From 45b1555c81ee7e9345040ccdea115103a492fe05 Mon Sep 17 00:00:00 2001
From: Wietse Z Venema <wietse@porcupine.org>
Date: Mon, 2 Dec 2024 00:00:00 -0500
Subject: [PATCH] postfix-3.10-20241202

---
 postfix/HISTORY                             | 55 +++++++++++++
 postfix/README_FILES/LOCAL_RECIPIENT_README | 71 ++++++++++------
 postfix/WISHLIST                            |  4 +
 postfix/html/LOCAL_RECIPIENT_README.html    | 82 ++++++++++++-------
 postfix/html/Makefile.in                    |  3 +-
 postfix/html/lmtp.8.html                    |  6 +-
 postfix/html/postconf.5.html                | 89 +++++++++-----------
 postfix/html/smtp.8.html                    |  6 +-
 postfix/html/spawn.8.html                   | 45 ++++++-----
 postfix/man/man5/postconf.5                 | 68 ++++++++--------
 postfix/man/man8/smtp.8                     |  4 +-
 postfix/man/man8/spawn.8                    | 53 ++++++------
 postfix/mantools/dehtml                     |  6 +-
 postfix/mantools/fixman                     |  2 +
 postfix/mantools/postconf2man               |  2 +
 postfix/mantools/srctoman                   |  2 +
 postfix/proto/LOCAL_RECIPIENT_README.html   | 82 ++++++++++++-------
 postfix/proto/postconf.proto                | 90 ++++++++++-----------
 postfix/proto/stop.double-history           |  1 +
 postfix/proto/stop.spell-history            |  5 ++
 postfix/src/cleanup/cleanup_message.c       | 10 ++-
 postfix/src/global/mail_version.h           |  2 +-
 postfix/src/smtp/smtp.c                     |  2 +-
 postfix/src/spawn/spawn.c                   | 53 +++++++-----
 postfix/src/util/Makefile.in                |  1 +
 postfix/src/util/spawn_command.c            | 12 ++-
 26 files changed, 461 insertions(+), 295 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index afa2e42f1..91f24ead4 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -28582,3 +28582,58 @@ Apologies for any names omitted.
 	instead of a message buffer and length. This is in preparation
 	for unix-dgram support in a spawn(8)-like service. Files:
 	master/dgram_server.c, master/mail_server.h, postlogd/postlogd.c.
+
+20241122
+
+	Documentation: updated the LOCAL_RECIPIENT_README text, and
+	pointed there from the local_recipient_maps description in
+	postconf(5). Files: proto/LOCAL_RECIPIENT_README.html,
+	proto/postconf.proto.
+
+20241127
+
+	Documentation: default_delivery_status_filter text. File:
+	proto/postconf.proto.
+
+	Documentation: support to convert superscripts in postconf.proto
+	manpage text from HTML to *roff. The result is a compromise:
+	vertical motion (\v'expr') works with groff, but not with
+	the newer mandoc and with the older UNIX nroff. So we use
+	^ instead.  Files: mantools/fixman, mantools/postconf2man,
+	proto/postconf.proto.
+
+20241129
+
+	Bugfix (introduced: on or before 19891104): the manpage
+	extractor mis-formatted titles with multiple names. File:
+	mantools/srctoman.
+
+20241130
+
+	Bugfix (defect introduced: 19991230): the spawn daemon
+	failed to enforce the command time limit. It was sending
+	the SIGKILL signal using the wrong effective UID and GID.
+	The pipe daemon has always done this right. File:
+	util/spawn_command.c.
+
+20241201
+
+	Bugfix (defect introduced Postfix 3.0). Missing UTF8
+	autodetection for headers that are automatically generated
+	by Postfix (for example, a From: header with UTF8 full name
+	information from the password file). Reported by Michael
+	Tokarev. File: src/cleanup/cleanup_message.c.
+
+20241202
+
+	Cleanup: don't leak parent directory information into
+	documentation checks. File: mantools/dehtml.
+
+	Documentation: reverted a breaking change made 20241122.
+	File: html/Makefile.in.
+
+	Documentation: revised spawn(8) manpage text. This is all
+	that remains of a failed experiment to implement a
+	datagram-based spawn(8) service. It was too difficult to
+	enforce that processes terminate as expected after "postfix
+	reload" etc. File: spawn/spawn.c.
diff --git a/postfix/README_FILES/LOCAL_RECIPIENT_README b/postfix/README_FILES/LOCAL_RECIPIENT_README
index c8b97bdd4..f777c8602 100644
--- a/postfix/README_FILES/LOCAL_RECIPIENT_README
+++ b/postfix/README_FILES/LOCAL_RECIPIENT_README
@@ -21,7 +21,7 @@ recipients correctly.
 
   * Configuring local_recipient_maps in main.cf
   * When you need to change the local_recipient_maps setting in main.cf
-  * Local recipient table format
+  * Local recipient table query format
 
 CCoonnffiigguurriinngg llooccaall__rreecciippiieenntt__mmaappss iinn mmaaiinn..ccff
 
@@ -30,11 +30,13 @@ addresses of local recipients. A recipient address is local when its domain
 matches $mydestination, $inet_interfaces or $proxy_interfaces. If a local
 username or address is not listed in $local_recipient_maps, then the Postfix
 SMTP server will reject the address with "User unknown in local recipient
-table". Other Postfix interfaces may still accept an "unknown" recipient.
+table". Other interfaces such as the Postfix sendmail(1) command may still
+accept an "unknown" recipient.
 
 The default setting, shown below, assumes that you use the default Postfix
 local(8) delivery agent for local delivery, where recipients are either UNIX
-accounts or local aliases:
+accounts (typically, in /etc/passwd) or local aliases (typically, in /etc/
+aliases):
 
     /etc/postfix/main.cf:
         local_recipient_maps = proxy:unix:passwd.byname $alias_maps
@@ -67,19 +69,19 @@ WWhheenn yyoouu nneeeedd ttoo cchhaannggee tthhee llooc
         local_transport = virtual
         local_recipient_maps = $virtual_mailbox_maps
 
-    If you use a different delivery agent for $mydestination etc. domains, see
-    the section "Local recipient table format" below for a description of how
-    the table should be populated.
+    If you don't use the local(8) or virtual(8) delivery agent for
+    $mydestination etc. domains, see the section "Local recipient table format"
+    below for a description of how the table should be populated.
 
   * Problem: you use the mailbox_transport or fallback_transport feature of the
     Postfix local(8) delivery agent in order to deliver mail to non-UNIX
-    accounts.
+    recipients.
 
-    Solution: you need to add the database that lists the non-UNIX users:
+    Solution: you need to add the database that lists the non-UNIX recipients:
 
     /etc/postfix/main.cf
         local_recipient_maps = proxy:unix:passwd.byname, $alias_maps,
-            <the database with non-UNIX accounts>
+            <the database with non-UNIX recipients>
 
     See the section "Local recipient table format" below for a description of
     how the table should be populated.
@@ -88,30 +90,49 @@ WWhheenn yyoouu nneeeedd ttoo cchhaannggee tthhee llooc
     agent.
 
     Solution: you must disable the local_recipient_maps feature completely, so
-    that Postfix accepts mail for all local addresses:
+    that the Postfix SMTP server accepts mail for all local addresses:
 
     /etc/postfix/main.cf
         local_recipient_maps =
 
-LLooccaall rreecciippiieenntt ttaabbllee ffoorrmmaatt
+LLooccaall rreecciippiieenntt ttaabbllee qquueerryy ffoorrmmaatt
 
-If you use local files in postmap(1) format, then local_recipient_maps expects
-the following table format:
+If local_recipient_maps specifies local files, such as files in postmap(1) or
+postalias(1) format, then the Postfix SMTP server generates the following
+queries:
 
-  * In the left-hand side, specify a bare username, an "@domain.tld" wild-card,
-    or specify a complete "user@domain.tld" address.
+  * The full recipient address. This query supports a non-default
+    local_transport setting with a delivery agent such as lmtp(8) or virtual
+    (8). See "Configuring local_recipient_maps in main.cf: for additional
+    guidance for what lookup tables to specify.
 
