postfix-2.4.0

2025-08-30 21:55:20 +00:00 · 2007-03-28 00:00:00 -05:00
parent 39195f053d
commit 453b66fac7
15 changed files with 351 additions and 559 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -13396,263 +13396,3 @@ Apologies for any names omitted.
 	Workaround: Eric Raymond's man page formatters don't handle
 	low-level *roff .in or .ti controls. We now use .nf and .fi
 	instead. Files: many.
 Wish list:
 	Remove defer(8) and trace(8) references and man pages. These
 	are services not program names.
 	Bind all deliveries to the same local delivery process,
 	making Postfix perform as poorly as monolithic mailers,
 	but giving a possibility to eliminate duplicate deliveries.
 	Maybe declare loop when resolve_local(mxhost) is true?
 	Update message content length when adding/removing headers.
 	Need scache size limit.
 	Update BACKSCATTER_README to use PCRE because that's what I
 	am using now.
 	Make postcat header/body aware so people can grep headers.
 	Make postmap header/body aware so people can test multi-line
 	header checks.
 	REDIRECT should override original recipient info, and
 	probably override DSN as well.
 	Find out if with Sendmail, a Milter "add recipient" request
 	results in NOTIFY=NONE as Postfix does now.
 	Update FILTER_README with mailing list suggestions to tag
 	with a badness indicator and then filter down-stream.
 	Either document or remove the internal_mail_filter_classes
 	feature (it's disabled by default).
 	Build a command-line test driver for the cleanup engine.
 	This allows us to test it with arbitrary record sequences
 	without having to use a live mail queue.
 	Make null local-part handling configurable: either expand
 	into mailer-daemon (current bahavior) or disallow (strict
 	behavior, currently implemented only in the SMTP server).
 	The type of var_message_limit should be changed from int
 	to long or better, to take advantage of LP64 architectures.
 	This also requires checking all expressions in which
 	var_message_limit appears.
 	Add M flag (enable multi-recipient delivery) to pipe daemon.
 	The usage of TLScontext->cache_type is unclear. It specifies
 	a TLS session cache type (smtpd, smtp, or lmtp), but it is
 	sometimes used as an indicator that TLS session caching is
 	unavailable.  In reality, that decision is made by not
 	registering call-back functions for cache maintenance.
 	Postfix TLS library code should copy any strings that it
 	receives from the application, instead of passing them
 	around as pointers. TLScontext->cache_type is a case in
 	point.
 	Are transport:nexthop null fields the same as in the case
 	of default_transport etc. parameters?
 	Don't lose bits when converting st_dev into maildir file
 	name. It's 64 bits on Linux. Found with the BEAM source
 	code analyzer. Is this really a problem, or are they just
 	using 64 bits for upwards compatibility with LP64 systems?
 	Do or don't introduce unknown_reverse_client_reject_code.
 	Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
 	UNIX).
 	Tempfail when a Milter application wants content access,
 	while it is configured in an SMTP server that runs before
 	the smtpd_proxy filter.
 	Log DSN original recipient when rejecting mail.
 	Keep whitespace between label and ":"?
 	Make the map case folding/locking options configurable, if
 	not at run-time then at least at compile time so we get
 	consistent behavior across applications.
 	Investigate what it would take to eliminate oqmgr, and to
 	make the old behavior configurable in a unified queue
 	manager.  This would shave another 2.7 KLOC from the source
 	footprint.
 	Document the case folding strategy for match_list like
 	features.
 	Eliminate the (incoming,deferred)->active rename operation.
 	Softbounce fallback-to-ISP for SOHO users. This requires
 	playing with the soft_error test in the smtp_trouble.c
 	module, and avoiding delivery to backup MX hosts.
 	In the SMTP server, set a "pipelining detected" flag at the
 	start of a session and at protocol synchronization points,
 	so that reject_unauth_pipelining can be specified in any
 	access rule.
 	Centralize main.cf parameter input so that defaults work
 	consistently. What about parameter names that are prefixed
 	with mail delivery transport names?
 	Fix default time unit handling so that we can have a default
 	bounce lifetime of $maximal_queue_lifetime, without causing
 	panics when a non-default maximal_queue_lifetime setting
 	includes no time unit.
 	After the 20051222 ISASCII paranoia, lowercase() lowercases
 	ASCII text only.
 	Privacy: remove local command/pathname details from remote
 	delivery status reports, and log them via local msg_warn().
 	Is it safe to cache a connection after it has been used for
 	more than some number of address verification probes?
