From 6b8941f03ee386912dac2ad272dbb6e4bf674a6c Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Fri, 22 Oct 2021 00:00:00 -0500
Subject: [PATCH] postfix-3.7-20211022

---
 postfix/HISTORY                               |  20 +++
 postfix/TODO                                  |   5 -
 postfix/WISHLIST                              |   7 +-
 postfix/html/BDAT_README.html                 |   8 +-
 postfix/html/BUILTIN_FILTER_README.html       |   4 +-
 postfix/html/DSN_README.html                  |   2 +-
 postfix/html/FORWARD_SECRECY_README.html      |   2 +-
 postfix/html/IPV6_README.html                 |   2 +-
 postfix/html/LDAP_README.html                 |   6 +-
 postfix/html/MAILDROP_README.html             |   2 +-
 postfix/html/SASL_README.html                 |   2 +-
 postfix/html/SMTPD_ACCESS_README.html         |   2 +-
 postfix/html/SMTPUTF8_README.html             |  10 +-
 postfix/html/SOHO_README.html                 |   2 +-
 .../html/STANDARD_CONFIGURATION_README.html   |   2 +-
 postfix/html/TLS_LEGACY_README.html           |  12 +-
 postfix/html/TLS_README.html                  |  42 ++---
 postfix/html/XCLIENT_README.html              |   4 +-
 postfix/html/XFORWARD_README.html             |   4 +-
 postfix/html/access.5.html                    |   4 +-
 postfix/html/aliases.5.html                   |   6 +-
 postfix/html/bounce.8.html                    |  20 +--
 postfix/html/cleanup.8.html                   |  16 +-
 postfix/html/defer.8.html                     |  20 +--
 postfix/html/discard.8.html                   |   4 +-
 postfix/html/error.8.html                     |   4 +-
 postfix/html/header_checks.5.html             |  10 +-
 postfix/html/ldap_table.5.html                |  24 +--
 postfix/html/lmtp.8.html                      |  48 +++---
 postfix/html/local.8.html                     |   6 +-
 postfix/html/master.5.html                    |   6 +-
 postfix/html/oqmgr.8.html                     |   4 +-
 postfix/html/pipe.8.html                      |   6 +-
 postfix/html/postalias.1.html                 |   4 +-
 postfix/html/postconf.5.html                  | 116 ++++++-------
 postfix/html/postmap.1.html                   |   8 +-
 postfix/html/postqueue.1.html                 |   6 +-
 postfix/html/postscreen.8.html                |  28 ++--
 postfix/html/qmgr.8.html                      |   4 +-
 postfix/html/qmqpd.8.html                     |   2 +-
 postfix/html/smtp-sink.1.html                 |   2 +-
 postfix/html/smtp.8.html                      |  48 +++---
 postfix/html/smtpd.8.html                     |  54 +++---
 postfix/html/tlsproxy.8.html                  |   6 +-
 postfix/html/trace.8.html                     |  20 +--
 postfix/html/virtual.8.html                   |   2 +-
 postfix/man/man5/master.5                     |   4 +-
 postfix/mantools/postlink                     |   2 +-
 postfix/proto/master                          |   4 +-
 postfix/src/global/Makefile.in                |   1 +
 postfix/src/global/config_known_tcp_ports.c   |   2 +
 postfix/src/global/mail_params.c              |   6 +
 postfix/src/global/mail_version.h             |   2 +-
 postfix/src/posttls-finger/posttls-finger.c   |   6 +-
 postfix/src/smtp/smtp_connect.c               |   6 +-
 postfix/src/util/Makefile.in                  |  12 +-
 postfix/src/util/find_inet.c                  | 158 +++++++++++++++++-
 postfix/src/util/find_inet.ref                |   5 +
 postfix/src/util/myaddrinfo.c                 |  22 ++-
 59 files changed, 536 insertions(+), 310 deletions(-)
 delete mode 100644 postfix/TODO
 create mode 100644 postfix/src/util/find_inet.ref

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 0485b328c..470435702 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -25795,3 +25795,23 @@ Apologies for any names omitted.
 	smtp/smtp.h, smtp/smtp_chat.c, smtp/smtp_params.c,
 	smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_chat.c, and test
 	data.
+
+20211006
+
+	Documentation: http://tools.ietf.org/html/rfc[0-9]+ sometimes
+	does not redirect to the https site. Max-Julian Pogner.
+	Fixed by updating mantools/postlink and rebuilding the HTML
+	files that reference RFCs.
+
+20211016
+
+	Documentation: clarified the difference between private and
+	public services in master.cf. File: proto/master.
+
+20211022
+
+	Bugfix: the known_tcp_ports setting had no effect. Reported
+	by Peter. It also wasn't fully implemented. Files:
+	config_known_tcp_ports.c, mail_params.c,
+	posttls-finger/posttls-finger.c, smtp/smtp_connect.c,
+	util/find_inet.c, util/myaddrinfo.c.
diff --git a/postfix/TODO b/postfix/TODO
deleted file mode 100644
index 274bf9b40..000000000
--- a/postfix/TODO
+++ /dev/null
@@ -1,5 +0,0 @@
-Add a note to tlsproxy source why it does not enforce deadlines or
-minimum data rates. Reason: tlsproxy relies on the plaintext client
-to enforce their context-dependent deadlines and data rates. When
-a plaintext client times out, it will close the tlsproxy connection,
-and then tlsproxy will also hang up.
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index fb7f5d64e..a1e55e8ca 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -1,6 +1,11 @@
 Wish list:
 
-	Add verp=+= to the qmgr "from=" logging.
+	Add a pointer to
+	http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
+	in documentation or on-line howtos.
+
+	Add verp=+= to the qmgr "from=" logging. This is already
+	implemented but not yet integrated.
 
 	Need canonical Dovecot example that has virtual_mailbox_domains,
 	(virtual_mailbox_maps or reject unverified_recipient), and
diff --git a/postfix/html/BDAT_README.html b/postfix/html/BDAT_README.html
index cb9775541..56532fc30 100644
--- a/postfix/html/BDAT_README.html
+++ b/postfix/html/BDAT_README.html
@@ -20,7 +20,7 @@ BDAT (CHUNKING) support</h1>
 
 <h2>Overview </h2>
 
-<p> Postfix SMTP server supports <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> CHUNKING (the BDAT command)
+<p> Postfix SMTP server supports <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> CHUNKING (the BDAT command)
 without BINARYMIME, in both <a href="smtpd.8.html">smtpd(8)</a> and <a href="postscreen.8.html">postscreen(8)</a>. It is enabled
 by default. </p>
 
@@ -155,7 +155,7 @@ signatures, so conversion would have to happen before signing. </p>
 <h2> <a name="downsides">Downsides of CHUNKING (BDAT) support</a>
 </h2>
 
-<p> The <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> authors did not specify any limitations on how
+<p> The <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> authors did not specify any limitations on how
 clients may pipeline commands (i.e. send commands without waiting
 for a server response). If a server announces PIPELINING support,
 like Postfix does, then a remote SMTP client can pipeline all
@@ -167,10 +167,10 @@ behavior. If you require "<a href="postconf.5.html#reject_unauth_pipelining">rej
 then turn off Postfix's CHUNKING announcement as described above.
 </p>
 
-<p> In <a href="http://tools.ietf.org/html/rfc4468">RFC 4468</a>, the authors write that a client may pipeline
+<p> In <a href="https://tools.ietf.org/html/rfc4468">RFC 4468</a>, the authors write that a client may pipeline
 commands, and that after sending BURL LAST or BDAT LAST, a client
 must wait for the server's response. But as this text does not
-appear in <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> which defines BDAT, is it a useless restriction
+appear in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> which defines BDAT, is it a useless restriction
 that Postfix will not enforce. </p>
 
 </body>
diff --git a/postfix/html/BUILTIN_FILTER_README.html b/postfix/html/BUILTIN_FILTER_README.html
index fbe383ba3..74d138d47 100644
--- a/postfix/html/BUILTIN_FILTER_README.html
+++ b/postfix/html/BUILTIN_FILTER_README.html
@@ -222,9 +222,9 @@ header/body checks for mail to some domains only</a>".  </p>
 
 <li> <p> Header/body checks do not decode message headers or message
 body content. For example, if text in the message body is BASE64
-encoded (<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>) then your regular expressions will have to match
+encoded (<a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>) then your regular expressions will have to match
 the BASE64 encoded form. Likewise, message headers with encoded
-non-ASCII characters (<a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>) need to be matched in their encoded
+non-ASCII characters (<a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a>) need to be matched in their encoded
 form. </p>
 
 <li> <p> Header/body checks cannot filter on a combination of
diff --git a/postfix/html/DSN_README.html b/postfix/html/DSN_README.html
index 0406d6065..ea50c09da 100644
--- a/postfix/html/DSN_README.html
+++ b/postfix/html/DSN_README.html
@@ -21,7 +21,7 @@ DSN Support </h1>
 <h2>Introduction</h2>
 
 <p> Postfix version 2.3 introduces support for Delivery Status
-Notifications as described in <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a>. This gives senders control
+Notifications as described in <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a>. This gives senders control
 over successful and failed delivery notifications.  </p>
 
 <p> Specifically, DSN support gives an email sender the ability to
diff --git a/postfix/html/FORWARD_SECRECY_README.html b/postfix/html/FORWARD_SECRECY_README.html
index 92622b422..fd685bd40 100644
--- a/postfix/html/FORWARD_SECRECY_README.html
+++ b/postfix/html/FORWARD_SECRECY_README.html
@@ -227,7 +227,7 @@ setting the <a href="postconf.5.html">main.cf</a> parameter <a href="postconf.5.
 </p> </blockquote>
 
 <p> The elliptic curve standards are evolving, with new curves
-introduced in <a href="http://tools.ietf.org/html/rfc8031">RFC 8031</a> to augment or replace the NIST curves tarnished
+introduced in <a href="https://tools.ietf.org/html/rfc8031">RFC 8031</a> to augment or replace the NIST curves tarnished
 by the Snowden revelations.  Fortunately, TLS clients advertise
 their list of supported curves to the server so that servers can
 choose newer stronger curves when mutually supported.  OpenSSL 1.0.2
diff --git a/postfix/html/IPV6_README.html b/postfix/html/IPV6_README.html
index eb619e8b1..c1211e912 100644
--- a/postfix/html/IPV6_README.html
+++ b/postfix/html/IPV6_README.html
@@ -228,7 +228,7 @@ to the LMTP client. </p>
 
 <li> <p> The SMTP server now requires that IPv6 addresses in SMTP
 commands are specified as [ipv6:<i>ipv6address</i>], as
-described in <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
+described in <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
 
 <li> <p> The IPv6 network address matching code was rewritten from
 the ground up, and is expected to be closer to the specification.
diff --git a/postfix/html/LDAP_README.html b/postfix/html/LDAP_README.html
index fae15b914..b4f938c13 100644
--- a/postfix/html/LDAP_README.html
+++ b/postfix/html/LDAP_README.html
@@ -199,7 +199,7 @@ server listening at port 389 on ldap.example.com. It will bind anonymously,
 search for any directory entries whose mailacceptinggeneralid
 attribute is "ldapuser", read the "maildrop" attributes of those
 found, and build a list of their maildrops, which will be treated
-as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be delivered. </p>
+as <a href="https://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be delivered. </p>
 
 <h2><a name="example_virtual">Example: virtual domains/addresses</a></h2>
 
@@ -592,10 +592,10 @@ contents, please include the applicable bits of some directory entries. </p>
 
 <li>Prabhat K Singh: Wrote the initial Postfix LDAP lookups and connection caching.
 
-<li>Keith Stevenson: <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> escaping in queries.
+<li>Keith Stevenson: <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> escaping in queries.
 
 <li>Samuel Tardieu: Noticed that searches could include wildcards, prompting
-                the work on <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> escaping in queries. Spotted a bug
+                the work on <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> escaping in queries. Spotted a bug
                 in binding.
 
