postfix-2.12-20140507

2025-08-22 01:49:47 +00:00 · 2014-05-07 00:00:00 -05:00 · 2014-05-07 00:00:00 -05:00 · 542b0c899e
commit 542b0c899e
parent 2cd314309b
27 changed files with 622 additions and 193 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -19605,8 +19605,8 @@ Apologies for any names omitted.
 	unusable; Don't leak dane handle when all TLSA records are
 	unusable.  Viktor Dukhovni. File: smtp/smtp_tls_policy.c.

-	Cleanup: log TLS policy lookups as warnings. Viktor Dukhovni.
-	File: smtp/smtp_connect.c.
+	Cleanup: log TLS policy lookup errors as warnings. Viktor
+	Dukhovni.  File: smtp/smtp_connect.c.

 20140316

@ -19672,3 +19672,42 @@ Apologies for any names omitted.
 	proto/postconf.proto, global/mail_params.h, tls/tls_misc.c,
 	tls/tls_scache.h, tls/tls_server.c.

+20140416
+
+	Cleanup: replace "~0 << positive" with "~0U << positive"
+	even if we use only the lower bytes.  Jeffrey Walton.  File:
+	util/mask_addr.c.
+
+20140407
+
+	Documentation: the documentation for Postfix > 2.8 TLS
+	activity logging was incorrect. Loglevel 0 produces no
+	logging. Instead, information is logged only with loglevel
+	1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
+	proto/postconf.proto.
+
+20140501
+
+	Cleanup: postcreen_dnsbl_timeout parameter. Files:
+	mantools/postlink, proto/postconf.proto, global/mail_params.h,
+	postscreen/postscreen.c, postscreen/postscreen_dnsbl.c.
+
+	Cleanup: added table search order information to the
+	postconf(5) manpage. File: proto/postconf.proto.
+
+20140505
+
+	Cleanup: added a client port attribute to the policy
+	delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c.
+
+20140507
+
+	Bugfix (introduced: Postfix 2.11): with connection caching
+	enabled (the default), recipients could be given to the
+	wrong mail server.  Root cause: due to an incorrect predicate,
+	the Postfix SMTP client could save and restore plaintext
+	connections that should not be cached, under nonsensical
+	lookup keys that did not distinguish by destination.  Problem
+	reported by Sahil Tandon, predicate error found by Viktor,
+	redundant connection restore request eliminated by Wietse.
+	File: smtp/smtp_connect.c.
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@ -622,8 +622,8 @@ mail:
        postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

    /etc/postfix/dnsbl_reply:
-        # Secret DNSBL name        Name in postscreen(8) replies
-        secret.zen.spamhaus.org    zen.spamhaus.org
+        # Secret DNSBL name           Name in postscreen(8) replies
+        secret.zen.dq.spamhaus.net    zen.spamhaus.org

    The texthash: format is similar to hash: except that there is no need to
    run postmap(1) before the file can be used, and that it does not detect
--- a/postfix/README_FILES/SMTPD_ACCESS_README
+++ b/postfix/README_FILES/SMTPD_ACCESS_README
@ -146,6 +146,7 @@ Examples of simple restriction lists are:
        # (available with Postfix 2.10 and later).
        reject_unauth_destination
        reject_rbl_client zen.spamhaus.org,
+        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rhsbl_helo dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org

--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@ -247,27 +247,25 @@ To get additional information about Postfix SMTP server TLS activity you can
 increase the log level from 0..4. Each logging level also includes the
 information that is logged at a lower logging level.

-     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
-    |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr             |EEaarrlliieerr rreelleeaasseess..               |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |0    |Log only a summary message on TLS |Disable logging of TLS activity.|
-    |     |handshake completion -- no logging|                                |
-    |     |of client certificate trust-chain |                                |
-    |     |verification errors if client     |                                |
-    |     |certificate verification is not   |                                |
-    |     |required.                         |                                |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |1    |Also log trust-chain verification |Also log TLS handshake and      |
-    |     |errors and peer certificate       |certificate information.        |
-    |     |summary information.              |                                |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |2    |Also log levels during TLS negotiation.                            |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |3    |Also log hexadecimal and ASCII dump of TLS negotiation process.    |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |4    |Also log hexadecimal and ASCII dump of complete transmission after |
-    |     |STARTTLS.                                                          |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr             |EEaarrlliieerr rreelleeaasseess..              |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |0    |Disable logging of TLS activity.                                  |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |1    |Log only a summary message on TLS |Log the summary message, peer  |
+    |     |handshake completion -- no logging|certificate summary information|
+    |     |of client certificate trust-chain |and unconditionally log trust- |
+    |     |verification errors if client     |chain verification errors.     |
+    |     |certificate verification is not   |                               |
+    |     |required.                         |                               |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |2    |Also log levels during TLS negotiation.                           |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |3    |Also log hexadecimal and ASCII dump of TLS negotiation process.   |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |4    |Also log hexadecimal and ASCII dump of complete transmission after|
+    |     |STARTTLS.                                                         |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |

 Use log level 3 only in case of problems. Use of log level 4 is strongly
 discouraged.
@ -1321,27 +1319,25 @@ To get additional information about Postfix SMTP client TLS activity you can
 increase the loglevel from 0..4. Each logging level also includes the
 information that is logged at a lower logging level.

-     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
-    |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr             |EEaarrlliieerr rreelleeaasseess..               |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |0    |Log only a summary message on TLS |Disable logging of TLS activity.|
-    |     |handshake completion -- no logging|                                |
-    |     |of remote SMTP server certificate |                                |
-    |     |trust-chain verification errors if|                                |
-    |     |server certificate verification is|                                |
-    |     |not required.                     |                                |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |1    |Also log remote SMTP server trust-|Also log TLS handshake and      |
-    |     |chain verification errors and peer|certificate information.        |
-    |     |certificate summary information.  |                                |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |2    |Also log levels during TLS negotiation.                            |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |3    |Also log hexadecimal and ASCII dump of TLS negotiation process.    |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |4    |Also log hexadecimal and ASCII dump of complete transmission after |
-    |     |STARTTLS.                                                          |
-    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr             |EEaarrlliieerr rreelleeaasseess..              |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |0    |Disable logging of TLS activity.                                  |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |1    |Log only a summary message on TLS |Log the summary message and    |
+    |     |handshake completion -- no logging|unconditionally log trust-chain|
+    |     |of remote SMTP server certificate |verification errors.           |
+    |     |trust-chain verification errors if|                               |
+    |     |server certificate verification is|                               |
+    |     |not required.                     |                               |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |2    |Also log levels during TLS negotiation.                           |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |3    |Also log hexadecimal and ASCII dump of TLS negotiation process.   |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |4    |Also log hexadecimal and ASCII dump of complete transmission after|
+    |     |STARTTLS.                                                         |
+    |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |

 Example:

--- a/postfix/html/POSTSCREEN_README.html
+++ b/postfix/html/POSTSCREEN_README.html
@ -872,8 +872,8 @@ For example: </p>

 <pre>
 /etc/postfix/dnsbl_reply:
-    # Secret DNSBL name        Name in <a href="postscreen.8.html">postscreen(8)</a> replies
-    secret.zen.spamhaus.org    zen.spamhaus.org
+    # Secret DNSBL name           Name in <a href="postscreen.8.html">postscreen(8)</a> replies
+    secret.zen.dq.spamhaus.net    zen.spamhaus.org
 </pre>

 <p> The <a href="DATABASE_README.html#types">texthash</a>: format is similar to <a href="DATABASE_README.html#types">hash</a>: except that there is
--- a/postfix/html/SMTPD_ACCESS_README.html
+++ b/postfix/html/SMTPD_ACCESS_README.html
@ -202,6 +202,7 @@ described in the <a href="postconf.5.html">postconf(5)</a> manual page. </p>
        # (available with Postfix 2.10 and later).
        <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
        <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> zen.spamhaus.org,
+        <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a> dbl.spamhaus.org,
        <a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> dbl.spamhaus.org,
        <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> dbl.spamhaus.org

--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@ -384,16 +384,15 @@ logging level. </p>
 <tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
 releases. </th> </tr>

-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
+
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
 message on TLS handshake completion &mdash; no logging of client
 certificate trust-chain verification errors if client certificate
-verification is not required. </td> <td valign="top"> Disable logging
-of TLS activity.</td> </tr>
-
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
-verification errors and peer certificate summary information. </td>
-<td valign="top"> Also log TLS handshake and certificate information.
-</td> </tr>
+verification is not required. </td> <td valign="top"> Log the summary
+message, peer certificate summary information and unconditionally log
+trust-chain verification errors.  </td> </tr>

 <tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
 log levels during TLS negotiation.  </td> </tr>
@ -1750,16 +1749,15 @@ logging level. </p>
 <tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
 releases. </th> </tr>

-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
-message on TLS handshake completion &mdash; no logging of remote
-SMTP server certificate trust-chain verification errors if server
-certificate verification is not required. </td> <td valign="top">
-Disable logging of TLS activity.</td> </tr>
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity.  </td> </tr>

-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
-SMTP server trust-chain verification errors and peer certificate
-summary information. </td> <td valign="top"> Also log TLS handshake
-and certificate information.  </td> </tr>
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
+message on TLS handshake completion &mdash; no logging of remote SMTP
+server certificate trust-chain verification errors if server certificate
+verification is not required. </td> <td valign="top"> Log the summary
+message and unconditionally log trust-chain verification errors.
+</td> </tr>

 <tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
 log levels during TLS negotiation. </td> </tr>
--- a/postfix/html/dnsblog.8.html
+++ b/postfix/html/dnsblog.8.html
@ -19,12 +19,12 @@ DNSBLOG(8)                                                          DNSBLOG(8)

 <b>PROTOCOL</b>
       With each connection, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server receives a DNS white/black-
-       list domain name, IP address, and an ID.   If  the  address  is  listed
-       under the DNS white/blacklist, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the match and
-       replies with the query arguments plus an address list with the  result-
-       ing  IP  addresses  separated by whitespace.  Otherwise it replies with
-       the query arguments plus an empty  address  list.   Finally,  The  <a href="dnsblog.8.html"><b>dns-</b></a>
-       <a href="dnsblog.8.html"><b>blog</b>(8)</a> server closes the connection.
+       list domain name, an IP address, and an  ID.   If  the  IP  address  is
+       listed  under  the  DNS white/blacklist, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the
+       match and replies with the query arguments plus an  address  list  with
+       the  resulting  IP  addresses  separated  by  whitespace.  Otherwise it
+       replies with the query arguments plus an empty address list.   Finally,
+       The <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server closes the connection.

 <b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8).
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -559,6 +559,10 @@ Examples:
 <p>
 The alias databases that are used for <a href="local.8.html">local(8)</a> delivery. See
 <a href="aliases.5.html">aliases(5)</a> for syntax details.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
 </p>

 <p>
@ -1343,6 +1347,13 @@ are documented in <a href="canonical.5.html">canonical(5)</a>. For an overview o
 manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+</p>
+
 <p>
 If you use this feature, run "<b>postmap /etc/postfix/canonical</b>" to
 build the necessary DBM or DB file after every change. The changes
@ -5346,6 +5357,12 @@ Technically, tables listed with $<a href="postconf.5.html#local_recipient_maps">
 lists: Postfix needs to know only if a lookup string is found or
 not, but it does not use the result from table lookup.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 If this parameter is non-empty (the default), then the Postfix SMTP
 server will reject mail for unknown local users.
@ -5742,6 +5759,12 @@ is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">ma
 <a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
 <a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+

 </DD>

@ -5816,6 +5839,12 @@ is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">ma
 <a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
 <a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> For safety reasons, this feature does not allow $number
 substitutions in regular expression maps. </p>

@ -7550,6 +7579,18 @@ parameter. </p>
 <p> This feature is available in Postfix 2.8.  </p>


+</DD>
+
+<DT><b><a name="postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a>
+(default: 10s)</b></DT><DD>
+
+<p> The time limit for DNSBL or DNSWL lookups. This is separate from
+the timeouts in the <a href="dnsblog.8.html">dnsblog(8)</a> daemon which are defined by system
+resolver(3) routines. </p>
+
+<p> This feature is available in Postfix 2.12.  </p>
+
+
 </DD>

 <DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
@ -8157,6 +8198,11 @@ Example:
 <p>
 The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to
 access for the read-only service.
+</p>
+
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma.
 Table references that don't begin with <a href="proxymap.8.html">proxy</a>: are ignored.
 </p>

@ -8584,7 +8630,9 @@ supported) is added when mail enters from outside of Postfix.
 </p>

 <p>
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 </p>

 <p>
@ -8610,11 +8658,6 @@ equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.ht

 </ul>

-<p>
-Specify the types and names of databases to use.  After change,
-run "<b>postmap /etc/postfix/recipient_bcc</b>".
-</p>
-
 <p>
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
@ -8640,6 +8683,14 @@ Example:
 <a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/recipient_bcc
 </pre>

+<p>
+After a change, run "<b>postmap /etc/postfix/recipient_bcc</b>".
+</p>
+
+<p>
+This feature is available in Postfix 2.1 and later.
+</p>
+

 </DD>

@ -8728,7 +8779,7 @@ Examples:

 <pre>
 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +-
 </pre>

 <pre>
@ -8900,6 +8951,12 @@ listed with $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps
 to know only if a lookup string is found or not, but it does not
 use the result from table lookup.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 If this parameter is non-empty, then the Postfix SMTP server will reject
 mail to unknown relay users. This feature is off by default.
@ -9007,6 +9064,12 @@ domains that no longer exist.  The table format and lookups are
 documented in <a href="relocated.5.html">relocated(5)</a>.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 If you use this feature, run "<b>postmap /etc/postfix/relocated</b>" to
 build the necessary DBM or DB file after change, then "<b>postfix
@ -9239,7 +9302,9 @@ by sender address.  The BCC address (multiple results are not
 supported) is added when mail enters from outside of Postfix.  </p>

 <p>
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 </p>

 <p>
@ -9265,11 +9330,6 @@ equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.ht

 </ul>

-<p>
-Specify the types and names of databases to use.  After change,
-run "<b>postmap /etc/postfix/sender_bcc</b>".
-</p>
-
 <p>
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
@ -9295,6 +9355,14 @@ Example:
 <a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_bcc
 </pre>

+<p>
+After a change, run "<b>postmap /etc/postfix/sender_bcc</b>".
+</p>
+
+<p>
+This feature is available in Postfix 2.1 and later.
+</p>
+

 </DD>

@ -9352,6 +9420,12 @@ address and @domain. A lookup result of DUNNO terminates the search
 without overriding the global <a href="postconf.5.html#default_transport">default_transport</a> parameter setting.
 This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and
 therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the
 syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>.  Specifically, this does not support the
@ -9377,6 +9451,12 @@ later). This information is overruled with <a href="postconf.5.html#relay_transp
 <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, <a href="postconf.5.html#default_transport">default_transport</a> and with
 the <a href="transport.5.html">transport(5)</a> table. </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> For safety reasons, this feature does not allow $number
 substitutions in regular expression maps. </p>

@ -9930,6 +10010,12 @@ remote SMTP server. See <a href="postconf.5.html#smtp_discard_ehlo_keywords">smt
 table is not indexed by hostname for consistency with
 <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>. </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> This feature is available in Postfix 2.2 and later. </p>


@ -10146,6 +10232,12 @@ This is needed when the local machine does not have its own Internet
 domain name, but uses something like <i>localdomain.local</i>
 instead.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> The table format and lookups are documented in <a href="generic.5.html">generic(5)</a>;
 examples are shown in the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> and
 <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents. </p>
@ -10406,6 +10498,12 @@ per-destination workarounds for CISCO PIX firewall bugs.  The table
 is not indexed by hostname for consistency with
 <a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a>. </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> This feature is available in Postfix 2.4 and later. </p>


@ -10751,6 +10849,12 @@ The Postfix SMTP client opens the lookup table before going to
 chroot jail, so you can leave the password file in /etc/postfix.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+

 </DD>

@ -11505,14 +11609,13 @@ a lower logging level.  </p>

 <dl compact>

-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
 &mdash; no logging of remote SMTP server certificate trust-chain
 verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity.  </dd>
-
-<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information.  </dd>
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors.  </dd>

 <dt> </dt> <dd> 2 Also log levels during TLS negotiation.  </dd>

@ -11796,6 +11899,12 @@ this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls
 <a href="TLS_README.html">TLS_README</a> for a more detailed discussion of TLS security levels.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> The TLS policy table is indexed by the full next-hop destination,
 which is either the recipient domain, or the verbatim next-hop
 specified in the transport table, $<a href="postconf.5.html#local_transport">local_transport</a>, $<a href="postconf.5.html#virtual_transport">virtual_transport</a>,
@ -13379,7 +13488,13 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth,
 etc.) that the Postfix SMTP server will not send in the EHLO response
 to a
 remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> for details.
-The table is not searched by hostname for robustness reasons.  </p>
+The tables are not searched by hostname for robustness reasons.  </p>
+
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>

 <p> This feature is available in Postfix 2.2 and later. </p>

@ -14214,7 +14329,7 @@ non-permanent error code.  This feature is available in Postfix

 <dd>Reject the request when Postfix is not final destination for
 the recipient domain, and the RCPT TO domain has 1) no DNS MX and
-no DNS address
+no DNS A
 record or 2) a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later). <br> The
 <a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter specifies the numerical
@ -14814,7 +14929,9 @@ Optional lookup table with the SASL login names that own sender
 </p>

 <p>
-Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables. With lookups from
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.  With lookups from
 indexed files such as DB or DBM, or from networked tables such as
 NIS, LDAP or SQL, the following search operations are done with a
 sender address of <i>user@domain</i>:  </p>
@ -14948,7 +15065,7 @@ Postfix version 2.1 and later. </dd>

 <dd>Reject the request when Postfix is not final destination for
 the sender address, and the MAIL FROM domain has 1) no DNS MX and
-no DNS address
+no DNS A
 record, or 2) a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later). <br> The
 <a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter specifies the numerical
@ -15700,15 +15817,13 @@ a lower logging level.  </p>

 <dl compact>

-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
-&mdash; no logging of remote SMTP client certificate trust-chain verification
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity. </dd>
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>

-<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information. </dd>
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
+&mdash; no logging of client certificate trust-chain verification errors
+if client certificate verification is not required.  With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors.  </dd>

 <dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>

@ -17650,7 +17765,9 @@ for details.
 </p>

 <p>
-Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables.  If you use this
+Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.  If you use this
 feature with local files, run "<b>postmap /etc/postfix/transport</b>"
 after making a change.  </p>

@ -18226,6 +18343,13 @@ This feature is available in Postfix 2.0 and later. The default
 value is backwards compatible with Postfix version 1.1.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+</p>
+
 <p>
 If you use this feature with indexed files, run "<b>postmap
 /etc/postfix/virtual</b>" after changing the file.
@ -18311,6 +18435,12 @@ delivery.
 It does not apply when mail is delivered with a different mail
 delivery program.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 In a lookup table, specify a left-hand side of "@domain.tld" to
 match any user in the specified domain that does not have a specific
@ -18440,6 +18570,12 @@ Optional lookup tables with all valid addresses in the domains that
 match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 In a lookup table, specify a left-hand side of "@domain.tld" to
 match any user in the specified domain that does not have a specific
@ -18547,6 +18683,12 @@ delivery agent uses while writing to the recipient's mailbox.
 It does not apply when mail is delivered with a different mail
 delivery program.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 In a lookup table, specify a left-hand side of "@domain.tld"
 to match any user in the specified domain that does not have a
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@ -228,6 +228,11 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
              greeting" protocol tests, based on its combined DNSBL  score  as
              defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.