 	Try to recognize that Resent- headers appear in blocks,
 	newest block first. But don't break on incorrect header
 	block organization.
 	Hard limits on cache sizes (anvil, specifically).
 	Laptop friendliness: make the qmgr remember when the next
 	deferred queue scan needs to be done, and have the pickup
 	server stat() the maildrop directory before searching it.
 	Low: replace_sender/replace_recipient actions in access
 	maps?
 	Low: configurable order of local(8) delivery methods.
 	Med: local and remote source port and IP address for smtpd
 	policy hook.
 	Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
 	to limit the total time spent trying to connect.
 	Med: transform IPv4-in-IPv6 address literals to IPv4 form
 	when comparing against local IP addresses?
 	Med: transform IPv4-in-IPv6 address literals to IPv4 form
 	when eliminating MX mailer loops?
 	Med: Postfix requires [] around IPv6 address information
 	in match lists such as mynetworks, debug_peer_list etc.,
 	but the [] must not be specified in access(5) maps. Other
 	places don't care.  For now, this gotcha is documented in
 	IPV6_README and in postconf(5) with each feature that may
 	use IPv6 address information. The general recommendation
 	is not to use [] unless absolutely necessary.
 	Med: the partial address matching of IPv6 addresses in
 	access(5) maps is a bit lame: it repeatedly truncates the
 	last ":octetpair" from the printable address representation
 	until a match is found or until truncation is no longer
 	possible.  Since one or more ":" are usually omitted from
 	the printable IPv6 address representation, this does not
 	really try all the possibilities that one might expect to
 	be tried. For now, this gotcha is documented in access(5).
 	Med: the TLS certificate verification depth parameters never
 	worked.
 	Low: reject HELO with any domain name or IP address that
 	this MTA is the final destination for.
 	Low: should the Delivered-To: test in local(8) be configurable?
 	Low: make mail_addr_find() lookup configurable.
 	Low: update events.c so that 1-second timer requests do not
 	suffer from rounding errors. This is needed for 1-second
 	SMTP session caching time limits. A 1-second interval would
 	become arbitrarily short when an event is scheduled just
 	before the current second rolls over.
 	Low: configurable internal/system locking method.
 	Low: add INSTALL section for pre-existing Postfix systems.
 	Low: add INSTALL section for pre-existing RPM Postfixes.
 	Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).
 	Low: noise filter: allow smtp(8) to retry immediately if
 	all MXes return a quick ECONNRESET or 4xx reply during the
 	initial handshake. Retry once? How many times?
 	Low: make post-install a "postfix-only script" so it can
 	take data from the environment instead of main.cf.
 	Low: randomize deferred mail backoff.
 	Med: separate ulimit for delivery to command?
 	Med: option to open queue file early, after MAIL FROM.  This
 	would allow correlation of rejected RCPT TO requests with
 	accepted requests for the same mail transaction.
 	Med: postsuper -r should do something with recipients in
 	bounce logfiles, to make sure the sender will be notified.
 	To be perfectly safe, no process other than the queue manager
 	should move a queue file away from the active queue.
 	This could involve tagging a queue file, and use up another
 	permission bit (postsuper tags a "hot" file, qmgr requeues it).
 	Low: postsuper re-run after renaming files, but only a
 	limited number of times.
 	Low: smtp-source may block when sending large test messages.
 	Med: find a way to log the sender address when MAIL FROM
 	is rejected due to lack of disk space.
 	Low: revise other local delivery agent duplicate filters.
 	Low: all table lookups should consistently use internalized
 	(unquoted) or externalized (quoted) forms as lookup keys.
 	smtpd, qmgr, local, etc. use unquoted address forms as keys.
 	cleanup uses quoted forms.
 	Low: have a configurable list of errno values for mailbox
 	or maildir delivery that result in deferral rather than
 	bouncing mail. What about "killed by signal" exits?
 	Low: after reorganizing configuration parameters, add flags
 	to all parameters whose value can be read from file.
 	Medium: need in-process caching for map lookups. LDAP servers
 	seem to need this in particular. Need a way to expire cached
 	results that are too old.
 	Low: generic showq protocol, to allow for more intelligent
 	processing than just mailq. Maybe marry this with postsuper.
 	Low: default domain for appending to unqualified recipients,
 	so that unqualified names can be delivered locally.
 	Low: The $process_id_directory setting is not used anywhere
 	in Postfix. Problem reported by Michael Smith, texas.net.
 	This should be documented, or better, the code should warn
 	about attempts to set read-only parameters.
