postfix-3.11-20250223-nonprod

2025-08-22 18:07:41 +00:00 · 2025-02-23 00:00:00 -05:00 · 2025-02-23 00:00:00 -05:00 · 64967a0f04
commit 64967a0f04
parent 73ef04f192
64 changed files with 1629 additions and 461 deletions
--- a/postfix/.indent.pro
+++ b/postfix/.indent.pro
@ -302,7 +302,6 @@
 -TRESPONSE
 -TREST_TABLE
 -TRES_CONTEXT
 -TRING
 -TRWR_CONTEXT
 -TSCACHE
 -TSCACHE_CLNT
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -29002,3 +29002,131 @@ Apologies for any names omitted.
 	default smtp_tls_dane_insecure_mx_policy setting resulted in
 	unnecessary 'dnssec_probe' warnings, on systems that disable
 	DNSSEC lookups (the default). File: smtp/smtp_addr.c.
 	Baseline is postfix-3.11-20250223
 NONPROD CODE
 	Feature: support for the REQUIRETLS verb in SMTP. According
 	to RFC 8689, this requires TLS server certificate matching.
 	Files: cleanup/cleanup_api.c, global/cleanup_strflags.c,
 	global/post_mail.c, global/post_mail.c, global/ehlo_mask.[hc],
 	global/ehlo_mask_test.c, local/forward.c, smtpd/smtpd.c,
 	smtp/smtp_connect.c, smtp/smtp_proto.c.
 	Added a configuration parameter "requiretls_enable" (default:
 	yes). Files: cleanup/cleanup_api.c, global/cleanup_strflags.c,
 	global/post_mail.c, global/post_mail.c, global/ehlo_mask.[hc],
 	global/ehlo_mask_test.c, local/forward.c, smtpd/smtpd.c,
 	smtp/smtp_connect.c, smtp/smtp_proto.c.
 	After a certificate check fails, or a remote SMTP server
 	does not announce REQUIRETLS support, the Postfix SMTP
 	client will override the RFC 8689 5.x.x.  status and treat
 	it as a soft error, until there are no more alternate MX
 	servers to try. Files: smtp/smtp.h, smtp/smtp_proto.c,
 	smtp/smtp_trouble.c.
 	When a message received with REQUIRETLS is returned in a
 	delivery status notification, return the message headers
 	only, and do not request delivery with REQUIRETLS. Files:
 	bounce/bounce_notify_service.c, bounce/bounce_one_service.c,
 	bounce/bounce_trace_service.c, bounce/bounce_verp_service.c,
 	bounce/bounce_warn_service.c.
 	Completed: new Postfix sendmail command option "-O requiretls"
 	to request that deliveries over SMTP use the REQUIRETLS
 	extension. The option value "requiretls" is case-insensitive.
 	Files: sendmail/sendmail.c, global/rec_types.h, pickup/pickup.c.
 	Cleanup: new Postfix sendmail command option "-O smtputf8"
 	to request that deliveries over SMTP use the SMTPUTF8
 	extension. This reuses logic that was introduced for
 	REQUIRETLS. The option value "smtputf8" is case-insensitive.
 	Files: sendmail/sendmail.c.
 	Cleanup: when message delivery requires that a remote SMTP
 	server supports SMTPUTF8, try multiple MX servers before
 	returning a message as undeliverable. This reuses logic
 	that was introduced for REQUIRETLS. File: smtp/smtp_proto.c.
 	Completed: support in the pipe(8) daemon to propagate
 	REQUIRETLS through post-queue content filters that pass
 	filtered mail to the Postfix sendmail(1) command. This
 	involves a new a pipe(8) macro ${requiretls} that expands
 	into a suitable sendmail(1) command-line option. A more
 	secretive alternative would be to pass the info with a
 	REQUIRETLS environment variable, but that would require
 	change to the default import_environment setting. Files:
 	pipe/pipe.c, sendmail/sendmail.c.
 	Completed: the SMTP/LMTP client with "flags=X" will not
 	require REQUIRETLS support in the final server. Files:
 	smtp/smtp.c, smtp/smtp_proto.c.
 	Completed: REQUIRETLS support can be disabled in the Postfix
 	SMTP/LMTP client with "{ -o requiretls_enable = no }". This
 	is recommended for a perimeter MTA that hands off mail to
 	internal servers that may not support REQUIRETLS.
 	Completed: smtp_enforce_requiretls list of next-hop domains
 	(or UNIX-domain pathnames) that are ready for REQUIRETLS
 	enforcement. This may help with gradual adoption.
 TODO
 	Encapsulate the sendopts-to-cleanup-flags mapping.
 	sendmail -O TlsRequired option?
 	How do we make it work with multi-instance SMTP-based content
 	filters?  How is this different from the single-instance
 	case?
 	What REQUIRETLS expectations can we enforce when delivering
 	over a UNIX-domain channel? The SMTP/LMTP client currently
 	implements the same behavior as for TCP, except that
 	opportunistic TLS is converted into 'none'.
 	Document how REQUIRETLS works (or does not) with external
 	content filters.
 	- REQUIRETLS will work with Milter-based content filters.
 	- REQUIRETLS will work with smtpd_proxy_filter as long as
 	  the filter passes the entire Postfix SMTP client's MAIL
 	  FROM command line through the filter to the Postfix SMTP
 	  server after the proxy filter. The Postfix proxy filter
 	  client does not need to see REQUIRETLS (or SMTPUTF8)
 	  announcements in the filter's EHLO response.
 	- REQUIRETLS will work with an SMTP-based after-queue content
 	  filters as long as the filter announces REQUIRETLS in the
 	  EHLO response (this could be 'always', or copied from the
 	  after-filter Postfix SMTP server's EHLO response), and
 	  as long as the filter passes the entire MAIL FROM command
 	  from the before-filter Postfix SMTP client to the
 	  after-filter Postfix SMTP server. Apart from that, the
 	  content filter does not need to 'know' that REQUIRETLS
 	  exists.
 	- REQUIRETLS will work with pipe(8)-filter-sendmail(1)
 	  after-queue content filters, by specifying a pipe(8) macro
 	  ${requiretls} which expands to a suitable sendmail(1)
 	  command-line option.
 	- The Postfix LMTP client when run with the -X option will
 	  not require that the LMTP server announces REQUIRETLS
 	  support.
 	- Perimeter MTA configuration: disable REQUIRETLS on the
 	  inbound relay transport when internal infrastructure may
 	  not be suitable for REQUIRETLS enforcement.
 	If a message contains "TLS-Required: no", should a bounce
 	message also contain this header?
 	Ditto for "tls_required_enable = no" and "TLS-Required:
 	no". The header is provided by the sender, and enforcement
 	is up the Postfix SMTP client.
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@ -174,7 +174,7 @@ SMTP(8)                                                                SMTP(8)
       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
       <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
-       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required message header)
+       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (SMTP REQUIRETLS extension)
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
       Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@ -507,7 +507,7 @@ SMTP(8)                                                                SMTP(8)
              The delimiter between username and password in  sasl_passwd_maps
              lookup results.
-<b><a name="starttls_support_controls">STARTTLS SUPPORT CONTROLS</a></b>
+<b><a name="tls_support_controls">TLS SUPPORT CONTROLS</a></b>
       Detailed  information  about STARTTLS configuration may be found in the
       <a href="TLS_README.html">TLS_README</a> document.
@ -766,7 +766,18 @@ SMTP(8)                                                                SMTP(8)
              Enable  support  for  the  "TLS-Required:  no"  message  header,
              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
-<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
+       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
              Enable  support  for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
       <b><a href="postconf.5.html#smtp_enforce_requiretls">smtp_enforce_requiretls</a> (empty)</b>
              An optional list  of  next-hop  destinations  that  the  Postfix
              SMTP/LMTP client will enforce REQUIRETLS for, when a message was
              received with the REQUIRETLS option: the  next-hop  server  must
              offer  a  matching  TLS  server certificate, and the server must
              announce REQUIRETLS support).
 <b><a name="obsolete_tls_controls">OBSOLETE TLS CONTROLS</a></b>
       The following configuration parameters  exist  for  compatibility  with
       Postfix  versions  before  2.3.  Support for these will be removed in a
       future release.
--- a/postfix/html/mailq.1.html
+++ b/postfix/html/mailq.1.html
@ -168,12 +168,32 @@ SENDMAIL(1)                                                        SENDMAIL(1)
              Delivery   status   notification   control.   Specify  either  a
              comma-separated list with one or more of <b>failure</b> (send notifica-
              tion  when delivery fails), <b>delay</b> (send notification when deliv-
-              ery is delayed), or <b>success</b> (send notification when the  message
+              ery is delayed), or <b>success</b> (send notification after the message
              is delivered); or specify <b>never</b> (don't send any notifications at
              all).
              This feature is available in Postfix 2.3 and later.
       <b>-O requiretls</b>
              When delivering a message to an SMTP or LMTP server, the connec-
              tion  must  use  TLS with a verified server certificate, and the
              server must support REQUIRETLS. Try multiple servers  if  possi-
              ble, and return the message as undeliverable when these require-
              ments were not satisfied with  any  of  the  servers  that  were
              tried. The "requiretls" option value is case-insensitive.
              This feature is available in Postfix 3.10 and later.
       <b>-O smtputf8</b>
              When  delivering a message to an SMTP or LMTP server, the server
              must support SMTPUTF8. Try multiple  servers  if  possible,  and
              return  the  message as undeliverable when a message contains an
              UTF8 envelope address or message header, but  SMTPUTF8  was  not
              supported  by any of the servers that were tried. The "smtputf8"
              option value is case-insensitive.
              This feature is available in Postfix 3.10 and later.
       <b>-n</b> (ignored)
              Backwards compatibility.
@ -483,6 +503,12 @@ SENDMAIL(1)                                                        SENDMAIL(1)
              the  default  Postfix  instance,  and that are started, stopped,
              etc., together with the default Postfix instance.
       Postfix 3.10 and later:
       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
              Enable support for the ESMTP verb "REQUIRETLS", defined  in  <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
 <b><a name="files">FILES</a></b>
       /var/spool/postfix, mail queue
       /etc/postfix, configuration files
--- a/postfix/html/newaliases.1.html
+++ b/postfix/html/newaliases.1.html
@ -168,12 +168,32 @@ SENDMAIL(1)                                                        SENDMAIL(1)
              Delivery   status   notification   control.   Specify  either  a
              comma-separated list with one or more of <b>failure</b> (send notifica-
              tion  when delivery fails), <b>delay</b> (send notification when deliv-
-              ery is delayed), or <b>success</b> (send notification when the  message
+              ery is delayed), or <b>success</b> (send notification after the message
              is delivered); or specify <b>never</b> (don't send any notifications at
              all).
              This feature is available in Postfix 2.3 and later.
       <b>-O requiretls</b>
              When delivering a message to an SMTP or LMTP server, the connec-
              tion  must  use  TLS with a verified server certificate, and the
              server must support REQUIRETLS. Try multiple servers  if  possi-
              ble, and return the message as undeliverable when these require-
              ments were not satisfied with  any  of  the  servers  that  were
              tried. The "requiretls" option value is case-insensitive.
              This feature is available in Postfix 3.10 and later.
       <b>-O smtputf8</b>
              When  delivering a message to an SMTP or LMTP server, the server
              must support SMTPUTF8. Try multiple  servers  if  possible,  and
              return  the  message as undeliverable when a message contains an
              UTF8 envelope address or message header, but  SMTPUTF8  was  not
              supported  by any of the servers that were tried. The "smtputf8"
              option value is case-insensitive.
              This feature is available in Postfix 3.10 and later.
       <b>-n</b> (ignored)
              Backwards compatibility.
@ -483,6 +503,12 @@ SENDMAIL(1)                                                        SENDMAIL(1)
              the  default  Postfix  instance,  and that are started, stopped,
              etc., together with the default Postfix instance.
       Postfix 3.10 and later:
       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
              Enable support for the ESMTP verb "REQUIRETLS", defined  in  <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
 <b><a name="files">FILES</a></b>
       /var/spool/postfix, mail queue
       /etc/postfix, configuration files
--- a/postfix/html/pipe.8.html
+++ b/postfix/html/pipe.8.html
@ -309,6 +309,15 @@ PIPE(8)                                                                PIPE(8)
                     This information is modified by the <b>hqu</b> flags for quoting
                     and case folding.
              <b>${requiretls}</b>
                     This  feature  should  be  used with content filters that
                     pass filtered mail to the  Postfix  <a href="sendmail.1.html">sendmail(1)</a>  command.
                     The  macro expands to the <a href="sendmail.1.html">sendmail(1)</a> command-line option
                     <b>-Orequiretls</b> if the sender requested  REQUIRETLS,  other-
                     wise it expands to <b>-Onoop</b>.
                     This feature is available as of Postfix 3.10.
              <b>${sasl_method}</b>
                     This macro expands to the name of the SASL authentication
                     mechanism in the  AUTH  command  when  the  Postfix  SMTP
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -5041,6 +5041,17 @@ configuration parameter.  See there for details.  </p>
 <p> This feature is available in Postfix 2.11 and later.  </p>
 </DD>
 <DT><b><a name="lmtp_enforce_requiretls">lmtp_enforce_requiretls</a>
 (default: empty)</b></DT><DD>
 <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_enforce_requiretls">smtp_enforce_requiretls</a>
 configuration parameter. See there for details. </p>
 <p> This feature is available in Postfix &ge; 3.11. </p>
 </DD>
 <DT><b><a name="lmtp_enforce_tls">lmtp_enforce_tls</a>
@ -8218,6 +8229,13 @@ you really want to match subdomains.
