From b9cbb4a6b73f6e19f77871613e7e2cc3f125513e Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Sat, 10 Jan 2009 00:00:00 -0500
Subject: [PATCH] postfix-2.6-20090110
---
postfix/.indent.pro | 5 +-
postfix/HISTORY | 32 ++++--
postfix/RELEASE_NOTES | 28 ++++-
postfix/WISHLIST | 31 ++---
postfix/conf/access | 168 ++++++++++++++--------------
postfix/html/NFS_README.html | 2 +-
postfix/html/access.5.html | 166 ++++++++++++++-------------
postfix/html/postconf.5.html | 34 +++++-
postfix/html/smtp-sink.1.html | 5 +
postfix/html/smtp-source.1.html | 5 +
postfix/man/man1/smtp-sink.1 | 4 +
postfix/man/man1/smtp-source.1 | 4 +
postfix/man/man5/access.5 | 6 +
postfix/man/man5/postconf.5 | 42 ++++++-
postfix/proto/NFS_README.html | 2 +-
postfix/proto/postconf.proto | 37 +++++-
postfix/src/global/Makefile.in | 17 ++-
postfix/src/global/mail_params.c | 3 +-
postfix/src/global/mail_version.h | 2 +-
postfix/src/global/match_service.c | 139 +++++++++++++++++++++++
postfix/src/global/match_service.h | 31 +++++
postfix/src/master/Makefile.in | 13 ++-
postfix/src/master/master.h | 29 +++++
postfix/src/master/master_ent.c | 10 +-
postfix/src/master/master_vars.c | 113 +------------------
postfix/src/master/master_watch.c | 151 +++++++++++++++++++++++++
postfix/src/smtp/smtp_connect.c | 3 +
postfix/src/smtpstone/smtp-sink.c | 10 +-
postfix/src/smtpstone/smtp-source.c | 12 +-
postfix/src/util/Makefile.in | 8 +-
postfix/src/util/connect.h | 2 -
postfix/src/util/inet_connect.c | 12 +-
postfix/src/util/inet_listen.c | 18 +--
postfix/src/util/inet_windowsize.c | 79 +++++++++++++
postfix/src/util/iostuff.h | 3 +
postfix/src/util/listen.h | 2 -
36 files changed, 861 insertions(+), 367 deletions(-)
create mode 100644 postfix/src/global/match_service.c
create mode 100644 postfix/src/global/match_service.h
create mode 100644 postfix/src/master/master_watch.c
create mode 100644 postfix/src/util/inet_windowsize.c
diff --git a/postfix/.indent.pro b/postfix/.indent.pro
index 8d572dec4..3c96b8041 100644
--- a/postfix/.indent.pro
+++ b/postfix/.indent.pro
@@ -137,11 +137,12 @@
 -TMAI_SERVNAME_STR
 -TMAI_SERVPORT_STR
 -TMAPS
+-TMASTER_INT_WATCH
 -TMASTER_PROC
 -TMASTER_SERV
 -TMASTER_STATUS
--TMASTER_VARS_STR_WATCH
--TMASTER_VARS_INT_WATCH
+-TMASTER_STR_WATCH
+-TMATCH_LIST
 -TMBLOCK
 -TMBOX
 -TMILTER
diff --git a/postfix/HISTORY b/postfix/HISTORY
index ffda0a389..c920cef9c 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -14845,10 +14845,12 @@ Apologies for any names omitted. and type. For example, to turn off the main SMTP listener use "master_service_disable = smtp.inet", and to turn off all TCP/IP listeners use "master_service_disable = inet". - This feature does not distinguish services by their privacy - property; some day, clients will not need to specify that - anymore. Files: global/mail_params.h, master/master.c, - master/master_vars.c, master/master_ent.c. + This immediately terminates all processes that provide the + specified services. The master_service_disable feature does + not distinguish services by their privacy property; some + day, clients will not need to specify that anymore. Files: + global/mail_params.h, master/master.c, master/master_vars.c, + master/master_ent.c. Bugfix (introduced May 19, 1997): removing a parameter setting from main.cf did not reset the parameter to its 
@@ -14863,8 +14865,20 @@ Apologies for any names omitted. smtpd/smtpd_check.c, proto/access. Workaround: specify "tcp_windowsize = 65535" (or less) to - work around routers with broken TCP window scaling - implementations. This is perhaps easier than collecting - tcpdump output and tuning kernel parameters. Changing this - parameter requires "postfix stop" and "postfix start". - Files: util/inet_connect.c, inet_listen.c, global/mail_params.[hc]. + work around broken TCP window scaling implementations. This + is perhaps easier than collecting tcpdump output and tuning + kernel parameters by hand. See RELEASE_NOTES for how to + change this setting without stopping Postfix. Files: + util/inet_connect.c, inet_listen.c, global/mail_params.[hc]. + +20090110 + + Cleanup: create separate code modules for TCP window size + handling, master.cf service name matching, and main.cf + change monitoring. Files: util/inet_windowsize.c, + global/match_service.c, master/master_watch.c. + + Feature: TCP window size override for the Postfix SMTP/LMTP + client, and for the smtp-source and smtp-sink test programs. + Files: smtp/smtp_connect.c, smtpstone/smtp-source.c, + smtpstone/smtp-sink.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index e4073049d..ee740f947 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -20,12 +20,34 @@ type or by service name + type. Specify a list of service types "name" is the first field of a master.cf entry and "type" is a service type. Examples: to turn off the main SMTP listener port, use "master_service_disable = smtp.inet"; to turn off all TCP/IP -listeners, use "master_service_disable = inet". +listeners, use "master_service_disable = inet". Changing this +parameter requires "postfix reload". Specify "tcp_windowsize = 65535" (or less) to work around routers with broken TCP window scaling implementations. This is perhaps -easier than collecting tcpdump output and tuning kernel parameters. -Changing this parameter requires "postfix stop" and "postfix start". +more convenient than collecting tcpdump output and tuning kernel +parameters by hand. With Postfix TCP servers (smtpd(8), qmqpd(8)), +this feature is implemented by the Postfix master(8) daemon. + +To change this parameter without stopping Postfix, you need to first +terminate all Postfix TCP servers: + + # postconf -e master_service_disable=inet + # postfix reload + +This immediately terminates all processes that accept network +connections. Then you enable Postfix TCP servers with the updated +tcp_windowsize setting: + + # postconf -e tcp_windowsize=65535 master_service_disable= + # postfix reload + +If you skip these steps with a running Postfix system, then the +tcp_windowsize change will work only for Postfix TCP clients (smtp(8), +lmtp(8)). + +Of course you can also do "postfix stop" and "postfix start", +but that is more disruptive. Major changes with snapshot 20081010 ==================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 7c4519c66..466046f15 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -1,11 +1,4 @@ Wish list: - - To work around window scaling bugs, find out if we can force - < 65535 TCP windows with setsockopt(SO_SNDBUF/SO_RCVBUF) - between socket() and connect()/listen(). Instead of screwing - up lots of internal APIs with an extra buffer size parameter, - use a -o command-line option to override a global variable - for use by inet_connect() and inet_listen(). Force a panic when the VDA patch reduces the file size limit under the message size. They break the code that marks a @@ -21,6 +14,9 @@ Wish list: Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that they can be made system dependent. + Plan for time_t larger than long, or wait for LP64 to + dominate the world? + Make "AUTH=<>" appendage to MAIL FROM configurable, enabled by default. @@ -45,11 +41,11 @@ Wish list: and remote mail; the disadvantage is that it makes local submissions more dependent on networking. One possibility is to use "pickup -o content_filter=smtp:127.0.0.1:10025"; - we could also to suppress "mail loop" detection for loopback - connections. Another is to have the pickup or cleanup - server drive an SMTP client directly; this would require - extension of the mail_stream() interface, plus a way to - handle bounced/deferred recipients intelligently. + we could also decide to always suppress "mail loop" detection + for loopback connections. Another option is to have the + pickup or cleanup server drive an SMTP client directly; + this would require extension of the mail_stream() interface, + plus a way to handle bounced/deferred recipients intelligently. Consolidate duplicated code in *_server_accept_{pass,inet}(). 