 	Low: postconf -e edits parameters that postconf won't list.
 	Low: while converting 8bit text to quoted-printable, perhaps
 	use =46rom to avoid having to produce >From when delivering
 	to mailbox.
 	virtual_mailbox_path expression like forward_path, so that
 	people can specify prefix and suffix.
--- a/postfix/README_FILES/BACKSCATTER_README
+++ b/postfix/README_FILES/BACKSCATTER_README
@@ -4,7 +4,11 @@ PPoossttffiixx BBaacckkssccaatttteerr HHoowwttoo
 OOvveerrvviieeww
-This document describes features that require Postfix version 2.0 or later.
+This document describes features that require Postfix version 2.0 or later. The
 examples use Perl Compatible Regular Expressions (Postfix pcre: tables), but
 also provide a translation to POSIX regular expressions (Postfix regexp:
 tables). PCRE is preferred primarily because the implementation is often
 faster.
 Topics covered in this document:
@@ -97,8 +101,8 @@ To block such backscatter I use header_checks and body_checks patterns like
 this:
    /etc/postfix/main.cf:
-        header_checks = regexp:/etc/postfix/header_checks
+        header_checks = pcre:/etc/postfix/header_checks
-        body_checks = regexp:/etc/postfix/body_checks
+        body_checks = pcre:/etc/postfix/body_checks
    /etc/postfix/header_checks:
        if /^Received:/
@@ -107,7 +111,7 @@ this:
        /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)
    (porcupine\.org)\)/
            reject forged client name in Received: header: $2
-        /^Received:.* +by +(porcupine\.org)[[:>:]]/
+        /^Received:.* +by +(porcupine\.org)\b/
            reject forged mail server name in Received: header: $1
        endif
        /^Message-ID:.* <!&!/ DUNNO
@@ -121,7 +125,7 @@ this:
        /^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)
    (porcupine\.org)\)/
            reject forged client name in Received: header: $2
-        /^[> ]*Received:.* +by +(porcupine\.org)[[:>:]]/
+        /^[> ]*Received:.* +by +(porcupine\.org)\b/
            reject forged mail server name in Received: header: $1
        endif
        /^[> ]*Message-ID:.* <!&!/ DUNNO
@@ -130,6 +134,9 @@ this:
 Notes:
  * The example uses pcre: tables mainly for speed; with minor modifications,
    you can use regexp: tables as explained below.
  * The example is simplified for educational purposes. In reality my patterns
    list multiple domain names, as "(domain|domain|...)".
@@ -139,8 +146,9 @@ Notes:
  * The "\(" and "\)" match "(" and ")" literally. Without the "\", the "(" and
    ")" would be grouping operators.
-  * The "[[:>:]]" matches the end of a word. On some systems you should specify
+  * The "\b" is used here to match the end of a word. If you use regexp:
-    "\>" instead. For details see your system documentation.
+    tables, specify "[[:>:]]" (on some systems you should specify "\>" instead;
    for details see your system documentation).
  * The "if /pattern/" and "endif" eliminate unnecessary matching attempts. DO
    NOT indent lines starting with /pattern/ between the "if" and "endif"!
@@ -202,25 +210,29 @@ the backscatter mail that I get claims to be sent from these addresses. Such
 mail is obviously forged and is very easy to stop.
    /etc/postfix/main.cf:
-        header_checks = regexp:/etc/postfix/header_checks
+        header_checks = pcre:/etc/postfix/header_checks
-        body_checks = regexp:/etc/postfix/body_checks
+        body_checks = pcre:/etc/postfix/body_checks
    /etc/postfix/header_checks:
-        /^(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+        /^(From|Return-Path):.*\b(user@domain\.tld)\b/
            reject forged sender address in $1: header: $2
    /etc/postfix/body_checks:
-        /^[> ]*(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+        /^[> ]*(From|Return-Path):.*\b(user@domain\.tld)\b/
            reject forged sender address in $1: header: $2
 Notes:
  * The example uses pcre: tables mainly for speed; with minor modifications,
    you can use regexp: tables as explained below.
  * The example is simplified for educational purposes. In reality, my patterns
    list multiple email addresses as "(user1@domain1\.tld|user2@domain2\.tld)".
-  * The "[[:<:]]" and "[[:>:]]" match the beginning and end of a word,
+  * The two "\b" as used in "\b(user@domain\.tld)\b" match the beginning and
-    respectively. On some systems you should specify "\<" and "\>" instead. For
+    end of a word, respectively. If you use regexp: tables, specify "[[:<:]]
-    details see your system documentation.
