postfix-3.8-20221207

2025-08-28 12:48:01 +00:00 · 2022-12-07 00:00:00 -05:00 · 2022-12-07 00:00:00 -05:00 · 5835cf11c8
commit 5835cf11c8
parent f54d4f0f18
15 changed files with 283 additions and 203 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -26659,3 +26659,37 @@ Apologies for any names omitted.
 	Documentation: the local_header_rewrite_clients and
 	remote_header_rewrite_domain features also enable adding
 	missing headers. File: proto/postconf.proto.
 20221125
 	Bugfix (introduced: Postfix 3.6): the Postfix TLS client
 	logged a TLS connection as 'Untrusted' instead of 'Trusted',
 	when a matching DANE record was found but the MX RRset was
 	insecure. Fix by Viktor Dukhovni. File: tls/tls_client.c.
 20221128
 	Bugfix (introduced: Postfix 2.2): the smtpd_proxy_client
 	code mis-parsed the last XFORWARD attribute name in the
 	SMTP server's EHLO response. The result was that the
 	smtpd_proxy_client code failed to forward the IDENT attribute.
 	Fix by Andreas Weigel. File: smtpd/smtpd_proxy.c.
 	Typo in MAILLOG_README. Paul Menzel.
 20221207
 	Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
 	lazily bound handles that may fail to work when one attempts
 	to use them, because no provider search happens until one
 	constructs an actual operation context. In sufficiently
 	hostile configurations, Postfix could mistakenly believe
 	that an algorithm is available, when in fact it is not. A
 	similar workaround may be needed for EVP_get_cipherbyname().
 	Fix by Viktor Dukhovni. Files: tls/tls.h, tls/tls_dane.c,
 	tls/tls_fprint.c, tls/tls_misc.c.
 	Bugfix (introduced: Postfix 2.11): the checkok() macro in
 	tls/tls_fprint.c evaluated its argument unconditionally;
 	it should evaluate the argument only if there was no prior
 	error. Found during code review. File: tls/tls_fprint.c.
--- a/postfix/README_FILES/MAILLOG_README
+++ b/postfix/README_FILES/MAILLOG_README
@ -4,7 +4,7 @@ PPoossttffiixx llooggggiinngg ttoo ffiillee oorr ssttdd
 OOvveerrvviieeww
-Postfix supports it own logging system as an alternative to syslog (which
+Postfix supports its own logging system as an alternative to syslog (which
 remains the default). This is available with Postfix version 3.4 or later.
 Topics covered in this document:
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@ -9,6 +9,14 @@ Wish list:
 	Scan Postfix code with github.com/googleprojectzero/weggli
 	(depends on "rust").
 	In tls_fprint.c() rename unsafe macros to upper-case names.
 	For example, checkok() has a function-like name, but it
 	evaluates arguments conditionally. Rename all macros that
 	invoke checkok().
 	Update TLS_README diagram, tlsmgr no longer manages cert
 	info.
 	Consider renaming local_header_rewrite_clients to
 	local_header_canonicalize_clients, as a more accurate name.
 	Optionally support "local_header_canonicalize_classes =
@ -17,6 +25,13 @@ Wish list:
 	And ditto for remote_header_rewrite_domain, whether it
 	should rewrite address, add missing headers, or both.
 	Add weight factors to randmap, for example randmap:{{result1}*99,
 	{result2}*1}. To parse out weights, see postscreen.
 	randmap already allows randmap:{{result}, ...}, to support
 	whitespace and comma in result values, but it should also
 	extract the value from {}.
 	Migrate masquerade_domains from ARGV to STRING_LIST, or
 	deprecate this feature because it breaks table-driven address
 	validation.
--- a/postfix/html/MAILLOG_README.html
+++ b/postfix/html/MAILLOG_README.html
@ -20,7 +20,7 @@ logging to file or stdout</h1>
 <h2>Overview </h2>
-<p> Postfix supports it own logging system as an alternative to
+<p> Postfix supports its own logging system as an alternative to
 syslog (which remains the default). This is available with Postfix
 version 3.4 or later. </p>
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@ -194,37 +194,34 @@ SMTPD(8)                                                              SMTPD(8)
       Available in Postfix version 2.2 and later:
       <b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b>
-              Rewrite message header addresses in mail from these clients  and
+              Rewrite or add message  headers  in  mail  from  these  clients,
-              update incomplete addresses with the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or
+              updating  incomplete addresses with the domain name in $<a href="postconf.5.html#myorigin">myorigin</a>
-              $<a href="postconf.5.html#mydomain">mydomain</a>; either  don't  rewrite  message  headers  from  other
+              or $<a href="postconf.5.html#mydomain">mydomain</a>, and adding missing headers.
              clients at all, or rewrite message headers and update incomplete
              addresses with the domain  specified  in  the  <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_re</a>-
              <a href="postconf.5.html#remote_header_rewrite_domain">write_domain</a> parameter.
 <b>BEFORE-SMTPD PROXY AGENT</b>
       Available in Postfix version 2.10 and later:
       <b><a href="postconf.5.html#smtpd_upstream_proxy_protocol">smtpd_upstream_proxy_protocol</a> (empty)</b>
-              The  name of the proxy protocol used by an optional before-smtpd
+              The name of the proxy protocol used by an optional  before-smtpd
              proxy agent.
       <b><a href="postconf.5.html#smtpd_upstream_proxy_timeout">smtpd_upstream_proxy_timeout</a> (5s)</b>
-              The time  limit  for  the  proxy  protocol  specified  with  the
+              The  time  limit  for  the  proxy  protocol  specified  with the
              <a href="postconf.5.html#smtpd_upstream_proxy_protocol">smtpd_upstream_proxy_protocol</a> parameter.
 <b>AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
-       As  of  version  1.0,  Postfix can be configured to send new mail to an
+       As of version 1.0, Postfix can be configured to send  new  mail  to  an
-       external content filter AFTER the mail is queued. This  content  filter
+       external  content  filter AFTER the mail is queued. This content filter
-       is  expected to inject mail back into a (Postfix or other) MTA for fur-
+       is expected to inject mail back into a (Postfix or other) MTA for  fur-
       ther delivery. See the <a href="FILTER_README.html">FILTER_README</a> document for details.
       <b><a href="postconf.5.html#content_filter">content_filter</a> (empty)</b>
-              After the message is queued, send  the  entire  message  to  the
+              After  the  message  is  queued,  send the entire message to the
              specified <i>transport:destination</i>.