+       Available in Postfix version 2.11 and later:
+
+       <b><a href="postconf.5.html#postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a> (10s)</b>
+              The time limit for DNSBL or DNSWL lookups.
+
 <b>AFTER 220 GREETING TESTS</b>
       These tests are executed after the remote SMTP client receives the "220
       servername" greeting. If a client passes all tests during  this  phase,
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -305,6 +305,10 @@ alias_database = hash:/etc/mail/aliases
 .SH alias_maps (default: see "postconf -d" output)
 The alias databases that are used for \fBlocal\fR(8) delivery. See
 \fBaliases\fR(5) for syntax details.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
 .PP
 The default list is system dependent.  On systems with NIS, the
 default is to search the local alias database, then the NIS alias
@ -765,6 +769,11 @@ login names by Firstname.Lastname.  The table format and lookups
 are documented in \fBcanonical\fR(5). For an overview of Postfix address
 manipulations see the ADDRESS_REWRITING_README document.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+.PP
 If you use this feature, run "\fBpostmap /etc/postfix/canonical\fR" to
 build the necessary DBM or DB file after every change. The changes
 will become visible after a minute or so.  Use "\fBpostfix reload\fR"
@ -3123,6 +3132,10 @@ Technically, tables listed with $local_recipient_maps are used as
 lists: Postfix needs to know only if a lookup string is found or
 not, but it does not use the result from table lookup.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 If this parameter is non-empty (the default), then the Postfix SMTP
 server will reject mail for unknown local users.
 .PP
@ -3382,6 +3395,10 @@ The precedence of \fBlocal\fR(8) delivery features from high to low
 is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
 fallback_transport_maps, fallback_transport and luser_relay.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 .SH mailbox_delivery_lock (default: see "postconf -d" output)
 How to lock a UNIX-style \fBlocal\fR(8) mailbox before attempting delivery.
 For a list of available file locking methods, use the "\fBpostconf
@ -3421,6 +3438,10 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
 fallback_transport_maps, fallback_transport and luser_relay.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 For safety reasons, this feature does not allow $number
 substitutions in regular expression maps.
 .PP
@ -4580,6 +4601,12 @@ its combined DNSBL score as defined with the postscreen_dnsbl_sites
 parameter.
 .PP
 This feature is available in Postfix 2.8.
+.SH postscreen_dnsbl_timeout (default: 10s)
+The time limit for DNSBL or DNSWL lookups. This is separate from
+the timeouts in the \fBdnsblog\fR(8) daemon which are defined by system
+\fBresolver\fR(3) routines.
+.PP
+This feature is available in Postfix 2.12.
 .SH postscreen_dnsbl_ttl (default: 1h)
 The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful DNS blocklist test. During this time, the client IP address
@ -4964,6 +4991,9 @@ proxy_interfaces = 1.2.3.4
 .SH proxy_read_maps (default: see "postconf -d" output)
 The lookup tables that the \fBproxymap\fR(8) server is allowed to
 access for the read-only service.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma.
 Table references that don't begin with proxy: are ignored.
 .PP
 This feature is available in Postfix 2.0 and later.
@ -5175,7 +5205,9 @@ Optional BCC (blind carbon-copy) address lookup tables, indexed by
 recipient address.  The BCC address (multiple results are not
 supported) is added when mail enters from outside of Postfix.
 .PP
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 .PP
 The table search order is as follows:
 .IP \(bu
@ -5195,9 +5227,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
 Look up the "@domain.tld" part.
 .br
 .PP
-Specify the types and names of databases to use.  After change,
-run "\fBpostmap /etc/postfix/recipient_bcc\fR".
-.PP
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
 when the BCC address is undeliverable, as long as all down-stream
@ -5220,6 +5249,10 @@ recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
 .fi
 .ad
 .ft R
+.PP
+After a change, run "\fBpostmap /etc/postfix/recipient_bcc\fR".
+.PP
+This feature is available in Postfix 2.1 and later.
 .SH recipient_canonical_classes (default: envelope_recipient, header_recipient)
 What addresses are subject to recipient_canonical_maps address
 mapping.  By default, recipient_canonical_maps address mapping is
@ -5291,7 +5324,7 @@ recipient_delimiter = +
 .na
 .ft C
 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+recipient_delimiter = +-
 .fi
 .ad
 .ft R
@ -5416,6 +5449,10 @@ listed with $relay_recipient_maps are used as lists: Postfix needs
 to know only if a lookup string is found or not, but it does not
 use the result from table lookup.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 If this parameter is non-empty, then the Postfix SMTP server will reject
 mail to unknown relay users. This feature is off by default.
 .PP
@ -5485,6 +5522,10 @@ Optional lookup tables with new contact information for users or
 domains that no longer exist.  The table format and lookups are
 documented in \fBrelocated\fR(5).
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 If you use this feature, run "\fBpostmap /etc/postfix/relocated\fR" to
 build the necessary DBM or DB file after change, then "\fBpostfix
 reload\fR" to make the changes visible.
@ -5646,7 +5687,9 @@ Optional BCC (blind carbon-copy) address lookup tables, indexed
 by sender address.  The BCC address (multiple results are not
 supported) is added when mail enters from outside of Postfix.
 .PP
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 .PP
 The table search order is as follows:
 .IP \(bu
@ -5666,9 +5709,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
 Look up the "@domain.tld" part.
 .br
 .PP
-Specify the types and names of databases to use.  After change,
-run "\fBpostmap /etc/postfix/sender_bcc\fR".
-.PP
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
 when the BCC address is undeliverable, as long as all down-stream
@ -5691,6 +5731,10 @@ sender_bcc_maps = hash:/etc/postfix/sender_bcc
 .fi
 .ad
 .ft R
+.PP
+After a change, run "\fBpostmap /etc/postfix/sender_bcc\fR".
+.PP
+This feature is available in Postfix 2.1 and later.
 .SH sender_canonical_classes (default: envelope_sender, header_sender)
 What addresses are subject to sender_canonical_maps address
 mapping.  By default, sender_canonical_maps address mapping is
@ -5726,6 +5770,10 @@ address and @domain. A lookup result of DUNNO terminates the search
 without overriding the global default_transport parameter setting.
 This information is overruled with the \fBtransport\fR(5) table.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 Note: this overrides default_transport, not transport_maps, and
 therefore the expected syntax is that of default_transport, not the
 syntax of transport_maps.  Specifically, this does not support the
@ -5745,6 +5793,10 @@ later). This information is overruled with relay_transport,
 sender_dependent_default_transport_maps, default_transport and with
 the \fBtransport\fR(5) table.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 For safety reasons, this feature does not allow $number
 substitutions in regular expression maps.
 .PP
@ -6081,6 +6133,10 @@ remote SMTP server. See smtp_discard_ehlo_keywords for details. The
 table is not indexed by hostname for consistency with
 smtpd_discard_ehlo_keyword_address_maps.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 This feature is available in Postfix 2.2 and later.
 .SH smtp_discard_ehlo_keywords (default: empty)
 A case insensitive list of EHLO keywords (pipelining, starttls,
@ -6246,6 +6302,10 @@ This is needed when the local machine does not have its own Internet
 domain name, but uses something like \fIlocaldomain.local\fR
 instead.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 The table format and lookups are documented in \fBgeneric\fR(5);
 examples are shown in the ADDRESS_REWRITING_README and
 STANDARD_CONFIGURATION_README documents.
@ -6385,6 +6445,10 @@ per-destination workarounds for CISCO PIX firewall bugs.  The table
 is not indexed by hostname for consistency with