-  * You have to specify something on the right-hand side of the table, but the
-    value is ignored by local_recipient_maps.
+  * The recipient address local-part. This query supports the default
+    local_transport setting with the UNIX-compatible local(8) delivery agent;
+    the Postfix SMTP server makes this query only when the recipient domain
+    matches $mydestination, $inet_interfaces or $proxy_interfaces.
 
-If you use lookup tables based on NIS, LDAP, MYSQL, or PGSQL, then
-local_recipient_maps does the same queries as for local files in postmap(1)
-format, and expects the same results.
+  * The recipient @domain. This query supports a non-default local_transport
+    setting with a delivery agent such as virtual(8); it is a wildcard for
+    domains that do not have a valid recipient list.
 
-With regular expression tables, Postfix only queries with the full recipient
-address, and not with the bare username or the "@domain.tld" wild-card.
+NOTES:
 
-NOTE: a lookup table should always return a result when the address exists, and
-should always return "not found" when the address does not exist. In
-particular, a zero-length result does not count as a "not found" result.
+  * A lookup table should return a non-empty result when the address exists,
+    and should return "not found" when the address does not exist. In
+    particular, a zero-length (empty) result does not count as a "not found"
+    result.
+
+  * When local_recipient_maps specifies a lookup table based on ldap:,
+    memcache:, mongodb:, mysql:, pgsql:, sqlite:, or other external database,
+    then the Postfix SMTP server queries that lookup table with the same
+    queries as described at the start of this section, and expects the same
+    results.
+
+  * To suppress lookups for the local-part and the @domain wild-card, specify
+    the ddoommaaiinn setting in a Postfix ldap:, memcache:, mongodb:, mysql:, pgsql:,
+    sqlite:, etc., database client configuration file.
+
+  * When local_recipient_maps specifies a lookup table based on pcre:, regexp:,
+    socketmap: or tcp:, Postfix queries that table only with the full recipient
+    address, and not with the local-part or the @domain wild-card.
 
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index cbac5860d..0954a4254 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -2,6 +2,8 @@ Wish list:
 
 	Things to do before the stable release:
 
+	Make the spawn_command fix conditional on compatibility_level.
+
 	make pre-release-check, HTML validator check.
 
 	Disable -DSNAPSHOT and -DNONPROD in makedefs.
@@ -16,6 +18,8 @@ Wish list:
 	relay_recipient_maps empty should default to 'no valid
 	recipients'. Subject to compatibility level.
 
+	In mantools/postlink, allow newline etc. in "<a href".
+
 	Add an option for a TLSRPT built-in JSON generator. This
 	would simplify TLSRPT adoption by eliminating a build-time
 	and run-time dependency on the libtlsrpt client library.
diff --git a/postfix/html/LOCAL_RECIPIENT_README.html b/postfix/html/LOCAL_RECIPIENT_README.html
index 6def51dc3..ec8db5017 100644
--- a/postfix/html/LOCAL_RECIPIENT_README.html
+++ b/postfix/html/LOCAL_RECIPIENT_README.html
@@ -45,7 +45,7 @@ in main.cf</a>
 <li><a href="#change">When you need to change the local_recipient_maps
 setting in main.cf</a>
 
-<li><a href="#format">Local recipient table format </a>
+<li><a href="#format">Local recipient table query format </a>
 
 </ul>
 
@@ -58,11 +58,13 @@ local when its domain matches $<a href="postconf.5.html#mydestination">mydestina
 $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. If a local username or address is not listed in
 $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, then the Postfix SMTP server will reject
 the address with "User unknown in local recipient table". Other
-Postfix interfaces may still accept an "unknown" recipient.  </p>
+interfaces such as the Postfix <a href="sendmail.1.html">sendmail(1)</a> command may still accept
+an "unknown" recipient.  </p>
 
 <p> The default setting, shown below, assumes that you use the
 default Postfix <a href="local.8.html">local(8)</a> delivery agent for local delivery, where
-recipients are either UNIX accounts or local aliases: </p>
+recipients are either UNIX accounts (typically, in /etc/passwd) or
+local aliases (typically, in /etc/aliases): </p>
 
 <blockquote>
 <pre>
@@ -112,22 +114,23 @@ setting in main.cf</a></h2>
     <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
 </pre>
 
-    <p> If you use a different delivery agent for $<a href="postconf.5.html#mydestination">mydestination</a>
+    <p> If you don't use the <a href="local.8.html">local(8)</a> or <a href="virtual.8.html">virtual(8)</a> delivery agent
+    for $<a href="postconf.5.html#mydestination">mydestination</a>
     etc. domains, see the section "<a href="#format">Local recipient
     table format</a>" below for a description of how the table
     should be populated.  </p>
 
     <li> <p> Problem: you use the <a href="postconf.5.html#mailbox_transport">mailbox_transport</a> or <a href="postconf.5.html#fallback_transport">fallback_transport</a>
     feature of the Postfix <a href="local.8.html">local(8)</a> delivery agent in order to
-    deliver mail to non-UNIX accounts. </p>
+    deliver mail to non-UNIX recipients. </p>
 
     <p> Solution: you need to add the database that lists the
-    non-UNIX users: </p>
+    non-UNIX recipients: </p>
 
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>
     <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = <a href="proxymap.8.html">proxy</a>:unix:passwd.byname, $<a href="postconf.5.html#alias_maps">alias_maps</a>,
-        &lt;the database with non-UNIX accounts&gt;
+        &lt;the database with non-UNIX recipients&gt;
 </pre>
 
     <p> See the section "<a href="#format">Local recipient table
@@ -138,8 +141,8 @@ setting in main.cf</a></h2>
     local delivery agent. </p>
 
     <p> Solution: you must disable the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> feature
-    completely, so that Postfix accepts mail for all local addresses:
-    </p>
+    completely, so that the Postfix SMTP server accepts mail for
+    all local addresses: </p>
 
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>
@@ -148,34 +151,59 @@ setting in main.cf</a></h2>
 
 </ul>
 
-<h2><a name="format">Local recipient table format</a> </h2>
+<h2><a name="format">Local recipient table query format</a> </h2>
 
-<p> If you use local files in <a href="postmap.1.html">postmap(1)</a> format, then
-<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> expects the following table format:  </p>
+<p> If <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies local files, such as files in
+<a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> format, then the Postfix SMTP server
+generates the following queries:  </p>
 
 <ul>
 
-<li> <p> In the left-hand side, specify a bare username, an
-"@domain.tld" wild-card, or specify a complete "user@domain.tld"
-address.  </p>
+<li> <p> The full recipient address. This query supports a non-default
+<a href="postconf.5.html#local_transport">local_transport</a> setting with a delivery agent such as <a href="lmtp.8.html">lmtp(8)</a> or
+virtual(8). See "<a href="#main_config">Configuring local_recipient_maps
+in main.cf</a>: for additional guidance for what lookup tables to
+specify. </p>
 
