postfix-2.5-20070328

2025-09-02 15:15:24 +00:00 · 2007-03-28 00:00:00 -05:00
parent 63e0d1546b
commit a1a5c3cc6e
87 changed files with 1741 additions and 1634 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -13386,8 +13386,22 @@ Apologies for any names omitted.
 	Currently, nothing in Postfix uses this functionality.
 	File: global/dict_proxy.c.
 20070325
 	Bugfix: postfix-install didn't work for symlink or hardlink
 	targets, when the parent directory had a value of "no".
 20070326
 	Workaround: Eric Raymond's man page formatters don't handle
 	low-level *roff .in or .ti controls. We now use .nf and .fi
 	instead. Files: many.
 Wish list:
 	Remove defer(8) and trace(8) references and man pages. These
 	are services not program names.
 	Bind all deliveries to the same local delivery process,
 	making Postfix perform as poorly as monolithic mailers,
 	but giving a possibility to eliminate duplicate deliveries.
@@ -13398,16 +13412,9 @@ Wish list:
 	Need scache size limit.
 	Don't transform bare username into user@localdomain.localdomain
 	when no domain is specified via main.cf or via the machine
 	hostname.
 	Update BACKSCATTER_README to use PCRE because that's what I
 	am using now.
 	Update MILTER_README with Martinec info.
 	http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
 	Make postcat header/body aware so people can grep headers.
 	Make postmap header/body aware so people can test multi-line
@@ -13490,8 +13497,6 @@ Wish list:
 	playing with the soft_error test in the smtp_trouble.c
 	module, and avoiding delivery to backup MX hosts.
 	select -> kqueue, epoll, /dev/poll, poll() ...
 	In the SMTP server, set a "pipelining detected" flag at the
 	start of a session and at protocol synchronization points,
 	so that reject_unauth_pipelining can be specified in any
@@ -13512,9 +13517,6 @@ Wish list:
 	Privacy: remove local command/pathname details from remote
 	delivery status reports, and log them via local msg_warn().
 	Remove defer(8) and trace(8) references and man pages. These
 	are services not program names.
 	Is it safe to cache a connection after it has been used for
 	more than some number of address verification probes?
--- a/postfix/README_FILES/BACKSCATTER_README
+++ b/postfix/README_FILES/BACKSCATTER_README
@@ -4,7 +4,11 @@ PPoossttffiixx BBaacckkssccaatttteerr HHoowwttoo
 OOvveerrvviieeww
-This document describes features that require Postfix version 2.0 or later.
+This document describes features that require Postfix version 2.0 or later. The
 examples use Perl Compatible Regular Expressions (Postfix pcre: tables), but
 also provide a translation to POSIX regular expressions (Postfix regexp:
 tables). PCRE is preferred primarily because the implementation is often
 faster.
 Topics covered in this document:
@@ -97,8 +101,8 @@ To block such backscatter I use header_checks and body_checks patterns like
 this:
    /etc/postfix/main.cf:
-        header_checks = regexp:/etc/postfix/header_checks
+        header_checks = pcre:/etc/postfix/header_checks
-        body_checks = regexp:/etc/postfix/body_checks
+        body_checks = pcre:/etc/postfix/body_checks
    /etc/postfix/header_checks:
        if /^Received:/
@@ -107,7 +111,7 @@ this:
        /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)
    (porcupine\.org)\)/
            reject forged client name in Received: header: $2
-        /^Received:.* +by +(porcupine\.org)[[:>:]]/
+        /^Received:.* +by +(porcupine\.org)\b/
            reject forged mail server name in Received: header: $1
        endif
        /^Message-ID:.* <!&!/ DUNNO
@@ -121,7 +125,7 @@ this:
        /^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)
    (porcupine\.org)\)/
            reject forged client name in Received: header: $2
-        /^[> ]*Received:.* +by +(porcupine\.org)[[:>:]]/
+        /^[> ]*Received:.* +by +(porcupine\.org)\b/
            reject forged mail server name in Received: header: $1
        endif
        /^[> ]*Message-ID:.* <!&!/ DUNNO
@@ -130,6 +134,9 @@ this:
 Notes:
  * The example uses pcre: tables mainly for speed; with minor modifications,
    you can use regexp: tables as explained below.
  * The example is simplified for educational purposes. In reality my patterns
    list multiple domain names, as "(domain|domain|...)".
@@ -139,8 +146,9 @@ Notes:
  * The "\(" and "\)" match "(" and ")" literally. Without the "\", the "(" and
    ")" would be grouping operators.
-  * The "[[:>:]]" matches the end of a word. On some systems you should specify
+  * The "\b" is used here to match the end of a word. If you use regexp:
-    "\>" instead. For details see your system documentation.
+    tables, specify "[[:>:]]" (on some systems you should specify "\>" instead;
    for details see your system documentation).
  * The "if /pattern/" and "endif" eliminate unnecessary matching attempts. DO
    NOT indent lines starting with /pattern/ between the "if" and "endif"!
@@ -202,25 +210,29 @@ the backscatter mail that I get claims to be sent from these addresses. Such
 mail is obviously forged and is very easy to stop.
    /etc/postfix/main.cf:
-        header_checks = regexp:/etc/postfix/header_checks
+        header_checks = pcre:/etc/postfix/header_checks
-        body_checks = regexp:/etc/postfix/body_checks
+        body_checks = pcre:/etc/postfix/body_checks
    /etc/postfix/header_checks:
-        /^(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+        /^(From|Return-Path):.*\b(user@domain\.tld)\b/
            reject forged sender address in $1: header: $2
    /etc/postfix/body_checks:
-        /^[> ]*(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+        /^[> ]*(From|Return-Path):.*\b(user@domain\.tld)\b/
            reject forged sender address in $1: header: $2
 Notes:
  * The example uses pcre: tables mainly for speed; with minor modifications,
    you can use regexp: tables as explained below.
  * The example is simplified for educational purposes. In reality, my patterns
    list multiple email addresses as "(user1@domain1\.tld|user2@domain2\.tld)".
-  * The "[[:<:]]" and "[[:>:]]" match the beginning and end of a word,
+  * The two "\b" as used in "\b(user@domain\.tld)\b" match the beginning and
-    respectively. On some systems you should specify "\<" and "\>" instead. For
+    end of a word, respectively. If you use regexp: tables, specify "[[:<:]]
-    details see your system documentation.
+    and [[:>:]]" (on some systems you should specify "\< and \>" instead; for
    details see your system documentation).
  * The "\." matches "." literally. Without the "\", the "." would match any
    character.
--- a/postfix/README_FILES/INSTALL
+++ b/postfix/README_FILES/INSTALL
@@ -88,6 +88,7 @@ At some point in time, a version of Postfix was supported on:
    Linux RedHat 3.x (January 2004) - 9.x
    Linux Slackware 3.x, 4.x, 7.x
    Linux SuSE 5.x, 6.x, 7.x
    Linux Ubuntu 4.10..7.04
    Mac OS X
    NEXTSTEP 3.x
    NetBSD 1.x
--- a/postfix/README_FILES/MILTER_README
+++ b/postfix/README_FILES/MILTER_README
@@ -443,9 +443,6 @@ NOTES:
  * This was tested with sid-milter-0.2.10 and sid-milter-0.2.14.
  * This fixes only the ugly message header, but not the WARNING message.
    Fortunately, sid-milter logs that message only once.
 To fix the ugly message header with other Milter applications, you will need to
 do something like this:
--- a/postfix/README_FILES/OVERVIEW
+++ b/postfix/README_FILES/OVERVIEW
@@ -209,12 +209,13 @@ queues.
    Network -> smtpd(8) <-> anvil(8)
-  * The bounce(8), defer(8) and trace(8) servers each maintain their own queue
+  * The bounce(8), defer(8) and trace(8) services each maintain their own queue
-    directory trees with per-message logfiles. This information is used to send
+    directory trees with per-message logfiles. Postfix uses this information
-    delivery or non-delivery notifications to the sender.
+    when sending "failed", "delayed" or "success" delivery status notifications
    to the sender.
-    The trace(8) service implements support for the Postfix "sendmail -bv" and
+    The trace(8) service also implements support for the Postfix "sendmail -bv"
-    "sendmail -v" commands which produce reports about how Postfix delivers
+    and "sendmail -v" commands which produce reports about how Postfix delivers
    mail, and is available with Postfix version 2.1 and later. See DEBUG_README
    for examples.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,184 +1,18 @@
-The stable Postfix release is called postfix-2.3.x where 2=major
+The stable Postfix release is called postfix-2.4.x where 2=major
-release number, 3=minor release number, x=patchlevel.  The stable
+release number, 4=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
-postfix-2.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-2.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
-Incompatibility with Postfix 2.2 and earlier
+Incompatibility with Postfix 2.3 and earlier
 ============================================
-If you upgrade from Postfix 2.2 or earlier, read RELEASE_NOTES-2.3
+If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4
 before proceeding.
 Incompatibility with Postfix snapshot 200702224
 ===============================================
 As a safety measure, Postfix now by default creates mailbox dotlock
 files on all systems. This prevents problems with GNU POP3D which
 subverts kernel locking by creating a new mailbox file and deleting
 the old one.
 Major changes with Postfix snapshot 20070212-event
 ==================================================
 Better support for systems that run thousands of Postfix processes.
 Postfix now supports FreeBSD kqueue(2), Solaris poll(7d) and Linux
 epoll(4) as more scalable alternatives to the traditional select(2)
 system call, and uses poll(2) when examining a single file descriptor
 for readability or writability. These features are supported on
 sufficiently recent versions of FreeBSD, NetBSD, OpenBSD, Solaris
 and Linux; support for other systems will be added as evidence
 becomes available that usable implementations exist.
 Incompatibility with Postfix snapshot 20070201
 ==============================================
 Some default settings have been adjusted to better match contemporary
 requirements:
 - queue_run_delay and minimal_backoff_time were reduced from 1000s
 to 300s so that deliveries are retried earlier after the first
 failure.
 - ipc_idle was reduced from 100s to 5s, so that tlsmgr and scache
 clients will more quickly release unused file handles.
 Major changes with Postfix snapshot 20070121
 ============================================
 The support for Milter header modification requests was revised.
 With minimal change in the on-disk representation, the code was
 greatly simplified, and regression tests were updated to ensure
 that old errors were not re-introduced.  The queue file format is
 entirely backwards compatible with Postfix 2.3.
 Incompatible changes with Postfix snapshot 20070116
 ===================================================
 A new field is added to the queue file "size" record that specifies
 the message content length.  Postfix 2.3 and older Postfix 2.4
 versions will ignore this field, and will report the message size
 as it was before the body was replaced.
 Major changes with Postfix snapshot 20070116
 ============================================
 Support for Milter requests to replace the message body.  Postfix
 now implements all the header/body modification requests that are
 available with Sendmail 8.13.
 Incompatible changes with Postfix snapshot 20061217
 ===================================================
 Postfix no longer requires a domain name. It uses "localdomain" as
 the default Internet domain name when no domain is specified via
 main.cf or via the machine's hostname.
 Major changes with Postfix snapshot 20061217
 ============================================
 More precise queue flushing with the ETRN, "postqueue -s site", and
 "sendmail -qRsite" commands, after minimization of race conditions.
 New per-queue-file flushing with "postqueue -i queueid" and "sendmail
 -qIqueueid".
 Incompatible changes with Postfix snapshot 20061214
 ===================================================
 The check_smtpd_policy client sends TLS certificate attributes
 (client ccert_subject, ccert_issuer) only after successful client
 certificate verification. The reason is that the certification
 verification status itself is not available in the policy request.
 The check_smtpd_policy client sends TLS certificate fingerprint
 information even when the certificate itself was not verified.
 The remote SMTP client TLS certificate fingerprint can be used for
 access control even when the certificate itself was not verified.
 Incompatible changes with Postfix snapshot 20061209
 ===================================================
 The Postfix installation procedure no longer updates main.cf with
 "unknown_local_recipient_reject_code = 450". Four years after the
 introduction of mandatory recipient validation, this transitional
 tool is no longer neeed.
 After upgrading Postfix you MUST execute "postfix reload", otherwise
 the queue manager may log a warnings with:
    warning: connect to transport retry: Connection refused
 The upgrade procedure adds a new "retry" service to the master.cf
 file.  If you make the mistake of copying old Postfix configuration
 files over the new files, the queue manager may log warnings with:
    warning: connect to transport retry: Connection refused
 To fix your master.cf file, use "postfix upgrade-configuration"
 followed by "postfix reload".
 Small changes were made to the default bounce message templates,
 to prevent HTML-aware software from hiding or removing the text
 "<postmaster>", and producing misleading text.
 Major changes with Postfix snapshot 20061209
 ============================================
 Better interoperability with non-conforming SMTP servers that reply
 and disconnect before Postfix has sent the complete message content.
 Improved worst-case (old and new) queue manager performance when
 deferring or bouncing large amounts of mail. Instead of talking to
 the bounce or defer service synchronously, this work is now done
 in the background by the error or retry service.
 Improved worst-case (new) queue manager performance when delivering
 multi-recipient mail. The queue manager now proactively reads
 recipients from the queue file, instead of waiting for the slowest
 deliveries to complete before reading in new recipients.  This
 introduces two parameters: default_recipient_refill_limit (how many
 recipient slots to refill at a time) and default_recipient_refill_delay
 (how long to wait between refill operations). These two parameters
 act as defaults for optional per-transport settings.
 Better support for queue file systems on file servers with drifting
 clocks. Clock skew can be a problem, because Postfix does not deliver
 mail until the local clock catches up with the queue file's last
 modification time stamp. On systems with usable futimes() or
 equivalent (Solaris, *BSD, MacOS, but not Linux), Postfix now always
 explicitly sets the queue file last modification time stamps while
 creating a queue file.  On systems without usable futimes() (Linux,
 and ancient versions of Solaris, SunOS and *BSD) Postfix keeps using
 the slower utime() system call to update queue file time stamps
 when the file system clock is off with respect to the local system
 clock, and logs a warning.
 Incompatible changes with Postfix snapshot 20061006
 ===================================================
 The format of SMTP server TLS session cache lookup keys has changed.
 The lookup key now includes the master.cf service name.
 Major changes with Postfix snapshot 20061006
 ============================================
 Individual CISCO PIX bug workarounds are now on/off configurable.
 This introduces new parameters: smtp_pix_workarounds (default:
 disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps (workarounds
 indexed by server IP address).  The default settings are backwards
 compatible.
 Incompatible changes with Postfix snapshot 20060806
 ===================================================
 Postfix no longer announces its name in delivery status notifications.
 Users believe that Wietse provides a free help desk service that
 solves all their email problems.
--- a/postfix/RELEASE_NOTES-2.3
+++ b/postfix/RELEASE_NOTES-2.3
--- a/postfix/RELEASE_NOTES-2.4
+++ b/postfix/RELEASE_NOTES-2.4
@@ -0,0 +1,198 @@
 The stable Postfix release is called postfix-2.4.x where 2=major
 release number, 4=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
 postfix-2.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 Major changes - critical
 ------------------------
 See RELEASE_NOTES-2.3 if you upgrade from Postfix 2.2 or earlier.
 [Incompat 20070122] To take advantage of the new support for BSD
 kqueue, Linux epoll, or Solaris /dev/poll, you must restart (not
 reload) Postfix after upgrading from Postfix 2.3.
 [Incompat 20061209] If you upgrade Postfix without restarting, you
 MUST execute "postfix reload", otherwise the queue manager may log
 a warnings with:
    warning: connect to transport retry: Connection refused
 [Incompat 20061209] The upgrade procedure adds a new "retry" service
 to the master.cf file.  If you make the mistake of copying old
 Postfix configuration files over the new files, the queue manager
 may log warnings with:
    warning: connect to transport retry: Connection refused
 To fix your master.cf file, use "postfix upgrade-configuration"
 followed by "postfix reload".
 Major changes - safety
 ----------------------
 [Incompat 20070222] As a safety measure, Postfix now by default
 creates mailbox dotlock files on all systems. This prevents problems
 with GNU POP3D which subverts kernel locking by creating a new
 mailbox file and deleting the old one.
 Major changes - Milter support
 ------------------------------
 [Feature 20070121] The support for Milter header modification
 requests was revised.  With minimal change in the on-disk representation,
 the code was greatly simplified, and regression tests were updated
 to ensure that old errors were not re-introduced.  The queue file
 format is entirely backwards compatible with Postfix 2.3.
 [Feature 20070116] Support for Milter requests to replace the message
 body.  Postfix now implements all the header/body modification
 requests that are available with Sendmail 8.13.
 [Incompat 20070116] A new field is added to the queue file "size"
 record that specifies the message content length.  Postfix 2.3 and
 older Postfix 2.4 snapshots will ignore this field, and will report
 the message size as it was before the body was replaced.
 Major changes - TLS support
 ---------------------------
 [Incompat 20061214] The check_smtpd_policy client sends TLS certificate
 attributes (client ccert_subject, ccert_issuer) only after successful
 client certificate verification. The reason is that the certification
 verification status itself is not available in the policy request.
 [Incompat 20061214] The check_smtpd_policy client sends TLS certificate
 fingerprint information even when the certificate itself was not
 verified.
 [Incompat 20061214] The remote SMTP client TLS certificate fingerprint
 can be used for access control even when the certificate itself was
 not verified.