 smtp_discard_ehlo_keyword_address_maps.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 This feature is available in Postfix 2.4 and later.
 .SH smtp_pix_workaround_threshold_time (default: 500s)
 How long a message must be queued before the Postfix SMTP client
@ -6633,6 +6697,10 @@ attempt to authenticate to the remote host.
 .PP
 The Postfix SMTP client opens the lookup table before going to
 chroot jail, so you can leave the password file in /etc/postfix.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 .SH smtp_sasl_path (default: empty)
 Implementation-specific information that the Postfix SMTP client
 passes through to
@ -7244,15 +7312,14 @@ Enable additional Postfix SMTP client logging of TLS activity.
 Each logging level also includes the information that is logged at
 a lower logging level.
 .IP ""
-0 Log only a summary message on TLS handshake completion
- no logging of remote SMTP server certificate trust-chain
-verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity.
+0 Disable logging of TLS activity.
 .br
 .IP ""
-1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information.
+1 Log only a summary message on TLS handshake completion
+- no logging of remote SMTP server certificate trust-chain
+verification errors if server certificate verification is not required.
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors.
 .br
 .IP ""
 2 Also log levels during TLS negotiation.
@ -7512,6 +7579,10 @@ policy by next-hop destination; when a non-empty value is specified,
 this overrides the obsolete smtp_tls_per_site parameter.  See
 TLS_README for a more detailed discussion of TLS security levels.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 The TLS policy table is indexed by the full next-hop destination,
 which is either the recipient domain, or the verbatim next-hop
 specified in the transport table, $local_transport, $virtual_transport,
@ -8878,7 +8949,11 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth,
 etc.) that the Postfix SMTP server will not send in the EHLO response
 to a
 remote SMTP client. See smtpd_discard_ehlo_keywords for details.
-The table is not searched by hostname for robustness reasons.
+The tables are not searched by hostname for robustness reasons.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 .PP
 This feature is available in Postfix 2.2 and later.
 .SH smtpd_discard_ehlo_keywords (default: empty)
@ -9445,7 +9520,7 @@ non-permanent error code.  This feature is available in Postfix
 .IP "\fBreject_unknown_recipient_domain\fR"
 Reject the request when Postfix is not final destination for
 the recipient domain, and the RCPT TO domain has 1) no DNS MX and
-no DNS address
+no DNS A
 record or 2) a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later).
 .br
@ -9916,7 +9991,9 @@ This feature is available in Postfix 2.3 and later.
 Optional lookup table with the SASL login names that own sender
 (MAIL FROM) addresses.
 .PP
-Specify zero or more "type:table" lookup tables. With lookups from
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.  With lookups from
 indexed files such as DB or DBM, or from networked tables such as
 NIS, LDAP or SQL, the following search operations are done with a
 sender address of \fIuser@domain\fR:
@ -10019,7 +10096,7 @@ Postfix version 2.1 and later.
 .IP "\fBreject_unknown_sender_domain\fR"
 Reject the request when Postfix is not final destination for
 the sender address, and the MAIL FROM domain has 1) no DNS MX and
-no DNS address
+no DNS A
 record, or 2) a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later).
 .br
@ -10680,16 +10757,14 @@ Enable additional Postfix SMTP server logging of TLS activity.
 Each logging level also includes the information that is logged at
 a lower logging level.
 .IP ""
-0 Log only a summary message on TLS handshake completion
- no logging of remote SMTP client certificate trust-chain verification
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity.
+0 Disable logging of TLS activity.
 .br
 .IP ""
-1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information.
+1 Log only a summary message on TLS handshake completion
+- no logging of client certificate trust-chain verification errors
+if client certificate verification is not required.  With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors.
 .br
 .IP ""
 2 Also log levels during TLS negotiation.
@ -12031,7 +12106,9 @@ Optional lookup tables with mappings from recipient address to
 (message delivery transport, next-hop destination).  See \fBtransport\fR(5)
 for details.
 .PP
-Specify zero or more "type:table" lookup tables.  If you use this
+Specify zero or more "type:table" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.  If you use this
 feature with local files, run "\fBpostmap /etc/postfix/transport\fR"
 after making a change.
 .PP
@ -12361,6 +12438,11 @@ manipulations see the ADDRESS_REWRITING_README document.
 This feature is available in Postfix 2.0 and later. The default
 value is backwards compatible with Postfix version 1.1.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+.PP
 If you use this feature with indexed files, run "\fBpostmap
 /etc/postfix/virtual\fR" after changing the file.
 .PP
@ -12410,6 +12492,10 @@ This parameter is specific to the \fBvirtual\fR(8) delivery agent.
 It does not apply when mail is delivered with a different mail
 delivery program.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 In a lookup table, specify a left-hand side of "@domain.tld" to
 match any user in the specified domain that does not have a specific
 "user@domain.tld" entry.
@ -12488,6 +12574,10 @@ Note 2: the default setting of this parameter is system dependent.
 Optional lookup tables with all valid addresses in the domains that
 match $virtual_mailbox_domains.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 In a lookup table, specify a left-hand side of "@domain.tld" to
 match any user in the specified domain that does not have a specific
 "user@domain.tld" entry.
@ -12551,6 +12641,10 @@ This parameter is specific to the \fBvirtual\fR(8) delivery agent.
 It does not apply when mail is delivered with a different mail
 delivery program.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 In a lookup table, specify a left-hand side of "@domain.tld"
 to match any user in the specified domain that does not have a
 specific "user@domain.tld" entry.
--- a/postfix/man/man8/dnsblog.8
+++ b/postfix/man/man8/dnsblog.8
@ -22,8 +22,8 @@ replaced by an UDP client that is built directly into the
 .ad
 .fi
 With each connection, the \fBdnsblog\fR(8) server receives
-a DNS white/blacklist domain name, IP address, and an ID.
-If the address is listed under the DNS white/blacklist, the
+a DNS white/blacklist domain name, an IP address, and an ID.
+If the IP address is listed under the DNS white/blacklist, the
 \fBdnsblog\fR(8) server logs the match and replies with the
 query arguments plus an address list with the resulting IP
 addresses separated by whitespace.  Otherwise it replies
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@ -248,6 +248,10 @@ Available in Postfix version 2.11 and later:
 Allow a remote SMTP client to skip "before" and "after 220
 greeting" protocol tests, based on its combined DNSBL score as
 defined with the postscreen_dnsbl_sites parameter.
+.PP
+Available in Postfix version 2.11 and later:
+.IP "\fBpostscreen_dnsbl_timeout (10s)\fR"
+The time limit for DNSBL or DNSWL lookups.
 .SH "AFTER 220 GREETING TESTS"
 .na
 .nf
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -988,6 +988,7 @@ while (<>) {
    s;\bpostscreen_dnsbl_whitelist_thresh[-</bB>]*\n* *[<bB>]*old\b;<a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">$&</a>;g;
    s;\bpostscreen_dnsbl_action\b;<a href="postconf.5.html#postscreen_dnsbl_action">$&</a>;g;
    s;\bpostscreen_dnsbl_ttl\b;<a href="postconf.5.html#postscreen_dnsbl_ttl">$&</a>;g;
+    s;\bpostscreen_dnsbl_timeout\b;<a href="postconf.5.html#postscreen_dnsbl_timeout">$&</a>;g;
    s;\bpostscreen_for[-</bB>]*\n*[ <bB>]*bid[-</bB>]*\n* *[<bB>]*den_commands\b;<a href="postconf.5.html#postscreen_forbidden_commands">$&</a>;g;
    s;\bpostscreen_helo_required\b;<a href="postconf.5.html#postscreen_helo_required">$&</a>;g;
    s;\bpostscreen_non_smtp_command_enable\b;<a href="postconf.5.html#postscreen_non_smtp_command_enable">$&</a>;g;
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@ -872,8 +872,8 @@ For example: </p>