+    and [[:>:]]" (on some systems you should specify "\< and \>" instead; for
    details see your system documentation).
  * The "\." matches "." literally. Without the "\", the "." would match any
    character.
--- a/postfix/README_FILES/OVERVIEW
+++ b/postfix/README_FILES/OVERVIEW
@@ -209,12 +209,13 @@ queues.
    Network -> smtpd(8) <-> anvil(8)
-  * The bounce(8), defer(8) and trace(8) servers each maintain their own queue
+  * The bounce(8), defer(8) and trace(8) services each maintain their own queue
-    directory trees with per-message logfiles. This information is used to send
+    directory trees with per-message logfiles. Postfix uses this information
-    delivery or non-delivery notifications to the sender.
+    when sending "failed", "delayed" or "success" delivery status notifications
    to the sender.
-    The trace(8) service implements support for the Postfix "sendmail -bv" and
+    The trace(8) service also implements support for the Postfix "sendmail -bv"
-    "sendmail -v" commands which produce reports about how Postfix delivers
+    and "sendmail -v" commands which produce reports about how Postfix delivers
    mail, and is available with Postfix version 2.1 and later. See DEBUG_README
    for examples.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -14,6 +14,8 @@ specifies the release date of a stable release or snapshot release.
 Major changes - critical
 ------------------------
 See RELEASE_NOTES-2.3 if you upgrade from Postfix 2.2 or earlier.
 [Incompat 20070122] To take advantage of the new support for BSD
 kqueue, Linux epoll, or Solaris /dev/poll, you must restart (not
 reload) Postfix after upgrading from Postfix 2.3.
@@ -42,8 +44,8 @@ creates mailbox dotlock files on all systems. This prevents problems
 with GNU POP3D which subverts kernel locking by creating a new
 mailbox file and deleting the old one.
-Major changes - milter
+Major changes - Milter support
----------------------
+------------------------------
 [Feature 20070121] The support for Milter header modification
 requests was revised.  With minimal change in the on-disk representation,
@@ -55,8 +57,13 @@ format is entirely backwards compatible with Postfix 2.3.
 body.  Postfix now implements all the header/body modification
 requests that are available with Sendmail 8.13.
-Major changes - tls
+[Incompat 20070116] A new field is added to the queue file "size"
-------------------
+record that specifies the message content length.  Postfix 2.3 and
 older Postfix 2.4 snapshots will ignore this field, and will report
 the message size as it was before the body was replaced.
 Major changes - TLS support
 ---------------------------
 [Incompat 20061214] The check_smtpd_policy client sends TLS certificate
 attributes (client ccert_subject, ccert_issuer) only after successful
@@ -113,35 +120,34 @@ default_recipient_refill_delay (how long to wait between refill
 operations). These two parameters act as defaults for optional
 per-transport settings.
-Major changes - delivery status notification
+Major changes - delivery status notifications
--------------------------------------------
+---------------------------------------------
 [Incompat 20061209] Small changes were made to the default bounce
 message templates, to prevent HTML-aware software from hiding or
 removing the text "<postmaster>", and producing misleading text.
-[Incompat 20060806] [Incompat 20060806] Postfix no longer announces
+[Incompat 20060806] Postfix no longer announces its name in delivery
-its name in delivery status notifications.  Users believe that
+status notifications.  Users believe that Wietse provides a free
-Wietse provides a free help desk service that solves all their email
+help desk service that solves all their email problems.
 problems.
-Major changes - etrn
+Major changes - ETRN support
--------------------
+----------------------------
 [Feature 20061217] More precise queue flushing with the ETRN,
 "postqueue -s site", and "sendmail -qRsite" commands, after
 minimization of race conditions.  New per-queue-file flushing with
 "postqueue -i queueid" and "sendmail -qIqueueid".
-Major changes - small office/home office
+Major changes - small office/home office support
----------------------------------------
+------------------------------------------------
 [Incompat 20061217] Postfix no longer requires a domain name. It
 uses "localdomain" as the default Internet domain name when no
 domain is specified via main.cf or via the machine's hostname.
-Major changes - access control
+Major changes - SMTP access control
------------------------------
+-----------------------------------
 [Incompat 20061214] The check_smtpd_policy client sends TLS certificate
 attributes (client ccert_subject, ccert_issuer) only after successful
@@ -190,11 +196,3 @@ on/off configurable.  This introduces new parameters: smtp_pix_workarounds
 (default: disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
 (workarounds indexed by server IP address).  The default settings
 are backwards compatible.