 [Incompat 20061006] The format of SMTP server TLS session cache
 lookup keys has changed.  The lookup key now includes the master.cf
 service name.
 Major changes - performance
 ---------------------------
 [Feature 20070212] Better support for systems that run thousands
 of Postfix processes.  Postfix now supports FreeBSD kqueue(2),
 Solaris poll(7d) and Linux epoll(4) as more scalable alternatives
 to the traditional select(2) system call, and uses poll(2) when
 examining a single file descriptor for readability or writability.
 These features are supported on sufficiently recent versions of
 FreeBSD, NetBSD, OpenBSD, Solaris and Linux; support for other
 systems will be added as evidence becomes available that usable
 implementations exist.
 [Incompat 20070201] Some default settings have been adjusted to
 better match contemporary requirements:
 - queue_run_delay and minimal_backoff_time were reduced from 1000s
  to 300s so that deliveries are retried earlier after the first
  failure.
 - ipc_idle was reduced from 100s to 5s, so that tlsmgr and scache
  clients will more quickly release unused file handles.
 [Feature 20061209] Improved worst-case (old and new) queue manager
 performance when deferring or bouncing large amounts of mail. Instead
 of talking to the bounce or defer service synchronously, this work
 is now done in the background by the error or retry service.
 [Feature 20061209] Improved worst-case (new) queue manager performance
 when delivering multi-recipient mail. The queue manager now proactively
 reads recipients from the queue file, instead of waiting for the
 slowest deliveries to complete before reading in new recipients.
 This introduces two parameters: default_recipient_refill_limit (how
 many recipient slots to refill at a time) and
 default_recipient_refill_delay (how long to wait between refill
 operations). These two parameters act as defaults for optional
 per-transport settings.
 Major changes - delivery status notifications
 ---------------------------------------------
 [Incompat 20061209] Small changes were made to the default bounce
 message templates, to prevent HTML-aware software from hiding or
 removing the text "<postmaster>", and producing misleading text.
 [Incompat 20060806] Postfix no longer announces its name in delivery
 status notifications.  Users believe that Wietse provides a free
 help desk service that solves all their email problems.
 Major changes - ETRN support
 ----------------------------
 [Feature 20061217] More precise queue flushing with the ETRN,
 "postqueue -s site", and "sendmail -qRsite" commands, after
 minimization of race conditions.  New per-queue-file flushing with
 "postqueue -i queueid" and "sendmail -qIqueueid".
 Major changes - small office/home office support
 ------------------------------------------------
 [Incompat 20061217] Postfix no longer requires a domain name. It
 uses "localdomain" as the default Internet domain name when no
 domain is specified via main.cf or via the machine's hostname.
 Major changes - SMTP access control
 -----------------------------------
 [Incompat 20061214] The check_smtpd_policy client sends TLS certificate
 attributes (client ccert_subject, ccert_issuer) only after successful
 client certificate verification. The reason is that the certification
 verification status itself is not available in the policy request.
 [Incompat 20061214] The check_smtpd_policy client sends TLS certificate
 fingerprint information even when the certificate itself was not
 verified.
 [Incompat 20061214] The remote SMTP client TLS certificate fingerprint
 can be used for
 access control even when the certificate itself was not verified.
 [Incompat 20061209] The Postfix installation procedure no longer
 updates main.cf with "unknown_local_recipient_reject_code = 450".
 Four years after the introduction of mandatory recipient validation,
 this transitional tool is no longer neeed.
 Major changes - workarounds
 ---------------------------
 [Incompat 20070222] As a safety measure, Postfix now by default
 creates mailbox dotlock files on all systems. This prevents problems
 with GNU POP3D which subverts kernel locking by creating a new
 mailbox file and deleting the old one.
 [Feature 20061209] Better interoperability with non-conforming SMTP
 servers that reply and disconnect before Postfix has sent the
 complete message content.
 [Feature 20061209] Better support for queue file systems on file
 servers with drifting clocks. Clock skew can be a problem, because
 Postfix does not deliver mail until the local clock catches up with
 the queue file's last modification time stamp. On systems with
 usable futimes() or equivalent (Solaris, *BSD, MacOS, but not Linux),
 Postfix now always explicitly sets the queue file last modification
 time stamps while creating a queue file.  On systems without usable
 futimes() (Linux, and ancient versions of Solaris, SunOS and *BSD)
 Postfix keeps using the slower utime() system call to update queue
 file time stamps when the file system clock is off with respect to
 the local system clock, and logs a warning.
 [Feature 20061006] Individual CISCO PIX bug workarounds are now
 on/off configurable.  This introduces new parameters: smtp_pix_workarounds
 (default: disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
 (workarounds indexed by server IP address).  The default settings
 are backwards compatible.
--- a/postfix/conf/canonical
+++ b/postfix/conf/canonical
@@ -111,8 +111,10 @@
 #               applied to recipient addresses,  the  Postfix  SMTP
 #               server  accepts  mail  for any recipient in domain,
 #               regardless of whether that recipient exists.   This
-#               may turn your mail system into a backscatter source
+#               may  turn  your  mail  system  into  a  backscatter
-#               that returns undeliverable spam to innocent people.
+#               source: Postfix first accepts mail for non-existent
 #               recipients  and  then  tries to return that mail as
 #               "undeliverable" to the often forged sender address.
 # 
 # RESULT ADDRESS REWRITING
 #        The lookup result is subject to address rewriting:
--- a/postfix/conf/header_checks
+++ b/postfix/conf/header_checks
@@ -66,6 +66,11 @@
 #        time, even when a message  header  spans  multiple  lines.
 #        Body lines are always examined one line at a time.
 # 
 # COMPATIBILITY
 #        With Postfix version 2.2 and earlier specify "postmap -fq"
 #        to query a table that contains case sensitive patterns. By
 #        default,  regexp: and pcre: patterns are case insensitive.
 # 
 # TABLE FORMAT
 #        This document assumes that header  and  body_checks  rules
 #        are  specified  in  the form of Postfix regular expression
@@ -289,7 +294,7 @@
 #               line is not carried over to the next line.
 # 
 #        o      If text in the message body is encoded  (RFC  2045)
-#               then the rules have to specified  for  the  encoded
+#               then the rules need to be specified for the encoded
 #               form.
 # 
 #        o      Likewise, when message  headers  are  encoded  (RFC
--- a/postfix/conf/relocated
+++ b/postfix/conf/relocated
@@ -41,7 +41,9 @@
 #        The input format for the postmap(1) command is as follows:
 # 
 #        o      An entry has one of the following form:
 # 
 #                    pattern      new_location
 # 
 #               Where  new_location  specifies  contact information
 #               such as an  email  address,  or  perhaps  a  street
 #               address or telephone number.
--- a/postfix/conf/transport
+++ b/postfix/conf/transport
@@ -13,8 +13,10 @@
 # DESCRIPTION
 #        The  optional  transport(5) table specifies a mapping from
 #        email addresses to message delivery transports  and  next-
-#        hop hosts. The table is searched by the trivial-rewrite(8)
+#        hop  destinations.   Message  delivery  transports such as
-#        daemon.
+#        local or smtp are defined in the master.cf file, and next-
 #        hop  destinations are typically hosts or domain names. The
 #        table is searched by the trivial-rewrite(8) daemon.
 # 
 #        This  mapping  overrides  the  default   transport:nexthop
 #        selection that is built into Postfix:
@@ -207,8 +209,7 @@
 # 
 #        The error mailer can be used to bounce mail:
 # 
-#             .example.com     error:mail for *.example.com is  not
+#             .example.com     error:mail for *.example.com is not deliverable
 #        deliverable
 # 
 #        This causes all mail for user@anything.example.com  to  be
 #        bounced.
@@ -228,9 +229,10 @@
 #        ble,  until  a  pattern  is  found that matches the search
 #        string.
 # 
-#        Results  are  the  same as with indexed file lookups, with
+#        The trivial-rewrite(8) server disallows regular expression
-#        the additional feature that parenthesized substrings  from
+#        substitution  of  $1  etc.  in  regular  expression lookup
-#        the pattern can be interpolated as $1, $2 and so on.
+#        tables, because that could open a security  hole  (Postfix
 #        version 2.3 and later).
 # 
 # TCP-BASED TABLES
 #        This  section  describes how the table lookups change when
--- a/postfix/conf/virtual
+++ b/postfix/conf/virtual
@@ -107,8 +107,10 @@
 #               Postfix SMTP server accepts mail for any  recipient
 #               in  domain,  regardless  of  whether that recipient
 #               exists.  This may turn  your  mail  system  into  a
-#               backscatter  source that returns undeliverable spam
+#               backscatter  source: Postfix first accepts mail for
-#               to innocent people.
+#               non-existent recipients and then  tries  to  return
 #               that  mail  as  "undeliverable" to the often forged
 #               sender address.
 # 
 # RESULT ADDRESS REWRITING
 #        The lookup result is subject to address rewriting:
@@ -156,9 +158,9 @@
 #        /etc/postfix/main.cf:
 #            virtual_alias_maps = hash:/etc/postfix/virtual
 # 
-#            Note:  some systems use dbm databases instead of hash.
+#        Note: some systems use dbm databases instead of hash.  See
-#            See the output from "postconf -m" for available  data-
+#        the output  from  "postconf  -m"  for  available  database
-#            base types.
+#        types.
 # 
 #        /etc/postfix/virtual:
 #            virtual-alias.domain     anything (right-hand content does not matter)
--- a/postfix/html/BACKSCATTER_README.html
+++ b/postfix/html/BACKSCATTER_README.html
@@ -21,7 +21,10 @@ Backscatter Howto</h1>
 <h2>Overview </h2>
 This document describes features that require Postfix version 2.0
-or later.
+or later.  The examples use Perl Compatible Regular Expressions
 (Postfix <a href="pcre_table.5.html">pcre</a>: tables), but also provide a translation to POSIX
 regular expressions (Postfix <a href="regexp_table.5.html">regexp</a>: tables). PCRE is preferred
 primarily because the implementation is often faster.</p>
 <p> Topics covered in this document: </p>
@@ -174,8 +177,8 @@ patterns like this: </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks
+    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks
-    <a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks
+    <a href="postconf.5.html#body_checks">body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/body_checks
 /etc/postfix/header_checks:
    if /^Received:/
@@ -183,7 +186,7 @@ patterns like this: </p>
        reject forged client name in Received: header: $1
    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
-    /^Received:.* +by +(porcupine\.org)[[:&gt;:]]/
+    /^Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
    /^Message-ID:.* &lt;!&amp;!/ DUNNO
@@ -196,7 +199,7 @@ patterns like this: </p>
        reject forged client name in Received: header: $1
    /^[&gt; ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
-    /^[&gt; ]*Received:.* +by +(porcupine\.org)[[:&gt;:]]/
+    /^[&gt; ]*Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
    /^[&gt; ]*Message-ID:.* &lt;!&amp;!/ DUNNO
@@ -209,6 +212,9 @@ patterns like this: </p>
 <ul>
 <li> <p> The example uses <a href="pcre_table.5.html">pcre</a>: tables mainly for speed; with minor
 modifications, you can use <a href="regexp_table.5.html">regexp</a>: tables as explained below. </p>
 <li> <p> The example is simplified for educational purposes.  In
 reality my patterns list multiple domain names, as
 "<tt>(domain|domain|...)</tt>".  </p>
@@ -220,9 +226,10 @@ the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
 and "<tt>)</tt>" literally. Without the "<tt>\</tt>", the "<tt>(</tt>"
 and "<tt>)</tt>" would be grouping operators.  </p>
-<li> <p> The "<tt>[[:&gt;:]]</tt>" matches the end of a word. On
+<li> <p> The "<tt>\b</tt>" is used here to match the end of a word.
-some systems you should specify "<tt>\&gt;</tt>" instead. For details
+If you use <a href="regexp_table.5.html">regexp</a>: tables, specify "<tt>[[:&gt;:]]</tt>" (on some
-see your system documentation. </p>
+systems you should specify "<tt>\&gt;</tt>" instead; for details
 see your system documentation).
 <li> <p> The "if /pattern/" and "endif" eliminate unnecessary
 matching attempts. DO NOT indent lines starting with /pattern/
@@ -311,15 +318,15 @@ and is very easy to stop.
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks
+    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks
-    <a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks
+    <a href="postconf.5.html#body_checks">body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/body_checks
 /etc/postfix/header_checks:
-    /^(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/ 
+    /^(From|Return-Path):.*\b(user@domain\.tld)\b/ 
        reject forged sender address in $1: header: $2
 /etc/postfix/body_checks:
-    /^[&gt; ]*(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/ 
+    /^[&gt; ]*(From|Return-Path):.*\b(user@domain\.tld)\b/ 
        reject forged sender address in $1: header: $2
 </pre>
 </blockquote>
@@ -328,14 +335,18 @@ and is very easy to stop.
 <ul>
 <li> <p> The example uses <a href="pcre_table.5.html">pcre</a>: tables mainly for speed; with minor
 modifications, you can use <a href="regexp_table.5.html">regexp</a>: tables as explained below. </p>
 <li> <p> The example is simplified for educational purposes.  In
 reality, my patterns list multiple email addresses as
 "<tt>(user1@domain1\.tld|user2@domain2\.tld)</tt>".  </p>
-<li> <p> The "<tt>[[:&lt;:]]</tt>" and "<tt>[[:&gt;:]]</tt>" match
+<li> <p> The two "<tt>\b</tt>" as used in "<tt>\b(user@domain\.tld)\b</tt>"
-the beginning and end of a word, respectively. On some systems you
+match the beginning and end of a word, respectively.  If you use
-should specify "<tt>\&lt;</tt>" and "<tt>\&gt;</tt>" instead. For
+<a href="regexp_table.5.html">regexp</a>: tables, specify "<tt>[[:&lt;:]]</tt> and <tt>[[:&gt;:]]</tt>"
-details see your system documentation. </p>
+(on some systems you should specify "<tt>\&lt;</tt> and <tt>\&gt;</tt>"
 instead; for details see your system documentation).  </p>
 <li> <p> The "<tt>\.</tt>" matches "<tt>.</tt>" literally. Without
 the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
--- a/postfix/html/INSTALL.html
+++ b/postfix/html/INSTALL.html
@@ -149,6 +149,7 @@ Linux Debian 1.3.1, 2.x, 3.x <br>
 Linux RedHat 3.x (January 2004) - 9.x <br>
 Linux Slackware 3.x, 4.x, 7.x <br>
 Linux SuSE 5.x, 6.x, 7.x <br>
 Linux Ubuntu 4.10..7.04<br>
 Mac OS X <br>
 NEXTSTEP 3.x <br>
 NetBSD 1.x <br>
--- a/postfix/html/MILTER_README.html
+++ b/postfix/html/MILTER_README.html
@@ -708,9 +708,6 @@ text below: </p>
 <li> <p> This was tested with sid-milter-0.2.10 and sid-milter-0.2.14. </p>
 <li> <p> This fixes only the ugly message header, but not the WARNING
 message.  Fortunately, sid-milter logs that message only once. </p>
 </ul>
 <p> To fix the ugly message header with other Milter applications,
--- a/postfix/html/OVERVIEW.html
+++ b/postfix/html/OVERVIEW.html
@@ -460,12 +460,13 @@ bgcolor="#f0f0ff"> <br> <a href="smtpd.8.html">smtpd(8)</a><br><br> </td> <td> <
 </table>
-<li> <p> The <a href="bounce.8.html">bounce(8)</a>, <a href="defer.8.html">defer(8)</a> and <a href="trace.8.html">trace(8)</a> servers each maintain
+<li> <p> The <a href="bounce.8.html">bounce(8)</a>, <a href="defer.8.html">defer(8)</a> and <a href="trace.8.html">trace(8)</a> services each maintain
-their own queue directory trees with per-message logfiles. This
+their own queue directory trees with per-message logfiles. Postfix
-information is used to send delivery or non-delivery notifications
+uses this information when sending "failed", "delayed" or "success"
-to the sender. </p>
+delivery status notifications to the sender. </p>
-<p> The <a href="trace.8.html">trace(8)</a> service implements support for the Postfix "sendmail
+<p> The <a href="trace.8.html">trace(8)</a> service also implements support for the Postfix
 "sendmail
 -bv" and "sendmail -v" commands which produce reports about how
 Postfix delivers mail, and is available with Postfix version 2.1
 and later. See <a href="DEBUG_README.html#trace_mail"> DEBUG_README
--- a/postfix/html/canonical.5.html
+++ b/postfix/html/canonical.5.html
@@ -117,8 +117,10 @@ CANONICAL(5)                                                      CANONICAL(5)
              applied to recipient addresses,  the  Postfix  SMTP
              server  accepts  mail  for any recipient in <i>domain</i>,
              regardless of whether that recipient exists.   This
-              may turn your mail system into a backscatter source
+              may  turn  your  mail  system  into  a  backscatter
-              that returns undeliverable spam to innocent people.
+              source: Postfix first accepts mail for non-existent
              recipients  and  then  tries to return that mail as
              "undeliverable" to the often forged sender address.
 <b>RESULT ADDRESS REWRITING</b>
       The lookup result is subject to address rewriting:
--- a/postfix/html/header_checks.5.html
+++ b/postfix/html/header_checks.5.html
@@ -72,6 +72,11 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
       time, even when a message  header  spans  multiple  lines.
