From 6c23bcd020da2946ff5d4631abab736062dce6e2 Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Mon, 20 Dec 1999 00:00:00 -0500
Subject: [PATCH] snapshot-19991220

---
 postfix/HISTORY                  |   9 ++
 postfix/conf/main.cf             |  79 +++++------------
 postfix/conf/sample-local.cf     |   7 +-
 postfix/conf/sample-smtpd.cf     |  41 ++++++---
 postfix/conf/sample-transport.cf |  16 ++--
 postfix/conf/sample-virtual.cf   |   2 +-
 postfix/conf/virtual             |   6 +-
 postfix/global/mail_params.h     |   4 +-
 postfix/global/mail_version.h    |   2 +-
 postfix/html/faq.html            | 116 ++++++++++++++++---------
 postfix/html/qmgr.8.html         |  90 +++++++++++++++++---
 postfix/html/smtpd.8.html        | 104 +++++++++++------------
 postfix/html/uce.html            | 140 ++++++++++++++++++++++---------
 postfix/html/virtual.5.html      |  54 ++++++------
 postfix/man/man5/virtual.5       |   6 +-
 postfix/man/man8/qmgr.8          |  13 +++
 postfix/man/man8/smtpd.8         |   4 +
 postfix/smtpd/smtpd_check.c      |  44 +++++++---
 18 files changed, 462 insertions(+), 275 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index ab839d5dc..53f5976ad 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -3427,3 +3427,12 @@ Apologies for any names omitted.
 	Cleanup: INSTALL.sh uses a configurable directory for
 	scratch files, so that it can install from a file system
 	that is not writable by the super-user.
+
+19991220
+
+	Cleanup: it is no longer necessary to list $virtual_maps
+	as part of the relay_domains definition. The SMTP server
+	now by default accepts mail for domains that match
+	$mydestination or $virtual_maps, or that resolve to a mail
+	delivery transport that is listed in $local_transport.
+	Files: smtpd/smtpd_check.c and lots of documentation.
diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf
index 915380aa6..bd414eaa1 100644
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@@ -14,12 +14,6 @@
 #
 queue_directory = /var/spool/postfix
 
-# The program_directory parameter specifies the default location of
-# Postfix support programs and daemons. This setting can be overruled
-# with the command_directory and daemon_directory parameters.
-#
-program_directory = /some/where/postfix/bin
-
 # The command_directory parameter specifies the location of all
 # postXXX commands.  The default value is $program_directory.
 #
@@ -90,7 +84,9 @@ mail_owner = postfix
 #inet_interfaces = $myhostname, localhost
 
 # The mydestination parameter specifies the list of domains that this
-# machine considers itself the final destination for.
+# machine considers itself the final destination for. That does not
+# include domains that are hosted on this machine. Those domains are
+# specified elsewhere (see sample-virtual.cf, and sample-transport.cf).
 #
 # The default is $myhostname + localhost.$mydomain.  On a mail domain
 # gateway, you should also include $mydomain. Do not specify the
@@ -131,34 +127,6 @@ mail_owner = postfix
 #
 #local_recipient_maps = $alias_maps unix:passwd.byname
 
-# INTERNET VERSUS INTRANET
-#
-# The relayhost parameter specifies the default host to send mail to
-# when no entry is matched in the optional transport(5) table. When
-# no relayhost is given, mail is routed directly to the destination.
-# 
-# On an intranet, specify the organizational domain name. If your
-# internal DNS uses no MX records, specify the name of the intranet
-# gateway host instead.
-#
-# Specify a domain, host, host:port, [address] or [address:port].
-# Use the form [destination] to turn off MX lookups. See also the
-# default_transport parameter if you're connected via UUCP.
-#
-#relayhost = $mydomain
-#relayhost = gateway.my.domain
-#relayhost = uucphost
-#relayhost = [mail.$mydomain:9999]
-
-# DEFAULT TRANSPORT
-#
-# The default_transport parameter specifies the default message
-# delivery transport to use when no transport is explicitly given in
-# the optional transport(5) table.
-#
-#default_transport = smtp
-#default_transport = uucp
-
 # ADDRESS REWRITING
 #
 # Insert text from sample-rewrite.cf if you need to do address
@@ -211,18 +179,6 @@ mail_owner = postfix
 #alias_database = hash:/etc/aliases
 #alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
 
-# DELIVERED-TO
-#
-# The prepend_delivered_header controls when Postfix should prepend
-# a Delivered-To: message header.
-#
-# By default, Postfix prepends a Delivered-To: header when forwarding
-# mail and when delivering to file (mailbox) or command.  Turning off
-# the Delivered-To: header when forwarding mail is not recommended.
-#
-# prepend_delivered_header = command, file, forward
-# prepend_delivered_header = forward
-
 # ADDRESS EXTENSIONS (e.g., user+foo)
 #
 # The recipient_delimiter parameter specifies the separator between
@@ -256,10 +212,6 @@ mail_owner = postfix
 # the recipient with proper HOME, SHELL and LOGNAME environment settings.
 # Exception:  delivery for root is done as $default_user.
 #
-# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE WITH, E.G., PROCMAIL,
-# YOU MUST SET UP AN ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL
-# USER.
-#
 # Other environment variables of interest: USER (recipient username),
 # EXTENSION (address extension), DOMAIN (domain part of address),
 # and LOCAL (the address localpart).
@@ -271,6 +223,9 @@ mail_owner = postfix
 # Avoid shell meta characters because they will force Postfix to run
 # an expensive shell process. Procmail alone is expensive enough.
 #
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
 #mailbox_command = /some/where/procmail
 #mailbox_command = /some/where/procmail -a "$EXTENSION"
 
@@ -317,14 +272,20 @@ mail_owner = postfix
 #header_checks = regexp:/etc/postfix/filename
 #header_checks = pcre:/etc/postfix/filename
 
-# The relay_domains parameter restricts what client hostname domains
-# (and subdomains thereof) this mail system will relay mail from,
-# and restricts what destination domains (and subdomains thereof)
-# this system will relay mail to.  See the smtpd_recipient_restrictions
-# restriction in the file sample-smtpd.cf.
+# The relay_domains parameter restricts what clients this mail system
+# will relay mail from, or what destinations this system will relay
+# mail to.  See the smtpd_recipient_restrictions restriction in the
+# file sample-smtpd.cf.
 #
-# By default, Postfix relays mail only from clients or to destinations
-# in or below $mydestination, or in the optional virtual domain list.
+# By default, Postfix relays mail from clients whose IP address
+# matches $mynetworks, and from clients or to destination domains
+# matching $relay_domains or subdomains thereof. The default
+# relay_domains value is $mydestination.
+# 
+# By default, the Postfix SMTP server accepts mail for domains listed
+# in $mydestination and in $virtual_maps, and for destinations that
+# resolve to a mail delivery transport listed in $local_transports.
+# These destinations do not need to be listed in $relay_domains.
 # 
 # Specify a list of hosts or domains, /file/name patterns or type:name
 # lookup tables, separated by commas and/or whitespace.  Continue
@@ -336,7 +297,7 @@ mail_owner = postfix
 # list this system as their primary or backup MX host. See the
 # permit_mx_backup restriction in the file sample-smtpd.cf.
 #
-#relay_domains = $mydestination, $virtual_maps
+#relay_domains = $mydestination
 
