postfix-2.3-20051223

2025-08-30 13:48:06 +00:00 · 2005-12-23 00:00:00 -05:00
parent 46ab025e8a
commit 51da02abb8
11 changed files with 226 additions and 173 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -11657,6 +11657,9 @@ Apologies for any names omitted.
 	addresses with numeric domains instead of rejecting them as
 	invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.

+	Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
+	Andreas Winkelmann.
+
 Open problems:

 	"postsuper -r" no longer resets the message arrival time,
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@@ -7,7 +7,8 @@ WWAARRNNIINNGG
 People who go to the trouble of installing Postfix may have the expectation
 that Postfix is more secure than some other mailers. The Cyrus SASL library is
 a lot of code. With this, Postfix becomes as secure as other mail systems that
-use the Cyrus SASL library.
+use the Cyrus SASL library. Dovecot provides an alternative that may be worth
+considering.

 HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn

@@ -27,7 +28,7 @@ search its SASL password table by the sender email address.

 This document covers the following topics:

-  * What SASL versions are supported
+  * What SASL implementations are supported
  * Building Postfix with Dovecot SASL support
  * Building the Cyrus SASL library
  * Building Postfix with Cyrus SASL support
@@ -39,7 +40,7 @@ This document covers the following topics:
  * Enabling SASL authentication in the Postfix SMTP client
  * Credits

-WWhhaatt SSAASSLL vveerrssiioonnss aarree ssuuppppoorrtteedd
+WWhhaatt SSAASSLL iimmpplleemmeennttaattiioonnss aarree ssuuppppoorrtteedd

 This document describes Postfix with the following SASL implementations:

@@ -56,19 +57,23 @@ Postfix, use the following commands:
    % postconf -a (SASL support in the SMTP server)
    % postconf -A (SASL support in the SMTP+LMTP client)

-Needless to say, these commands are not available in Postfix versions before
-2.3.
+Needless to say, these commands are not available in earlier Postfix versions.

 BBuuiillddiinngg PPoossttffiixx wwiitthh DDoovveeccoott SSAASSLL ssuuppppoorrtt

-Dovecot is available via http://www.dovecot.org/. It uses its own daemon
-process for authentication. Building Postfix with Dovecot SASL support is
-relatively easy, because there is no need to link extra libraries into Postfix.
+Dovecot SASL support is available in Postfix 2.3 and later. The Dovecot source
+code is available via http://www.dovecot.org/. At the time of writing, only
+server-side SASL support is available, so you can't use it to authenticate to
+your network provider's server. Dovecot uses its own daemon process for
+authentication. This keeps the Postfix build process simple, because there is
+no need to link extra libraries into Postfix.

 To generate the necessary Makefiles, execute the following in the Postfix top-
 level directory:

-% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
+    % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
+
+After this, proceed with "make" as described in the INSTALL document.

 Notes:

@@ -79,8 +84,6 @@ Notes:
  * If you also want support for LDAP or TLS, you will have to merge their
    CCARGS and AUXLIBS into the above command line.

-  * After this, proceed with "make" as described in the INSTALL document.
-
 BBuuiillddiinngg tthhee CCyyrruuss SSAASSLL lliibbrraarryy

 Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, which are
@@ -98,9 +101,8 @@ SASL LOGIN authentication method. To enable this authentication method, specify

 BBuuiillddiinngg PPoossttffiixx wwiitthh CCyyrruuss SSAASSLL ssuuppppoorrtt

-To build Postfix with SASL authentication support, the following assumes that
-the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL
-libraries are in /usr/local/lib.
+The following assumes that the Cyrus SASL include files are in /usr/local/
+include, and that the Cyrus SASL libraries are in /usr/local/lib.

 On some systems this generates the necessary Makefile definitions:

@@ -154,11 +156,20 @@ and later):

 Note: the SASL login names will be shared with the entire world.