 Major changes - other
 ---------------------
 [Incompat 20070116] A new field is added to the queue file "size"
 record that specifies the message content length.  Postfix 2.3 and
 older Postfix 2.4 versions will ignore this field, and will report
 the message size as it was before the body was replaced.
--- a/postfix/RELEASE_NOTES-2.3
+++ b/postfix/RELEASE_NOTES-2.3
--- a/postfix/TODO
+++ b/postfix/TODO
@@ -1,5 +0,0 @@
 What needs to be done before Postfix 2.4.0 is finished:
 - Update BACKSCATTER_README with PCRE rules.
 - Truncate wish list from HISTORY.
--- a/postfix/conf/header_checks
+++ b/postfix/conf/header_checks
@@ -66,6 +66,11 @@
 #        time, even when a message  header  spans  multiple  lines.
 #        Body lines are always examined one line at a time.
 # 
 # COMPATIBILITY
 #        With Postfix version 2.2 and earlier specify "postmap -fq"
 #        to query a table that contains case sensitive patterns. By
 #        default,  regexp: and pcre: patterns are case insensitive.
 # 
 # TABLE FORMAT
 #        This document assumes that header  and  body_checks  rules
 #        are  specified  in  the form of Postfix regular expression
@@ -289,7 +294,7 @@
 #               line is not carried over to the next line.
 # 
 #        o      If text in the message body is encoded  (RFC  2045)
-#               then the rules have to specified  for  the  encoded
+#               then the rules need to be specified for the encoded
 #               form.
 # 
 #        o      Likewise, when message  headers  are  encoded  (RFC
--- a/postfix/html/BACKSCATTER_README.html
+++ b/postfix/html/BACKSCATTER_README.html
@@ -21,7 +21,10 @@ Backscatter Howto</h1>
 <h2>Overview </h2>
 This document describes features that require Postfix version 2.0
-or later.
+or later.  The examples use Perl Compatible Regular Expressions
 (Postfix <a href="pcre_table.5.html">pcre</a>: tables), but also provide a translation to POSIX
 regular expressions (Postfix <a href="regexp_table.5.html">regexp</a>: tables). PCRE is preferred
 primarily because the implementation is often faster.</p>
 <p> Topics covered in this document: </p>
@@ -174,8 +177,8 @@ patterns like this: </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks
+    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks
-    <a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks
+    <a href="postconf.5.html#body_checks">body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/body_checks
 /etc/postfix/header_checks:
    if /^Received:/
@@ -183,7 +186,7 @@ patterns like this: </p>
        reject forged client name in Received: header: $1
    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
-    /^Received:.* +by +(porcupine\.org)[[:&gt;:]]/
+    /^Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
    /^Message-ID:.* &lt;!&amp;!/ DUNNO
@@ -196,7 +199,7 @@ patterns like this: </p>
        reject forged client name in Received: header: $1
    /^[&gt; ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
-    /^[&gt; ]*Received:.* +by +(porcupine\.org)[[:&gt;:]]/
+    /^[&gt; ]*Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
    /^[&gt; ]*Message-ID:.* &lt;!&amp;!/ DUNNO
@@ -209,6 +212,9 @@ patterns like this: </p>
 <ul>
 <li> <p> The example uses <a href="pcre_table.5.html">pcre</a>: tables mainly for speed; with minor
 modifications, you can use <a href="regexp_table.5.html">regexp</a>: tables as explained below. </p>
 <li> <p> The example is simplified for educational purposes.  In
 reality my patterns list multiple domain names, as
 "<tt>(domain|domain|...)</tt>".  </p>
@@ -220,9 +226,10 @@ the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
 and "<tt>)</tt>" literally. Without the "<tt>\</tt>", the "<tt>(</tt>"
 and "<tt>)</tt>" would be grouping operators.  </p>
-<li> <p> The "<tt>[[:&gt;:]]</tt>" matches the end of a word. On
+<li> <p> The "<tt>\b</tt>" is used here to match the end of a word.
-some systems you should specify "<tt>\&gt;</tt>" instead. For details
+If you use <a href="regexp_table.5.html">regexp</a>: tables, specify "<tt>[[:&gt;:]]</tt>" (on some
-see your system documentation. </p>
+systems you should specify "<tt>\&gt;</tt>" instead; for details
 see your system documentation).
 <li> <p> The "if /pattern/" and "endif" eliminate unnecessary
 matching attempts. DO NOT indent lines starting with /pattern/
@@ -311,15 +318,15 @@ and is very easy to stop.