 <pre>
 /etc/postfix/dnsbl_reply:
-    # Secret DNSBL name        Name in postscreen(8) replies
-    secret.zen.spamhaus.org    zen.spamhaus.org
+    # Secret DNSBL name           Name in postscreen(8) replies
+    secret.zen.dq.spamhaus.net    zen.spamhaus.org
 </pre>

 <p> The texthash: format is similar to hash: except that there is
--- a/postfix/proto/SMTPD_ACCESS_README.html
+++ b/postfix/proto/SMTPD_ACCESS_README.html
@ -202,6 +202,7 @@ described in the postconf(5) manual page. </p>
 	# (available with Postfix 2.10 and later).
 	reject_unauth_destination
 	reject_rbl_client zen.spamhaus.org,
+	reject_rhsbl_reverse_client dbl.spamhaus.org,
 	reject_rhsbl_helo dbl.spamhaus.org,
 	reject_rhsbl_sender dbl.spamhaus.org

--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@ -384,16 +384,15 @@ logging level. </p>
 <tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
 releases. </th> </tr>

-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
+
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
 message on TLS handshake completion &mdash; no logging of client
 certificate trust-chain verification errors if client certificate
-verification is not required. </td> <td valign="top"> Disable logging
-of TLS activity.</td> </tr>
-
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
-verification errors and peer certificate summary information. </td>
-<td valign="top"> Also log TLS handshake and certificate information.
-</td> </tr>
+verification is not required. </td> <td valign="top"> Log the summary
+message, peer certificate summary information and unconditionally log
+trust-chain verification errors.  </td> </tr>

 <tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
 log levels during TLS negotiation.  </td> </tr>
@ -1750,16 +1749,15 @@ logging level. </p>
 <tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
 releases. </th> </tr>

-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
-message on TLS handshake completion &mdash; no logging of remote
-SMTP server certificate trust-chain verification errors if server
-certificate verification is not required. </td> <td valign="top">
-Disable logging of TLS activity.</td> </tr>
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity.  </td> </tr>

-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
-SMTP server trust-chain verification errors and peer certificate
-summary information. </td> <td valign="top"> Also log TLS handshake
-and certificate information.  </td> </tr>
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
+message on TLS handshake completion &mdash; no logging of remote SMTP
+server certificate trust-chain verification errors if server certificate
+verification is not required. </td> <td valign="top"> Log the summary
+message and unconditionally log trust-chain verification errors.
+</td> </tr>

 <tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
 log levels during TLS negotiation. </td> </tr>
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -481,6 +481,10 @@ alias_database = hash:/etc/mail/aliases
 <p>
 The alias databases that are used for local(8) delivery. See
 aliases(5) for syntax details.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
 </p>

 <p>
@ -794,6 +798,13 @@ are documented in canonical(5). For an overview of Postfix address
 manipulations see the ADDRESS_REWRITING_README document.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+</p>
+
 <p>
 If you use this feature, run "<b>postmap /etc/postfix/canonical</b>" to
 build the necessary DBM or DB file after every change. The changes
@ -2301,6 +2312,12 @@ Technically, tables listed with $local_recipient_maps are used as
 lists: Postfix needs to know only if a lookup string is found or
 not, but it does not use the result from table lookup.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 If this parameter is non-empty (the default), then the Postfix SMTP
 server will reject mail for unknown local users.
@ -3426,7 +3443,9 @@ supported) is added when mail enters from outside of Postfix.
 </p>

 <p>
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 </p>

 <p>
@ -3452,11 +3471,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

 </ul>

-<p>
-Specify the types and names of databases to use.  After change,
-run "<b>postmap /etc/postfix/recipient_bcc</b>".
-</p>
-
 <p>
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
@ -3482,6 +3496,14 @@ Example:
 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
 </pre>

+<p>
+After a change, run "<b>postmap /etc/postfix/recipient_bcc</b>".
+</p>
+
+<p>
+This feature is available in Postfix 2.1 and later.
+</p>
+
 %PARAM recipient_canonical_maps 

 <p>
@ -3546,7 +3568,7 @@ recipient_delimiter = +

 <pre>
 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+recipient_delimiter = +-
 </pre>

 <pre>
@ -3619,6 +3641,12 @@ listed with $relay_recipient_maps are used as lists: Postfix needs
 to know only if a lookup string is found or not, but it does not
 use the result from table lookup.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 If this parameter is non-empty, then the Postfix SMTP server will reject
 mail to unknown relay users. This feature is off by default.
@ -3687,6 +3715,12 @@ domains that no longer exist.  The table format and lookups are
 documented in relocated(5).
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 If you use this feature, run "<b>postmap /etc/postfix/relocated</b>" to
 build the necessary DBM or DB file after change, then "<b>postfix
@ -3749,7 +3783,9 @@ by sender address.  The BCC address (multiple results are not
 supported) is added when mail enters from outside of Postfix.  </p>

 <p>
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 </p>

 <p>
@ -3775,11 +3811,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

 </ul>

-<p>
-Specify the types and names of databases to use.  After change,
-run "<b>postmap /etc/postfix/sender_bcc</b>".
-</p>
-
 <p>
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
@ -3805,6 +3836,14 @@ Example:
 sender_bcc_maps = hash:/etc/postfix/sender_bcc
 </pre>