 <a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a>
 </dd>
 <dt> Postfix version 3.11 and later </dt>
 <dd>
 <a href="postconf.5.html#smtp_enforce_requiretls">smtp_enforce_requiretls</a>,
 <a href="postconf.5.html#lmtp_enforce_requiretls">lmtp_enforce_requiretls</a>
 </dd>
 </dl>
@ -10568,6 +10586,37 @@ the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
 </p>
 </DD>
 <DT><b><a name="requiretls_enable">requiretls_enable</a>
 (default: yes)</b></DT><DD>
 <p> Enable support for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
 <a href="https://tools.ietf.org/html/rfc8689">8689</a>. By issuing this verb in the "MAIL FROM" command, a sender
 specifies that a message must be delivered over TLS connections
 with a verified server certificate, to a server that announces
 "REQUIRETLS" support. This corresponds to the Postfix SMTP client
 TLS security levels "secure", "verify", "fingerprint", dane-only,
 or opportunistic "dane", with a successful certificate match. The
 Postfix SMTP client will try one or more servers, controlled with
 the <a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> parameter, until it finds a server that
 satisfies requirements. Otherwise, Postfix returns the message as
 undeliverable. </p>
 <p> Notes: </p>
 <ul>
 <li> <p> REQUIRETLS enforcement is controlled with <a href="postconf.5.html#smtp_enforce_requiretls">smtp_enforce_requiretls</a>
 or <a href="postconf.5.html#lmtp_enforce_requiretls">lmtp_enforce_requiretls</a>. </p>
 <li> <p> REQUIRETLS overrides "TLS-Required: no". </p>
 </ul>
 <p> This feature is available in Postfix &ge; 3.11. </p>
 </DD>
 <DT><b><a name="reset_owner_alias">reset_owner_alias</a>
@ -11899,6 +11948,86 @@ RES_USE_DNSSEC and RES_USE_EDNS0 resolver options. </p>
 <p> This feature is available in Postfix 2.11 and later.  </p>
 </DD>
 <DT><b><a name="smtp_enforce_requiretls">smtp_enforce_requiretls</a>
 (default: empty)</b></DT><DD>
 <p> An optional list of next-hop destinations that the Postfix
 SMTP/LMTP client will enforce REQUIRETLS for, when a message was
 received with the REQUIRETLS option: the next-hop server must offer
 a matching TLS server certificate, and the server must announce
 REQUIRETLS support). Such a message will be returned to the sender
 if some REQUIRETLS requirement cannot be satisfied. These "hard"
 REQUIRETLS failures are logged as "REQUIRETLS failure". </p>
 <p> Other messages that were received with the REQUIRETLS option
 will be delivered with REQUIRETLS if possible. If not, a message
 will be delivered as if it was received without the REQUIRETLS
 option. This allows a mail sending site to discover when REQUIRETLS
 can be enforced, without disrupting email deliveries. These "soft"
 REQUIRETLS failures are logged with "REQUIRETLS Debug". </p>
 <p> On a perimeter MTA, it can make sense to turn off REQUIRETLS
 enforcement, or even to turn off REQUIRETLS support, when delivering
 a message to an internal destination. The internal servers may not
 support REQUIRETLS, and their connections may be secured with means
 other than DANE, STS, and the like. </p>
 <p> The supported syntax differs with SMTP and LMTP: </p>
 <ul>
 <li> <p> With SMTP, specify a list of next-hop domain names (without
 the ":port" or ":service" suffix), "/file/name" patterns or
 "<a href="DATABASE_README.html">type:table</a>" lookup tables, separated by commas and/or whitespace.
 Continue long lines by starting the next line with whitespace. A
 "/file/name" pattern is replaced by its contents.  A "<a href="DATABASE_README.html">type:table</a>"
 lookup table is matched when a domain appears as lookup key. Specify
 "!pattern" to exclude a domain. </p>
 <li> <p> With LMTP, specify list of domain names (without the "inet":
 prefix, or  ":port" or ":service" suffix), or UNIX-domain socket
 "/path/name" (without the "unix:" prefix), or "<a href="DATABASE_README.html">type:table</a>" lookup
 tables, separated by commas and/or whitespace. Continue long lines
 by starting the next line with whitespace. A "<a href="DATABASE_README.html">type:table</a>" lookup
 table is matched when a domain appears as lookup key. Specify
 "!pattern" to exclude a domain or socket path. </p>
 </ul>
 <p> Specify the form ".domain" to match any name ending in ".domain".
 To change this behavior, list "<a href="postconf.5.html#smtp_enforce_requiretls">smtp_enforce_requiretls</a>" or
 "<a href="postconf.5.html#lmtp_enforce_requiretls">lmtp_enforce_requiretls</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
 parameter value.  </p>
 <p>
 SMTP Examples:
 </p>
 <pre>
 # Enforce REQUIRETLS for SMTP with selected next-hop domains.
 <a href="postconf.5.html#smtp_enforce_requiretls">smtp_enforce_requiretls</a> = example.com, foo.example
 <br>
 # Enforce REQUIRETLS for SMTP with all but a few next-hop domains.
 <a href="postconf.5.html#smtp_enforce_requiretls">smtp_enforce_requiretls</a> = !foo.example, <a href="DATABASE_README.html#types">static</a>:all
 </pre>
 <p>
 LMTP examples:
 </p>
 <pre>
 # Don't enforce REQUIRETLS
 <a href="postconf.5.html#lmtp_enforce_requiretls">lmtp_enforce_requiretls</a> =
 <br>
 # Enforce REQUIRETLS for specific destinations.
 <a href="postconf.5.html#lmtp_enforce_requiretls">lmtp_enforce_requiretls</a> = /path/to/socket, message-store.example
 </pre>
 <p> This feature is available in Postfix &ge; 3.11. </p>
 </DD>
 <DT><b><a name="smtp_enforce_tls">smtp_enforce_tls</a>
@ -20726,6 +20855,8 @@ If a message contains a "TLS-Required: no" header, then Postfix
 will add that header to a delivery status notification for that
 message. </p>
 <p> Note: REQUIRETLS overrides "TLS-Required: no". </p>
 <p> This feature is available in Postfix &ge; 3.10. </p>
--- a/postfix/html/sendmail.1.html
+++ b/postfix/html/sendmail.1.html
@ -168,12 +168,32 @@ SENDMAIL(1)                                                        SENDMAIL(1)
              Delivery   status   notification   control.   Specify  either  a
              comma-separated list with one or more of <b>failure</b> (send notifica-
              tion  when delivery fails), <b>delay</b> (send notification when deliv-
-              ery is delayed), or <b>success</b> (send notification when the  message
+              ery is delayed), or <b>success</b> (send notification after the message
              is delivered); or specify <b>never</b> (don't send any notifications at
              all).
              This feature is available in Postfix 2.3 and later.
       <b>-O requiretls</b>
              When delivering a message to an SMTP or LMTP server, the connec-
              tion  must  use  TLS with a verified server certificate, and the
              server must support REQUIRETLS. Try multiple servers  if  possi-
              ble, and return the message as undeliverable when these require-
              ments were not satisfied with  any  of  the  servers  that  were
              tried. The "requiretls" option value is case-insensitive.
              This feature is available in Postfix 3.10 and later.
       <b>-O smtputf8</b>
              When  delivering a message to an SMTP or LMTP server, the server
              must support SMTPUTF8. Try multiple  servers  if  possible,  and
              return  the  message as undeliverable when a message contains an
              UTF8 envelope address or message header, but  SMTPUTF8  was  not
              supported  by any of the servers that were tried. The "smtputf8"
              option value is case-insensitive.
              This feature is available in Postfix 3.10 and later.
       <b>-n</b> (ignored)
              Backwards compatibility.
@ -483,6 +503,12 @@ SENDMAIL(1)                                                        SENDMAIL(1)
              the  default  Postfix  instance,  and that are started, stopped,
              etc., together with the default Postfix instance.
       Postfix 3.10 and later:
       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
              Enable support for the ESMTP verb "REQUIRETLS", defined  in  <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
 <b><a name="files">FILES</a></b>
       /var/spool/postfix, mail queue
       /etc/postfix, configuration files
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@ -174,7 +174,7 @@ SMTP(8)                                                                SMTP(8)
       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
       <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
-       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (TLS-Required message header)
+       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (SMTP REQUIRETLS extension)
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
       Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@ -507,7 +507,7 @@ SMTP(8)                                                                SMTP(8)
              The delimiter between username and password in  sasl_passwd_maps
              lookup results.
-<b><a name="starttls_support_controls">STARTTLS SUPPORT CONTROLS</a></b>
+<b><a name="tls_support_controls">TLS SUPPORT CONTROLS</a></b>
       Detailed  information  about STARTTLS configuration may be found in the
       <a href="TLS_README.html">TLS_README</a> document.
@ -766,7 +766,18 @@ SMTP(8)                                                                SMTP(8)
              Enable  support  for  the  "TLS-Required:  no"  message  header,
              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
-<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
+       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
              Enable  support  for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
       <b><a href="postconf.5.html#smtp_enforce_requiretls">smtp_enforce_requiretls</a> (empty)</b>
              An optional list  of  next-hop  destinations  that  the  Postfix
              SMTP/LMTP client will enforce REQUIRETLS for, when a message was
              received with the REQUIRETLS option: the  next-hop  server  must
              offer  a  matching  TLS  server certificate, and the server must
              announce REQUIRETLS support).
 <b><a name="obsolete_tls_controls">OBSOLETE TLS CONTROLS</a></b>
       The following configuration parameters  exist  for  compatibility  with
       Postfix  versions  before  2.3.  Support for these will be removed in a
       future release.
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@ -62,6 +62,7 @@ SMTPD(8)                                                              SMTPD(8)
       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
       <a href="https://tools.ietf.org/html/rfc7505">RFC 7505</a> ("Null MX" No Service Resource Record)
       <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a> (SMTP REQUIRETLS extension)
 <b><a name="diagnostics">DIAGNOSTICS</a></b>
       Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@ -430,7 +431,7 @@ SMTPD(8)                                                              SMTPD(8)
              If  non-empty,  a  filter  for the SASL mechanism names that the
              Postfix SMTP server will announce in the EHLO response.
-<b><a name="starttls_support_controls">STARTTLS SUPPORT CONTROLS</a></b>
+<b><a name="tls_support_controls">TLS SUPPORT CONTROLS</a></b>
       Detailed information about STARTTLS configuration may be found  in  the
       <a href="TLS_README.html">TLS_README</a> document.
@ -655,7 +656,13 @@ SMTPD(8)                                                              SMTPD(8)
              instead of an X.509 certificate, when asking  for  or  requiring
              client authentication.
-<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
+       Available in Postfix version 3.10 and later:
       <b><a href="postconf.5.html#requiretls_enable">requiretls_enable</a> (yes)</b>
              Enable  support  for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
              <a href="https://tools.ietf.org/html/rfc8689">8689</a>.
 <b><a name="obsolete_tls_controls">OBSOLETE TLS CONTROLS</a></b>
       The following configuration parameters  exist  for  compatibility  with
       Postfix  versions  before  2.3.  Support for these will be removed in a
       future release.
--- a/postfix/makedefs
+++ b/postfix/makedefs
@ -979,7 +979,7 @@ CCARGS="$CCARGS -DSNAPSHOT"
 # Non-production: needs thorough testing, or major changes are still
 # needed before the code stabilizes.
-#CCARGS="$CCARGS -DNONPROD"
+CCARGS="$CCARGS -DNONPROD"
 # Workaround: prepend Postfix include files before other include files.
 CCARGS="-I. -I../../include $CCARGS"
--- a/postfix/man/man1/sendmail.1
+++ b/postfix/man/man1/sendmail.1
@ -158,10 +158,28 @@ Delivery status notification control. Specify either a
 comma\-separated list with one or more of \fBfailure\fR (send
 notification when delivery fails), \fBdelay\fR (send
 notification when delivery is delayed), or \fBsuccess\fR
-(send notification when the message is delivered); or specify
+(send notification after the message is delivered); or specify
 \fBnever\fR (don't send any notifications at all).
 This feature is available in Postfix 2.3 and later.
 .IP "\fB\-O requiretls"
 When delivering a message to an SMTP or LMTP server, the
 connection must use TLS with a verified server certificate,
 and the server must support REQUIRETLS. Try multiple servers if
 possible, and return the message as undeliverable when these
 requirements were not satisfied with any of the servers that
 were tried. The "requiretls" option value is case\-insensitive.
 This feature is available in Postfix 3.10 and later.
 .IP "\fB\-O smtputf8"
 When delivering a message to an SMTP or LMTP server, the server
 must support SMTPUTF8. Try multiple servers if possible, and
 return the message as undeliverable when a message contains an
 UTF8 envelope address or message header, but SMTPUTF8 was not
 supported by any of the servers that were tried. The "smtputf8"
 option value is case\-insensitive.
 This feature is available in Postfix 3.10 and later.
 .IP "\fB\-n\fR (ignored)"
 Backwards compatibility.
 .IP "\fB\-oA\fIalias_database\fR"
@ -462,6 +480,11 @@ these directories belong to additional Postfix instances that share
 the Postfix executable files and documentation with the default
 Postfix instance, and that are started, stopped, etc., together
 with the default Postfix instance.
 .PP
 Postfix 3.10 and later:
 .IP "\fBrequiretls_enable (yes)\fR"
 Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
 8689.
 .SH "FILES"
 .na
 .nf
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -3136,6 +3136,11 @@ The LMTP\-specific version of the smtp_dns_support_level
 configuration parameter.  See there for details.
 .PP
 This feature is available in Postfix 2.11 and later.
 .SH lmtp_enforce_requiretls (default: empty)
 The LMTP\-specific version of the smtp_enforce_requiretls
 configuration parameter. See there for details.
 .PP
 This feature is available in Postfix >= 3.11.
 .SH lmtp_enforce_tls (default: no)
 The LMTP\-specific version of the smtp_enforce_tls configuration
 parameter.  See there for details.
@ -5046,6 +5051,10 @@ postscreen_access_list
 .IP "Postfix version 3.0 and later"
 smtpd_client_event_limit_exceptions
 .br
 .IP "Postfix version 3.11 and later"
 smtp_enforce_requiretls,
 lmtp_enforce_requiretls
 .br
 .br
 .SH permit_mx_backup_networks (default: empty)
 Restrict the use of the permit_mx_backup SMTP access feature to
@ -6578,6 +6587,28 @@ Require that a \fBlocal\fR(8) recipient's home directory exists
 before mail delivery is attempted. By default this test is disabled.
 It can be useful for environments that import home directories to
 the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
 .SH requiretls_enable (default: yes)
 Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
 8689. By issuing this verb in the "MAIL FROM" command, a sender
 specifies that a message must be delivered over TLS connections
 with a verified server certificate, to a server that announces
 "REQUIRETLS" support. This corresponds to the Postfix SMTP client
 TLS security levels "secure", "verify", "fingerprint", dane\-only,
 or opportunistic "dane", with a successful certificate match. The
 Postfix SMTP client will try one or more servers, controlled with
 the smtp_mx_address_limit parameter, until it finds a server that
 satisfies requirements. Otherwise, Postfix returns the message as
 undeliverable.
 .PP
 Notes:
 .IP \(bu
 REQUIRETLS enforcement is controlled with smtp_enforce_requiretls
 or lmtp_enforce_requiretls.
 .IP \(bu
 REQUIRETLS overrides "TLS\-Required: no".
 .br
 .PP
 This feature is available in Postfix >= 3.11.
 .SH reset_owner_alias (default: no)
 Reset the \fBlocal\fR(8) delivery agent's idea of the owner\-alias
 attribute, when delivering mail to a child alias that does not have
@ -7512,6 +7543,77 @@ reasonably\-modern DNS \fBresolver\fR(3) library that implements the
 RES_USE_DNSSEC and RES_USE_EDNS0 resolver options.
 .PP
 This feature is available in Postfix 2.11 and later.
 .SH smtp_enforce_requiretls (default: empty)
 An optional list of next\-hop destinations that the Postfix
 SMTP/LMTP client will enforce REQUIRETLS for, when a message was
 received with the REQUIRETLS option: the next\-hop server must offer
 a matching TLS server certificate, and the server must announce
 REQUIRETLS support). Such a message will be returned to the sender
 if some REQUIRETLS requirement cannot be satisfied. These "hard"
 REQUIRETLS failures are logged as "REQUIRETLS failure".
 .PP
 Other messages that were received with the REQUIRETLS option
 will be delivered with REQUIRETLS if possible. If not, a message
 will be delivered as if it was received without the REQUIRETLS
 option. This allows a mail sending site to discover when REQUIRETLS
 can be enforced, without disrupting email deliveries. These "soft"
 REQUIRETLS failures are logged with "REQUIRETLS Debug".
 .PP
 On a perimeter MTA, it can make sense to turn off REQUIRETLS
 enforcement, or even to turn off REQUIRETLS support, when delivering
 a message to an internal destination. The internal servers may not
 support REQUIRETLS, and their connections may be secured with means
 other than DANE, STS, and the like.