 # The mynetworks parameter specifies the list of networks that are
 # local to this machine.  The list is used by the anti-UCE software
diff --git a/postfix/conf/sample-local.cf b/postfix/conf/sample-local.cf
index cb783e6ac..3041f8214 100644
--- a/postfix/conf/sample-local.cf
+++ b/postfix/conf/sample-local.cf
@@ -100,10 +100,6 @@ home_mailbox =
 # command to use instead of mailbox delivery. The command is run
 # as the recipient with proper HOME, SHELL and LOGNAME environment settings.
 # Exception: delivery for root is done as $default_user.
-#
-# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE WITH, E.G., PROCMAIL,
-# YOU MUST SET UP AN ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL
-# USER.
 # 
 # Other environment variables of interest: USER (recipient username),
 # EXTENSION (address extension), DOMAIN (domain part of address),
@@ -116,6 +112,9 @@ home_mailbox =
 # Avoid shell meta characters because they will force Postfix to run
 # an expensive shell process. Procmail alone is expensive enough.
 #
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
 # mailbox_command = /some/where/procmail
 # mailbox_command = /some/where/procmail -a "$EXTENSION"
 mailbox_command = 
diff --git a/postfix/conf/sample-smtpd.cf b/postfix/conf/sample-smtpd.cf
index 1f5b13618..8a0613207 100644
--- a/postfix/conf/sample-smtpd.cf
+++ b/postfix/conf/sample-smtpd.cf
@@ -185,22 +185,30 @@ smtpd_sender_restrictions =
 # The smtpd_recipient_restrictions parameter specifies restrictions on
 # recipient addresses that SMTP clients can send in RCPT TO commands.
 # 
-# The default is to permit any destination from clients that match
-# $mynetworks, and to otherwise permit only mail from clients or to
-# destinations that match $relay_domains or a subdomain thereof.
+# By default, Postfix relays mail from clients whose IP address
+# matches $mynetworks, and from clients or to destination domains
+# matching $relay_domains or subdomains thereof. The default
+# relay_domains value is $mydestination.
 #
-# The following restrictions are available:
+# By default, the Postfix SMTP server accepts mail for domains listed
+# in $mydestination and in $virtual_maps, and for destinations that
+# resolve to a mail delivery transport listed in $local_transports.
+# These destinations do not need to be listed in $relay_domains.
+# 
+# The following restrictions are available (* is part of default setting):
 #
-#   permit_mynetworks: permit if the client address matches $mynetworks.
+#  *permit_mynetworks: permit if the client address matches $mynetworks.
 #   reject_unknown_client: reject the request if the client hostname is unknown.
 #   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
 #   reject_invalid_hostname: reject HELO hostname with bad syntax.
 #   reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
 #   reject_unknown_sender_domain: reject sender domain without A or MX record.
-#   check_relay_domains: permit only mail from clients/to domains matching 
-#	$relay_domains, or to the local machine.
-#   permit_auth_destination: permit mail to self or to $relay_domains.
-#   reject_unauth_destination: reject mail not to self or to $relay_domains.
+#  *check_relay_domains: permit only mail from clients/to domains matching 
+#	$relay_domains, or to $mydestination, $virtual_maps or $local_transports
+#   permit_auth_destination: permit mail to domains matching $relay_domains,
+#	or to $mydestination, $virtual_maps or $local_transports.
+#   reject_unauth_destination: reject mail not to $relay_domains or to 
+#	$mydestination, $virtual_maps or $local_transports.
 #   reject_unauth_pipelining: reject mail from improperly pipelining spamware
 #   permit_mx_backup: accept mail for sites that list me as MX host.
 #   reject_unknown_recipient_domain: reject domains without A or MX record.
@@ -246,9 +254,16 @@ maps_rbl_domains = rbl.maps.vix.com
 # and restricts what destination domains (and subdomains thereof)
 # this system will relay mail to.
 # 
-# By default, Postfix relays mail only from clients or to destinations
-# in or below $mydestination, or in the optional virtual domain list.
-# 
+# By default, Postfix relays mail from clients whose IP address
+# matches $mynetworks, and from clients or to destination domains
+# matching $relay_domains or subdomains thereof. The default
+# relay_domains value is $mydestination.
+#
+# By default, the Postfix SMTP server accepts mail for domains listed
+# in $mydestination and in $virtual_maps, and for destinations that
+# resolve to a mail delivery transport listed in $local_transports.
+# These destinations do not need to be listed in $relay_domains.
+#
 # Specify a list of hosts or domains, /file/name patterns or type:name
 # lookup tables, separated by commas and/or whitespace.  Continue
 # long lines by starting the next line with whitespace. A file name
@@ -260,7 +275,7 @@ maps_rbl_domains = rbl.maps.vix.com
 # permit_mx_backup restriction, in the description of the
 # smtpd_recipient_restrictions parameter.
 #
-relay_domains = $mydestination, $virtual_maps
+relay_domains = $mydestination
 
 #
 # RESPONSE CODES
diff --git a/postfix/conf/sample-transport.cf b/postfix/conf/sample-transport.cf
index ce582d294..0b6e94a7e 100644
--- a/postfix/conf/sample-transport.cf
+++ b/postfix/conf/sample-transport.cf
@@ -4,6 +4,14 @@
 # This file contains example settings of Postfix configuration
 # parameters that control the optional transport table lookups.
 
+# The local_transports parameter defines the name of the default
+# transport for local mail delivery, plus zero or more names of
+# additional transports that are known to deliver locally. By default,
+# the SMTP server's UCE restrictions permit mail for any destination
+# that resolves to a mail delivery transport in $local_transports.
+#
+local_transports = local,cyrus
+
 # The transport_maps parameter specifies optional tables with domain
 # to (transport, nexthop) mappings. See transport(5) for syntax details.
 #
@@ -16,11 +24,3 @@
 # transport_maps = hash:/etc/postfix/transport, nis:transport
 # transport_maps = hash:/etc/postfix/transport, netinfo:/transport
 transport_maps = 
-
-# The local_transports parameter defines the name of the default
-# transport for local mail delivery, plus zero or more names of
-# additional transports that are known to deliver locally. The SMTP
-# server's UCE restrictions use this list to decide if an address
-# would be forwarded or not.
-#
-local_transports = local
diff --git a/postfix/conf/sample-virtual.cf b/postfix/conf/sample-virtual.cf
index 3bebaab00..d660d6b79 100644
--- a/postfix/conf/sample-virtual.cf
+++ b/postfix/conf/sample-virtual.cf
@@ -13,7 +13,7 @@
 # If you use this feature, run "postmap /etc/postfix/virtual" to 
 # build the necessary DBM or DB file after change.
 #
-# It will take a minute or so before the change becomes visible.
+# It may take a minute or so before the change becomes visible.
 # Use "postfix reload" to eliminate the delay.
 #
 # virtual_maps = dbm:/etc/postfix/virtual
diff --git a/postfix/conf/virtual b/postfix/conf/virtual
index 8d8405af0..ef2e34934 100644
--- a/postfix/conf/virtual
+++ b/postfix/conf/virtual
@@ -31,10 +31,8 @@
 # .fi
 # .in -4
 #
-#	With this, the SMTP server accepts mail for \fIvirtual.domain\fR
-#	(provided that the \fBrelay_domains\fR parameter includes
-#	$\fBvirtual_maps\fR), and mail for \fIunknown\fR@\fIvirtual.domain\fR
-#	is bounced as undeliverable.
+#	With this, the SMTP server accepts mail for \fIvirtual.domain\fR and
+#	rejects mail for \fIunknown\fR@\fIvirtual.domain\fR as undeliverable.
 #
 #	The format of the virtual table is as follows, mappings being
 #	tried in the order as listed in this manual page:
diff --git a/postfix/global/mail_params.h b/postfix/global/mail_params.h
index 608843944..7b8efaa6c 100644
--- a/postfix/global/mail_params.h
+++ b/postfix/global/mail_params.h
@@ -84,7 +84,7 @@ extern char *var_mydomain;
   * Transports that deliver locally. Order matters.
   */
 #define VAR_LOCAL_TRANSP	"local_transports"
-#define DEF_LOCAL_TRANSP	"local"
+#define DEF_LOCAL_TRANSP	"local,cyrus"
 extern char *var_local_transports;
 
  /*
@@ -717,7 +717,7 @@ extern int var_trigger_timeout;
 extern char *var_mynetworks;
 
 #define VAR_RELAY_DOMAINS	"relay_domains"
-#define DEF_RELAY_DOMAINS	"$mydestination, $virtual_maps"
+#define DEF_RELAY_DOMAINS	"$mydestination"
 extern char *var_relay_domains;
 
 #define VAR_CLIENT_CHECKS	"smtpd_client_restrictions"
diff --git a/postfix/global/mail_version.h b/postfix/global/mail_version.h
index 3fdd077ec..2f1c01900 100644
--- a/postfix/global/mail_version.h
+++ b/postfix/global/mail_version.h
@@ -15,7 +15,7 @@
   * Version of this program.
   */
 #define VAR_MAIL_VERSION	"mail_version"
-#define DEF_MAIL_VERSION	"Snapshot-19991219"
+#define DEF_MAIL_VERSION	"Snapshot-19991220"
 extern char *var_mail_version;
 