       Body lines are always examined one line at a time.
 <b>COMPATIBILITY</b>
       With Postfix version 2.2 and earlier specify "<b>postmap -fq</b>"
       to query a table that contains case sensitive patterns. By
       default,  <a href="regexp_table.5.html">regexp</a>: and <a href="pcre_table.5.html">pcre</a>: patterns are case insensitive.
 <b>TABLE FORMAT</b>
       This document assumes that header  and  <a href="postconf.5.html#body_checks">body_checks</a>  rules
       are  specified  in  the form of Postfix regular expression
@@ -295,7 +300,7 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
              line is not carried over to the next line.
       <b>o</b>      If text in the message body is encoded  (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC  2045</a>)
-              then the rules have to specified  for  the  encoded
+              then the rules need to be specified for the encoded
              form.
       <b>o</b>      Likewise, when message  headers  are  encoded  (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC</a>
--- a/postfix/html/ldap_table.5.html
+++ b/postfix/html/ldap_table.5.html
@@ -327,8 +327,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              are not performed. This  can  significantly  reduce
              the query load on the LDAP server.
-                  domain = postfix.org, hash:/etc/postfix/search-
+                  domain = postfix.org, hash:/etc/postfix/searchdomains
              domains
              It  is  best  not  to use LDAP to store the domains
              eligible for LDAP lookups.
--- a/postfix/html/mysql_table.5.html
+++ b/postfix/html/mysql_table.5.html
@@ -21,26 +21,26 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
       Alternatively,  lookup  tables  can  be specified as MySQL
       databases.  In order to use MySQL lookups, define a  MySQL
-       source as a lookup table in main.cf, for example:
+       source as a lookup table in <a href="postconf.5.html">main.cf</a>, for example:
           <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="mysql_table.5.html">mysql</a>:/etc/mysql-aliases.cf
       The file /etc/postfix/mysql-aliases.cf has the same format
-       as the Postfix main.cf file, and can specify  the  parame-
+       as the Postfix <a href="postconf.5.html">main.cf</a> file, and can specify  the  parame-
       ters described below.
 <b>BACKWARDS COMPATIBILITY</b>
       For  compatibility with other Postfix lookup tables, MySQL
-       parameters can also be defined in main.cf.  In order to do
+       parameters can also be defined in <a href="postconf.5.html">main.cf</a>.  In order to do
       that,  specify  as  MySQL source a name that doesn't begin
       with a slash or a dot.  The MySQL parameters will then  be
       accessible as the name you've given the source in its def-
       inition, an underscore, and the  name  of  the  parameter.
       For example, if the map is specified as "<a href="mysql_table.5.html">mysql</a>:<i>mysqlname</i>",
-       the parameter "hosts" below would be defined in main.cf as
+       the parameter "hosts" below would be defined in <a href="postconf.5.html">main.cf</a> as
       "<i>mysqlname</i>_hosts".
       Note:  with this form, the passwords for the MySQL sources
-       are written in main.cf, which is normally  world-readable.
+       are written in <a href="postconf.5.html">main.cf</a>, which is normally  world-readable.
       Support  for this form will be removed in a future Postfix
       version.
@@ -115,8 +115,7 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
       <b>query</b>  The SQL query template used to search the database,
              where <b>%s</b> is a substitute for the address Postfix is
              trying to resolve, e.g.
-                  query  =  SELECT replacement FROM aliases WHERE
+                  query = SELECT replacement FROM aliases WHERE mailbox = '%s'
              mailbox = '%s'
              This  parameter  supports  the following '%' expan-
              sions:
@@ -240,8 +239,7 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
              lookups,  bare domain lookups and "@domain" lookups
              are not performed. This  can  significantly  reduce
              the query load on the MySQL server.
-                  domain = postfix.org, hash:/etc/postfix/search-
+                  domain = postfix.org, hash:/etc/postfix/searchdomains
              domains
              It is best not to use SQL to store the domains eli-
              gible for SQL lookups.
--- a/postfix/html/pcre_table.5.html
+++ b/postfix/html/pcre_table.5.html
@@ -16,8 +16,8 @@ PCRE_TABLE(5)                                                    PCRE_TABLE(5)
 <b>DESCRIPTION</b>
       The  Postfix  mail system uses optional tables for address
-       rewriting or mail routing. These tables are usually in <b>dbm</b>
+       rewriting, mail routing, or access control.  These  tables
-       or <b>db</b> format.
+       are usually in <b>dbm</b> or <b>db</b> format.
       Alternatively, lookup tables can be specified in Perl Com-
       patible Regular Expression form. In this case, each  input
--- a/postfix/html/pgsql_table.5.html
+++ b/postfix/html/pgsql_table.5.html
@@ -21,27 +21,27 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
       Alternatively,  lookup  tables  can  be specified as Post-
       greSQL databases.  In order  to  use  PostgreSQL  lookups,
-       define  a  PostgreSQL source as a lookup table in main.cf,
+       define  a  PostgreSQL source as a lookup table in <a href="postconf.5.html">main.cf</a>,
       for example:
           <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="pgsql_table.5.html">pgsql</a>:/etc/pgsql-aliases.cf
       The file /etc/postfix/pgsql-aliases.cf has the same format
-       as  the  Postfix main.cf file, and can specify the parame-
+       as  the  Postfix <a href="postconf.5.html">main.cf</a> file, and can specify the parame-
       ters described below.
 <b>BACKWARDS COMPATIBILITY</b>
       For compatibility with other Postfix lookup tables,  Post-
-       greSQL  parameters  can  also  be  defined in main.cf.  In
+       greSQL  parameters  can  also  be  defined in <a href="postconf.5.html">main.cf</a>.  In
       order to do that, specify as PostgreSQL source a name that
       doesn't  begin  with  a  slash  or  a dot.  The PostgreSQL
       parameters will then be  accessible  as  the  name  you've
       given the source in its definition, an underscore, and the
       name of the parameter.  For example, if the map is  speci-
       fied  as  "<a href="pgsql_table.5.html">pgsql</a>:<i>pgsqlname</i>",  the  parameter "hosts" below
-       would be defined in main.cf as "<i>pgsqlname</i>_hosts".
+       would be defined in <a href="postconf.5.html">main.cf</a> as "<i>pgsqlname</i>_hosts".
       Note: with this form, the  passwords  for  the  PostgreSQL
-       sources  are  written in main.cf, which is normally world-
+       sources  are  written in <a href="postconf.5.html">main.cf</a>, which is normally world-
       readable.  Support for this form  will  be  removed  in  a
       future Postfix version.
@@ -121,8 +121,7 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
       <b>query</b>  The SQL query template used to search the database,
              where <b>%s</b> is a substitute for the address Postfix is
              trying to resolve, e.g.
-                  query = SELECT replacement FROM  aliases  WHERE
+                  query = SELECT replacement FROM aliases WHERE mailbox = '%s'
              mailbox = '%s'
              This parameter supports the  following  '%'  expan-
              sions:
@@ -245,8 +244,7 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
              lookups, bare domain lookups and "@domain"  lookups
              are  not  performed.  This can significantly reduce
              the query load on the PostgreSQL server.
-                  domain = postfix.org, hash:/etc/postfix/search-
+                  domain = postfix.org, hash:/etc/postfix/searchdomains
              domains
              It is best not to use SQL to store the domains eli-
              gible for SQL lookups.
--- a/postfix/html/pipe.8.html
+++ b/postfix/html/pipe.8.html
@@ -278,8 +278,8 @@ PIPE(8)                                                                PIPE(8)
              <b>${sasl_sender</b>}
                     This macro expands to the SASL  sender  name
-                     (i.e.  the  original  submitter  as  per RFC
+                     (i.e.  the  original  submitter  as  per <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC</a>
-                     2554) used during the reception of the  mes-
+                     <a href="http://www.faqs.org/rfcs/rfc2554.html">2554</a>) used during the reception of the  mes-
                     sage.
                     This  is available in Postfix 2.2 and later.
--- a/postfix/html/postsuper.1.html
+++ b/postfix/html/postsuper.1.html
@@ -45,8 +45,7 @@ POSTSUPER(1)                                                      POSTSUPER(1)
              delete  all  mail  with   exactly   one   recipient
              <b>user@example.com</b>:
-              mailq | tail +2 | grep -v '^ *(' | awk  'BEGIN { RS
+              mailq | tail +2 | grep -v '^ *(' | awk  'BEGIN { RS = "" }
              = "" }
                  # $7=sender, $8=recipient1, $9=recipient2
                  { if ($8 == "user@example.com" &amp;&amp; $9 == "")
                        print $1 }
--- a/postfix/html/regexp_table.5.html
+++ b/postfix/html/regexp_table.5.html
@@ -16,8 +16,8 @@ REGEXP_TABLE(5)                                                REGEXP_TABLE(5)
 <b>DESCRIPTION</b>
       The Postfix mail system uses optional tables  for  address
-       rewriting or mail routing. These tables are usually in <b>dbm</b>
+       rewriting,  mail  routing, or access control. These tables
-       or <b>db</b> format.
+       are usually in <b>dbm</b> or <b>db</b> format.
       Alternatively, lookup tables can  be  specified  in  POSIX
       regular  expression form. In this case, each input is com-
--- a/postfix/html/relocated.5.html
+++ b/postfix/html/relocated.5.html
@@ -47,7 +47,9 @@ RELOCATED(5)                                                      RELOCATED(5)
       The input format for the <a href="postmap.1.html"><b>postmap</b>(1)</a> command is as follows:
       <b>o</b>      An entry has one of the following form:
                   <i>pattern      new</i><b>_</b><i>location</i>
              Where  <i>new</i><b>_</b><i>location</i>  specifies  contact information
              such as an  email  address,  or  perhaps  a  street
              address or telephone number.
--- a/postfix/html/transport.5.html
+++ b/postfix/html/transport.5.html
@@ -19,8 +19,10 @@ TRANSPORT(5)                                                      TRANSPORT(5)
 <b>DESCRIPTION</b>
       The  optional  <a href="transport.5.html"><b>transport</b>(5)</a> table specifies a mapping from
       email addresses to message delivery transports  and  next-
-       hop hosts. The table is searched by the <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a>
+       hop  destinations.   Message  delivery  transports such as
-       daemon.
+       <b>local</b> or <b>smtp</b> are defined in the <a href="master.5.html"><b>master.cf</b></a> file, and next-
       hop  destinations are typically hosts or domain names. The
       table is searched by the <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> daemon.
       This  mapping  overrides  the  default   <i>transport</i>:<i>nexthop</i>
       selection that is built into Postfix:
@@ -213,8 +215,7 @@ TRANSPORT(5)                                                      TRANSPORT(5)
       The error mailer can be used to bounce mail:
-            <b>.example.com     <a href="error.8.html">error</a>:mail for *.example.com is  not</b>
+            <b>.example.com     <a href="error.8.html">error</a>:mail for *.example.com is not deliverable</b>
       <b>deliverable</b>
       This causes all mail for <i>user</i>@<i>anything</i><b>.example.com</b>  to  be
       bounced.
@@ -234,9 +235,10 @@ TRANSPORT(5)                                                      TRANSPORT(5)
       ble,  until  a  pattern  is  found that matches the search
       string.
-       Results  are  the  same as with indexed file lookups, with
+       The <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> server disallows regular expression
-       the additional feature that parenthesized substrings  from
+       substitution  of  $1  etc.  in  regular  expression lookup
-       the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
+       tables, because that could open a security  hole  (Postfix
       version 2.3 and later).
 <b>TCP-BASED TABLES</b>
       This  section  describes how the table lookups change when
--- a/postfix/html/virtual.5.html
+++ b/postfix/html/virtual.5.html
@@ -113,8 +113,10 @@ VIRTUAL(5)                                                          VIRTUAL(5)
              Postfix SMTP server accepts mail for any  recipient
              in  <i>domain</i>,  regardless  of  whether that recipient
              exists.  This may turn  your  mail  system  into  a
-              backscatter  source that returns undeliverable spam
+              backscatter  source: Postfix first accepts mail for
-              to innocent people.
+              non-existent recipients and then  tries  to  return
              that  mail  as  "undeliverable" to the often forged
              sender address.
 <b>RESULT ADDRESS REWRITING</b>
       The lookup result is subject to address rewriting:
@@ -162,9 +164,9 @@ VIRTUAL(5)                                                          VIRTUAL(5)
       /etc/postfix/<a href="postconf.5.html">main.cf</a>:
           <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
-           Note:  some systems use <b>dbm</b> databases instead of <b>hash</b>.
+       Note: some systems use <b>dbm</b> databases instead of <b>hash</b>.  See
-           See the output from "<b>postconf -m</b>" for available  data-
+       the output  from  "<b>postconf  -m</b>"  for  available  database
-           base types.
+       types.
       /etc/postfix/<a href="virtual.8.html">virtual</a>:
           <i>virtual-alias.domain     anything</i> (right-hand content does not matter)
--- a/postfix/man/man1/postmap.1
+++ b/postfix/man/man1/postmap.1
@@ -19,8 +19,9 @@ The \fBpostmap\fR(1) command creates or queries one or more Postfix
 lookup tables, or updates an existing one. The input and output
 file formats are expected to be compatible with:
-.ti +4
+.nf
    \fBmakemap \fIfile_type\fR \fIfile_name\fR < \fIfile_name\fR
 .fi
 If the result files do not exist they will be created with the
 same group and other read permissions as their source file.
@@ -38,8 +39,9 @@ The format of a lookup table input file is as follows:
 .IP \(bu
 A table entry has the form
 .sp
-.ti +5
+.nf
     \fIkey\fR whitespace \fIvalue\fR
 .fi
 .IP \(bu
 Empty lines and whitespace-only lines are ignored, as
 are lines whose first non-whitespace character is a `#'.
--- a/postfix/man/man1/postsuper.1
+++ b/postfix/man/man1/postsuper.1
@@ -42,15 +42,13 @@ If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
 queue IDs from standard input. For example, to delete all mail
 with exactly one recipient \fBuser@example.com\fR:
 .sp
 .nf
 mailq | tail +2 | grep -v '^ *(' | awk  \'BEGIN { RS = "" }
 .ti +4
    # $7=sender, $8=recipient1, $9=recipient2
 .ti +4
    { if ($8 == "user@example.com" && $9 == "")
 .ti +10
          print $1 }
 .br
 \' | tr -d '*!' | postsuper -d -
 .fi
 .sp
 Specify "\fB-d ALL\fR" to remove all messages; for example, specify
 "\fB-d ALL deferred\fR" to delete all mail in the \fBdeferred\fR queue.
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@@ -365,20 +365,17 @@ tables, some systems use \fBdbm\fR.  Use the command
 "\fBpostconf -m\fR" to find out what lookup tables Postfix
 supports on your system.
 .na
 .nf
 .na
 /etc/postfix/main.cf:
 .in +4
    smtpd_client_restrictions =
 .in +4
        check_client_access hash:/etc/postfix/access
 .in -8
 /etc/postfix/access:
 .in +4
    1.2.3   REJECT
    1.2.3.4 OK
-.in -4
+.fi
 .ad
 Execute the command "\fBpostmap /etc/postfix/access\fR" after
 editing the file.
--- a/postfix/man/man5/aliases.5
+++ b/postfix/man/man5/aliases.5
@@ -37,8 +37,9 @@ The format of the alias database input file is as follows:
 .IP \(bu
 An alias definition has the form
 .sp
-.ti +5
+.nf
     \fIname\fR: \fIvalue1\fR, \fIvalue2\fR, \fI...\fR
 .fi
 .IP \(bu
 Empty lines and whitespace-only lines are ignored, as
 are lines whose first non-whitespace character is a `#'.
--- a/postfix/man/man5/bounce.5
+++ b/postfix/man/man5/bounce.5
@@ -40,8 +40,9 @@ edit the temporary file.
 To preview the results of $\fIname\fR expansions in the
 template text, use the command
-.ti +4
+.nf
    \fBpostconf -b\fR \fItemporary_file\fR
 .fi
 Errors in the template will be reported to the standard
 error stream and to the syslog daemon.
@@ -54,9 +55,10 @@ Once the result is satisfactory, copy the template to the
 Postfix configuration directory and specify in main.cf
 something like:
 .nf
 /etc/postfix/main.cf:
 .ti +4
    bounce_template_file = /etc/postfix/bounce.cf
 .fi
 .SH "TEMPLATE FILE FORMAT"
 .na
 .nf
@@ -76,9 +78,7 @@ only. You can change the word EOF, but you can't enclose
 it in quotes as with the shell or with Perl (\fItemplate_name\fB
 = <<'EOF'\fR). Here is an example:
 .in +4
 .nf
 .na
    # The failure template is used for undeliverable mail.
    failure_template = <<EOF
@@ -97,11 +97,8 @@ For further assistance, please send mail to postmaster.
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
 .ti +12
                       The mail system
    EOF
 .in -4
 .ad
 .fi
 .PP
 The usage and specification of bounce templates is
--- a/postfix/man/man5/canonical.5
+++ b/postfix/man/man5/canonical.5
@@ -113,8 +113,9 @@ Note: @\fIdomain\fR is a wild-card. When this form is applied
 to recipient addresses, the Postfix SMTP server accepts
 mail for any recipient in \fIdomain\fR, regardless of whether
 that recipient exists.  This may turn your mail system into
-a backscatter source that returns undeliverable spam to
+a backscatter source: Postfix first accepts mail for
-innocent people.