+Older Microsoft SMTP client software implements a non-standard version of the
+AUTH protocol syntax, and expects that the SMTP server replies to EHLO with
+"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients (in
+addition to conformant clients) use the following:
+
+    /etc/postfix/main.cf:
+        broken_sasl_auth_clients = yes
+
 DDoovveeccoott SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr

-On the Postfix side you need to specify the location of the Dovecot
-authentication daemon socket. We use a pathname relative to the Postfix queue
-directory, so that it will work whether or not Postfix runs chrooted:
+Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side
+you need to specify the location of the Dovecot authentication daemon socket.
+We use a pathname relative to the Postfix queue directory, so that it will work
+whether or not Postfix runs chrooted:

    /etc/postfix/main.cf:
        smtpd_sasl_type = dovecot
@@ -172,15 +183,15 @@ that the Postfix queue is under /var/spool/postfix/.
        auth default {
          ..
          socket listen {
-    	client {
-    	  path = /var/spool/postfix/private/auth
-    	  mode = 0666
-    	}
+            client {
+              path = /var/spool/postfix/private/auth
+              mode = 0666
+            }
          }
        }

-See the Dovecot documentation for how to configure the Dovecot authentication
-server.
+See the Dovecot documentation for how to configure and operate the Dovecot
+authentication server.

 CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr

@@ -314,21 +325,15 @@ authentication.
 To run software chrooted with SASL support is an interesting exercise. It
 probably is not worth the trouble.

-Older Microsoft SMTP client software implements a non-standard version of the
-AUTH protocol syntax, and expects that the SMTP server replies to EHLO with
-"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients in
-addition to conformant clients, set "broken_sasl_auth_clients = yes" in the
-main.cf file.
-
 TTeessttiinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr

 To test the server side, connect to the SMTP server, and you should be able to
 have a conversation as shown below. Information sent by the client is shown in
 bold font.

-    220 server.host.tld ESMTP Postfix
-    EEHHLLOO cclliieenntt..hhoosstt..ttlldd
-    250-server.host.tld
+    220 server.example.com ESMTP Postfix
+    EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
+    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
@@ -352,9 +357,9 @@ of the following commands:
 The mmencode command is part of the metamail software. MIME::Base64 is
 available from http://www.cpan.org/.

-When posting logs of the SASL negotiations to public lists, please keep in mind
-that username/password information is trivial to recover from the base64-
-encoded form.
+Caution: when posting logs of the SASL negotiations to public lists, please
+keep in mind that username/password information is trivial to recover from the
+base64-encoded form.

 TTrroouubbllee sshhoooottiinngg tthhee SSAASSLL iinntteerrnnaallss

@@ -381,6 +386,7 @@ that is specified with the relayhost parameter or with a transport(5) table.
    /etc/postfix/main.cf:
        smtp_sasl_auth_enable = yes
        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+        smtp_sasl_type = cyrus

    /etc/postfix/sasl_passwd:
        foo.com                     username:password
@@ -442,6 +448,6 @@ CCrreeddiittss
    reject_unauthenticated_sender_login_mismatch, and revised the docs.
  * Wietse made another iteration through the code to add plug-in support for
    multiple implementations.
-  * The Dovecot plug-in was originally implemented by Timo Sirainen of
-    Procontrol, Finland.
+  * The Dovecot SMTP server plug-in was originally implemented by Timo Sirainen
+    of Procontrol, Finland.

--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -23,6 +23,7 @@
 expectation that Postfix is more secure than some other mailers.
 The Cyrus SASL library is a lot of code. With this, Postfix becomes
 as secure as other mail systems that use the Cyrus SASL library.
+Dovecot provides an alternative that may be worth considering.
 </p>

 <h2><a name="intro">How Postfix uses SASL authentication information</a></h2>
@@ -47,7 +48,7 @@ sender email address. </p>

 <ul>

-<li><a href="#versions">What SASL versions are supported</a>
+<li><a href="#versions">What SASL implementations are supported</a>

 <li><a href="#build_dovecot">Building Postfix with Dovecot SASL
 support</a></li>
@@ -78,7 +79,7 @@ Postfix SMTP client</a></li>

 </ul>

-<h2><a name="versions">What SASL versions are supported</a></h2>
+<h2><a name="versions">What SASL implementations are supported</a></h2>

 <p> This document describes Postfix with the following SASL
 implementations: </p>
@@ -106,23 +107,32 @@ implementations are built into Postfix, use the following commands:
 </pre>
 </blockquote>

-<p> Needless to say, these commands are not available in Postfix
-versions before 2.3. </p>
+<p> Needless to say, these commands are not available in earlier
+Postfix versions. </p>