 <b>BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
-       As  of  version  2.1, the Postfix SMTP server can be configured to send
+       As of version 2.1, the Postfix SMTP server can be  configured  to  send
-       incoming mail to a real-time SMTP-based content filter BEFORE  mail  is
+       incoming  mail  to a real-time SMTP-based content filter BEFORE mail is
       queued.  This content filter is expected to inject mail back into Post-
       fix.  See the <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document for details on how to config-
       ure and operate this feature.
@ -233,40 +230,40 @@ SMTPD(8)                                                              SMTPD(8)
              The hostname and TCP port of the mail filtering proxy server.
       <b><a href="postconf.5.html#smtpd_proxy_ehlo">smtpd_proxy_ehlo</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              How  the  Postfix SMTP server announces itself to the proxy fil-
+              How the Postfix SMTP server announces itself to the  proxy  fil-
              ter.
       <b><a href="postconf.5.html#smtpd_proxy_options">smtpd_proxy_options</a> (empty)</b>
-              List of options that control how the Postfix SMTP server  commu-
+              List  of options that control how the Postfix SMTP server commu-
              nicates with a before-queue content filter.
       <b><a href="postconf.5.html#smtpd_proxy_timeout">smtpd_proxy_timeout</a> (100s)</b>
-              The  time limit for connecting to a proxy filter and for sending
+              The time limit for connecting to a proxy filter and for  sending
              or receiving information.
 <b>BEFORE QUEUE MILTER CONTROLS</b>
       As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail
-       filter)  protocol.  These content filters run outside Postfix. They can
+       filter) protocol. These content filters run outside Postfix.  They  can
-       inspect the SMTP command  stream  and  the  message  content,  and  can
+       inspect  the  SMTP  command  stream  and  the  message content, and can
-       request  modifications  before mail is queued. For details see the <a href="MILTER_README.html">MIL</a>-
+       request modifications before mail is queued. For details see  the  <a href="MILTER_README.html">MIL</a>-
       <a href="MILTER_README.html">TER_README</a> document.
       <b><a href="postconf.5.html#smtpd_milters">smtpd_milters</a> (empty)</b>
-              A list of Milter (mail filter) applications for  new  mail  that
+              A  list  of  Milter (mail filter) applications for new mail that
              arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server.
       <b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b>
-              The  mail  filter  protocol version and optional protocol exten-
+              The mail filter protocol version and  optional  protocol  exten-
-              sions for communication with  a  Milter  application;  prior  to
+              sions  for  communication  with  a  Milter application; prior to
              Postfix 2.6 the default protocol is 2.
       <b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b>
-              The  default  action  when  a  Milter  (mail filter) response is
+              The default action when  a  Milter  (mail  filter)  response  is
-              unavailable (for example, bad Postfix  configuration  or  Milter
+              unavailable  (for  example,  bad Postfix configuration or Milter
              failure).
       <b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The  {daemon_name} macro value for Milter (mail filter) applica-
+              The {daemon_name} macro value for Milter (mail filter)  applica-
              tions.
       <b><a href="postconf.5.html#milter_macro_v">milter_macro_v</a> ($<a href="postconf.5.html#mail_name">mail_name</a> $<a href="postconf.5.html#mail_version">mail_version</a>)</b>
@ -277,60 +274,60 @@ SMTPD(8)                                                              SMTPD(8)
              tion, and for negotiating protocol options.
       <b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b>
-              The  time  limit  for  sending an SMTP command to a Milter (mail
+              The time limit for sending an SMTP command  to  a  Milter  (mail
              filter) application, and for receiving the response.
       <b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b>
-              The time limit for sending message content  to  a  Milter  (mail
+              The  time  limit  for  sending message content to a Milter (mail
              filter) application, and for receiving the response.
       <b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b>
-              The  macros  that  are sent to Milter (mail filter) applications
+              The macros that are sent to Milter  (mail  filter)  applications
              after completion of an SMTP connection.
       <b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b>
-              The macros that are sent to Milter  (mail  filter)  applications
+              The  macros  that  are sent to Milter (mail filter) applications
              after the SMTP HELO or EHLO command.
       <b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b>
-              The  macros  that  are sent to Milter (mail filter) applications
+              The macros that are sent to Milter  (mail  filter)  applications
              after the SMTP MAIL FROM command.
       <b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b>
-              The macros that are sent to Milter  (mail  filter)  applications
+              The  macros  that  are sent to Milter (mail filter) applications
              after the SMTP RCPT TO command.
       <b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b>
-              The  macros  that  are  sent to version 4 or higher Milter (mail
+              The macros that are sent to version 4  or  higher  Milter  (mail
              filter) applications after the SMTP DATA command.
       <b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b>
-              The macros that are sent to version 3  or  higher  Milter  (mail
+              The  macros  that  are  sent to version 3 or higher Milter (mail
              filter) applications after an unknown SMTP command.
       <b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b>
-              The  macros  that  are sent to Milter (mail filter) applications
+              The macros that are sent to Milter  (mail  filter)  applications
              after the end of the message header.
       <b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b>
-              The macros that are sent to Milter  (mail  filter)  applications
+              The  macros  that  are sent to Milter (mail filter) applications
              after the message end-of-data.
       Available in Postfix version 3.1 and later:
       <b><a href="postconf.5.html#milter_macro_defaults">milter_macro_defaults</a> (empty)</b>
-              Optional  list  of  <i>name=value</i> pairs that specify default values
+              Optional list of <i>name=value</i> pairs that  specify  default  values
-              for arbitrary macros that Postfix may send  to  Milter  applica-
+              for  arbitrary  macros  that Postfix may send to Milter applica-
              tions.
       Available in Postfix version 3.2 and later:
       <b><a href="postconf.5.html#smtpd_milter_maps">smtpd_milter_maps</a> (empty)</b>
-              Lookup  tables  with  Milter  settings per remote SMTP client IP
+              Lookup tables with Milter settings per  remote  SMTP  client  IP
              address.
 <b>GENERAL CONTENT INSPECTION CONTROLS</b>
-       The following parameters are applicable for both built-in and  external
+       The  following parameters are applicable for both built-in and external
       content filters.
       Available in Postfix version 2.1 and later:
@ -340,51 +337,51 @@ SMTPD(8)                                                              SMTPD(8)
              ing, or address mapping.
 <b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
-       The following parameters  are  applicable  for  both  before-queue  and
+       The  following  parameters  are  applicable  for  both before-queue and
       after-queue content filtering.
       Available in Postfix version 2.1 and later:
       <b><a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> (empty)</b>
-              What  remote  SMTP  clients are allowed to use the XFORWARD fea-
+              What remote SMTP clients are allowed to use  the  XFORWARD  fea-
              ture.