-<li> <p> You have to specify something on the right-hand side of
-the table, but the value is ignored by <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>.
+<li> <p> The recipient address local-part. This query supports the
+default <a href="postconf.5.html#local_transport">local_transport</a> setting with the UNIX-compatible <a href="local.8.html">local(8)</a>
+delivery agent; the Postfix SMTP server makes this query only when
+the recipient domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
+$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. </p>
+
+<li> <p> The recipient @domain. This query supports a non-default
+<a href="postconf.5.html#local_transport">local_transport</a> setting with a delivery agent such as <a href="virtual.8.html">virtual(8)</a>;
+it is a wildcard for domains that do not have a valid recipient
+list. </p>
 
 </ul>
 
-<p> If you use lookup tables based on NIS, LDAP, MYSQL, or PGSQL,
-then <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> does the same queries as for local files
-in <a href="postmap.1.html">postmap(1)</a> format, and expects the same results.  </p>
+<p> NOTES: </p>
 
-<p> With regular expression tables, Postfix only queries with the
-full recipient address, and not with the bare username or the
-"@domain.tld" wild-card. </p>
+<ul>
 
-<p> NOTE: a lookup table should always return a result when the address
-exists, and should always return "not found" when the address does
-not exist. In particular, a zero-length result does not count as
-a "not found" result. </p>
+<li> <p> A lookup table should return a non-empty result when the
+address exists, and should return "not found" when the address does
+not exist. In particular, a zero-length (empty) result does not
+count as a "not found" result. </p>
+
+<li> <p> When <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a lookup table based
+on <a href="ldap_table.5.html">ldap</a>:, <a href="memcache_table.5.html">memcache</a>:, <a href="mongodb_table.5.html">mongodb</a>:, <a href="mysql_table.5.html">mysql</a>:, <a href="pgsql_table.5.html">pgsql</a>:, <a href="sqlite_table.5.html">sqlite</a>:, or other
+external database, then the Postfix SMTP server queries that lookup
+table with the same queries as described at the start of this
+section, and expects the same results. </p>
+
+<li> <p> To suppress lookups for the <i>local-part</i> and the
+<i>@domain</i> wild-card, specify the <b>domain</b> setting in a
+Postfix <a href="ldap_table.5.html">ldap</a>:, <a href="memcache_table.5.html">memcache</a>:, <a href="mongodb_table.5.html">mongodb</a>:, <a href="mysql_table.5.html">mysql</a>:, <a href="pgsql_table.5.html">pgsql</a>:, <a href="sqlite_table.5.html">sqlite</a>:, etc.,
+database client configuration file. </p>
+
+<li> <p> When <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a lookup table based
+on <a href="pcre_table.5.html">pcre</a>:, <a href="regexp_table.5.html">regexp</a>:, <a href="socketmap_table.html">socketmap</a>: or <a href="tcp_table.5.html">tcp</a>:, Postfix queries that table
+only with the full recipient address, and not with the <i>local-part</i>
+or the <i>@domain</i> wild-card. </p>
+
+</ul>
 
 </body>
 
diff --git a/postfix/html/Makefile.in b/postfix/html/Makefile.in
index 27dcff4e0..af931119e 100644
--- a/postfix/html/Makefile.in
+++ b/postfix/html/Makefile.in
@@ -38,7 +38,8 @@ tidy:	clean
 clobber:
 	rm -f $(DAEMONS) $(COMMANDS) $(CONFIG)
 
-$(DAEMONS) $(COMMANDS) $(CONFIG): ../mantools/man2html
+# The following would add man2html to $? in rules for individual files.
+#$(DAEMONS) $(COMMANDS) $(CONFIG): ../mantools/man2html
 
 index.html: ../proto/index.html
 	cp $? $@
diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index 945bd926d..3170f70ca 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -5,7 +5,7 @@
 <link rel='stylesheet' type='text/css' href='postfix-doc.css'>
 <title> Postfix manual - smtp(8) </title>
 </head> <body> <pre>
-SMTP,(LMTP)                                                        SMTP,(LMTP)
+SMTP(8)                                                                SMTP(8)
 
 <b><a name="name">NAME</a></b>
        smtp, lmtp - Postfix SMTP+LMTP client
@@ -979,7 +979,7 @@ SMTP,(LMTP)                                                        SMTP,(LMTP)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
               Disable DNS lookups in the Postfix SMTP and LMTP clients.
@@ -1153,5 +1153,5 @@ SMTP,(LMTP)                                                        SMTP,(LMTP)
        Victor Duchovni
        Morgan Stanley
 
-                                       8                           SMTP,(LMTP)
+                                                                       SMTP(8)
 </pre> </body> </html>
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index e34646ea3..6672ade3c 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -2143,10 +2143,13 @@ name of the message delivery transport.
 <DT><b><a name="default_delivery_status_filter">default_delivery_status_filter</a>
 (default: empty)</b></DT><DD>
 
-<p> Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries.  This does not allow
+<p> Optional filter in Postfix delivery agents, to replace the
+delivery status code or explanatory text of successful or unsuccessful
+deliveries. This allows the replacement of a temporary error status
+code (4.X.X) with a permanent error status code (5.X.X) or vice
+versa, but does not allow
 the replacement of a successful status code (2.X.X) with an
-unsuccessful status code (4.X.X or 5.X.X) or vice versa.  </p>
+unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
 
 <p> Note: the (smtp|lmtp)_delivery_status_filter is applied only
 once per recipient: when delivery is successful, when delivery is
@@ -2916,18 +2919,21 @@ Example:
 (default: 2)</b></DT><DD>
 
 <p> The maximal number of digits after the decimal point when logging
-sub-second delay values.  Specify a number in the range 0..6.  </p>
+delay values. Specify a number in the range 0..6. </p>
+
+<p> To improve readability, delays are logged with only a limited
+number of significant digits: </p>
 
 <ul>
 
-<li> <p> Delays &ge; 100s are rounded off to an integral number of
-seconds. </p>
+<li> Delays &ge; 100s are rounded off to an integral number of
+seconds.
 
-<li> <p> Delays &lt; 10^-$<a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> are
-rounded off to "0".  </p>
+<li> Delays &lt; 10<sup>-$<a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a></sup> are
+rounded off to "0".
 
-<li> <p> Other delays are rounded off to two significant digits,
-or fewer if the result would exceed the delay_resolution_limit. </p>
+<li> Other delays are rounded off to two significant digits, or
+fewer if the result would exceed the <a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a>.
 
 </ul>
 
@@ -6271,13 +6277,31 @@ match. </dd>
 <DT><b><a name="local_recipient_maps">local_recipient_maps</a>
 (default: <a href="proxymap.8.html">proxy</a>:unix:passwd.byname $<a href="postconf.5.html#alias_maps">alias_maps</a>)</b></DT><DD>
 
-<p> Lookup tables with all names or addresses of local recipients:
-a recipient address is local when its domain matches $<a href="postconf.5.html#mydestination">mydestination</a>,
-$<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.  Specify @domain as a
-wild-card for domains that do not have a valid recipient list.
+<p> Lookup tables with all names or addresses of valid local
+recipients. A recipient address is local when its domain matches
+$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. </p>
+
+<p> If the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter value is non-empty (the
+default), then the Postfix SMTP server queries <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>
+as specified in "<a href="LOCAL_RECIPIENT_README.html#format">Local
+recipient table query format</a>", and rejects mail for unknown
+local recipients. Other Postfix interfaces such as the Postfix
+<a href="sendmail.1.html">sendmail(1)</a> command may still accept an "unknown" recipient.  </p>
+
+<p> The default <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> setting assumes that <a href="postconf.5.html#local_transport">local_transport</a>
+specifies the UNIX-compatible <a href="local.8.html">local(8)</a> delivery agent which queries
+the UNIX passwd database (typically, /etc.passwd) and the local
+aliases database (typically, /etc/aliases). The <a href="proxymap.8.html">proxy</a>: agent allows
+the Postfix SMTP server to access the UNIX passwd database from
+outside a chroot jail. </p>
+
+<p> For other local mail delivery configurations, see  "<a href="LOCAL_RECIPIENT_README.html#change">When you need to
+change the local_recipient_maps setting in main.cf</a>". </p>
+
+<p>
 Technically, tables listed with $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> are used as
-lists: Postfix needs to know only if a lookup string is found or
-not, but it does not use the result from table lookup.  </p>
+lists: The Postfix SMTP server needs to know only if a lookup string
+is found or not, but it does not use the result from table lookup. </p>
 