 <h2><a name="build_dovecot">Building Postfix with Dovecot SASL
 support</a></h2>

-<p> Dovecot is available via <a href="http://www.dovecot.org/">http://www.dovecot.org/</a>. It uses its
-own daemon process for authentication. Building Postfix with Dovecot
-SASL support is relatively easy, because there is no need to link
-extra libraries into Postfix. </p>
+<p> Dovecot SASL support is available in Postfix 2.3 and later. The
+Dovecot source code is available via <a href="http://www.dovecot.org/">http://www.dovecot.org/</a>. At
+the time
+of writing, only server-side SASL support is available, so you can't
+use it to authenticate to your network provider's server. Dovecot
+uses its own daemon process for authentication. This keeps the
+Postfix build process simple, because there is no need to link extra
+libraries into Postfix. </p>

 <p> To generate the necessary Makefiles, execute the following
 in the Postfix top-level directory: </p>

+<blockquote>
 <pre>
 % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
 </pre>
+</blockquote>
+
+<p> After this, proceed with "<tt>make</tt>" as described in the
+<a href="INSTALL.html">INSTALL</a> document. </p>

 <p> Notes: </p>

@@ -136,9 +146,6 @@ file.  </p>
 <li> <p> If you also want support for LDAP or TLS, you will have to merge
 their CCARGS and AUXLIBS into the above command line. </p>

-<li> <p> After this, proceed with "<tt>make</tt>" as described in the
-<a href="INSTALL.html">INSTALL</a> document. </p>
-
 </ul>

 <h2><a name="build_sasl">Building the Cyrus SASL library</a></h2>
@@ -163,7 +170,7 @@ authentication method, specify ``./configure --enable-login''. </p>

 <h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2>

-<p> To build Postfix with SASL authentication support, the following
+<p> The following
 assumes that the Cyrus SASL include files are in /usr/local/include,
 and that the Cyrus SASL libraries are in /usr/local/lib. </p>

@@ -250,10 +257,24 @@ SMTP server</a></h2>
 <p> Note: the SASL login names will be shared with the entire world.
 </p>

+<p> Older Microsoft SMTP client software implements a non-standard
+version of the AUTH protocol syntax, and expects that the SMTP
+server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
+stuff".  To accommodate such clients (in addition to conformant
+clients) use the following: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+    <a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> = yes
+</pre>
+</blockquote>
+
 <h2><a name="server_dovecot">Dovecot SASL configuration for the
 Postfix SMTP server</a></h2>

-<p> On the Postfix side you need to specify the location of the
+<p> Dovecot SASL support is available in Postfix 2.3 and later.  On
+the Postfix side you need to specify the location of the
 Dovecot authentication daemon socket. We use a pathname relative
 to the Postfix queue directory, so that it will work whether or not
 Postfix runs chrooted: </p>
@@ -277,17 +298,17 @@ Postfix queue is under /var/spool/postfix/. </p>
    auth default {
      ..
      socket listen {
-	client {
-	  path = /var/spool/postfix/private/auth
-	  mode = 0666
-	}
+        client {
+          path = /var/spool/postfix/private/auth
+          mode = 0666
+        }
      }
    }
 </pre>
 </blockquote>

-<p> See the Dovecot documentation for how to configure the Dovecot
-authentication server. </p>
+<p> See the Dovecot documentation for how to configure and operate
+the Dovecot authentication server. </p>

 <h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix
 SMTP server</a></h2>
@@ -489,13 +510,6 @@ directory. </p>
 <p> To run software chrooted with SASL support is an interesting
 exercise.  It probably is not worth the trouble. </p>

-<p> Older Microsoft SMTP client software implements a non-standard
-version of the AUTH protocol syntax, and expects that the SMTP
-server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
-stuff".  To accommodate such clients in addition to conformant
-clients, set "<a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> = yes" in the main.cf file.
-</p>
-
 <h2><a name="server_test">Testing SASL authentication in the Postfix
 SMTP server</a></h2>