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks
+    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks
-    <a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks
+    <a href="postconf.5.html#body_checks">body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/body_checks
 /etc/postfix/header_checks:
-    /^(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/ 
+    /^(From|Return-Path):.*\b(user@domain\.tld)\b/ 
        reject forged sender address in $1: header: $2
 /etc/postfix/body_checks:
-    /^[&gt; ]*(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/ 
+    /^[&gt; ]*(From|Return-Path):.*\b(user@domain\.tld)\b/ 
        reject forged sender address in $1: header: $2
 </pre>
 </blockquote>
@@ -328,14 +335,18 @@ and is very easy to stop.
 <ul>
 <li> <p> The example uses <a href="pcre_table.5.html">pcre</a>: tables mainly for speed; with minor
 modifications, you can use <a href="regexp_table.5.html">regexp</a>: tables as explained below. </p>
 <li> <p> The example is simplified for educational purposes.  In
 reality, my patterns list multiple email addresses as
 "<tt>(user1@domain1\.tld|user2@domain2\.tld)</tt>".  </p>
-<li> <p> The "<tt>[[:&lt;:]]</tt>" and "<tt>[[:&gt;:]]</tt>" match
+<li> <p> The two "<tt>\b</tt>" as used in "<tt>\b(user@domain\.tld)\b</tt>"
-the beginning and end of a word, respectively. On some systems you
+match the beginning and end of a word, respectively.  If you use
-should specify "<tt>\&lt;</tt>" and "<tt>\&gt;</tt>" instead. For
+<a href="regexp_table.5.html">regexp</a>: tables, specify "<tt>[[:&lt;:]]</tt> and <tt>[[:&gt;:]]</tt>"
-details see your system documentation. </p>
+(on some systems you should specify "<tt>\&lt;</tt> and <tt>\&gt;</tt>"
 instead; for details see your system documentation).  </p>
 <li> <p> The "<tt>\.</tt>" matches "<tt>.</tt>" literally. Without
 the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
--- a/postfix/html/OVERVIEW.html
+++ b/postfix/html/OVERVIEW.html
@@ -460,12 +460,13 @@ bgcolor="#f0f0ff"> <br> <a href="smtpd.8.html">smtpd(8)</a><br><br> </td> <td> <
 </table>
-<li> <p> The <a href="bounce.8.html">bounce(8)</a>, <a href="defer.8.html">defer(8)</a> and <a href="trace.8.html">trace(8)</a> servers each maintain
+<li> <p> The <a href="bounce.8.html">bounce(8)</a>, <a href="defer.8.html">defer(8)</a> and <a href="trace.8.html">trace(8)</a> services each maintain
-their own queue directory trees with per-message logfiles. This
+their own queue directory trees with per-message logfiles. Postfix
-information is used to send delivery or non-delivery notifications
+uses this information when sending "failed", "delayed" or "success"
-to the sender. </p>
+delivery status notifications to the sender. </p>
-<p> The <a href="trace.8.html">trace(8)</a> service implements support for the Postfix "sendmail
+<p> The <a href="trace.8.html">trace(8)</a> service also implements support for the Postfix
 "sendmail
 -bv" and "sendmail -v" commands which produce reports about how
 Postfix delivers mail, and is available with Postfix version 2.1
 and later. See <a href="DEBUG_README.html#trace_mail"> DEBUG_README
--- a/postfix/html/header_checks.5.html
+++ b/postfix/html/header_checks.5.html
@@ -72,6 +72,11 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
       time, even when a message  header  spans  multiple  lines.
       Body lines are always examined one line at a time.
 <b>COMPATIBILITY</b>
       With Postfix version 2.2 and earlier specify "<b>postmap -fq</b>"
       to query a table that contains case sensitive patterns. By
       default,  <a href="regexp_table.5.html">regexp</a>: and <a href="pcre_table.5.html">pcre</a>: patterns are case insensitive.
 <b>TABLE FORMAT</b>
       This document assumes that header  and  <a href="postconf.5.html#body_checks">body_checks</a>  rules
       are  specified  in  the form of Postfix regular expression
@@ -295,7 +300,7 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
              line is not carried over to the next line.
       <b>o</b>      If text in the message body is encoded  (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC  2045</a>)
-              then the rules have to specified  for  the  encoded
+              then the rules need to be specified for the encoded
              form.