 <p>
 Specify zero or more "type:name" lookup tables, separated by
@@ -6285,44 +6309,11 @@ whitespace or comma. Tables will be searched in the specified order
 until a match is found.
 </p>
 
-<p>
-If this parameter is non-empty (the default), then the Postfix SMTP
-server will reject mail for unknown local users. Other Postfix
-interfaces may still accept an "unknown" recipient.  </p>
-
 <p>
 To turn off local recipient checking in the Postfix SMTP server,
 specify "<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> =" (i.e. empty).
 </p>
 
-<p>
-The default setting assumes that you use the default Postfix local
-delivery agent for local delivery. You need to update the
-<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> setting if:
-</p>
-
-<ul>
-
-<li>You redefine the local delivery agent in <a href="master.5.html">master.cf</a>.
-
-<li>You redefine the "<a href="postconf.5.html#local_transport">local_transport</a>" setting in <a href="postconf.5.html">main.cf</a>.
-
-<li>You use the "<a href="postconf.5.html#luser_relay">luser_relay</a>", "<a href="postconf.5.html#mailbox_transport">mailbox_transport</a>", or "<a href="postconf.5.html#fallback_transport">fallback_transport</a>"
-feature of the Postfix <a href="local.8.html">local(8)</a> delivery agent.
-
-</ul>
-
-<p>
-Details are described in the <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> file.
-</p>
-
-<p>
-Beware: if the Postfix SMTP server runs chrooted, you need to access
-the passwd file via the <a href="proxymap.8.html">proxymap(8)</a> service, in order to overcome
-chroot access restrictions. The alternative, maintaining a copy of
-the system password file in the chroot jail is not practical.
-</p>
-
 <p>
 Examples:
 </p>
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 945bd926d..3170f70ca 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -5,7 +5,7 @@
 <link rel='stylesheet' type='text/css' href='postfix-doc.css'>
 <title> Postfix manual - smtp(8) </title>
 </head> <body> <pre>
-SMTP,(LMTP)                                                        SMTP,(LMTP)
+SMTP(8)                                                                SMTP(8)
 
 <b><a name="name">NAME</a></b>
        smtp, lmtp - Postfix SMTP+LMTP client
@@ -979,7 +979,7 @@ SMTP,(LMTP)                                                        SMTP,(LMTP)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
               Disable DNS lookups in the Postfix SMTP and LMTP clients.
@@ -1153,5 +1153,5 @@ SMTP,(LMTP)                                                        SMTP,(LMTP)
        Victor Duchovni
        Morgan Stanley
 
-                                       8                           SMTP,(LMTP)
+                                                                       SMTP(8)
 </pre> </body> </html>
diff --git a/postfix/html/spawn.8.html b/postfix/html/spawn.8.html
index de957a46f..99478b12e 100644
--- a/postfix/html/spawn.8.html
+++ b/postfix/html/spawn.8.html
@@ -14,15 +14,21 @@ SPAWN(8)                                                              SPAWN(8)
        <b>spawn</b> [generic Postfix daemon options] command_attributes...
 
 <b><a name="description">DESCRIPTION</a></b>
-       The  <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon provides the Postfix equivalent of <b>inetd</b>.  It lis-
-       tens on a port as specified in the Postfix <a href="master.5.html"><b>master.cf</b></a> file and spawns an
-       external  command whenever a connection is established.  The connection
-       can be made over local  IPC  (such  as  UNIX-domain  sockets)  or  over
-       non-local  IPC  (such  as  TCP sockets).  The command's standard input,
-       output and error streams are connected directly  to  the  communication
-       endpoint.
+       The  <a href="spawn.8.html"><b>spawn</b>(8)</a>  daemon monitors a TCP or UNIX-domain stream socket, con-
+       figured in <a href="master.5.html"><b>master.cf</b></a> with a service type <b>inet</b> or <b>unix</b>.
 
-       This daemon expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
+       This daemon spawns an external command whenever a connection is  estab-
+       lished, with the standard input, output and error file descriptors con-
+       nected to the remote client.
+
+       The command process is subject to the time  limit  specified  with  the
+       parameter   <a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a>  (default:  <a href="postconf.5.html#command_time_limit">command_time_limit</a>)  where
+       <i>transport</i> equals the service name field in <a href="master.5.html">master.cf</a>.  A  process  that
+       exceeds the time limit will receive a SIGKILL signal.
+
+       The  <a href="spawn.8.html"><b>spawn</b>(8)</a>  daemon  service typically has a process limit &gt; 1 in its
+       <a href="master.5.html"><b>master.cf</b></a> service definition, so that the number of processes can scale
+       with demand.
 
 <b><a name="command_attribute_syntax">COMMAND ATTRIBUTE SYNTAX</a></b>
        The  external command attributes are given in the <a href="master.5.html"><b>master.cf</b></a> file at the
@@ -43,23 +49,24 @@ SPAWN(8)                                                              SPAWN(8)
               out interpretation of shell meta characters by a  shell  command
               interpreter.
 
-<b><a name="bugs">BUGS</a></b>
-       In  order  to  enforce standard Postfix process resource controls, each
-       <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon process runs only  one  external  command,  and  blocks
-       until  the  command terminates or a time limit is reached.  As such, it
-       presents a noticeable overhead by wasting precious  process  resources.
-       The  <a href="spawn.8.html"><b>spawn</b>(8)</a>  daemon  is  expected to be replaced by a more structural
-       solution.
+              If  a  command argument must contain whitespace, or if a command
+              argument must begin with "{", enclose the argument with "{"  and
+              "}".  This  form  will ignore whitespace after the outer "{" and
+              before the outer "}". Example:
+
+                  argv=/bin/sh -c { shell syntax here }
 
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
        The <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon reports abnormal child exits.  Problems are  logged
        to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
 
 <b><a name="security">SECURITY</a></b>
-       This program needs root privilege in order to execute external commands
-       as the specified user. It is therefore security sensitive.  However the
-       <a href="spawn.8.html"><b>spawn</b>(8)</a>  daemon  does not talk to the external command and thus is not
-       vulnerable to data-driven attacks.
+       The  <a href="spawn.8.html"><b>spawn</b>(8)</a>  daemon needs root privilege in order to execute external
+       commands as the specified user. It is therefore security sensitive.
+
+       However, the <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon does not receive data from or  about  ser-
+       vice  clients  or  external  commands,  and  thus  is not vulnerable to
+       data-driven attacks.
 