@@ -505,9 +519,9 @@ client is shown in bold font. </p>

 <blockquote>
 <pre>
-220 server.host.tld ESMTP Postfix
-<b>EHLO client.host.tld</b>
-250-server.host.tld
+220 server.example.com ESMTP Postfix
+<b>EHLO client.example.com</b>
+250-server.example.com
 250-PIPELINING
 250-SIZE 10240000
 250-ETRN
@@ -542,7 +556,8 @@ you can use one of the following commands: </p>
 <p> The mmencode command is part of the metamail software.
 MIME::Base64 is available from <a href="http://www.cpan.org/">http://www.cpan.org/</a>. </p>

-<p> When posting logs of the SASL negotiations to public lists,
+<p> Caution: when posting logs of the SASL negotiations to public
+lists,
 please keep in mind that username/password information is trivial
 to recover from the base64-encoded form. </p>

@@ -581,6 +596,7 @@ table. </p>
 /etc/postfix/main.cf:
    <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
    <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = hash:/etc/postfix/sasl_passwd
+    <a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> = cyrus

 /etc/postfix/sasl_passwd:
    foo.com                     username:password
@@ -668,8 +684,8 @@ of SuSE Rhein/Main AG.
 <li> Wietse made another iteration through the code to add
 plug-in support for multiple implementations.

-<li> The Dovecot plug-in was originally implemented by Timo Sirainen
-of Procontrol, Finland.
+<li> The Dovecot SMTP server plug-in was originally implemented by
+Timo Sirainen of Procontrol, Finland.

 </ul>

--- a/postfix/html/postconf.1.html
+++ b/postfix/html/postconf.1.html
@@ -31,28 +31,28 @@ POSTCONF(1)                                                        POSTCONF(1)
              <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b> configuration parameter by specify-
              ing one of the names listed below.

-              This  feature  is  available  with  Postfix 2.3 and
-              later.
-
-              <b>cyrus</b>  This server plug-in is available when  Post-
+              <b>cyrus</b>  This  server plug-in is available when Post-
                     fix is built with Cyrus SASL support.

              <b>dovecot</b>
-                     This  server  plug-in  requires  the Dovecot
+                     This server  plug-in  requires  the  Dovecot
                     authentication server.

+              This  feature  is  available  with  Postfix 2.3 and
+              later.
+
       <b>-A</b>     List the available SASL client plug-in types.   The
              SASL    plug-in   type   is   selected   with   the
              <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>  or   <b><a href="postconf.5.html#lmtp_sasl_type">lmtp_sasl_type</a></b>   configuration
              parameters  by  specifying  one of the names listed
              below.

-              This feature is  available  with  Postfix  2.3  and
-              later.
-
-              <b>cyrus</b>  This  client plug-in is available when Post-
+              <b>cyrus</b>  This client plug-in is available when  Post-
                     fix is built with Cyrus SASL support.

+              This  feature  is  available  with  Postfix 2.3 and
+              later.
+
       <b>-b</b> [<i>template</i><b>_</b><i>file</i>]
              Display the message text that appears at the begin-
              ning  of  delivery  status  notification (DSN) mes-
--- a/postfix/man/man1/postconf.1
+++ b/postfix/man/man1/postconf.1
@@ -32,8 +32,6 @@ List the available SASL server plug-in types.  The SASL
 plug-in type is selected with the \fBsmtpd_sasl_type\fR
 configuration parameter by specifying one of the names
 listed below.
-
-This feature is available with Postfix 2.3 and later.
 .RS
 .IP \fBcyrus\fR
 This server plug-in is available when Postfix is built with
@@ -42,18 +40,20 @@ Cyrus SASL support.
 This server plug-in requires the Dovecot authentication
 server.
 .RE
+.IP
+This feature is available with Postfix 2.3 and later.
 .IP \fB-A\fR
 List the available SASL client plug-in types.  The SASL
 plug-in type is selected with the \fBsmtp_sasl_type\fR or
 \fBlmtp_sasl_type\fR configuration parameters by specifying
 one of the names listed below.
-
-This feature is available with Postfix 2.3 and later.
 .RS
 .IP \fBcyrus\fR
 This client plug-in is available when Postfix is built with
 Cyrus SASL support.
 .RE
+.IP
+This feature is available with Postfix 2.3 and later.
 .IP "\fB-b\fR [\fItemplate_file\fR]"
 Display the message text that appears at the beginning of
 delivery status notification (DSN) messages, with $\fBname\fR
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -23,6 +23,7 @@
 expectation that Postfix is more secure than some other mailers.
 The Cyrus SASL library is a lot of code. With this, Postfix becomes
 as secure as other mail systems that use the Cyrus SASL library.
+Dovecot provides an alternative that may be worth considering.
 </p>