 <b>SASL AUTHENTICATION CONTROLS</b>
       Postfix SASL support (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenticate remote SMTP
-       clients  to  the  Postfix  SMTP server, and to authenticate the Postfix
+       clients to the Postfix SMTP server, and  to  authenticate  the  Postfix
-       SMTP client to a remote SMTP server.  See the <a href="SASL_README.html">SASL_README</a> document  for
+       SMTP  client to a remote SMTP server.  See the <a href="SASL_README.html">SASL_README</a> document for
       details.
       <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
-              Enable  interoperability with remote SMTP clients that implement
+              Enable interoperability with remote SMTP clients that  implement
              an obsolete version of the AUTH command (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>).
       <b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b>
              Enable SASL authentication in the Postfix SMTP server.
       <b><a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> (empty)</b>
-              The name of the Postfix SMTP server's local SASL  authentication
+              The  name of the Postfix SMTP server's local SASL authentication
              realm.
       <b><a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> (noanonymous)</b>
              Postfix SMTP server SASL security options; as of Postfix 2.3 the
-              list of available features depends on the SASL server  implemen-
+              list  of available features depends on the SASL server implemen-
              tation that is selected with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.
       <b><a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> (empty)</b>
-              Optional  lookup  table  with  the SASL login names that own the
+              Optional lookup table with the SASL login  names  that  own  the
              sender (MAIL FROM) addresses.
       Available in Postfix version 2.1 and later:
       <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
-              What remote SMTP clients the Postfix SMTP server will not  offer
+              What  remote SMTP clients the Postfix SMTP server will not offer
              AUTH support to.
       Available in Postfix version 2.1 and 2.2:
       <b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b>
-              The  application name that the Postfix SMTP server uses for SASL
+              The application name that the Postfix SMTP server uses for  SASL
              server initialization.
       Available in Postfix version 2.3 and later:
@ -395,11 +392,11 @@ SMTPD(8)                                                              SMTPD(8)
       <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> (smtpd)</b>
              Implementation-specific information that the Postfix SMTP server
-              passes through  to  the  SASL  plug-in  implementation  that  is
+              passes  through  to  the  SASL  plug-in  implementation  that is
              selected with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.
       <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a> (cyrus)</b>
-              The  SASL  plug-in  type that the Postfix SMTP server should use
+              The SASL plug-in type that the Postfix SMTP  server  should  use
              for authentication.
       Available in Postfix version 2.5 and later:
@ -411,7 +408,7 @@ SMTPD(8)                                                              SMTPD(8)
       Available in Postfix version 2.11 and later:
       <b><a href="postconf.5.html#smtpd_sasl_service">smtpd_sasl_service</a> (smtp)</b>
-              The  service  name  that  is  passed to the SASL plug-in that is
+              The service name that is passed to  the  SASL  plug-in  that  is
              selected with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b> and <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a></b>.
       Available in Postfix version 3.4 and later:
@ -423,20 +420,20 @@ SMTPD(8)                                                              SMTPD(8)
       Available in Postfix 3.6 and later:
       <b><a href="postconf.5.html#smtpd_sasl_mechanism_filter">smtpd_sasl_mechanism_filter</a> (!external, <a href="DATABASE_README.html#types">static</a>:rest)</b>
-              If  non-empty,  a  filter  for the SASL mechanism names that the
+              If non-empty, a filter for the SASL  mechanism  names  that  the
              Postfix SMTP server will announce in the EHLO response.
 <b>STARTTLS SUPPORT CONTROLS</b>
-       Detailed information about STARTTLS configuration may be found  in  the
+       Detailed  information  about STARTTLS configuration may be found in the
       <a href="TLS_README.html">TLS_README</a> document.
       <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
-              The  SMTP TLS security level for the Postfix SMTP server; when a
+              The SMTP TLS security level for the Postfix SMTP server; when  a
              non-empty value is specified, this overrides the obsolete param-
              eters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
       <b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a>)</b>
-              The  SASL  authentication security options that the Postfix SMTP
+              The SASL authentication security options that the  Postfix  SMTP
              server uses for TLS encrypted SMTP sessions.
       <b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (see 'postconf -d' output)</b>
@ -444,25 +441,25 @@ SMTPD(8)                                                              SMTPD(8)
              during TLS startup and shutdown handshake procedures.
       <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
-              A  file  containing  (PEM  format)  CA  certificates of root CAs
+              A file containing (PEM  format)  CA  certificates  of  root  CAs
              trusted to sign either remote SMTP client certificates or inter-
              mediate CA certificates.
       <b><a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> (empty)</b>
-              A  directory containing (PEM format) CA certificates of root CAs
+              A directory containing (PEM format) CA certificates of root  CAs
              trusted to sign either remote SMTP client certificates or inter-
              mediate CA certificates.
       <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
-              Force  the  Postfix  SMTP server to issue a TLS session id, even
+              Force the Postfix SMTP server to issue a TLS  session  id,  even
-              when  TLS  session  caching  is   turned   off   (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_ses</a>-
+              when   TLS   session   caching  is  turned  off  (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_ses</a>-
              <a href="postconf.5.html#smtpd_tls_session_cache_database">sion_cache_database</a> is empty).
       <b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
              Ask a remote SMTP client for a client certificate.
       <b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
-              When  TLS  encryption is optional in the Postfix SMTP server, do
+              When TLS encryption is optional in the Postfix SMTP  server,  do
              not announce or accept SASL authentication over unencrypted con-
              nections.
@ -473,18 +470,18 @@ SMTPD(8)                                                              SMTPD(8)
              File with the Postfix SMTP server RSA certificate in PEM format.
       <b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b>
-              List of ciphers or cipher types to exclude from the SMTP  server
+              List  of ciphers or cipher types to exclude from the SMTP server
              cipher list at all TLS security levels.
       <b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
              File with the Postfix SMTP server DSA certificate in PEM format.
       <b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
-              File with DH parameters that the Postfix SMTP server should  use
+              File  with DH parameters that the Postfix SMTP server should use
              with non-export EDH ciphers.
       <b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
-              File  with DH parameters that the Postfix SMTP server should use
+              File with DH parameters that the Postfix SMTP server should  use
              with export-grade EDH ciphers.
       <b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
@ -497,12 +494,12 @@ SMTPD(8)                                                              SMTPD(8)
              Enable additional Postfix SMTP server logging of TLS activity.
       <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b>
-              The minimum TLS cipher grade that the Postfix SMTP  server  will
+              The  minimum  TLS cipher grade that the Postfix SMTP server will
              use with mandatory TLS encryption.
       <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b>
-              Additional  list  of ciphers or cipher types to exclude from the
+              Additional list of ciphers or cipher types to exclude  from  the
-              Postfix SMTP server cipher list at mandatory TLS  security  lev-
+              Postfix  SMTP  server cipher list at mandatory TLS security lev-
              els.
       <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (see 'postconf -d' output)</b>
@ -511,21 +508,21 @@ SMTPD(8)                                                              SMTPD(8)
       <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
              Request that the Postfix SMTP server produces Received:  message
-              headers  that  include information about the protocol and cipher
+              headers that include information about the protocol  and  cipher
-              used, as well as the remote SMTP client  CommonName  and  client
+              used,  as  well  as the remote SMTP client CommonName and client
              certificate issuer CommonName.
       <b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
-              With  mandatory  TLS  encryption,  require a trusted remote SMTP
+              With mandatory TLS encryption, require  a  trusted  remote  SMTP
              client certificate in order to allow TLS connections to proceed.
       <b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b>
-              Run  the Postfix SMTP server in the non-standard "wrapper" mode,
+              Run the Postfix SMTP server in TLS "wrapper"  mode,  instead  of
-              instead of using the STARTTLS command.
+              using the STARTTLS command.
       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
-              The number of pseudo-random bytes that an  <a href="smtp.8.html"><b>smtp</b>(8)</a>  or  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
+              The  number  of  pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
-              process  requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
+              process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed  its
              internal pseudo random number generator (PRNG).
       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (see 'postconf -d' output)</b>
@ -541,41 +538,41 @@ SMTPD(8)                                                              SMTPD(8)
              The OpenSSL cipherlist for "export" or higher grade ciphers.
       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
-              The OpenSSL cipherlist for "NULL"  grade  ciphers  that  provide
+              The  OpenSSL  cipherlist  for  "NULL" grade ciphers that provide
              authentication without encryption.
       Available in Postfix version 2.5 and later:
       <b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (see 'postconf -d' output)</b>
-              The   message   digest   algorithm   to  construct  remote  SMTP
+              The  message  digest  algorithm   to   construct   remote   SMTP
-              client-certificate  fingerprints  or  public  key   fingerprints
+              client-certificate   fingerprints  or  public  key  fingerprints
-              (Postfix   2.9   and  later)  for  <b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b>  and  <b>per-</b>
+              (Postfix  2.9  and  later)  for  <b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b>   and   <b>per-</b>
              <b>mit_tls_clientcerts</b>.
       Available in Postfix version 2.6 and later:
       <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (see postconf -d output)</b>
-              TLS protocols accepted by the Postfix SMTP  server  with  oppor-
+              TLS  protocols  accepted  by the Postfix SMTP server with oppor-
              tunistic TLS encryption.
       <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (medium)</b>
-              The  minimum  TLS cipher grade that the Postfix SMTP server will
+              The minimum TLS cipher grade that the Postfix SMTP  server  will
              use with opportunistic TLS encryption.
       <b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b>
-              File with the Postfix SMTP server ECDSA certificate in PEM  for-
+              File  with the Postfix SMTP server ECDSA certificate in PEM for-
              mat.
       <b><a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
-              File  with the Postfix SMTP server ECDSA private key in PEM for-
+              File with the Postfix SMTP server ECDSA private key in PEM  for-
              mat.
       <b><a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> (see 'postconf -d' output)</b>
-              The Postfix SMTP server  security  grade  for  ephemeral  ellip-
+              The  Postfix  SMTP  server  security  grade for ephemeral ellip-
              tic-curve Diffie-Hellman (EECDH) key exchange.
       <b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b>
-              The  elliptic curve used by the Postfix SMTP server for sensibly
+              The elliptic curve used by the Postfix SMTP server for  sensibly
              strong ephemeral ECDH key exchange.
       <b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b>
@ -586,7 +583,7 @@ SMTPD(8)                                                              SMTPD(8)
       <b><a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> (no)</b>
              With SSLv3 and later, use the Postfix SMTP server's cipher pref-
-              erence order instead of the remote  client's  cipher  preference
+              erence  order  instead  of the remote client's cipher preference
              order.
       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
@ -599,7 +596,7 @@ SMTPD(8)                                                              SMTPD(8)
       Available in Postfix version 3.0 and later:
-       <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a>  (Postfix</b> &gt;<b>= 3.0: aes-256-cbc, Postfix</b> &lt; <b>3.0:</b>
+       <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix</b> &gt;<b>= 3.0: aes-256-cbc, Postfix</b> &lt;  <b>3.0:</b>
       <b>aes-128-cbc)</b>
              Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
@ -612,33 +609,33 @@ SMTPD(8)                                                              SMTPD(8)
       Available in Postfix version 3.4 and later:
       <b><a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a> (empty)</b>
-              List of one or more PEM files, each holding one or more  private
+              List  of one or more PEM files, each holding one or more private
              keys directly followed by a corresponding certificate chain.
       <b><a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> (empty)</b>
-              Optional  lookup tables that map names received from remote SMTP
+              Optional lookup tables that map names received from remote  SMTP
-              clients via the TLS Server Name Indication  (SNI)  extension  to
+              clients  via  the  TLS Server Name Indication (SNI) extension to
              the appropriate keys and certificate chains.
       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
       <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
-              A  workaround  for implementations that hang Postfix while shut-
+              A workaround for implementations that hang Postfix  while  shut-
              ting down a TLS session, until Postfix times out.
       Available in Postfix 3.5 and later:
       <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
-              The email address form that will be used  in  non-debug  logging
+              The  email  address  form that will be used in non-debug logging
              (info, warning, etc.).
 <b>OBSOLETE STARTTLS CONTROLS</b>
-       The  following  configuration  parameters  exist for compatibility with
+       The following configuration parameters  exist  for  compatibility  with
-       Postfix versions before 2.3. Support for these will  be  removed  in  a
+       Postfix  versions  before  2.3.  Support for these will be removed in a
       future release.
       <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
-              Opportunistic  TLS:  announce  STARTTLS  support  to remote SMTP
+              Opportunistic TLS: announce  STARTTLS  support  to  remote  SMTP
              clients, but do not require that clients use TLS encryption.
       <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
@ -646,94 +643,94 @@ SMTPD(8)                                                              SMTPD(8)
              and require that clients use TLS encryption.
       <b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
-              Obsolete  Postfix  &lt; 2.3 control for the Postfix SMTP server TLS
+              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP  server  TLS
              cipher list.
 <b>SMTPUTF8 CONTROLS</b>
       Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
       <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
-              Enable preliminary SMTPUTF8 support for the protocols  described
+              Enable  preliminary SMTPUTF8 support for the protocols described
-              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
       <b><a href="postconf.5.html#strict_smtputf8">strict_smtputf8</a> (no)</b>
              Enable stricter enforcement of the SMTPUTF8 protocol.
       <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
-              Detect  that  a message requires SMTPUTF8 support for the speci-
+              Detect that a message requires SMTPUTF8 support for  the  speci-
              fied mail origin classes.
       Available in Postfix version 3.2 and later:
       <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
-              Enable  'transitional'  compatibility   between   IDNA2003   and
+              Enable   'transitional'   compatibility   between  IDNA2003  and
-              IDNA2008,  when  converting UTF-8 domain names to/from the ASCII
+              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
              form that is used for DNS lookups.
 <b>VERP SUPPORT CONTROLS</b>
-       With VERP style delivery, each recipient of a message receives  a  cus-
+       With  VERP  style delivery, each recipient of a message receives a cus-
-       tomized  copy of the message with his/her own recipient address encoded
+       tomized copy of the message with his/her own recipient address  encoded
       in the envelope sender address.  The <a href="VERP_README.html">VERP_README</a> file describes config-
-       uration  and operation details of Postfix support for variable envelope
+       uration and operation details of Postfix support for variable  envelope
-       return path addresses.  VERP style delivery is requested with the  SMTP
+       return  path addresses.  VERP style delivery is requested with the SMTP
-       XVERP  command  or  with  the  "sendmail -V" command-line option and is
+       XVERP command or with the "sendmail  -V"  command-line  option  and  is
       available in Postfix version 1.1 and later.
       <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
              The two default VERP delimiter characters.
       <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
-              The characters Postfix accepts as VERP delimiter  characters  on
+              The  characters  Postfix accepts as VERP delimiter characters on
              the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line and in SMTP commands.
       Available in Postfix version 1.1 and 2.0:
       <b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
-              What  remote  SMTP clients are allowed to specify the XVERP com-
+              What remote SMTP clients are allowed to specify the  XVERP  com-
              mand.
       Available in Postfix version 2.1 and later:
       <b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
-              What remote SMTP clients are allowed to specify the  XVERP  com-
+              What  remote  SMTP clients are allowed to specify the XVERP com-
              mand.
 <b>TROUBLE SHOOTING CONTROLS</b>
-       The  <a href="DEBUG_README.html">DEBUG_README</a>  document describes how to debug parts of the Postfix
+       The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of  the  Postfix
-       mail system. The methods vary from making the software  log  a  lot  of
+       mail  system.  The  methods  vary from making the software log a lot of
       detail, to running some daemon processes under control of a call tracer
       or debugger.
       <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The increment in verbose logging level when a  nexthop  destina-
+              The  increment  in verbose logging level when a nexthop destina-
-              tion,  remote client or server name or network address matches a
+              tion, remote client or server name or network address matches  a
              pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
       <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional list of nexthop destination, remote  client  or  server
+              Optional  list  of  nexthop destination, remote client or server
-              name  or  network  address  patterns that, if matched, cause the
+              name or network address patterns that,  if  matched,  cause  the
-              verbose logging level to increase by  the  amount  specified  in
+              verbose  logging  level  to  increase by the amount specified in
              $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
       <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The  recipient  of  postmaster notifications about mail delivery
+              The recipient of postmaster notifications  about  mail  delivery
              problems that are caused by policy, resource, software or proto-
              col errors.
       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What   categories  of  Postfix-generated  mail  are  subject  to
+              What  categories  of  Postfix-generated  mail  are  subject   to
-              before-queue   content    inspection    by    <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+              before-queue    content    inspection    by   <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
              <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
              The list of error classes that are reported to the postmaster.
       <b><a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> (empty)</b>
-              Optional  information  that  is appended after each Postfix SMTP
+              Optional information that is appended after  each  Postfix  SMTP
              server 4XX or 5XX response.
       <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
-              Safety net to keep mail queued that would otherwise be  returned
+              Safety  net to keep mail queued that would otherwise be returned
              to the sender.
       Available in Postfix version 2.1 and later:
@ -744,45 +741,46 @@ SMTPD(8)                                                              SMTPD(8)
       Available in Postfix version 2.10 and later:
       <b><a href="postconf.5.html#smtpd_log_access_permit_actions">smtpd_log_access_permit_actions</a> (empty)</b>
-              Enable logging of the named  "permit"  actions  in  SMTP  server
+              Enable  logging  of  the  named  "permit" actions in SMTP server
-              access  lists (by default, the SMTP server logs "reject" actions
+              access lists (by default, the SMTP server logs "reject"  actions
              but not "permit" actions).
 <b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
-       As of Postfix version 2.0, the SMTP server  rejects  mail  for  unknown
+       As  of  Postfix  version  2.0, the SMTP server rejects mail for unknown
       recipients. This prevents the mail queue from clogging up with undeliv-
-       erable MAILER-DAEMON messages. Additional information on this topic  is
+       erable  MAILER-DAEMON messages. Additional information on this topic is
       in the <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.
       <b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
-              Display  the  name  of the recipient table in the "User unknown"
+              Display the name of the recipient table in  the  "User  unknown"
              responses.
       <b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
-              Optional address mapping lookup tables for message  headers  and
+              Optional  address  mapping lookup tables for message headers and
              envelopes.
       <b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
-              Optional  address  mapping lookup tables for envelope and header
+              Optional address mapping lookup tables for envelope  and  header
              recipient addresses.
       <b><a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> (empty)</b>
-              Optional address mapping lookup tables for envelope  and  header
+              Optional  address  mapping lookup tables for envelope and header
              sender addresses.
       Parameters concerning known/unknown local recipients:
       <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b>
-              The  list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a>
+              The list of domains that are delivered via the  $<a href="postconf.5.html#local_transport">local_transport</a>
              mail delivery transport.
       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The network interface addresses that this mail  system  receives
+              The  local  network  interface  addresses  that this mail system
-              mail on.
+              receives mail on.
       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The  network  interface addresses that this mail system receives
+              The remote network interface addresses  that  this  mail  system
-              mail on by way of a proxy or network address translation unit.
+              receives  mail  on by way of a proxy or network address transla-
              tion unit.
       <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
              The Internet protocols Postfix will attempt to use  when  making
@ -818,13 +816,13 @@ SMTPD(8)                                                              SMTPD(8)
       domains:
       <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
-              Postfix  is  final destination for the specified list of virtual
+              Postfix  is the final destination for the specified list of vir-
-              alias domains, that is, domains  for  which  all  addresses  are
+              tual alias domains, that is, domains for which all addresses are
              aliased to addresses in other local or remote domains.
       <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
              Optional  lookup  tables  that  alias specific mail addresses or
-              domains to other local or remote address.
+              domains to other local or remote addresses.
       <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
              The Postfix SMTP server reply  code  when  a  recipient  address
@ -836,9 +834,9 @@ SMTPD(8)                                                              SMTPD(8)
       domains:
       <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
-              Postfix is final destination for the specified list of  domains;
+              Postfix is the final  destination  for  the  specified  list  of
-              mail  is  delivered  via  the  $<a href="postconf.5.html#virtual_transport">virtual_transport</a>  mail delivery
+              domains;  mail  is  delivered  via  the  $<a href="postconf.5.html#virtual_transport">virtual_transport</a> mail
-              transport.
+              delivery transport.
       <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
              Optional lookup tables with all valid addresses in  the  domains
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@ -190,12 +190,9 @@ filtering, or address mapping.
 .PP
 Available in Postfix version 2.2 and later:
 .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR"
-Rewrite message header addresses in mail from these clients and
+Rewrite or add message headers in mail from these clients,
-update incomplete addresses with the domain name in $myorigin or
+updating incomplete addresses with the domain name in $myorigin or
-$mydomain; either don't rewrite message headers from other clients
+$mydomain, and adding missing headers.
 at all, or rewrite message headers and update incomplete addresses
 with the domain specified in the remote_header_rewrite_domain
 parameter.
 .SH "BEFORE-SMTPD PROXY AGENT"
 .na
 .nf
@ -473,7 +470,7 @@ CommonName.
 With mandatory TLS encryption, require a trusted remote SMTP client
 certificate in order to allow TLS connections to proceed.
 .IP "\fBsmtpd_tls_wrappermode (no)\fR"
-Run the Postfix SMTP server in the non\-standard "wrapper" mode,
+Run the Postfix SMTP server in TLS "wrapper" mode,
 instead of using the STARTTLS command.
 .IP "\fBtls_daemon_random_bytes (32)\fR"
 The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
@ -584,7 +581,7 @@ cipher list.
 Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
 .IP "\fBsmtputf8_enable (yes)\fR"
 Enable preliminary SMTPUTF8 support for the protocols described
-in RFC 6531..6533.
+in RFC 6531, RFC 6532, and RFC 6533.
 .IP "\fBstrict_smtputf8 (no)\fR"
 Enable stricter enforcement of the SMTPUTF8 protocol.
 .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR"
@ -694,10 +691,10 @@ Parameters concerning known/unknown local recipients:
 The list of domains that are delivered via the $local_transport
 mail delivery transport.
 .IP "\fBinet_interfaces (all)\fR"
-The network interface addresses that this mail system receives
+The local network interface addresses that this mail system receives
 mail on.
 .IP "\fBproxy_interfaces (empty)\fR"
-The network interface addresses that this mail system receives mail
+The remote network interface addresses that this mail system receives mail
 on by way of a proxy or network address translation unit.
 .IP "\fBinet_protocols (see 'postconf -d output')\fR"
 The Internet protocols Postfix will attempt to use when making
@ -726,12 +723,12 @@ a list of lookup tables that does not match the recipient address.
 Parameters concerning known/unknown recipients in virtual alias
 domains:
 .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR"
-Postfix is final destination for the specified list of virtual
+Postfix is the final destination for the specified list of virtual
 alias domains, that is, domains for which all addresses are aliased
 to addresses in other local or remote domains.
 .IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
 Optional lookup tables that alias specific mail addresses or domains
-to other local or remote address.
+to other local or remote addresses.
 .IP "\fBunknown_virtual_alias_reject_code (550)\fR"
 The Postfix SMTP server reply code when a recipient address matches
 $virtual_alias_domains, and $virtual_alias_maps specifies a list
@ -740,7 +737,7 @@ of lookup tables that does not match the recipient address.
 Parameters concerning known/unknown recipients in virtual mailbox
 domains:
 .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR"
-Postfix is final destination for the specified list of domains;
+Postfix is the final destination for the specified list of domains;
 mail is delivered via the $virtual_transport mail delivery transport.
 .IP "\fBvirtual_mailbox_maps (empty)\fR"
 Optional lookup tables with all valid addresses in the domains that
--- a/postfix/proto/MAILLOG_README.html
+++ b/postfix/proto/MAILLOG_README.html
@ -20,7 +20,7 @@ logging to file or stdout</h1>
 <h2>Overview </h2>
-<p> Postfix supports it own logging system as an alternative to
+<p> Postfix supports its own logging system as an alternative to
 syslog (which remains the default). This is available with Postfix
 version 3.4 or later. </p>
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20221023"
+#define MAIL_RELEASE_DATE	"20221207"
 #define MAIL_VERSION_NUMBER	"3.8"
 #ifdef SNAPSHOT
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@ -172,12 +172,9 @@
 /* .PP
 /*	Available in Postfix version 2.2 and later:
 /* .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR"
-/*	Rewrite message header addresses in mail from these clients and
+/*	Rewrite or add message headers in mail from these clients,
-/*	update incomplete addresses with the domain name in $myorigin or
+/*	updating incomplete addresses with the domain name in $myorigin or
-/*	$mydomain; either don't rewrite message headers from other clients
+/*	$mydomain, and adding missing headers.
 /*	at all, or rewrite message headers and update incomplete addresses
 /*	with the domain specified in the remote_header_rewrite_domain
 /*	parameter.
 /* BEFORE-SMTPD PROXY AGENT
 /* .ad
 /* .fi
@ -439,7 +436,7 @@
 /*	With mandatory TLS encryption, require a trusted remote SMTP client
 /*	certificate in order to allow TLS connections to proceed.
 /* .IP "\fBsmtpd_tls_wrappermode (no)\fR"
-/*	Run the Postfix SMTP server in the non-standard "wrapper" mode,
+/*	Run the Postfix SMTP server in TLS "wrapper" mode,
 /*	instead of using the STARTTLS command.
 /* .IP "\fBtls_daemon_random_bytes (32)\fR"
 /*	The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
@ -546,7 +543,7 @@
 /*	Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
 /* .IP "\fBsmtputf8_enable (yes)\fR"
 /*	Enable preliminary SMTPUTF8 support for the protocols described
-/*	in RFC 6531..6533.
+/*	in RFC 6531, RFC 6532, and RFC 6533.
 /* .IP "\fBstrict_smtputf8 (no)\fR"
 /*	Enable stricter enforcement of the SMTPUTF8 protocol.
 /* .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR"
@ -650,10 +647,10 @@
 /*	The list of domains that are delivered via the $local_transport
 /*	mail delivery transport.
 /* .IP "\fBinet_interfaces (all)\fR"
-/*	The network interface addresses that this mail system receives
+/*	The local network interface addresses that this mail system receives
 /*	mail on.
 /* .IP "\fBproxy_interfaces (empty)\fR"
-/*	The network interface addresses that this mail system receives mail
+/*	The remote network interface addresses that this mail system receives mail
 /*	on by way of a proxy or network address translation unit.
 /* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
 /*	The Internet protocols Postfix will attempt to use when making
@ -682,12 +679,12 @@
 /*	Parameters concerning known/unknown recipients in virtual alias
 /*	domains:
 /* .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR"
-/*	Postfix is final destination for the specified list of virtual
+/*	Postfix is the final destination for the specified list of virtual
 /*	alias domains, that is, domains for which all addresses are aliased
 /*	to addresses in other local or remote domains.
 /* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
 /*	Optional lookup tables that alias specific mail addresses or domains
-/*	to other local or remote address.
+/*	to other local or remote addresses.
 /* .IP "\fBunknown_virtual_alias_reject_code (550)\fR"
 /*	The Postfix SMTP server reply code when a recipient address matches
 /*	$virtual_alias_domains, and $virtual_alias_maps specifies a list
@ -696,7 +693,7 @@
 /*	Parameters concerning known/unknown recipients in virtual mailbox
 /*	domains:
 /* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR"
-/*	Postfix is final destination for the specified list of domains;
+/*	Postfix is the final destination for the specified list of domains;
 /*	mail is delivered via the $virtual_transport mail delivery transport.
 /* .IP "\fBvirtual_mailbox_maps (empty)\fR"
 /*	Optional lookup tables with all valid addresses in the domains that
--- a/postfix/src/smtpd/smtpd_proxy.c
+++ b/postfix/src/smtpd/smtpd_proxy.c
@ -388,7 +388,7 @@ static int smtpd_proxy_connect(SMTPD_STATE *state)
     */
    server_xforward_features = 0;
    lines = STR(proxy->reply);
-    while ((words = mystrtok(&lines, "\n")) != 0) {
+    while ((words = mystrtok(&lines, "\r\n")) != 0) {
 	if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t")) != 0) {
 	    if (strcasecmp(word, XFORWARD_CMD) == 0)
 		while ((word = mystrtok(&words, " \t")) != 0)
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@ -647,6 +647,7 @@ extern TLS_TLSA *tlsa_prepend(TLS_TLSA *, uint8_t, uint8_t, uint8_t,
 /*
  * tls_fprint.c
  */
 extern const EVP_MD *tls_digest_byname(const char *, EVP_MD_CTX **);
 extern char *tls_digest_encode(const unsigned char *, int);
 extern char *tls_cert_fprint(X509 *, const char *);
 extern char *tls_pkey_fprint(X509 *, const char *);
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@ -324,6 +324,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert,
     * checks are now performed internally in OpenSSL.
     */
    if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) {
 	TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
 	if (TLScontext->must_fail) {
 	    msg_panic("%s: cert valid despite trust init failure",
 		      TLScontext->namaddr);
@ -352,8 +353,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert,
 			     TLScontext->namaddr, peername);
 		tls_dane_log(TLScontext);
 	    }
-	} else
+	}
 	    TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
    }
    /*
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@ -823,7 +823,7 @@ int     tls_dane_enable(TLS_SESS_STATE *TLScontext)
 /* tls_dane_digest_init - configure supported DANE digests */
-void    tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD * fpt_alg)
+void    tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD *fpt_alg)
 {
    dane_mtype mtypes[256];
    char   *cp;
@ -930,7 +930,7 @@ void    tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD * fpt_alg)
 	}
 	mtypes[codepoint].ord = ++ord;
-	if ((mtypes[codepoint].alg = EVP_get_digestbyname(algname)) == 0) {
+	if ((mtypes[codepoint].alg = tls_digest_byname(algname, NULL)) == 0) {
 	    msg_warn("%s: digest algorithm \"%s\"(%d) unknown",
 		     VAR_TLS_DANE_DIGESTS, algname, codepoint);
 	    continue;
@ -1132,11 +1132,11 @@ static void load_tlsa_args(SSL *ssl, char *argv[])
    case 0:
 	break;
    case 1:
-	if ((md = EVP_get_digestbyname(LN_sha256)) == 0)
+	if ((md = tls_digest_byname(LN_sha256, NULL)) == 0)
 	    msg_fatal("Digest %s not found", LN_sha256);
 	break;
    case 2:
-	if ((md = EVP_get_digestbyname(LN_sha512)) == 0)
+	if ((md = tls_digest_byname(LN_sha512, NULL)) == 0)
 	    msg_fatal("Digest %s not found", LN_sha512);
 	break;
    default:
--- a/postfix/src/tls/tls_fprint.c
+++ b/postfix/src/tls/tls_fprint.c
@ -6,6 +6,10 @@
 /* SYNOPSIS
 /*	#include <tls.h>
 /*
 /*	EVP_MD *tls_digest_byname(const char *mdalg, EVP_MD_CTX **mdctxPtr)
 /*	const char *mdalg;
 /*	EVP_MD_CTX **mdctxPtr;
 /*
 /*	char	*tls_serverid_digest(TLScontext, props, ciphers)
 /*	TLS_SESS_STATE *TLScontext;
 /*	const TLS_CLIENT_START_PROPS *props;
@ -23,6 +27,13 @@
 /*	X509	*peercert;
 /*	const char *mdalg;
 /* DESCRIPTION
 /*	tls_digest_byname() constructs, and optionally returns, an EVP_MD_CTX
 /*	handle for performing digest operations with the algorithm named by the
 /*	mdalg parameter.  The return value is non-null on success, and holds a
 /*	digest algorithm handle.  If the mdctxPtr argument is non-null the
 /*	created context is returned to the caller, who is then responsible for
 /*	deleting it by calling EVP_MD_ctx_free() once it is no longer needed.
 /*
 /*	tls_digest_encode() converts a binary message digest to a hex ASCII
 /*	format with ':' separators between each pair of hex digits.
 /*	The return value is dynamically allocated with mymalloc(),
@ -50,6 +61,8 @@
 /*	free it with myfree().
 /*
 /*	Arguments:
 /* .IP mdalg
 /*	A digest algorithm name, such as "sha256".
 /* .IP peercert
 /*	Server or client X.509 certificate.