       <b>o</b>      Likewise, when message  headers  are  encoded  (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC</a>
--- a/postfix/man/man5/header_checks.5
+++ b/postfix/man/man5/header_checks.5
@@ -8,17 +8,15 @@ Postfix built-in content inspection
 .SH "SYNOPSIS"
 .na
 .nf
 .nf
 \fBheader_checks = pcre:/etc/postfix/header_checks\fR
 .br
 \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR
 .br
 \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR
 .br
 \fBbody_checks = pcre:/etc/postfix/body_checks\fR
 .sp
 \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
 .br
 \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
 .fi
 .SH DESCRIPTION
 .ad
 .fi
@@ -66,6 +64,15 @@ message headers is treated as body content.
 Note: message headers are examined one logical header at a time,
 even when a message header spans multiple lines. Body lines are
 always examined one line at a time.
 .SH "COMPATIBILITY"
 .na
 .nf
 .ad
 .fi
 With Postfix version 2.2 and earlier specify "\fBpostmap
 -fq\fR" to query a table that contains case sensitive
 patterns. By default, regexp: and pcre: patterns are case
 insensitive.
 .SH "TABLE FORMAT"
 .na
 .nf
@@ -273,7 +280,7 @@ line at a time. A decision made for one line is not carried over
 to the next line.
 .IP \(bu
 If text in the message body is encoded
-(RFC 2045) then the rules have to specified for the encoded
+(RFC 2045) then the rules need to be specified for the encoded
 form.
 .IP \(bu
 Likewise, when message headers are encoded (RFC
--- a/postfix/proto/BACKSCATTER_README.html
+++ b/postfix/proto/BACKSCATTER_README.html
@@ -21,7 +21,10 @@ Backscatter Howto</h1>
 <h2>Overview </h2>
 This document describes features that require Postfix version 2.0
-or later.
+or later.  The examples use Perl Compatible Regular Expressions
 (Postfix pcre: tables), but also provide a translation to POSIX
 regular expressions (Postfix regexp: tables). PCRE is preferred
 primarily because the implementation is often faster.</p>
 <p> Topics covered in this document: </p>
@@ -174,8 +177,8 @@ patterns like this: </p>
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    header_checks = regexp:/etc/postfix/header_checks
+    header_checks = pcre:/etc/postfix/header_checks
-    body_checks = regexp:/etc/postfix/body_checks
+    body_checks = pcre:/etc/postfix/body_checks
 /etc/postfix/header_checks:
    if /^Received:/
@@ -183,7 +186,7 @@ patterns like this: </p>
        reject forged client name in Received: header: $1
    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
-    /^Received:.* +by +(porcupine\.org)[[:&gt;:]]/
+    /^Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
    /^Message-ID:.* &lt;!&amp;!/ DUNNO
@@ -196,7 +199,7 @@ patterns like this: </p>
        reject forged client name in Received: header: $1
    /^[&gt; ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
-    /^[&gt; ]*Received:.* +by +(porcupine\.org)[[:&gt;:]]/
+    /^[&gt; ]*Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
    /^[&gt; ]*Message-ID:.* &lt;!&amp;!/ DUNNO
@@ -209,6 +212,9 @@ patterns like this: </p>
 <ul>
 <li> <p> The example uses pcre: tables mainly for speed; with minor
 modifications, you can use regexp: tables as explained below. </p>
 <li> <p> The example is simplified for educational purposes.  In
 reality my patterns list multiple domain names, as
 "<tt>(domain|domain|...)</tt>".  </p>
@@ -220,9 +226,10 @@ the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
 and "<tt>)</tt>" literally. Without the "<tt>\</tt>", the "<tt>(</tt>"
 and "<tt>)</tt>" would be grouping operators.  </p>
-<li> <p> The "<tt>[[:&gt;:]]</tt>" matches the end of a word. On
+<li> <p> The "<tt>\b</tt>" is used here to match the end of a word.
-some systems you should specify "<tt>\&gt;</tt>" instead. For details
+If you use regexp: tables, specify "<tt>[[:&gt;:]]</tt>" (on some
-see your system documentation. </p>
+systems you should specify "<tt>\&gt;</tt>" instead; for details
 see your system documentation).
 <li> <p> The "if /pattern/" and "endif" eliminate unnecessary
 matching attempts. DO NOT indent lines starting with /pattern/
@@ -311,15 +318,15 @@ and is very easy to stop.