 <h2><a name="intro">How Postfix uses SASL authentication information</a></h2>
@@ -47,7 +48,7 @@ sender email address. </p>

 <ul>

-<li><a href="#versions">What SASL versions are supported</a>
+<li><a href="#versions">What SASL implementations are supported</a>

 <li><a href="#build_dovecot">Building Postfix with Dovecot SASL
 support</a></li>
@@ -78,7 +79,7 @@ Postfix SMTP client</a></li>

 </ul>

-<h2><a name="versions">What SASL versions are supported</a></h2>
+<h2><a name="versions">What SASL implementations are supported</a></h2>

 <p> This document describes Postfix with the following SASL
 implementations: </p>
@@ -106,23 +107,32 @@ implementations are built into Postfix, use the following commands:
 </pre>
 </blockquote>

-<p> Needless to say, these commands are not available in Postfix
-versions before 2.3. </p>
+<p> Needless to say, these commands are not available in earlier
+Postfix versions. </p>

 <h2><a name="build_dovecot">Building Postfix with Dovecot SASL
 support</a></h2>

-<p> Dovecot is available via http://www.dovecot.org/. It uses its
-own daemon process for authentication. Building Postfix with Dovecot
-SASL support is relatively easy, because there is no need to link
-extra libraries into Postfix. </p>
+<p> Dovecot SASL support is available in Postfix 2.3 and later. The
+Dovecot source code is available via http://www.dovecot.org/. At
+the time
+of writing, only server-side SASL support is available, so you can't
+use it to authenticate to your network provider's server. Dovecot
+uses its own daemon process for authentication. This keeps the
+Postfix build process simple, because there is no need to link extra
+libraries into Postfix. </p>

 <p> To generate the necessary Makefiles, execute the following
 in the Postfix top-level directory: </p>

+<blockquote>
 <pre>
 % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
 </pre>
+</blockquote>
+
+<p> After this, proceed with "<tt>make</tt>" as described in the
+INSTALL document. </p>

 <p> Notes: </p>

@@ -136,9 +146,6 @@ file.  </p>
 <li> <p> If you also want support for LDAP or TLS, you will have to merge
 their CCARGS and AUXLIBS into the above command line. </p>

-<li> <p> After this, proceed with "<tt>make</tt>" as described in the
-INSTALL document. </p>
-
 </ul>

 <h2><a name="build_sasl">Building the Cyrus SASL library</a></h2>
@@ -163,7 +170,7 @@ authentication method, specify ``./configure --enable-login''. </p>

 <h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2>

-<p> To build Postfix with SASL authentication support, the following
+<p> The following
 assumes that the Cyrus SASL include files are in /usr/local/include,
 and that the Cyrus SASL libraries are in /usr/local/lib. </p>

@@ -250,10 +257,24 @@ SMTP server</a></h2>
 <p> Note: the SASL login names will be shared with the entire world.
 </p>

+<p> Older Microsoft SMTP client software implements a non-standard
+version of the AUTH protocol syntax, and expects that the SMTP
+server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
+stuff".  To accommodate such clients (in addition to conformant
+clients) use the following: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+    broken_sasl_auth_clients = yes
+</pre>
+</blockquote>
+
 <h2><a name="server_dovecot">Dovecot SASL configuration for the
 Postfix SMTP server</a></h2>

-<p> On the Postfix side you need to specify the location of the
+<p> Dovecot SASL support is available in Postfix 2.3 and later.  On
+the Postfix side you need to specify the location of the
 Dovecot authentication daemon socket. We use a pathname relative
 to the Postfix queue directory, so that it will work whether or not
 Postfix runs chrooted: </p>
@@ -277,17 +298,17 @@ Postfix queue is under /var/spool/postfix/. </p>
    auth default {
      ..
      socket listen {
-	client {
-	  path = /var/spool/postfix/private/auth
-	  mode = 0666
-	}
+        client {
+          path = /var/spool/postfix/private/auth
+          mode = 0666
+        }
      }
    }
 </pre>
 </blockquote>

-<p> See the Dovecot documentation for how to configure the Dovecot
-authentication server. </p>
+<p> See the Dovecot documentation for how to configure and operate
+the Dovecot authentication server. </p>

 <h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix
 SMTP server</a></h2>
@@ -489,13 +510,6 @@ directory. </p>
 <p> To run software chrooted with SASL support is an interesting
 exercise.  It probably is not worth the trouble. </p>

-<p> Older Microsoft SMTP client software implements a non-standard
-version of the AUTH protocol syntax, and expects that the SMTP
-server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
-stuff".  To accommodate such clients in addition to conformant
-clients, set "broken_sasl_auth_clients = yes" in the main.cf file.
-</p>
-
 <h2><a name="server_test">Testing SASL authentication in the Postfix
 SMTP server</a></h2>

@@ -505,9 +519,9 @@ client is shown in bold font. </p>

 <blockquote>
 <pre>
-220 server.host.tld ESMTP Postfix
-<b>EHLO client.host.tld</b>
-250-server.host.tld
+220 server.example.com ESMTP Postfix
+<b>EHLO client.example.com</b>
+250-server.example.com
 250-PIPELINING
 250-SIZE 10240000
 250-ETRN
@@ -542,7 +556,8 @@ you can use one of the following commands: </p>
 <p> The mmencode command is part of the metamail software.
 MIME::Base64 is available from http://www.cpan.org/. </p>

-<p> When posting logs of the SASL negotiations to public lists,
+<p> Caution: when posting logs of the SASL negotiations to public
+lists,
 please keep in mind that username/password information is trivial
 to recover from the base64-encoded form. </p>

@@ -581,6 +596,7 @@ table. </p>
 /etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+    smtp_sasl_type = cyrus

 /etc/postfix/sasl_passwd:
    foo.com                     username:password
@@ -668,8 +684,8 @@ reject_unauthenticated_sender_login_mismatch, and revised the docs.
 <li> Wietse made another iteration through the code to add
 plug-in support for multiple implementations.

-<li> The Dovecot plug-in was originally implemented by Timo Sirainen
-of Procontrol, Finland.
+<li> The Dovecot SMTP server plug-in was originally implemented by
+Timo Sirainen of Procontrol, Finland.

 </ul>

--- a/postfix/src/bounce/bounce_templates.c
+++ b/postfix/src/bounce/bounce_templates.c
@@ -92,21 +92,6 @@
 /*
  * The fail template is for permanent failure.
  */
-static const char *def_bounce_failure_body[];
-
-static const BOUNCE_TEMPLATE def_bounce_failure_template = {
-    0,
-    BOUNCE_TMPL_CLASS_FAILURE,
-    "[built-in]",
-    "us-ascii",
-    MAIL_ATTR_ENC_7BIT,
-    MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)",
-    "Undelivered Mail Returned to Sender",
-    "Postmaster Copy: Undelivered Mail",
-    def_bounce_failure_body,
-    &def_bounce_failure_template,
-};
-
 static const char *def_bounce_failure_body[] = {
    "This is the $mail_name program at host $myhostname.",
    "",
@@ -122,24 +107,22 @@ static const char *def_bounce_failure_body[] = {
    0,
 };

- /*
-  * The delay template is for delayed mail notifications.
-  */
-static const char *def_bounce_delay_body[];
-
-static const BOUNCE_TEMPLATE def_bounce_delay_template = {
+static const BOUNCE_TEMPLATE def_bounce_failure_template = {
    0,
-    BOUNCE_TMPL_CLASS_DELAY,
+    BOUNCE_TMPL_CLASS_FAILURE,
    "[built-in]",
    "us-ascii",
    MAIL_ATTR_ENC_7BIT,
    MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)",
-    "Delayed Mail (still being retried)",
-    "Postmaster Warning: Delayed Mail",
-    def_bounce_delay_body,
-    &def_bounce_delay_template
+    "Undelivered Mail Returned to Sender",
+    "Postmaster Copy: Undelivered Mail",
+    def_bounce_failure_body,
+    &def_bounce_failure_template,
 };

+ /*
+  * The delay template is for delayed mail notifications.
+  */
 static const char *def_bounce_delay_body[] = {
    "This is the $mail_name program at host $myhostname.",
    "",
@@ -160,11 +143,34 @@ static const char *def_bounce_delay_body[] = {
    0,
 };

+static const BOUNCE_TEMPLATE def_bounce_delay_template = {
+    0,
+    BOUNCE_TMPL_CLASS_DELAY,
+    "[built-in]",
+    "us-ascii",
+    MAIL_ATTR_ENC_7BIT,
+    MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)",
+    "Delayed Mail (still being retried)",
+    "Postmaster Warning: Delayed Mail",
+    def_bounce_delay_body,
+    &def_bounce_delay_template
+};
+
 /*
  * The success template is for "delivered", "expanded" and "relayed" success
  * notifications.
  */
-static const char *def_bounce_success_body[];
+static const char *def_bounce_success_body[] = {
+    "This is the $mail_name program at host $myhostname.",
+    "",
+    "Your message was successfully delivered to the destination(s)",
+    "listed below. If the message was delivered to mailbox you will",
+    "receive no further notifications. Otherwise you may still receive",
+    "notifications of mail delivery errors from other systems.",
+    "",
+    "                   The $mail_name program",
+    0,
+};

 static const BOUNCE_TEMPLATE def_bounce_success_template = {
    0,
@@ -179,23 +185,18 @@ static const BOUNCE_TEMPLATE def_bounce_success_template = {
    &def_bounce_success_template,
 };

-static const char *def_bounce_success_body[] = {
-    "This is the $mail_name program at host $myhostname.",
-    "",
-    "Your message was successfully delivered to the destination(s)",
-    "listed below. If the message was delivered to mailbox you will",
-    "receive no further notifications. Otherwise you may still receive",
-    "notifications of mail delivery errors from other systems.",
-    "",
-    "                   The $mail_name program",
-    0,
-};
-
 /*
  * The "verify" template is for verbose delivery (sendmail -v) and for
  * address verification (sendmail -bv).
  */
-static const char *def_bounce_verify_body[];
+static const char *def_bounce_verify_body[] = {
+    "This is the $mail_name program at host $myhostname.",
+    "",
+    "Enclosed is the mail delivery report that you requested.",
+    "",
+    "                   The $mail_name program",
+    0,
+};

 static const BOUNCE_TEMPLATE def_bounce_verify_template = {
    0,
@@ -210,15 +211,6 @@ static const BOUNCE_TEMPLATE def_bounce_verify_template = {
    &def_bounce_verify_template,
 };

-static const char *def_bounce_verify_body[] = {
-    "This is the $mail_name program at host $myhostname.",
-    "",
-    "Enclosed is the mail delivery report that you requested.",
-    "",
-    "                   The $mail_name program",
-    0,
-};
-
 /*
  * SLMs.
  */
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20051222"
+#define MAIL_RELEASE_DATE	"20051223"
 #define MAIL_VERSION_NUMBER	"2.3"

 #ifdef SNAPSHOT
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -26,8 +26,6 @@
 /*	plug-in type is selected with the \fBsmtpd_sasl_type\fR
 /*	configuration parameter by specifying one of the names
 /*	listed below.
-/*
-/*	This feature is available with Postfix 2.3 and later.
 /* .RS
 /* .IP \fBcyrus\fR
 /*	This server plug-in is available when Postfix is built with
@@ -36,18 +34,20 @@
 /*	This server plug-in requires the Dovecot authentication
 /*	server.
 /* .RE
+/* .IP
+/*	This feature is available with Postfix 2.3 and later.
 /* .IP \fB-A\fR
 /*	List the available SASL client plug-in types.  The SASL
 /*	plug-in type is selected with the \fBsmtp_sasl_type\fR or
 /*	\fBlmtp_sasl_type\fR configuration parameters by specifying
 /*	one of the names listed below.
-/*
-/*	This feature is available with Postfix 2.3 and later.
 /* .RS
 /* .IP \fBcyrus\fR
 /*	This client plug-in is available when Postfix is built with
 /*	Cyrus SASL support.
 /* .RE
+/* .IP
+/*	This feature is available with Postfix 2.3 and later.
 /* .IP "\fB-b\fR [\fItemplate_file\fR]"
 /*	Display the message text that appears at the beginning of
 /*	delivery status notification (DSN) messages, with $\fBname\fR
@@ -281,7 +281,7 @@
 #define SHOW_LOCKS	(1<<5)		/* show mailbox lock methods */
 #define SHOW_EVAL	(1<<6)		/* expand right-hand sides */
 #define SHOW_SASL_SERV	(1<<7)		/* show server auth plugin types */
-#define SHOW_SASL_CLNT	(1<<7)		/* show client auth plugin types */
+#define SHOW_SASL_CLNT	(1<<8)		/* show client auth plugin types */

 /*
  * Lookup table for in-core parameter info.
--- a/postfix/src/util/name_code.c
+++ b/postfix/src/util/name_code.c
@@ -36,7 +36,7 @@
 /*	For convenience the constant NAME_CODE_FLAG_NONE requests
 /*	no special processing.
 /*
-/*	str_name_code() translates a number to its equivalend string.
+/*	str_name_code() translates a number to its equivalent string.
 /* DIAGNOSTICS
 /*	When the search fails, the result is the "name not found" code
 /*	or the null pointer, respectively.
--- a/postfix/src/xsasl/xsasl_dovecot_server.c
+++ b/postfix/src/xsasl/xsasl_dovecot_server.c
@@ -11,6 +11,14 @@
 /*	This module implements the Dovecot SASL server-side authentication
 /*	plug-in.
 /*
+/* .IP server_type
+/*	The plug-in type that was specified to xsasl_server_init().
+/*	The argument is ignored, because the Dovecot plug-in
+/*	implements only one plug-in type.
+/* .IP path_info
+/*	The location of the Dovecot authentication server's UNIX-domain
+/*	socket. Note: the Dovecot plug-in uses late binding, therefore
+/*	all connect operations are done with Postfix privileges.
 /* DIAGNOSTICS
 /*	Fatal: out of memory.
 /*
@@ -68,6 +76,12 @@
 #define AUTH_PROTOCOL_MAJOR_VERSION 1
 #define AUTH_PROTOCOL_MINOR_VERSION 0

+ /*
+  * Encorce read/write time limits, so that we can produce accurate
+  * diagnostics instead of getting killed by the watchdog timer.
+  */
+#define AUTH_TIMEOUT	10
+
 /*
  * Class variables.
  */
@@ -108,6 +122,8 @@ static int xsasl_dovecot_server_next(XSASL_SERVER *, const char *, VSTRING *);
 static const char *xsasl_dovecot_server_get_mechanism_list(XSASL_SERVER *);
 static const char *xsasl_dovecot_server_get_username(XSASL_SERVER *);

+/* xsasl_dovecot_server_connect - initial auth server handshake */
+ 
 static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
 {
    const char *myname = "xsasl_dovecot_server_connect";
@@ -120,13 +136,15 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
    if (msg_verbose)
 	msg_info("%s: Connecting", myname);

-    if ((fd = unix_connect(xp->socket_path, BLOCKING, 0)) < 0) {
+    if ((fd = unix_connect(xp->socket_path, BLOCKING, AUTH_TIMEOUT)) < 0) {
 	msg_warn("SASL: Connect to %s failed: %m", xp->socket_path);
 	return (-1);
    }
    sasl_stream = vstream_fdopen(fd, O_RDWR);
-    vstream_control(sasl_stream, VSTREAM_CTL_PATH,
-		    xp->socket_path, VSTREAM_CTL_END);
+    vstream_control(sasl_stream,
+		    VSTREAM_CTL_PATH, xp->socket_path,
+		    VSTREAM_CTL_TIMEOUT, AUTH_TIMEOUT,
+		    VSTREAM_CTL_END);

    vstream_fprintf(sasl_stream,
 		    "VERSION\t%u\t%u\n"
@@ -192,6 +210,8 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
    return (0);
 }

+/* xsasl_dovecot_server_disconnect - dispose of server connection state */
+
 static void xsasl_dovecot_server_disconnect(XSASL_DOVECOT_SERVER_IMPL *xp)
 {
    if (xp->sasl_stream) {