 .PP
 The supported syntax differs with SMTP and LMTP:
 .IP \(bu
 With SMTP, specify a list of next\-hop domain names (without
 the ":port" or ":service" suffix), "/file/name" patterns or
 "type:table" lookup tables, separated by commas and/or whitespace.
 Continue long lines by starting the next line with whitespace. A
 "/file/name" pattern is replaced by its contents.  A "type:table"
 lookup table is matched when a domain appears as lookup key. Specify
 "!pattern" to exclude a domain.
 .IP \(bu
 With LMTP, specify list of domain names (without the "inet":
 prefix, or  ":port" or ":service" suffix), or UNIX\-domain socket
 "/path/name" (without the "unix:" prefix), or "type:table" lookup
 tables, separated by commas and/or whitespace. Continue long lines
 by starting the next line with whitespace. A "type:table" lookup
 table is matched when a domain appears as lookup key. Specify
 "!pattern" to exclude a domain or socket path.
 .br
 .PP
 Specify the form ".domain" to match any name ending in ".domain".
 To change this behavior, list "smtp_enforce_requiretls" or
 "lmtp_enforce_requiretls" in the parent_domain_matches_subdomains
 parameter value.
 .PP
 SMTP Examples:
 .PP
 .nf
 .na
 # Enforce REQUIRETLS for SMTP with selected next\-hop domains.
 smtp_enforce_requiretls = example.com, foo.example
 .br
 # Enforce REQUIRETLS for SMTP with all but a few next\-hop domains.
 smtp_enforce_requiretls = !foo.example, static:all
 .fi
 .ad
 .PP
 LMTP examples:
 .PP
 .nf
 .na
 # Don't enforce REQUIRETLS
 lmtp_enforce_requiretls =
 .br
 # Enforce REQUIRETLS for specific destinations.
 lmtp_enforce_requiretls = /path/to/socket, message\-store.example
 .fi
 .ad
 .PP
 This feature is available in Postfix >= 3.11.
 .SH smtp_enforce_tls (default: no)
 Enforcement mode: require that remote SMTP servers use TLS
 encryption, and never send mail in the clear.  This also requires
@ -14453,6 +14555,8 @@ If a message contains a "TLS\-Required: no" header, then Postfix
 will add that header to a delivery status notification for that
 message.
 .PP
 Note: REQUIRETLS overrides "TLS\-Required: no".
 .PP
 This feature is available in Postfix >= 3.10.
 .SH tls_server_sni_maps (default: empty)
 Optional lookup tables that map names received from remote SMTP
--- a/postfix/man/man8/pipe.8
+++ b/postfix/man/man8/pipe.8
@ -294,6 +294,14 @@ expands to as many command\-line arguments as there are recipients.
 .sp
 This information is modified by the \fBhqu\fR flags for quoting
 and case folding.
 .IP \fB${requiretls}\fR
 This feature should be used with content filters that pass
 filtered mail to the Postfix sendmail(1) command. The macro
 expands to the sendmail(1) command\-line option \fB\-Orequiretls\fR
 if the sender requested REQUIRETLS, otherwise it expands to
 \fB\-Onoop\fR.
 .sp
 This feature is available as of Postfix 3.10.
 .IP \fB${sasl_method}\fR
 This macro expands to the name of the SASL authentication
 mechanism in the AUTH command when the Postfix SMTP server
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@ -190,7 +190,7 @@ RFC 5321 (SMTP protocol)
 RFC 6531 (Internationalized SMTP)
 RFC 6533 (Internationalized Delivery Status Notifications)
 RFC 7672 (SMTP security via opportunistic DANE TLS)
-RFC 8689 (TLS\-Required message header)
+RFC 8689 (SMTP REQUIRETLS extension)
 .SH DIAGNOSTICS
 .ad
 .fi
@ -485,7 +485,7 @@ Available in Postfix version 3.9 and later:
 .IP "\fBsmtp_sasl_password_result_delimiter (:)\fR"
 The delimiter between username and password in sasl_passwd_maps lookup
 results.
-.SH "STARTTLS SUPPORT CONTROLS"
+.SH "TLS SUPPORT CONTROLS"
 .na
 .nf
 .ad
@ -688,7 +688,16 @@ information to report).
 .IP "\fBtls_required_enable (yes)\fR"
 Enable support for the "TLS\-Required: no" message header, defined
 in RFC 8689.
-.SH "OBSOLETE STARTTLS CONTROLS"
+.IP "\fBrequiretls_enable (yes)\fR"
 Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
 8689.
 .IP "\fBsmtp_enforce_requiretls (empty)\fR"
 An optional list of next\-hop destinations that the Postfix
 SMTP/LMTP client will enforce REQUIRETLS for, when a message was
 received with the REQUIRETLS option: the next\-hop server must offer
 a matching TLS server certificate, and the server must announce
 REQUIRETLS support).
 .SH "OBSOLETE TLS CONTROLS"
 .na
 .nf
 .ad
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@ -67,6 +67,7 @@ RFC 5321 (SMTP protocol)
 RFC 6531 (Internationalized SMTP)
 RFC 6533 (Internationalized Delivery Status Notifications)
 RFC 7505 ("Null MX" No Service Resource Record)
 RFC 8689 (SMTP REQUIRETLS extension)
 .SH DIAGNOSTICS
 .ad
 .fi
@ -402,7 +403,7 @@ Available in Postfix 3.6 and later:
 .IP "\fBsmtpd_sasl_mechanism_filter (!external, static:rest)\fR"
 If non\-empty, a filter for the SASL mechanism names that the
 Postfix SMTP server will announce in the EHLO response.
-.SH "STARTTLS SUPPORT CONTROLS"
+.SH "TLS SUPPORT CONTROLS"
 .na
 .nf
 .ad
@ -578,7 +579,12 @@ Available in Postfix version 3.9 and later:
 Request that remote SMTP clients send an RFC7250 raw public key
 instead of an X.509 certificate, when asking for or requiring client
 authentication.
-.SH "OBSOLETE STARTTLS CONTROLS"
+.PP
 Available in Postfix version 3.10 and later:
 .IP "\fBrequiretls_enable (yes)\fR"
 Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
 8689.
 .SH "OBSOLETE TLS CONTROLS"
 .na
 .nf
 .ad
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -1187,6 +1187,10 @@ while (<>) {
    s;\bignore_srv_lookup_error\b;<a href="postconf.5.html#ignore_srv_lookup_error">$&</a>;g;
    s;\btls_required_enable\b;<a href="postconf.5.html#tls_required_enable">$&</a>;g;
    s;\brequiretls_enable\b;<a href="postconf.5.html#requiretls_enable">$&</a>;g;
    s;\bsmtp_enforce_requiretls\b;<a href="postconf.5.html#smtp_enforce_requiretls">$&</a>;g;
    s;\blmtp_enforce_requiretls\b;<a href="postconf.5.html#lmtp_enforce_requiretls">$&</a>;g;
    s;\bfull_name_encoding_charset\b;<a href="postconf.5.html#full_name_encoding_charset">$&</a>;g;
    s;\bsmtpd_hide_client_session\b;<a href="postconf.5.html#smtpd_hide_client_session">$&</a>;g;
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -3374,6 +3374,13 @@ postscreen_access_list
 smtpd_client_event_limit_exceptions
 </dd>
 <dt> Postfix version 3.11 and later </dt>
 <dd>
 smtp_enforce_requiretls,
 lmtp_enforce_requiretls
 </dd>
 </dl>
 %PARAM propagate_unmatched_extensions canonical, virtual
@ -19553,8 +19560,120 @@ If a message contains a "TLS-Required: no" header, then Postfix
 will add that header to a delivery status notification for that 
 message. </p>
 <p> Note: REQUIRETLS overrides "TLS-Required: no". </p>
 <p> This feature is available in Postfix &ge; 3.10. </p>
 %PARAM requiretls_enable yes
 <p> Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
 8689. By issuing this verb in the "MAIL FROM" command, a sender
 specifies that a message must be delivered over TLS connections
 with a verified server certificate, to a server that announces
 "REQUIRETLS" support. This corresponds to the Postfix SMTP client
 TLS security levels "secure", "verify", "fingerprint", dane-only,
 or opportunistic "dane", with a successful certificate match. The
 Postfix SMTP client will try one or more servers, controlled with
 the smtp_mx_address_limit parameter, until it finds a server that
 satisfies requirements. Otherwise, Postfix returns the message as
 undeliverable. </p>
 <p> Notes: </p>
 <ul>
 <li> <p> REQUIRETLS enforcement is controlled with smtp_enforce_requiretls
 or lmtp_enforce_requiretls. </p>
 <li> <p> REQUIRETLS overrides "TLS-Required: no". </p>
 </ul>
 <p> This feature is available in Postfix &ge; 3.11. </p>
 %PARAM smtp_enforce_requiretls empty
 <p> An optional list of next-hop destinations that the Postfix
 SMTP/LMTP client will enforce REQUIRETLS for, when a message was
 received with the REQUIRETLS option: the next-hop server must offer
 a matching TLS server certificate, and the server must announce
 REQUIRETLS support). Such a message will be returned to the sender
 if some REQUIRETLS requirement cannot be satisfied. These "hard"
 REQUIRETLS failures are logged as "REQUIRETLS failure". </p>
 <p> Other messages that were received with the REQUIRETLS option
 will be delivered with REQUIRETLS if possible. If not, a message
 will be delivered as if it was received without the REQUIRETLS
 option. This allows a mail sending site to discover when REQUIRETLS
 can be enforced, without disrupting email deliveries. These "soft"
 REQUIRETLS failures are logged with "REQUIRETLS Debug". </p>
 <p> On a perimeter MTA, it can make sense to turn off REQUIRETLS
 enforcement, or even to turn off REQUIRETLS support, when delivering
 a message to an internal destination. The internal servers may not
 support REQUIRETLS, and their connections may be secured with means
 other than DANE, STS, and the like. </p>
 <p> The supported syntax differs with SMTP and LMTP: </p>
 <ul> 
 <li> <p> With SMTP, specify a list of next-hop domain names (without
 the ":port" or ":service" suffix), "/file/name" patterns or
 "type:table" lookup tables, separated by commas and/or whitespace.
 Continue long lines by starting the next line with whitespace. A
 "/file/name" pattern is replaced by its contents.  A "type:table"
 lookup table is matched when a domain appears as lookup key. Specify
 "!pattern" to exclude a domain. </p>
 <li> <p> With LMTP, specify list of domain names (without the "inet":
 prefix, or  ":port" or ":service" suffix), or UNIX-domain socket
 "/path/name" (without the "unix:" prefix), or "type:table" lookup
 tables, separated by commas and/or whitespace. Continue long lines
 by starting the next line with whitespace. A "type:table" lookup
 table is matched when a domain appears as lookup key. Specify
 "!pattern" to exclude a domain or socket path. </p> 
 </ul>
 <p> Specify the form ".domain" to match any name ending in ".domain".
 To change this behavior, list "smtp_enforce_requiretls" or
 "lmtp_enforce_requiretls" in the parent_domain_matches_subdomains
 parameter value.  </p>
 <p>
 SMTP Examples:
 </p>
 <pre>
 # Enforce REQUIRETLS for SMTP with selected next-hop domains.
 smtp_enforce_requiretls = example.com, foo.example
 <br>
 # Enforce REQUIRETLS for SMTP with all but a few next-hop domains.
 smtp_enforce_requiretls = !foo.example, static:all
 </pre>
 <p>
 LMTP examples:
 </p>
 <pre>
 # Don't enforce REQUIRETLS 
 lmtp_enforce_requiretls =
 <br>
 # Enforce REQUIRETLS for specific destinations.
 lmtp_enforce_requiretls = /path/to/socket, message-store.example
 </pre>
 <p> This feature is available in Postfix &ge; 3.11. </p>
 %PARAM lmtp_enforce_requiretls empty
 <p> The LMTP-specific version of the smtp_enforce_requiretls
 configuration parameter. See there for details. </p>
 <p> This feature is available in Postfix &ge; 3.11. </p>
 %PARAM smtpd_hide_client_session no
 <p> Do not include SMTP client session information in the Postfix
--- a/postfix/proto/stop
+++ b/postfix/proto/stop
@ -1664,6 +1664,9 @@ REQUIRETLS
 RequireTLS
 requiretls
 sendopts
 TODO
 Onoop
 Orequiretls
 tz
 GID
 SIGKILL
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@ -159,10 +159,17 @@ proto  proto socketmap_table
 qmgr qmgr_deliver c qmgr qmgr_message c qmqpd qmqpd c 
 smtp smtp_proto c smtpd smtpd c verify verify c 
 operations Files cleanup cleanup h cleanup cleanup_message c 
- proto postconf proto pipe pipe c 
+ global ehlo_mask_test c local forward c smtpd smtpd c 
 more alternate MX servers to try Files smtp smtp h 
 Files sendmail sendmail c global rec_types h 
 Files sendmail sendmail c 
 Files sendmail sendmail c global rec_types h pickup pickup c 
 pipe pipe c sendmail sendmail c 
 smtp smtp c smtp smtp_proto c 
 bounce bounce c bounce bounce_notify_util c cleanup cleanup c 
 cleanup cleanup_message c smtp smtp c smtp smtp_connect c 
 Documentation edited for clarity Files pipe pipe c 
 servers to try Files smtp smtp h smtp smtp_proto c 
 global mail_params h smtpd smtpd c 
 global mail_params h proto postconf proto smtp smtp c 
 proto postconf proto proto TLS_README html 
--- a/postfix/proto/stop.spell-cc
+++ b/postfix/proto/stop.spell-cc
@ -1858,3 +1858,4 @@ TINYCDB
 getdata
 XXXSENDOPTS
 xtra
 NODICT
--- a/postfix/proto/stop.spell-history
+++ b/postfix/proto/stop.spell-history
@ -100,5 +100,6 @@ Roessner
 bitflags
 Schulze
 tlspol
 TlsRequired
 Gueven
 Oemer
--- a/postfix/src/bounce/bounce_notify_service.c
+++ b/postfix/src/bounce/bounce_notify_service.c
@ -98,6 +98,15 @@ int     bounce_notify_service(int flags, char *service, char *queue_name,
    char   *postmaster;
    int     count;
    /*
     * If the original sender requested REQUIRETLS, return headers only, and
     * do not enforce REQUIRETLS for the delivery status notification.
     */
    if ((sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
 	dsn_ret = DSN_RET_HDRS;
 	sendopts &= ~SOPT_REQUIRETLS_ESMTP;
    }
    /*
     * Initialize. Open queue file, bounce log, etc.
     * 
@ -196,7 +205,8 @@ int     bounce_notify_service(int flags, char *service, char *queue_name,
 		    && bounce_header_dsn(bounce, bounce_info) == 0
 		    && bounce_diagnostic_dsn(bounce, bounce_info,
 					     DSN_NOTIFY_OVERRIDE) > 0) {
-		    bounce_original(bounce, bounce_info, DSN_RET_FULL);
+		    bounce_original(bounce, bounce_info, dsn_ret ?
 				    dsn_ret : DSN_RET_FULL);
 		    bounce_status = post_mail_fclose(bounce);
 		    if (bounce_status == 0)
 			msg_info("%s: postmaster non-delivery notification: %s",
--- a/postfix/src/bounce/bounce_notify_util.c
+++ b/postfix/src/bounce/bounce_notify_util.c
@ -537,6 +537,7 @@ int     bounce_header(VSTREAM *bounce, BOUNCE_INFO *bounce_info,
     * Trade confidentiality against availability.