@@ -75,14 +71,6 @@ Wish list: Make TLS_BIO_BUFSIZE run-time adjustable, to future-proof Postfix for remote connections with MSS > 8 kbytes. - Absent a formal spec, model IPv6 RBL lookups after the IPv6 - PTR lookups (one zone per hex nibble, nibbles in reversed - order). How to specify whether to query an RBL server for - status info about an IPv6 address? One could argue that as - long as IPv6 traffic is small an unsupported lookup doesn't - matter; and once IPv6 takes off, the RBL servers better - start supporting IPv6 client status information. - Don't log "warning: XXXXX: undeliverable postmaster notification discarded" for spam from outside. @@ -149,9 +137,6 @@ Wish list: into mailer-daemon (current bahavior) or disallow (strict behavior, currently implemented only in the SMTP server). - Plan for time_t larger than long, or wait for LP64 to - dominate the world? - The type of var_message_limit (and other file size/offset configuration parameters or internal protocol attributes) should be changed from int to off_t. This also requires diff --git a/postfix/conf/access b/postfix/conf/access index 2aa8f6450..00aa6cd19 100644 --- a/postfix/conf/access +++ b/postfix/conf/access 
@@ -202,22 +202,28 @@ # text..." when the optional text is specified, oth- # erwise reply with a generic error response message. # +# This feature is available in Postfix 2.6 and later. +# # DEFER_IF_REJECT optional text... -# Defer the request if some later restriction would -# result in a REJECT action. Reply with -# "$access_map_defer_code 4.7.1 optional text..." -# when the optional text is specified, otherwise +# Defer the request if some later restriction would +# result in a REJECT action. Reply with +# "$access_map_defer_code 4.7.1 optional text..." +# when the optional text is specified, otherwise # reply with a generic error response message. # +# Prior to Postfix 2.6, the SMTP reply code is 450. +# # This feature is available in Postfix 2.1 and later. # # DEFER_IF_PERMIT optional text... -# Defer the request if some later restriction would -# result in a an explicit or implicit PERMIT action. -# Reply with "$access_map_defer_code 4.7.1 optional -# text..." when the optional text is specified, oth- +# Defer the request if some later restriction would +# result in a an explicit or implicit PERMIT action. +# Reply with "$access_map_defer_code 4.7.1 optional +# text..." when the optional text is specified, oth- # erwise reply with a generic error response message. # +# Prior to Postfix 2.6, the SMTP reply code is 450. +# # This feature is available in Postfix 2.1 and later. # # OTHER ACTIONS 
@@ -226,169 +232,169 @@ # reject_unauth_destination, and so on). # # BCC user@domain -# Send one copy of the message to the specified +# Send one copy of the message to the specified # recipient. # -# If multiple BCC actions are specified within the -# same SMTP MAIL transaction, only the last action +# If multiple BCC actions are specified within the +# same SMTP MAIL transaction, only the last action # will be used. # -# This feature is not part of the stable Postfix +# This feature is not part of the stable Postfix # release. # # DISCARD optional text... -# Claim successful delivery and silently discard the -# message. Log the optional text if specified, oth- +# Claim successful delivery and silently discard the +# message. Log the optional text if specified, oth- # erwise log a generic message. # -# Note: this action currently affects all recipients -# of the message. To discard only one recipient -# without discarding the entire message, use the +# Note: this action currently affects all recipients +# of the message. To discard only one recipient +# without discarding the entire message, use the # transport(5) table to direct mail to the discard(8) # service. # # This feature is available in Postfix 2.0 and later. # -# DUNNO Pretend that the lookup key was not found. This -# prevents Postfix from trying substrings of the -# lookup key (such as a subdomain name, or a network +# DUNNO Pretend that the lookup key was not found. This +# prevents Postfix from trying substrings of the +# lookup key (such as a subdomain name, or a network # address subnetwork). # # This feature is available in Postfix 2.0 and later. # # FILTER transport:destination -# After the message is queued, send the entire mes- +# After the message is queued, send the entire mes- # sage through the specified external content filter. -# The transport:destination syntax is described in -# the transport(5) manual page. 
More information -# about external content filters is in the Postfix +# The transport:destination syntax is described in +# the transport(5) manual page. More information +# about external content filters is in the Postfix # FILTER_README file. # # Note: this action overrides the content_filter set- -# ting, and currently affects all recipients of the +# ting, and currently affects all recipients of the # message. # # This feature is available in Postfix 2.0 and later. # # HOLD optional text... -# Place the message on the hold queue, where it will -# sit until someone either deletes it or releases it -# for delivery. Log the optional text if specified, +# Place the message on the hold queue, where it will +# sit until someone either deletes it or releases it +# for delivery. Log the optional text if specified, # otherwise log a generic message. # -# Mail that is placed on hold can be examined with -# the postcat(1) command, and can be destroyed or +# Mail that is placed on hold can be examined with +# the postcat(1) command, and can be destroyed or # released with the postsuper(1) command. # -# Note: use "postsuper -r" to release mail that was -# kept on hold for a significant fraction of $maxi- +# Note: use "postsuper -r" to release mail that was +# kept on hold for a significant fraction of $maxi- # mal_queue_lifetime or $bounce_queue_lifetime, or -# longer. Use "postsuper -H" only for mail that will +# longer. Use "postsuper -H" only for mail that will # not expire within a few delivery attempts. # -# Note: this action currently affects all recipients +# Note: this action currently affects all recipients # of the message. # # This feature is available in Postfix 2.0 and later. # # PREPEND headername: headervalue -# Prepend the specified message header to the mes- -# sage. When more than one PREPEND action executes, -# the first prepended header appears before the sec- +# Prepend the specified message header to the mes- +# sage. 