 <b><a name="configuration_parameters">CONFIGURATION PARAMETERS</a></b>
        Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically  as  <a href="spawn.8.html"><b>spawn</b>(8)</a>  processes
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index cb314735f..a4463da00 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -1302,8 +1302,11 @@ Use \fItransport\fR_delivery_slot_loan to specify a
 transport\-specific override, where \fItransport\fR is the master.cf
 name of the message delivery transport.
 .SH default_delivery_status_filter (default: empty)
-Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries.  This does not allow
+Optional filter in Postfix delivery agents, to replace the
+delivery status code or explanatory text of successful or unsuccessful
+deliveries. This allows the replacement of a temporary error status
+code (4.X.X) with a permanent error status code (5.X.X) or vice
+versa, but does not allow
 the replacement of a successful status code (2.X.X) with an
 unsuccessful status code (4.X.X or 5.X.X) or vice versa.
 .PP
@@ -1843,7 +1846,10 @@ defer_transports = smtp
 .ad
 .SH delay_logging_resolution_limit (default: 2)
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.  Specify a number in the range 0..6.
+delay values. Specify a number in the range 0..6.
+.PP
+To improve readability, delays are logged with only a limited
+number of significant digits:
 .IP \(bu
 Delays >= 100s are rounded off to an integral number of
 seconds.
@@ -1851,8 +1857,8 @@ seconds.
 Delays < 10^\-$delay_logging_resolution_limit are
 rounded off to "0".
 .IP \(bu
-Other delays are rounded off to two significant digits,
-or fewer if the result would exceed the delay_resolution_limit.
+Other delays are rounded off to two significant digits, or
+fewer if the result would exceed the delay_logging_resolution_limit.
 .br
 .PP
 The format of the "delays=a/b/c/d" logging is as follows:
@@ -3798,44 +3804,38 @@ Examples:
 .PP
 This feature is available in Postfix 3.6 and later.
 .SH local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)
-Lookup tables with all names or addresses of local recipients:
-a recipient address is local when its domain matches $mydestination,
-$inet_interfaces or $proxy_interfaces.  Specify @domain as a
-wild\-card for domains that do not have a valid recipient list.
+Lookup tables with all names or addresses of valid local
+recipients. A recipient address is local when its domain matches
+$mydestination, $inet_interfaces or $proxy_interfaces.
+.PP
+If the local_recipient_maps parameter value is non\-empty (the
+default), then the Postfix SMTP server queries local_recipient_maps
+as specified in "Local
+recipient table query format", and rejects mail for unknown
+local recipients. Other Postfix interfaces such as the Postfix
+\fBsendmail\fR(1) command may still accept an "unknown" recipient.
+.PP
+The default local_recipient_maps setting assumes that local_transport
+specifies the UNIX\-compatible \fBlocal\fR(8) delivery agent which queries
+the UNIX passwd database (typically, /etc.passwd) and the local
+aliases database (typically, /etc/aliases). The proxy: agent allows
+the Postfix SMTP server to access the UNIX passwd database from
+outside a chroot jail.
+.PP
+For other local mail delivery configurations, see  "When you need to
+change the local_recipient_maps setting in main.cf".
+.PP
 Technically, tables listed with $local_recipient_maps are used as
-lists: Postfix needs to know only if a lookup string is found or
-not, but it does not use the result from table lookup.
+lists: The Postfix SMTP server needs to know only if a lookup string
+is found or not, but it does not use the result from table lookup.
 .PP
 Specify zero or more "type:name" lookup tables, separated by
 whitespace or comma. Tables will be searched in the specified order
 until a match is found.
 .PP
-If this parameter is non\-empty (the default), then the Postfix SMTP
-server will reject mail for unknown local users. Other Postfix
-interfaces may still accept an "unknown" recipient.
-.PP
 To turn off local recipient checking in the Postfix SMTP server,
 specify "local_recipient_maps =" (i.e. empty).
 .PP
-The default setting assumes that you use the default Postfix local
-delivery agent for local delivery. You need to update the
-local_recipient_maps setting if:
-.IP \(bu
-You redefine the local delivery agent in master.cf.
-.IP \(bu
-You redefine the "local_transport" setting in main.cf.
-.IP \(bu
-You use the "luser_relay", "mailbox_transport", or "fallback_transport"
-feature of the Postfix \fBlocal\fR(8) delivery agent.
-.br
-.PP
-Details are described in the LOCAL_RECIPIENT_README file.
-.PP
-Beware: if the Postfix SMTP server runs chrooted, you need to access
-the passwd file via the \fBproxymap\fR(8) service, in order to overcome
-chroot access restrictions. The alternative, maintaining a copy of
-the system password file in the chroot jail is not practical.
-.PP
 Examples:
 .PP
 .nf
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index 966f51f4f..aa2298dfc 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -1,4 +1,4 @@
-.TH SMTP, LMTP 8 
+.TH SMTP 8 
 .ad
 .fi
 .SH NAME
@@ -874,7 +874,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBdisable_dns_lookups (no)\fR"
 Disable DNS lookups in the Postfix SMTP and LMTP clients.
 .IP "\fBinet_interfaces (all)\fR"
diff --git a/postfix/man/man8/spawn.8 b/postfix/man/man8/spawn.8
index 65ced92ac..cdc8229d3 100644
--- a/postfix/man/man8/spawn.8
+++ b/postfix/man/man8/spawn.8
@@ -12,17 +12,23 @@ Postfix external command spawner
 .SH DESCRIPTION
 .ad
 .fi
-The \fBspawn\fR(8) daemon provides the Postfix equivalent
-of \fBinetd\fR.
-It listens on a port as specified in the Postfix \fBmaster.cf\fR file
-and spawns an external command whenever a connection is established.
-The connection can be made over local IPC (such as UNIX\-domain
-sockets) or over non\-local IPC (such as TCP sockets).
-The command's standard input, output and error streams are connected
-directly to the communication endpoint.
+The \fBspawn\fR(8) daemon monitors a TCP or UNIX\-domain stream
+socket, configured in \fBmaster.cf\fR with a service type
+\fBinet\fR or \fBunix\fR.
 
-This daemon expects to be run from the \fBmaster\fR(8) process
-manager.
+This daemon spawns an external command whenever a connection
+is established, with the standard input, output and error file
+descriptors connected to the remote client.
+
+The command process is subject to the time limit specified
+with the parameter \fItransport\fR_time_limit (default:
+command_time_limit) where \fItransport\fR equals the service
+name field in master.cf. A process that exceeds the time limit
+will receive a SIGKILL signal.
+
+The \fBspawn\fR(8) daemon service typically has a process limit >
+1 in its \fBmaster.cf\fR service definition, so that the number
+of processes can scale with demand.
 .SH "COMMAND ATTRIBUTE SYNTAX"
 .na
 .nf
@@ -43,16 +49,14 @@ The command to be executed. This must be specified as the
 last command attribute.
 The command is executed directly, i.e. without interpretation of
 shell meta characters by a shell command interpreter.
-.SH BUGS
-.ad
+.sp
+If a command argument must contain whitespace, or if a command
+argument must begin with "{", enclose the argument with "{" and
+"}". This form will ignore whitespace after the outer "{" and
+before the outer "}". Example:
+.sp
 .fi
-In order to enforce standard Postfix process resource controls,
-each \fBspawn\fR(8) daemon process runs only one external
-command, and blocks until the command terminates or a time
-limit is reached.
-As such, it presents a noticeable overhead by wasting precious
-process resources. The \fBspawn\fR(8) daemon is expected to be
-replaced by a more structural solution.
+    argv=/bin/sh \-c { shell syntax here }
 .SH DIAGNOSTICS
 .ad
 .fi
@@ -63,10 +67,13 @@ Problems are logged to \fBsyslogd\fR(8) or \fBpostlogd\fR(8).
 .nf
 .fi
 .ad
-This program needs root privilege in order to execute external
-commands as the specified user. It is therefore security sensitive.
-However the \fBspawn\fR(8) daemon does not talk to the external command
-and thus is not vulnerable to data\-driven attacks.
+The \fBspawn\fR(8) daemon needs root privilege in order to
+execute external commands as the specified user. It is therefore
+security sensitive.
+
+However, the \fBspawn\fR(8) daemon does not receive data from
+or about service clients or external commands, and thus is not
+vulnerable to data\-driven attacks.
 .SH "CONFIGURATION PARAMETERS"
 .na
 .nf
diff --git a/postfix/mantools/dehtml b/postfix/mantools/dehtml
index 9a3be6f3f..9289a88ea 100755
--- a/postfix/mantools/dehtml
+++ b/postfix/mantools/dehtml
@@ -3,7 +3,7 @@
 for i
 do
     case $i in
-    /*) lynx -width=256 -dump file://localhost$i;;
-     *) lynx -width=256 -dump file://localhost`pwd`/$i;;
+    /*) lynx -width=256 -dump file://$i;;
+     *) lynx -width=256 -dump file://`pwd`/$i;;
     esac
-done | grep -v 'file://localhost/'
+done | grep -v 'file:///'
diff --git a/postfix/mantools/fixman b/postfix/mantools/fixman
index 6c2c6ea91..2e3939aca 100755
--- a/postfix/mantools/fixman
+++ b/postfix/mantools/fixman
@@ -93,6 +93,8 @@ sub emit_text
 	$block =~ s/&ge;/>=/g;
 	$block =~ s/&lt;/</g;
 	$block =~ s/&gt;/>/g;
+	$block =~ s/<sup>/^/g;
+	$block =~ s;</sup>;;g;
 