 <li>Sami Haahtinen: Referral chasing and v3 support.
diff --git a/postfix/html/MAILDROP_README.html b/postfix/html/MAILDROP_README.html
index 24b3e63b4..aa2d7946a 100644
--- a/postfix/html/MAILDROP_README.html
+++ b/postfix/html/MAILDROP_README.html
@@ -85,7 +85,7 @@ becoming clogged with undeliverable messages. Specify an empty
 value ("<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> =") to disable this feature. </p>
 
 <li> <p> Lines 6 and 13-15 redirect mail for postmaster to the
-local postmaster. <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> requires that every domain has a postmaster
+local postmaster. <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> requires that every domain has a postmaster
 address. </p>
 
 </ul>
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index 82407e7fa..c074c8c21 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -25,7 +25,7 @@ mail to remote destinations when the client's IP address is in the
 
 <p> SMTP clients outside the SMTP server's network need a different
 way to get "same network" privileges.  To address this need, Postfix
-supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a>).  With
+supports SASL authentication (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a>).  With
 this a remote SMTP client can authenticate to the Postfix SMTP
 server, and the Postfix SMTP client can authenticate to a remote
 SMTP server.  Once a client is authenticated, a server can give it
diff --git a/postfix/html/SMTPD_ACCESS_README.html b/postfix/html/SMTPD_ACCESS_README.html
index 1ac3d57c2..53aa66d1d 100644
--- a/postfix/html/SMTPD_ACCESS_README.html
+++ b/postfix/html/SMTPD_ACCESS_README.html
@@ -145,7 +145,7 @@ no").  </p>
 
 <ul>
 
-<li> <p> Disallowing <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> address syntax (example: "MAIL FROM: the
+<li> <p> Disallowing <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> address syntax (example: "MAIL FROM: the
 dude &lt;dude@example.com&gt;"). </p>
 
 <li> <p> Disallowing addresses that are not enclosed with &lt;&gt;
diff --git a/postfix/html/SMTPUTF8_README.html b/postfix/html/SMTPUTF8_README.html
index 1a3c8d5f1..9bcbdf598 100644
--- a/postfix/html/SMTPUTF8_README.html
+++ b/postfix/html/SMTPUTF8_README.html
@@ -22,8 +22,8 @@ Postfix SMTPUTF8 support
 <h2> Overview </h2>
 
 <p> This document describes Postfix support for Email Address
-Internationalization (EAI) as defined in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (SMTPUTF8 extension),
-<a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized email headers) and <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized
+Internationalization (EAI) as defined in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (SMTPUTF8 extension),
+<a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized email headers) and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized
 delivery status notifications). Introduced with Postfix version
 3.0, this fully supports UTF-8 email addresses and UTF-8 message
 header values. </p>
@@ -288,7 +288,7 @@ at one point in time. </p>
 
 <h3> No automatic conversions between ASCII and UTF-8 domain names. </h3>
 
-<p> Some background: According to <a href="http://tools.ietf.org/html/rfc6530">RFC 6530</a> and related documents,
+<p> Some background: According to <a href="https://tools.ietf.org/html/rfc6530">RFC 6530</a> and related documents,
 an internationalized domain name can appear in two forms: the UTF-8
 form, and the ASCII (xn--mumble) form. An internationalized address
 localpart must be encoded in UTF-8; the RFCs do not define an ASCII
@@ -336,7 +336,7 @@ environments</a> </h2>
 non-UTF-8 members. Postfix will try to deliver the non-UTF8 subscribers
 over "traditional" non-SMTPUTF8 sessions, as long as the message
 has an ASCII envelope sender address and all-ASCII header values.
-The mailing list manager may have to apply <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encoding to
+The mailing list manager may have to apply <a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a> encoding to
 satisfy that last condition. </p>
 
 <h3> Pre-existing non-ASCII email flows </h3>
@@ -352,7 +352,7 @@ if pre-SMTPUTF8 standards do not support such practice. </p>
 requires that non-ASCII address information is encoded in UTF-8 and
 will reject other encodings such as ISO-8859. It is not practical
 for Postfix to support multiple encodings at the same time.  There
-is no problem with <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encodings such as "=?ISO-8859-1?Q?text?=",
+is no problem with <a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a> encodings such as "=?ISO-8859-1?Q?text?=",
 because those use only characters from the ASCII characterset. </p>
 
 <h3> Rejecting non-ASCII addresses in non-SMTPUTF8 transactions </h3>
diff --git a/postfix/html/SOHO_README.html b/postfix/html/SOHO_README.html
index c3a7a10ae..f6f879a6c 100644
--- a/postfix/html/SOHO_README.html
+++ b/postfix/html/SOHO_README.html
@@ -191,7 +191,7 @@ discussed the first half of this document. </p>
 
 <li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not
 use a domain name that is already in use by real organizations
-on the Internet. See <a href="http://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
+on the Internet. See <a href="https://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
 names that are guaranteed not to be owned by anyone. </p>
 
 <li> <p> Lines 5, 9, 10: This provides the mapping from
diff --git a/postfix/html/STANDARD_CONFIGURATION_README.html b/postfix/html/STANDARD_CONFIGURATION_README.html
index f2dee965f..4fa268161 100644
--- a/postfix/html/STANDARD_CONFIGURATION_README.html
+++ b/postfix/html/STANDARD_CONFIGURATION_README.html
@@ -823,7 +823,7 @@ discussed the first half of this document. </p>
 
 <li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not
 use a domain name that is already in use by real organizations
-on the Internet. See <a href="http://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
+on the Internet. See <a href="https://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
 names that are guaranteed not to be owned by anyone. </p>
 
 <li> <p> Lines 5, 9, 10: This provides the mapping from
diff --git a/postfix/html/TLS_LEGACY_README.html b/postfix/html/TLS_LEGACY_README.html
index 4f4526b83..e36ad4e1e 100644
--- a/postfix/html/TLS_LEGACY_README.html
+++ b/postfix/html/TLS_LEGACY_README.html
@@ -33,7 +33,7 @@ encrypted session protects the information that is transmitted with
 SMTP mail or with SASL authentication.
 
 <p> Postfix version 2.2 introduces support for TLS as described in
-<a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a>.  TLS Support for older Postfix versions was available as
+<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>.  TLS Support for older Postfix versions was available as
 an add-on patch.  The section "<a href="#compat">Compatibility with
 Postfix < 2.2 TLS support</a>" below discusses the differences
 between these implementations.  </p>
@@ -425,7 +425,7 @@ private key. This is intended behavior. </p>
 
 <p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
 announces STARTTLS and accepts no mail without TLS encryption, by
-setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes". According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST
+setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes". According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST
 NOT be applied in case of a publicly-referenced Postfix SMTP server.
 This option is off by default and should only seldom be used. </p>
 
@@ -575,7 +575,7 @@ $<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is l
 
 <p> Cached Postfix SMTP server session information expires after
 a certain amount of time.  Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600sec (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
+default of 300s, but a longer time of 3600sec (=1 hour). <a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>
 recommends a maximum of 24 hours.  </p>
 
 <p> Example: </p>
@@ -949,7 +949,7 @@ $<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is l
 
 <p> Cached Postfix SMTP client session information expires after
 a certain amount of time.  Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600s (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
+default of 300s, but a longer time of 3600s (=1 hour). <a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>
 recommends a maximum of 24 hours.  </p>
 
 <p> Example: </p>
@@ -1004,7 +1004,7 @@ CommonName is checked.  Verification may be turned off with the
 
 <p> Enforcing the use of TLS is useful if you know that you will
 only
-connect to servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that present server
+connect to servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that present server
 certificates that meet the above requirements.  An example would
 be a client only sends email to one specific mailhub that offers
 the necessary STARTTLS support.  </p>
@@ -1021,7 +1021,7 @@ the necessary STARTTLS support.  </p>
 <h3> <a name="client_tls_nopeer"> Disabling server certificate
 verification </a> </h3>
 
-<p> As of <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking for MTA
+<p> As of <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking for MTA
 clients are not set. When TLS is required (<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes),
 the option <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> can be set to "no" to disable
 strict remote SMTP server hostname checking. In this case, the mail
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index 248b5e2e4..249dd29ca 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -188,8 +188,8 @@ Certificate-less operation is not recommended. <p>
 Most sites only have RSA certificates.  You can configure all three
 at the same time, in which case the ciphersuite negotiated with the
 remote SMTP client determines which certificate is used.  If your
-DNS zone is signed, and you want to publish DANE TLSA (<a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>,
-<a href="http://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) records, these must match all of the configured
+DNS zone is signed, and you want to publish DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>,
+<a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) records, these must match all of the configured
 certificate chains.  Since the best practice is to publish "3 1 1"
 certificate associations, create a separate TLSA record to match
 each public-key certificate digest.  </p>
@@ -224,7 +224,7 @@ size of the server TLS handshake.  </p>
 </pre>
 </blockquote>
 
-<li> <p> If you publish DANE TLSA (<a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="http://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>)
+<li> <p> If you publish DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>)
 "2 0 1" or "2 1 1" records to specify root CA certificate digests,
 you must include the corresponding root CA certificates in the
 "server.pem" certificate file.  </p>
@@ -526,7 +526,7 @@ private key. This is intended behavior. </p>
 <p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
 so that the Postfix SMTP server announces STARTTLS and accepts no
 mail without TLS encryption, by setting
-"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt". According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> this
+"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt". According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> this
 MUST NOT be applied in case
 of a publicly-referenced Postfix SMTP server.  This option is off
 by default and should only seldom be used. </p>
@@ -685,9 +685,9 @@ the cost of repeatedly negotiating TLS session keys is high.</p>
 
 <p> Starting with Postfix 2.11, linked with a compatible OpenSSL
 library (at least 0.9.8h, preferably 1.0.0 or later) the Postfix
-SMTP server supports <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session resumption without
-server-side state when the remote SMTP client also supports <a href="http://tools.ietf.org/html/rfc5077">RFC</a>
-<a href="http://tools.ietf.org/html/rfc5077">5077</a>.  The session is encrypted by the server in a <i>session
+SMTP server supports <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session resumption without
+server-side state when the remote SMTP client also supports <a href="https://tools.ietf.org/html/rfc5077">RFC</a>
+<a href="https://tools.ietf.org/html/rfc5077">5077</a>.  The session is encrypted by the server in a <i>session
 ticket</i> returned to client for storage.  When a client sends a
 valid session ticket, the server decrypts it and resumes the session,
 provided neither the ticket nor the session have expired.  This
@@ -720,7 +720,7 @@ Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a
 
 <p> Cached Postfix SMTP server session information expires after
 a certain amount of time.  Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600sec (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
+default of 300s, but a longer time of 3600sec (=1 hour). <a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>
 recommends a maximum of 24 hours.  </p>
 
 <p> Example: </p>
@@ -1273,14 +1273,14 @@ just in case the transport table entries are not specified consistently. </p>
 <h4><a name="client_tls_dane">DANE TLS authentication.</a> </h4>
 
 <p> The Postfix SMTP client supports two TLS security levels based
-on DANE TLSA (<a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="http://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) records.  The opportunistic
+on DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) records.  The opportunistic
 "dane" level and the mandatory "dane-only" level. </p>
 
 <p> The "dane" level is a stronger form of <a
 href="#client_tls_may">opportunistic</a> TLS that is resistant to
 man in the middle and downgrade attacks when the destination domain
 uses DNSSEC to publish DANE TLSA records for its MX hosts.  If a
-remote SMTP server has "usable" (see section 3 of <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) DANE
+remote SMTP server has "usable" (see section 3 of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) DANE
 TLSA records, the server connection will be authenticated.  When
 DANE authentication fails, there is no fallback to unauthenticated
 or plaintext delivery. </p>
@@ -1315,7 +1315,7 @@ be signed and the Postfix SMTP client's operating system must be
 configured to send its DNS queries to a recursive DNS nameserver
 that is able to validate the signed records.  Each MX host's DNS
 zone needs to also be signed, and needs to publish DANE TLSA (see
-section 3 of <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) records that specify how that MX host's TLS
+section 3 of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) records that specify how that MX host's TLS
 certificate is to be verified.  </p>
 