 /* .IP md_buf
@ -60,6 +73,9 @@
 /*	Name of a message digest algorithm suitable for computing secure
 /*	(1st pre-image resistant) message digests of certificates. For now,
 /*	md5, sha1, or member of SHA-2 family if supported by OpenSSL.
 /* .IP mdctxPtr
 /*	Pointer to an (EVP_MD_CTX *) handle, or NULL if only probing for
 /*	algorithm support without immediate use in mind.
 /* .IP buf
 /*	Input data for the message digest algorithm mdalg.
 /* .IP len
@ -114,7 +130,7 @@
 static const char hexcodes[] = "0123456789ABCDEF";
-#define checkok(ret)	(ok &= ((ret) ? 1 : 0))
+#define checkok(stillok) (ok = ok && (stillok))
 #define digest_object(p) digest_data((unsigned char *)(p), sizeof(*(p)))
 #define digest_data(p, l) checkok(digest_bytes(mdctx, (p), (l)))
 #define digest_string(s) checkok(digest_chars(mdctx, (s)))
@ -182,6 +198,44 @@ static int tls_digest_tlsa(EVP_MD_CTX *mdctx, TLS_TLSA *tlsa)
    return (ok);
 }
 /* tls_digest_byname - test availability or prepare to use digest */
 const EVP_MD *tls_digest_byname(const char *mdalg, EVP_MD_CTX **mdctxPtr)
 {
    const EVP_MD *md;
    EVP_MD_CTX *mdctx = NULL;
    int     ok = 1;
    /*
     * In OpenSSL 3.0, because of dynamically variable algorithm providers,
     * there is a time-of-check/time-of-use issue that means that abstract
     * algorithm handles returned by EVP_get_digestbyname() can (and not
     * infrequently do) return ultimately unusable algorithms, to check for
     * actual availability, one needs to use the new EVP_MD_fetch() API, or
     * indirectly check usability by creating a concrete context. We take the
     * latter approach here (works for 1.1.1 without #ifdef).
     * 
     * Note that EVP_MD_CTX_{create,destroy} were renamed to, respectively,
     * EVP_MD_CTX_{new,free} in OpenSSL 1.1.0.
     */
    checkok(md = EVP_get_digestbyname(mdalg));
    /*
     * Sanity check: Newer shared libraries could (hypothentical ABI break)
     * allow larger digests, we avoid such poison algorithms.
     */
    checkok(EVP_MD_size(md) <= EVP_MAX_MD_SIZE);
    checkok(mdctx = EVP_MD_CTX_new());
    checkok(EVP_DigestInit_ex(mdctx, md, NULL));
    if (ok && mdctxPtr != 0)
 	*mdctxPtr = mdctx;
    else
 	EVP_MD_CTX_free(mdctx);
    return (ok ? md : 0);
 }
 /* tls_serverid_digest - suffix props->serverid with parameter digest */
 char   *tls_serverid_digest(TLS_SESS_STATE *TLScontext,
@ -189,7 +243,6 @@ char   *tls_serverid_digest(TLS_SESS_STATE *TLScontext,
 			            const char *ciphers)
 {
    EVP_MD_CTX *mdctx;
    const EVP_MD *md;
    const char *mdalg;
    unsigned char md_buf[EVP_MAX_MD_SIZE];
    unsigned int md_len;
@ -205,17 +258,17 @@ char   *tls_serverid_digest(TLS_SESS_STATE *TLScontext,
     * default digest, but DANE requires sha256 and sha512, so if we must
     * fall back to our default digest, DANE support won't be available.  We
     * panic if the fallback algorithm is not available, as it was verified
-     * available in tls_client_init() and must not simply vanish.
+     * available in tls_client_init() and must not simply vanish.  Our
     * provider set is not expected to change once the OpenSSL library is
     * initialised.
     */
-    if ((md = EVP_get_digestbyname(mdalg = "sha256")) == 0
+    if (tls_digest_byname(mdalg = LN_sha256, &mdctx) == 0
-	&& (md = EVP_get_digestbyname(mdalg = props->mdalg)) == 0)
+	&& tls_digest_byname(mdalg = props->mdalg, &mdctx) == 0)
-	msg_panic("digest algorithm \"%s\" not found", mdalg);
+	msg_panic("digest algorithm \"%s\" not found", props->mdalg);
    /* Salt the session lookup key with the OpenSSL runtime version. */
    sslversion = OpenSSL_version_num();
    mdctx = EVP_MD_CTX_create();
    checkok(EVP_DigestInit_ex(mdctx, md, NULL));
    digest_string(props->helo ? props->helo : "");
    digest_object(&sslversion);
    digest_string(props->protocols);
@ -306,18 +359,15 @@ char   *tls_digest_encode(const unsigned char *md_buf, int md_len)
 static char *tls_data_fprint(const unsigned char *buf, int len, const char *mdalg)
 {
-    EVP_MD_CTX *mdctx;
+    EVP_MD_CTX *mdctx = NULL;
    const EVP_MD *md;
    unsigned char md_buf[EVP_MAX_MD_SIZE];
    unsigned int md_len;
    int     ok = 1;
    /* Previously available in "init" routine. */
-    if ((md = EVP_get_digestbyname(mdalg)) == 0)
+    if (tls_digest_byname(mdalg, &mdctx) == 0)
 	msg_panic("digest algorithm \"%s\" not found", mdalg);
    mdctx = EVP_MD_CTX_create();
    checkok(EVP_DigestInit_ex(mdctx, md, NULL));
    digest_data(buf, len);
    checkok(EVP_DigestFinal_ex(mdctx, md_buf, &md_len));
    EVP_MD_CTX_destroy(mdctx);
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@ -1575,25 +1575,13 @@ long    tls_bio_dump_cb(BIO *bio, int cmd, const char *argp, size_t len,
 const EVP_MD *tls_validate_digest(const char *dgst)
 {
    const EVP_MD *md_alg;
    unsigned int md_len;
    /*
     * If the administrator specifies an unsupported digest algorithm, fail
     * now, rather than in the middle of a TLS handshake.
     */
-    if ((md_alg = EVP_get_digestbyname(dgst)) == 0) {
+    if ((md_alg = tls_digest_byname(dgst, NULL)) == 0)
 	msg_warn("Digest algorithm \"%s\" not found", dgst);
 	return (0);
    }
    /*
     * Sanity check: Newer shared libraries may use larger digests.
     */
    if ((md_len = EVP_MD_size(md_alg)) > EVP_MAX_MD_SIZE) {
 	msg_warn("Digest algorithm \"%s\" output size %u too large",
 		 dgst, md_len);
 	return (0);
    }
    return md_alg;
 }