 	# Peep-hole optimizer.
 	$block =~ s/^\s+//g;
diff --git a/postfix/mantools/postconf2man b/postfix/mantools/postconf2man
index c3e7f8113..83a0beeee 100755
--- a/postfix/mantools/postconf2man
+++ b/postfix/mantools/postconf2man
@@ -86,6 +86,8 @@ while(<>) {
     $block =~ s/&amp;/\&/g;
     $block =~ s/&ndash;/-/g;
     $block =~ s/&mdash;/-/g;
+    $block =~ s/<sup>/^/g;
+    $block =~ s;</sup>;;g;
     $block =~ s/\s+\n/\n/g;
     $block =~ s/^\n//g;
     $block =~ s/\s*<\s*nroffescape\s+([^ >]+)\s*>\s*/\n\1\n/g;
diff --git a/postfix/mantools/srctoman b/postfix/mantools/srctoman
index 9102201c6..e48f379cd 100755
--- a/postfix/mantools/srctoman
+++ b/postfix/mantools/srctoman
@@ -63,7 +63,9 @@ do
 	/^NAME[ 	]*$/{
 	    N
 	    s/^.*\n'"$B"'[ 	]*//
+	    s/[ 	]*$//
 	    h
+	    s/,.*\( [0-9][^ ]*\)$/\1/
 	    y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/
 	    s/^.*$/.TH & '"$SECT"'\
 .ad\
diff --git a/postfix/proto/LOCAL_RECIPIENT_README.html b/postfix/proto/LOCAL_RECIPIENT_README.html
index 991c340cc..b666bc312 100644
--- a/postfix/proto/LOCAL_RECIPIENT_README.html
+++ b/postfix/proto/LOCAL_RECIPIENT_README.html
@@ -45,7 +45,7 @@ in main.cf</a>
 <li><a href="#change">When you need to change the local_recipient_maps
 setting in main.cf</a>
 
-<li><a href="#format">Local recipient table format </a>
+<li><a href="#format">Local recipient table query format </a>
 
 </ul>
 
@@ -58,11 +58,13 @@ local when its domain matches $mydestination, $inet_interfaces or
 $proxy_interfaces. If a local username or address is not listed in
 $local_recipient_maps, then the Postfix SMTP server will reject
 the address with "User unknown in local recipient table". Other
-Postfix interfaces may still accept an "unknown" recipient.  </p>
+interfaces such as the Postfix sendmail(1) command may still accept
+an "unknown" recipient.  </p>
 
 <p> The default setting, shown below, assumes that you use the
 default Postfix local(8) delivery agent for local delivery, where
-recipients are either UNIX accounts or local aliases: </p>
+recipients are either UNIX accounts (typically, in /etc/passwd) or
+local aliases (typically, in /etc/aliases): </p>
 
 <blockquote>
 <pre>
@@ -112,22 +114,23 @@ setting in main.cf</a></h2>
     local_recipient_maps = $virtual_mailbox_maps
 </pre>
 
-    <p> If you use a different delivery agent for $mydestination
+    <p> If you don't use the local(8) or virtual(8) delivery agent
+    for $mydestination
     etc. domains, see the section "<a href="#format">Local recipient
     table format</a>" below for a description of how the table
     should be populated.  </p>
 
     <li> <p> Problem: you use the mailbox_transport or fallback_transport
     feature of the Postfix local(8) delivery agent in order to
-    deliver mail to non-UNIX accounts. </p>
+    deliver mail to non-UNIX recipients. </p>
 
     <p> Solution: you need to add the database that lists the
-    non-UNIX users: </p>
+    non-UNIX recipients: </p>
 
 <pre>
 /etc/postfix/main.cf
     local_recipient_maps = proxy:unix:passwd.byname, $alias_maps,
-        &lt;the database with non-UNIX accounts&gt;
+        &lt;the database with non-UNIX recipients&gt;
 </pre>
 
     <p> See the section "<a href="#format">Local recipient table
@@ -138,8 +141,8 @@ setting in main.cf</a></h2>
     local delivery agent. </p>
 
     <p> Solution: you must disable the local_recipient_maps feature
-    completely, so that Postfix accepts mail for all local addresses:
-    </p>
+    completely, so that the Postfix SMTP server accepts mail for
+    all local addresses: </p>
 
 <pre>
 /etc/postfix/main.cf
@@ -148,34 +151,59 @@ setting in main.cf</a></h2>
 
 </ul>
 
-<h2><a name="format">Local recipient table format</a> </h2>
+<h2><a name="format">Local recipient table query format</a> </h2>
 
-<p> If you use local files in postmap(1) format, then
-local_recipient_maps expects the following table format:  </p>
+<p> If local_recipient_maps specifies local files, such as files in
+postmap(1) or postalias(1) format, then the Postfix SMTP server
+generates the following queries:  </p>
 
 <ul>
 
-<li> <p> In the left-hand side, specify a bare username, an
-"@domain.tld" wild-card, or specify a complete "user@domain.tld"
-address.  </p>
+<li> <p> The full recipient address. This query supports a non-default
+local_transport setting with a delivery agent such as lmtp(8) or
+virtual(8). See "<a href="#main_config">Configuring local_recipient_maps
+in main.cf</a>: for additional guidance for what lookup tables to
+specify. </p>
 
-<li> <p> You have to specify something on the right-hand side of
-the table, but the value is ignored by local_recipient_maps.
+<li> <p> The recipient address local-part. This query supports the
+default local_transport setting with the UNIX-compatible local(8)
+delivery agent; the Postfix SMTP server makes this query only when
+the recipient domain matches $mydestination, $inet_interfaces or
+$proxy_interfaces. </p>
+
+<li> <p> The recipient @domain. This query supports a non-default
+local_transport setting with a delivery agent such as virtual(8);
+it is a wildcard for domains that do not have a valid recipient
+list. </p>
 
 </ul>
 
-<p> If you use lookup tables based on NIS, LDAP, MYSQL, or PGSQL,
-then local_recipient_maps does the same queries as for local files
-in postmap(1) format, and expects the same results.  </p>
+<p> NOTES: </p>
 
-<p> With regular expression tables, Postfix only queries with the
-full recipient address, and not with the bare username or the
-"@domain.tld" wild-card. </p>
+<ul>
 