 <p> TLSA records do not preempt the normal SMTP MX host
@@ -1327,7 +1327,7 @@ see the documentation for the <a href="postconf.5.html#smtp_dns_support_level">s
 parameter.  The <a href="postconf.5.html#tls_dane_digests">tls_dane_digests</a> parameter controls the list of
 supported digests.  </p>
 
-<p> As explained in section 3 of <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>, certificate usages "0"
+<p> As explained in section 3 of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>, certificate usages "0"
 and "1", which are intended to "constrain" existing Web-PKI trust,
 are not supported with MTA-to-MTA SMTP.  Rather, TLSA records with
 usages "0" and "1" are treated as "unusable".  </p>
@@ -1346,8 +1346,8 @@ records.  </p>
 security level is treated like a "mandatory" TLS security level,
 and weak ciphers and protocols are disabled.  Since DANE authenticates
 server certificates the "aNULL" cipher-suites are transparently
-excluded at this level, no need to configure this manually.  <a href="http://tools.ietf.org/html/rfc7672">RFC</a>
-<a href="http://tools.ietf.org/html/rfc7672">7672</a> (DANE) TLS authentication is available with Postfix 2.11 and
+excluded at this level, no need to configure this manually.  <a href="https://tools.ietf.org/html/rfc7672">RFC</a>
+<a href="https://tools.ietf.org/html/rfc7672">7672</a> (DANE) TLS authentication is available with Postfix 2.11 and
 later.  </p>
 
 <p> When a DANE TLSA record specifies a trust-anchor (TA) certificate
@@ -1613,7 +1613,7 @@ verification as a default policy. </p>
 
 <p> Mandatory server certificate verification as a default security
 level may be appropriate if you know that you will only connect to
-servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present verifiable
+servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present verifiable
 server certificates. An example would be a client that sends all
 email to a central mailhub that offers the necessary STARTTLS
 support. In such cases, you can often use a <a
@@ -1687,7 +1687,7 @@ as a default policy. </p>
 
 <p> Mandatory secure server certificate verification as a default
 security level may be appropriate if you know that you will only
-connect to servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present
+connect to servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present
 verifiable server certificates. An example would be a client that
 sends all email to a central mailhub that offers the necessary
 STARTTLS support. </p>
@@ -2102,7 +2102,7 @@ Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a
 
 <p> Cached Postfix SMTP client session information expires after
 a certain amount of time.  Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600s (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
+default of 300s, but a longer time of 3600s (=1 hour). <a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>
 recommends a maximum of 24 hours.  </p>
 
 <p> Example: </p>
@@ -2177,7 +2177,7 @@ When, as is current practice, the client verifies the insecurely
 obtained MX hostname, it is subject to a DNS man-in-the-middle
 attack. </p>
 
-<p> Adoption of DNSSEC and <a href="http://tools.ietf.org/html/rfc6698">RFC6698</a> (DANE) may gradually (as domains
+<p> Adoption of DNSSEC and <a href="https://tools.ietf.org/html/rfc6698">RFC6698</a> (DANE) may gradually (as domains
 implement DNSSEC and publish TLSA records for their MX hosts) address
 the DNS man-in-the-middle risk and provide scalable key management
 for SMTP with TLS.  Postfix &ge; 2.11 supports the new <a
@@ -2290,7 +2290,7 @@ found, but none are usable, the effective security level is <a
 href="#client_tls_encrypt">encrypt</a>.  When usable TLSA records
 are obtained for the remote SMTP server, SSLv2+3 are automatically
 disabled (see <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>), and the server certificate
-must match the TLSA records.  <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication
+must match the TLSA records.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication
 and DNSSEC support is available with Postfix 2.11 and later.  </dd>
 
 <dt><b>dane-only</b></dt> <dd><a href="#client_tls_dane">Mandatory DANE TLS</a>.
@@ -2299,7 +2299,7 @@ DNSSEC.  If no TLSA records are found, or none are usable, no
 connection is made to the server.  When usable TLSA records are
 obtained for the remote SMTP server, SSLv2+3 are automatically disabled
 (see <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>), and the server certificate must
-match the TLSA records.  <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication and
+match the TLSA records.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication and
 DNSSEC support is available with Postfix 2.11 and later.  </dd>
 
 <dt><b>fingerprint</b></dt> <dd><a href="#client_tls_fprint">Certificate
@@ -2996,7 +2996,7 @@ receiving and sending mail.  It also enables logging of TLS connections
 and recording of TLS use in the "Received" header.  TLS session
 caching is also enabled in the Postfix SMTP client.  With Postfix
 &ge; 2.10, the SMTP server does not need an explicit session cache
-since session reuse is better handled via <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session
+since session reuse is better handled via <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session
 tickets. </p>
 
 <h3><a name="private-ca">Private Certification Authority</a></h3>
diff --git a/postfix/html/XCLIENT_README.html b/postfix/html/XCLIENT_README.html
index 30155a29b..151257603 100644
--- a/postfix/html/XCLIENT_README.html
+++ b/postfix/html/XCLIENT_README.html
@@ -89,7 +89,7 @@ names are shown in upper case, they are in fact case insensitive.
 
 <ul>
 
-    <li> <p> Attribute values are xtext encoded as per <a href="http://tools.ietf.org/html/rfc1891">RFC 1891</a>.
+    <li> <p> Attribute values are xtext encoded as per <a href="https://tools.ietf.org/html/rfc1891">RFC 1891</a>.
     </p>
 
     <li> <p> The NAME attribute specifies a remote SMTP client
@@ -260,7 +260,7 @@ before each MAIL FROM command. </p>
 <h2> References </h2>
 
 <p> Moore, K, "SMTP Service Extension for Delivery Status Notifications",
-<a href="http://tools.ietf.org/html/rfc1891">RFC 1891</a>, January 1996. </p>
+<a href="https://tools.ietf.org/html/rfc1891">RFC 1891</a>, January 1996. </p>
 
 </body>
 
diff --git a/postfix/html/XFORWARD_README.html b/postfix/html/XFORWARD_README.html
index 66fb4d1e8..9a43e27d3 100644
--- a/postfix/html/XFORWARD_README.html
+++ b/postfix/html/XFORWARD_README.html
@@ -81,7 +81,7 @@ names are shown in upper case, they are in fact case insensitive.
 
 <ul>
 
-    <li> <p> Attribute values are xtext encoded as per <a href="http://tools.ietf.org/html/rfc1891">RFC 1891</a>.
+    <li> <p> Attribute values are xtext encoded as per <a href="https://tools.ietf.org/html/rfc1891">RFC 1891</a>.
     </p>
 
     <li> <p> The NAME attribute specifies the up-stream hostname,
@@ -234,7 +234,7 @@ so there is no risk of information leakage. </p>
 <h2> References </h2>
 
 <p> Moore, K, "SMTP Service Extension for Delivery Status Notifications",
-<a href="http://tools.ietf.org/html/rfc1891">RFC 1891</a>, January 1996. </p>
+<a href="https://tools.ietf.org/html/rfc1891">RFC 1891</a>, January 1996. </p>
 
 </body>
 
diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html
index d1f984943..605db661e 100644
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@@ -160,7 +160,7 @@ ACCESS(5)                                                            ACCESS(5)
 
 <b>REJECT ACTIONS</b>
        Postfix  version 2.3 and later support enhanced status codes as defined
-       in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>.  When no code is specified at the beginning  of  the  <i>text</i>
+       in <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>.  When no code is specified at the beginning  of  the  <i>text</i>
        below, Postfix inserts a default enhanced status code of "5.7.1" in the
        case of reject actions, and "4.7.1" in the case of defer  actions.  See
        "ENHANCED STATUS CODES" below.
@@ -340,7 +340,7 @@ ACCESS(5)                                                            ACCESS(5)
 
 <b>ENHANCED STATUS CODES</b>
        Postfix version 2.3 and later support enhanced status codes as  defined
-       in  <a href="http://tools.ietf.org/html/rfc3463">RFC  3463</a>.   When an enhanced status code is specified in an access
+       in  <a href="https://tools.ietf.org/html/rfc3463">RFC  3463</a>.   When an enhanced status code is specified in an access
        table, it is subject to modification. The following transformations are
        needed  when the same access table is used for client, helo, sender, or
        recipient access restrictions; they happen regardless of whether  Post-
diff --git a/postfix/html/aliases.5.html b/postfix/html/aliases.5.html
index b82cff2f2..af9e9ec69 100644
--- a/postfix/html/aliases.5.html
+++ b/postfix/html/aliases.5.html
@@ -63,8 +63,8 @@ ALIASES(5)                                                          ALIASES(5)
        The <i>value</i> contains one or more of the following:
 
        <i>address</i>
-              Mail is forwarded to <i>address</i>, which is compatible with  the  <a href="http://tools.ietf.org/html/rfc822">RFC</a>
-              <a href="http://tools.ietf.org/html/rfc822">822</a> standard.
+              Mail is forwarded to <i>address</i>, which is compatible with  the  <a href="https://tools.ietf.org/html/rfc822">RFC</a>
+              <a href="https://tools.ietf.org/html/rfc822">822</a> standard.
 
        <i>/file/name</i>
               Mail  is  appended  to  <i>/file/name</i>.  See <a href="local.8.html"><b>local</b>(8)</a> for details of
@@ -177,7 +177,7 @@ ALIASES(5)                                                          ALIASES(5)
               while expanding aliases or .forward files.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
 
 <b>SEE ALSO</b>
        <a href="local.8.html">local(8)</a>, local delivery agent
diff --git a/postfix/html/bounce.8.html b/postfix/html/bounce.8.html
index 077af1668..5421e49e7 100644
--- a/postfix/html/bounce.8.html
+++ b/postfix/html/bounce.8.html
@@ -39,16 +39,16 @@ BOUNCE(8)                                                            BOUNCE(8)
        and that depend on retry logic in their own client.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
-       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
-       <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
-       <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
-       <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
-       <a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
-       <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
+       <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+       <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+       <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
+       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html
index c276f6cbf..026cf26ab 100644
--- a/postfix/html/cleanup.8.html
+++ b/postfix/html/cleanup.8.html
@@ -62,13 +62,13 @@ CLEANUP(8)                                                          CLEANUP(8)
        trouble.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
-       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
-       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
-       <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
-       <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
+       <a href="https://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
+       <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+       <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
+       <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -422,7 +422,7 @@ CLEANUP(8)                                                          CLEANUP(8)
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
               Enable  preliminary SMTPUTF8 support for the protocols described
-              in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
 
        <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
               Detect that a message requires SMTPUTF8 support for  the  speci-
diff --git a/postfix/html/defer.8.html b/postfix/html/defer.8.html
index 077af1668..5421e49e7 100644
--- a/postfix/html/defer.8.html
+++ b/postfix/html/defer.8.html
@@ -39,16 +39,16 @@ BOUNCE(8)                                                            BOUNCE(8)
        and that depend on retry logic in their own client.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
-       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
-       <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
-       <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
-       <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
-       <a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
-       <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
+       <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+       <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+       <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
+       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
diff --git a/postfix/html/discard.8.html b/postfix/html/discard.8.html
index a58587481..c324ee94e 100644
--- a/postfix/html/discard.8.html
+++ b/postfix/html/discard.8.html
@@ -17,7 +17,7 @@ DISCARD(8)                                                          DISCARD(8)
        the queue manager. Each  request  specifies  a  queue  file,  a  sender
        address,  a next-hop destination that is treated as the reason for dis-
        carding the mail, and recipient information.  The reason  may  be  pre-
-       fixed with an <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>-compatible detail code.  This program expects to
+       fixed with an <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>-compatible detail code.  This program expects to
        be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
 
        The <a href="discard.8.html"><b>discard</b>(8)</a> delivery agent pretends to deliver all recipients in the
@@ -33,7 +33,7 @@ DISCARD(8)                                                          DISCARD(8)
        the network, and can be run chrooted at fixed low privilege.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
diff --git a/postfix/html/error.8.html b/postfix/html/error.8.html
index 6b36f3d5f..a85680f40 100644
--- a/postfix/html/error.8.html
+++ b/postfix/html/error.8.html
@@ -17,7 +17,7 @@ ERROR(8)                                                              ERROR(8)
        the queue manager. Each  request  specifies  a  queue  file,  a  sender
        address,  the reason for non-delivery (specified as the next-hop desti-
        nation), and recipient information.  The reason may be prefixed with an
-       <a href="http://tools.ietf.org/html/rfc3463">RFC  3463</a>-compatible  detail code; if none is specified a default 4.0.0
+       <a href="https://tools.ietf.org/html/rfc3463">RFC  3463</a>-compatible  detail code; if none is specified a default 4.0.0
        or 5.0.0 code is used instead.  This program expects to be run from the
        <a href="master.8.html"><b>master</b>(8)</a> process manager.
 