     */
    if (var_tls_required_enable
 	&& (bounce_info->sendopts & SOPT_REQUIRETLS_ESMTP) == 0
 	&& (bounce_info->sendopts & SOPT_REQUIRETLS_HEADER) != 0)
 	post_mail_fprintf(bounce, "TLS-Required: no");
--- a/postfix/src/bounce/bounce_notify_verp.c
+++ b/postfix/src/bounce/bounce_notify_verp.c
@ -111,6 +111,15 @@ int     bounce_notify_verp(int flags, char *service, char *queue_name,
    if (strcasecmp_utf8(recipient, mail_addr_double_bounce()) == 0)
 	msg_panic("%s: attempt to bounce a double bounce", myname);
    /*
     * If the original sender requested REQUIRETLS, return headers only, and
     * do not enforce REQUIRETLS for the delivery status notification.
     */
    if ((sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
 	dsn_ret = DSN_RET_HDRS;
 	sendopts &= ~SOPT_REQUIRETLS_ESMTP;
    }
    /*
     * Initialize. Open queue file, bounce log, etc.
     */
--- a/postfix/src/bounce/bounce_one_service.c
+++ b/postfix/src/bounce/bounce_one_service.c
@ -96,6 +96,15 @@ int     bounce_one_service(int flags, char *queue_name, char *queue_id,
 				    var_notify_classes);
    VSTRING *new_id = vstring_alloc(10);
    /*
     * If the original sender requested REQUIRETLS, return headers only, and
     * do not enforce REQUIRETLS for the delivery status notification.
     */
    if ((sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
 	dsn_ret = DSN_RET_HDRS;
 	sendopts &= ~SOPT_REQUIRETLS_ESMTP;
    }
    /*
     * Initialize. Open queue file, bounce log, etc.
     */
@ -162,7 +171,8 @@ int     bounce_one_service(int flags, char *queue_name, char *queue_id,
 		    && bounce_recipient_log(bounce, bounce_info) == 0
 		    && bounce_header_dsn(bounce, bounce_info) == 0
 		    && bounce_recipient_dsn(bounce, bounce_info) == 0)
-		    bounce_original(bounce, bounce_info, DSN_RET_FULL);
+		    bounce_original(bounce, bounce_info, dsn_ret ?
 				    dsn_ret : DSN_RET_FULL);
 		bounce_status = post_mail_fclose(bounce);
 		if (bounce_status == 0)
 		    msg_info("%s: postmaster non-delivery notification: %s",
--- a/postfix/src/bounce/bounce_trace_service.c
+++ b/postfix/src/bounce/bounce_trace_service.c
@ -95,6 +95,15 @@ int     bounce_trace_service(int flags, char *service, char *queue_name,
    int     count;
    const char *sender;
    /*
     * If the original sender requested REQUIRETLS, do not enforce REQUIRETLS
     * for the delivery status notification. The trace service always returns
     * headers only.
     */
    if ((sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
 	sendopts &= ~SOPT_REQUIRETLS_ESMTP;
    }
    /*
     * For consistency with fail/delay notifications, send notification for a
     * non-bounce message as a single-bounce message, send notification for a
--- a/postfix/src/bounce/bounce_warn_service.c
+++ b/postfix/src/bounce/bounce_warn_service.c
@ -98,6 +98,15 @@ int     bounce_warn_service(int unused_flags, char *service, char *queue_name,
    char   *postmaster;
    int     count;
    /*
     * If the original sender requested REQUIRETLS, return headers only, and
     * do not enforce REQUIRETLS for the delivery status notification.
     */
    if ((sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
 	dsn_ret = DSN_RET_HDRS;
 	sendopts &= ~SOPT_REQUIRETLS_ESMTP;
    }
    /*
     * Initialize. Open queue file, bounce log, etc.
     * 
@ -185,7 +194,8 @@ int     bounce_warn_service(int unused_flags, char *service, char *queue_name,
 		    && bounce_header_dsn(bounce, bounce_info) == 0
 		    && bounce_diagnostic_dsn(bounce, bounce_info,
 					     DSN_NOTIFY_OVERRIDE) > 0) {
-		    bounce_original(bounce, bounce_info, DSN_RET_FULL);
+		    bounce_original(bounce, bounce_info, dsn_ret ?
 				    dsn_ret : DSN_RET_FULL);
 		    bounce_status = post_mail_fclose(bounce);
 		    if (bounce_status == 0)
 			msg_info("%s: postmaster delay notification: %s",
--- a/postfix/src/cleanup/cleanup_api.c
+++ b/postfix/src/cleanup/cleanup_api.c
@ -80,6 +80,8 @@
 /* .IP CLEANUP_FLAG_AUTOUTF8
 /*	Autodetection: request SMTPUTF8 support if the message
 /*	contains an UTF8 message header, sender, or recipient.
 /* .IP CLEANUP_FLAG_REQUIRETLS
 /*	The sender requested REQUIRETLS (RFC 8689) enforcement.
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
 /*	or \fBpostlogd\fR(8).
@ -208,9 +210,15 @@ void    cleanup_control(CLEANUP_STATE *state, int flags)
    } else {
 	state->err_mask = ~0;
    }
    /*
     * Propagate requests that are specified at the envelope level. This may
     * be augmented later with information derived from message content.
     */
    if (state->flags & CLEANUP_FLAG_SMTPUTF8)
 	state->sendopts |= SMTPUTF8_FLAG_REQUESTED;
-    /* TODO(wietse) REQUIRETLS. */
+    if (state->flags & CLEANUP_FLAG_REQUIRETLS)
 	state->sendopts |= SOPT_REQUIRETLS_ESMTP;
    if (msg_verbose)
 	msg_info("server flags = %s", cleanup_strflags(state->flags));
 }
--- a/postfix/src/global/Makefile.in
+++ b/postfix/src/global/Makefile.in
@ -124,7 +124,7 @@ TESTPROG= domain_list dot_lockfile mail_addr_crunch mail_addr_find \
 	off_cvt quote_822_local rec2stream recdump resolve_clnt \
 	resolve_local rewrite_clnt stream2rec string_list tok822_parse \
 	quote_821_local mail_conf_time mime_state strip_addr \
-	verify_clnt xtext anvil_clnt scache ehlo_mask \
+	verify_clnt xtext anvil_clnt scache ehlo_mask_test \
 	valid_mailhost_addr own_inet_addr header_body_checks \
 	data_redirect addr_match_list safe_ultostr verify_sender_addr \
 	mail_version mail_dict server_acl uxtext mail_parm_split \
@ -336,7 +336,7 @@ anvil_clnt: $(LIB) $(LIBS)
 scache: scache.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
-ehlo_mask: ehlo_mask.c $(LIB) $(LIBS)
+ehlo_mask_test: ehlo_mask_test.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
 valid_mailhost_addr: valid_mailhost_addr.c $(LIB) $(LIBS)
@ -412,7 +412,7 @@ config_known_tcp_ports: config_known_tcp_ports.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
 tests: tok822_test mime_tests strip_addr_test tok822_limit_test \
-	xtext_test scache_multi_test ehlo_mask_test \
+	xtext_test scache_multi_test test_ehlo_mask \
 	namadr_list_test mail_conf_time_test header_body_checks_tests \
 	mail_version_test server_acl_test resolve_local_test maps_test \
 	safe_ultostr_test mail_parm_split_test fold_addr_test \
@ -612,10 +612,8 @@ scache_multi_test: scache scache_multi.in scache_multi.ref
 	diff scache_multi.ref scache_multi.tmp
 	rm -f scache_multi.tmp
-ehlo_mask_test: ehlo_mask ehlo_mask.in ehlo_mask.ref
+test_ehlo_mask: ehlo_mask_test
-	$(SHLIB_ENV) $(VALGRIND) ./ehlo_mask <ehlo_mask.in >ehlo_mask.tmp
+	$(SHLIB_ENV) $(VALGRIND) ./ehlo_mask_test
 	diff ehlo_mask.ref ehlo_mask.tmp
 	rm -f ehlo_mask.tmp
 namadr_list_test: namadr_list namadr_list.in namadr_list.ref
 	-$(SHLIB_ENV) sh namadr_list.in >namadr_list.tmp 2>&1
@ -1461,6 +1459,16 @@ ehlo_mask.o: ../../include/vbuf.h
 ehlo_mask.o: ../../include/vstring.h
 ehlo_mask.o: ehlo_mask.c
 ehlo_mask.o: ehlo_mask.h
 ehlo_mask_test.o: ../../include/check_arg.h
 ehlo_mask_test.o: ../../include/msg.h
 ehlo_mask_test.o: ../../include/msg_vstream.h
 ehlo_mask_test.o: ../../include/stringops.h
 ehlo_mask_test.o: ../../include/sys_defs.h
 ehlo_mask_test.o: ../../include/vbuf.h
 ehlo_mask_test.o: ../../include/vstream.h
 ehlo_mask_test.o: ../../include/vstring.h
 ehlo_mask_test.o: ehlo_mask.h
 ehlo_mask_test.o: ehlo_mask_test.c
 ext_prop.o: ../../include/check_arg.h
 ext_prop.o: ../../include/name_mask.h
 ext_prop.o: ../../include/sys_defs.h
--- a/postfix/src/global/addr_match_list.c
+++ b/postfix/src/global/addr_match_list.c
@ -42,6 +42,10 @@
 /*	Request that addr_match_list_match() logs a warning and
 /*	returns zero with list->error set to a non-zero dictionary
 /*	error code, instead of raising a fatal error.
 /* .IP MATCH_FLAG_NOFILE
 /*	Disable special handling for /file/name.
 /* .IP MATCH_FLAG_NODICT
 /*	Disable special handling for type:name.
 /* .PP
 /*	Specify MATCH_FLAG_NONE to request none of the above.
 /*	The last argument is a list of patterns, or the absolute
@ -67,6 +71,9 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
 /*
 /*	Wietse Venema
 /*	porcupine.org
 /*--*/
 /* System library. */
--- a/postfix/src/global/cleanup_strflags.c
+++ b/postfix/src/global/cleanup_strflags.c
@ -55,6 +55,7 @@ static struct cleanup_flag_map cleanup_flag_map[] = {
    CLEANUP_FLAG_SMTP_REPLY, "enable_smtp_reply",
    CLEANUP_FLAG_SMTPUTF8, "smtputf8_requested",
    CLEANUP_FLAG_AUTOUTF8, "smtputf8_autodetect",
    CLEANUP_FLAG_REQUIRETLS, "requiretls_requested",
 };
 /* cleanup_strflags - map flags code to printable string */
--- a/postfix/src/global/cleanup_user.h
+++ b/postfix/src/global/cleanup_user.h
@ -25,6 +25,7 @@
 #define CLEANUP_FLAG_SMTP_REPLY	(1<<7)	/* Enable SMTP reply */
 #define CLEANUP_FLAG_SMTPUTF8	(1<<8)	/* SMTPUTF8 requested */
 #define CLEANUP_FLAG_AUTOUTF8	(1<<9)	/* Autodetect SMTPUTF8 */
 #define CLEANUP_FLAG_REQUIRETLS	(1<<10)	/* REQUIRETLS requested */
 #define CLEANUP_FLAG_FILTER_ALL	(CLEANUP_FLAG_FILTER | CLEANUP_FLAG_MILTER)
--- a/postfix/src/global/domain_list.c
+++ b/postfix/src/global/domain_list.c
@ -45,6 +45,10 @@
 /*	Request that domain_list_match() logs a warning and returns
 /*	zero, with list->error set to a non-zero dictionary error
 /*	code, instead of raising a fatal error.
 /* .IP MATCH_FLAG_NOFILE
 /*	Disable special handling for /file/name.
 /* .IP MATCH_FLAG_NODICT
 /*	Disable special handling for type:name.
 /* .PP
 /*	Specify MATCH_FLAG_NONE to request none of the above.
 /*	The last argument is a list of domain patterns, or the name of
@ -69,6 +73,9 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
 /*
 /*	Wietse Venema
 /*	porcupine.org
 /*--*/
 /* System library. */
--- a/postfix/src/global/ehlo_mask.c
+++ b/postfix/src/global/ehlo_mask.c
@ -20,6 +20,7 @@
 /*	#define EHLO_MASK_DSN		(1<<11)
 /*	#define EHLO_MASK_SMTPUTF8	(1<<12)
 /*	#define EHLO_MASK_CHUNKING	(1<<13)
 /*	#define EHLO_MASK_REQUIRETLS	(1<<14)
 /*	#define EHLO_MASK_SILENT	(1<<15)
 /*
 /*	int	ehlo_mask(keyword_list)
@ -70,22 +71,22 @@
  * The lookup table.
  */
 static const NAME_MASK ehlo_mask_table[] = {
-    "8BITMIME", EHLO_MASK_8BITMIME,
+    EHLO_VERB_8BITMIME, EHLO_MASK_8BITMIME,
-    "AUTH", EHLO_MASK_AUTH,
+    EHLO_VERB_AUTH, EHLO_MASK_AUTH,
-    "ETRN", EHLO_MASK_ETRN,
+    EHLO_VERB_ETRN, EHLO_MASK_ETRN,
-    "PIPELINING", EHLO_MASK_PIPELINING,
+    EHLO_VERB_PIPELINING, EHLO_MASK_PIPELINING,
-    "SIZE", EHLO_MASK_SIZE,
+    EHLO_VERB_SIZE, EHLO_MASK_SIZE,
-    "VERP", EHLO_MASK_VERP,
+    EHLO_VERB_VERP, EHLO_MASK_VERP,
-    "VRFY", EHLO_MASK_VRFY,
+    EHLO_VERB_VRFY, EHLO_MASK_VRFY,
-    "XCLIENT", EHLO_MASK_XCLIENT,
+    EHLO_VERB_XCLIENT, EHLO_MASK_XCLIENT,
-    "XFORWARD", EHLO_MASK_XFORWARD,
+    EHLO_VERB_XFORWARD, EHLO_MASK_XFORWARD,
-    "STARTTLS", EHLO_MASK_STARTTLS,
+    EHLO_VERB_STARTTLS, EHLO_MASK_STARTTLS,
-    "ENHANCEDSTATUSCODES", EHLO_MASK_ENHANCEDSTATUSCODES,
+    EHLO_VERB_ENHANCEDSTATUSCODES, EHLO_MASK_ENHANCEDSTATUSCODES,
-    "DSN", EHLO_MASK_DSN,
+    EHLO_VERB_DSN, EHLO_MASK_DSN,
-    "EHLO_MASK_SMTPUTF8", EHLO_MASK_SMTPUTF8,
+    EHLO_VERB_SMTPUTF8, EHLO_MASK_SMTPUTF8,
-    "SMTPUTF8", EHLO_MASK_SMTPUTF8,
+    EHLO_VERB_CHUNKING, EHLO_MASK_CHUNKING,
-    "CHUNKING", EHLO_MASK_CHUNKING,
+    EHLO_VERB_REQUIRETLS, EHLO_MASK_REQUIRETLS,
-    "SILENT-DISCARD", EHLO_MASK_SILENT,	/* XXX In-band signaling */
+    EHLO_VERB_SILENT, EHLO_MASK_SILENT,
    0,
 };
@ -114,32 +115,3 @@ const char *str_ehlo_mask(int mask_bits)
     */
    return (str_name_mask("ehlo bitmask", ehlo_mask_table, mask_bits));
 }
 #ifdef TEST
 /*
  * Stand-alone test program.
  */
 #include <stdlib.h>
 #include <vstream.h>
 #include <vstring.h>
 #include <vstring_vstream.h>
 int     main(int unused_argc, char **unused_argv)
 {
    int     mask_bits;
    VSTRING *buf = vstring_alloc(1);
    const char *mask_string;
    while (vstring_get_nonl(buf, VSTREAM_IN) != VSTREAM_EOF) {
 	mask_bits = ehlo_mask(vstring_str(buf));
 	mask_string = str_ehlo_mask(mask_bits);
 	vstream_printf("%s -> 0x%x -> %s\n", vstring_str(buf), mask_bits,
 		       mask_string);
 	vstream_fflush(VSTREAM_OUT);
    }
    vstring_free(buf);
    exit(0);
 }
 #endif
--- a/postfix/src/global/ehlo_mask.h
+++ b/postfix/src/global/ehlo_mask.h
@ -12,7 +12,7 @@
 /* .nf
 /*
-  * External interface.
+  * Bit flags.
  */
 #define EHLO_MASK_8BITMIME	(1<<0)	/* start of first byte */
 #define EHLO_MASK_PIPELINING	(1<<1)
@ -29,8 +29,32 @@
 #define EHLO_MASK_DSN		(1<<11)
 #define EHLO_MASK_SMTPUTF8	(1<<12)
 #define EHLO_MASK_CHUNKING	(1<<13)
-#define EHLO_MASK_SILENT	(1<<15)
+#define EHLO_MASK_REQUIRETLS	(1<<14)
 #define EHLO_MASK_SILENT	(1<<15)	/* in-band signaling */
 /*
  * ESMTP verbs.
  */
 #define EHLO_VERB_8BITMIME 	"8BITMIME"
 #define EHLO_VERB_PIPELINING 	"PIPELINING"
 #define EHLO_VERB_SIZE 		"SIZE"
 #define EHLO_VERB_VRFY 		"VRFY"
 #define EHLO_VERB_ETRN 		"ETRN"
 #define EHLO_VERB_AUTH 		"AUTH"
 #define EHLO_VERB_VERP 		"VERP"
 #define EHLO_VERB_STARTTLS 	"STARTTLS"
 #define EHLO_VERB_XCLIENT 	"XCLIENT"
 #define EHLO_VERB_XFORWARD 	"XFORWARD"
 #define EHLO_VERB_ENHANCEDSTATUSCODES 	"ENHANCEDSTATUSCODES"
 #define EHLO_VERB_DSN 		"DSN"
 #define EHLO_VERB_SMTPUTF8 	"SMTPUTF8"
 #define EHLO_VERB_CHUNKING 	"CHUNKING"
 #define EHLO_VERB_REQUIRETLS 	"REQUIRETLS"
 #define EHLO_VERB_SILENT 	"SILENT-DISCARD"	/* in-band signaling */
 /*
  * Functions.
  */
 extern int ehlo_mask(const char *);
 extern const char *str_ehlo_mask(int);
--- a/postfix/src/global/ehlo_mask.in
+++ b/postfix/src/global/ehlo_mask.in
@ -1,3 +0,0 @@
 starttls, 8bitmime, verp, etrn, etrn
 foobar, auth, pipelining, size, vrfy
 xclient, xforward
--- a/postfix/src/global/ehlo_mask.ref
+++ b/postfix/src/global/ehlo_mask.ref
@ -1,3 +0,0 @@
 starttls, 8bitmime, verp, etrn, etrn -> 0xd1 -> 8BITMIME ETRN VERP STARTTLS
 foobar, auth, pipelining, size, vrfy -> 0x2e -> AUTH PIPELINING SIZE VRFY
 xclient, xforward -> 0x300 -> XCLIENT XFORWARD
--- a/postfix/src/global/ehlo_mask_test.c
+++ b/postfix/src/global/ehlo_mask_test.c
@ -0,0 +1,121 @@
 /*
  * System library.
  */
 #include <sys_defs.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stringops.h>
 /*
  * Utility library.
  */
 #include <msg.h>
 #include <msg_vstream.h>
 #include <vstream.h>
 #include <vstring.h>
 /*
  * Global library.
  */
 #include <ehlo_mask.h>
 /*
  * Tests and test cases.
  */
 typedef struct TEST_CASE {
    const char *label;			/* identifies test case */
    int     mask;
    const char *want;
 } TEST_CASE;
 /*
  * Verify that each verb has its unique bit mask.
  */
 static const TEST_CASE test_cases[] = {
    {"EHLO_MASK_8BITMIME",
 	EHLO_MASK_8BITMIME,
 	"8BITMIME"
    },
    {"EHLO_MASK_PIPELINING",
 	EHLO_MASK_PIPELINING,
 	"PIPELINING"
    },
    {"EHLO_MASK_SIZE",
 	EHLO_MASK_SIZE,
 	"SIZE"
    },
    {"EHLO_MASK_VRFY",
 	EHLO_MASK_VRFY,
 	"VRFY"
    },
    {"EHLO_MASK_ETRN",
 	EHLO_MASK_ETRN,
 	"ETRN"
    },
    {"EHLO_MASK_AUTH",
 	EHLO_MASK_AUTH,
 	"AUTH"
    },
    {"EHLO_MASK_VERP",
 	EHLO_MASK_VERP,
 	"VERP"
    },
    {"EHLO_MASK_STARTTLS",
 	EHLO_MASK_STARTTLS,
 	"STARTTLS"
    },
    {"EHLO_MASK_XCLIENT",
 	EHLO_MASK_XCLIENT,
 	"XCLIENT"
    },
    {"EHLO_MASK_ENHANCEDSTATUSCODES",
 	EHLO_MASK_ENHANCEDSTATUSCODES,
 	"ENHANCEDSTATUSCODES"
    },
    {"EHLO_MASK_DSN",
 	EHLO_MASK_DSN,
 	"DSN"
    },
    {"EHLO_MASK_SMTPUTF8",
 	EHLO_MASK_SMTPUTF8,
 	"SMTPUTF8"
    },
    {"EHLO_MASK_CHUNKING",
 	EHLO_MASK_CHUNKING,
 	"CHUNKING"
    },
    {"EHLO_MASK_REQUIRETLS",
 	EHLO_MASK_REQUIRETLS,
 	"REQUIRETLS"
    },
    {"EHLO_MASK_SILENT",
 	EHLO_MASK_SILENT,
 	"SILENT-DISCARD"
    },
    {0},
 };
 int     main(int argc, char **argv)
 {
    const TEST_CASE *tp;
    int     pass = 0;
    int     fail = 0;
    const char *got;
    msg_vstream_init(sane_basename((VSTRING *) 0, argv[0]), VSTREAM_ERR);
    for (tp = test_cases; tp->label != 0; tp++) {
 	msg_info("RUN  %s", tp->label);
 	got = str_ehlo_mask(tp->mask);
 	if (strcmp(got, tp->want) != 0) {
 	    msg_warn("got result '%s', want: '%s'", got, tp->want);
 	    fail++;
 	    msg_info("FAIL %s", tp->label);
 	} else {
 	    msg_info("PASS %s", tp->label);
 	    pass++;
 	}
    }
    msg_info("PASS=%d FAIL=%d", pass, fail);
    exit(fail != 0);
 }
--- a/postfix/src/global/mail_params.c
+++ b/postfix/src/global/mail_params.c
@ -128,6 +128,7 @@
 /*	int	var_smtputf8_enable;
 /*	int	var_strict_smtputf8;
 /*	char	*var_smtputf8_autoclass;
 /*	int	var_requiretls_enable;
 /*	int	var_tls_required_enable;
 /*	int     var_idna2003_compat;
 /*	char	*var_compatibility_level;
@ -370,6 +371,7 @@ char   *var_dsn_filter;
 int     var_smtputf8_enable;
 int     var_strict_smtputf8;
 char   *var_smtputf8_autoclass;
 int     var_requiretls_enable;
 int     var_tls_required_enable;
 int     var_idna2003_compat;
 char   *var_compatibility_level;
@ -757,6 +759,7 @@ void    mail_params_init()
 	VAR_SMTPUTF8_ENABLE, DEF_SMTPUTF8_ENABLE, &var_smtputf8_enable,
 	VAR_IDNA2003_COMPAT, DEF_IDNA2003_COMPAT, &var_idna2003_compat,
 	VAR_RESPECTFUL_LOGGING, DEF_RESPECTFUL_LOGGING, &var_respectful_logging,
 	VAR_REQUIRETLS_ENABLE, DEF_REQUIRETLS_ENABLE, &var_requiretls_enable,
 	VAR_TLSREQUIRED_ENABLE, DEF_TLSREQUIRED_ENABLE, &var_tls_required_enable,
 	0,
    };
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@ -4383,6 +4383,17 @@ extern int var_idna2003_compat;
 #define DEF_TLSREQUIRED_ENABLE		"yes"
 extern int var_tls_required_enable;
 #define VAR_REQUIRETLS_ENABLE		"requiretls_enable"
 #define DEF_REQUIRETLS_ENABLE		"yes"
 extern int var_requiretls_enable;
 #define VAR_SMTP_ENFORCE_REQUIRETLS	"smtp_enforce_requiretls"
 #define DEF_SMTP_ENFORCE_REQUIRETLS	""
 extern char *var_smtp_enforce_requiretls;
 #define VAR_LMTP_ENFORCE_REQUIRETLS	"lmtp_enforce_requiretls"
 #define DEF_LMTP_ENFORCE_REQUIRETLS	""
 /*
  * Workaround for future incompatibility. Our implementation of RFC 2308
  * negative reply caching relies on the promise that res_query() and
--- a/postfix/src/global/namadr_list.c
+++ b/postfix/src/global/namadr_list.c
@ -51,6 +51,10 @@
 /*	Request that namadr_list_match() logs a warning and returns
 /*	zero with list->error set to a non-zero dictionary error
 /*	code, instead of raising a fatal error.
 /* .IP MATCH_FLAG_NOFILE
 /*	Disable special handling for /file/name.
 /* .IP MATCH_FLAG_NODICT
 /*	Disable special handling for type:name.
 /* .PP
 /*	Specify MATCH_FLAG_NONE to request none of the above.
 /*	The last argument is a list of patterns, or the absolute
@ -75,6 +79,9 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
 /*
 /*	Wietse Venema
 /*	porcupine.org
 /*--*/
 /* System library. */
--- a/postfix/src/global/post_mail.c
+++ b/postfix/src/global/post_mail.c
@ -225,8 +225,8 @@ static void post_mail_init(VSTREAM *stream, const char *sender,
    int     cleanup_flags =
    int_filt_flags(source_class) | CLEANUP_FLAG_MASK_INTERNAL
    | smtputf8_autodetect(source_class)
    | ((sendopts & SOPT_REQUIRETLS_ESMTP) ? CLEANUP_FLAG_REQUIRETLS : 0)
    | ((sendopts & SMTPUTF8_FLAG_REQUESTED) ? CLEANUP_FLAG_SMTPUTF8 : 0);
    /* TODO(wietse) REQUIRETLS. */
    GETTIMEOFDAY(&now);
    date = mail_date(now.tv_sec);
--- a/postfix/src/global/rec_type.h
+++ b/postfix/src/global/rec_type.h
@ -110,7 +110,7 @@
 /*
  * The subset of inputs that the postdrop command allows.
  */
-#define REC_TYPE_POST_ENVELOPE	"MFSRVAin"
+#define REC_TYPE_POST_ENVELOPE	"MCFSRVAin"
 #define REC_TYPE_POST_CONTENT	"XLN"
 #define REC_TYPE_POST_EXTRACT	"EAR"
--- a/postfix/src/global/string_list.c
+++ b/postfix/src/global/string_list.c
@ -39,6 +39,10 @@
 /*	Request that string_list_match() logs a warning and returns
 /*	zero with list->error set to a non-zero dictionary error
 /*	code, instead of raising a fatal error.
 /* .IP MATCH_FLAG_NOFILE
 /*	Disable special handling for /file/name.
 /* .IP MATCH_FLAG_NODICT
 /*	Disable special handling for type:name.
 /* .PP
 /*	Specify MATCH_FLAG_NONE to request none of the above.
 /*	The last argument specifies a list of string patterns.
@ -61,6 +65,9 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
 /*
 /*	Wietse Venema
 /*	porcupine.org
 /*--*/
 /* System library. */
--- a/postfix/src/local/forward.c
+++ b/postfix/src/local/forward.c
@ -163,9 +163,10 @@ static FORWARD_INFO *forward_open(DELIVER_REQUEST *request, const char *sender)
 #define FORWARD_CLEANUP_FLAGS \
 	(CLEANUP_FLAG_BOUNCE | CLEANUP_FLAG_MASK_INTERNAL \
 	| smtputf8_autodetect(MAIL_SRC_MASK_FORWARD) \
 	| ((request->sendopts & SOPT_REQUIRETLS_ESMTP) ? \
 	CLEANUP_FLAG_REQUIRETLS : 0) \
 	| ((request->sendopts & SMTPUTF8_FLAG_REQUESTED) ? \
 	CLEANUP_FLAG_SMTPUTF8 : 0))
 	/* TODO(wietse) REQUIRETLS. */
    attr_print(cleanup, ATTR_FLAG_NONE,
 	       SEND_ATTR_INT(MAIL_ATTR_FLAGS, FORWARD_CLEANUP_FLAGS),
--- a/postfix/src/pickup/pickup.c
+++ b/postfix/src/pickup/pickup.c
@ -236,6 +236,7 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
    char   *attr_value;
    char   *saved_attr;
    int     skip_attr;
    ssize_t count;
    /*
     * Limit the input record size. All front-end programs should protect the
@ -246,7 +247,7 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
     * 
     * We must allow PTR records here because of "postsuper -r".
     */
-    for (;;) {
+    for (count = 0; /* void */; count++) {
 	if ((type = rec_get(qfile, buf, var_line_limit)) < 0
 	    || strchr(expected, type) == 0)
 	    return (file_read_error(info, type));
@ -264,6 +265,9 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
 	}
 	if (type == REC_TYPE_TIME)
 	    time_seen = 1;
 	if (type == REC_TYPE_SIZE && count > 5)
 	    /* Discard SIZE record not at beginning of segment. */
 	    continue;
 	/*
 	 * XXX Workaround: REC_TYPE_FILT (used in envelopes) == REC_TYPE_CONT
--- a/postfix/src/pipe/Makefile.in
+++ b/postfix/src/pipe/Makefile.in
@ -83,6 +83,7 @@ pipe.o: ../../include/pipe_command.h
 pipe.o: ../../include/quote_822_local.h
 pipe.o: ../../include/quote_flags.h
 pipe.o: ../../include/recipient_list.h
 pipe.o: ../../include/sendopts.h
 pipe.o: ../../include/sent.h
 pipe.o: ../../include/set_eugid.h
 pipe.o: ../../include/split_addr.h
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@ -284,6 +284,14 @@
 /* .sp
 /*	This information is modified by the \fBhqu\fR flags for quoting
 /*	and case folding.
 /* .IP \fB${requiretls}\fR
 /*	This feature should be used with content filters that pass
 /*	filtered mail to the Postfix sendmail(1) command. The macro
 /*	expands to the sendmail(1) command-line option \fB-Orequiretls\fR
 /*	if the sender requested REQUIRETLS, otherwise it expands to
 /*	\fB-Onoop\fR.
 /* .sp
 /*	This feature is available as of Postfix 3.10.
 /* .IP \fB${sasl_method}\fR
 /*	This macro expands to the name of the SASL authentication
 /*	mechanism in the AUTH command when the Postfix SMTP server
@ -519,6 +527,7 @@
 #include <delivered_hdr.h>
 #include <fold_addr.h>
 #include <mail_parm_split.h>
 #include <sendopts.h>
 /* Single server skeleton. */
@ -553,6 +562,7 @@
 #define PIPE_DICT_SASL_SENDER	"sasl_sender"	/* key */
 #define PIPE_DICT_QUEUE_ID	"queue_id"	/* key */
 #define PIPE_DICT_ENVID		"envid"	/* key */
 #define PIPE_DICT_REQUIRETLS	"requiretls"	/* key */
 /*
  * Flags used to pass back the type of special parameter found by
@ -659,6 +669,7 @@ static int parse_callback(int type, VSTRING *buf, void *context)
 	PIPE_DICT_SASL_SENDER, 0,
 	PIPE_DICT_QUEUE_ID, 0,
 	PIPE_DICT_ENVID, 0,
 	PIPE_DICT_REQUIRETLS, 0,
 	0, 0,
    };
    struct cmd_flags *p;
@ -1290,6 +1301,9 @@ static int deliver_message(DELIVER_REQUEST *request, char *service, char **argv)
 		request->queue_id);
    dict_update(PIPE_DICT_TABLE, PIPE_DICT_ENVID,
 		request->dsn_envid);
    dict_update(PIPE_DICT_TABLE, PIPE_DICT_REQUIRETLS,
 		(request->sendopts & SOPT_REQUIRETLS_ESMTP)
 		&& var_requiretls_enable ? "-Orequiretls" : "-Onoop");
    vstring_free(buf);
    if ((expanded_argv = expand_argv(service, attr.command,
--- a/postfix/src/sendmail/Makefile.in
+++ b/postfix/src/sendmail/Makefile.in
@ -86,6 +86,7 @@ sendmail.o: ../../include/recipient_list.h
 sendmail.o: ../../include/record.h
 sendmail.o: ../../include/resolve_clnt.h
 sendmail.o: ../../include/safe.h
 sendmail.o: ../../include/sendopts.h
 sendmail.o: ../../include/set_ugid.h
 sendmail.o: ../../include/split_at.h
 sendmail.o: ../../include/stringops.h
--- a/postfix/src/sendmail/sendmail.c
+++ b/postfix/src/sendmail/sendmail.c
@ -152,10 +152,28 @@
 /*	comma-separated list with one or more of \fBfailure\fR (send
 /*	notification when delivery fails), \fBdelay\fR (send
 /*	notification when delivery is delayed), or \fBsuccess\fR
-/*	(send notification when the message is delivered); or specify
+/*	(send notification after the message is delivered); or specify
 /*	\fBnever\fR (don't send any notifications at all).
 /*
 /*	This feature is available in Postfix 2.3 and later.
 /* .IP "\fB-O requiretls"
 /*	When delivering a message to an SMTP or LMTP server, the
 /*	connection must use TLS with a verified server certificate,
 /*	and the server must support REQUIRETLS. Try multiple servers if
 /*	possible, and return the message as undeliverable when these
 /*	requirements were not satisfied with any of the servers that
 /*	were tried. The "requiretls" option value is case-insensitive.
 /*
 /*	This feature is available in Postfix 3.10 and later.
 /* .IP "\fB-O smtputf8"
 /*	When delivering a message to an SMTP or LMTP server, the server
 /*	must support SMTPUTF8. Try multiple servers if possible, and
 /*	return the message as undeliverable when a message contains an
 /*	UTF8 envelope address or message header, but SMTPUTF8 was not
 /*	supported by any of the servers that were tried. The "smtputf8"
 /*	option value is case-insensitive.
 /*
 /*	This feature is available in Postfix 3.10 and later.
 /* .IP "\fB-n\fR (ignored)"
 /*	Backwards compatibility.
 /* .IP "\fB-oA\fIalias_database\fR"
@ -434,6 +452,11 @@
 /*	the Postfix executable files and documentation with the default
 /*	Postfix instance, and that are started, stopped, etc., together
 /*	with the default Postfix instance.
 /* .PP
 /*	Postfix 3.10 and later:
 /* .IP "\fBrequiretls_enable (yes)\fR"
 /*	Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
 /*	8689.
 /* FILES
 /*	/var/spool/postfix, mail queue
 /*	/etc/postfix, configuration files
@ -537,6 +560,7 @@
 #include <user_acl.h>
 #include <dsn_mask.h>
 #include <mail_parm_split.h>
 #include <sendopts.h>
 /* Application-specific. */
@ -589,6 +613,11 @@ static const CONFIG_STR_TABLE str_table[] = {
    0,
 };
 /*
  * Sender options.
  */
 static int sm_sendopts;
 /*
  * Silly little macros (SLMs).
  */
@ -788,6 +817,14 @@ static void enqueue(const int flags, const char *encoding,
     * With "sendmail -N", instead of a per-message NOTIFY record we store one
     * per recipient so that we can simplify the implementation somewhat.
     */
    if (sm_sendopts)
 	rec_fprintf(dst, REC_TYPE_SIZE, REC_TYPE_SIZE_FORMAT,
 		    (REC_TYPE_SIZE_CAST1) ~ 0,	/* message segment size */
 		    (REC_TYPE_SIZE_CAST2) ~ 0,	/* content offset */
 		    (REC_TYPE_SIZE_CAST3) ~ 0,	/* recipient count */
 		    (REC_TYPE_SIZE_CAST4) ~ 0,	/* qmgr options */
 		    (REC_TYPE_SIZE_CAST5) ~ 0,	/* content length */
 		    (REC_TYPE_SIZE_CAST6) sm_sendopts);
    if (dsn_envid)
 	rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s",
 		    MAIL_ATTR_DSN_ENVID, dsn_envid);
@ -1251,7 +1288,20 @@ int     main(int argc, char **argv)
 	    break;
 	case 'N':
 	    if ((dsn_notify = dsn_notify_mask(optarg)) == 0)
-		msg_warn("bad -N option value -- ignored");
+		msg_warn("bad -N option value: '%s' -- ignored", optarg);
 	    break;
 	case 'O':
 	    /* NOOP is used to implement ${requiretls} in pipe(8). */
 	    if (strcasecmp(optarg, "REQUIRETLS") == 0) {
 		sm_sendopts |= SOPT_REQUIRETLS_ESMTP;
 	    if (var_requiretls_enable == 0)
 		msg_warn("'-O requiretls' was requested, but the "
 			 "configuration is 'requiretls_enable = no'");
 	    } else if (strcasecmp(optarg, "SMTPUTF8") == 0) {
 		sm_sendopts |= SOPT_SMTPUTF8_REQUESTED;
 	    } else if (strcasecmp(optarg, "NOOP") != 0) {
 		msg_warn("bad -O option value: '%s' -- ignored", optarg);
 	    }
 	    break;
 	case 'R':
 	    if ((dsn_ret = dsn_ret_code(optarg)) == 0)
--- a/postfix/src/smtp/Makefile.in
+++ b/postfix/src/smtp/Makefile.in
@ -84,6 +84,7 @@ smtp.o: ../../include/deliver_request.h
 smtp.o: ../../include/delivered_hdr.h
 smtp.o: ../../include/dict.h
 smtp.o: ../../include/dns.h
 smtp.o: ../../include/domain_list.h
 smtp.o: ../../include/dsn.h
 smtp.o: ../../include/dsn_buf.h
 smtp.o: ../../include/ext_prop.h
@ -134,6 +135,7 @@ smtp_addr.o: ../../include/check_arg.h
 smtp_addr.o: ../../include/deliver_request.h
 smtp_addr.o: ../../include/dict.h
 smtp_addr.o: ../../include/dns.h
 smtp_addr.o: ../../include/domain_list.h
 smtp_addr.o: ../../include/dsn.h
 smtp_addr.o: ../../include/dsn_buf.h
 smtp_addr.o: ../../include/header_body_checks.h
@ -178,6 +180,7 @@ smtp_chat.o: ../../include/cleanup_user.h
 smtp_chat.o: ../../include/deliver_request.h
 smtp_chat.o: ../../include/dict.h
 smtp_chat.o: ../../include/dns.h
 smtp_chat.o: ../../include/domain_list.h
 smtp_chat.o: ../../include/dsn.h
 smtp_chat.o: ../../include/dsn_buf.h
 smtp_chat.o: ../../include/dsn_util.h
@ -229,6 +232,7 @@ smtp_connect.o: ../../include/deliver_pass.h
 smtp_connect.o: ../../include/deliver_request.h
 smtp_connect.o: ../../include/dict.h
 smtp_connect.o: ../../include/dns.h
 smtp_connect.o: ../../include/domain_list.h
 smtp_connect.o: ../../include/dsn.h
 smtp_connect.o: ../../include/dsn_buf.h
 smtp_connect.o: ../../include/header_body_checks.h
@ -284,6 +288,7 @@ smtp_key.o: ../../include/check_arg.h
 smtp_key.o: ../../include/deliver_request.h
 smtp_key.o: ../../include/dict.h
 smtp_key.o: ../../include/dns.h
 smtp_key.o: ../../include/domain_list.h
 smtp_key.o: ../../include/dsn.h
 smtp_key.o: ../../include/dsn_buf.h
 smtp_key.o: ../../include/header_body_checks.h
@ -321,6 +326,7 @@ smtp_map11.o: ../../include/check_arg.h
 smtp_map11.o: ../../include/deliver_request.h
 smtp_map11.o: ../../include/dict.h
 smtp_map11.o: ../../include/dns.h
 smtp_map11.o: ../../include/domain_list.h
 smtp_map11.o: ../../include/dsn.h
 smtp_map11.o: ../../include/dsn_buf.h
 smtp_map11.o: ../../include/header_body_checks.h
@ -361,6 +367,7 @@ smtp_misc.o: ../../include/check_arg.h
 smtp_misc.o: ../../include/deliver_request.h
 smtp_misc.o: ../../include/dict.h
 smtp_misc.o: ../../include/dns.h
 smtp_misc.o: ../../include/domain_list.h
 smtp_misc.o: ../../include/dsn.h
 smtp_misc.o: ../../include/dsn_buf.h
 smtp_misc.o: ../../include/ext_prop.h
@ -404,6 +411,7 @@ smtp_proto.o: ../../include/defer.h
 smtp_proto.o: ../../include/deliver_request.h
 smtp_proto.o: ../../include/dict.h
 smtp_proto.o: ../../include/dns.h
 smtp_proto.o: ../../include/domain_list.h
 smtp_proto.o: ../../include/dsn.h
 smtp_proto.o: ../../include/dsn_buf.h
 smtp_proto.o: ../../include/dsn_mask.h
@ -470,6 +478,7 @@ smtp_rcpt.o: ../../include/deliver_completed.h
 smtp_rcpt.o: ../../include/deliver_request.h
 smtp_rcpt.o: ../../include/dict.h
 smtp_rcpt.o: ../../include/dns.h
 smtp_rcpt.o: ../../include/domain_list.h
 smtp_rcpt.o: ../../include/dsn.h
 smtp_rcpt.o: ../../include/dsn_buf.h
 smtp_rcpt.o: ../../include/dsn_mask.h
@ -510,6 +519,7 @@ smtp_reuse.o: ../../include/check_arg.h
 smtp_reuse.o: ../../include/deliver_request.h
 smtp_reuse.o: ../../include/dict.h
 smtp_reuse.o: ../../include/dns.h
 smtp_reuse.o: ../../include/domain_list.h
 smtp_reuse.o: ../../include/dsn.h
 smtp_reuse.o: ../../include/dsn_buf.h
 smtp_reuse.o: ../../include/header_body_checks.h
@ -551,6 +561,7 @@ smtp_sasl_auth_cache.o: ../../include/deliver_request.h
 smtp_sasl_auth_cache.o: ../../include/dict.h
 smtp_sasl_auth_cache.o: ../../include/dict_proxy.h
 smtp_sasl_auth_cache.o: ../../include/dns.h
 smtp_sasl_auth_cache.o: ../../include/domain_list.h
 smtp_sasl_auth_cache.o: ../../include/dsn.h
 smtp_sasl_auth_cache.o: ../../include/dsn_buf.h
 smtp_sasl_auth_cache.o: ../../include/dsn_util.h
@ -591,6 +602,7 @@ smtp_sasl_glue.o: ../../include/check_arg.h
 smtp_sasl_glue.o: ../../include/deliver_request.h
 smtp_sasl_glue.o: ../../include/dict.h
 smtp_sasl_glue.o: ../../include/dns.h
 smtp_sasl_glue.o: ../../include/domain_list.h
 smtp_sasl_glue.o: ../../include/dsn.h
 smtp_sasl_glue.o: ../../include/dsn_buf.h
 smtp_sasl_glue.o: ../../include/header_body_checks.h
@ -636,6 +648,7 @@ smtp_sasl_proto.o: ../../include/check_arg.h
 smtp_sasl_proto.o: ../../include/deliver_request.h
 smtp_sasl_proto.o: ../../include/dict.h
 smtp_sasl_proto.o: ../../include/dns.h
 smtp_sasl_proto.o: ../../include/domain_list.h
 smtp_sasl_proto.o: ../../include/dsn.h
 smtp_sasl_proto.o: ../../include/dsn_buf.h
 smtp_sasl_proto.o: ../../include/header_body_checks.h
@ -677,6 +690,7 @@ smtp_session.o: ../../include/debug_peer.h
 smtp_session.o: ../../include/deliver_request.h
 smtp_session.o: ../../include/dict.h
 smtp_session.o: ../../include/dns.h
 smtp_session.o: ../../include/domain_list.h
 smtp_session.o: ../../include/dsn.h
 smtp_session.o: ../../include/dsn_buf.h
 smtp_session.o: ../../include/header_body_checks.h
@ -717,6 +731,7 @@ smtp_state.o: ../../include/debug_peer.h
 smtp_state.o: ../../include/deliver_request.h
 smtp_state.o: ../../include/dict.h
 smtp_state.o: ../../include/dns.h
 smtp_state.o: ../../include/domain_list.h
 smtp_state.o: ../../include/dsn.h
 smtp_state.o: ../../include/dsn_buf.h
 smtp_state.o: ../../include/header_body_checks.h
@ -757,6 +772,7 @@ smtp_tls_policy.o: ../../include/ctable.h
 smtp_tls_policy.o: ../../include/deliver_request.h
 smtp_tls_policy.o: ../../include/dict.h
 smtp_tls_policy.o: ../../include/dns.h
 smtp_tls_policy.o: ../../include/domain_list.h
 smtp_tls_policy.o: ../../include/dsn.h
 smtp_tls_policy.o: ../../include/dsn_buf.h
 smtp_tls_policy.o: ../../include/header_body_checks.h
@ -799,6 +815,7 @@ smtp_tlsrpt.o: ../../include/check_arg.h
 smtp_tlsrpt.o: ../../include/deliver_request.h
 smtp_tlsrpt.o: ../../include/dict.h
 smtp_tlsrpt.o: ../../include/dns.h
 smtp_tlsrpt.o: ../../include/domain_list.h
 smtp_tlsrpt.o: ../../include/dsn.h
 smtp_tlsrpt.o: ../../include/dsn_buf.h
 smtp_tlsrpt.o: ../../include/header_body_checks.h
@ -843,6 +860,7 @@ smtp_trouble.o: ../../include/deliver_completed.h
 smtp_trouble.o: ../../include/deliver_request.h
 smtp_trouble.o: ../../include/dict.h
 smtp_trouble.o: ../../include/dns.h
 smtp_trouble.o: ../../include/domain_list.h
 smtp_trouble.o: ../../include/dsn.h
 smtp_trouble.o: ../../include/dsn_buf.h
 smtp_trouble.o: ../../include/header_body_checks.h
@ -884,6 +902,7 @@ smtp_unalias.o: ../../include/check_arg.h
 smtp_unalias.o: ../../include/deliver_request.h
 smtp_unalias.o: ../../include/dict.h
 smtp_unalias.o: ../../include/dns.h
 smtp_unalias.o: ../../include/domain_list.h
 smtp_unalias.o: ../../include/dsn.h
 smtp_unalias.o: ../../include/dsn_buf.h
 smtp_unalias.o: ../../include/header_body_checks.h
--- a/postfix/src/smtp/lmtp_params.c
+++ b/postfix/src/smtp/lmtp_params.c
@ -68,6 +68,7 @@
 	VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0,
 	VAR_USE_SRV_LOOKUP, DEF_USE_SRV_LOOKUP, &var_use_srv_lookup, 0, 0,
 	VAR_LMTP_TLSRPT_SOCKNAME, DEF_LMTP_TLSRPT_SOCKNAME, &var_smtp_tlsrpt_sockname, 0, 0,
 	VAR_LMTP_ENFORCE_REQUIRETLS, DEF_LMTP_ENFORCE_REQUIRETLS, &var_smtp_enforce_requiretls, 0, 0,
 	0,
    };
    static const CONFIG_TIME_TABLE lmtp_time_table[] = {
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@ -172,7 +172,7 @@
 /*	RFC 6531 (Internationalized SMTP)
 /*	RFC 6533 (Internationalized Delivery Status Notifications)
 /*	RFC 7672 (SMTP security via opportunistic DANE TLS)
-/*	RFC 8689 (TLS-Required message header)
+/*	RFC 8689 (SMTP REQUIRETLS extension)
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
 /*	or \fBpostlogd\fR(8).
@ -453,7 +453,7 @@
 /* .IP "\fBsmtp_sasl_password_result_delimiter (:)\fR"
 /*	The delimiter between username and password in sasl_passwd_maps lookup
 /*	results.
-/* STARTTLS SUPPORT CONTROLS
+/* TLS SUPPORT CONTROLS
 /* .ad
 /* .fi
 /*	Detailed information about STARTTLS configuration may be found
@ -654,7 +654,16 @@
 /* .IP "\fBtls_required_enable (yes)\fR"
 /*	Enable support for the "TLS-Required: no" message header, defined
 /*	in RFC 8689.
-/* OBSOLETE STARTTLS CONTROLS
+/* .IP "\fBrequiretls_enable (yes)\fR"
 /*	Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
 /*	8689.
 /* .IP "\fBsmtp_enforce_requiretls (empty)\fR"
 /*	An optional list of next-hop destinations that the Postfix
 /*	SMTP/LMTP client will enforce REQUIRETLS for, when a message was
 /*	received with the REQUIRETLS option: the next-hop server must offer
 /*	a matching TLS server certificate, and the server must announce
 /*	REQUIRETLS support).
 /* OBSOLETE TLS CONTROLS
 /* .ad
 /* .fi
 /*	The following configuration parameters exist for compatibility
@ -1021,6 +1030,8 @@
 #include <maps.h>
 #include <ext_prop.h>
 #include <hfrom_format.h>
 #include <domain_list.h>
 #include <match_parent_style.h>
 /* DNS library. */
@ -1165,6 +1176,7 @@ bool    var_allow_srv_fallback;
 bool    var_smtp_tlsrpt_enable;
 char   *var_smtp_tlsrpt_sockname;
 bool    var_smtp_tlsrpt_skip_reused_hs;
 char   *var_smtp_enforce_requiretls;
 /* Special handling of 535 AUTH errors. */
 char   *var_smtp_sasl_auth_cache_name;
@ -1192,6 +1204,7 @@ HBC_CHECKS *smtp_body_checks;		/* limited body checks */
 SMTP_CLI_ATTR smtp_cli_attr;		/* parsed command-line */
 int     smtp_hfrom_format;		/* postmaster notifications */
 STRING_LIST *smtp_use_srv_lookup;
 DOMAIN_LIST *smtp_enforce_requiretls;
 #ifdef USE_TLS
@ -1693,6 +1706,23 @@ static void pre_init(char *unused_name, char **unused_argv)
    if (*var_smtp_dns_re_filter)
 	dns_rr_filter_compile(VAR_LMTP_SMTP(DNS_RE_FILTER),
 			      var_smtp_dns_re_filter);
    /*
     * REQUIRETLS enforcement uses a match list. No MATCH_FLAG_RETURN after
     * table lookup error, because fail-open is not a good option. We would
     * have to defer all delivery requests anyway. Disable /file/name magic
     * for LMTP, because that would break the handling of UNIX-domain socket
     * pathnames.
     */
    if (var_requiretls_enable && *var_smtp_enforce_requiretls) {
 	int     flags = smtp_mode ? 0 : MATCH_FLAG_NOFILE;
 	const char *param_name = VAR_LMTP_SMTP(ENFORCE_REQUIRETLS);
 	smtp_enforce_requiretls =
 	    domain_list_init(param_name,
 			     match_parent_style(param_name) | flags,
 			     var_smtp_enforce_requiretls);
    }
 }
 /* pre_accept - see if tables have changed */
--- a/postfix/src/smtp/smtp.h
+++ b/postfix/src/smtp/smtp.h
@ -32,6 +32,7 @@
 #include <tok822.h>
 #include <dsn_buf.h>
 #include <header_body_checks.h>
 #include <domain_list.h>
 /*
  * Postfix TLS library.
@ -200,6 +201,7 @@ typedef struct SMTP_STATE {
 #ifdef USE_TLSRPT
    struct TLSRPT_WRAPPER *tlsrpt;
 #endif
    int enforce_requiretls;		/* from smtp_enforce_requiretls */
 #endif
    /*
@ -286,6 +288,7 @@ typedef struct SMTP_STATE {
 #define SMTP_FEATURE_XFORWARD_IDENT	(1<<20)
 #define SMTP_FEATURE_SMTPUTF8		(1<<21)	/* RFC 6531 */
 #define SMTP_FEATURE_FROM_PROXY		(1<<22)	/* proxied connection */
 #define SMTP_FEATURE_REQUIRETLS		(1<<23)	/* RFC 8689 */
 /*
  * Features that passivate under the endpoint.
@ -358,6 +361,7 @@ extern STRING_LIST *smtp_use_srv_lookup;/* services with SRV record lookup */
 extern TLS_APPL_STATE *smtp_tls_ctx;	/* client-side TLS engine */
 extern int smtp_tls_insecure_mx_policy;	/* DANE post insecure MX? */
 extern DOMAIN_LIST *smtp_enforce_requiretls;	/* parsed list */
 #endif
@ -637,8 +641,9 @@ extern void smtp_rcpt_done(SMTP_STATE *, SMTP_RESP *, RECIPIENT *);
 /*
  * smtp_trouble.c
  */
-#define SMTP_THROTTLE	1
+#define SMTP_MISC_FAIL_NONE		0
-#define SMTP_NOTHROTTLE	0
+#define SMTP_MISC_FAIL_THROTTLE		(1<<0)
 #define SMTP_MISC_FAIL_SOFT_NON_FINAL	(1<<1)
 extern int smtp_sess_fail(SMTP_STATE *);
 extern int PRINTFLIKE(5, 6) smtp_misc_fail(SMTP_STATE *, int, const char *,
 				             SMTP_RESP *, const char *,...);
@ -648,9 +653,9 @@ extern void PRINTFLIKE(5, 6) smtp_rcpt_fail(SMTP_STATE *, RECIPIENT *,
 extern int smtp_stream_except(SMTP_STATE *, int, const char *);
 #define smtp_site_fail(state, mta, resp, ...) \
-	smtp_misc_fail((state), SMTP_THROTTLE, (mta), (resp), __VA_ARGS__)
+    smtp_misc_fail((state), SMTP_MISC_FAIL_THROTTLE, (mta), (resp), __VA_ARGS__)
 #define smtp_mesg_fail(state, mta, resp, ...) \
-	smtp_misc_fail((state), SMTP_NOTHROTTLE, (mta), (resp), __VA_ARGS__)
+    smtp_misc_fail((state), SMTP_MISC_FAIL_NONE, (mta), (resp), __VA_ARGS__)
 /*
  * smtp_unalias.c
--- a/postfix/src/smtp/smtp_connect.c
+++ b/postfix/src/smtp/smtp_connect.c
@ -106,6 +106,7 @@
 #include <mail_addr.h>
 #include <valid_hostname.h>
 #include <sendopts.h>
 #include <domain_list.h>
 /* DNS library. */
@ -515,19 +516,32 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state)
    }
    /*
-     * If the sender requires verified TLS, the TLS level must enforce a
+     * If the sender requires TLS with server certificate verification, the
-     * server certificate match.
+     * TLS level must enforce a server certificate match.
     */
-#if 0
+    else if (var_requiretls_enable
-    else if ((state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
+	     && (state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
 	if (TLS_MUST_MATCH(tls->level) == 0) {
-	    dsb_simple(why, "5.7.10", "Sender requires verified TLS, "
+	    if (state->enforce_requiretls) {
-		       " but my configured TLS security level is '%s %s'",
+		dsb_simple(why, "5.7.10", "REQUIRETLS Failure: Sender "
-		       var_mail_name, str_tls_level(tls->level));
+			   "requires a TLS server certificate match, "
 			   "but the configured %s TLS security level '%s' "
 			   "does not support that. The last attempted "
 			   "server was %s",
 			   var_mail_name, str_tls_level(tls->level),
 			   STR(iter->host));
 		return (0);
 	    } else {
 		msg_info("REQUIRETLS Debug: Sender requires a TLS server "
 			 "certificate match, but the configured %s TLS "
 			 "security level '%s' does not support that. "
 			 "The last attempted server was %s",
 			 var_mail_name, str_tls_level(tls->level),
 			 STR(iter->host));
 		return (0);
 	    }
 	}
-#endif
+    }
    /*
     * Otherwise, if the TLS level is not TLS_LEV_NONE or some non-level, and
@ -574,6 +588,18 @@ static void smtp_connect_local(SMTP_STATE *state, const char *path)
    if (state->misc_flags & SMTP_MISC_FLAG_CONN_CACHE_MASK)
 	SET_SCACHE_REQUEST_NEXTHOP(state, path);
    /*
     * REQUIRETLS enforcement is based on the UNIX-domain pathname, without
     * the "unix:" prefix.
     */
 #ifdef USE_TLS
    state->enforce_requiretls =
 	(var_requiretls_enable
 	 && smtp_enforce_requiretls
 	 && (state->request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0
 	 && domain_list_match(smtp_enforce_requiretls, path));
 #endif
    /*
     * Here we ensure that the iter->addr member refers to a copy of the
     * UNIX-domain pathname, so that smtp_save_session() will cache the
@ -978,6 +1004,18 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop,
 	    state->tlsrpt = 0;
 #endif						/* USE_TLSRPT */
 	/*
 	 * REQUIRETLS enforcement is based on the next-hop domain name
 	 * without the service or port.
 	 */
 #ifdef USE_TLS
 	state->enforce_requiretls =
 	    (var_requiretls_enable
 	     && smtp_enforce_requiretls
 	     && (state->request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0
 	     && domain_list_match(smtp_enforce_requiretls, domain));
 #endif
 	/*
 	 * Resolve an SMTP or LMTP server. Skip MX or SRV lookups when a
 	 * quoted domain is specified or when DNS lookups are disabled.
--- a/postfix/src/smtp/smtp_params.c
+++ b/postfix/src/smtp/smtp_params.c
@ -69,6 +69,7 @@
 	VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0,
 	VAR_USE_SRV_LOOKUP, DEF_USE_SRV_LOOKUP, &var_use_srv_lookup, 0, 0,
 	VAR_SMTP_TLSRPT_SOCKNAME, DEF_SMTP_TLSRPT_SOCKNAME, &var_smtp_tlsrpt_sockname, 0, 0,
 	VAR_SMTP_ENFORCE_REQUIRETLS, DEF_SMTP_ENFORCE_REQUIRETLS, &var_smtp_enforce_requiretls, 0, 0,
 	0,
    };
    static const CONFIG_TIME_TABLE smtp_time_table[] = {
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@ -604,6 +604,10 @@ int     smtp_helo(SMTP_STATE *state)
 		    /* Ignored later if we already sent STARTTLS. */
 		    if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
 			session->features |= SMTP_FEATURE_STARTTLS;
 		} else if (strcasecmp(word, "REQUIRETLS") == 0) {
 		    if ((discard_mask & EHLO_MASK_REQUIRETLS) == 0
 			&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS))
 			session->features |= SMTP_FEATURE_REQUIRETLS;
 #endif
 #ifdef USE_SASL_AUTH
 		} else if (var_smtp_sasl_enable
@ -661,7 +665,8 @@ int     smtp_helo(SMTP_STATE *state)
     */
    if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0
 	&& DELIVERY_REQUIRES_SMTPUTF8)
-	return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
+	return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
 			       DSN_BY_LOCAL_MTA,
 			       SMTP_RESP_FAKE(&fake, "5.6.7"),
 			       "SMTPUTF8 is required, "
 			       "but was not offered by host %s",
@ -679,6 +684,35 @@ int     smtp_helo(SMTP_STATE *state)
 	session->features |= SMTP_FEATURE_8BITMIME;
    }
    /*
     * Require that the server announces REQUIRETLS when the sender requested
     * REQUIRETLS. Return the message as undeliverable only when there are no
     * more alternative MX hosts.
     */
 #ifdef USE_TLS
    if (var_requiretls_enable
 	&& (request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0
 	&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
 	&& (session->features & SMTP_FEATURE_REQUIRETLS) == 0) {
 	if (state->enforce_requiretls) {
 	    return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
 				   DSN_BY_LOCAL_MTA,
 				   SMTP_RESP_FAKE(&fake, "5.7.30"),
 				   "REQUIRETLS Failure: Sender requested "
 				   "delivery wth REQUIRETLS, but no mail "
 				   "server was found with REQUIRETLS "
 				   "support. The last attempted server "
 				   "was %s", session->namaddr));
 	} else {
 	    msg_info("REQUIRETLS Debug: Sender requested delivery wth "
 		     "REQUIRETLS, but no mail server was found with "
 		     "REQUIRETLS support. The last attempted server was "
 		     "%s", session->namaddr);
 	}
    }
 #endif
    /*
     * We use SMTP command pipelining if the server said it supported it.
     * Since we use blocking I/O, RFC 2197 says that we should inspect the
@ -1143,7 +1177,7 @@ static int smtp_start_tls(SMTP_STATE *state)
 	if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE)
 	    RETRY_AS_PLAINTEXT;
 	return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ?
-			       SMTP_NOTHROTTLE : SMTP_THROTTLE,
+			       SMTP_MISC_FAIL_NONE : SMTP_MISC_FAIL_THROTTLE,
 			       DSN_BY_LOCAL_MTA,
 			       SMTP_RESP_FAKE(&fake, "4.7.5"),
 			       "Cannot start TLS: handshake failure"));
@ -1188,6 +1222,31 @@ static int smtp_start_tls(SMTP_STATE *state)
 		}
 	    }
 #endif
 	    /*
 	     * Require a server certificate match when the sender requested
 	     * REQUIRETLS. Return the message as undeliverable only when
 	     * there are no more alternative MX hosts.
 	     */
 	    if (var_requiretls_enable
 		&& (state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
 		if (state->enforce_requiretls) {
 		    return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
 					   DSN_BY_LOCAL_MTA,
 					   SMTP_RESP_FAKE(&fake, "5.7.10"),
 					   "REQUIRETLS Failure: Sender "
 					   "requested a TLS server "
 					   "certificate match, but no "
 					   "match was found. The last "
 					   "attempted server was %s",
 					   session->namaddr));
 		} else {
 		    msg_info("REQUIRETLS Debug: Sender requested a TLS "
 			     "server certificate match, but no match was "
 			     "found. The last attempted server was %s",
 			     session->namaddr);
 		}
 	    }
 	    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
 				   SMTP_RESP_FAKE(&fake, "4.7.5"),
 				   "Server certificate not verified"));
@ -1778,7 +1837,22 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
 	    if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
 		&& (request->sendopts & SMTPUTF8_FLAG_REQUESTED) != 0)
 		vstring_strcat(next_command, " SMTPUTF8");
-	    /* TODO(wietse) REQUIRETLS. */
+
 	    /*
 	     * Request REQUIRETLS when the remote SMTP server supports
 	     * REQUIRETLS and the sender requested REQUIRETLS.
 	     */
 #ifdef USE_TLS
 	    if (var_requiretls_enable
 		&& (request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
 		if ((session->features & SMTP_FEATURE_REQUIRETLS) != 0)
 		    vstring_strcat(next_command, " REQUIRETLS");
 		else if (state->enforce_requiretls)
 		    msg_panic("Can't happen: must enforce REQUIRETLS, but "
 			      "host %s did not announce REQUIRETLS support",
 			      session->namaddr);
 	    }
 #endif
 	    /*
 	     * We authenticate the local MTA only, but not the sender.
--- a/postfix/src/smtp/smtp_state.c
+++ b/postfix/src/smtp/smtp_state.c
@ -82,6 +82,9 @@ SMTP_STATE *smtp_state_alloc(void)
    state->iterator->saved_dest = vstring_alloc(100);
 #ifdef USE_TLSRPT
    state->tlsrpt = 0;
 #endif
 #ifdef USE_TLS
    state->enforce_requiretls = 0;
 #endif
    if (var_smtp_cache_conn) {
 	state->dest_label = vstring_alloc(10);
--- a/postfix/src/smtp/smtp_trouble.c
+++ b/postfix/src/smtp/smtp_trouble.c
@ -33,9 +33,9 @@
 /*	int	exception;
 /*	const char *description;
 /* AUXILIARY FUNCTIONS
-/*	int	smtp_misc_fail(state, throttle, mta_name, resp, format, ...)
+/*	int	smtp_misc_fail(state, flags, mta_name, resp, format, ...)
 /*	SMTP_STATE *state;
-/*	int	throttle;
+/*	int	flags;
 /*	const char *mta_name;
 /*	SMTP_RESP *resp;
 /*	const char *format;
@ -91,8 +91,11 @@
 /*
 /*	smtp_misc_fail() provides a more detailed interface than
 /*	smtp_site_fail() and smtp_mesg_fail(), which are convenience
-/*	wrappers around smtp_misc_fail(). The throttle argument
+/*	wrappers around smtp_misc_fail(). The flags argument is either
-/*	is either SMTP_THROTTLE or SMTP_NOTHROTTLE; it is used only
+/*	SMTP_MISC_FAIL_NONE or the bitwise OR of SMTP_MISC_FAIL_THROTTLE
 /*	(throttle the destination) and/or SMTP_MISC_FAIL_SOFT_NON_FINAL
 /*	(if the server was not the last one to try, treat a hard error
 /*	as a soft error); SMTP_MISC_FAIL_THROTTLE is used only
 /*	in the "soft error, final server" policy, and determines
 /*	whether a destination will be marked as problematic.
 /*
@ -210,7 +213,7 @@ static void smtp_check_code(SMTP_SESSION *session, int code)
 /* smtp_bulk_fail - skip, defer or bounce recipients, maybe throttle queue */
-static int smtp_bulk_fail(SMTP_STATE *state, int throttle_queue)
+static int smtp_bulk_fail(SMTP_STATE *state, int flags)
 {
    DELIVER_REQUEST *request = state->request;
    SMTP_SESSION *session = state->session;
@ -220,8 +223,21 @@ static int smtp_bulk_fail(SMTP_STATE *state, int throttle_queue)
    int     aggregate_status;
    int     soft_error = (STR(why->status)[0] == '4');
    int     soft_bounce_error = (STR(why->status)[0] == '5' && var_soft_bounce);
    int     throttle_queue = (flags & SMTP_MISC_FAIL_THROTTLE);
    int     nrcpt;
    /*
     * Sanity check.
     */
    if ((flags & SMTP_MISC_FAIL_SOFT_NON_FINAL) != 0) {
 	if (soft_error) {
 	    msg_warn("smtp_bulk_fail: ignoring SMTP_MISC_FAIL_SOFT_NON_FINAL "
 		    "for a soft error");
 	} else {
 	    soft_error = (state->misc_flags & SMTP_MISC_FLAG_FINAL_SERVER) == 0;
 	}
    }
    /*
     * Don't defer the recipients just yet when this error qualifies them for
     * delivery to a backup server. Just log something informative to show
@ -302,7 +318,7 @@ int     smtp_sess_fail(SMTP_STATE *state)
     * because this error information is collected by a routine that
     * terminates BEFORE the error is reported.
     */
-    return (smtp_bulk_fail(state, SMTP_THROTTLE));
+    return (smtp_bulk_fail(state, SMTP_MISC_FAIL_THROTTLE));
 }
 /* vsmtp_fill_dsn - fill in temporary DSN structure */
@ -342,7 +358,7 @@ static void vsmtp_fill_dsn(SMTP_STATE *state, const char *mta_name,
 /* smtp_misc_fail - maybe throttle queue; skip/defer/bounce all recipients */
-int     smtp_misc_fail(SMTP_STATE *state, int throttle, const char *mta_name,
+int     smtp_misc_fail(SMTP_STATE *state, int flags, const char *mta_name,
 		               SMTP_RESP *resp, const char *format,...)
 {
    va_list ap;
@ -360,7 +376,7 @@ int     smtp_misc_fail(SMTP_STATE *state, int throttle, const char *mta_name,
    /*
     * Skip, defer or bounce recipients, and throttle this queue.
     */
-    return (smtp_bulk_fail(state, throttle));
+    return (smtp_bulk_fail(state, flags));
 }
 /* smtp_rcpt_fail - skip, defer, or bounce recipient */
@ -472,5 +488,5 @@ int     smtp_stream_except(SMTP_STATE *state, int code, const char *description)
     * falling back to plaintext, because RETRY_AS_PLAINTEXT clears the
     * FINAL_SERVER flag.
     */
-    return (smtp_bulk_fail(state, SMTP_THROTTLE));
+    return (smtp_bulk_fail(state, SMTP_MISC_FAIL_THROTTLE));
 }
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@ -57,6 +57,7 @@
 /*	RFC 6531 (Internationalized SMTP)
 /*	RFC 6533 (Internationalized Delivery Status Notifications)
 /*	RFC 7505 ("Null MX" No Service Resource Record)
 /*	RFC 8689 (SMTP REQUIRETLS extension)
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
 /*	or \fBpostlogd\fR(8).
@ -370,7 +371,7 @@
 /* .IP "\fBsmtpd_sasl_mechanism_filter (!external, static:rest)\fR"
 /*	If non-empty, a filter for the SASL mechanism names that the
 /*	Postfix SMTP server will announce in the EHLO response.
-/* STARTTLS SUPPORT CONTROLS
+/* TLS SUPPORT CONTROLS
 /* .ad
 /* .fi
 /*	Detailed information about STARTTLS configuration may be
@ -544,7 +545,12 @@
 /*	Request that remote SMTP clients send an RFC7250 raw public key
 /*	instead of an X.509 certificate, when asking for or requiring client
 /*	authentication.
-/* OBSOLETE STARTTLS CONTROLS
+/* .PP
 /*	Available in Postfix version 3.10 and later:
 /* .IP "\fBrequiretls_enable (yes)\fR"
 /*	Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
 /*	8689.
 /* OBSOLETE TLS CONTROLS
 /* .ad
 /* .fi
 /*	The following configuration parameters exist for compatibility
@ -2105,6 +2111,11 @@ static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	EHLO_APPEND(state, "SMTPUTF8");
    if ((discard_mask & EHLO_MASK_CHUNKING) == 0)
 	EHLO_APPEND(state, "CHUNKING");
 #ifdef USE_TLS
    if (var_requiretls_enable && (discard_mask & EHLO_MASK_REQUIRETLS) == 0
 	&& state->tls_context != 0)
 	EHLO_APPEND(state, "REQUIRETLS");
 #endif
    /*
     * Send the reply.
@ -2219,7 +2230,8 @@ static int mail_open_stream(SMTPD_STATE *state)
 	    cleanup_flags |= CLEANUP_FLAG_SMTPUTF8;
 	else
 	    cleanup_flags |= smtputf8_autodetect(MAIL_SRC_MASK_SMTPD);
-	/* TODO(wietse) REQUIRETLS. */
+	if (state->flags & SMTPD_FLAG_REQUIRETLS)
 	    cleanup_flags |= CLEANUP_FLAG_REQUIRETLS;
 	state->dest = mail_stream_service(MAIL_CLASS_PUBLIC,
 					  var_cleanup_service);
 	if (state->dest == 0
@ -2679,6 +2691,13 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 		   && (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0
 		   && strcasecmp(arg, "SMTPUTF8") == 0) {	/* RFC 6531 */
 	     /* Already processed early. */ ;
 #ifdef USE_TLS
 	} else if (var_requiretls_enable
 		   && state->tls_context != 0
 		   && (state->ehlo_discard_mask & EHLO_MASK_REQUIRETLS) == 0
 		   && strcasecmp(arg, "REQUIRETLS") == 0) {	/* RFC 8689 */
 	    state->flags |= SMTPD_FLAG_REQUIRETLS;
 #endif
 #ifdef USE_SASL_AUTH
 	} else if (strncasecmp(arg, "AUTH=", 5) == 0) {
 	    if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) {
--- a/postfix/src/smtpd/smtpd.h
+++ b/postfix/src/smtpd/smtpd.h
@ -209,6 +209,7 @@ typedef struct {
 #define SMTPD_FLAG_AUTH_USED	   (1<<2)	/* don't reuse SASL state */
 #define SMTPD_FLAG_SMTPUTF8	   (1<<3)	/* RFC 6531/2 transaction */
 #define SMTPD_FLAG_NEED_MILTER_ABORT (1<<4)	/* undo milter_mail_event() */
 #define SMTPD_FLAG_REQUIRETLS	   (1<<5)	/* RFC 8689 */
 #define SMTPD_NOTE_BARE_LF	   (1<<0)	/* saw at least one bare LF */
--- a/postfix/src/util/match_list.c
+++ b/postfix/src/util/match_list.c
@ -60,6 +60,10 @@
 /*	Request that match_list_match() logs a warning and returns
 /*	zero (with list->error set to a non-zero dictionary error
 /*	code) instead of raising a fatal run-time error.
 /* .IP MATCH_FLAG_NOFILE
 /*	Disable special handling for /file/name.
 /* .IP MATCH_FLAG_NODICT
 /*	Disable special handling for type:name.
 /* .RE
 /*	Specify MATCH_FLAG_NONE to request none of the above.
 /* .IP pattern_list
@ -84,6 +88,9 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
 /*
 /*	Wietse Venema
 /*	porcupine.org
 /*--*/
 /* System library. */
@ -152,7 +159,8 @@ static ARGV *match_list_parse(MATCH_LIST *match_list, ARGV *pat_list,
 	if (*item == 0)
 	    /* No graceful degradation for this... */
 	    msg_fatal("%s: no pattern after '!'", match_list->pname);
-	if (*item == '/') {			/* /file/name */
+	if (*item == '/'			/* /file/name */
 	    && (match_list->flags & MATCH_FLAG_NOFILE) == 0) {
 	    if ((fp = vstream_fopen(item, O_RDONLY, 0)) == 0) {
 		/* Replace unusable pattern with pseudo table. */
 		vstring_sprintf(buf, "%s:%s", DICT_TYPE_NOFILE, item);
@ -169,7 +177,8 @@ static ARGV *match_list_parse(MATCH_LIST *match_list, ARGV *pat_list,
 		if (vstream_fclose(fp))
 		    msg_fatal("%s: read file %s: %m", myname, item);
 	    }
-	} else if (MATCH_DICTIONARY(item)) {	/* type:table */
+	} else if (MATCH_DICTIONARY(item)	/* type:table */
 		   &&(match_list->flags & MATCH_FLAG_NODICT) == 0) {
 	    vstring_sprintf(buf, "%s%s(%o,%s)", match ? "" : "!",
 			    item, OPEN_FLAGS, dict_flags_str(DICT_FLAGS));
 	    map_type_name_flags = STR(buf) + (match == 0);
--- a/postfix/src/util/match_list.h
+++ b/postfix/src/util/match_list.h
@ -38,8 +38,10 @@ struct MATCH_LIST {
 #define MATCH_FLAG_NONE		0
 #define MATCH_FLAG_PARENT	(1<<0)
 #define MATCH_FLAG_RETURN	(1<<1)
-#define MATCH_FLAG_ALL		(MATCH_FLAG_PARENT | MATCH_FLAG_RETURN)
+#define MATCH_FLAG_NOFILE	(1<<2)
-
+#define MATCH_FLAG_NODICT	(1<<3)
 #define MATCH_FLAG_ALL		(MATCH_FLAG_PARENT | MATCH_FLAG_RETURN | \
 				MATCH_FLAG_NOFILE | MATCH_FLAG_NODICT)
 extern MATCH_LIST *match_list_init(const char *, int, const char *, int,...);
 extern int match_list_match(MATCH_LIST *,...);
 extern void match_list_free(MATCH_LIST *);