-<p> NOTE: a lookup table should always return a result when the address
-exists, and should always return "not found" when the address does
-not exist. In particular, a zero-length result does not count as
-a "not found" result. </p>
+<li> <p> A lookup table should return a non-empty result when the
+address exists, and should return "not found" when the address does
+not exist. In particular, a zero-length (empty) result does not
+count as a "not found" result. </p>
+
+<li> <p> When local_recipient_maps specifies a lookup table based
+on ldap:, memcache:, mongodb:, mysql:, pgsql:, sqlite:, or other
+external database, then the Postfix SMTP server queries that lookup
+table with the same queries as described at the start of this
+section, and expects the same results. </p>
+
+<li> <p> To suppress lookups for the <i>local-part</i> and the
+<i>@domain</i> wild-card, specify the <b>domain</b> setting in a
+Postfix ldap:, memcache:, mongodb:, mysql:, pgsql:, sqlite:, etc.,
+database client configuration file. </p>
+
+<li> <p> When local_recipient_maps specifies a lookup table based
+on pcre:, regexp:, socketmap: or tcp:, Postfix queries that table
+only with the full recipient address, and not with the <i>local-part</i>
+or the <i>@domain</i> wild-card. </p>
+
+</ul>
 
 </body>
 
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 7bb61c6f6..7b26017b0 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -2462,13 +2462,32 @@ into concurrency per domain.  </p>
 
 %PARAM local_recipient_maps proxy:unix:passwd.byname $alias_maps
 
-<p> Lookup tables with all names or addresses of local recipients:
-a recipient address is local when its domain matches $mydestination,
-$inet_interfaces or $proxy_interfaces.  Specify @domain as a
-wild-card for domains that do not have a valid recipient list.
+<p> Lookup tables with all names or addresses of valid local
+recipients. A recipient address is local when its domain matches
+$mydestination, $inet_interfaces or $proxy_interfaces. </p>
+
+<p> If the local_recipient_maps parameter value is non-empty (the
+default), then the Postfix SMTP server queries local_recipient_maps
+as specified in "<a href="LOCAL_RECIPIENT_README.html#format">Local
+recipient table query format</a>", and rejects mail for unknown
+local recipients. Other Postfix interfaces such as the Postfix
+sendmail(1) command may still accept an "unknown" recipient.  </p>
+
+<p> The default local_recipient_maps setting assumes that local_transport
+specifies the UNIX-compatible local(8) delivery agent which queries
+the UNIX passwd database (typically, /etc.passwd) and the local
+aliases database (typically, /etc/aliases). The proxy: agent allows
+the Postfix SMTP server to access the UNIX passwd database from
+outside a chroot jail. </p>
+
+<p> For other local mail delivery configurations, see <!-- filler
+--> "<a href="LOCAL_RECIPIENT_README.html#change">When you need to
+change the local_recipient_maps setting in main.cf</a>". </p>
+
+<p>
 Technically, tables listed with $local_recipient_maps are used as
-lists: Postfix needs to know only if a lookup string is found or
-not, but it does not use the result from table lookup.  </p>
+lists: The Postfix SMTP server needs to know only if a lookup string
+is found or not, but it does not use the result from table lookup. </p>
 
 <p>
 Specify zero or more "type:name" lookup tables, separated by
@@ -2476,44 +2495,11 @@ whitespace or comma. Tables will be searched in the specified order
 until a match is found.
 </p>
 
-<p>
-If this parameter is non-empty (the default), then the Postfix SMTP
-server will reject mail for unknown local users. Other Postfix
-interfaces may still accept an "unknown" recipient.  </p>
-
 <p>
 To turn off local recipient checking in the Postfix SMTP server,
 specify "local_recipient_maps =" (i.e. empty).
 </p>
 
-<p>
-The default setting assumes that you use the default Postfix local
-delivery agent for local delivery. You need to update the
-local_recipient_maps setting if:
-</p>
-
-<ul>
-
-<li>You redefine the local delivery agent in master.cf.
-
-<li>You redefine the "local_transport" setting in main.cf.
-
-<li>You use the "luser_relay", "mailbox_transport", or "fallback_transport"
-feature of the Postfix local(8) delivery agent.
-
-</ul>
-
-<p>
-Details are described in the LOCAL_RECIPIENT_README file.
-</p>
-
-<p>
-Beware: if the Postfix SMTP server runs chrooted, you need to access
-the passwd file via the proxymap(8) service, in order to overcome
-chroot access restrictions. The alternative, maintaining a copy of
-the system password file in the chroot jail is not practical.
-</p>
-
 <p>
 Examples:
 </p>
@@ -10862,18 +10848,21 @@ DNS lookup and increases the maximal inbound delivery rate. </p>
 %PARAM delay_logging_resolution_limit 2
 
 <p> The maximal number of digits after the decimal point when logging
-sub-second delay values.  Specify a number in the range 0..6.  </p>
+delay values. Specify a number in the range 0..6. </p>
+
+<p> To improve readability, delays are logged with only a limited
+number of significant digits: </p>
 
 <ul>
 
-<li> <p> Delays &ge; 100s are rounded off to an integral number of
-seconds. </p>
+<li> Delays &ge; 100s are rounded off to an integral number of
+seconds.
 
-<li> <p> Delays &lt; 10^-$delay_logging_resolution_limit are
-rounded off to "0".  </p>
+<li> Delays &lt; 10<sup>-$delay_logging_resolution_limit</sup> are
+rounded off to "0".
 
-<li> <p> Other delays are rounded off to two significant digits,
-or fewer if the result would exceed the delay_resolution_limit. </p>
+<li> Other delays are rounded off to two significant digits, or
+fewer if the result would exceed the delay_logging_resolution_limit.
 
 </ul>
 
@@ -17055,10 +17044,13 @@ later. </p>
 
 %PARAM default_delivery_status_filter
 
-<p> Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries.  This does not allow
+<p> Optional filter in Postfix delivery agents, to replace the
+delivery status code or explanatory text of successful or unsuccessful
+deliveries. This allows the replacement of a temporary error status
+code (4.X.X) with a permanent error status code (5.X.X) or vice
+versa, but does not allow
 the replacement of a successful status code (2.X.X) with an
-unsuccessful status code (4.X.X or 5.X.X) or vice versa.  </p>
+unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
 
 <p> Note: the (smtp|lmtp)_delivery_status_filter is applied only
 once per recipient: when delivery is successful, when delivery is
diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history
index 422982039..f0ef0c55b 100644
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@@ -145,3 +145,4 @@ proto  proto socketmap_table qmqpd qmqpd c tls tls_misc c
  proto socketmap_table qmqpd qmqpd c tls tls_misc c 
  a dependency for html html File html Makefile in 
  master dgram_server c master mail_server h postlogd postlogd c 
+ reload etc File spawn spawn c 
diff --git a/postfix/proto/stop.spell-history b/postfix/proto/stop.spell-history
index 8414697fa..e7fa73e8f 100644
--- a/postfix/proto/stop.spell-history
+++ b/postfix/proto/stop.spell-history
@@ -90,3 +90,8 @@ dereferenced
 MEMCACHE
 sed
 Wayback
+fixman
+mandoc
+v'expr
+roff
+diffs
diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c
index 0ff602c5d..1530eeb25 100644
--- a/postfix/src/cleanup/cleanup_message.c
+++ b/postfix/src/cleanup/cleanup_message.c
@@ -729,8 +729,9 @@ static void cleanup_header_done_callback(void *context)
 	    vstring_sprintf(state->temp1, "%s.%s@%s",
 			    time_stamp, state->queue_id, var_myhostname);
 	}
-	cleanup_out_format(state, REC_TYPE_NORM, "%sMessage-Id: <%s>",
-			   state->resent, vstring_str(state->temp1));
+	vstring_sprintf(state->temp2, "%sMessage-Id: <%s>",
+			state->resent, vstring_str(state->temp1));
+	cleanup_out_header(state, state->temp2);
 	msg_info("%s: %smessage-id=<%s>",
 		 state->queue_id, *state->resent ? "resent-" : "",
 		 vstring_str(state->temp1));
@@ -751,8 +752,9 @@ static void cleanup_header_done_callback(void *context)
     if ((state->hdr_rewrite_context || var_always_add_hdrs)
 	&& (state->headers_seen & (1 << (state->resent[0] ?
 				       HDR_RESENT_DATE : HDR_DATE))) == 0) {
-	cleanup_out_format(state, REC_TYPE_NORM, "%sDate: %s",
+	vstring_sprintf(state->temp2, "%sDate: %s",
 		      state->resent, mail_date(state->arrival_time.tv_sec));
+	cleanup_out_header(state, state->temp2);
     }
 