 /* LICENSE
diff --git a/postfix/html/faq.html b/postfix/html/faq.html
index 24ac8b12c..631126b35 100644
--- a/postfix/html/faq.html
+++ b/postfix/html/faq.html
@@ -52,6 +52,8 @@
 
 <ul>
 
+<li><a href="#stand_alone">Stand-alone machine</a>
+
 <li><a href="#workstation_server">Workstations and servers</a>
 
 <li><a href="#null_client">Null clients</a>
@@ -110,7 +112,8 @@ virtual domains</a>
 
 <li><a href="#root">Root's mail is delivered to nobody</a>
 
-<li><a href="#local">Delivering some users locally while sending mail as user@domain</a>
+<li><a href="#some_local">Delivering some users locally while
+sending mail as user@domain</a>
 
 <li><a href="#maildir">Support for maildir-style mailboxes</a>
 
@@ -196,9 +199,19 @@ virtual domains</a>
 
 <hr>
 
+<a name="stand_alone"><h3>Stand-alone machine</h3>
+
+Out of the box, Postfix should work without change on a stand-alone
+machine that is has direct Internet access.  At least, that is how
+Postfix installs when you download the Postfix source code. If you
+are on a firewalled intranet, or if your machine is dial-up connected
+only a small part of the time, see the respective sections.
+
+<hr>
+
 <a name="workstation_server"><h3>Workstations and servers</h3>
 
-This section describes a workstation-sever environment. All systems
+This section describes a workstation-server environment. All systems
 send mail as user@domain. All systems receive mail for user@hostname.
 The server receives mail for user@domain, too.
 
@@ -268,7 +281,6 @@ domain.
 
 <pre>
     <b>/etc/postfix/main.cf</b>:
-	mydestination =
         myorigin = $mydomain
         relayhost = $mydomain
 
@@ -279,21 +291,9 @@ domain.
 
 <p>
 
-The mail server is the primary MX host for null clients (remember,
-null clients do not receive mail, so something needs to be done
-with mail for user@nullclient).
-
-<p>
-
-<pre>
-    <b>/etc/postfix/main.cf</b>:
-	myorigin = $mydomain
-        mydestination = $myhostname localhost.$mydomain $mydomain /etc/postfix/nullclients
-
-    <b>/etc/postfix/nullclients</b>:
-	hosta.my.domain
-	hostb.my.domain
-</pre>
+Since everything sends mail as user@domain, nothing sends mail as
+user@nullclient, and therefore no special configuration needs to
+be done on the mail server for mail addressed to user@nullclient.
 
 <hr>
 
@@ -307,8 +307,18 @@ to let that mail gateway take care of forwarding.
 
 <ul>
 
-<li>Forward <i>all</i> mail to an intranet mail gateway, unless
-the mail is to be delivered on the local machine:
+<li>Send mail as user@domain. This is optional but highly recommended
+because it allows users to change machines without hassle.
+
+<pre>
+    <b>/etc/postfix/main.cf</b>:
+        myorigin = $mydomain
+</pre>
+
+<p>
+
+<li>Forward <i>all</i> mail to an intranet mail gateway, except
+for mail for the local machine:
 
 <p>
 
@@ -364,8 +374,8 @@ href="transport.5.html">transport</a> table lookups.
     <b>/etc/postfix/transport</b>:
         my.domain               smtp:
         .my.domain              smtp:
-        thishost.my.domain      local:        <blink>important!</blink>
-        localhost.my.domain     local:        <blink>important!</blink>
+        thishost.my.domain      local:        <blink>!important!</blink>
+        localhost.my.domain     local:        <blink>!important!</blink>
 
     <b>/etc/postfix/main.cf</b>:
         transport_maps = hash:/etc/postfix/transport
@@ -373,8 +383,8 @@ href="transport.5.html">transport</a> table lookups.
 
 <p>
 
-Important: do not omit the entries that route local mail to the
-local delivery agent, or else mail your mail will go into a loop.
+Important: do not omit the entries that deliver mail locally, or
+else mail will bounce with a "mail loops to myself" condition.
 
 <p>
 
@@ -383,6 +393,11 @@ uses <b>dbm</b> files instead of <b>db</b>.
 
 <p>
 
+Execute the command <b>postmap /etc/postfix/transport</b> whenever
+you edit the transport table.
+
+<p>
+
 <li>Execute the command <b>postfix reload</b> to make the
 changes effective.
 
@@ -393,7 +408,8 @@ changes effective.
 <a name="firewall"><h3>Running Postfix on a firewall</h3> </a>
 
 Note: this text applies to Postfix versions dated 19991115
-and later only.
+and later only. To find out what Postfix version you have,
+execute the command <b>postconf mail_version</b>.
 
 <p>
 
@@ -421,8 +437,11 @@ route mail for <i>my.domain</i> to the inside machine:
     transport_maps = hash:/etc/postfix/transport
 
 <b>/etc/postfix/transport</b>:
-    my.domain   smtp:inside-gateway.my.domain
-    .my.domain  smtp:inside-gateway.my.domain
+    my.domain   smtp:inside-gateway.my.domain   (forwards user@domain)
+    .my.domain  smtp:inside-gateway.my.domain   (forwards user@firewall)
+
+<b>/etc/postfix/master.cf</b>:
+    Comment out the local delivery agent
 </pre>
 
 <p>
@@ -432,6 +451,11 @@ files instead of <b>db</b>.
 
 <p>
 
+<li>Execute the command <b>postmap /etc/postfix/transport</b>
+whenever you change the transport table.
+
+<p>
+
 <li>Execute the command <b>postfix reload</b> after a
 configuration change.
 
@@ -441,6 +465,18 @@ configuration change.
 
 <a name="dialup"><h3>Running Postfix on a dialup machine</h3></a>
 
+This section applies to dialup connections that are down most of
+the time. For dialup connections that are up 24x7, see the <a
+href="#workstation_server">workstations and servers</a> section
+instead. 
+
+<p>
+
+If you do not have your own hostname (as with dynamic IP addressing)
+and must send mail as user@your-isp.com, you should also study the
+the section on <a href="#some_local">delivering some users locally
+while sending mail as user@domain</a>.
+
 <ul>
 
 <li> Route all outgoing mail to your provider.
@@ -588,11 +624,12 @@ is probably more a matter of expectation and of what one is used to.
 
 <p>
 
-This can be "fixed" only by making Postfix slower.  Postfix would
-first have to expand all distribution lists before starting any
-delivery. By design, Postfix delivers mail to different destinations
-in parallel, and local delivery is no exception. This is why Postfix
-can be faster than sendmail.
+This can be "fixed" only by making Postfix slower.  In the above
+examples, Postfix would first have to completely expand all
+distribution lists before starting any delivery. By design, Postfix
+delivers mail to different destinations in parallel, and local
+delivery is no exception. This is why Postfix can be faster than
+sendmail.
 
 <hr>
 
@@ -601,14 +638,14 @@ distribution list</h3> </a>
 
 Some people will complain that Postfix sends mail to every member
 of a distribution list, including the poster.  By default, Sendmail
-deletes the poster from the distribution list. Sendmail sends mail
-to the poster only when the "metoo" flag is explicitly turned on.
+deletes the poster from distribution lists. Sendmail sends mail to
+the poster only when the "metoo" flag is explicitly turned on.
 
 <p>
 
 Wietse believes that Postfix implements the "right" behavior,
 and suspects that Sendmail's default behavior is a remnant from a
-dark past when Sendmail used a really crummy algorithm to avoid
+dark past when Sendmail used a pretty crummy algorithm to avoid
 aliasing loops.
 
 <hr>
@@ -902,7 +939,8 @@ To find out the location for your system, execute the command
 
 <hr>
 
-<a name="local"><h3>Delivering some users locally while sending mail as user@domain</h3></a>
+<a name="some_local"><h3>Delivering some users locally while sending
+mail as user@domain</h3></a>
 
 <ul>
 
@@ -1630,8 +1668,8 @@ changes effective.
 <a name="uucp-only"><h3>Using UUCP as the default transport</h3> </a>
 
 Here is how to relay all your mail over a UUCP link.  See the <a
-href="#uucp">Internet to UUCP</a> FAQ entry for setting up a machine
-that gateways between UUCP and SMTP.
+href="#internet-uucp">Internet to UUCP</a> FAQ entry for setting
+up a machine that gateways between UUCP and SMTP.
 
 <p>
 
@@ -1813,7 +1851,7 @@ One problem: older DB versions install a file
 <b>/usr/local/include/ndbm.h</b> that is incompatible with
 <b>/usr/include/ndbm.h</b>. Be sure to get rid of the bogus file.
 See the FAQ entry titled "<a href="#dbm_dirfno">Undefined symbols:
-dbm_pagfno, dbm_dirfno etc".
+dbm_pagfno, dbm_dirfno etc</a>".
 
 <hr>
 
diff --git a/postfix/html/qmgr.8.html b/postfix/html/qmgr.8.html
index 3769b015e..bcbc2623d 100644
--- a/postfix/html/qmgr.8.html
+++ b/postfix/html/qmgr.8.html
@@ -210,6 +210,10 @@ QMGR(8)                                                   QMGR(8)
        command after a configuration change.
 
 <b>Miscellaneous</b>
+       <b>allow</b><i>_</i><b>min</b><i>_</i><b>user</b>
+              Do  not  bounce recipient addresses that begin with
+              '-'.
+
        <b>relocated</b><i>_</i><b>maps</b>
               Tables with contact information for users, hosts or
               domains that no longer exist. See <a href="relocated.5.html"><b>relocated</b>(5)</a>.
@@ -224,24 +228,24 @@ QMGR(8)                                                   QMGR(8)
        <b>qmgr</b><i>_</i><b>message</b><i>_</i><b>recipient</b><i>_</i><b>limit</b>
               Limit the number of in-memory recipients.
 
-              This parameter also limits the size of  the  short-
+              This  parameter  also limits the size of the short-
               term, in-memory destination cache.
 
 <b>Timing</b> <b>controls</b>
        <b>min</b><i>_</i><b>backoff</b>
-              Minimal  time  in seconds between delivery attempts
+              Minimal time in seconds between  delivery  attempts
               of a deferred message.
 
-              This parameter also limits the time an  unreachable
-              destination  is  kept  in the short-term, in-memory
+              This  parameter also limits the time an unreachable
+              destination is kept in  the  short-term,  in-memory
               destination status cache.
 
        <b>max</b><i>_</i><b>backoff</b>
-              Maximal time in seconds between  delivery  attempts
+              Maximal  time  in seconds between delivery attempts
               of a deferred message.
 
        <b>maximal</b><i>_</i><b>queue</b><i>_</i><b>lifetime</b>
-              Maximal  time in days a message is queued before it
+              Maximal time in days a message is queued before  it
               is sent back as undeliverable.
 
        <b>queue</b><i>_</i><b>run</b><i>_</i><b>delay</b>
@@ -249,13 +253,9 @@ QMGR(8)                                                   QMGR(8)
               scans do not overlap.
 
        <b>transport</b><i>_</i><b>retry</b><i>_</i><b>time</b>
-              Time  in seconds between attempts to contact a bro-
+              Time in seconds between attempts to contact a  bro-
               ken delivery transport.
 
-<b>Concurrency</b> <b>controls</b>
-       In the text below, <i>transport</i> is the first field in a  <b>mas-</b>
-       <b>ter.cf</b> entry.
-
 
 
 
@@ -269,6 +269,26 @@ QMGR(8)                                                   QMGR(8)
 QMGR(8)                                                   QMGR(8)
 
 
+<b>Concurrency</b> <b>controls</b>
+       In  the text below, <i>transport</i> is the first field in a <b>mas-</b>
+       <b>ter.cf</b> entry.
+
+       <b>qmgr</b><i>_</i><b>fudge</b><i>_</i><b>factor</b> (valid range: 10..100)
+              The percentage of delivery resources  that  a  busy
+              mail  system  will  use  up for delivery of a large
+              mailing list message.  With 100%, delivery  of  one
+              message  does not begin before the previous message
+              has been delivered. This results  in  good  perfor-
+              mance  for large mailing lists, but results in poor
+              response time for one-to-one mail.  With less  than
+              100%,  response  time for one-to-one mail improves,
+              but large mailing list  delivery  performance  suf-
+              fers. In the worst case, recipients near the begin-
+              ning of a large list receive a  burst  of  messages
+              immediately,  while recipients near the end of that
+              list receive that same burst of  messages  a  whole
+              day later.
+
        <b>initial</b><i>_</i><b>destination</b><i>_</i><b>concurrency</b>
               Initial  per-destination concurrency level for par-
               allel delivery to the same destination.
@@ -303,6 +323,18 @@ QMGR(8)                                                   QMGR(8)
 
 <b>AUTHOR(S)</b>
        Wietse Venema
+
+
+
+                                                                5
+
+
+
+
+
+QMGR(8)                                                   QMGR(8)
+
+
        IBM T.J. Watson Research
        P.O. Box 704
        Yorktown Heights, NY 10598, USA
@@ -326,7 +358,41 @@ QMGR(8)                                                   QMGR(8)
 
 
 
-                                                                5
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                                                                6
 
 
 </pre> </body> </html>
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 8de52584e..d977b5b8f 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -109,22 +109,22 @@ SMTPD(8)                                                 SMTPD(8)
        <b>notify</b><i>_</i><b>classes</b>
               List of error classes. Of special interest are:
 
-              <b>policy</b> When  a  client  violates any policy, mail a
+       <b>local</b><i>_</i><b>recipient</b><i>_</i><b>maps</b>
+              List  of  maps  with  user  names that are local to
+              <b>$myorigin</b> or <b>$inet</b><i>_</i><b>interfaces</b>. If this parameter is
+              defined,  then  the  SMTP  server  rejects mail for
+              unknown local users.
+
+              <b>policy</b> When a client violates any  policy,  mail  a
                      transcript of the entire SMTP session to the
                      postmaster.
 
               <b>protocol</b>
-                     When  a client violates the SMTP protocol or
+                     When a client violates the SMTP protocol  or
                      issues  an  unimplemented  command,  mail  a
                      transcript of the entire SMTP session to the
                      postmaster.
 
-       <b>smtpd</b><i>_</i><b>banner</b>
-              Text that follows the <b>220</b> status code in  the  SMTP
-              greeting banner.
-
-       <b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>limit</b>
-              Restrict  the  number  of  recipients that the SMTP
 
 
 
@@ -137,15 +137,21 @@ SMTPD(8)                                                 SMTPD(8)
 SMTPD(8)                                                 SMTPD(8)
 
 
+       <b>smtpd</b><i>_</i><b>banner</b>
+              Text  that  follows the <b>220</b> status code in the SMTP
+              greeting banner.
+
+       <b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>limit</b>
+              Restrict the number of  recipients  that  the  SMTP
               server accepts per message delivery.
 
        <b>smtpd</b><i>_</i><b>timeout</b>
-              Limit the time to send a  server  response  and  to
+              Limit  the  time  to  send a server response and to
               receive a client request.
 
 <b>Resource</b> <b>controls</b>
        <b>line</b><i>_</i><b>length</b><i>_</i><b>limit</b>
-              Limit  the  amount  of memory in bytes used for the
+              Limit the amount of memory in bytes  used  for  the
               handling of partial input lines.
 
        <b>message</b><i>_</i><b>size</b><i>_</i><b>limit</b>
@@ -153,8 +159,8 @@ SMTPD(8)                                                 SMTPD(8)
               ing on-disk storage for envelope information.
 
        <b>queue</b><i>_</i><b>minfree</b>
-              Minimal  amount of free space in bytes in the queue
-              file system for the SMTP server to accept any  mail
+              Minimal amount of free space in bytes in the  queue
+              file  system for the SMTP server to accept any mail
               at all.
 