+non-existent recipients and then tries to return that mail
 as "undeliverable" to the often forged sender address.
 .SH "RESULT ADDRESS REWRITING"
 .na
 .nf
--- a/postfix/man/man5/cidr_table.5
+++ b/postfix/man/man5/cidr_table.5
@@ -70,17 +70,16 @@ pattern is found that matches the search string.
 .SH "EXAMPLE SMTPD ACCESS MAP"
 .na
 .nf
 .nf
 /etc/postfix/main.cf:
 .ti +4
    smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ...
 /etc/postfix/client.cidr:
 .in +4
    # Rule order matters. Put more specific whitelist entries
    # before more general blacklist entries.
    192.168.1.1             OK
    192.168.0.0/16          REJECT
-.in -4
+.fi
 .SH "SEE ALSO"
 .na
 .nf
--- a/postfix/man/man5/generic.5
+++ b/postfix/man/man5/generic.5
@@ -174,16 +174,12 @@ that the ISP supports "+" style address extensions).
 .na
 .nf
 /etc/postfix/main.cf:
 .in +4
    smtp_generic_maps = hash:/etc/postfix/generic
 .in -4
 /etc/postfix/generic:
 .in +4
    his@localdomain.local   hisaccount@hisisp.example
    her@localdomain.local   heraccount@herisp.example
    @localdomain.local      hisaccount+local@hisisp.example
 .in -4
 .ad
 .fi
--- a/postfix/man/man5/header_checks.5
+++ b/postfix/man/man5/header_checks.5
@@ -8,17 +8,15 @@ Postfix built-in content inspection
 .SH "SYNOPSIS"
 .na
 .nf
 .nf
 \fBheader_checks = pcre:/etc/postfix/header_checks\fR
 .br
 \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR
 .br
 \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR
 .br
 \fBbody_checks = pcre:/etc/postfix/body_checks\fR
 .sp
 \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
 .br
 \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
 .fi
 .SH DESCRIPTION
 .ad
 .fi
@@ -66,6 +64,15 @@ message headers is treated as body content.
 Note: message headers are examined one logical header at a time,
 even when a message header spans multiple lines. Body lines are
 always examined one line at a time.
 .SH "COMPATIBILITY"
 .na
 .nf
 .ad
 .fi
 With Postfix version 2.2 and earlier specify "\fBpostmap
 -fq\fR" to query a table that contains case sensitive
 patterns. By default, regexp: and pcre: patterns are case
 insensitive.
 .SH "TABLE FORMAT"
 .na
 .nf
@@ -273,7 +280,7 @@ line at a time. A decision made for one line is not carried over
 to the next line.
 .IP \(bu
 If text in the message body is encoded
-(RFC 2045) then the rules have to specified for the encoded
+(RFC 2045) then the rules need to be specified for the encoded
 form.
 .IP \(bu
 Likewise, when message headers are encoded (RFC
@@ -330,13 +337,10 @@ Header pattern to block attachments with bad file name extensions.
 .na
 .nf
 /etc/postfix/main.cf:
 .ti +4
    header_checks = regexp:/etc/postfix/header_checks
 /etc/postfix/header_checks:
 .ti +4
    /^content-(type|disposition):.*name[[:space:]]*=.*\\.(exe|vbs)/
 .ti +8
        REJECT Bad attachment file name extension: $2
 .ad
@@ -346,13 +350,10 @@ Body pattern to stop a specific HTML browser vulnerability exploit.
 .na
 .nf
 /etc/postfix/main.cf:
 .ti +4
    body_checks = regexp:/etc/postfix/body_checks
 /etc/postfix/body_checks:
 .ti +4
    /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
 .ti +8
        REJECT IFRAME vulnerability exploit
 .SH "SEE ALSO"
 .na
--- a/postfix/man/man5/ldap_table.5
+++ b/postfix/man/man5/ldap_table.5
@@ -23,8 +23,9 @@ Alternatively, lookup tables can be specified as LDAP databases.
 In order to use LDAP lookups, define an LDAP source as a lookup
 table in main.cf, for example:
-.ti +4
+.nf
    alias_maps = ldap:/etc/postfix/ldap-aliases.cf
 .fi
 The file /etc/postfix/ldap-aliases.cf has the same format as
 the Postfix main.cf file, and can specify the parameters
@@ -89,19 +90,17 @@ return the key itself.
 For example, NEVER do this in a map defining $mydestination:
-.in +4
+.nf
    query_filter = domain=*
 .br
    result_attribute = domain
-.in -4
+.fi
 Do this instead:
-.in +4
+.nf
    query_filter = domain=%s
 .br
    result_attribute = domain
-.in -4
+.fi
 .SH "GENERAL LDAP PARAMETERS"
 .na
 .nf
@@ -114,8 +113,9 @@ strings.
 .IP "\fBserver_host (default: localhost)\fR"
 The name of the host running the LDAP server, e.g.
-.ti +4
+.nf
    server_host = ldap.example.com
 .fi
 Depending on the LDAP client library you're using, it should
 be possible to specify multiple servers here, with the library
@@ -123,41 +123,45 @@ trying them in order should the first one fail. It should also
 be possible to give each server in the list a different port
 (overriding \fBserver_port\fR below), by naming them like
-.ti +4
+.nf
    server_host = ldap.example.com:1444
 .fi
 With OpenLDAP, a (list of) LDAP URLs can be used to specify both
 the hostname(s) and the port(s):
-.ti +4
+.nf
    server_host = ldap://ldap.example.com:1444
 .ti +8
                ldap://ldap2.example.com:1444
 .fi
 All LDAP URLs accepted by the OpenLDAP library are supported,
 including connections over UNIX domain sockets, and LDAP SSL
 (the last one provided that OpenLDAP was compiled with support
 for SSL):
-.ti +4
+.nf
    server_host = ldapi://%2Fsome%2Fpath
 .ti +8
                ldaps://ldap.example.com:636
 .fi
 .IP "\fBserver_port (default: 389)\fR"
 The port the LDAP server listens on, e.g.
-.ti +4
+.nf
    server_port = 778
 .fi
 .IP "\fBtimeout (default: 10 seconds)\fR"
 The number of seconds a search can take before timing out, e.g.
-.ti +4
+.fi
    timeout = 5
 .fi
 .IP "\fBsearch_base (No default; you must configure this)\fR"
 The RFC2253 base DN at which to conduct the search, e.g.
-.ti +4
+.nf
    search_base = dc=your, dc=com
 .fi
 .IP
 With Postfix 2.2 and later this parameter supports the
 following '%' expansions:
@@ -199,8 +203,9 @@ The RFC2254 filter used to search the directory, where \fB%s\fR
 is a substitute for the address Postfix is trying to resolve,
 e.g.
-.ti +4
+.nf
    query_filter = (&(mail=%s)(paid_up=true))
 .fi
 This parameter supports the following '%' expansions:
 .RS
@@ -309,8 +314,9 @@ are eligible for lookup: 'user' lookups, bare domain lookups
 and "@domain" lookups are not performed. This can significantly
 reduce the query load on the LDAP server.
-.ti +4
+.nf
    domain = postfix.org, hash:/etc/postfix/searchdomains
 .fi
 It is best not to use LDAP to store the domains eligible
 for LDAP lookups.
@@ -323,15 +329,17 @@ The attribute(s) Postfix will read from any directory
 entries returned by the lookup, to be resolved to an email
 address.
-.ti +4
+.nf
    result_attribute = mailbox, maildrop
 .fi
 .IP "\fBspecial_result_attribute (default: empty)\fR"
 The attribute(s) of directory entries that can contain DNs
 or URLs. If found, a recursive subsequent search is done
 using their values.
-.ti +4
+.nf
    special_result_attribute = memberdn
 .fi
 DN recursion retrieves the same result_attributes as the
 main query, including the special attributes for further
@@ -349,8 +357,9 @@ attribute on selected groups to route the group to a specific host,
 where the group is expanded, possibly via mailing-list manager or
 other special processing.
-.ti +4
+.nf
    terminal_result_attribute = maildrop
 .fi
 This feature is available with Postfix 2.4 or later.
 .IP "\fBleaf_result_attribute (default: empty)\fR"
@@ -370,15 +379,12 @@ rfc822 addresses, then the string attributes go in "result_attribute".
 The attributes that represent the email addresses of objects
 referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
-.in +4
+.nf
    result_attribute = memberaddr
 .br
    special_result_attribute = memberdn
 .br
    terminal_result_attribute = maildrop
 .br
    leaf_result_attribute = mail
-.in -4
+.fi
 This feature is available with Postfix 2.4 or later.
 .IP "\fBscope (default: sub)\fR"
@@ -390,8 +396,9 @@ Whether or not to bind to the LDAP server. Newer LDAP
 implementations don't require clients to bind, which saves
 time. Example:
-.ti +4
+.nf
    bind = no
 .fi
 If you do need to bind, you might consider configuring
 Postfix to connect to the local machine on a port that's
@@ -403,8 +410,9 @@ the clear.
 .IP "\fBbind_dn (default: empty)\fR"
 If you do have to bind, do it with this distinguished name. Example:
-.ti +4
+.nf
    bind_dn = uid=postfix, dc=your, dc=com
 .fi
 .IP "\fBbind_pw (default: empty)\fR"
 The password for the distinguished name above. If you have
 to use this, you probably want to make the map configuration
@@ -415,8 +423,9 @@ password. This is because main.cf needs to be world readable
 to allow local accounts to submit mail via the sendmail
 command. Example:
-.ti +4
+.nf
    bind_pw = postfixpw
 .fi
 .IP "\fBcache (IGNORED with a warning)\fR"
 .IP "\fBcache_expiry (IGNORED with a warning)\fR"
 .IP "\fBcache_size (IGNORED with a warning)\fR"
@@ -485,19 +494,22 @@ issue the STARTTLS command.
 LDAP SSL service can be requested by using a LDAP SSL URL
 in the server_host parameter:
-.ti +4
+.nf
    server_host = ldaps://ldap.example.com:636
 .fi
 STARTTLS can be turned on with the start_tls parameter:
-.ti +4
+.nf
    start_tls = yes
 .fi
 Both forms require LDAP protocol version 3, which has to be set
 explicitly with:
-.ti +4
+.nf
    version = 3
 .fi
 If any of the Postfix programs querying the map is configured in
 master.cf to run chrooted, all the certificates and keys involved
@@ -550,18 +562,17 @@ Here's a basic example for using LDAP to look up local(8)
 aliases.
 Assume that in main.cf, you have:
-.ti +4
+.nf
    alias_maps = hash:/etc/aliases,
 .ti +8
            ldap:/etc/postfix/ldap-aliases.cf
 .fi
 and in ldap:/etc/postfix/ldap-aliases.cf you have:
-.in +4
+.nf
    server_host = ldap.example.com
 .br
    search_base = dc=example, dc=com
-.in -4
+.fi
 Upon receiving mail for a local address "ldapuser" that
 isn't found in the /etc/aliases database, Postfix will
--- a/postfix/man/man5/mysql_table.5
+++ b/postfix/man/man5/mysql_table.5
@@ -21,8 +21,9 @@ rewriting or mail routing. These tables are usually in
 Alternatively, lookup tables can be specified as MySQL databases.
 In order to use MySQL lookups, define a MySQL source as a lookup
 table in main.cf, for example:
-.ti +4
+.nf
    alias_maps = mysql:/etc/mysql-aliases.cf
 .fi
 The file /etc/postfix/mysql-aliases.cf has the same format as
 the Postfix main.cf file, and can specify the parameters
@@ -56,14 +57,12 @@ query constructed from the \fBselect_field\fR, \fBtable\fR,
 The old interface will be gradually phased out. To migrate to
 the new interface set:
-.ti +4
+.nf
    \fBquery\fR = SELECT [\fIselect_field\fR]
 .ti +8
        FROM [\fItable\fR]
 .ti +8
        WHERE [\fIwhere_field\fR] = '%s'
 .ti +12
            [\fIadditional_conditions\fR]
 .fi
 Insert the value, not the name, of each legacy parameter. Note
 that the \fBadditional_conditions\fR parameter is optional
@@ -97,10 +96,10 @@ return the key itself or a constant value.
 The hosts that Postfix will try to connect to and query from.
 Specify \fIunix:\fR for UNIX domain sockets, \fIinet:\fR for TCP
 connections (default).  Example:
-.ti +4
+.nf
    hosts = host1.some.domain host2.some.domain
 .ti +4
    hosts = unix:/file/name
 .fi
 The hosts are tried in random order, with all connections over
 UNIX domain sockets being tried before those over TCP.  The
@@ -112,26 +111,28 @@ NOTE: if you specify localhost as a hostname (even if you
 prefix it with \fIinet:\fR), MySQL will connect to the default
 UNIX domain socket.  In order to instruct MySQL to connect to
 localhost over TCP you have to specify
-.ti +4
+.nf
    hosts = 127.0.0.1
 .fi
 .IP "\fBuser, password\fR"
 The user name and password to log into the mysql server.
 Example:
-.in +4
+.nf
    user = someone
 .br
    password = some_password
-.in -4
+.fi
 .IP "\fBdbname\fR"
 The database name on the servers. Example:
-.ti +4
+.nf
    dbname = customer_database
 .fi
 .IP "\fBquery\fR"
 The SQL query template used to search the database, where \fB%s\fR
 is a substitute for the address Postfix is trying to resolve,
 e.g.
-.ti +4
+.nf
    query = SELECT replacement FROM aliases WHERE mailbox = '%s'
 .fi
 This parameter supports the following '%' expansions:
 .RS
@@ -178,14 +179,12 @@ the SQL query was built from the separate parameters:
 \fBadditional_conditions\fR. The mapping from the old parameters
 to the equivalent query is:
-.ti +4
+.nf
    SELECT [\fBselect_field\fR]
 .ti +4
    FROM [\fBtable\fR]
 .ti +4
    WHERE [\fBwhere_field\fR] = '%s'
 .ti +10
          [\fBadditional_conditions\fR]
 .fi
 The '%s' in the \fBWHERE\fR clause expands to the escaped search string.
 With Postfix 2.2 these legacy parameters are used if the \fBquery\fR
@@ -241,8 +240,9 @@ keys with a *non-empty* localpart and a matching domain
 are eligible for lookup: 'user' lookups, bare domain lookups
 and "@domain" lookups are not performed. This can significantly
 reduce the query load on the MySQL server.
-.ti +4
+.nf
    domain = postfix.org, hash:/etc/postfix/searchdomains
 .fi
 It is best not to use SQL to store the domains eligible
 for SQL lookups.
@@ -262,14 +262,12 @@ values.
 The following parameters can be used to fill in a
 SELECT template statement of the form:
-.ti +4
+.nf
    SELECT [\fBselect_field\fR]
 .ti +4
    FROM [\fBtable\fR]
 .ti +4
    WHERE [\fBwhere_field\fR] = '%s'
 .ti +10
          [\fBadditional_conditions\fR]
 .fi
 The specifier %s is replaced by the search string, and is
 escaped so if it contains single quotes or other odd characters,
@@ -282,20 +280,24 @@ are ignored. Please migrate to the new interface as the legacy
 interface may be removed in a future release.
 .IP "\fBselect_field\fR"
 The SQL "select" parameter. Example:
-.ti +4
+.nf
    \fBselect_field\fR = forw_addr
 .fi
 .IP "\fBtable\fR"
 The SQL "select .. from" table name. Example:
-.ti +4
+.nf
    \fBtable\fR = mxaliases
 .fi
 .IP "\fBwhere_field\fR
 The SQL "select .. where" parameter. Example:
-.ti +4
+.nf
    \fBwhere_field\fR = alias
 .fi
 .IP "\fBadditional_conditions\fR
 Additional conditions to the SQL query. Example:
-.ti +4
+.nf
    \fBadditional_conditions\fR = AND status = 'paid'
 .fi
 .SH "SEE ALSO"
 .na
 .nf
--- a/postfix/man/man5/nisplus_table.5
+++ b/postfix/man/man5/nisplus_table.5
@@ -32,8 +32,9 @@ command as described in the SYNOPSIS above.
 Most of the NIS+ query is specified via the NIS+ map name. The
 general format of a Postfix NIS+ map name is as follows:
-.ti +4
+.fi
    \fBnisplus:[\fIname\fB=%s];\fIname.name.name\fB.:\fIcolumn\fR
 .fi
 Postfix NIS+ map names differ from what one normally
 would use with commands such as \fBniscat\fR:
@@ -54,13 +55,13 @@ no ":\fIcolumn\fR" is specified the first column (1) is used.
 .SH "EXAMPLE"
 .na
 .nf
 .ad
 .fi
 A NIS+ aliases map might be queried as follows:
-.ti +4
+.nf
    alias_maps = dbm:/etc/mail/aliases,
 .ti +2
        nisplus:[alias=%s];mail_aliases.org_dir.$mydomain.:1
 .ad
 .fi
 This queries the local aliases file before the NIS+ file.
