diff --git a/postfix/HISTORY b/postfix/HISTORY
index 64c2bef1e..ba0653d27 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -12622,8 +12622,23 @@ Apologies for any names omitted.
 	Bugfix: don't panic in smtp_rcpt_cleanup() after detecting
 	a damaged queue file record. File: smtp/smtp_proto.c.
 
+20060726
+
+	Bugfix: the 20051013 change to enforce the message size
+	limit in the SMTP server didn't work for size limits close
+	enough to INT_MAX. File: smtpd/smtpd.c.
+
+	Bugfix: after an SMTP client was rejected with "smtpd_delay_reject
+	= no", the SMTP server would panic as it generated spurious
+	Milter requests for unrecognized commands.  File: smtpd/smtpd.c.
+
 Wish list:
 
+	The type of var_message_limit should be changed from int
+	to long or better, to take advantage of LP64 architectures.
+	This also requires checking all expressions in which
+	var_message_limit appears.
+
 	Add M flag (enable multi-recipient delivery) to pipe daemon.
 
 	The usage of TLScontext->cache_type is unclear. It specifies
diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c
index 5cab391d7..e4acad297 100644
--- a/postfix/src/cleanup/cleanup_milter.c
+++ b/postfix/src/cleanup/cleanup_milter.c
@@ -1624,6 +1624,8 @@ static void usage(void)
     msg_warn("    del_rcpt addr");
 }
 
+/* flatten_args unparse partial command line */
+
 static void flatten_args(VSTRING *buf, char **argv)
 {
     char  **cpp;
@@ -1637,6 +1639,8 @@ static void flatten_args(VSTRING *buf, char **argv)
     VSTRING_TERMINATE(buf);
 }
 
+/* open_queue_file - open an unedited queue file (all-zero dummy PTRs) */
+
 static void open_queue_file(CLEANUP_STATE *state, const char *path)
 {
     VSTRING *buf = vstring_alloc(100);
@@ -1647,6 +1651,13 @@ static void open_queue_file(CLEANUP_STATE *state, const char *path)
     long    rcpt_count;
     long    qmgr_opts;
 
+    if (state->dst != 0) {
+	msg_warn("closing %s", cleanup_path);
+	vstream_fclose(state->dst);
+	state->dst = 0;
+	myfree(cleanup_path);
+	cleanup_path = 0;
+    }
     if ((state->dst = vstream_fopen(path, O_RDWR, 0)) == 0) {
 	msg_warn("open %s: %m", path);
     } else {
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 082a4a126..3e63728cc 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1396,10 +1396,6 @@ extern bool var_smtp_sasl_enable;
 #define DEF_SMTP_SASL_PASSWD	""
 extern char *var_smtp_sasl_passwd;
 
-#define VAR_SMTP_SASL_ENFORCE	"smtp_sasl_auth_enforce"
-#define DEF_SMTP_SASL_ENFORCE	1
-extern bool var_smtp_sasl_enforce;
-
 #define VAR_SMTP_SASL_OPTS	"smtp_sasl_security_options"
 #define DEF_SMTP_SASL_OPTS	"noplaintext, noanonymous"
 extern char *var_smtp_sasl_opts;
@@ -1495,9 +1491,6 @@ extern bool var_lmtp_sasl_enable;
 #define DEF_LMTP_SASL_PASSWD	""
 extern char *var_lmtp_sasl_passwd;
 
-#define VAR_LMTP_SASL_ENFORCE	"lmtp_sasl_auth_enforce"
-#define DEF_LMTP_SASL_ENFORCE	1
-
 #define VAR_LMTP_SASL_OPTS	"lmtp_sasl_security_options"
 #define DEF_LMTP_SASL_OPTS	"noplaintext, noanonymous"
 extern char *var_lmtp_sasl_opts;
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 033693439..90cc673b6 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20060725"
+#define MAIL_RELEASE_DATE	"20060726"
 #define MAIL_VERSION_NUMBER	"2.4"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 00098b56e..8dcc789b4 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -2643,11 +2643,13 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 	    && (state->proxy == 0 ? (++start, --len) == 0 : len == 1))
 	    break;
 	if (state->err == CLEANUP_STAT_OK) {
-	    state->act_size += len + 2;
-	    if (var_message_limit > 0 && state->act_size > var_message_limit)
+	    if (var_message_limit > 0 && var_message_limit - state->act_size < len + 2)
 		state->err = CLEANUP_STAT_SIZE;
-	    else if (out_record(out_stream, curr_rec_type, start, len) < 0)
-		state->err = out_error;
+	    else {
+		state->act_size += len + 2;
+		if (out_record(out_stream, curr_rec_type, start, len) < 0)
+		    state->err = out_error;
+	    }
 	}
     }
     state->where = SMTPD_AFTER_DOT;
@@ -3964,6 +3966,16 @@ static void smtpd_proto(SMTPD_STATE *state)
 		    smtpd_chat_reply(state, "221 2.7.0 Error: I can break rules, too. Goodbye.");
 		    break;
 		}
+	    }
+	    /* XXX We use the real client for connect access control. */
+	    if (state->access_denied && cmdp->action != quit_cmd) {
+		smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
+				 state->namaddr);	/* RFC 2821 Sec 3.1 */
+		state->error_count++;
+		continue;
+	    }
+	    /* state->access_denied == 0 || cmdp->action == quit_cmd */
+	    if (cmdp->name == 0) {
 		if (smtpd_milters != 0
 		    && SMTPD_STAND_ALONE(state) == 0
 		    && (err = milter_unknown_event(smtpd_milters,
@@ -3976,13 +3988,6 @@ static void smtpd_proto(SMTPD_STATE *state)
 		state->error_count++;
 		continue;
 	    }
-	    /* XXX We use the real client for connect access control. */
-	    if (state->access_denied && cmdp->action != quit_cmd) {
-		smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
-				 state->namaddr);	/* RFC 2821 Sec 3.1 */
-		state->error_count++;
-		continue;
-	    }
 #ifdef USE_TLS
 	    if (state->tls_enforce_tls &&
 		!state->tls_context &&