 <b>Tarpitting</b>
@@ -164,11 +170,11 @@ SMTPD(8)                                                 SMTPD(8)
 
        <b>smtpd</b><i>_</i><b>soft</b><i>_</i><b>error</b><i>_</i><b>limit</b>
               When an SMTP client has made this number of errors,
-              wait  <i>error_count</i>  seconds before responding to any
+              wait <i>error_count</i> seconds before responding  to  any
               client request.
 
        <b>smtpd</b><i>_</i><b>hard</b><i>_</i><b>error</b><i>_</i><b>limit</b>
-              Disconnect after a client has made this  number  of
+              Disconnect  after  a client has made this number of
               errors.
 
 <b>UCE</b> <b>control</b> <b>restrictions</b>
@@ -177,20 +183,14 @@ SMTPD(8)                                                 SMTPD(8)
               tem.
 
        <b>smtpd</b><i>_</i><b>helo</b><i>_</i><b>required</b>
-              Require that clients introduce  themselves  at  the
+              Require  that  clients  introduce themselves at the
               beginning of an SMTP session.
 
        <b>smtpd</b><i>_</i><b>helo</b><i>_</i><b>restrictions</b>
-              Restrict  what client hostnames are allowed in <b>HELO</b>
+              Restrict what client hostnames are allowed in  <b>HELO</b>
               and <b>EHLO</b> commands.
 
-       <b>smtpd</b><i>_</i><b>sender</b><i>_</i><b>restrictions</b>
-              Restrict what sender addresses are allowed in  <b>MAIL</b>
-              <b>FROM</b> commands.
 
-       <b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>restrictions</b>
-              Restrict  what  recipient  addresses are allowed in
-              <b>RCPT</b> <b>TO</b> commands.
 
 
 
@@ -203,60 +203,60 @@ SMTPD(8)                                                 SMTPD(8)
 SMTPD(8)                                                 SMTPD(8)
 
 
+       <b>smtpd</b><i>_</i><b>sender</b><i>_</i><b>restrictions</b>
+              Restrict  what sender addresses are allowed in <b>MAIL</b>
+              <b>FROM</b> commands.
+
+       <b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>restrictions</b>
+              Restrict what recipient addresses  are  allowed  in
+              <b>RCPT</b> <b>TO</b> commands.
+
        <b>smtpd</b><i>_</i><b>etrn</b><i>_</i><b>restrictions</b>
               Restrict what domain names can be used in <b>ETRN</b> com-
               mands, and what clients may issue <b>ETRN</b> commands.
 
        <b>restriction</b><i>_</i><b>classes</b>
-              Declares  the  name of zero or more parameters that
-              contain a list of UCE restrictions.  The  names  of
-              these  parameters  can  then be used instead of the
+              Declares the name of zero or more  parameters  that
+              contain  a  list  of UCE restrictions. The names of
+              these parameters can then be used  instead  of  the
               restriction lists that they represent.
 
        <b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b>
-              List of DNS domains that publish the  addresses  of
+              List  of  DNS domains that publish the addresses of
               blacklisted hosts.
 
        <b>relay</b><i>_</i><b>domains</b>
-              Restrict  what domains or networks this mail system
+              Restrict what domains or networks this mail  system
               will relay mail from or to.
 
 <b>UCE</b> <b>control</b> <b>responses</b>
        <b>access</b><i>_</i><b>map</b><i>_</i><b>reject</b><i>_</i><b>code</b>
-              Server response when a client  violates  an  access
+              Server  response  when  a client violates an access
               database restriction.
 
        <b>invalid</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
-              Server   response   when   a  client  violates  the
+              Server  response  when  a   client   violates   the
               <b>reject</b><i>_</i><b>invalid</b><i>_</i><b>hostname</b> restriction.
 
        <b>maps</b><i>_</i><b>rbl</b><i>_</i><b>reject</b><i>_</i><b>code</b>
-              Server  response  when  a   client   violates   the
+              Server   response   when   a  client  violates  the
               <b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b> restriction.
 
        <b>reject</b><i>_</i><b>code</b>
-              Response  code  when  the  client  matches a <b>reject</b>
+              Response code when  the  client  matches  a  <b>reject</b>
               restriction.
 
        <b>relay</b><i>_</i><b>domains</b><i>_</i><b>reject</b><i>_</i><b>code</b>
-              Server response when a client attempts  to  violate
+              Server  response  when a client attempts to violate
               the mail relay policy.
 
        <b>unknown</b><i>_</i><b>address</b><i>_</i><b>reject</b><i>_</i><b>code</b>
-              Server   response   when   a  client  violates  the
+              Server  response  when  a   client   violates   the
               <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>address</b> restriction.
 
        <b>unknown</b><i>_</i><b>client</b><i>_</i><b>reject</b><i>_</i><b>code</b>
-              Server response when a client  without  address  to
-              name  mapping  violates  the <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>clients</b>
-              restriction.
-
-       <b>unknown</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
-              Server  response  when  a   client   violates   the
-              <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>hostname</b> restriction.
-
-<b>SEE</b> <b>ALSO</b>
-       <a href="cleanup.8.html">cleanup(8)</a> message canonicalization
+              Server  response  when  a client without address to
+              name mapping  violates  the  <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>clients</b>
 
 
 
@@ -269,11 +269,19 @@ SMTPD(8)                                                 SMTPD(8)
 SMTPD(8)                                                 SMTPD(8)
 
 
+              restriction.
+
+       <b>unknown</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
+              Server   response   when   a  client  violates  the
+              <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>hostname</b> restriction.
+
+<b>SEE</b> <b>ALSO</b>
+       <a href="cleanup.8.html">cleanup(8)</a> message canonicalization
        <a href="master.8.html">master(8)</a> process manager
        syslogd(8) system logging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
@@ -309,14 +317,6 @@ SMTPD(8)                                                 SMTPD(8)
 
 
 
-
-
-
-
-
-
-
-
 
 
 
diff --git a/postfix/html/uce.html b/postfix/html/uce.html
index 4f983e8e9..0094a4fca 100644
--- a/postfix/html/uce.html
+++ b/postfix/html/uce.html
@@ -26,9 +26,9 @@ unsolicited commercial email (UCE).
 <p>
 
 By default, the Postfix <a href="smtpd.8.html">SMTP server</a> will
-accept mail only from or to the local network or domain, so that
-your system can't be used as a mail relay to forward bulk mail from
-random strangers.
+accept mail only from or to the local network or domain, or to
+domains that are hosted by Postfix, so that your system can't be
+used as a mail relay to forward bulk mail from random strangers.
 
 <p>
 
@@ -48,7 +48,7 @@ command.
 
 <p>
 
-<li> <a href="#smtpd_client_restrictions">Client name/address
+<li> <a href="#smtpd_client_restrictions">Client hostname/address
 restrictions</a>
 
 <p>
@@ -62,6 +62,11 @@ restrictions</a>
 
 <p>
 
+<li> <a href="#strict_rfc821_envelopes">Require strict RFC 821-style
+envelope addresses </a>
+
+<p>
+
 <li> <a href="#smtpd_sender_restrictions">Sender address restrictions
 </a>
 
@@ -108,15 +113,16 @@ matches a table, a REJECT result means reject the message.
 
 <p>
 
-<i>A rule ending in OK affects only the header being matched. The
-next header may still result in a REJECT match, causing the mail
-still to be rejected.</i>
+<i>At present, specifying a header pattern with OK serves no useful
+purpose. A rule ending in OK affects only the header being matched.
+The next header may still result in a REJECT match, causing the
+mail still to be rejected.</i>
 
 </dl>
 
 <p>
 
-<dt>Examples:
+<dt>Examples (main.cf):
 
 <dd> <b>header_checks = regexp:/etc/postfix/header_checks</b>
 
@@ -124,9 +130,15 @@ still to be rejected.</i>
 
 <p>
 
+<dt>Example (header_checks):
+
+<dd> /^to: *friend@public\.com$/ REJECT
+
+<p>
+
 <a name="smtpd_client_restrictions">
 
-<h2> Client name/address restrictions</h2>
+<h2> Client hostname/address restrictions</h2>
 
 The <b>smtpd_client_restrictions</b> parameter restricts what
 clients this system accepts SMTP connections from.
@@ -168,7 +180,7 @@ reject_unknown_client</b>
 <a name="reject_unknown_client">
 
 <dt> <b>reject_unknown_client</b> <dd> Reject the request when the
-client address to name lookup failed.  The
+client IP address has no PTR record in the DNS.  The
 <b>unknown_client_reject_code</b> parameter specifies the response
 code to rejected requests (default:  <b>450</b>).
 
@@ -177,7 +189,7 @@ code to rejected requests (default:  <b>450</b>).
 <a name="permit_mynetworks">
 
 <dt> <b>permit_mynetworks</b> <dd> Permit the request when the
-client address matches any network listed in <a
+client IP address matches any network listed in <a
 href="basic.html#mynetworks"> $mynetworks</a>.
 
 <p>
@@ -187,8 +199,8 @@ href="basic.html#mynetworks"> $mynetworks</a>.
 <dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i>
 
 <dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
-href="access.5.html">access database</a> for the client name, parent
-domains, client address, or networks obtained by stripping least
+href="access.5.html">access database</a> for the client hostname, parent
+domains, client IP address, or networks obtained by stripping least
 significant octets.  Reject the request if the result is <b>REJECT</b>
 or "[<b>45</b>]<i>XX text</i>". Permit the request if the result
 is <b>OK</b> or <b>RELAY</b> or all-numerical. Otherwise, treat the
@@ -225,7 +237,7 @@ rejected requests (default: <b>554</b>).
 <h2> Require HELO (EHLO) command</h2>
 
 The <b>smtpd_helo_required</b> parameter determines if clients must
-send a <b>HELO</b> (<b>EHLO</b>) command at the beginning of an
+send a <b>HELO</b> (or <b>EHLO</b>) command at the beginning of an
 SMTP session.  Requiring this will stop some UCE software.
 
 <p>
@@ -264,7 +276,7 @@ UCE software can be stopped by being strict here.
 <dt>Default:
 
 <dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
-accepts any hostname.
+accepts any garbage in the <b>HELO</b> (<b>EHLO</b>) command.
 
 <p>
 
@@ -297,7 +309,7 @@ on the client hostname or network address.
 <a name="reject_invalid_hostname">
 
 <dt> <b>reject_invalid_hostname</b> <dd> Reject the request when
-the client HELO and EHLO command has a bad hostname syntax. The
+the client HELO or EHLO parameter has a bad hostname syntax. The
 <b>invalid_hostname_reject_code</b> specifies the response code to
 rejected requests (default:  501).
 
@@ -326,8 +338,9 @@ response code to rejected requests (default:  <b>450</b>).
 
 <dt> <b>reject_non_fqdn_hostname</b> <dd> Reject the request when
 the hostname in the client HELO (EHLO) command is not in fully-qualified
-domain form. The <b>non_fqdn_reject_code</b> specifies the
-response code to rejected requests (default:  <b>504</b>).
+domain form, as required by the RFC. The <b>non_fqdn_reject_code</b>
+specifies the response code to rejected requests (default:
+<b>504</b>).
 
 <p>
 
@@ -354,7 +367,7 @@ the response code for <b>REJECT</b> results (default:  <b>554</b>).
 
 <dt> <b><a href="#check_client_access">check_client_access</a></b> <i>maptype</i>:<i>mapname</i>
 
-<dd> See client name/address restrictions.
+<dd> See client hostname/address restrictions.
 
 <p>
 
@@ -370,6 +383,34 @@ the response code for <b>REJECT</b> results (default:  <b>554</b>).
 
 </dl>
 
+<a name="strict_rfc821_envelopes">
+
+<h2> Require strict RFC 821-style envelope addresses </h2>
+
+The <b>strict_rfc821_envelopes</b> parameter controls how tolerant
+Postfix is with respect to addresses given in MAIL FROM or RCPT TO
+commands. Being strict to the RFC not only stops unwanted mail,
+but also blocks legitimate mail from poorly-written mail applications.
+
+<p>
+
+<dl>
+
+<dt> Default:
+
+<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
+accepts any address form that it can make sense of, including forms
+that contain RFC 822-style comments, or addresses not enclosed in
+&lt;&gt;.
+
+<p>
+
+<dt> Example:
+
+<dd><b>strict_rfc821_envelopes = yes</b>
+
+</dl>
+
 <a name="smtpd_sender_restrictions">
 
 <h2> Sender address restrictions</h2>
@@ -469,7 +510,7 @@ response code to rejected requests (default:  <b>504</b>).
 
 <dt> <b><a href="#check_client_access">check_client_access</a></b> <i>maptype</i>:<i>mapname</i>
 
-<dd> See client name/address restrictions.
+<dd> See client hostname/address restrictions.
 
 <p>
 
@@ -497,10 +538,20 @@ recipient addresses this system accepts in RCPT TO commands.
 <dt>Default:
 
 <dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
-forwards mail from any client that matches <a
-href="basic.html#mynetworks">$mynetworks</a> or <a
-href="#relay_domains">$relay_domains</a>, or to any destination
-that matches <a href="#relay_domains"> $relay_domains</a>.
+relays mail from any client whose IP address matches <a
+href="basic.html#mynetworks">$mynetworks</a> or whose hostname
+matches <a href="#relay_domains">$relay_domains</a> or a subdomain
+thereof, and relays mail to any destination that matches <a
+href="#relay_domains"> $relay_domains</a> or a subdomain thereof.
+
+<p>
+
+In addition, the Postfix <a href="smtpd.8.html">SMTP server</a> by
+default accepts mail for which Postfix is the final destination:
+anything that matches <a href="basic.html#mydomain">$mydomain</a>,
+<a href="basic.html#mynetworks">$mynetworks</a> or <a
+href="virtual.5.html">$virtual_maps</a>, or anything that resolves
+to a mail delivery transport whose name is listed in $local_transports.
 
 <p>
 
@@ -536,12 +587,16 @@ reject_unauth_destination</b>
 <a name="check_relay_domains">
 
 <dt> <b>check_relay_domains</b> <dd> Permit the request when the
-client hostname matches <a href="#relay_domains">$relay_domains</a>,
-or when the resolved destination address matches <a
-href="basic.html#mydestination">$mydestination</a>, the machine IP
-addresses, or <a href="#relay_domains"> $relay_domains</a>, otherwise
-reject the request.  The <b>relay_domains_reject_code</b> parameter
-specifies the response code for rejected requests (default:
+client hostname matches <a href="#relay_domains">$relay_domains</a>
+or a subdomain thereof, or when the resolved destination address
+matches <a href="#relay_domains">$relay_domains</a> or a subdomain
+thereof, or when Postfix is the final destination:  anything that
+matches <a href="basic.html#mydomain">$mydomain</a>, <a
+href="basic.html#mynetworks">$mynetworks</a> or <a
+href="virtual.5.html">$virtual_maps</a>, or anything that resolves
+to a mail delivery transport whose name is listed in $local_transports.
+Otherwise reject the request.  The <b>relay_domains_reject_code</b>
+parameter specifies the response code for rejected requests (default:
 <b>554</b>).
 
 <p>
@@ -550,8 +605,12 @@ specifies the response code for rejected requests (default:
 
 <dt> <b>permit_auth_destination</b> <dd> Ignore the client hostname.
 Permit the request when the resolved destination address matches
-<a href="basic.html#mydestination">$mydestination</a>, the
-machine IP addresses, or <a href="#relay_domains"> $relay_domains</a>.
+<a href="#relay_domains"> $relay_domains</a> or a subdomain thereof,
+or when Postfix is the final destination:  anything that matches
+<a href="basic.html#mydomain">$mydomain</a>, <a
+href="basic.html#mynetworks">$mynetworks</a> or <a
+href="virtual.5.html">$virtual_maps</a>, or anything that resolves
+to a mail delivery transport whose name is listed in $local_transports.
 
 <p>
 
@@ -559,8 +618,13 @@ machine IP addresses, or <a href="#relay_domains"> $relay_domains</a>.
 
 <dt> <b>reject_unauth_destination</b> <dd> Ignore the client
 hostname.  Reject the request when the resolved destination address
-does not match <a href="basic.html#mydestination">$mydestination</a>,
-the machine IP addresses, or <a href="#relay_domains"> $relay_domains</a>.
+does not match <a href="#relay_domains"> $relay_domains</a> or a
+subdomain thereof, and when Postfix is not the final destination.
+Postfix is final destination for anything that matches <a
+href="basic.html#mydomain">$mydomain</a>, <a
+href="basic.html#mynetworks">$mynetworks</a> or <a
+href="virtual.5.html">$virtual_maps</a>, or anything that resolves
+to a mail delivery transport whose name is listed in $local_transports.
 The <b>relay_domains_reject_code</b> parameter specifies the response
 code for rejected requests (default:  <b>554</b>).
 
@@ -651,7 +715,7 @@ useful results with the <a href="aliases.5.html">aliases</a> and
 
 <dt> <b><a href="#check_client_access">check_client_access</a></b> <i>maptype</i>:<i>mapname</i>
 
-<dd> See client name/address restrictions.
+<dd> See client hostname/address restrictions.
 
 <p>
 
@@ -744,7 +808,7 @@ the result code for rejected requests (default: <b>554</b>).
 
 <dt> <b><a href="#check_client_access">check_client_access</a></b> <i>maptype</i>:<i>mapname</i>
 
-<dd> See client name/address restrictions.
+<dd> See client hostname/address restrictions.
 
 <p>
 
@@ -818,7 +882,7 @@ to speed up deliveries.
 
 <dd>This parameter controls the behavior of the <a
 href="#reject_maps_rbl">reject_maps_rbl</a> restriction that can
-appear as part of a client name/address restriction list.
+appear as part of a client hostname/address restriction list.
 
 <p>
 
@@ -836,7 +900,7 @@ Note: RBL lookups are disabled by default.
 
 <dt>Syntax:
 
-<dd> Zero or more DNS domains that blacklist client addresses.  A
+<dd> Zero or more DNS domains that blacklist client IP addresses.  A
 host is blacklisted when its reversed IP address is listed as a
 subdomain under any of the domains listed in <b>$maps_rbl_domains.</b>
 
diff --git a/postfix/html/virtual.5.html b/postfix/html/virtual.5.html
index 5e8de75f7..91f57e9b7 100644
--- a/postfix/html/virtual.5.html
+++ b/postfix/html/virtual.5.html
@@ -37,28 +37,28 @@ VIRTUAL(5)                                             VIRTUAL(5)
            <i>user2@virtual.domain</i> <i>address2,</i> <i>address3</i>
 
        With this, the SMTP server accepts mail for <i>virtual.domain</i>
-       (provided that the <b>relay</b><i>_</i><b>domains</b> parameter includes  $<b>vir-</b>
-       <b>tual</b><i>_</i><b>maps</b>), and mail for <i>unknown</i>@<i>virtual.domain</i> is bounced
-       as undeliverable.
+       and rejects mail for <i>unknown</i>@<i>virtual.domain</i> as  undeliver-
+       able.
 
-       The format of the virtual table is  as  follows,  mappings
+       The  format  of  the virtual table is as follows, mappings
        being tried in the order as listed in this manual page:
 
        blanks and comments
-              Blank  lines  are  ignored,  as are lines beginning
+              Blank lines are ignored,  as  are  lines  beginning
               with `#'.
 
        <i>user</i>@<i>domain</i> <i>address,</i> <i>address,</i> <i>...</i>
-              Mail for  <i>user</i>@<i>domain</i>  is  redirected  to  <i>address</i>.
+              Mail  for  <i>user</i>@<i>domain</i>  is  redirected  to <i>address</i>.
               This form has the highest precedence.
 
        <i>user</i> <i>address,</i> <i>address,</i> <i>...</i>
-              Mail  for  <i>user</i>@<i>site</i>  is redirected to <i>address</i> when
-              <i>site</i> is equal to $<b>myorigin</b>, when <i>site</i> is listed  in
+              Mail for <i>user</i>@<i>site</i> is redirected  to  <i>address</i>  when
+              <i>site</i>  is equal to $<b>myorigin</b>, when <i>site</i> is listed in
               $mydestination,   or   when   it   is   listed   in
               $<i>inet_interfaces</i>.
 
-              This functionality overlaps with  functionality  of
+              This  functionality  overlaps with functionality of
+              the local <i>alias</i>(5) database. The difference is that
 
 
 
@@ -71,33 +71,32 @@ VIRTUAL(5)                                             VIRTUAL(5)
 VIRTUAL(5)                                             VIRTUAL(5)
 
 
-              the local <i>alias</i>(5) database. The difference is that
-              <b>virtual</b>  mapping  can  be  applied   to   non-local
+              <b>virtual</b>   mapping   can  be  applied  to  non-local
               addresses.
 
        @<i>domain</i> <i>address,</i> <i>address,</i> <i>...</i>
-              Mail  for  any  user  in  <i>domain</i>  is  redirected to
+              Mail for  any  user  in  <i>domain</i>  is  redirected  to
               <i>address</i>.  This form has the lowest precedence.
 
-       In all the above forms, when <i>address</i> has the form  @<i>other-</i>
-       <i>domain</i>,  the result is the same user in <i>otherdomain</i>.  This
+       In  all the above forms, when <i>address</i> has the form @<i>other-</i>
+       <i>domain</i>, the result is the same user in <i>otherdomain</i>.   This
        works for the first address in the expansion only.
 
 <b>ADDRESS</b> <b>EXTENSION</b>
-       When the search fails, and the address localpart  contains
-       the  optional recipient delimiter (e.g., <i>user+foo</i>@<i>domain</i>),
-       the search is repeated for the  unextended  address  (e.g.
+       When  the search fails, and the address localpart contains
+       the optional recipient delimiter (e.g.,  <i>user+foo</i>@<i>domain</i>),
+       the  search  is  repeated for the unextended address (e.g.
        <i>user</i>@<i>domain</i>), and the unmatched address extension is prop-
-       agated to the result of expansion. The matching order  is:
+       agated  to the result of expansion. The matching order is:
        <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>user+foo</i>, <i>user</i>, and @<i>domain</i>.
 
 <b>BUGS</b>
-       The table format does not understand quoting  conventions.
+       The  table format does not understand quoting conventions.
 
 <b>CONFIGURATION</b> <b>PARAMETERS</b>
-       The  following  <b>main.cf</b> parameters are especially relevant
-       to this topic. See the Postfix  <b>main.cf</b>  file  for  syntax
-       details  and  for  default  values. Use the <b>postfix</b> <b>reload</b>
+       The following <b>main.cf</b> parameters are  especially  relevant
+       to  this  topic.  See  the Postfix <b>main.cf</b> file for syntax
+       details and for default values.  Use  the  <b>postfix</b>  <b>reload</b>
        command after a configuration change.
 
        <b>virtual</b><i>_</i><b>maps</b>
@@ -106,11 +105,11 @@ VIRTUAL(5)                                             VIRTUAL(5)
        Other parameters of interest:
 
        <b>inet</b><i>_</i><b>interfaces</b>
-              The network interface addresses  that  this  system
+              The  network  interface  addresses that this system
               receives mail on.
 
        <b>mydestination</b>
-              List  of  domains  that  this mail system considers
+              List of domains that  this  mail  system  considers
               local.
 
        <b>myorigin</b>
@@ -124,7 +123,8 @@ VIRTUAL(5)                                             VIRTUAL(5)
        <a href="cleanup.8.html">cleanup(8)</a> canonicalize and enqueue mail
        <a href="postmap.1.html">postmap(1)</a> create mapping table
 
-
+<b>LICENSE</b>
+       The  Secure  Mailer  license must be distributed with this
 
 
 
@@ -137,8 +137,6 @@ VIRTUAL(5)                                             VIRTUAL(5)
 VIRTUAL(5)                                             VIRTUAL(5)
 
 
-<b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
@@ -191,6 +189,8 @@ VIRTUAL(5)                                             VIRTUAL(5)
 
 
 
+
+
 
 
 
diff --git a/postfix/man/man5/virtual.5 b/postfix/man/man5/virtual.5
index b9ee2157f..48f0e72d8 100644
--- a/postfix/man/man5/virtual.5
+++ b/postfix/man/man5/virtual.5
@@ -37,10 +37,8 @@ Typical support for a virtual domain looks like the following:
 .fi
 .in -4
 
-With this, the SMTP server accepts mail for \fIvirtual.domain\fR
-(provided that the \fBrelay_domains\fR parameter includes
-$\fBvirtual_maps\fR), and mail for \fIunknown\fR@\fIvirtual.domain\fR
-is bounced as undeliverable.
+With this, the SMTP server accepts mail for \fIvirtual.domain\fR and
+rejects mail for \fIunknown\fR@\fIvirtual.domain\fR as undeliverable.
 
 The format of the virtual table is as follows, mappings being
 tried in the order as listed in this manual page:
diff --git a/postfix/man/man8/qmgr.8 b/postfix/man/man8/qmgr.8
index 4e799bd4a..444970acb 100644
--- a/postfix/man/man8/qmgr.8
+++ b/postfix/man/man8/qmgr.8
@@ -169,6 +169,8 @@ a configuration change.
 .SH Miscellaneous
 .ad
 .fi
+.IP \fBallow_min_user\fR
+Do not bounce recipient addresses that begin with '-'.
 .IP \fBrelocated_maps\fR
 Tables with contact information for users, hosts or domains
 that no longer exist. See \fBrelocated\fR(5).
@@ -210,6 +212,17 @@ delivery transport.
 .fi
 In the text below, \fItransport\fR is the first field in a
 \fBmaster.cf\fR entry.
+.IP "\fBqmgr_fudge_factor\fR (valid range: 10..100)"
+The percentage of delivery resources that a busy mail system will
+use up for delivery of a large mailing list message.
+With 100%, delivery of one message does not begin before the previous
+message has been delivered. This results in good performance for large
+mailing lists, but results in poor response time for one-to-one mail.
+With less than 100%, response time for one-to-one mail improves,
+but large mailing list delivery performance suffers. In the worst
+case, recipients near the beginning of a large list receive a burst
+of messages immediately, while recipients near the end of that list
+receive that same burst of messages a whole day later.
 .IP \fBinitial_destination_concurrency\fR
 Initial per-destination concurrency level for parallel delivery
 to the same destination.
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index 6396131a1..9067b806a 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -95,6 +95,10 @@ Recipient of protocol/policy/resource/software error notices.
 Limit the number of \fBReceived:\fR message headers.
 .IP \fBnotify_classes\fR
 List of error classes. Of special interest are:
+.IP \fBlocal_recipient_maps\fR
+List of maps with user names that are local to \fB$myorigin\fR
+or \fB$inet_interfaces\fR. If this parameter is defined,
+then the SMTP server rejects mail for unknown local users.
 .RS
 .IP \fBpolicy\fR
 When a client violates any policy, mail a transcript of the
diff --git a/postfix/smtpd/smtpd_check.c b/postfix/smtpd/smtpd_check.c
index e1c275ba0..4c14c2632 100644
--- a/postfix/smtpd/smtpd_check.c
+++ b/postfix/smtpd/smtpd_check.c
@@ -121,15 +121,21 @@
 /* .IP check_relay_domains
 /*	Allow the request when either the client hostname or the resolved
 /*	recipient domain matches the \fIrelay_domains\fR configuration
-/*	parameter.  Reject the request otherwise.
+/*	parameter or a subdomain therereof, or when the destination somehow
+/*	resolves locally (see $mydestination, $virtual_maps or
+/*	$local_transports).  Reject the request otherwise.
 /*	The \fIrelay_domains_reject_code\fR configuration parameter specifies
 /*	the reject status code (default: 554).
 /* .IP permit_auth_destination
-/*	Permit the request when the resolved recipient domain matches
-/*	the local machine or the \fIrelay_domains\fR configuration parameter.
+/*	Permit the request when the resolved recipient domain matches the
+/*	\fIrelay_domains\fR configuration parameter or a subdomain therereof,
+/*	or when the destination somehow resolves locally (see $mydestination,
+/*	$virtual_maps or $local_transports).
 /* .IP reject_unauth_destination
 /*	Reject the request when the resolved recipient domain does not match
-/*	the local machine or the \fIrelay_domains\fR configuration parameter.
+/*	the \fIrelay_domains\fR configuration parameter or a subdomain
+/*	therereof, and when the destination does not somehow resolve locally
+/*	(see $mydestination, $virtual_maps or $local_transports).
 /*	Same error code as check_relay_domains.
 /* .IP reject_unauth_pipelining
 /*	Reject the request when the client has already sent the next request
@@ -721,13 +727,17 @@ static int check_relay_domains(SMTPD_STATE *state, char *recipient,
     resolve_clnt_query(STR(query), &reply);
 
     /*
-     * Permit if destination is local. XXX This must be generalized for
-     * per-domain user tables and for non-UNIX local delivery agents.
+     * Permit if destination is local. That is, the destination matches
+     * mydestination or virtual_maps, or it resolves to any transport that
+     * delivers locally.
      */
     if (match_any_local_transport(STR(reply.transport))
 	|| (domain = strrchr(STR(reply.recipient), '@')) == 0)
 	return (SMTPD_CHECK_OK);
     domain += 1;
+    if (resolve_local(domain)
+	|| (*var_virtual_maps && maps_find(virtual_maps, domain, 0)))
+	return (SMTPD_CHECK_OK);
 
     /*
      * Permit if the destination matches the relay_domains list.
@@ -760,13 +770,17 @@ static int permit_auth_destination(char *recipient)
     resolve_clnt_query(STR(query), &reply);
 
     /*
-     * Permit if destination is local. XXX This must be generalized for
-     * per-domain user tables and for non-UNIX local delivery agents.
+     * Permit if destination is local. That is, the destination matches
+     * mydestination or virtual_maps, or it resolves to any transport that
+     * delivers locally.
      */
     if (match_any_local_transport(STR(reply.transport))
 	|| (domain = strrchr(STR(reply.recipient), '@')) == 0)
 	return (SMTPD_CHECK_OK);
     domain += 1;
+    if (resolve_local(domain)
+	|| (*var_virtual_maps && maps_find(virtual_maps, domain, 0)))
+	return (SMTPD_CHECK_OK);
 
     /*
      * Permit if the destination matches the relay_domains list.
@@ -797,13 +811,17 @@ static int reject_unauth_destination(SMTPD_STATE *state, char *recipient)
     resolve_clnt_query(STR(query), &reply);
 
     /*
-     * Pass if destination is local. XXX This must be generalized for
-     * per-domain user tables and for non-UNIX local delivery agents.
+     * Permit if destination is local. That is, the destination matches
+     * mydestination or virtual_maps, or it resolves to any transport that
+     * delivers locally.
      */
     if (match_any_local_transport(STR(reply.transport))
 	|| (domain = strrchr(STR(reply.recipient), '@')) == 0)
 	return (SMTPD_CHECK_DUNNO);
     domain += 1;
+    if (resolve_local(domain)
+	|| (*var_virtual_maps && maps_find(virtual_maps, domain, 0)))
+	return (SMTPD_CHECK_DUNNO);
 
     /*
      * Pass if the destination matches the relay_domains list.
@@ -907,7 +925,8 @@ static int permit_mx_backup(SMTPD_STATE *unused_state, const char *recipient)
 	|| (domain = strrchr(STR(reply.recipient), '@')) == 0)
 	return (SMTPD_CHECK_OK);
     domain += 1;
-    if (resolve_local(domain))
+    if (resolve_local(domain)
+	|| (*var_virtual_maps && maps_find(virtual_maps, domain, 0)))
 	return (SMTPD_CHECK_OK);
 
     if (msg_verbose)
@@ -1041,6 +1060,9 @@ static int reject_unknown_address(SMTPD_STATE *state, char *addr,
 	|| (domain = strrchr(STR(reply.recipient), '@')) == 0)
 	return (SMTPD_CHECK_DUNNO);
     domain += 1;
+    if (resolve_local(domain)
+	|| (*var_virtual_maps && maps_find(virtual_maps, domain, 0)))
+	return (SMTPD_CHECK_DUNNO);
     if (domain[0] == '#')
 	return (SMTPD_CHECK_DUNNO);
     if (domain[0] == '[' && domain[strlen(domain) - 1] == ']')