@@ -34,7 +34,7 @@ ERROR(8)                                                              ERROR(8)
        network, and can be run chrooted at fixed low privilege.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
diff --git a/postfix/html/header_checks.5.html b/postfix/html/header_checks.5.html
index 14f3d6030..03b0f3ef7 100644
--- a/postfix/html/header_checks.5.html
+++ b/postfix/html/header_checks.5.html
@@ -173,7 +173,7 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
               Note  1:  the  BCC  address is added as if it was specified with
               NOTIFY=NONE. The sender  will  not  be  notified  when  the  BCC
               address  is  undeliverable,  as long as all down-stream software
-              implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+              implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
 
               Note 2: this ignores duplicate addresses (with the same delivery
               status notification options).
@@ -376,10 +376,10 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
               line at a time. A decision made for one line is not carried over
               to the next line.
 
-       <b>o</b>      If text in the message body is encoded (<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>) then the rules
+       <b>o</b>      If text in the message body is encoded (<a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>) then the rules
               need to be specified for the encoded form.
 
-       <b>o</b>      Likewise, when message headers are encoded (<a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>)  then  the
+       <b>o</b>      Likewise, when message headers are encoded (<a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a>)  then  the
               rules need to be specified for the encoded form.
 
        Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are excluded from
@@ -462,8 +462,8 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
        <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table management
        <a href="postsuper.1.html">postsuper(1)</a>, Postfix janitor
        <a href="postcat.1.html">postcat(1)</a>, show Postfix queue file contents
-       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>, base64 and quoted-printable encoding rules
-       <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>, message header encoding for non-ASCII text
+       <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>, base64 and quoted-printable encoding rules
+       <a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a>, message header encoding for non-ASCII text
 
 <b>README FILES</b>
        <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
diff --git a/postfix/html/ldap_table.5.html b/postfix/html/ldap_table.5.html
index 332bfbd23..9ca15f4b6 100644
--- a/postfix/html/ldap_table.5.html
+++ b/postfix/html/ldap_table.5.html
@@ -102,7 +102,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
                   timeout = 5
 
        <b>search_base (No default; you must configure this)</b>
-              The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g.
+              The <a href="https://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g.
 
                   search_base = dc=your, dc=com
 
@@ -111,18 +111,18 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
               <b>%%</b>     This is replaced by a literal '%' character.
 
-              <b>%s</b>     This  is  replaced by the input key.  <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is
+              <b>%s</b>     This  is  replaced by the input key.  <a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is
                      used to make sure that the input key does not  add  unex-
                      pected metacharacters.
 
               <b>%u</b>     When the input key is an address of the form user@domain,
-                     <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the
+                     <b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the
                      address.   Otherwise, <b>%u</b> is replaced by the entire search
                      string.  If the localpart is empty, the  search  is  sup-
                      pressed and returns no results.
 
               <b>%d</b>     When the input key is an address of the form user@domain,
-                     <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted  domain  part  of
+                     <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted  domain  part  of
                      the  address.   Otherwise,  the  search is suppressed and
                      returns no results.
 
@@ -142,7 +142,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
                      pressed and returns no results.
 
        <b>query_filter (default: mailacceptinggeneralid=%s)</b>
-              The  <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a>  filter used to search the directory, where <b>%s</b> is a
+              The  <a href="https://tools.ietf.org/html/rfc2254">RFC2254</a>  filter used to search the directory, where <b>%s</b> is a
               substitute for the address Postfix is trying to resolve, e.g.
 
                   query_filter = (&amp;(mail=%s)(paid_up=true))
@@ -152,18 +152,18 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               <b>%%</b>     This is replaced by a literal '%' character. (Postfix 2.2
                      and later).
 
-              <b>%s</b>     This  is  replaced by the input key.  <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is
+              <b>%s</b>     This  is  replaced by the input key.  <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is
                      used to make sure that the input key does not  add  unex-
                      pected metacharacters.
 
               <b>%u</b>     When the input key is an address of the form user@domain,
-                     <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the
+                     <b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the
                      address.   Otherwise, <b>%u</b> is replaced by the entire search
                      string.  If the localpart is empty, the  search  is  sup-
                      pressed and returns no results.
 
               <b>%d</b>     When the input key is an address of the form user@domain,
-                     <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted  domain  part  of
+                     <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted  domain  part  of
                      the  address.   Otherwise,  the  search is suppressed and
                      returns no results.
 
@@ -281,7 +281,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
        <b>special_result_attribute (default: empty)</b>
               The attribute(s) of directory entries that can  contain  DNs  or
-              <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to
+              <a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to
               retrieve the entry referenced by the DN, or the entries  matched
               by the URL query.
 
@@ -295,13 +295,13 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               special, leaf or terminal) in the Postfix table definition.   If
               the  URL  lists  any  of  the table's special result attributes,
               these are retrieved and used recursively. A URL  that  does  not
-              specify  any  attribute selection, is equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a
+              specify  any  attribute selection, is equivalent (<a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a
               URL that selects all attributes,  in  which  case  the  selected
               attributes  will  be  the  full  set of result attributes in the
               Postfix table.
 
               If an LDAP URL attribute-descriptor or the corresponding Postfix
-              LDAP  table  result  attribute  (but  not  both)  uses  <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>
+              LDAP  table  result  attribute  (but  not  both)  uses  <a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a>
               sub-type options ("attr;option"), the attribute  requested  from
               the  LDAP  server will include the sub-type option. In all other
               cases, the URL attribute and  the  table  attribute  must  match
@@ -629,7 +629,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
        ing at port 389 on ldap.example.com.  It will bind anonymously,  search
        for  any  directory  entries  whose mailacceptinggeneralid attribute is
        "ldapuser", read the "maildrop" attributes of those found, and build  a
-       list  of  their maildrops, which will be treated as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to
+       list  of  their maildrops, which will be treated as <a href="https://tools.ietf.org/html/rfc822">RFC822</a> addresses to
        which the message will be delivered.
 
 <b>OBSOLETE MAIN.CF PARAMETERS</b>
diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index b4420f221..1b62ba97b 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -141,26 +141,26 @@ SMTP(8)                                                                SMTP(8)
        low privilege.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
-       <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
-       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
-       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
-       <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
-       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
-       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
-       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
-       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
-       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
-       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
-       <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
-       <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
+       <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
+       <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+       <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
+       <a href="https://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
+       <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
+       <a href="https://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
+       <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
+       <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
+       <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+       <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+       <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
+       <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
 
 <b>DIAGNOSTICS</b>
        Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -231,7 +231,7 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
               Quote addresses in Postfix SMTP client MAIL  FROM  and  RCPT  TO
-              commands as required by <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+              commands as required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 
        <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
               A  mechanism  to  transform replies from remote SMTP servers one
@@ -635,10 +635,10 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.11-3.1:
 
        <b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
-              Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
+              Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
 
        <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
-              Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
+              Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
               digests of trust-anchors with certificate usage "2".
 
        Available in Postfix version 2.11 and later:
@@ -854,7 +854,7 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
               Enable  preliminary SMTPUTF8 support for the protocols described
-              in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
 
        <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
               Detect that a message requires SMTPUTF8 support for  the  speci-
diff --git a/postfix/html/local.8.html b/postfix/html/local.8.html
index af3491a8d..888fb31ba 100644
--- a/postfix/html/local.8.html
+++ b/postfix/html/local.8.html
@@ -159,7 +159,7 @@ LOCAL(8)                                                              LOCAL(8)
        follow  the  conventions  defined in &lt;<b>sysexits.h</b>&gt;.  Exit status 0 means
        normal successful completion.
 
-       Postfix version 2.3 and later support <a href="http://tools.ietf.org/html/rfc3463">RFC  3463</a>-style  enhanced  status
+       Postfix version 2.3 and later support <a href="https://tools.ietf.org/html/rfc3463">RFC  3463</a>-style  enhanced  status
        codes.   If  a  command terminates with a non-zero exit status, and the
        command output begins with an enhanced status code,  this  status  code
        takes precedence over the non-zero exit status.
@@ -279,8 +279,8 @@ LOCAL(8)                                                              LOCAL(8)
        the <b><a href="postconf.5.html#default_privs">default_privs</a></b> configuration parameter.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
 
 <b>DIAGNOSTICS</b>
        Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
diff --git a/postfix/html/master.5.html b/postfix/html/master.5.html
index c384136f7..b3a5fd7ec 100644
--- a/postfix/html/master.5.html
+++ b/postfix/html/master.5.html
@@ -122,8 +122,10 @@ MASTER(5)                                                            MASTER(5)
                      This feature is available as of Postfix version 2.5.
 
        <b>Private (default: y)</b>
-              Whether or not access is restricted to the mail system.   Inter-
-              net (type <b>inet</b>) services can't be private.
+              Whether a service is internal to Postfix (pathname  starts  with
+              <b>private/</b>),  or exposed through Postfix command-line tools (path-
+              name starts with <b>public/</b>).  Internet (type <b>inet</b>) services  can't
+              be private.
 
        <b>Unprivileged (default: y)</b>
               Whether the service runs with root privileges or as the owner of
diff --git a/postfix/html/oqmgr.8.html b/postfix/html/oqmgr.8.html
index 0624982f7..39c062295 100644
--- a/postfix/html/oqmgr.8.html
+++ b/postfix/html/oqmgr.8.html
@@ -133,8 +133,8 @@ OQMGR(8)                                                              OQMGR(8)
        queue manager of the arrival of new mail one would request <b>I</b>.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
-       <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+       <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
 
 <b>SECURITY</b>
        The  <a href="qmgr.8.html"><b>oqmgr</b>(8)</a> daemon is not security sensitive. It reads single-charac-
diff --git a/postfix/html/pipe.8.html b/postfix/html/pipe.8.html
index e112c7dda..46aba353e 100644
--- a/postfix/html/pipe.8.html
+++ b/postfix/html/pipe.8.html
@@ -121,7 +121,7 @@ PIPE(8)                                                                PIPE(8)
                      command-line <b>$sender</b>, <b>$original_recipient</b> and  <b>$recipient</b>
                      address  localparts (text to the left of the right-most <b>@</b>
                      character), according to an 8-bit transparent version  of
-                     <a href="http://tools.ietf.org/html/rfc822">RFC  822</a>.   This  is recommended for delivery via <b>UUCP</b> or
+                     <a href="https://tools.ietf.org/html/rfc822">RFC  822</a>.   This  is recommended for delivery via <b>UUCP</b> or
                      <b>BSMTP</b>.
 
                      The result is compatible with the address parsing of com-
@@ -306,7 +306,7 @@ PIPE(8)                                                                PIPE(8)
 
               <b>${sasl_sender}</b>
                      This  macro  expands  to  the  SASL sender name (i.e. the
-                     original submitter as per <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) in the MAIL FROM com-
+                     original submitter as per <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>) in the MAIL FROM com-
                      mand when the Postfix SMTP server received the message.
 