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    header_checks = regexp:/etc/postfix/header_checks
+    header_checks = pcre:/etc/postfix/header_checks
-    body_checks = regexp:/etc/postfix/body_checks
+    body_checks = pcre:/etc/postfix/body_checks
 /etc/postfix/header_checks:
-    /^(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/ 
+    /^(From|Return-Path):.*\b(user@domain\.tld)\b/ 
        reject forged sender address in $1: header: $2
 /etc/postfix/body_checks:
-    /^[&gt; ]*(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/ 
+    /^[&gt; ]*(From|Return-Path):.*\b(user@domain\.tld)\b/ 
        reject forged sender address in $1: header: $2
 </pre>
 </blockquote>
@@ -328,14 +335,18 @@ and is very easy to stop.
 <ul>
 <li> <p> The example uses pcre: tables mainly for speed; with minor
 modifications, you can use regexp: tables as explained below. </p>
 <li> <p> The example is simplified for educational purposes.  In
 reality, my patterns list multiple email addresses as
 "<tt>(user1@domain1\.tld|user2@domain2\.tld)</tt>".  </p>
-<li> <p> The "<tt>[[:&lt;:]]</tt>" and "<tt>[[:&gt;:]]</tt>" match
+<li> <p> The two "<tt>\b</tt>" as used in "<tt>\b(user@domain\.tld)\b</tt>"
-the beginning and end of a word, respectively. On some systems you
+match the beginning and end of a word, respectively.  If you use
-should specify "<tt>\&lt;</tt>" and "<tt>\&gt;</tt>" instead. For
+regexp: tables, specify "<tt>[[:&lt;:]]</tt> and <tt>[[:&gt;:]]</tt>"
-details see your system documentation. </p>
+(on some systems you should specify "<tt>\&lt;</tt> and <tt>\&gt;</tt>"
 instead; for details see your system documentation).  </p>
 <li> <p> The "<tt>\.</tt>" matches "<tt>.</tt>" literally. Without
 the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
--- a/postfix/proto/OVERVIEW.html
+++ b/postfix/proto/OVERVIEW.html
@@ -460,12 +460,13 @@ bgcolor="#f0f0ff"> <br> smtpd(8)<br><br> </td> <td> <tt> &lt;-&gt;
 </table>
-<li> <p> The bounce(8), defer(8) and trace(8) servers each maintain
+<li> <p> The bounce(8), defer(8) and trace(8) services each maintain
-their own queue directory trees with per-message logfiles. This
+their own queue directory trees with per-message logfiles. Postfix
-information is used to send delivery or non-delivery notifications
+uses this information when sending "failed", "delayed" or "success"
-to the sender. </p>
+delivery status notifications to the sender. </p>
-<p> The trace(8) service implements support for the Postfix "sendmail
+<p> The trace(8) service also implements support for the Postfix
 "sendmail
 -bv" and "sendmail -v" commands which produce reports about how
 Postfix delivers mail, and is available with Postfix version 2.1
 and later. See <a href="DEBUG_README.html#trace_mail"> DEBUG_README
--- a/postfix/proto/header_checks
+++ b/postfix/proto/header_checks
@@ -4,17 +4,15 @@
 # SUMMARY
 #	Postfix built-in content inspection
 # SYNOPSIS
 # .nf
 #	\fBheader_checks = pcre:/etc/postfix/header_checks\fR
 # .br
 #	\fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR
 # .br
 #	\fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR
 # .br
 #	\fBbody_checks = pcre:/etc/postfix/body_checks\fR
 # .sp
 #	\fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
 # .br
 #	\fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
 # .fi
 # DESCRIPTION
 #	This document describes access control on the content of
 #	message headers and message body lines; it is implemented
@@ -60,6 +58,13 @@
 #	Note: message headers are examined one logical header at a time,
 #	even when a message header spans multiple lines. Body lines are
 #	always examined one line at a time.
 # COMPATIBILITY
 # .ad
 # .fi
 #       With Postfix version 2.2 and earlier specify "\fBpostmap
 #       -fq\fR" to query a table that contains case sensitive
 #       patterns. By default, regexp: and pcre: patterns are case
 #       insensitive.
 # TABLE FORMAT
 # .ad
 # .fi
@@ -284,7 +289,7 @@
 #	to the next line.
 # .IP \(bu
 #	If text in the message body is encoded
-#	(RFC 2045) then the rules have to specified for the encoded
+#	(RFC 2045) then the rules need to be specified for the encoded
 #	form.
 # .IP \(bu
 #	Likewise, when message headers are encoded (RFC
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20070327"
+#define MAIL_RELEASE_DATE	"20070328"
-#define MAIL_VERSION_NUMBER	"2.4.0-RC10"
+#define MAIL_VERSION_NUMBER	"2.4.0"
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE