default time unit is s (seconds).  </p>
 <p>
 Optional lookup tables with RBL or RHSBL response templates. The
 table search key is the reject_rbl_* or reject_rhsbl_* argument,
-including any optional "<i>=address-pattern</i>" filter. </p>
+including any optional "<i>=address-filter</i>".  With Postfix 3.10
+and later, if the result is "not found" and the search key has the
+form <i>domain=address-filter</i>, then rbl_reply_maps will also
+search with the <i>domain</i>. </p>
 
 <p> By default, Postfix uses the
 template as specified with the default_rbl_reply configuration
@@ -3612,20 +3616,26 @@ syntax.
     # variables.
     <i>secret</i>.zen.dq.spamhaus.net=127.0.0.[2..11]
         554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details
+</pre>
+
+<pre>
+    # Postfix &ge; 3.10: if a search key <i>domain=address-filter</i>
+    # is not found, then rbl_reply_maps will also search with the
+    # <i>domain</i>.
     <i>secret</i>.zen.dq.spamhaus.net
         554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details 
 </pre>
 
 <p>
 NOTE: This feature differs from postscreen_dnsbl_reply_map where
-the table search key is a domain name (no "<i>=address</i>" filter,
-no "<i>*weight</i>" factor) and where the lookup result should be
-a domain name (no free text, no <i>$name</i> variables).
+the table search key is only a domain name (no "<i>=address-filter</i>",
+no "<i>*weight</i>" factor) and where the lookup result
+should be only a domain name (no free text, no <i>$name</i> variables).
 </p>
 
 <p>
 This feature is available in Postfix 2.0 and later.
-The "=address-pattern" filter is available in Postfix 2.8 and later.
+The "=address-filter" feature is available in Postfix 2.8 and later.
 </p>
 
 %PARAM receive_override_options 
@@ -15451,7 +15461,7 @@ the file is read). </p>
 
 <p> NOTE: This feature differs from the Postfix SMTP server's
 rbl_reply_maps feature, where 1) the table search key includes the
-optional "<i>=address</i>" filter, and where 2) the lookup result
+optional "<i>=address-filter</i>", and where 2) the lookup result
 contains free text with <i>$name</i> variables. </p>
 
 <p> This feature is available in Postfix 2.8.  </p>

postfix/proto/stop

@@ -1606,3 +1606,7 @@ GTEST
 javascript
 SMFI
 RHSBL
+Ajamian
+groff
+MariaDB
+Fuhrer

postfix/proto/stop.spell-cc

@@ -1840,3 +1840,4 @@ fhHoqvx
 foqvx
 ILP
 xxfi
+optionsv

postfix/src/global/dict_mysql.c

@@ -119,6 +119,15 @@
 #define DICT_MYSQL_SSL_VERIFY_SERVER_CERT MYSQL_OPT_SSL_VERIFY_SERVER_CERT
 #elif MYSQL_VERSION_ID >= 80000
 #define DICT_MYSQL_SSL_VERIFY_SERVER_CERT MYSQL_OPT_SSL_MODE
+#endif
+
+ /*
+  * MariaDB Connector/C 3.0.0 lists mysql_options() as deprecated and
+  * recommends using mysql_optionsv() instead. Option names and semantics
+  * have not changed.
+  */
+#if defined(MARIADB_PACKAGE_VERSION_ID) && MARIADB_PACKAGE_VERSION_ID >= 30000
+#define mysql_options	mysql_optionsv
 #endif
 
 /* need some structs to help organize things */
@@ -598,12 +607,27 @@ static void plmysql_connect_single(DICT_MYSQL *dict_mysql, HOST *host)
 	mysql_options(host->db, MYSQL_READ_DEFAULT_FILE, dict_mysql->option_file);
     if (dict_mysql->option_group && dict_mysql->option_group[0])
 	mysql_options(host->db, MYSQL_READ_DEFAULT_GROUP, dict_mysql->option_group);
+#if MYSQL_VERSION_ID >= 80035
+    /* Preferred API. */
+    if (dict_mysql->tls_key_file)
+	mysql_options(host->db, MYSQL_OPT_SSL_KEY, dict_mysql->tls_key_file);
+    if (dict_mysql->tls_cert_file)
+	mysql_options(host->db, MYSQL_OPT_SSL_CERT, dict_mysql->tls_cert_file);
+    if (dict_mysql->tls_CAfile)
+	mysql_options(host->db, MYSQL_OPT_SSL_CA, dict_mysql->tls_CAfile);
+    if (dict_mysql->tls_CApath)
+	mysql_options(host->db, MYSQL_OPT_SSL_CAPATH, dict_mysql->tls_CApath);
+    if (dict_mysql->tls_ciphers)
+	mysql_options(host->db, MYSQL_OPT_SSL_CIPHER, dict_mysql->tls_ciphers);
+#else
+    /* Deprecated API. */
     if (dict_mysql->tls_key_file || dict_mysql->tls_cert_file ||
 	dict_mysql->tls_CAfile || dict_mysql->tls_CApath || dict_mysql->tls_ciphers)
 	mysql_ssl_set(host->db,
 		      dict_mysql->tls_key_file, dict_mysql->tls_cert_file,
 		      dict_mysql->tls_CAfile, dict_mysql->tls_CApath,
 		      dict_mysql->tls_ciphers);
+#endif
 #if defined(DICT_MYSQL_SSL_VERIFY_SERVER_CERT)
     if (dict_mysql->tls_verify_cert != -1)
 	mysql_options(host->db, DICT_MYSQL_SSL_VERIFY_SERVER_CERT,

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20240622"
+#define MAIL_RELEASE_DATE	"20240722"
 #define MAIL_VERSION_NUMBER	"3.10"
 
 #ifdef SNAPSHOT

postfix/src/smtpd/smtpd_check.c

@@ -3570,15 +3570,21 @@ static int rbl_reject_reply(SMTPD_STATE *state, const SMTPD_RBL_STATE *rbl,
     /*
      * Use the server-specific reply template or use the default one.
      */
+    rbl_exp.domain = mystrdup(rbl_domain);
+    (void) split_at(rbl_exp.domain, '=');
     if (*var_rbl_reply_maps) {
 	template = maps_find(rbl_reply_maps, rbl_domain, DICT_FLAG_NONE);
-	if (rbl_reply_maps->error)
+	if (template == 0 && rbl_reply_maps->error == 0
+	    && strcmp(rbl_domain, rbl_exp.domain) != 0)
+	    template = maps_find(rbl_reply_maps, rbl_exp.domain,
+				 DICT_FLAG_NONE);
+	if (template == 0 && rbl_reply_maps->error != 0) {
+	    myfree(rbl_exp.domain);
 	    reject_server_error(state);
+	}
     }
     why = vstring_alloc(100);
     rbl_exp.state = state;
-    rbl_exp.domain = mystrdup(rbl_domain);
-    (void) split_at(rbl_exp.domain, '=');
     rbl_exp.what = what;
     rbl_exp.class = reply_class;
     rbl_exp.txt = (rbl->txt == 0 ? "" : rbl->txt);

postfix/src/smtpd/smtpd_check_access

@@ -41,6 +41,10 @@ blackholes.mail-abuse.org	$rbl_code client=$client
  rbl_code=$rbl_code rbl_domain=$rbl_domain rbl_txt=$rbl_txt rbl_what=$rbl_what
  rbl_class=$rbl_class
 
+dnsbltest.porcupine.org=127.0.0.3	 $rbl_code service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain=127.0.0.3 ${rbl_reason?; $rbl_reason}
+
+dnsbltest.porcupine.org	 $rbl_code SERVICE UNAVAILABLE; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
+
 rhsbl.porcupine.org	$rbl_code client=$client
  client_address=$client_address
  client_name=$client_name helo_name=$helo_name 

postfix/src/smtpd/smtpd_check_backup.ref

@@ -17,7 +17,7 @@ OK
 >>> recipient_restrictions permit_mx_backup,reject
 OK
 >>> rcpt wietse@wzv.porcupine.org
-./smtpd_check: warning: support for restriction "permit_mx_backup" will be removed from Postfix; instead, use "relay_domains"
+./smtpd_check: warning: support for restriction "permit_mx_backup" will be removed from Postfix; instead, specify "relay_domains"
 OK
 >>> rcpt wietse@backup.porcupine.org
 OK

postfix/src/smtpd/smtpd_deprecated.ref

@@ -10,7 +10,7 @@ OK
 >>> mail sname@sdomain.example
 OK
 >>> rcpt rname@rdomain.example
-./smtpd_check: warning: restriction permit_naked_ip_address has been removed in Postfix 3.9; use permit_mynetworks or permit_sasl_authenticated instead
+./smtpd_check: warning: support for restriction "permit_naked_ip_address" has been removed in Postfix 3.9; instead, specify "permit_mynetworks" or "permit_sasl_authenticated"
 ./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain.example> to=<rname@rdomain.example> proto=SMTP helo=<127.0.0.2>
 451 4.3.5 Server configuration error
 >>> #
@@ -27,7 +27,7 @@ OK
 >>> mail sname@sdomain.example
 OK
 >>> rcpt rname@rdomain.example
-./smtpd_check: warning: support for restriction "check_relay_domains" has been removed in Postfix 3.9; use "reject_unauth_destination" instead
+./smtpd_check: warning: support for restriction "check_relay_domains" has been removed in Postfix 3.9; instead, specify "reject_unauth_destination"
 ./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain.example> to=<rname@rdomain.example> proto=SMTP helo=<127.0.0.2>
 451 4.3.5 Server configuration error
 >>> #

postfix/src/smtpd/smtpd_exp.in

@@ -29,6 +29,9 @@ client foo 127.0.0.2
 rcpt rname@rdomain
 client foo 127.0.0.1
 rcpt rname@rdomain
+recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org=127.0.0.3
+client foo 127.0.0.3
+rcpt rname@rdomain
 #
 # RHSBL sender domain name
 #
@@ -60,3 +63,15 @@ recipient_restrictions reject_rhsbl_helo,rhsbl.porcupine.org
 helo example.tld
 mail sname@sdomain
 rcpt rname@rdomain
+#
+# rbl_reply_maps lookup error
+#
+smtpd_delay_reject 0
+mynetworks 127.0.0.0/8,168.100.3.0/28
+relay_domains porcupine.org
+rbl_reply_maps fail:1_rbl_reply_maps
+helo foobar
+mail sname@sdomain
+recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org
+client foo 127.0.0.2
+rcpt rname@rdomain

postfix/src/smtpd/smtpd_exp.ref

@@ -25,13 +25,13 @@ OK
 >>> client spike.porcupine.org 168.100.3.2
 OK
 >>> rcpt rname@rdomain
-./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; use "reject_rbl_client domain-name" instead
+./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; instead, specify "reject_rbl_client domain-name"
 ./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.3.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
 451 4.3.5 Server configuration error
 >>> client foo 127.0.0.2
 OK
 >>> rcpt rname@rdomain
-./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; use "reject_rbl_client domain-name" instead
+./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; instead, specify "reject_rbl_client domain-name"
 ./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
 451 4.3.5 Server configuration error
 >>> #
@@ -44,19 +44,26 @@ OK
 >>> client foo 127.0.0.2
 OK
 >>> rcpt rname@rdomain
-./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
-554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test
+./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 554 5.7.1 SERVICE UNAVAILABLE; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
+554 5.7.1 SERVICE UNAVAILABLE; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test
 >>> recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org=127.0.0.2
 OK
 >>> client foo 127.0.0.2
 OK
 >>> rcpt rname@rdomain
-./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
-554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test
+./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 554 5.7.1 SERVICE UNAVAILABLE; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
+554 5.7.1 SERVICE UNAVAILABLE; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test
 >>> client foo 127.0.0.1
 OK
 >>> rcpt rname@rdomain
 OK
+>>> recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org=127.0.0.3
+OK
+>>> client foo 127.0.0.3
+OK
+>>> rcpt rname@rdomain
+./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.3]: 554 5.7.1 service unavailable; Client host [127.0.0.3] blocked using dnsbltest.porcupine.org=127.0.0.3 ; DNS blocklist test; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
+554 5.7.1 service unavailable; Client host [127.0.0.3] blocked using dnsbltest.porcupine.org=127.0.0.3 ; DNS blocklist test
 >>> #
 >>> # RHSBL sender domain name
 >>> #
@@ -111,3 +118,26 @@ OK
 >>> rcpt rname@rdomain
 ./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.3.2]: 554 5.7.1 client=spike.porcupine.org[168.100.3.2] client_address=168.100.3.2 client_name=spike.porcupine.org helo_name=example.tld  sender=sname@sdomain sender_name=sname  sender_domain=sdomain recipient=rname@rdomain recipient_name=rname recipient_domain=rdomain rbl_code=554 rbl_domain=rhsbl.porcupine.org rbl_txt=RHSBL test rbl_what=example.tld rbl_class=Helo command; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<example.tld>
 554 5.7.1 client=spike.porcupine.org[168.100.3.2] client_address=168.100.3.2 client_name=spike.porcupine.org helo_name=example.tld  sender=sname@sdomain sender_name=sname  sender_domain=sdomain recipient=rname@rdomain recipient_name=rname recipient_domain=rdomain rbl_code=554 rbl_domain=rhsbl.porcupine.org rbl_txt=RHSBL test rbl_what=example.tld rbl_class=Helo command
+>>> #
+>>> # rbl_reply_maps lookup error
+>>> #
+>>> smtpd_delay_reject 0
+OK
+>>> mynetworks 127.0.0.0/8,168.100.3.0/28
+OK
+>>> relay_domains porcupine.org
+OK
+>>> rbl_reply_maps fail:1_rbl_reply_maps
+OK
+>>> helo foobar
+OK
+>>> mail sname@sdomain
+OK
+>>> recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org
+OK
+>>> client foo 127.0.0.2
+OK
+>>> rcpt rname@rdomain
+./smtpd_check: warning: fail:1_rbl_reply_maps lookup error for "dnsbltest.porcupine.org"
+./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
+451 4.3.5 Server configuration error