                      This feature is available as of Postfix 2.2.
@@ -343,7 +343,7 @@ PIPE(8)                                                                PIPE(8)
                      ing.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
 
 <b>DIAGNOSTICS</b>
        Command exit status  codes  are  expected  to  follow  the  conventions
diff --git a/postfix/html/postalias.1.html b/postfix/html/postalias.1.html
index e8710adaf..60dc43640 100644
--- a/postfix/html/postalias.1.html
+++ b/postfix/html/postalias.1.html
@@ -204,7 +204,7 @@ POSTALIAS(1)                                                      POSTALIAS(1)
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
               Enable  preliminary SMTPUTF8 support for the protocols described
-              in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
@@ -219,7 +219,7 @@ POSTALIAS(1)                                                      POSTALIAS(1)
               The initial OpenLDAP LMDB database size limit in bytes.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
 
 <b>SEE ALSO</b>
        <a href="aliases.5.html">aliases(5)</a>, format of alias database input file.
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index ab2f350e5..0ebb72008 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -124,7 +124,7 @@ is hard-coded as "450".
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 <p>
@@ -143,7 +143,7 @@ an <a href="access.5.html">access(5)</a> map "reject" action.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -828,7 +828,7 @@ that is received by the Postfix mail system.
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
 when the BCC address is undeliverable, as long as all down-stream
-software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
 </p>
 
 <p>
@@ -1357,7 +1357,7 @@ is placed into the Postfix configuration directory.  </p>
 
 <p>
 Enable interoperability with remote SMTP clients that implement an obsolete
-version of the AUTH command (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>). Examples of such clients
+version of the AUTH command (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>). Examples of such clients
 are MicroSoft Outlook Express version 4 and MicroSoft Exchange
 version 5.0.
 </p>
@@ -2519,7 +2519,7 @@ address, or Recipient address. </dd>
 <a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> configuration parameter. Note: The numerical
 SMTP response code is required, and must appear at the start of the
 reply. With Postfix version 2.3 and later this information may be followed
-by an <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> enhanced status code. </dd>
+by an <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> enhanced status code. </dd>
 
 <dt><b>$rbl_domain</b></dt>
 
@@ -2752,7 +2752,7 @@ client request is rejected by the "defer" restriction.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -3014,7 +3014,7 @@ Example:
 (default: no)</b></DT><DD>
 
 <p> Enable a workaround for future libc incompatibility. The Postfix
-implementation of <a href="http://tools.ietf.org/html/rfc2308">RFC 2308</a> negative reply caching relies on the
+implementation of <a href="https://tools.ietf.org/html/rfc2308">RFC 2308</a> negative reply caching relies on the
 promise that res_query() and res_search() invoke res_send(), which
 returns the server response in an application buffer even if the
 requested record does not exist. If this promise is broken, specify
@@ -3871,7 +3871,7 @@ address is empty. This is the same behavior as prior to Postfix
 3.3. </p>
 
 <li> <p> In the <b>standard</b> form, the <i>name</i> will be quoted
-if it contains <b>specials</b> as defined in <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a>, or the "!%"
+if it contains <b>specials</b> as defined in <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a>, or the "!%"
 address operators. </p>
 
 <li> <p> The Postfix <a href="sendmail.1.html">sendmail(1)</a> command gets <i>name</i> information
@@ -4126,7 +4126,7 @@ workaround will be phased out as IPv6 deployment becomes more common.
 <p> Note: you MUST stop and start Postfix after changing this
 parameter. </p>
 
-<p> On systems that pre-date IPV6_V6ONLY support (<a href="http://tools.ietf.org/html/rfc3493">RFC 3493</a>), an
+<p> On systems that pre-date IPV6_V6ONLY support (<a href="https://tools.ietf.org/html/rfc3493">RFC 3493</a>), an
 IPv6 server will also accept IPv4 connections, even when IPv4 is
 turned off with the <a href="postconf.5.html#inet_protocols">inet_protocols</a> parameter.  On systems with
 IPV6_V6ONLY support, Postfix will use separate server sockets for
@@ -4137,7 +4137,7 @@ corresponding protocol.  </p>
 Postfix will look up DNS type A records, and will convert
 IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original
 IPv4 form (1.2.3.4).  The latter is needed on hosts that pre-date
-IPV6_V6ONLY support (<a href="http://tools.ietf.org/html/rfc3493">RFC 3493</a>). </p>
+IPV6_V6ONLY support (<a href="https://tools.ietf.org/html/rfc3493">RFC 3493</a>). </p>
 
 <p> When IPv6 support is enabled via the <a href="postconf.5.html#inet_protocols">inet_protocols</a> parameter,
 Postfix will do DNS type AAAA record lookups. </p>
@@ -4262,7 +4262,7 @@ restriction.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -5874,7 +5874,7 @@ a neighboring system.  </dd>
 <dt><b><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a> </b></dt>
 
 <dd> Append the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> when the
-client is successfully authenticated via the <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH)
+client is successfully authenticated via the <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH)
 protocol. </dd>
 
 <dt><b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a> </b></dt>
@@ -6621,7 +6621,7 @@ client request is blocked by the <a href="postconf.5.html#reject_rbl_client">rej
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -7418,7 +7418,7 @@ restriction.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 <p>
@@ -9657,7 +9657,7 @@ equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.ht
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
 when the BCC address is undeliverable, as long as all down-stream
-software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
 </p>
 
 <p>
@@ -9798,7 +9798,7 @@ client request is rejected by the "reject" restriction.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -9937,7 +9937,7 @@ restriction.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -10204,7 +10204,7 @@ in multiple deliveries of the same message to mailing list members.
 looking inside quotes.  </p>
 
 <p> By default, the Postfix address resolver does not quote the
-address localpart as per <a href="http://tools.ietf.org/html/rfc822">RFC 822</a>, so that additional @ or % or !
+address localpart as per <a href="https://tools.ietf.org/html/rfc822">RFC 822</a>, so that additional @ or % or !
 operators remain visible. This behavior is safe but it is also
 technically incorrect.  </p>
 
@@ -10355,7 +10355,7 @@ equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.ht
 Note: with Postfix 2.3 and later the BCC address is added as if it
 was specified with NOTIFY=NONE. The sender will not be notified
 when the BCC address is undeliverable, as long as all down-stream
-software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
 </p>
 
 <p>
@@ -11401,7 +11401,7 @@ the CommonName is checked.  The behavior may be changed with the
 <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> option.  </p>
 
 <p> This option is useful only if you are definitely sure that you
-will only connect to servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that
+will only connect to servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that
 provide valid server certificates.  Typical use is for clients that
 send all their email to a dedicated mailhub.  </p>
 
@@ -11848,12 +11848,12 @@ The default time unit is s (seconds).
 <p>
 Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
 as required
-by <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>. This includes putting quotes around an address localpart
+by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. This includes putting quotes around an address localpart
 that ends in ".".
 </p>
 
 <p>
-The default is to comply with <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>. If you have to send mail to
+The default is to comply with <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. If you have to send mail to
 a broken SMTP server, configure a special SMTP client in <a href="master.5.html">master.cf</a>:
 </p>
 
@@ -12325,7 +12325,7 @@ Skip remote SMTP servers that greet with a 5XX status code.
 <p> By default, the Postfix SMTP client moves on the next mail
 exchanger. Specify "<a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> = no" if Postfix should
 bounce the mail immediately. Caution: the latter behavior appears
-to contradict <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
+to contradict <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
 
 
 </DD>
@@ -12849,7 +12849,7 @@ compiled and linked with OpenSSL 1.0.0 or later. </p>
 
 <p> With mandatory TLS encryption, require that the remote SMTP
 server hostname matches the information in the remote SMTP server
-certificate.  As of <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking
+certificate.  As of <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking
 for MTA clients are not specified. </p>
 
 <p> This option can be set to "no" to disable strict peer name
@@ -13475,7 +13475,7 @@ href="TLS_README.html#client_tls_may">may</a>.  If TLSA records are
 found, but none are usable, the effective security level is <a
 href="TLS_README.html#client_tls_encrypt">encrypt</a>.  When usable
 TLSA records are obtained for the remote SMTP server, the
-server certificate must match the TLSA records.  <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
+server certificate must match the TLSA records.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
 TLS authentication and DNSSEC support is available with Postfix
 2.11 and later. The optional "connection_reuse" attribute (Postfix
 &ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
@@ -13486,7 +13486,7 @@ TLS authentication and DNSSEC support is available with Postfix
 obtained via TLSA records in DNSSEC.  If no TLSA records are found,
 or none are usable, no connection is made to the server.  When
 usable TLSA records are obtained for the remote SMTP server, the
-server certificate must match the TLSA records.  <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS
+server certificate must match the TLSA records.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS
 authentication and DNSSEC support is available with Postfix 2.11
 and later. The optional "connection_reuse" attribute (Postfix &ge;
 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
@@ -13780,7 +13780,7 @@ in effect, the destination domain's containing DNS zone must be
 signed and the Postfix SMTP client's operating system must be
 configured to send its DNS queries to a recursive DNS nameserver
 that is able to validate the signed records.  Each MX host's DNS
-zone should also be signed, and should publish DANE TLSA (<a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>)
+zone should also be signed, and should publish DANE TLSA (<a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>)
 records that specify how that MX host's TLS certificate is to be
 verified.  TLSA records do not preempt the normal SMTP MX host
 selection algorithm, if some MX hosts support TLSA and others do
@@ -13795,13 +13795,13 @@ purposes of protocol and cipher selection, the "dane" security level
 is treated like a "mandatory" TLS security level, and weak ciphers
 and protocols are disabled.  Since DANE authenticates server
 certificates the "aNULL" cipher-suites are transparently excluded
-at this level, no need to configure this manually.  <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
+at this level, no need to configure this manually.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
 TLS authentication is available with Postfix 2.11 and later.  </dd>
 
 <dt><b><a href="TLS_README.html#client_tls_dane">dane-only</a></b></dt>
 <dd>Mandatory DANE TLS.  This is just like "dane" above, but DANE
 TLSA authentication is required.  There is no fallback to "may" or
-"encrypt" when TLSA records are missing or unusable.  <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>
+"encrypt" when TLSA records are missing or unusable.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>
 (DANE) TLS authentication is available with Postfix 2.11 and later.
 </dd>
 
@@ -13902,7 +13902,7 @@ Examples:
 <p> Optional name to send to the remote SMTP server in the TLS Server
 Name Indication (SNI) extension.  The SNI extension is always on when
 DANE is used to authenticate the server, and in that case the SNI name
-sent is the one required by <a href="http://tools.ietf.org/html/rfc7672">RFC7672</a> and this parameter is ignored. </p>
+sent is the one required by <a href="https://tools.ietf.org/html/rfc7672">RFC7672</a> and this parameter is ignored. </p>
 
 <p> Some SMTP servers use the received SNI name to select an appropriate
 certificate chain to present to the client.  While this may improve
@@ -14018,7 +14018,7 @@ trust-anchor files are used at all, they will be specified on a
 per-destination basis via the "tafile" attribute of the "verify"
 and "secure" levels in <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>.  </p>
 
-<p> The underlying mechanism is in support of <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE TLSA),
+<p> The underlying mechanism is in support of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE TLSA),
 which defines mechanisms for an SMTP client MTA to securely determine
 server TLS certificates via DNS.  </p>
 
@@ -14730,7 +14730,7 @@ network or network address listed in  $<a href="postconf.5.html#mynetworks">myne
 <dt><b><a name="permit_sasl_authenticated">permit_sasl_authenticated</a></b></dt>
 
 <dd> Permit the request when the client is successfully
-authenticated via the <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH) protocol. </dd>
+authenticated via the <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH) protocol. </dd>
 
 <dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
 
@@ -15262,7 +15262,7 @@ restriction lists" for a discussion of evaluation context and time.
 (default: no)</b></DT><DD>
 
 <p> Mandatory TLS: announce STARTTLS support to remote SMTP clients,
-and require that clients use TLS encryption.  According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a>
+and require that clients use TLS encryption.  According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a>
 this MUST NOT be applied in case of a publicly-referenced SMTP
 server.  This option is therefore off by default. </p>
 
@@ -16797,7 +16797,7 @@ releases it was called <b><a href="postconf.5.html#smtpd_sasl_application_name">
 When the client's "initial response" is longer than the normal limit for
 SMTP commands, the client must omit its initial response, and wait for an
 empty server challenge; it can then send what would have been its "initial
-response" as a response to the empty server challenge.  <a href="http://tools.ietf.org/html/rfc4954">RFC4954</a> requires the
+response" as a response to the empty server challenge.  <a href="https://tools.ietf.org/html/rfc4954">RFC4954</a> requires the
 server to accept client responses up to at least 12288 octets of
 base64-encoded text.  The default value is therefore also the minimum value
 accepted for this parameter.</p>
@@ -18321,7 +18321,7 @@ to remote SMTP clients, but do not require that clients use TLS encryption.
 
 <dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
 STARTTLS support to remote SMTP clients, and require that clients use TLS
-encryption. According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST NOT be applied in case
+encryption. According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST NOT be applied in case
 of a publicly-referenced SMTP server. Instead, this option should
 be used only on dedicated servers. </dd>
 
@@ -18372,7 +18372,7 @@ under a non-Postfix directory is redirected to the Postfix-owned
 <a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
 
 <p> As of Postfix 2.11 the preferred mechanism for session resumption
-is <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
+is <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
 storage.  Consequently, for Postfix &ge; 2.11 this parameter should
 generally be left empty.  TLS session tickets require an OpenSSL
 library (at least version 0.9.8h) that provides full support for
@@ -18401,7 +18401,7 @@ are not possible. </p>
 
 <p> As of Postfix 2.11 this setting cannot exceed 100 days.  If set
 &le; 0, session caching is disabled, not just via the database, but
-also via <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
+also via <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
 storage.  If set to a positive value less than 2 minutes, the minimum
 value of 2 minutes is used instead.  TLS session tickets require
 an OpenSSL library (at least version 0.9.8h) that provides full
@@ -18540,7 +18540,7 @@ mail. </dd>
 (default: yes)</b></DT><DD>
 
 <p> Enable preliminary SMTPUTF8 support for the protocols described
-in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533. This requires that Postfix is built to support
+in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533. This requires that Postfix is built to support
 these protocols. </p>
 
 <p> This feature is available in Postfix 3.0 and later. </p>
@@ -18708,12 +18708,12 @@ This feature is available in Postfix 2.0 and later.
 <p>
 Require that addresses received in SMTP MAIL FROM and RCPT TO
 commands are enclosed with &lt;&gt;, and that those addresses do
-not contain <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases.  This stops mail
+not contain <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases.  This stops mail
 from poorly written software.
 </p>
 
 <p>
-By default, the Postfix SMTP server accepts <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> syntax in MAIL
+By default, the Postfix SMTP server accepts <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> syntax in MAIL
 FROM and RCPT TO addresses.
 </p>
 
@@ -18891,10 +18891,10 @@ bytes (equivalent to 256 bits) is sufficient to generate a 128bit
 <DT><b><a name="tls_dane_digest_agility">tls_dane_digest_agility</a>
 (default: on)</b></DT><DD>
 
-<p> Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
+<p> Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
 Do not change this setting from its default value. </p>
 
-<p> See Section 8 of <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> for correct key rotation procedures.  </p>
+<p> See Section 8 of <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> for correct key rotation procedures.  </p>
 
 <p> This feature is available in Postfix 2.11 through 3.1.  Postfix
 3.2 and later ignore this configuration parameter and behave as
@@ -18906,7 +18906,7 @@ though it were set to "on".  </p>
 <DT><b><a name="tls_dane_digests">tls_dane_digests</a>
 (default: sha512 sha256)</b></DT><DD>
 
-<p> DANE TLSA (<a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="http://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) resource-record "matching
+<p> DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) resource-record "matching
 type" digest algorithms in descending preference order.  All the
 specified algorithms must be supported by the underlying OpenSSL
 library, otherwise the Postfix SMTP client will not support DANE
@@ -18929,7 +18929,7 @@ ignored with a warning. </p>
 
 <p> Note: It is unwise to omit sha256 from the digest list.  This
 digest algorithm is the only mandatory to implement digest algorithm
-in <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>, and many servers are expected publish TLSA records
+in <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, and many servers are expected publish TLSA records
 with just sha256 digests.  Unless one of the standard digests is
 seriously compromised and servers have had ample time to update their
 TLSA records you should not omit any standard digests, just arrange
@@ -18943,7 +18943,7 @@ them in order from strongest to weakest.  </p>
 <DT><b><a name="tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a>
 (default: yes)</b></DT><DD>
 
-<p> Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
+<p> Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
 digests of trust-anchors with certificate usage "2".  Do not change
 this setting from its default value.  </p>
 
@@ -19047,15 +19047,15 @@ be using 0.9.6! </dd>
 SMTP client and server.  These curves are used by the Postfix SMTP
 server when "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = auto".  The selected curves
 must be implemented by OpenSSL and be standardized for use in TLS
-(<a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a> or its imminent successor).  It is unwise to list only
+(<a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a> or its imminent successor).  It is unwise to list only
 "bleeding-edge" curves supported by a small subset of clients.  The
 default list is suitable for most users. </p>
 
 <p> Postfix skips curve names that are unknown to OpenSSL, or that
 are known but not yet implemented.  This makes it possible to
 "anticipate" support for curves that should be used once they become
-available.  In particular, in some OpenSSL versions, the new <a href="http://tools.ietf.org/html/rfc8031">RFC</a>
-<a href="http://tools.ietf.org/html/rfc8031">8031</a> curves "X25519" and "X448" may be known by name, but ECDH
+available.  In particular, in some OpenSSL versions, the new <a href="https://tools.ietf.org/html/rfc8031">RFC</a>
+<a href="https://tools.ietf.org/html/rfc8031">8031</a> curves "X25519" and "X448" may be known by name, but ECDH
 support for either or both may be missing.  These curves may appear
 in the default value of this parameter, even though they'll only
 be usable with later versions of OpenSSL.  </p>
@@ -19077,7 +19077,7 @@ server when "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_gra
 strong" means approximately 128-bit security based on best known
 attacks. The selected curve must be implemented by OpenSSL (as
 reported by ecparam(1) with the "-list_curves" option) and be one
-of the curves listed in Section 5.1.1 of <a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not
+of the curves listed in Section 5.1.1 of <a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not
 generally change this setting.  Remote SMTP client implementations
 must support this curve for EECDH key exchange to take place.  It
 is unwise to choose an "bleeding-edge" curve supported by only a
@@ -19122,7 +19122,7 @@ This additional strength comes at a significant computational cost, most
 users should instead set "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = strong".  The selected
 curve must be implemented by OpenSSL (as reported by ecparam(1) with the
 "-list_curves" option) and be one of the curves listed in Section 5.1.1
-of <a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not generally change this setting. </p>
+of <a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not generally change this setting. </p>
 
 <p> This default "ultra" curve is rated in NSA <a
 href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
@@ -19472,7 +19472,7 @@ listed before the corresponding certificates. </p>
 <DT><b><a name="tls_session_ticket_cipher">tls_session_ticket_cipher</a>
 (default: Postfix &ge; 3.0: aes-256-cbc, Postfix &lt; 3.0: aes-128-cbc)</b></DT><DD>
 
-<p> Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.  This
+<p> Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.  This
 algorithm must use CBC mode, have a 128-bit block size, and must
 have a key length between 128 and 256 bits.  The default is
 aes-256-cbc.  Overriding the default to choose a different algorithm
@@ -20627,7 +20627,7 @@ is one of the possible replies from the restrictions
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -20660,7 +20660,7 @@ with 450 when the mapping failed due to a temporary error condition.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -20691,7 +20691,7 @@ specified with the HELO or EHLO command is rejected by the
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 
@@ -20791,7 +20791,7 @@ accept the address anyway.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 <p>
@@ -20815,7 +20815,7 @@ accept the address anyway.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 <p>
@@ -20873,7 +20873,7 @@ accept the address anyway.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 <p>
@@ -20897,7 +20897,7 @@ accept the address anyway.
 </p>
 
 <p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 </p>
 
 <p>
diff --git a/postfix/html/postmap.1.html b/postfix/html/postmap.1.html
index 3ce1ff838..db9fa28b2 100644
--- a/postfix/html/postmap.1.html
+++ b/postfix/html/postmap.1.html
@@ -47,7 +47,7 @@ POSTMAP(1)                                                          POSTMAP(1)
        will store the base64-encoded result instead of the <i>value</i>.
 
        When the <i>key</i> specifies email address information, the localpart  should
-       be enclosed with double quotes if required by <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a>. For example, an
+       be enclosed with double quotes if required by <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a>. For example, an
        address localpart that contains ";", or a localpart that starts or ends
        with ".".
 
@@ -62,7 +62,7 @@ POSTMAP(1)                                                          POSTMAP(1)
 <b>COMMAND-LINE ARGUMENTS</b>
        <b>-b</b>     Enable  message  body  query mode. When reading lookup keys from
               standard input with "<b>-q -</b>", process the input as  if  it  is  an
-              email  message  in  <a href="http://tools.ietf.org/html/rfc5322">RFC  5322</a> format.  Each line of body content
+              email  message  in  <a href="https://tools.ietf.org/html/rfc5322">RFC  5322</a> format.  Each line of body content
               becomes one lookup key.
 
               By default, the <b>-b</b> option starts generating lookup keys  at  the
@@ -107,7 +107,7 @@ POSTMAP(1)                                                          POSTMAP(1)
 
        <b>-h</b>     Enable  message header query mode. When reading lookup keys from
               standard input with "<b>-q -</b>", process the input as  if  it  is  an
-              email  message  in  <a href="http://tools.ietf.org/html/rfc5322">RFC  5322</a>  format.  Each logical header line
+              email  message  in  <a href="https://tools.ietf.org/html/rfc5322">RFC  5322</a>  format.  Each logical header line
               becomes one lookup key. A multi-line header becomes  one  lookup
               key with one or more embedded newline characters.
 
@@ -276,7 +276,7 @@ POSTMAP(1)                                                          POSTMAP(1)
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
               Enable preliminary SMTPUTF8 support for the protocols  described
-              in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
diff --git a/postfix/html/postqueue.1.html b/postfix/html/postqueue.1.html
index 767cb070f..83721034b 100644
--- a/postfix/html/postqueue.1.html
+++ b/postfix/html/postqueue.1.html
@@ -87,8 +87,8 @@ POSTQUEUE(1)                                                      POSTQUEUE(1)
 
        <b>-s</b> <i>site</i>
               Schedule  immediate  delivery of all mail that is queued for the
-              named <i>site</i>. A numerical site must be specified as  a  valid  <a href="http://tools.ietf.org/html/rfc5321">RFC</a>
-              <a href="http://tools.ietf.org/html/rfc5321">5321</a>  address  literal  enclosed  in  [],  just  like  in  email
+              named <i>site</i>. A numerical site must be specified as  a  valid  <a href="https://tools.ietf.org/html/rfc5321">RFC</a>
+              <a href="https://tools.ietf.org/html/rfc5321">5321</a>  address  literal  enclosed  in  [],  just  like  in  email
               addresses.  The site must be eligible for the "fast flush"  ser-
               vice.   See <a href="flush.8.html"><b>flush</b>(8)</a> for more information about the "fast flush"
               service.
@@ -156,7 +156,7 @@ POSTQUEUE(1)                                                      POSTQUEUE(1)
        it can connect to Postfix daemon processes.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc7159">RFC 7159</a> (JSON notation)
+       <a href="https://tools.ietf.org/html/rfc7159">RFC 7159</a> (JSON notation)
 
 <b>DIAGNOSTICS</b>
        Problems are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>, and to  the  standard
diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html
index c0e59650b..c60e1134d 100644
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@@ -55,20 +55,20 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        fixed low privilege.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
-       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
-       <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
-       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
-       <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
-       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
-       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
-       Not: <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
-       <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
-       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
-       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
-       <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)
+       <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
+       <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+       <a href="https://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
+       <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
+       <a href="https://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
+       <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
+       <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+       Not: <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
+       <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
+       <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+       <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+       <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
diff --git a/postfix/html/qmgr.8.html b/postfix/html/qmgr.8.html
index 96380b4f6..a19958510 100644
--- a/postfix/html/qmgr.8.html
+++ b/postfix/html/qmgr.8.html
@@ -138,8 +138,8 @@ QMGR(8)                                                                QMGR(8)
        queue manager of the arrival of new mail one would request <b>I</b>.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
-       <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+       <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
 
 <b>SECURITY</b>
        The <a href="qmgr.8.html"><b>qmgr</b>(8)</a> daemon is not security sensitive. It reads single-character
diff --git a/postfix/html/qmqpd.8.html b/postfix/html/qmqpd.8.html
index 5da7a369a..bf045f30b 100644
--- a/postfix/html/qmqpd.8.html
+++ b/postfix/html/qmqpd.8.html
@@ -60,7 +60,7 @@ QMQPD(8)                                                              QMQPD(8)
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
               Enable preliminary SMTPUTF8 support for the protocols  described
-              in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
 
        <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
               Detect  that  a message requires SMTPUTF8 support for the speci-
diff --git a/postfix/html/smtp-sink.1.html b/postfix/html/smtp-sink.1.html
index 2802aad96..a3644f8a7 100644
--- a/postfix/html/smtp-sink.1.html
+++ b/postfix/html/smtp-sink.1.html
@@ -269,7 +269,7 @@ SMTP-SINK(1)                                                      SMTP-SINK(1)
                      dom portion of the per-message capture file name.
 
               <i>time-stamp</i>
-                     A time stamp as defined in <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a>.
+                     A time stamp as defined in <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a>.
 
 <b>SEE ALSO</b>
        <a href="smtp-source.1.html">smtp-source(1)</a>, SMTP/LMTP message generator
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index b4420f221..1b62ba97b 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -141,26 +141,26 @@ SMTP(8)                                                                SMTP(8)
        low privilege.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
-       <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
-       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
-       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
-       <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
-       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
-       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
-       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
-       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
-       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
-       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
-       <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
-       <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
+       <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
+       <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+       <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
+       <a href="https://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
+       <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
+       <a href="https://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
+       <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
+       <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
+       <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+       <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+       <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
+       <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
 
 <b>DIAGNOSTICS</b>
        Problems  and  transactions  are  logged  to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -231,7 +231,7 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
               Quote addresses in Postfix SMTP client MAIL  FROM  and  RCPT  TO
-              commands as required by <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+              commands as required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
 
        <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
               A  mechanism  to  transform replies from remote SMTP servers one
@@ -635,10 +635,10 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.11-3.1:
 
        <b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
-              Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
+              Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
 
        <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
-              Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
+              Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
               digests of trust-anchors with certificate usage "2".
 
        Available in Postfix version 2.11 and later:
@@ -854,7 +854,7 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
               Enable  preliminary SMTPUTF8 support for the protocols described
-              in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
 
        <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
               Detect that a message requires SMTPUTF8 support for  the  speci-
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index db7d76308..fbf1875cc 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -40,27 +40,27 @@ SMTPD(8)                                                              SMTPD(8)
        chrooted at fixed low privilege.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
-       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
-       <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
-       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message size declaration)
-       <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
-       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP enhanced status codes)
-       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
-       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP pipelining)
-       <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
-       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
-       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN extension)
-       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
-       <a href="http://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP transmission types)
-       <a href="http://tools.ietf.org/html/rfc4409">RFC 4409</a> (Message submission)
-       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
-       <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
-       <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
-       <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc7505">RFC 7505</a> ("Null MX" No Service Resource Record)
+       <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
+       <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+       <a href="https://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
+       <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message size declaration)
+       <a href="https://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
+       <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP enhanced status codes)
+       <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
+       <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP pipelining)
+       <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
+       <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+       <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN extension)
+       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+       <a href="https://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP transmission types)
+       <a href="https://tools.ietf.org/html/rfc4409">RFC 4409</a> (Message submission)
+       <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
+       <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
+       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc7505">RFC 7505</a> ("Null MX" No Service Resource Record)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
@@ -84,7 +84,7 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
               Enable  interoperability with remote SMTP clients that implement
-              an obsolete version of the AUTH command (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).
+              an obsolete version of the AUTH command (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>).
 
        <b><a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> (no)</b>
               Disable the SMTP VRFY command.
@@ -97,7 +97,7 @@ SMTPD(8)                                                              SMTPD(8)
        <b><a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> (no)</b>
               Require that addresses received in SMTP MAIL FROM  and  RCPT  TO
               commands  are  enclosed with &lt;&gt;, and that those addresses do not
-              contain <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases.
+              contain <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases.
 
        Available in Postfix version 2.1 and later:
 
@@ -350,14 +350,14 @@ SMTPD(8)                                                              SMTPD(8)
               ture.
 
 <b>SASL AUTHENTICATION CONTROLS</b>
-       Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenticate remote SMTP
+       Postfix SASL support (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenticate remote SMTP
        clients  to  the  Postfix  SMTP server, and to authenticate the Postfix
        SMTP client to a remote SMTP server.  See the <a href="SASL_README.html">SASL_README</a> document  for
        details.
 
        <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
               Enable  interoperability with remote SMTP clients that implement
-              an obsolete version of the AUTH command (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).
+              an obsolete version of the AUTH command (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>).
 
        <b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b>
               Enable SASL authentication in the Postfix SMTP server.
@@ -601,7 +601,7 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a>  (Postfix</b> &gt;<b>= 3.0: aes-256-cbc, Postfix</b> &lt; <b>3.0:</b>
        <b>aes-128-cbc)</b>
-              Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
+              Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
 
        Available in Postfix version 3.2 and later:
 
@@ -654,7 +654,7 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
               Enable preliminary SMTPUTF8 support for the protocols  described
-              in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
 
        <b><a href="postconf.5.html#strict_smtputf8">strict_smtputf8</a> (no)</b>
               Enable stricter enforcement of the SMTPUTF8 protocol.
diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html
index 1c6ec5576..6f5ad53ef 100644
--- a/postfix/html/tlsproxy.8.html
+++ b/postfix/html/tlsproxy.8.html
@@ -111,10 +111,10 @@ TLSPROXY(8)                                                        TLSPROXY(8)
        Available in Postfix version 2.11-3.1:
 
        <b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
-              Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
+              Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
 
        <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
-              Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
+              Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
               digests of trust-anchors with certificate usage "2".
 
        Available in Postfix version 2.11 and later:
@@ -126,7 +126,7 @@ TLSPROXY(8)                                                        TLSPROXY(8)
 
        <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix</b> &gt;<b>= 3.0: aes-256-cbc, Postfix</b> &lt;  <b>3.0:</b>
        <b>aes-128-cbc)</b>
-              Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
+              Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
 
        <b><a href="postconf.5.html#openssl_path">openssl_path</a> (openssl)</b>
               The location of the OpenSSL command line program <b>openssl</b>(1).
diff --git a/postfix/html/trace.8.html b/postfix/html/trace.8.html
index 077af1668..5421e49e7 100644
--- a/postfix/html/trace.8.html
+++ b/postfix/html/trace.8.html
@@ -39,16 +39,16 @@ BOUNCE(8)                                                            BOUNCE(8)
        and that depend on retry logic in their own client.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
-       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
-       <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
-       <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
-       <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
-       <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
-       <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
-       <a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
-       <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
+       <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
+       <a href="https://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+       <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+       <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+       <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
+       <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
diff --git a/postfix/html/virtual.8.html b/postfix/html/virtual.8.html
index e67218054..6de6dd6d7 100644
--- a/postfix/html/virtual.8.html
+++ b/postfix/html/virtual.8.html
@@ -118,7 +118,7 @@ VIRTUAL(8)                                                          VIRTUAL(8)
        fatal error.
 
 <b>STANDARDS</b>
-       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
 
 <b>DIAGNOSTICS</b>
        Mail bounces when the recipient has no mailbox or when the recipient is
diff --git a/postfix/man/man5/master.5 b/postfix/man/man5/master.5
index 14e436bb8..d17b1797c 100644
--- a/postfix/man/man5/master.5
+++ b/postfix/man/man5/master.5
@@ -123,7 +123,9 @@ implemented with streams sockets.
 This feature is available as of Postfix version 2.5.
 .RE
 .IP "\fBPrivate (default: y)\fR"
-Whether or not access is restricted to the mail system.
+Whether a service is internal to Postfix (pathname starts
+with \fBprivate/\fR), or exposed through Postfix command\-line
+tools (pathname starts with \fBpublic/\fR).
 Internet (type \fBinet\fR) services can't be private.
 .IP "\fBUnprivileged (default: y)\fR"
 Whether the service runs with root privileges or as the
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index d4902b41a..bc6854c8d 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -1160,7 +1160,7 @@ while (<>) {
 
     if (!/href=/) { s/(https?:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/; }
     s/(ftp:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
-    s/\bRFC\s*([1-9]\d*)/<a href="http:\/\/tools.ietf.org\/html\/rfc$1">$&<\/a>/g;
+    s/\bRFC\s*([1-9]\d*)/<a href="https:\/\/tools.ietf.org\/html\/rfc$1">$&<\/a>/g;
 
     # Split README/RFC/parameter/restriction hyperlinks that span line breaks
 
diff --git a/postfix/proto/master b/postfix/proto/master
index 64fb1211a..6f01c16ce 100644
--- a/postfix/proto/master
+++ b/postfix/proto/master
@@ -117,7 +117,9 @@
 #	This feature is available as of Postfix version 2.5.
 # .RE
 # .IP "\fBPrivate (default: y)\fR"
-#	Whether or not access is restricted to the mail system.
+#	Whether a service is internal to Postfix (pathname starts
+#	with \fBprivate/\fR), or exposed through Postfix command-line
+#	tools (pathname starts with \fBpublic/\fR).
 #	Internet (type \fBinet\fR) services can't be private.
 # .IP "\fBUnprivileged (default: y)\fR"
 #	Whether the service runs with root privileges or as the
diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in
index fb426057a..0944a75a9 100644
--- a/postfix/src/global/Makefile.in
+++ b/postfix/src/global/Makefile.in
@@ -1941,6 +1941,7 @@ mail_params.o: ../../include/vbuf.h
 mail_params.o: ../../include/vstream.h
 mail_params.o: ../../include/vstring.h
 mail_params.o: ../../include/vstring_vstream.h
+mail_params.o: config_known_tcp_ports.h
 mail_params.o: compat_level.h
 mail_params.o: mail_conf.h
 mail_params.o: mail_params.c
diff --git a/postfix/src/global/config_known_tcp_ports.c b/postfix/src/global/config_known_tcp_ports.c
index 84f66e810..563bbd356 100644
--- a/postfix/src/global/config_known_tcp_ports.c
+++ b/postfix/src/global/config_known_tcp_ports.c
@@ -58,6 +58,8 @@ void    config_known_tcp_ports(const char *source, const char *settings)
     ARGV   *association;
     char  **cpp;
 
+    clear_known_tcp_ports();
+
     /*
      * The settings is in the form of associations separated by comma. Split
      * it into separate associations.
diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c
index 44a5a84ac..81aee73cf 100644
--- a/postfix/src/global/mail_params.c
+++ b/postfix/src/global/mail_params.c
@@ -237,6 +237,7 @@
 #include <own_inet_addr.h>
 #include <mail_params.h>
 #include <compat_level.h>
+#include <config_known_tcp_ports.h>
 
  /*
   * Special configuration variables.
@@ -922,6 +923,11 @@ void    mail_params_init()
 #endif
     util_utf8_enable = var_smtputf8_enable;
 
+    /*
+     * Configure the known TCP port mappings.
+     */
+    config_known_tcp_ports(VAR_KNOWN_TCP_PORTS, var_known_tcp_ports);
+
     /*
      * What protocols should we attempt to support? The result is stored in
      * the global inet_proto_table variable.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 5649b58d8..68e2f92b1 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20211002"
+#define MAIL_RELEASE_DATE	"20211022"
 #define MAIL_VERSION_NUMBER	"3.7"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c
index 9e8020dae..28e204856 100644
--- a/postfix/src/posttls-finger/posttls-finger.c
+++ b/postfix/src/posttls-finger/posttls-finger.c
@@ -1490,12 +1490,14 @@ static char *parse_destination(char *destination, char *def_service,
     /*
      * Convert service to port number, network byte order.
      */
+    service = (char *) filter_known_tcp_port(service);
     if (alldig(service)) {
 	if ((port = atoi(service)) >= 65536 || port == 0)
-	    msg_fatal("bad network port in destination: %s", destination);
+	    msg_fatal("bad network port: %s for destination: %s",
+		      service, destination);
 	*portp = htons(port);
     } else {
-	if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) != 0)
+	if ((sp = getservbyname(service, protocol)) != 0)
 	    *portp = sp->s_port;
 	else if (strcmp(service, "smtp") == 0)
 	    *portp = htons(25);
diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c
index 43df3fe04..f93e7efc6 100644
--- a/postfix/src/smtp/smtp_connect.c
+++ b/postfix/src/smtp/smtp_connect.c
@@ -356,12 +356,14 @@ static char *smtp_parse_destination(char *destination, char *def_service,
     /*
      * Convert service to port number, network byte order.
      */
+    service = (char *) filter_known_tcp_port(service);
     if (alldig(service)) {
 	if ((port = atoi(service)) >= 65536 || port == 0)
-	    msg_fatal("bad network port in destination: %s", destination);
+	    msg_fatal("bad network port: %s for destination: %s",
+		      service, destination);
 	*portp = htons(port);
     } else {
-	if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) == 0)
+	if ((sp = getservbyname(service, protocol)) == 0)
 	    msg_fatal("unknown service: %s/%s", service, protocol);
 	*portp = sp->s_port;
     }
diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in
index fa23e20e2..47e467442 100644
--- a/postfix/src/util/Makefile.in
+++ b/postfix/src/util/Makefile.in
@@ -140,7 +140,7 @@ TESTPROG= dict_open dup2_pass_on_exec events exec_command fifo_open \
 	valid_utf8_string ip_match base32_code msg_rate_delay netstring \
 	vstream timecmp dict_cache midna_domain casefold strcasecmp_utf8 \
 	vbuf_print split_qnameval vstream msg_logger byte_mask \
-	known_tcp_ports dict_stream
+	known_tcp_ports dict_stream find_inet
 PLUGIN_MAP_SO = $(LIB_PREFIX)pcre$(LIB_SUFFIX)
 
 LIB_DIR	= ../../lib
@@ -472,6 +472,11 @@ sane_basename: $(LIB)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(SYSLIBS)
 	mv junk $@.o
 
+find_inet: $(LIB)
+	mv $@.o junk
+	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(SYSLIBS)
+	mv junk $@.o
+
 stream_test: stream_test.c $(LIB)
 	$(CC) $(CFLAGS)  -o $@ $@.c $(LIB) $(SYSLIBS)
 
@@ -1010,6 +1015,11 @@ dict_inline_cidr_test: dict_open dict_inline_cidr.ref
 	diff dict_inline_cidr.ref dict_inline_cidr.tmp
 	rm -f dict_inline_cidr.tmp
 
+find_inet_test: find_inet find_inet.ref
+	    $(SHLIB_ENV) ${VALGRIND} ./find_inet >find_inet.tmp 2>&1
+	diff find_inet.ref find_inet.tmp
+	rm -f find_inet.tmp
+
 depend: $(MAKES)
 	(sed '1,/^# do not edit/!d' Makefile.in; \
 	set -e; for i in [a-z][a-z0-9]*.c; do \
diff --git a/postfix/src/util/find_inet.c b/postfix/src/util/find_inet.c
index 47a5cff4e..294634c50 100644
--- a/postfix/src/util/find_inet.c
+++ b/postfix/src/util/find_inet.c
@@ -35,6 +35,11 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
+/*
+/*	Wietse Venema
+/*	Google, Inc.
+/*	111 8th Avenue
+/*	New York, NY 10011, USA
 /*--*/
 
 /* System libraries. */
@@ -58,6 +63,12 @@
 #define INADDR_NONE 0xffffffff
 #endif
 
+#ifdef TEST
+extern NORETURN PRINTFLIKE(1, 2) test_msg_fatal(const char *,...);
+
+#define msg_fatal test_msg_fatal
+#endif
+
 /* find_inet_addr - translate numerical or symbolic host name */
 
 unsigned find_inet_addr(const char *host)
@@ -85,13 +96,158 @@ int     find_inet_port(const char *service, const char *protocol)
     struct servent *sp;
     int     port;
 
+    service = filter_known_tcp_port(service);
     if (alldig(service) && (port = atoi(service)) != 0) {
 	if (port < 0 || port > 65535)
 	    msg_fatal("bad port number: %s", service);
 	return (htons(port));
     } else {
-	if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) == 0)
+	if ((sp = getservbyname(service, protocol)) == 0)
 	    msg_fatal("unknown service: %s/%s", service, protocol);
 	return (sp->s_port);
     }
 }
+
+#ifdef TEST
+
+#include <stdlib.h>
+#include <setjmp.h>
+#include <string.h>
+
+#include <vstream.h>
+#include <vstring.h>
+#include <msg_vstream.h>
+
+#define STR(x) vstring_str(x)
+
+ /* TODO(wietse) make this a proper VSTREAM interface */
+
+/* vstream_swap - kludge to capture output for testing */
+
+static void vstream_swap(VSTREAM *one, VSTREAM *two)
+{
+    VSTREAM save;
+
+    save = *one;
+    *one = *two;
+    *two = save;
+}
+
+jmp_buf test_fatal_jbuf;
+
+#undef msg_fatal
+
+/* test_msg_fatal - does not return, and does not terminate */
+
+void    test_msg_fatal(const char *fmt,...)
+{
+    va_list ap;
+
+    va_start(ap, fmt);
+    vmsg_warn(fmt, ap);
+    va_end(ap);
+    longjmp(test_fatal_jbuf, 1);
+}
+
+struct association {
+    const char *lhs;			/* service name */
+    const char *rhs;			/* service port */
+};
+
+struct test_case {
+    const char *label;			/* identifies test case */
+    struct association associations[10];
+    const char *service;
+    const char *proto;
+    const char *exp_warning;		/* expected error */
+    int     exp_hport;			/* expected port, host byte order */
+};
+
+struct test_case test_cases[] = {
+    {"good-symbolic",
+	 /* association */ {{"foobar", "25252"}, 0},
+	 /* service */ "foobar",
+	 /* proto */ "tcp",
+	 /* exp_warning */ "",
+	 /* exp_hport */ 25252,
+    },
+    {"good-numeric",
+	 /* association */ {{"foobar", "25252"}, 0},
+	 /* service */ "25252",
+	 /* proto */ "tcp",
+	 /* exp_warning */ "",
+	 /* exp_hport */ 25252,
+    },
+    {"bad-symbolic",
+	 /* association */ {{"foobar", "25252"}, 0},
+	 /* service */ "an-impossible-name",
+	 /* proto */ "tcp",
+	 /* exp_warning */ "find_inet: warning: unknown service: an-impossible-name/tcp\n",
+    },
+    {"bad-numeric",
+	 /* association */ {{"foobar", "25252"}, 0},
+	 /* service */ "123456",
+	 /* proto */ "tcp",
+	 /* exp_warning */ "find_inet: warning: bad port number: 123456\n",
+    },
+};
+
+int main(int argc, char **argv) {
+    struct test_case *tp;
+    struct association *ap;
+    int     pass = 0;
+    int     fail = 0;
+    const char *err;
+    int     test_failed;
+    int     nport;
+    VSTRING *msg_buf;
+    VSTREAM *memory_stream;
+
+    msg_vstream_init("find_inet", VSTREAM_ERR);
+    msg_buf = vstring_alloc(100);
+
+    for (tp = test_cases; tp->label != 0; tp++) {
+	test_failed = 0;
+	VSTRING_RESET(msg_buf);
+	VSTRING_TERMINATE(msg_buf);
+	clear_known_tcp_ports();
+	for (err = 0, ap = tp->associations; err == 0 && ap->lhs != 0; ap++)
+	    err = add_known_tcp_port(ap->lhs, ap->rhs);
+	if (err != 0) {
+	    msg_warn("test case %s: got err: \"%s\"", tp->label, err);
+	    test_failed = 1;
+	} else {
+	    if ((memory_stream = vstream_memopen(msg_buf, O_WRONLY)) == 0)
+		msg_fatal("open memory stream: %m");
+	    vstream_swap(VSTREAM_ERR, memory_stream);
+	    if (setjmp(test_fatal_jbuf) == 0)
+		nport = find_inet_port(tp->service, tp->proto);
+	    vstream_swap(memory_stream, VSTREAM_ERR);
+	    if (vstream_fclose(memory_stream))
+		msg_fatal("close memory stream: %m");
+	    if (strcmp(STR(msg_buf), tp->exp_warning) != 0) {
+		msg_warn("test case %s: got error: \"%s\", want: \"%s\"",
+			 tp->label, STR(msg_buf), tp->exp_warning);
+		test_failed = 1;
+	    } else if (tp->exp_warning[0] == 0) {
+		if (ntohs(nport) != tp->exp_hport) {
+		    msg_warn("test case %s: got port \"%d\", want: \"%d\"",
+			     tp->label, ntohs(nport), tp->exp_hport);
+		    test_failed = 1;
+		}
+	    }
+	}
+	if (test_failed) {
+	    msg_info("%s: FAIL", tp->label);
+	    fail++;
+	} else {
+	    msg_info("%s: PASS", tp->label);
+	    pass++;
+	}
+    }
+    msg_info("PASS=%d FAIL=%d", pass, fail);
+    vstring_free(msg_buf);
+    exit(fail != 0);
+}
+
+#endif
diff --git a/postfix/src/util/find_inet.ref b/postfix/src/util/find_inet.ref
new file mode 100644
index 000000000..a6f9cac28
--- /dev/null
+++ b/postfix/src/util/find_inet.ref
@@ -0,0 +1,5 @@
+find_inet: good-symbolic: PASS
+find_inet: good-numeric: PASS
+find_inet: bad-symbolic: PASS
+find_inet: bad-numeric: PASS
+find_inet: PASS=4 FAIL=0
diff --git a/postfix/src/util/myaddrinfo.c b/postfix/src/util/myaddrinfo.c
index ec62676e1..a80eb2f79 100644
--- a/postfix/src/util/myaddrinfo.c
+++ b/postfix/src/util/myaddrinfo.c
@@ -179,6 +179,11 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
+/*
+/*	Wietse Venema
+/*	Google, Inc.
+/*	111 8th Avenue
+/*	New York, NY 10011, USA
 /*--*/
 
 /* System library. */
@@ -271,6 +276,7 @@ static int find_service(const char *service, int socktype)
     const char *proto;
     unsigned port;
 
+    service = filter_known_tcp_port(service);
     if (alldig(service)) {
 	port = atoi(service);
 	return (port < 65536 ? htons(port) : -1);
@@ -282,7 +288,7 @@ static int find_service(const char *service, int socktype)
     } else {
 	return (-1);
     }
-    if ((sp = getservbyname(filter_known_tcp_port(service), proto)) != 0) {
+    if ((sp = getservbyname(service, proto)) != 0) {
 	return (sp->s_port);
     } else {
 	return (-1);
@@ -445,7 +451,12 @@ int     hostname_to_sockaddr_pf(const char *hostname, int pf,
 	}
 #endif
     }
-    err = getaddrinfo(hostname, filter_known_tcp_port(service), &hints, res);
+    if (service) {
+	service = filter_known_tcp_port(service);
+	if (alldig(service))
+	    hints.ai_flags |= AI_NUMERICSERV;
+    }
+    err = getaddrinfo(hostname, service, &hints, res);
 #if defined(BROKEN_AI_NULL_SERVICE)
     if (service == 0 && err == 0) {
 	struct addrinfo *r;
@@ -561,7 +572,12 @@ int     hostaddr_to_sockaddr(const char *hostaddr, const char *service,
 	}
 #endif
     }
-    err = getaddrinfo(hostaddr, filter_known_tcp_port(service), &hints, res);
+    if (service) {
+	service = filter_known_tcp_port(service);
+	if (alldig(service))
+	    hints.ai_flags |= AI_NUMERICSERV;
+    }
+    err = getaddrinfo(hostaddr, service, &hints, res);
 #if defined(BROKEN_AI_NULL_SERVICE)
     if (service == 0 && err == 0) {
 	struct addrinfo *r;