--- a/postfix/man/man5/pcre_table.5
+++ b/postfix/man/man5/pcre_table.5
@@ -15,8 +15,8 @@ format of Postfix PCRE tables
 .ad
 .fi
 The Postfix mail system uses optional tables for address
-rewriting or mail routing. These tables are usually in
+rewriting, mail routing, or access control. These tables
-\fBdbm\fR or \fBdb\fR format.
+are usually in \fBdbm\fR or \fBdb\fR format.
 Alternatively, lookup tables can be specified in Perl Compatible
 Regular Expression form. In this case, each input is compared
--- a/postfix/man/man5/pgsql_table.5
+++ b/postfix/man/man5/pgsql_table.5
@@ -21,8 +21,9 @@ rewriting or mail routing. These tables are usually in
 Alternatively, lookup tables can be specified as PostgreSQL
 databases.  In order to use PostgreSQL lookups, define a
 PostgreSQL source as a lookup table in main.cf, for example:
-.ti +4
+.nf
    alias_maps = pgsql:/etc/pgsql-aliases.cf
 .fi
 The file /etc/postfix/pgsql-aliases.cf has the same format as
 the Postfix main.cf file, and can specify the parameters
@@ -60,19 +61,18 @@ phased out, \fBselect_function\fR, \fBselect_field\fR, \fBtable\fR,
 \fBwhere_field\fR and \fBadditional_conditions\fR parameters. To
 migrate to the new interface set:
-.ti +4
+.nf
    \fBquery\fR = SELECT \fIselect_function\fR('%s')
 .fi
 or in the absence of \fBselection_function\fR, the lower precedence:
-.ti +4
+.nf
    \fBquery\fR = SELECT \fIselect_field\fR
 .ti +8
        FROM \fItable\fR
 .ti +8
        WHERE \fIwhere_field\fR = '%s'
 .ti +12
            \fIadditional_conditions\fR
 .fi
 Use the value, not the name, of each legacy parameter. Note
 that the \fBadditional_conditions\fR parameter is optional
@@ -106,10 +106,10 @@ return the key itself or a constant value.
 The hosts that Postfix will try to connect to and query from.
 Specify \fIunix:\fR for UNIX-domain sockets, \fIinet:\fR for TCP
 connections (default).  Example:
-.ti +4
+.nf
    hosts = host1.some.domain host2.some.domain
 .ti +4
    hosts = unix:/file/name
 .fi
 The hosts are tried in random order, with all connections over
 UNIX domain sockets being tried before those over TCP.  The
@@ -124,21 +124,22 @@ connection otherwise.
 .IP "\fBuser, password\fR"
 The user name and password to log into the pgsql server.
 Example:
-.in +4
+.nf
    user = someone
 .br
    password = some_password
-.in -4
+.fi
 .IP "\fBdbname\fR"
 The database name on the servers. Example:
-.ti +4
+.nf
    dbname = customer_database
 .fi
 .IP "\fBquery\fR"
 The SQL query template used to search the database, where \fB%s\fR
 is a substitute for the address Postfix is trying to resolve,
 e.g.
-.ti +4
+.nf
    query = SELECT replacement FROM aliases WHERE mailbox = '%s'
 .fi
 This parameter supports the following '%' expansions:
 .RS
@@ -242,8 +243,9 @@ keys with a *non-empty* localpart and a matching domain
 are eligible for lookup: 'user' lookups, bare domain lookups
 and "@domain" lookups are not performed. This can significantly
 reduce the query load on the PostgreSQL server.
-.ti +4
+.nf
    domain = postfix.org, hash:/etc/postfix/searchdomains
 .fi
 It is best not to use SQL to store the domains eligible
 for SQL lookups.
@@ -263,12 +265,14 @@ values.
 Pre-Postfix 2.2 legacy interfaces:
 .IP "\fBselect_function\fR"
 This parameter specifies a database function name. Example:
-.ti +4
+.nf
    select_function = my_lookup_user_alias
 .fi
 This is equivalent to:
-.ti +4
+.nf
    query = SELECT my_lookup_user_alias('%s')
 .fi
 This parameter overrides the legacy table-related fields (described
 below). With Postfix versions prior to 2.2, it also overrides the
@@ -281,14 +285,12 @@ The following parameters (with lower precedence than the
 \fBselect_function\fR interface described above) can be used to
 build the SQL select statement as follows:
-.ti +4
+.nf
    SELECT [\fBselect_field\fR]
 .ti +4
    FROM [\fBtable\fR]
 .ti +4
    WHERE [\fBwhere_field\fR] = '%s'
 .ti +10
          [\fBadditional_conditions\fR]
 .fi
 The specifier %s is replaced with each lookup by the lookup key
 and is escaped so if it contains single quotes or other odd
@@ -302,20 +304,24 @@ are defined, these parameters are ignored. Please migrate to the new
 \fBquery\fR interface as this interface is slated to be phased out.
 .IP "\fBselect_field\fR"
 The SQL "select" parameter. Example:
-.ti +4
+.nf
    \fBselect_field\fR = forw_addr
 .fi
 .IP "\fBtable\fR"
 The SQL "select .. from" table name. Example:
-.ti +4
+.nf
    \fBtable\fR = mxaliases
 .fi
 .IP "\fBwhere_field\fR
 The SQL "select .. where" parameter. Example:
-.ti +4
+.nf
    \fBwhere_field\fR = alias
 .fi
 .IP "\fBadditional_conditions\fR
 Additional conditions to the SQL query. Example:
-.ti +4
+.nf
    \fBadditional_conditions\fR = AND status = 'paid'
 .fi
 .SH "SEE ALSO"
 .na
 .nf
--- a/postfix/man/man5/regexp_table.5
+++ b/postfix/man/man5/regexp_table.5
@@ -15,8 +15,8 @@ format of Postfix regular expression tables
 .ad
 .fi
 The Postfix mail system uses optional tables for address
-rewriting or mail routing. These tables are usually in
+rewriting, mail routing, or access control. These tables
-\fBdbm\fR or \fBdb\fR format.
+are usually in \fBdbm\fR or \fBdb\fR format.
 Alternatively, lookup tables can be specified in POSIX regular
 expression form. In this case, each input is compared against a
--- a/postfix/man/man5/relocated.5
+++ b/postfix/man/man5/relocated.5
@@ -49,9 +49,11 @@ lookup fields can match both upper and lower case.
 The input format for the \fBpostmap\fR(1) command is as follows:
 .IP \(bu
 An entry has one of the following form:
-.ti +5
+
 .nf
     \fIpattern      new_location\fR
-.br
+.fi
 Where \fInew_location\fR specifies contact information such as
 an email address, or perhaps a street address or telephone number.
 .IP \(bu
--- a/postfix/man/man5/transport.5
+++ b/postfix/man/man5/transport.5
@@ -17,7 +17,10 @@ Postfix transport table format
 .ad
 .fi
 The optional \fBtransport\fR(5) table specifies a mapping from email
-addresses to message delivery transports and next-hop hosts. The
+addresses to message delivery transports and next-hop destinations.
 Message delivery transports such as \fBlocal\fR or \fBsmtp\fR
 are defined in the \fBmaster.cf\fR file, and next-hop
 destinations are typically hosts or domain names. The
 table is searched by the \fBtrivial-rewrite\fR(8) daemon.
 This mapping overrides the default \fItransport\fR:\fInexthop\fR
@@ -165,20 +168,19 @@ internal destinations (do not change the delivery transport or
 the nexthop information) and specify a wildcard for all other
 destinations.
-.ti +5
+.nf
     \fB\&my.domain    :\fR
 .ti +5
     \fB\&.my.domain   :\fR
 .ti +5
     \fB*            smtp:outbound-relay.my.domain\fR
 .fi
 In order to send mail for \fBexample.com\fR and its subdomains
 via the \fBuucp\fR transport to the UUCP host named \fBexample\fR:
-.ti +5
+.nf
     \fBexample.com      uucp:example\fR
 .ti +5
     \fB\&.example.com     uucp:example\fR
 .fi
 When no nexthop host name is specified, the destination domain
 name is used instead. For example, the following directs mail for
@@ -186,18 +188,19 @@ name is used instead. For example, the following directs mail for
 exchanger for \fBexample.com\fR.  The \fBslow\fR transport could be
 configured to run at most one delivery process at a time:
-.ti +5
+.nf
     \fBexample.com      slow:\fR
 .fi
 When no transport is specified, Postfix uses the transport that
 matches the address domain class (see DESCRIPTION
 above).  The following sends all mail for \fBexample.com\fR and its
 subdomains to host \fBgateway.example.com\fR:
-.ti +5
+.nf
     \fBexample.com      :[gateway.example.com]\fR
 .ti +5
     \fB\&.example.com     :[gateway.example.com]\fR
 .fi
 In the above example, the [] suppress MX lookups.
 This prevents mail routing loops when your machine is primary MX
@@ -206,8 +209,9 @@ host for \fBexample.com\fR.
 In the case of delivery via SMTP, one may specify
 \fIhostname\fR:\fIservice\fR instead of just a host:
-.ti +5
+.nf
     \fBexample.com      smtp:bar.example:2025\fR
 .fi
 This directs mail for \fIuser\fR@\fBexample.com\fR to host \fBbar.example\fR
 port \fB2025\fR. Instead of a numerical port a symbolic name may be
@@ -215,8 +219,9 @@ used. Specify [] around the hostname if MX lookups must be disabled.
 The error mailer can be used to bounce mail:
-.ti +5
+.nf
     \fB\&.example.com     error:mail for *.example.com is not deliverable\fR
 .fi
 This causes all mail for \fIuser\fR@\fIanything\fB.example.com\fR
 to be bounced.
@@ -238,9 +243,10 @@ nor is \fIuser+foo@domain\fR looked up as \fIuser@domain\fR.
 Patterns are applied in the order as specified in the table, until a
 pattern is found that matches the search string.
-Results are the same as with indexed file lookups, with
+The \fBtrivial-rewrite\fR(8) server disallows regular
-the additional feature that parenthesized substrings from the
+expression substitution of $1 etc. in regular expression
-pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
+lookup tables, because that could open a security hole
 (Postfix version 2.3 and later).
 .SH "TCP-BASED TABLES"
 .na
 .nf
--- a/postfix/man/man5/virtual.5
+++ b/postfix/man/man5/virtual.5
@@ -108,8 +108,9 @@ Note: @\fIdomain\fR is a wild-card. With this form, the
 Postfix SMTP server accepts
 mail for any recipient in \fIdomain\fR, regardless of whether
 that recipient exists.  This may turn your mail system into
-a backscatter source that returns undeliverable spam to
+a backscatter source: Postfix first accepts mail for
-innocent people.
+non-existent recipients and then tries to return that mail
 as "undeliverable" to the often forged sender address.
 .SH "RESULT ADDRESS REWRITING"
 .na
 .nf
@@ -162,25 +163,21 @@ visible in a virtual alias domain. In particular, local
 Support for a virtual alias domain looks like:
 .nf
 /etc/postfix/main.cf:
 .in +4
    virtual_alias_maps = hash:/etc/postfix/virtual
 .fi
 Note: some systems use \fBdbm\fR databases instead of \fBhash\fR.
 See the output from "\fBpostconf -m\fR" for available database types.
 .ti -4
 /etc/postfix/virtual:
 .nf
-.na
+/etc/postfix/virtual:
    \fIvirtual-alias.domain     anything\fR (right-hand content does not matter)
    \fIpostmaster@virtual-alias.domain  postmaster\fR
    \fIuser1@virtual-alias.domain       address1\fR
    \fIuser2@virtual-alias.domain       address2, address3\fR
 .fi
 .in -4
 .ad
 .fi
 .sp
 The \fIvirtual-alias.domain anything\fR entry is required for a
 virtual alias domain. \fBWithout this entry, mail is rejected
--- a/postfix/man/man8/anvil.8
+++ b/postfix/man/man8/anvil.8
@@ -31,39 +31,36 @@ not care.
 .fi
 To register a new connection send the following request to
 the \fBanvil\fR(8) server:
-.PP
+
-.in +4
+.nf
    \fBrequest=connect\fR
 .br
    \fBident=\fIstring\fR
-.in
+.fi
-.PP
+
 The \fBanvil\fR(8) server answers with the number of
 simultaneous connections and the number of connections per
 unit time for the (service, client) combination specified
 with \fBident\fR:
-.PP
+
-.in +4
+.nf
    \fBstatus=0\fR
 .br
    \fBcount=\fInumber\fR
 .br
    \fBrate=\fInumber\fR
-.in
+.fi
-.PP
+
 To register a disconnect event send the following request
 to the \fBanvil\fR(8) server:
-.PP
+
-.in +4
+.nf
    \fBrequest=disconnect\fR
 .br
    \fBident=\fIstring\fR
-.in
+.fi
-.PP
+
 The \fBanvil\fR(8) server replies with:
-.PP
+
-.ti +4
+.nf
    \fBstatus=0\fR
 .fi
 .SH "MESSAGE RATE CONTROL"
 .na
 .nf
@@ -71,22 +68,20 @@ The \fBanvil\fR(8) server replies with:
 .fi
 To register a message delivery request send the following
 request to the \fBanvil\fR(8) server:
-.PP
+
-.in +4
+.nf
    \fBrequest=message\fR
 .br
    \fBident=\fIstring\fR
-.in
+.fi
-.PP
+
 The \fBanvil\fR(8) server answers with the number of message
 delivery requests per unit time for the (service, client)
 combination specified with \fBident\fR:
-.PP
+
-.in +4
+.nf
    \fBstatus=0\fR
 .br
    \fBrate=\fInumber\fR
-.in
+.fi
 .SH "RECIPIENT RATE CONTROL"
 .na
 .nf
@@ -94,22 +89,20 @@ combination specified with \fBident\fR:
 .fi
 To register a recipient request send the following request
 to the \fBanvil\fR(8) server:
-.PP
+
-.in +4
+.nf
    \fBrequest=recipient\fR
 .br
    \fBident=\fIstring\fR
-.in
+.fi
-.PP
+
 The \fBanvil\fR(8) server answers with the number of recipient
 addresses per unit time for the (service, client) combination
 specified with \fBident\fR:
-.PP
+
-.in +4
+.nf
    \fBstatus=0\fR
 .br
    \fBrate=\fInumber\fR
-.in
+.fi
 .SH "TLS SESSION NEGOTIATION RATE CONTROL"
 .na
 .nf
@@ -120,41 +113,37 @@ Postfix 2.3 and later.
 To register a request for a new (i.e. not cached) TLS session
 send the following request to the \fBanvil\fR(8) server:
-.PP
+
-.in +4
+.nf
    \fBrequest=newtls\fR
 .br
    \fBident=\fIstring\fR
-.in
+.fi
-.PP
+
 The \fBanvil\fR(8) server answers with the number of new
 TLS session requests per unit time for the (service, client)
 combination specified with \fBident\fR:
-.PP
+
-.in +4
+.nf
    \fBstatus=0\fR
 .br
    \fBrate=\fInumber\fR
-.in
+.fi
-.PP
+
 To retrieve new TLS session request rate information without
 updating the counter information, send:
-.PP
+
-.in +4
+.nf
    \fBrequest=newtls_report\fR
 .br
    \fBident=\fIstring\fR
-.in
+.fi
-.PP
+
 The \fBanvil\fR(8) server answers with the number of new
 TLS session requests per unit time for the (service, client)
 combination specified with \fBident\fR:
-.PP
+
-.in +4
+.nf
    \fBstatus=0\fR
 .br
    \fBrate=\fInumber\fR
-.in
+.fi
 .SH "SECURITY"
 .na
 .nf
--- a/postfix/man/man8/pipe.8
+++ b/postfix/man/man8/pipe.8
@@ -37,9 +37,10 @@ or fax machines.
 To prevent Postfix from sending multiple recipients per delivery
 request, specify
-
+.sp
-.ti +4
+.nf
    \fItransport\fB_destination_recipient_limit = 1\fR
 .fi
 in the Postfix \fBmain.cf\fR file, where \fItransport\fR
 is the name in the first column of the Postfix \fBmaster.cf\fR
@@ -145,17 +146,19 @@ Postfix. The empty sender address is not affected by the
 Caution: a null sender address is easily mis-parsed by
 naive software. For example, when the \fBpipe\fR(8) daemon
 executes a command such as:
-
+.sp
-.ti +4
+.nf
    command -f$sender -- $recipient (\fIbad\fR)
-
+.fi
 .IP
 the command will mis-parse the -f option value when the
 sender address is a null string.  For correct parsing,
 specify \fB$sender\fR as an argument by itself:
-
+.sp
-.ti +4
+.nf
    command -f $sender -- $recipient (\fIgood\fR)
-
+.fi
 .IP
 This feature is available with Postfix 2.3 and later.
 .IP "\fBsize\fR=\fIsize_limit\fR (optional)"
 Messages greater in size than this limit (in bytes) will
--- a/postfix/man/man8/proxymap.8
+++ b/postfix/man/man8/proxymap.8
@@ -22,18 +22,20 @@ reject mail for non-existent local addresses, but it is not
 practical to maintain a copy of the passwd file in the chroot
 jail.  The solution:
 .sp
 .nf
 local_recipient_maps =
 .ti +4
    proxy:unix:passwd.byname $alias_maps
 .fi
 .IP \(bu
 To consolidate the number of open lookup tables by sharing
 one open table among multiple processes. For example, making
 mysql connections from every Postfix daemon process results
 in "too many connections" errors. The solution:
 .sp
 .nf
 virtual_alias_maps =
 .ti +4
    proxy:mysql:/etc/postfix/virtual_alias.cf
 .fi
 .sp
 The total number of connections is limited by the number of
 proxymap server processes.
--- a/postfix/man/man8/virtual.8
+++ b/postfix/man/man8/virtual.8
@@ -34,8 +34,9 @@ address as described under TABLE SEARCH ORDER below.
 The mailbox pathname is constructed as follows:
-.ti +2
+.nf
  \fB$virtual_mailbox_base/$virtual_mailbox_maps(\fIrecipient\fB)\fR
 .fi
 where \fIrecipient\fR is the full recipient address.
 .SH "UNIX MAILBOX FORMAT"
--- a/postfix/mantools/manspell
+++ b/postfix/mantools/manspell
@@ -3,5 +3,5 @@
 for file
 do
    echo ==== $file ====
-    deroff $file | spell
+    deroff $file | spell | fgrep -vf proto/stop
-done | fgrep -vf proto/stop
+done
--- a/postfix/proto/BACKSCATTER_README.html
+++ b/postfix/proto/BACKSCATTER_README.html
@@ -21,7 +21,10 @@ Backscatter Howto</h1>
 <h2>Overview </h2>
 This document describes features that require Postfix version 2.0
-or later.
+or later.  The examples use Perl Compatible Regular Expressions
 (Postfix pcre: tables), but also provide a translation to POSIX
 regular expressions (Postfix regexp: tables). PCRE is preferred
 primarily because the implementation is often faster.</p>
 <p> Topics covered in this document: </p>
@@ -174,8 +177,8 @@ patterns like this: </p>
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    header_checks = regexp:/etc/postfix/header_checks
+    header_checks = pcre:/etc/postfix/header_checks
-    body_checks = regexp:/etc/postfix/body_checks
+    body_checks = pcre:/etc/postfix/body_checks
 /etc/postfix/header_checks:
    if /^Received:/
@@ -183,7 +186,7 @@ patterns like this: </p>
        reject forged client name in Received: header: $1
    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
-    /^Received:.* +by +(porcupine\.org)[[:&gt;:]]/
+    /^Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
    /^Message-ID:.* &lt;!&amp;!/ DUNNO
@@ -196,7 +199,7 @@ patterns like this: </p>
        reject forged client name in Received: header: $1
    /^[&gt; ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
-    /^[&gt; ]*Received:.* +by +(porcupine\.org)[[:&gt;:]]/
+    /^[&gt; ]*Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
    /^[&gt; ]*Message-ID:.* &lt;!&amp;!/ DUNNO
@@ -209,6 +212,9 @@ patterns like this: </p>
 <ul>
 <li> <p> The example uses pcre: tables mainly for speed; with minor
 modifications, you can use regexp: tables as explained below. </p>
 <li> <p> The example is simplified for educational purposes.  In
 reality my patterns list multiple domain names, as
 "<tt>(domain|domain|...)</tt>".  </p>
@@ -220,9 +226,10 @@ the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
 and "<tt>)</tt>" literally. Without the "<tt>\</tt>", the "<tt>(</tt>"
 and "<tt>)</tt>" would be grouping operators.  </p>
-<li> <p> The "<tt>[[:&gt;:]]</tt>" matches the end of a word. On
+<li> <p> The "<tt>\b</tt>" is used here to match the end of a word.
-some systems you should specify "<tt>\&gt;</tt>" instead. For details
+If you use regexp: tables, specify "<tt>[[:&gt;:]]</tt>" (on some
-see your system documentation. </p>
+systems you should specify "<tt>\&gt;</tt>" instead; for details
 see your system documentation).
 <li> <p> The "if /pattern/" and "endif" eliminate unnecessary
 matching attempts. DO NOT indent lines starting with /pattern/
@@ -311,15 +318,15 @@ and is very easy to stop.
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    header_checks = regexp:/etc/postfix/header_checks
+    header_checks = pcre:/etc/postfix/header_checks
-    body_checks = regexp:/etc/postfix/body_checks
+    body_checks = pcre:/etc/postfix/body_checks
 /etc/postfix/header_checks:
-    /^(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/ 
+    /^(From|Return-Path):.*\b(user@domain\.tld)\b/ 
        reject forged sender address in $1: header: $2
 /etc/postfix/body_checks:
-    /^[&gt; ]*(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/ 
+    /^[&gt; ]*(From|Return-Path):.*\b(user@domain\.tld)\b/ 
        reject forged sender address in $1: header: $2
 </pre>
 </blockquote>
@@ -328,14 +335,18 @@ and is very easy to stop.
 <ul>
 <li> <p> The example uses pcre: tables mainly for speed; with minor
 modifications, you can use regexp: tables as explained below. </p>
 <li> <p> The example is simplified for educational purposes.  In
 reality, my patterns list multiple email addresses as
 "<tt>(user1@domain1\.tld|user2@domain2\.tld)</tt>".  </p>
-<li> <p> The "<tt>[[:&lt;:]]</tt>" and "<tt>[[:&gt;:]]</tt>" match
+<li> <p> The two "<tt>\b</tt>" as used in "<tt>\b(user@domain\.tld)\b</tt>"
-the beginning and end of a word, respectively. On some systems you
+match the beginning and end of a word, respectively.  If you use
-should specify "<tt>\&lt;</tt>" and "<tt>\&gt;</tt>" instead. For
+regexp: tables, specify "<tt>[[:&lt;:]]</tt> and <tt>[[:&gt;:]]</tt>"
-details see your system documentation. </p>
+(on some systems you should specify "<tt>\&lt;</tt> and <tt>\&gt;</tt>"
 instead; for details see your system documentation).  </p>
 <li> <p> The "<tt>\.</tt>" matches "<tt>.</tt>" literally. Without
 the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
--- a/postfix/proto/INSTALL.html
+++ b/postfix/proto/INSTALL.html
@@ -149,6 +149,7 @@ Linux Debian 1.3.1, 2.x, 3.x <br>
 Linux RedHat 3.x (January 2004) - 9.x <br>
 Linux Slackware 3.x, 4.x, 7.x <br>
 Linux SuSE 5.x, 6.x, 7.x <br>
 Linux Ubuntu 4.10..7.04<br>
 Mac OS X <br>
 NEXTSTEP 3.x <br>
 NetBSD 1.x <br>
--- a/postfix/proto/MILTER_README.html
+++ b/postfix/proto/MILTER_README.html
@@ -708,9 +708,6 @@ text below: </p>
 <li> <p> This was tested with sid-milter-0.2.10 and sid-milter-0.2.14. </p>
 <li> <p> This fixes only the ugly message header, but not the WARNING
 message.  Fortunately, sid-milter logs that message only once. </p>
 </ul>
 <p> To fix the ugly message header with other Milter applications,
--- a/postfix/proto/OVERVIEW.html
+++ b/postfix/proto/OVERVIEW.html
@@ -460,12 +460,13 @@ bgcolor="#f0f0ff"> <br> smtpd(8)<br><br> </td> <td> <tt> &lt;-&gt;
 </table>
-<li> <p> The bounce(8), defer(8) and trace(8) servers each maintain
+<li> <p> The bounce(8), defer(8) and trace(8) services each maintain
-their own queue directory trees with per-message logfiles. This
+their own queue directory trees with per-message logfiles. Postfix
-information is used to send delivery or non-delivery notifications
+uses this information when sending "failed", "delayed" or "success"
-to the sender. </p>
+delivery status notifications to the sender. </p>
-<p> The trace(8) service implements support for the Postfix "sendmail
+<p> The trace(8) service also implements support for the Postfix
 "sendmail
 -bv" and "sendmail -v" commands which produce reports about how
 Postfix delivers mail, and is available with Postfix version 2.1
 and later. See <a href="DEBUG_README.html#trace_mail"> DEBUG_README
--- a/postfix/proto/access
+++ b/postfix/proto/access
@@ -362,20 +362,17 @@
 #	"\fBpostconf -m\fR" to find out what lookup tables Postfix
 #	supports on your system.
 #
 # .na
 # .nf
 # .na
 #	/etc/postfix/main.cf:
 # .in +4
 #	    smtpd_client_restrictions = 
 # .in +4
 #	        check_client_access hash:/etc/postfix/access
 #
 # .in -8
 #	/etc/postfix/access:
 # .in +4
 #	    1.2.3   REJECT
 #	    1.2.3.4 OK
-# .in -4
+# .fi
 # .ad
 #
 #	Execute the command "\fBpostmap /etc/postfix/access\fR" after
 #	editing the file.
--- a/postfix/proto/aliases
+++ b/postfix/proto/aliases
@@ -31,8 +31,9 @@
 # .IP \(bu
 #	An alias definition has the form
 # .sp
-# .ti +5
+# .nf
 #	     \fIname\fR: \fIvalue1\fR, \fIvalue2\fR, \fI...\fR
 # .fi
 # .IP \(bu
 #	Empty lines and whitespace-only lines are ignored, as
 #	are lines whose first non-whitespace character is a `#'.
--- a/postfix/proto/bounce
+++ b/postfix/proto/bounce
@@ -32,8 +32,9 @@
 #	To preview the results of $\fIname\fR expansions in the
 #       template text, use the command
 #
-# .ti +4
+# .nf
 #	    \fBpostconf -b\fR \fItemporary_file\fR
 # .fi
 #
 #	Errors in the template will be reported to the standard
 #	error stream and to the syslog daemon.
@@ -46,9 +47,10 @@
 #	Postfix configuration directory and specify in main.cf
 #	something like:
 #
 # .nf
 #	/etc/postfix/main.cf:
 # .ti +4
 #	    bounce_template_file = /etc/postfix/bounce.cf
 # .fi
 # TEMPLATE FILE FORMAT
 # .ad
 # .fi
@@ -66,9 +68,7 @@
 #	it in quotes as with the shell or with Perl (\fItemplate_name\fB
 #	= <<'EOF'\fR). Here is an example:
 #
 # .in +4
 # .nf
 # .na
 #	    # The failure template is used for undeliverable mail.
 #
 #	    failure_template = <<EOF
@@ -87,11 +87,8 @@
 #	    If you do so, please include this problem report. You can
 #	    delete your own text from the attached returned message.
 #
 # .ti +12
 #	                       The mail system
 #	    EOF
 # .in -4
 # .ad
 # .fi
 # .PP
 #	The usage and specification of bounce templates is
--- a/postfix/proto/canonical
+++ b/postfix/proto/canonical
@@ -101,8 +101,9 @@
 #	to recipient addresses, the Postfix SMTP server accepts
 #	mail for any recipient in \fIdomain\fR, regardless of whether
 #	that recipient exists.  This may turn your mail system into
-#	a backscatter source that returns undeliverable spam to
+#	a backscatter source: Postfix first accepts mail for
-#	innocent people.
+#	non-existent recipients and then tries to return that mail
 #	as "undeliverable" to the often forged sender address.
 # RESULT ADDRESS REWRITING
 # .ad
 # .fi
--- a/postfix/proto/cidr_table
+++ b/postfix/proto/cidr_table
@@ -58,17 +58,16 @@
 #	Patterns are applied in the order as specified in the table, until a
 #	pattern is found that matches the search string.
 # EXAMPLE SMTPD ACCESS MAP
 # .nf
 #	/etc/postfix/main.cf:
 # .ti +4
 #	    smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ...
 #
 #	/etc/postfix/client.cidr:
 # .in +4
 #	    # Rule order matters. Put more specific whitelist entries
 #	    # before more general blacklist entries.
 #	    192.168.1.1             OK
 #	    192.168.0.0/16          REJECT
-# .in -4
+# .fi
 # SEE ALSO
 #	postmap(1), Postfix lookup table manager
 #	regexp_table(5), format of regular expression tables
--- a/postfix/proto/generic
+++ b/postfix/proto/generic
@@ -152,16 +152,12 @@
 # .na
 # .nf
 #	/etc/postfix/main.cf:
 # .in +4
 #	    smtp_generic_maps = hash:/etc/postfix/generic
 # .in -4
 #
 #	/etc/postfix/generic:
 # .in +4
 #	    his@localdomain.local   hisaccount@hisisp.example
 #	    her@localdomain.local   heraccount@herisp.example
 #	    @localdomain.local      hisaccount+local@hisisp.example
 # .in -4
 #
 # .ad
 # .fi
--- a/postfix/proto/header_checks
+++ b/postfix/proto/header_checks
@@ -4,17 +4,15 @@
 # SUMMARY
 #	Postfix built-in content inspection
 # SYNOPSIS
 # .nf
 #	\fBheader_checks = pcre:/etc/postfix/header_checks\fR
 # .br
 #	\fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR
 # .br
 #	\fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR
 # .br
 #	\fBbody_checks = pcre:/etc/postfix/body_checks\fR
 # .sp
 #	\fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
 # .br
 #	\fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
 # .fi
 # DESCRIPTION
 #	This document describes access control on the content of
 #	message headers and message body lines; it is implemented
@@ -60,6 +58,13 @@
 #	Note: message headers are examined one logical header at a time,
 #	even when a message header spans multiple lines. Body lines are
 #	always examined one line at a time.
 # COMPATIBILITY
 # .ad
 # .fi
 #       With Postfix version 2.2 and earlier specify "\fBpostmap
 #       -fq\fR" to query a table that contains case sensitive
 #       patterns. By default, regexp: and pcre: patterns are case
 #       insensitive.
 # TABLE FORMAT
 # .ad
 # .fi
@@ -284,7 +289,7 @@
 #	to the next line.
 # .IP \(bu
 #	If text in the message body is encoded
-#	(RFC 2045) then the rules have to specified for the encoded
+#	(RFC 2045) then the rules need to be specified for the encoded
 #	form.
 # .IP \(bu
 #	Likewise, when message headers are encoded (RFC
@@ -337,13 +342,10 @@
 # .na
 # .nf
 #	/etc/postfix/main.cf:
 # .ti +4
 #	    header_checks = regexp:/etc/postfix/header_checks
 #
 #	/etc/postfix/header_checks:
 # .ti +4
 #	    /^content-(type|disposition):.*name[[:space:]]*=.*\\.(exe|vbs)/
 # .ti +8
 #	        REJECT Bad attachment file name extension: $2
 #
 # .ad
@@ -353,13 +355,10 @@
 # .na
 # .nf
 #	/etc/postfix/main.cf:
 # .ti +4
 #	    body_checks = regexp:/etc/postfix/body_checks
 #
 #	/etc/postfix/body_checks:
 # .ti +4
 #	    /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
 # .ti +8
 #	        REJECT IFRAME vulnerability exploit
 # SEE ALSO
 #	cleanup(8), canonicalize and enqueue Postfix message
--- a/postfix/proto/ldap_table
+++ b/postfix/proto/ldap_table
@@ -17,8 +17,9 @@
 #	In order to use LDAP lookups, define an LDAP source as a lookup
 #	table in main.cf, for example:
 #
-# .ti +4
+# .nf
 #	    alias_maps = ldap:/etc/postfix/ldap-aliases.cf
 # .fi
 #
 #	The file /etc/postfix/ldap-aliases.cf has the same format as
 #	the Postfix main.cf file, and can specify the parameters
@@ -79,19 +80,17 @@
 #
 #	For example, NEVER do this in a map defining $mydestination:
 #
-# .in +4
+# .nf
 #	    query_filter = domain=* 
 # .br
 #	    result_attribute = domain
-# .in -4
+# .fi
 #
 #	Do this instead:
 #
-# .in +4
+# .nf
 #	    query_filter = domain=%s 
 # .br
 #	    result_attribute = domain
-# .in -4
+# .fi
 # GENERAL LDAP PARAMETERS
 # .ad
 # .fi
@@ -102,8 +101,9 @@
 # .IP "\fBserver_host (default: localhost)\fR"
 #	The name of the host running the LDAP server, e.g.
 #
-# .ti +4
+# .nf
 #	    server_host = ldap.example.com
 # .fi
 #
 #	Depending on the LDAP client library you're using, it should
 #	be possible to specify multiple servers here, with the library
@@ -111,41 +111,45 @@
 #	be possible to give each server in the list a different port
 #	(overriding \fBserver_port\fR below), by naming them like
 #
-# .ti +4
+# .nf
 #	    server_host = ldap.example.com:1444
 # .fi
 #
 #	With OpenLDAP, a (list of) LDAP URLs can be used to specify both
 #	the hostname(s) and the port(s):
 #
-# .ti +4
+# .nf
 #	    server_host = ldap://ldap.example.com:1444
 # .ti +8
 #	                ldap://ldap2.example.com:1444
 # .fi
 #
 #	All LDAP URLs accepted by the OpenLDAP library are supported,
 #	including connections over UNIX domain sockets, and LDAP SSL
 #	(the last one provided that OpenLDAP was compiled with support
 #	for SSL):
 #
-# .ti +4
+# .nf
 #	    server_host = ldapi://%2Fsome%2Fpath
 # .ti +8
 #	                ldaps://ldap.example.com:636
 # .fi
 # .IP "\fBserver_port (default: 389)\fR"
 #	The port the LDAP server listens on, e.g.
 #
-# .ti +4
+# .nf
 #	    server_port = 778
 # .fi
 # .IP "\fBtimeout (default: 10 seconds)\fR"
 #	The number of seconds a search can take before timing out, e.g.
 #
-# .ti +4
+# .fi
 #	    timeout = 5
 # .fi
 # .IP "\fBsearch_base (No default; you must configure this)\fR"
 #	The RFC2253 base DN at which to conduct the search, e.g.
 #
-# .ti +4
+# .nf
 #	    search_base = dc=your, dc=com
 # .fi
 # .IP
 #	With Postfix 2.2 and later this parameter supports the
 #	following '%' expansions:
@@ -187,8 +191,9 @@
 #	is a substitute for the address Postfix is trying to resolve,
 #	e.g.
 #
-# .ti +4
+# .nf
 #	    query_filter = (&(mail=%s)(paid_up=true))
 # .fi
 #
 #	This parameter supports the following '%' expansions:
 # .RS
@@ -297,8 +302,9 @@
 #	and "@domain" lookups are not performed. This can significantly
 #	reduce the query load on the LDAP server.
 #
-# .ti +4
+# .nf
 #	    domain = postfix.org, hash:/etc/postfix/searchdomains
 # .fi
 #
 #	It is best not to use LDAP to store the domains eligible
 #	for LDAP lookups.
@@ -311,15 +317,17 @@
 #	entries returned by the lookup, to be resolved to an email
 #	address.
 #
-# .ti +4
+# .nf
 #	    result_attribute = mailbox, maildrop
 # .fi
 # .IP "\fBspecial_result_attribute (default: empty)\fR"
 #	The attribute(s) of directory entries that can contain DNs
 #	or URLs. If found, a recursive subsequent search is done
 #	using their values.
 #
-# .ti +4
+# .nf
 #	    special_result_attribute = memberdn
 # .fi
 #
 #	DN recursion retrieves the same result_attributes as the
 #	main query, including the special attributes for further
@@ -337,8 +345,9 @@
 #	where the group is expanded, possibly via mailing-list manager or
 #	other special processing.
 #
-# .ti +4
+# .nf
 #	    terminal_result_attribute = maildrop
 # .fi
 #
 #	This feature is available with Postfix 2.4 or later.
 # .IP "\fBleaf_result_attribute (default: empty)\fR"
@@ -358,15 +367,12 @@
 #	The attributes that represent the email addresses of objects
 #	referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
 #
-# .in +4
+# .nf
 #	    result_attribute = memberaddr
 # .br
 #	    special_result_attribute = memberdn
 # .br
 #	    terminal_result_attribute = maildrop
 # .br
 #	    leaf_result_attribute = mail
-# .in -4
+# .fi
 #
 #	This feature is available with Postfix 2.4 or later.
 # .IP "\fBscope (default: sub)\fR"
@@ -378,8 +384,9 @@
 #	implementations don't require clients to bind, which saves
 #	time. Example:
 #
-# .ti +4
+# .nf
 #	    bind = no
 # .fi
 #
 #	If you do need to bind, you might consider configuring
 #	Postfix to connect to the local machine on a port that's
@@ -391,8 +398,9 @@
 # .IP "\fBbind_dn (default: empty)\fR"
 #	If you do have to bind, do it with this distinguished name. Example:
 #
-# .ti +4
+# .nf
 #	    bind_dn = uid=postfix, dc=your, dc=com
 # .fi
 # .IP "\fBbind_pw (default: empty)\fR"
 #	The password for the distinguished name above. If you have
 #	to use this, you probably want to make the map configuration
@@ -403,8 +411,9 @@
 #	to allow local accounts to submit mail via the sendmail
 #	command. Example:
 #
-# .ti +4
+# .nf
 #	    bind_pw = postfixpw
 # .fi
 # .IP "\fBcache (IGNORED with a warning)\fR"
 # .IP "\fBcache_expiry (IGNORED with a warning)\fR"
 # .IP "\fBcache_size (IGNORED with a warning)\fR"
@@ -471,19 +480,22 @@
 #	LDAP SSL service can be requested by using a LDAP SSL URL
 #	in the server_host parameter:
 #
-# .ti +4
+# .nf
 #	    server_host = ldaps://ldap.example.com:636
 # .fi
 #
 #	STARTTLS can be turned on with the start_tls parameter:
 #
-# .ti +4
+# .nf
 #	    start_tls = yes
 # .fi
 #
 #	Both forms require LDAP protocol version 3, which has to be set
 #	explicitly with:
 #
-# .ti +4
+# .nf
 #	    version = 3
 # .fi
 #
 #	If any of the Postfix programs querying the map is configured in
 #	master.cf to run chrooted, all the certificates and keys involved
@@ -534,18 +546,17 @@
 #	aliases.
 #	Assume that in main.cf, you have:
 #
-# .ti +4
+# .nf
 #	    alias_maps = hash:/etc/aliases,
 # .ti +8
 #	            ldap:/etc/postfix/ldap-aliases.cf
 # .fi
 #
 #	and in ldap:/etc/postfix/ldap-aliases.cf you have:
 #
-# .in +4
+# .nf
 #	    server_host = ldap.example.com
 # .br
 #	    search_base = dc=example, dc=com
-# .in -4
+# .fi
 #
 #	Upon receiving mail for a local address "ldapuser" that
 #	isn't found in the /etc/aliases database, Postfix will
--- a/postfix/proto/mysql_table
+++ b/postfix/proto/mysql_table
@@ -15,8 +15,9 @@
 #	Alternatively, lookup tables can be specified as MySQL databases.
 #	In order to use MySQL lookups, define a MySQL source as a lookup
 #	table in main.cf, for example:
-# .ti +4
+# .nf
 #	    alias_maps = mysql:/etc/mysql-aliases.cf
 # .fi
 #
 #	The file /etc/postfix/mysql-aliases.cf has the same format as
 #	the Postfix main.cf file, and can specify the parameters
@@ -48,14 +49,12 @@
 #	The old interface will be gradually phased out. To migrate to
 #	the new interface set:
 #
-# .ti +4
+# .nf
 #	    \fBquery\fR = SELECT [\fIselect_field\fR]
 # .ti +8
 #	        FROM [\fItable\fR]
 # .ti +8
 #	        WHERE [\fIwhere_field\fR] = '%s'
 # .ti +12
 #	            [\fIadditional_conditions\fR]
 # .fi
 #
 #	Insert the value, not the name, of each legacy parameter. Note
 #	that the \fBadditional_conditions\fR parameter is optional
@@ -85,10 +84,10 @@
 #	The hosts that Postfix will try to connect to and query from.
 #	Specify \fIunix:\fR for UNIX domain sockets, \fIinet:\fR for TCP
 #	connections (default).  Example:
-# .ti +4
+# .nf
 #	    hosts = host1.some.domain host2.some.domain
 # .ti +4
 #	    hosts = unix:/file/name
 # .fi
 #
 #	The hosts are tried in random order, with all connections over
 #	UNIX domain sockets being tried before those over TCP.	The
@@ -100,26 +99,28 @@
 #	prefix it with \fIinet:\fR), MySQL will connect to the default
 #	UNIX domain socket.  In order to instruct MySQL to connect to
 #	localhost over TCP you have to specify
-# .ti +4
+# .nf
 #	    hosts = 127.0.0.1
 # .fi
 # .IP "\fBuser, password\fR"
 #	The user name and password to log into the mysql server.
 #	Example:
-# .in +4
+# .nf
 #	    user = someone
 # .br
 #	    password = some_password
-# .in -4
+# .fi
 # .IP "\fBdbname\fR"
 #	The database name on the servers. Example:
-# .ti +4
+# .nf
 #	    dbname = customer_database
 # .fi
 # .IP "\fBquery\fR"
 #	The SQL query template used to search the database, where \fB%s\fR
 #	is a substitute for the address Postfix is trying to resolve,
 #	e.g.
-# .ti +4
+# .nf
 #	    query = SELECT replacement FROM aliases WHERE mailbox = '%s'
 # .fi
 #
 #	This parameter supports the following '%' expansions:
 # .RS
@@ -166,14 +167,12 @@
 #	\fBadditional_conditions\fR. The mapping from the old parameters
 #	to the equivalent query is:
 #
-# .ti +4
+# .nf
 #	    SELECT [\fBselect_field\fR]
 # .ti +4
 #	    FROM [\fBtable\fR]
 # .ti +4
 #	    WHERE [\fBwhere_field\fR] = '%s'
 # .ti +10
 #	          [\fBadditional_conditions\fR]
 # .fi
 #
 #	The '%s' in the \fBWHERE\fR clause expands to the escaped search string.
 #	With Postfix 2.2 these legacy parameters are used if the \fBquery\fR
@@ -229,8 +228,9 @@
 #	are eligible for lookup: 'user' lookups, bare domain lookups
 #	and "@domain" lookups are not performed. This can significantly
 #	reduce the query load on the MySQL server.
-# .ti +4
+# .nf
 #	    domain = postfix.org, hash:/etc/postfix/searchdomains
 # .fi
 #
 #	It is best not to use SQL to store the domains eligible
 #	for SQL lookups.
@@ -250,14 +250,12 @@
 #	The following parameters can be used to fill in a
 #	SELECT template statement of the form:
 #
-# .ti +4
+# .nf
 #	    SELECT [\fBselect_field\fR]
 # .ti +4
 #	    FROM [\fBtable\fR]
 # .ti +4
 #	    WHERE [\fBwhere_field\fR] = '%s'
 # .ti +10
 #	          [\fBadditional_conditions\fR]
 # .fi
 #
 #	The specifier %s is replaced by the search string, and is
 #	escaped so if it contains single quotes or other odd characters,
@@ -270,20 +268,24 @@
 #	interface may be removed in a future release.
 # .IP "\fBselect_field\fR"
 #	The SQL "select" parameter. Example:
-# .ti +4
+# .nf
 #	    \fBselect_field\fR = forw_addr
 # .fi
 # .IP "\fBtable\fR"
 #	The SQL "select .. from" table name. Example:
-# .ti +4
+# .nf
 #	    \fBtable\fR = mxaliases
 # .fi
 # .IP "\fBwhere_field\fR
 #	The SQL "select .. where" parameter. Example:
-# .ti +4
+# .nf
 #	    \fBwhere_field\fR = alias
 # .fi
 # .IP "\fBadditional_conditions\fR
 #	Additional conditions to the SQL query. Example:
-# .ti +4
+# .nf
 #	    \fBadditional_conditions\fR = AND status = 'paid'
 # .fi
 # SEE ALSO
 #	postmap(1), Postfix lookup table maintenance
 #	postconf(5), configuration parameters
--- a/postfix/proto/nisplus_table
+++ b/postfix/proto/nisplus_table
@@ -24,8 +24,9 @@
 #	Most of the NIS+ query is specified via the NIS+ map name. The
 #	general format of a Postfix NIS+ map name is as follows:
 #
-# .ti +4
+# .fi
 #	    \fBnisplus:[\fIname\fB=%s];\fIname.name.name\fB.:\fIcolumn\fR
 # .fi
 #
 #	Postfix NIS+ map names differ from what one normally
 #	would use with commands such as \fBniscat\fR:
@@ -44,13 +45,13 @@
 #	of the table column that provides the lookup result. When
 #	no ":\fIcolumn\fR" is specified the first column (1) is used.
 # EXAMPLE
 # .ad
 # .fi
 #	A NIS+ aliases map might be queried as follows:
 #
-# .ti +4
+# .nf
 #	    alias_maps = dbm:/etc/mail/aliases,
 # .ti +2
 #		nisplus:[alias=%s];mail_aliases.org_dir.$mydomain.:1
 # .ad
 # .fi
 #
 #	This queries the local aliases file before the NIS+ file.
--- a/postfix/proto/pcre_table
+++ b/postfix/proto/pcre_table
@@ -9,8 +9,8 @@
 #	\fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
 # DESCRIPTION
 #	The Postfix mail system uses optional tables for address
-#	rewriting or mail routing. These tables are usually in
+#	rewriting, mail routing, or access control. These tables
-#	\fBdbm\fR or \fBdb\fR format.
+#	are usually in \fBdbm\fR or \fBdb\fR format.
 #
 #	Alternatively, lookup tables can be specified in Perl Compatible
 #	Regular Expression form. In this case, each input is compared
--- a/postfix/proto/pgsql_table
+++ b/postfix/proto/pgsql_table
@@ -15,8 +15,9 @@
 #	Alternatively, lookup tables can be specified as PostgreSQL
 #	databases.  In order to use PostgreSQL lookups, define a
 #	PostgreSQL source as a lookup table in main.cf, for example:
-# .ti +4
+# .nf
 #	    alias_maps = pgsql:/etc/pgsql-aliases.cf
 # .fi
 #
 #	The file /etc/postfix/pgsql-aliases.cf has the same format as
 #	the Postfix main.cf file, and can specify the parameters
@@ -52,19 +53,18 @@
 #	\fBwhere_field\fR and \fBadditional_conditions\fR parameters. To
 #	migrate to the new interface set:
 #
-# .ti +4
+# .nf
 #	    \fBquery\fR = SELECT \fIselect_function\fR('%s')
 # .fi
 #
 #	or in the absence of \fBselection_function\fR, the lower precedence:
 #
-# .ti +4
+# .nf
 #	    \fBquery\fR = SELECT \fIselect_field\fR
 # .ti +8
 #	        FROM \fItable\fR
 # .ti +8
 #	        WHERE \fIwhere_field\fR = '%s'
 # .ti +12
 #	            \fIadditional_conditions\fR
 # .fi
 #
 #	Use the value, not the name, of each legacy parameter. Note
 #	that the \fBadditional_conditions\fR parameter is optional
@@ -94,10 +94,10 @@
 #	The hosts that Postfix will try to connect to and query from.
 #	Specify \fIunix:\fR for UNIX-domain sockets, \fIinet:\fR for TCP
 #	connections (default).  Example:
-# .ti +4
+# .nf
 #	    hosts = host1.some.domain host2.some.domain
 # .ti +4
 #	    hosts = unix:/file/name
 # .fi
 #
 #	The hosts are tried in random order, with all connections over
 #	UNIX domain sockets being tried before those over TCP.	The
@@ -112,21 +112,22 @@
 # .IP "\fBuser, password\fR"
 #	The user name and password to log into the pgsql server.
 #	Example:
-# .in +4
+# .nf
 #	    user = someone
 # .br
 #	    password = some_password
-# .in -4
+# .fi
 # .IP "\fBdbname\fR"
 #	The database name on the servers. Example:
-# .ti +4
+# .nf
 #	    dbname = customer_database
 # .fi
 # .IP "\fBquery\fR"
 #	The SQL query template used to search the database, where \fB%s\fR
 #	is a substitute for the address Postfix is trying to resolve,
 #	e.g.
-# .ti +4
+# .nf
 #	    query = SELECT replacement FROM aliases WHERE mailbox = '%s'
 # .fi
 #
 #	This parameter supports the following '%' expansions:
 # .RS
@@ -230,8 +231,9 @@
 #	are eligible for lookup: 'user' lookups, bare domain lookups
 #	and "@domain" lookups are not performed. This can significantly
 #	reduce the query load on the PostgreSQL server.
-# .ti +4
+# .nf
 #	    domain = postfix.org, hash:/etc/postfix/searchdomains
 # .fi
 #
 #	It is best not to use SQL to store the domains eligible
 #	for SQL lookups.
@@ -251,12 +253,14 @@
 #	Pre-Postfix 2.2 legacy interfaces:
 # .IP "\fBselect_function\fR"
 #	This parameter specifies a database function name. Example:
-# .ti +4
+# .nf
 #	    select_function = my_lookup_user_alias
 # .fi
 #
 #	This is equivalent to:
-# .ti +4
+# .nf
 #	    query = SELECT my_lookup_user_alias('%s')
 # .fi
 #
 #	This parameter overrides the legacy table-related fields (described
 #	below). With Postfix versions prior to 2.2, it also overrides the
@@ -269,14 +273,12 @@
 #	\fBselect_function\fR interface described above) can be used to
 #	build the SQL select statement as follows:
 #
-# .ti +4
+# .nf
 #	    SELECT [\fBselect_field\fR]
 # .ti +4
 #	    FROM [\fBtable\fR]
 # .ti +4
 #	    WHERE [\fBwhere_field\fR] = '%s'
 # .ti +10
 #	          [\fBadditional_conditions\fR]
 # .fi
 #
 #	The specifier %s is replaced with each lookup by the lookup key
 #	and is escaped so if it contains single quotes or other odd
@@ -290,20 +292,24 @@
 #	\fBquery\fR interface as this interface is slated to be phased out.
 # .IP "\fBselect_field\fR"
 #	The SQL "select" parameter. Example:
-# .ti +4
+# .nf
 #	    \fBselect_field\fR = forw_addr
 # .fi
 # .IP "\fBtable\fR"
 #	The SQL "select .. from" table name. Example:
-# .ti +4
+# .nf
 #	    \fBtable\fR = mxaliases
 # .fi
 # .IP "\fBwhere_field\fR
 #	The SQL "select .. where" parameter. Example:
-# .ti +4
+# .nf
 #	    \fBwhere_field\fR = alias
 # .fi
 # .IP "\fBadditional_conditions\fR
 #	Additional conditions to the SQL query. Example:
-# .ti +4
+# .nf
 #	    \fBadditional_conditions\fR = AND status = 'paid'
 # .fi
 # SEE ALSO
 #	postmap(1), Postfix lookup table manager
 #	postconf(5), configuration parameters
--- a/postfix/proto/regexp_table
+++ b/postfix/proto/regexp_table
@@ -9,8 +9,8 @@
 #	\fBpostmap -q - regexp:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
 # DESCRIPTION
 #	The Postfix mail system uses optional tables for address
-#	rewriting or mail routing. These tables are usually in
+#	rewriting, mail routing, or access control. These tables
-#	\fBdbm\fR or \fBdb\fR format.
+#	are usually in \fBdbm\fR or \fBdb\fR format.
 #
 #	Alternatively, lookup tables can be specified in POSIX regular
 #	expression form. In this case, each input is compared against a
--- a/postfix/proto/relocated
+++ b/postfix/proto/relocated
@@ -39,9 +39,11 @@
 #	The input format for the \fBpostmap\fR(1) command is as follows:
 # .IP \(bu
 #	An entry has one of the following form:
-# .ti +5
+#
 # .nf
 #	     \fIpattern      new_location\fR
-# .br
+# .fi
 #
 #	Where \fInew_location\fR specifies contact information such as
 #	an email address, or perhaps a street address or telephone number.
 # .IP \(bu
--- a/postfix/proto/transport
+++ b/postfix/proto/transport
@@ -11,7 +11,10 @@
 #	\fBpostmap -q - /etc/postfix/transport <\fIinputfile\fR
 # DESCRIPTION
 #	The optional \fBtransport\fR(5) table specifies a mapping from email
-#	addresses to message delivery transports and next-hop hosts. The
+#	addresses to message delivery transports and next-hop destinations. 
 #	Message delivery transports such as \fBlocal\fR or \fBsmtp\fR
 #	are defined in the \fBmaster.cf\fR file, and next-hop
 #	destinations are typically hosts or domain names. The
 #	table is searched by the \fBtrivial-rewrite\fR(8) daemon.
 #
 #	This mapping overrides the default \fItransport\fR:\fInexthop\fR
@@ -149,20 +152,19 @@
 #	the nexthop information) and specify a wildcard for all other
 #	destinations.
 #
-# .ti +5
+# .nf
 #	     \fB\&my.domain    :\fR
 # .ti +5
 #	     \fB\&.my.domain   :\fR
 # .ti +5
 #	     \fB*            smtp:outbound-relay.my.domain\fR
 # .fi
 #
 #	In order to send mail for \fBexample.com\fR and its subdomains
 #	via the \fBuucp\fR transport to the UUCP host named \fBexample\fR:
 #
-# .ti +5
+# .nf
 #	     \fBexample.com      uucp:example\fR
 # .ti +5
 #	     \fB\&.example.com     uucp:example\fR
 # .fi
 #
 #	When no nexthop host name is specified, the destination domain
 #	name is used instead. For example, the following directs mail for
@@ -170,18 +172,19 @@
 #	exchanger for \fBexample.com\fR.  The \fBslow\fR transport could be
 #	configured to run at most one delivery process at a time:
 #
-# .ti +5
+# .nf
 #	     \fBexample.com      slow:\fR
 # .fi
 #
 #	When no transport is specified, Postfix uses the transport that
 #	matches the address domain class (see DESCRIPTION
 #	above).  The following sends all mail for \fBexample.com\fR and its
 #	subdomains to host \fBgateway.example.com\fR:
 #
-# .ti +5
+# .nf
 #	     \fBexample.com      :[gateway.example.com]\fR
 # .ti +5
 #	     \fB\&.example.com     :[gateway.example.com]\fR
 # .fi
 #
 #	In the above example, the [] suppress MX lookups.
 #	This prevents mail routing loops when your machine is primary MX
@@ -190,8 +193,9 @@
 #	In the case of delivery via SMTP, one may specify
 #	\fIhostname\fR:\fIservice\fR instead of just a host:
 #
-# .ti +5
+# .nf
 #	     \fBexample.com      smtp:bar.example:2025\fR
 # .fi
 #
 #	This directs mail for \fIuser\fR@\fBexample.com\fR to host \fBbar.example\fR
 #	port \fB2025\fR. Instead of a numerical port a symbolic name may be
@@ -199,8 +203,9 @@
 #
 #	The error mailer can be used to bounce mail:
 #
-# .ti +5
+# .nf
 #	     \fB\&.example.com     error:mail for *.example.com is not deliverable\fR
 # .fi
 #
 #	This causes all mail for \fIuser\fR@\fIanything\fB.example.com\fR
 #	to be bounced.
@@ -220,9 +225,10 @@
 #	Patterns are applied in the order as specified in the table, until a
 #	pattern is found that matches the search string.
 #
-#	Results are the same as with indexed file lookups, with
+#	The \fBtrivial-rewrite\fR(8) server disallows regular
-#	the additional feature that parenthesized substrings from the
+#	expression substitution of $1 etc. in regular expression
-#	pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
+#	lookup tables, because that could open a security hole
 #	(Postfix version 2.3 and later).
 # TCP-BASED TABLES
 # .ad
 # .fi
--- a/postfix/proto/virtual
+++ b/postfix/proto/virtual
@@ -96,8 +96,9 @@
 #	Postfix SMTP server accepts
 #	mail for any recipient in \fIdomain\fR, regardless of whether
 #	that recipient exists.  This may turn your mail system into
-#	a backscatter source that returns undeliverable spam to
+#	a backscatter source: Postfix first accepts mail for
-#	innocent people.
+#	non-existent recipients and then tries to return that mail
 #	as "undeliverable" to the often forged sender address.
 # RESULT ADDRESS REWRITING
 # .ad
 # .fi
@@ -144,25 +145,21 @@
 #
 #	Support for a virtual alias domain looks like:
 #
 # .nf
 #	/etc/postfix/main.cf:
 # .in +4
 #	    virtual_alias_maps = hash:/etc/postfix/virtual
 # .fi
 #
 #	Note: some systems use \fBdbm\fR databases instead of \fBhash\fR.
 #	See the output from "\fBpostconf -m\fR" for available database types.
 #
 # .ti -4
 #	/etc/postfix/virtual:
 # .nf
-# .na
+#	/etc/postfix/virtual:
 #	    \fIvirtual-alias.domain	anything\fR (right-hand content does not matter)
 #	    \fIpostmaster@virtual-alias.domain	postmaster\fR
 #	    \fIuser1@virtual-alias.domain	address1\fR
 #	    \fIuser2@virtual-alias.domain	address2, address3\fR
 # .fi
 # .in -4
 # .ad
 # .fi
 # .sp
 #	The \fIvirtual-alias.domain anything\fR entry is required for a
 #	virtual alias domain. \fBWithout this entry, mail is rejected
--- a/postfix/src/anvil/anvil.c
+++ b/postfix/src/anvil/anvil.c
@@ -23,81 +23,74 @@
 /* .fi
 /*	To register a new connection send the following request to
 /*	the \fBanvil\fR(8) server:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBrequest=connect\fR
 /* .br
 /*	    \fBident=\fIstring\fR
-/* .in
+/* .fi
-/* .PP
+/*
 /*	The \fBanvil\fR(8) server answers with the number of
 /*	simultaneous connections and the number of connections per
 /*	unit time for the (service, client) combination specified
 /*	with \fBident\fR:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBstatus=0\fR
 /* .br
 /*	    \fBcount=\fInumber\fR
 /* .br
 /*	    \fBrate=\fInumber\fR
-/* .in
+/* .fi
-/* .PP
+/*
 /*	To register a disconnect event send the following request
 /*	to the \fBanvil\fR(8) server:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBrequest=disconnect\fR
 /* .br
 /*	    \fBident=\fIstring\fR
-/* .in
+/* .fi
-/* .PP
+/*
 /*	The \fBanvil\fR(8) server replies with:
-/* .PP
+/*
-/* .ti +4
+/* .nf
 /*	    \fBstatus=0\fR
 /* .fi
 /* MESSAGE RATE CONTROL
 /* .ad
 /* .fi
 /*	To register a message delivery request send the following
 /*	request to the \fBanvil\fR(8) server:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBrequest=message\fR
 /* .br
 /*	    \fBident=\fIstring\fR
-/* .in
+/* .fi
-/* .PP
+/*
 /*	The \fBanvil\fR(8) server answers with the number of message
 /*	delivery requests per unit time for the (service, client)
 /*	combination specified with \fBident\fR:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBstatus=0\fR
 /* .br
 /*	    \fBrate=\fInumber\fR
-/* .in
+/* .fi
 /* RECIPIENT RATE CONTROL
 /* .ad
 /* .fi
 /*	To register a recipient request send the following request
 /*	to the \fBanvil\fR(8) server:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBrequest=recipient\fR
 /* .br
 /*	    \fBident=\fIstring\fR
-/* .in
+/* .fi
-/* .PP
+/*
 /*	The \fBanvil\fR(8) server answers with the number of recipient
 /*	addresses per unit time for the (service, client) combination
 /*	specified with \fBident\fR:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBstatus=0\fR
 /* .br
 /*	    \fBrate=\fInumber\fR
-/* .in
+/* .fi
 /* TLS SESSION NEGOTIATION RATE CONTROL
 /* .ad
 /* .fi
@@ -106,41 +99,37 @@
 /*
 /*	To register a request for a new (i.e. not cached) TLS session
 /*	send the following request to the \fBanvil\fR(8) server:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBrequest=newtls\fR
 /* .br
 /*	    \fBident=\fIstring\fR
-/* .in
+/* .fi
-/* .PP
+/*
 /*	The \fBanvil\fR(8) server answers with the number of new
 /*	TLS session requests per unit time for the (service, client)
 /*	combination specified with \fBident\fR:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBstatus=0\fR
 /* .br
 /*	    \fBrate=\fInumber\fR
-/* .in
+/* .fi
-/* .PP
+/*
 /*	To retrieve new TLS session request rate information without
 /*	updating the counter information, send:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBrequest=newtls_report\fR
 /* .br
 /*	    \fBident=\fIstring\fR
-/* .in
+/* .fi
-/* .PP
+/*
 /*	The \fBanvil\fR(8) server answers with the number of new
 /*	TLS session requests per unit time for the (service, client)
 /*	combination specified with \fBident\fR:
-/* .PP
+/*
-/* .in +4
+/* .nf
 /*	    \fBstatus=0\fR
 /* .br
 /*	    \fBrate=\fInumber\fR
-/* .in
+/* .fi
 /* SECURITY
 /* .ad
 /* .fi
--- a/postfix/src/bounce/2template_test.in
+++ b/postfix/src/bounce/2template_test.in
@@ -9,7 +9,7 @@ This is the mail system at host $myhostname.
 I'm sorry to have to inform you that your message could not
 be delivered to one or more recipients. It's attached below.
-For further assistance, please send mail to <postmaster>
+For further assistance, please send mail to postmaster.
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
@@ -32,7 +32,7 @@ This is the mail system at host $myhostname.
 Your message could not be delivered for more than $delay_warning_time_hours hour(s).
 It will be retried until it is $maximal_queue_lifetime_days day(s) old.
-For further assistance, please send mail to <postmaster>
+For further assistance, please send mail to postmaster.
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
@@ -77,7 +77,7 @@ This is the mail system at host $myhostname.
 I'm sorry to have to inform you that your message could not
 be delivered to one or more recipients. It's attached below.
-For further assistance, please send mail to <postmaster>
+For further assistance, please send mail to postmaster.
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
@@ -100,7 +100,7 @@ This is the mail system at host $myhostname.
 Your message could not be delivered for more than $delay_warning_time_hours hour(s).
 It will be retried until it is $maximal_queue_lifetime_days day(s) old.
-For further assistance, please send mail to <postmaster>
+For further assistance, please send mail to postmaster.
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
--- a/postfix/src/bounce/template_test.ref
+++ b/postfix/src/bounce/template_test.ref
@@ -9,7 +9,7 @@ This is the mail system at host $myhostname.
 I'm sorry to have to inform you that your message could not
 be delivered to one or more recipients. It's attached below.
-For further assistance, please send mail to <postmaster>
+For further assistance, please send mail to postmaster.
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
@@ -32,7 +32,7 @@ This is the mail system at host $myhostname.
 Your message could not be delivered for more than $delay_warning_time_hours hour(s).
 It will be retried until it is $maximal_queue_lifetime_days day(s) old.
-For further assistance, please send mail to <postmaster>
+For further assistance, please send mail to postmaster.
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20070325"
+#define MAIL_RELEASE_DATE	"20070328"
-#define MAIL_VERSION_NUMBER	"2.4"
+#define MAIL_VERSION_NUMBER	"2.5"
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@@ -29,9 +29,10 @@
 /*
 /*	To prevent Postfix from sending multiple recipients per delivery
 /*	request, specify
-/*
+/* .sp
-/* .ti +4
+/* .nf
 /*	    \fItransport\fB_destination_recipient_limit = 1\fR
 /* .fi
 /*
 /*	in the Postfix \fBmain.cf\fR file, where \fItransport\fR
 /*	is the name in the first column of the Postfix \fBmaster.cf\fR
@@ -135,17 +136,19 @@
 /*	Caution: a null sender address is easily mis-parsed by
 /*	naive software. For example, when the \fBpipe\fR(8) daemon
 /*	executes a command such as:
-/*
+/* .sp
-/* .ti +4
+/* .nf
 /*	    command -f$sender -- $recipient (\fIbad\fR)
-/*
+/* .fi
 /* .IP
 /*	the command will mis-parse the -f option value when the
 /*	sender address is a null string.  For correct parsing,
 /*	specify \fB$sender\fR as an argument by itself:
-/*
+/* .sp
-/* .ti +4
+/* .nf
 /*	    command -f $sender -- $recipient (\fIgood\fR)
-/*
+/* .fi
 /* .IP
 /*	This feature is available with Postfix 2.3 and later.
 /* .IP "\fBsize\fR=\fIsize_limit\fR (optional)"
 /*	Messages greater in size than this limit (in bytes) will
--- a/postfix/src/postmap/postmap.c
+++ b/postfix/src/postmap/postmap.c
@@ -13,8 +13,9 @@
 /*	lookup tables, or updates an existing one. The input and output
 /*	file formats are expected to be compatible with:
 /*
-/* .ti +4
+/* .nf
 /*	    \fBmakemap \fIfile_type\fR \fIfile_name\fR < \fIfile_name\fR
 /* .fi
 /*
 /*	If the result files do not exist they will be created with the
 /*	same group and other read permissions as their source file.
@@ -30,8 +31,9 @@
 /* .IP \(bu
 /*	A table entry has the form
 /* .sp
-/* .ti +5
+/* .nf
 /*	     \fIkey\fR whitespace \fIvalue\fR
 /* .fi
 /* .IP \(bu
 /*	Empty lines and whitespace-only lines are ignored, as
 /*	are lines whose first non-whitespace character is a `#'.
--- a/postfix/src/postsuper/postsuper.c
+++ b/postfix/src/postsuper/postsuper.c
@@ -36,15 +36,13 @@
 /*	queue IDs from standard input. For example, to delete all mail
 /*	with exactly one recipient \fBuser@example.com\fR:
 /* .sp
 /* .nf
 /*	mailq | tail +2 | grep -v '^ *(' | awk  \'BEGIN { RS = "" }
 /* .ti +4
 /*	    # $7=sender, $8=recipient1, $9=recipient2
 /* .ti +4
 /*	    { if ($8 == "user@example.com" && $9 == "")
 /* .ti +10
 /*	          print $1 }
 /* .br
 /*	\' | tr -d '*!' | postsuper -d -
 /* .fi
 /* .sp
 /*	Specify "\fB-d ALL\fR" to remove all messages; for example, specify
 /*	"\fB-d ALL deferred\fR" to delete all mail in the \fBdeferred\fR queue.
--- a/postfix/src/proxymap/proxymap.c
+++ b/postfix/src/proxymap/proxymap.c
@@ -16,18 +16,20 @@
 /*	practical to maintain a copy of the passwd file in the chroot
 /*	jail.  The solution:
 /* .sp
 /* .nf
 /*	local_recipient_maps =
 /* .ti +4
 /*	    proxy:unix:passwd.byname $alias_maps
 /* .fi
 /* .IP \(bu
 /*	To consolidate the number of open lookup tables by sharing
 /*	one open table among multiple processes. For example, making
 /*	mysql connections from every Postfix daemon process results
 /*	in "too many connections" errors. The solution:
 /* .sp
 /* .nf
 /*	virtual_alias_maps =
 /* .ti +4
 /*	    proxy:mysql:/etc/postfix/virtual_alias.cf
 /* .fi
 /* .sp
 /*	The total number of connections is limited by the number of
 /*	proxymap server processes.
--- a/postfix/src/virtual/virtual.c
+++ b/postfix/src/virtual/virtual.c
@@ -26,8 +26,9 @@
 /*
 /*	The mailbox pathname is constructed as follows:
 /*
-/* .ti +2
+/* .nf
 /*	  \fB$virtual_mailbox_base/$virtual_mailbox_maps(\fIrecipient\fB)\fR
 /* .fi
 /*
 /*	where \fIrecipient\fR is the full recipient address.
 /* UNIX MAILBOX FORMAT