+<p>
+After a change, run "<b>postmap /etc/postfix/sender_bcc</b>".
+</p>
+
+<p>
+This feature is available in Postfix 2.1 and later.
+</p>
+
 %PARAM sender_canonical_maps 

 <p>
@ -4405,6 +4444,12 @@ The Postfix SMTP client opens the lookup table before going to
 chroot jail, so you can leave the password file in /etc/postfix.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 %PARAM smtp_sasl_security_options noplaintext, noanonymous

 <p> Postfix SMTP client SASL security options; as of Postfix 2.3
@ -5897,7 +5942,7 @@ non-permanent error code.  This feature is available in Postfix

 <dd>Reject the request when Postfix is not final destination for
 the recipient domain, and the RCPT TO domain has 1) no DNS MX and
-no DNS address
+no DNS A
 record or 2) a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later). <br> The
 unknown_address_reject_code parameter specifies the numerical
@ -6226,7 +6271,9 @@ Optional lookup table with the SASL login names that own sender
 </p>

 <p>
-Specify zero or more "type:table" lookup tables. With lookups from
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.  With lookups from
 indexed files such as DB or DBM, or from networked tables such as
 NIS, LDAP or SQL, the following search operations are done with a
 sender address of <i>user@domain</i>:  </p>
@ -6356,7 +6403,7 @@ Postfix version 2.1 and later. </dd>

 <dd>Reject the request when Postfix is not final destination for
 the sender address, and the MAIL FROM domain has 1) no DNS MX and
-no DNS address
+no DNS A
 record, or 2) a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later). <br> The
 unknown_address_reject_code parameter specifies the numerical
@ -6565,7 +6612,9 @@ for details.
 </p>

 <p>
-Specify zero or more "type:table" lookup tables.  If you use this
+Specify zero or more "type:table" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.  If you use this
 feature with local files, run "<b>postmap /etc/postfix/transport</b>"
 after making a change.  </p>

@ -6823,6 +6872,13 @@ This feature is available in Postfix 2.0 and later. The default
 value is backwards compatible with Postfix version 1.1.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+</p>
+
 <p>
 If you use this feature with indexed files, run "<b>postmap
 /etc/postfix/virtual</b>" after changing the file.
@ -7651,6 +7707,12 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
 fallback_transport_maps, fallback_transport and luser_relay.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 %PARAM mailbox_delivery_lock see "postconf -d" output

 <p>
@ -7872,6 +7934,11 @@ This is a read-only parameter.
 <p>
 The lookup tables that the proxymap(8) server is allowed to 
 access for the read-only service.
+</p>
+
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma.
 Table references that don't begin with proxy: are ignored.
 </p>

@ -8493,6 +8560,12 @@ delivery.
 It does not apply when mail is delivered with a different mail
 delivery program.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 In a lookup table, specify a left-hand side of "@domain.tld" to
 match any user in the specified domain that does not have a specific
@ -8602,6 +8675,12 @@ Optional lookup tables with all valid addresses in the domains that
 match $virtual_mailbox_domains.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 In a lookup table, specify a left-hand side of "@domain.tld" to
 match any user in the specified domain that does not have a specific
@ -8684,6 +8763,12 @@ delivery agent uses while writing to the recipient's mailbox.
 It does not apply when mail is delivered with a different mail
 delivery program.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p>
 In a lookup table, specify a left-hand side of "@domain.tld"
 to match any user in the specified domain that does not have a
@ -8789,6 +8874,12 @@ remote SMTP server. See smtp_discard_ehlo_keywords for details. The
 table is not indexed by hostname for consistency with
 smtpd_discard_ehlo_keyword_address_maps. </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> This feature is available in Postfix 2.2 and later. </p>

 %PARAM smtpd_discard_ehlo_keyword_address_maps
@ -8798,7 +8889,13 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth,
 etc.) that the Postfix SMTP server will not send in the EHLO response
 to a
 remote SMTP client. See smtpd_discard_ehlo_keywords for details.
-The table is not searched by hostname for robustness reasons.  </p>
+The tables are not searched by hostname for robustness reasons.  </p>
+
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>

 <p> This feature is available in Postfix 2.2 and later. </p>

@ -9129,15 +9226,13 @@ a lower logging level.  </p>

 <dl compact>

-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
-&mdash; no logging of remote SMTP client certificate trust-chain verification 
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity. </dd>
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>

-<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information. </dd>
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
+&mdash; no logging of client certificate trust-chain verification errors
+if client certificate verification is not required.  With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors.  </dd>

 <dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>

@ -9553,14 +9648,13 @@ a lower logging level.  </p>

 <dl compact>

-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
 &mdash; no logging of remote SMTP server certificate trust-chain
 verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity.  </dd>
-
-<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information.  </dd>
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors.  </dd>

 <dt> </dt> <dd> 2 Also log levels during TLS negotiation.  </dd>

@ -9937,6 +10031,12 @@ This is needed when the local machine does not have its own Internet
 domain name, but uses something like <i>localdomain.local</i>
 instead.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> The table format and lookups are documented in generic(5);
 examples are shown in the ADDRESS_REWRITING_README and
 STANDARD_CONFIGURATION_README documents. </p>
@ -10062,6 +10162,12 @@ later). This information is overruled with relay_transport,
 sender_dependent_default_transport_maps, default_transport and with
 the transport(5) table. </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> For safety reasons, this feature does not allow $number
 substitutions in regular expression maps. </p>

@ -10467,6 +10573,12 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
 fallback_transport_maps, fallback_transport and luser_relay.  </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> For safety reasons, this feature does not allow $number
 substitutions in regular expression maps. </p>
 
@ -10637,6 +10749,12 @@ this overrides the obsolete smtp_tls_per_site parameter.  See
 TLS_README for a more detailed discussion of TLS security levels.
 </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> The TLS policy table is indexed by the full next-hop destination,
 which is either the recipient domain, or the verbatim next-hop
 specified in the transport table, $local_transport, $virtual_transport,
@ -11830,6 +11948,12 @@ per-destination workarounds for CISCO PIX firewall bugs.  The table
 is not indexed by hostname for consistency with
 smtp_discard_ehlo_keyword_address_maps. </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> This feature is available in Postfix 2.4 and later. </p>

 %PARAM lmtp_pix_workarounds
@ -13856,6 +13980,12 @@ address and @domain. A lookup result of DUNNO terminates the search
 without overriding the global default_transport parameter setting.
 This information is overruled with the transport(5) table. </p>

+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
 <p> Note: this overrides default_transport, not transport_maps, and
 therefore the expected syntax is that of default_transport, not the
 syntax of transport_maps.  Specifically, this does not support the
@ -14179,6 +14309,13 @@ the file is read). </p>

 <p> This feature is available in Postfix 2.8.  </p>

+%PARAM postscreen_dnsbl_timeout 10s
+
+<p> The time limit for DNSBL or DNSWL lookups. This is separate from
+the timeouts in the dnsblog(8) daemon which are defined by system
+resolver(3) routines. </p>
+
+<p> This feature is available in Postfix 2.12.  </p>
 %PARAM postscreen_bare_newline_action ignore

 <p> The action that postscreen(8) takes when a remote SMTP client sends
--- a/postfix/src/dnsblog/dnsblog.c
+++ b/postfix/src/dnsblog/dnsblog.c
@ -14,8 +14,8 @@
 /* .ad
 /* .fi
 /*	With each connection, the \fBdnsblog\fR(8) server receives
-/*	a DNS white/blacklist domain name, IP address, and an ID.
-/*	If the address is listed under the DNS white/blacklist, the
+/*	a DNS white/blacklist domain name, an IP address, and an ID.
+/*	If the IP address is listed under the DNS white/blacklist, the
 /*	\fBdnsblog\fR(8) server logs the match and replies with the
 /*	query arguments plus an address list with the resulting IP
 /*	addresses separated by whitespace.  Otherwise it replies
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@ -3447,6 +3447,10 @@ extern int var_psc_dnsbl_ttl;
 #define	DEF_PSC_DNSBL_REPLY	""
 extern char *var_psc_dnsbl_reply;

+#define VAR_PSC_DNSBL_TMOUT	"postscreen_dnsbl_timeout"
+#define DEF_PSC_DNSBL_TMOUT	"10s"
+extern int var_psc_dnsbl_tmout;
+
 #define VAR_PSC_PIPEL_ENABLE	"postscreen_pipelining_enable"
 #define DEF_PSC_PIPEL_ENABLE	0
 extern bool var_psc_pipel_enable;
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20140406"
+#define MAIL_RELEASE_DATE	"20140507"
 #define MAIL_VERSION_NUMBER	"2.12"

 #ifdef SNAPSHOT
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@ -220,6 +220,10 @@
 /*	Allow a remote SMTP client to skip "before" and "after 220
 /*	greeting" protocol tests, based on its combined DNSBL score as
 /*	defined with the postscreen_dnsbl_sites parameter.
+/* .PP
+/*	Available in Postfix version 2.11 and later:
+/* .IP "\fBpostscreen_dnsbl_timeout (10s)\fR"
+/*	The time limit for DNSBL or DNSWL lookups.
 /* AFTER 220 GREETING TESTS
 /* .ad
 /* .fi
@ -473,6 +477,7 @@ int     var_psc_dnsbl_thresh;
 int     var_psc_dnsbl_wthresh;
 char   *var_psc_dnsbl_action;
 int     var_psc_dnsbl_ttl;
+int     var_psc_dnsbl_tmout;

 bool    var_psc_pipel_enable;
 char   *var_psc_pipel_action;
@ -1122,6 +1127,8 @@ int     main(int argc, char **argv)
 	VAR_PSC_CACHE_SCAN, DEF_PSC_CACHE_SCAN, &var_psc_cache_scan, 0, 0,
 	VAR_PSC_WATCHDOG, DEF_PSC_WATCHDOG, &var_psc_watchdog, 10, 0,
 	VAR_PSC_UPROXY_TMOUT, DEF_PSC_UPROXY_TMOUT, &var_psc_uproxy_tmout, 1, 0,
+	VAR_PSC_DNSBL_TMOUT, DEF_PSC_DNSBL_TMOUT, &var_psc_dnsbl_tmout, 1, 0,
+
 	0,
    };
    static const CONFIG_BOOL_TABLE bool_table[] = {
--- a/postfix/src/postscreen/postscreen_dnsbl.c
+++ b/postfix/src/postscreen/postscreen_dnsbl.c
@ -86,7 +86,6 @@
 /*
  * Talking to the DNSBLOG service.
  */
-#define DNSBLOG_TIMEOUT			10
 static char *psc_dnsbl_service;

 /*
@ -425,7 +424,7 @@ static void psc_dnsbl_receive(int event, char *context)
 	    PSC_CALL_BACK_NOTIFY(score, PSC_NULL_EVENT);
    } else if (event == EVENT_TIME) {
 	msg_warn("dnsblog reply timeout %ds for %s",
-		 DNSBLOG_TIMEOUT, (char *) vstream_context(stream));
+		 var_psc_dnsbl_tmout, (char *) vstream_context(stream));
    }
    /* Here, score may be a null pointer. */
    vstream_fclose(stream);
@ -521,7 +520,7 @@ int     psc_dnsbl_request(const char *client_addr,
 	    continue;
 	}
 	PSC_READ_EVENT_REQUEST(vstream_fileno(stream), psc_dnsbl_receive,
-			       (char *) stream, DNSBLOG_TIMEOUT);
+			       (char *) stream, var_psc_dnsbl_tmout);
 	score->pending_lookups += 1;
    }
    return (PSC_CALL_BACK_INDEX_OF_LAST(score));
--- a/postfix/src/smtp/smtp.h
+++ b/postfix/src/smtp/smtp.h
@ -195,7 +195,7 @@ typedef struct SMTP_STATE {
 	STR((state)->iterator->request_nexthop)[0] = 0; \
    }

-#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop) != 0)
+#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop)[0] != 0)


 /*
--- a/postfix/src/smtp/smtp_connect.c
+++ b/postfix/src/smtp/smtp_connect.c
@ -666,6 +666,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list,
 #endif
    SMTP_ITER_SAVE_DEST(state->iterator);
    if (*addr_list && SMTP_RCPT_LEFT(state) > 0
+	&& HAVE_NEXTHOP_STATE(state)
 	&& (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) {
 	session_count = 1;
 	smtp_update_addr_list(addr_list, STR(iter->addr), session_count);
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@ -3616,6 +3616,7 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
 		   ATTR_TYPE_STR, MAIL_ATTR_ACT_PROTO_NAME, state->protocol,
 		      ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, state->addr,
 		      ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_NAME, state->name,
+		      ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_PORT, state->port,
 			  ATTR_TYPE_STR, MAIL_ATTR_ACT_REVERSE_CLIENT_NAME,
 			  state->reverse_name,
 			  ATTR_TYPE_STR, MAIL_ATTR_ACT_HELO_NAME,
--- a/postfix/src/util/mask_addr.c
+++ b/postfix/src/util/mask_addr.c
@ -61,7 +61,7 @@ void    mask_addr(unsigned char *addr_bytes,
    network_bits %= CHAR_BIT;

    if (network_bits != 0)
-	*p++ &= ~0 << (CHAR_BIT - network_bits);
+	*p++ &= ~0U << (CHAR_BIT - network_bits);

    while (p < addr_bytes + addr_byte_count)
 	*p++ = 0;