     /*
@@ -815,7 +817,7 @@ static void cleanup_header_done_callback(void *context)
 	    vstring_sprintf(state->temp2, "%sFrom: %s",
 			    state->resent, vstring_str(state->temp1));
 	}
-	CLEANUP_OUT_BUF(state, REC_TYPE_NORM, state->temp2);
+	cleanup_out_header(state, state->temp2);
     }
 
     /*
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 9cb1f0934..dcb9c7192 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20241122"
+#define MAIL_RELEASE_DATE	"20241202"
 #define MAIL_VERSION_NUMBER	"3.10"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index b06535979..b1db77063 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -830,7 +830,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBdisable_dns_lookups (no)\fR"
 /*	Disable DNS lookups in the Postfix SMTP and LMTP clients.
 /* .IP "\fBinet_interfaces (all)\fR"
diff --git a/postfix/src/spawn/spawn.c b/postfix/src/spawn/spawn.c
index 445329f1e..ec6d1a1b8 100644
--- a/postfix/src/spawn/spawn.c
+++ b/postfix/src/spawn/spawn.c
@@ -6,17 +6,23 @@
 /* SYNOPSIS
 /*	\fBspawn\fR [generic Postfix daemon options] command_attributes...
 /* DESCRIPTION
-/*	The \fBspawn\fR(8) daemon provides the Postfix equivalent
-/*	of \fBinetd\fR.
-/*	It listens on a port as specified in the Postfix \fBmaster.cf\fR file
-/*	and spawns an external command whenever a connection is established.
-/*	The connection can be made over local IPC (such as UNIX-domain
-/*	sockets) or over non-local IPC (such as TCP sockets).
-/*	The command's standard input, output and error streams are connected
-/*	directly to the communication endpoint.
+/*	The \fBspawn\fR(8) daemon monitors a TCP or UNIX-domain stream
+/*	socket, configured in \fBmaster.cf\fR with a service type
+/*	\fBinet\fR or \fBunix\fR.
 /*
-/*	This daemon expects to be run from the \fBmaster\fR(8) process
-/*	manager.
+/*	This daemon spawns an external command whenever a connection
+/*	is established, with the standard input, output and error file
+/*	descriptors connected to the remote client.
+/*
+/*	The command process is subject to the time limit specified
+/*	with the parameter \fItransport\fR_time_limit (default:
+/*	command_time_limit) where \fItransport\fR equals the service
+/*	name field in master.cf. A process that exceeds the time limit
+/*	will receive a SIGKILL signal.
+/*
+/*	The \fBspawn\fR(8) daemon service typically has a process limit >
+/*	1 in its \fBmaster.cf\fR service definition, so that the number
+/*	of processes can scale with demand.
 /* COMMAND ATTRIBUTE SYNTAX
 /* .ad
 /* .fi
@@ -35,24 +41,27 @@
 /*	last command attribute.
 /*	The command is executed directly, i.e. without interpretation of
 /*	shell meta characters by a shell command interpreter.
-/* BUGS
-/*	In order to enforce standard Postfix process resource controls,
-/*	each \fBspawn\fR(8) daemon process runs only one external
-/*	command, and blocks until the command terminates or a time
-/*	limit is reached.
-/*	As such, it presents a noticeable overhead by wasting precious
-/*	process resources. The \fBspawn\fR(8) daemon is expected to be
-/*	replaced by a more structural solution.
+/* .sp
+/*	If a command argument must contain whitespace, or if a command
+/*	argument must begin with "{", enclose the argument with "{" and
+/*	"}". This form will ignore whitespace after the outer "{" and
+/*	before the outer "}". Example:
+/* .sp
+/* .fi
+/*	    argv=/bin/sh -c { shell syntax here }
 /* DIAGNOSTICS
 /*	The \fBspawn\fR(8) daemon reports abnormal child exits.
 /*	Problems are logged to \fBsyslogd\fR(8) or \fBpostlogd\fR(8).
 /* SECURITY
 /* .fi
 /* .ad
-/*	This program needs root privilege in order to execute external
-/*	commands as the specified user. It is therefore security sensitive.
-/*	However the \fBspawn\fR(8) daemon does not talk to the external command
-/*	and thus is not vulnerable to data-driven attacks.
+/*	The \fBspawn\fR(8) daemon needs root privilege in order to
+/*	execute external commands as the specified user. It is therefore
+/*	security sensitive.
+/*
+/*	However, the \fBspawn\fR(8) daemon does not receive data from
+/*	or about service clients or external commands, and thus is not
+/*	vulnerable to data-driven attacks.
 /* CONFIGURATION PARAMETERS
 /* .ad
 /* .fi
diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in
index 77781bc0a..e7566a726 100644
--- a/postfix/src/util/Makefile.in
+++ b/postfix/src/util/Makefile.in
@@ -2717,6 +2717,7 @@ spawn_command.o: check_arg.h
 spawn_command.o: clean_env.h
 spawn_command.o: exec_command.h
 spawn_command.o: msg.h
+spawn_command.o: set_eugid.h
 spawn_command.o: set_ugid.h
 spawn_command.o: spawn_command.c
 spawn_command.o: spawn_command.h
diff --git a/postfix/src/util/spawn_command.c b/postfix/src/util/spawn_command.c
index 739e0125b..90fb223a0 100644
--- a/postfix/src/util/spawn_command.c
+++ b/postfix/src/util/spawn_command.c
@@ -94,6 +94,7 @@
 #include <msg.h>
 #include <timed_wait.h>
 #include <set_ugid.h>
+#include <set_eugid.h>
 #include <argv.h>
 #include <spawn_command.h>
 #include <exec_command.h>
@@ -245,7 +246,8 @@ WAIT_STATUS_T spawn_command(int key,...)
     case 0:
 	if (args.uid != (uid_t) - 1 || args.gid != (gid_t) - 1)
 	    set_ugid(args.uid, args.gid);
-	setsid();
+	if (setsid() < 0)
+	    msg_warn("child: setsid: %m");
 
 	/*
 	 * Pipe plumbing.
@@ -301,9 +303,15 @@ WAIT_STATUS_T spawn_command(int key,...)
 	 */
 	if ((err = timed_waitpid(pid, &wait_status, 0, args.time_limit)) < 0
 	    && errno == ETIMEDOUT) {
+	    uid_t   saved_euid = geteuid();
+	    gid_t   saved_egid = getegid();
+
 	    msg_warn("%s: process id %lu: command time limit exceeded",
 		     args.command, (unsigned long) pid);
-	    kill(-pid, SIGKILL);
+	    set_eugid(args.uid, args.gid);
+	    if (kill(-pid, SIGKILL) < 0)
+		msg_warn("parent: kill: %m");
+	    set_eugid(saved_euid, saved_egid);
 	    err = waitpid(pid, &wait_status, 0);
 	}
 	if (err < 0)