When more than one PREPEND action executes, +# the first prepended header appears before the sec- # ond etc. prepended header. # -# Note: this action must execute before the message -# content is received; it cannot execute in the con- +# Note: this action must execute before the message +# content is received; it cannot execute in the con- # text of smtpd_end_of_data_restrictions. # # This feature is available in Postfix 2.1 and later. # # REDIRECT user@domain -# After the message is queued, send the message to +# After the message is queued, send the message to # the specified address instead of the intended # recipient(s). # -# Note: this action overrides the FILTER action, and +# Note: this action overrides the FILTER action, and # currently affects all recipients of the message. # # This feature is available in Postfix 2.1 and later. # # WARN optional text... # Log a warning with the optional text, together with -# client information and if available, with helo, +# client information and if available, with helo, # sender, recipient and protocol information. # # This feature is available in Postfix 2.1 and later. # # ENHANCED STATUS CODES -# Postfix version 2.3 and later support enhanced status -# codes as defined in RFC 3463. When an enhanced status -# code is specified in an access table, it is subject to -# modification. The following transformations are needed -# when the same access table is used for client, helo, -# sender, or recipient access restrictions; they happen +# Postfix version 2.3 and later support enhanced status +# codes as defined in RFC 3463. When an enhanced status +# code is specified in an access table, it is subject to +# modification. The following transformations are needed +# when the same access table is used for client, helo, +# sender, or recipient access restrictions; they happen # regardless of whether Postfix replies to a MAIL FROM, RCPT # TO or other SMTP command. 
# -# o When a sender address matches a REJECT action, the -# Postfix SMTP server will transform a recipient DSN -# status (e.g., 4.1.1-4.1.6) into the corresponding +# o When a sender address matches a REJECT action, the +# Postfix SMTP server will transform a recipient DSN +# status (e.g., 4.1.1-4.1.6) into the corresponding # sender DSN status, and vice versa. # -# o When non-address information matches a REJECT -# action (such as the HELO command argument or the -# client hostname/address), the Postfix SMTP server -# will transform a sender or recipient DSN status -# into a generic non-address DSN status (e.g., +# o When non-address information matches a REJECT +# action (such as the HELO command argument or the +# client hostname/address), the Postfix SMTP server +# will transform a sender or recipient DSN status +# into a generic non-address DSN status (e.g., # 4.0.0). # # REGULAR EXPRESSION TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # the table is given in the form of regular expressions. For -# a description of regular expression lookup table syntax, +# a description of regular expression lookup table syntax, # see regexp_table(5) or pcre_table(5). # -# Each pattern is a regular expression that is applied to +# Each pattern is a regular expression that is applied to # the entire string being looked up. Depending on the appli- -# cation, that string is an entire client hostname, an +# cation, that string is an entire client hostname, an # entire client IP address, or an entire mail address. Thus, # no parent domain or parent network search is done, -# user@domain mail addresses are not broken up into their +# user@domain mail addresses are not broken up into their # user@ and domain constituent parts, nor is user+foo broken # up into user and foo. 
# -# Patterns are applied in the order as specified in the ta- -# ble, until a pattern is found that matches the search +# Patterns are applied in the order as specified in the ta- +# ble, until a pattern is found that matches the search # string. # -# Actions are the same as with indexed file lookups, with -# the additional feature that parenthesized substrings from +# Actions are the same as with indexed file lookups, with +# the additional feature that parenthesized substrings from # the pattern can be interpolated as $1, $2 and so on. # # TCP-BASED TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # lookups are directed to a TCP-based server. For a descrip- # tion of the TCP client/server lookup protocol, see tcp_ta- # ble(5). This feature is not available up to and including # Postfix version 2.4. # -# Each lookup operation uses the entire query string once. -# Depending on the application, that string is an entire +# Each lookup operation uses the entire query string once. +# Depending on the application, that string is an entire # client hostname, an entire client IP address, or an entire -# mail address. Thus, no parent domain or parent network -# search is done, user@domain mail addresses are not broken -# up into their user@ and domain constituent parts, nor is +# mail address. Thus, no parent domain or parent network +# search is done, user@domain mail addresses are not broken +# up into their user@ and domain constituent parts, nor is # user+foo broken up into user and foo. # # Actions are the same as with indexed file lookups. # # EXAMPLE -# The following example uses an indexed file, so that the -# order of table entries does not matter. The example per- -# mits access by the client at address 1.2.3.4 but rejects -# all other clients in 1.2.3.0/24. Instead of hash lookup -# tables, some systems use dbm. 
Use the command "postconf -# -m" to find out what lookup tables Postfix supports on +# The following example uses an indexed file, so that the +# order of table entries does not matter. The example per- +# mits access by the client at address 1.2.3.4 but rejects +# all other clients in 1.2.3.0/24. Instead of hash lookup +# tables, some systems use dbm. Use the command "postconf +# -m" to find out what lookup tables Postfix supports on # your system. # # /etc/postfix/main.cf: @@ -399,11 +405,11 @@ # 1.2.3 REJECT # 1.2.3.4 OK # -# Execute the command "postmap /etc/postfix/access" after +# Execute the command "postmap /etc/postfix/access" after # editing the file. # # BUGS -# The table format does not understand quoting conventions. +# The table format does not understand quoting conventions. # # SEE ALSO # postmap(1), Postfix lookup table manager @@ -412,13 +418,13 @@ # transport(5), transport:nexthop syntax # # README FILES -# Use "postconf readme_directory" or "postconf html_direc- +# Use "postconf readme_directory" or "postconf html_direc- # tory" to locate this information. # SMTPD_ACCESS_README, built-in SMTP server access control # DATABASE_README, Postfix lookup table overview # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) diff --git a/postfix/html/NFS_README.html b/postfix/html/NFS_README.html index 1661541fc..fdbd0fdc5 100644 --- a/postfix/html/NFS_README.html +++ b/postfix/html/NFS_README.html @@ -56,7 +56,6 @@ methods simultaneously.

mailbox_delivery_lock = fcntl, dotlock -

Postfix NFS workarounds

@@ -134,4 +133,5 @@ false errors when the server reply is lost, the client retransmits the request, and the server does not remember that it already completed the request.

+ diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html index 128006866..626d105e8 100644 --- a/postfix/html/access.5.html +++ b/postfix/html/access.5.html @@ -208,22 +208,28 @@ ACCESS(5) ACCESS(5) text..." when the optional text is specified, oth- erwise reply with a generic error response message. + This feature is available in Postfix 2.6 and later. + DEFER_IF_REJECT optional text... - Defer the request if some later restriction would - result in a REJECT action. Reply with - "$access_map_defer_code 4.7.1 optional text..." - when the optional text is specified, otherwise + Defer the request if some later restriction would + result in a REJECT action. Reply with + "$access_map_defer_code 4.7.1 optional text..." + when the optional text is specified, otherwise reply with a generic error response message. + Prior to Postfix 2.6, the SMTP reply code is 450. + This feature is available in Postfix 2.1 and later. DEFER_IF_PERMIT optional text... - Defer the request if some later restriction would - result in a an explicit or implicit PERMIT action. - Reply with "$access_map_defer_code 4.7.1 optional - text..." when the optional text is specified, oth- + Defer the request if some later restriction would + result in a an explicit or implicit PERMIT action. + Reply with "$access_map_defer_code 4.7.1 optional + text..." when the optional text is specified, oth- erwise reply with a generic error response message. + Prior to Postfix 2.6, the SMTP reply code is 450. + This feature is available in Postfix 2.1 and later. OTHER ACTIONS 
@@ -232,169 +238,169 @@ ACCESS(5) ACCESS(5) reject_unauth_destination, and so on). BCC user@domain - Send one copy of the message to the specified + Send one copy of the message to the specified recipient. - If multiple BCC actions are specified within the - same SMTP MAIL transaction, only the last action + If multiple BCC actions are specified within the + same SMTP MAIL transaction, only the last action will be used. - This feature is not part of the stable Postfix + This feature is not part of the stable Postfix release. DISCARD optional text... - Claim successful delivery and silently discard the - message. Log the optional text if specified, oth- + Claim successful delivery and silently discard the + message. Log the optional text if specified, oth- erwise log a generic message. - Note: this action currently affects all recipients - of the message. To discard only one recipient - without discarding the entire message, use the + Note: this action currently affects all recipients + of the message. To discard only one recipient + without discarding the entire message, use the transport(5) table to direct mail to the discard(8) service. This feature is available in Postfix 2.0 and later. - DUNNO Pretend that the lookup key was not found. This - prevents Postfix from trying substrings of the - lookup key (such as a subdomain name, or a network + DUNNO Pretend that the lookup key was not found. This + prevents Postfix from trying substrings of the + lookup key (such as a subdomain name, or a network address subnetwork). This feature is available in Postfix 2.0 and later. FILTER transport:destination - After the message is queued, send the entire mes- + After the message is queued, send the entire mes- sage through the specified external content filter. - The transport:destination syntax is described in - the transport(5) manual page. 
More information - about external content filters is in the Postfix + The transport:destination syntax is described in + the transport(5) manual page. More information + about external content filters is in the Postfix FILTER_README file. Note: this action overrides the content_filter set- - ting, and currently affects all recipients of the + ting, and currently affects all recipients of the message. This feature is available in Postfix 2.0 and later. HOLD optional text... - Place the message on the hold queue, where it will - sit until someone either deletes it or releases it - for delivery. Log the optional text if specified, + Place the message on the hold queue, where it will + sit until someone either deletes it or releases it + for delivery. Log the optional text if specified, otherwise log a generic message. - Mail that is placed on hold can be examined with - the postcat(1) command, and can be destroyed or + Mail that is placed on hold can be examined with + the postcat(1) command, and can be destroyed or released with the postsuper(1) command. - Note: use "postsuper -r" to release mail that was - kept on hold for a significant fraction of $maxi- + Note: use "postsuper -r" to release mail that was + kept on hold for a significant fraction of $maxi- mal_queue_lifetime or $bounce_queue_lifetime, or - longer. Use "postsuper -H" only for mail that will + longer. Use "postsuper -H" only for mail that will not expire within a few delivery attempts. - Note: this action currently affects all recipients + Note: this action currently affects all recipients of the message. This feature is available in Postfix 2.0 and later. PREPEND headername: headervalue - Prepend the specified message header to the mes- - sage. When more than one PREPEND action executes, - the first prepended header appears before the sec- + Prepend the specified message header to the mes- + sage. 
When more than one PREPEND action executes, + the first prepended header appears before the sec- ond etc. prepended header. - Note: this action must execute before the message - content is received; it cannot execute in the con- + Note: this action must execute before the message + content is received; it cannot execute in the con- text of smtpd_end_of_data_restrictions. This feature is available in Postfix 2.1 and later. REDIRECT user@domain - After the message is queued, send the message to + After the message is queued, send the message to the specified address instead of the intended recipient(s). - Note: this action overrides the FILTER action, and + Note: this action overrides the FILTER action, and currently affects all recipients of the message. This feature is available in Postfix 2.1 and later. WARN optional text... Log a warning with the optional text, together with - client information and if available, with helo, + client information and if available, with helo, sender, recipient and protocol information. This feature is available in Postfix 2.1 and later. ENHANCED STATUS CODES - Postfix version 2.3 and later support enhanced status - codes as defined in RFC 3463. When an enhanced status - code is specified in an access table, it is subject to - modification. The following transformations are needed - when the same access table is used for client, helo, - sender, or recipient access restrictions; they happen + Postfix version 2.3 and later support enhanced status + codes as defined in RFC 3463. When an enhanced status + code is specified in an access table, it is subject to + modification. The following transformations are needed + when the same access table is used for client, helo, + sender, or recipient access restrictions; they happen regardless of whether Postfix replies to a MAIL FROM, RCPT TO or other SMTP command. 
- o When a sender address matches a REJECT action, the - Postfix SMTP server will transform a recipient DSN - status (e.g., 4.1.1-4.1.6) into the corresponding + o When a sender address matches a REJECT action, the + Postfix SMTP server will transform a recipient DSN + status (e.g., 4.1.1-4.1.6) into the corresponding sender DSN status, and vice versa. - o When non-address information matches a REJECT - action (such as the HELO command argument or the - client hostname/address), the Postfix SMTP server - will transform a sender or recipient DSN status - into a generic non-address DSN status (e.g., + o When non-address information matches a REJECT + action (such as the HELO command argument or the + client hostname/address), the Postfix SMTP server + will transform a sender or recipient DSN status + into a generic non-address DSN status (e.g., 4.0.0). REGULAR EXPRESSION TABLES - This section describes how the table lookups change when + This section describes how the table lookups change when the table is given in the form of regular expressions. For - a description of regular expression lookup table syntax, + a description of regular expression lookup table syntax, see regexp_table(5) or pcre_table(5). - Each pattern is a regular expression that is applied to + Each pattern is a regular expression that is applied to the entire string being looked up. Depending on the appli- - cation, that string is an entire client hostname, an + cation, that string is an entire client hostname, an entire client IP address, or an entire mail address. Thus, no parent domain or parent network search is done, - user@domain mail addresses are not broken up into their + user@domain mail addresses are not broken up into their user@ and domain constituent parts, nor is user+foo broken up into user and foo. 
- Patterns are applied in the order as specified in the ta- - ble, until a pattern is found that matches the search + Patterns are applied in the order as specified in the ta- + ble, until a pattern is found that matches the search string. - Actions are the same as with indexed file lookups, with - the additional feature that parenthesized substrings from + Actions are the same as with indexed file lookups, with + the additional feature that parenthesized substrings from the pattern can be interpolated as $1, $2 and so on. TCP-BASED TABLES - This section describes how the table lookups change when + This section describes how the table lookups change when lookups are directed to a TCP-based server. For a descrip- tion of the TCP client/server lookup protocol, see tcp_ta- ble(5). This feature is not available up to and including Postfix version 2.4. - Each lookup operation uses the entire query string once. - Depending on the application, that string is an entire + Each lookup operation uses the entire query string once. + Depending on the application, that string is an entire client hostname, an entire client IP address, or an entire - mail address. Thus, no parent domain or parent network - search is done, user@domain mail addresses are not broken - up into their user@ and domain constituent parts, nor is + mail address. Thus, no parent domain or parent network + search is done, user@domain mail addresses are not broken + up into their user@ and domain constituent parts, nor is user+foo broken up into user and foo. Actions are the same as with indexed file lookups. EXAMPLE - The following example uses an indexed file, so that the - order of table entries does not matter. The example per- - mits access by the client at address 1.2.3.4 but rejects - all other clients in 1.2.3.0/24. Instead of hash lookup - tables, some systems use dbm. 
Use the command "postconf - -m" to find out what lookup tables Postfix supports on + The following example uses an indexed file, so that the + order of table entries does not matter. The example per- + mits access by the client at address 1.2.3.4 but rejects + all other clients in 1.2.3.0/24. Instead of hash lookup + tables, some systems use dbm. Use the command "postconf + -m" to find out what lookup tables Postfix supports on your system. /etc/postfix/main.cf: @@ -405,11 +411,11 @@ ACCESS(5) ACCESS(5) 1.2.3 REJECT 1.2.3.4 OK - Execute the command "postmap /etc/postfix/access" after + Execute the command "postmap /etc/postfix/access" after editing the file. BUGS - The table format does not understand quoting conventions. + The table format does not understand quoting conventions. SEE ALSO postmap(1), Postfix lookup table manager @@ -422,7 +428,7 @@ ACCESS(5) ACCESS(5) DATABASE_README, Postfix lookup table overview LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 19e25f95a..cb4bb3a89 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -5347,6 +5347,10 @@ service type. As with other Postfix matchlists, a search stops at the first match. Specify "!pattern" to exclude a service from the list. By default, all master(8) listener ports are enabled.

+

Note: this feature does not support "/file/name" or "type:table" +patterns, nor does it support wildcards such as "*" or "all". This +is intentional.

+

Examples:

@@ -13068,10 +13072,34 @@ while accessing the Postfix main.cf configuration
 (default: 0)

An optional workaround for routers that break TCP window scaling. -Specify a value > 0 and < 65536 to enable this feature.

+Specify a value > 0 and < 65536 to enable this feature. With +Postfix TCP servers (smtpd(8), qmqpd(8)), this feature is implemented +by the Postfix master(8) daemon.

-

Note: for Postfix servers, this feature is implemented by the -Postfix master(8) daemon, not by the servers themselves.

+

To change this parameter without stopping Postfix, you need to +first terminate all Postfix TCP servers:

+ +
+
+# postconf -e master_service_disable=inet
+# postfix reload
+
+
+ +

This immediately terminates all processes that accept network +connections. Next, you enable Postfix TCP servers with the updated +tcp_windowsize setting:

+ +
+
+# postconf -e tcp_windowsize=65535 master_service_disable=
+# postfix reload
+
+
+ +

If you skip these steps with a running Postfix system, then the +tcp_windowsize change will work only for Postfix TCP clients (smtp(8), +lmtp(8)).

This feature is available in Postfix 2.6 and later.

diff --git a/postfix/html/smtp-sink.1.html b/postfix/html/smtp-sink.1.html index fbb10a7bf..60aceedd4 100644 --- a/postfix/html/smtp-sink.1.html +++ b/postfix/html/smtp-sink.1.html @@ -184,6 +184,11 @@ SMTP-SINK(1) SMTP-SINK(1) Limit the time for receiving a command or sending a response. The time limit is specified in seconds. + -T windowsize + Override the default TCP window size. To work + around broken TCP window scaling implementations, + specify a value > 0 and < 65536. + -u username Switch to the specified user privileges after open- ing the network socket and optionally changing the diff --git a/postfix/html/smtp-source.1.html b/postfix/html/smtp-source.1.html index ca707017c..969eecc3d 100644 --- a/postfix/html/smtp-source.1.html +++ b/postfix/html/smtp-source.1.html @@ -106,6 +106,11 @@ SMTP-SOURCE(1) SMTP-SOURCE(1) -t to Use the specified recipient address (default: <foo@myhostname>). + -T windowsize + Override the default TCP window size. To work + around broken TCP window scaling implementations, + specify a value > 0 and < 65536. + -v Make the program more verbose, for debugging pur- poses. diff --git a/postfix/man/man1/smtp-sink.1 b/postfix/man/man1/smtp-sink.1 index 8b12ed0c6..ca86ae39a 100644 --- a/postfix/man/man1/smtp-sink.1 +++ b/postfix/man/man1/smtp-sink.1 @@ -157,6 +157,10 @@ character). .IP "\fB-t \fItimeout\fR (default: 100)" Limit the time for receiving a command or sending a response. The time limit is specified in seconds. +.IP "\fB-T \fIwindowsize\fR" +Override the default TCP window size. To work around +broken TCP window scaling implementations, specify a +value > 0 and < 65536. .IP "\fB-u \fIusername\fR" Switch to the specified user privileges after opening the network socket and optionally changing the process root diff --git a/postfix/man/man1/smtp-source.1 b/postfix/man/man1/smtp-source.1 index 21b4e06ca..3304791db 100644 --- a/postfix/man/man1/smtp-source.1 +++ b/postfix/man/man1/smtp-source.1 
@@ -85,6 +85,10 @@ Run the specified number of SMTP sessions in parallel (default: 1). Send mail with the named subject line (default: none). .IP "\fB-t \fIto\fR" Use the specified recipient address (default: ). +.IP "\fB-T \fIwindowsize\fR" +Override the default TCP window size. To work around +broken TCP window scaling implementations, specify a +value > 0 and < 65536. .IP \fB-v\fR Make the program more verbose, for debugging purposes. .IP "\fB-w \fIinterval\fR" diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5 index 73a0be473..1fb511c80 100644 --- a/postfix/man/man5/access.5 +++ b/postfix/man/man5/access.5 @@ -198,6 +198,8 @@ Reject the address etc. that matches the pattern. Reply with "\fB$access_map_defer_code \fIoptional text...\fR" when the optional text is specified, otherwise reply with a generic error response message. +.sp +This feature is available in Postfix 2.6 and later. .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR Defer the request if some later restriction would result in a REJECT action. Reply with "\fB$access_map_defer_code 4.7.1 @@ -205,6 +207,8 @@ REJECT action. Reply with "\fB$access_map_defer_code 4.7.1 optional text is specified, otherwise reply with a generic error response message. .sp +Prior to Postfix 2.6, the SMTP reply code is 450. +.sp This feature is available in Postfix 2.1 and later. .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR Defer the request if some later restriction would result in a @@ -214,6 +218,8 @@ text...\fR" when the optional text is specified, otherwise reply with a generic error response message. .sp +Prior to Postfix 2.6, the SMTP reply code is 450. +.sp This feature is available in Postfix 2.1 and later. .SH "OTHER ACTIONS" .na diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 0f43bbc5f..be8248a12 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -2957,6 +2957,10 @@ service type. As with other Postfix matchlists, a search stops at the first match. Specify "!pattern" to exclude a service from the list. By default, all \fBmaster\fR(8) listener ports are enabled. .PP +Note: this feature does not support "/file/name" or "type:table" +patterns, nor does it support wildcards such as "*" or "all". This +is intentional. +.PP Examples: .PP .nf @@ -8180,10 +8184,42 @@ are errors while parsing the command line arguments, and errors while accessing the Postfix main.cf configuration file. .SH tcp_windowsize (default: 0) An optional workaround for routers that break TCP window scaling. -Specify a value > 0 and < 65536 to enable this feature. +Specify a value > 0 and < 65536 to enable this feature. With +Postfix TCP servers (\fBsmtpd\fR(8), \fBqmqpd\fR(8)), this feature is implemented +by the Postfix \fBmaster\fR(8) daemon. .PP -Note: for Postfix servers, this feature is implemented by the -Postfix \fBmaster\fR(8) daemon, not by the servers themselves. +To change this parameter without stopping Postfix, you need to +first terminate all Postfix TCP servers: +.sp +.in +4 +.nf +.na +.ft C +# postconf -e master_service_disable=inet +# postfix reload +.fi +.ad +.ft R +.in -4 +.PP +This immediately terminates all processes that accept network +connections. Next, you enable Postfix TCP servers with the updated +tcp_windowsize setting: +.sp +.in +4 +.nf +.na +.ft C +# postconf -e tcp_windowsize=65535 master_service_disable= +# postfix reload +.fi +.ad +.ft R +.in -4 +.PP +If you skip these steps with a running Postfix system, then the +tcp_windowsize change will work only for Postfix TCP clients (\fBsmtp\fR(8), +\fBlmtp\fR(8)). .PP This feature is available in Postfix 2.6 and later. .SH tls_daemon_random_bytes (default: 32) diff --git a/postfix/proto/NFS_README.html b/postfix/proto/NFS_README.html index 7816f57b6..e8d44d98b 100644 --- a/postfix/proto/NFS_README.html +++ b/postfix/proto/NFS_README.html 
@@ -56,7 +56,6 @@ methods simultaneously.

mailbox_delivery_lock = fcntl, dotlock
-

Postfix NFS workarounds

@@ -134,4 +133,5 @@ false errors when the server reply is lost, the client retransmits the request, and the server does not remember that it already completed the request.

+ diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 6626b8f75..01d2c3837 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -11971,6 +11971,10 @@ service type. As with other Postfix matchlists, a search stops at the first match. Specify "!pattern" to exclude a service from the list. By default, all master(8) listener ports are enabled.

+

Note: this feature does not support "/file/name" or "type:table" +patterns, nor does it support wildcards such as "*" or "all". This +is intentional.

+

Examples:

@@ -11986,13 +11990,36 @@ master_service_disable = !foo.inet, inet
 
 

This feature is available in Postfix 2.6 and later.

-%PARAM tcp_windowsize 0 +%PARAM tcp_windowsize 0

An optional workaround for routers that break TCP window scaling. -Specify a value > 0 and < 65536 to enable this feature.

+Specify a value > 0 and < 65536 to enable this feature. With +Postfix TCP servers (smtpd(8), qmqpd(8)), this feature is implemented +by the Postfix master(8) daemon.

-

Note: for Postfix servers, this feature is implemented by the -Postfix master(8) daemon, not by the servers themselves. The Postfix -master must be restarted for a parameter change to take effect.

+

To change this parameter without stopping Postfix, you need to +first terminate all Postfix TCP servers:

+ +
+
+# postconf -e master_service_disable=inet
+# postfix reload
+
+
+ +

This immediately terminates all processes that accept network +connections. Next, you enable Postfix TCP servers with the updated +tcp_windowsize setting:

+ +
+
+# postconf -e tcp_windowsize=65535 master_service_disable=
+# postfix reload
+
+
+ +

If you skip these steps with a running Postfix system, then the +tcp_windowsize change will work only for Postfix TCP clients (smtp(8), +lmtp(8)).

This feature is available in Postfix 2.6 and later.

diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in index bb44e93d9..dfcd2c06c 100644 --- a/postfix/src/global/Makefile.in +++ b/postfix/src/global/Makefile.in @@ -28,7 +28,8 @@ SRCS = abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \ tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c \ user_acl.c valid_mailhost_addr.c verify.c verify_clnt.c \ verp_sender.c wildcard_inet_addr.c xtext.c delivered_hdr.c \ - fold_addr.c header_body_checks.c mkmap_proxy.c data_redirect.c + fold_addr.c header_body_checks.c mkmap_proxy.c data_redirect.c \ + match_service.c OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \ clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \ @@ -58,7 +59,8 @@ OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o \ user_acl.o valid_mailhost_addr.o verify.o verify_clnt.o \ verp_sender.o wildcard_inet_addr.o xtext.o delivered_hdr.o \ - fold_addr.o header_body_checks.o mkmap_proxy.o data_redirect.o + fold_addr.o header_body_checks.o mkmap_proxy.o data_redirect.o \ + match_service.o HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \ conv_time.h db_common.h debug_peer.h debug_process.h defer.h \ @@ -82,7 +84,7 @@ HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \ trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h \ verp_sender.h wildcard_inet_addr.h xtext.h delivered_hdr.h \ - fold_addr.h header_body_checks.h data_redirect.h + fold_addr.h header_body_checks.h data_redirect.h match_service.h TESTSRC = rec2stream.c stream2rec.c recdump.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) CFLAGS = $(DEBUG) $(OPT) $(DEFS) 
@@ -1384,6 +1386,15 @@ match_parent_style.o: mail_params.h match_parent_style.o: match_parent_style.c match_parent_style.o: match_parent_style.h match_parent_style.o: string_list.h +match_service.o: ../../include/argv.h +match_service.o: ../../include/msg.h +match_service.o: ../../include/mymalloc.h +match_service.o: ../../include/stringops.h +match_service.o: ../../include/sys_defs.h +match_service.o: ../../include/vbuf.h +match_service.o: ../../include/vstring.h +match_service.o: match_service.c +match_service.o: match_service.h mbox_conf.o: ../../include/argv.h mbox_conf.o: ../../include/name_mask.h mbox_conf.o: ../../include/sys_defs.h diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 80fc29985..cd3aa3d41 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -170,8 +170,7 @@ #endif #include #include -#include -#include +#include /* Global library. */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index bb974f05a..d96315380 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20090109" +#define MAIL_RELEASE_DATE "20090110" #define MAIL_VERSION_NUMBER "2.6" #ifdef SNAPSHOT diff --git a/postfix/src/global/match_service.c b/postfix/src/global/match_service.c new file mode 100644 index 000000000..3c47df75d --- /dev/null +++ b/postfix/src/global/match_service.c 
@@ -0,0 +1,139 @@
+/*++
+/* NAME
+/* match_service 3
+/* SUMMARY
+/* simple master.cf service name.type pattern matcher
+/* SYNOPSIS
+/* #include
+/*
+/* ARGV *match_service_init(pattern_list)
+/* const char *pattern_list;
+/*
+/* int match_service_match(list, name_type)
+/* ARGV *list;
+/* const char *name_type;
+/*
+/* void match_service_free(list)
+/* ARGV *list;
+/* DESCRIPTION
+/* This module implements pattern matching for Postfix master.cf
+/* services. This is more precise than using domain_list(3),
+/* because match_service(3) won't treat a dotted service name
+/* as a domain hierarchy. Moreover, this module has the advantage
+/* that it does not drag in all the LDAP, SQL and other map
+/* lookup client code into programs that don't need it.
+/*
+/* Each pattern is of the form "name.type" or "type", where
+/* "name" and "type" are the first two fields of a master.cf
+/* entry. Patterns are separated by whitespace and/or commas.
+/* Matches are case insensitive. Patterns are matched in the
+/* specified order, and the matching process stops at the first
+/* match. In order to reverse the result of a pattern match,
+/* precede a pattern with an exclamation point (!).
+/*
+/* match_service_init() parses the pattern list. The result
+/* must be passed to match_service_match() or match_service_free().
+/*
+/* match_service_match() matches one service name.type string
+/* against the specified pattern list.
+/*
+/* match_service_free() releases storage allocated by
+/* match_service_init().
+/* DIAGNOSTICS
+/* Fatal error: out of memory, malformed pattern.
+/* Panic: malformed search string.
+/* SEE ALSO
+/* domain_list(3) match domain names.
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include
+#include
+
+#ifdef STRCASECMP_IN_STRINGS_H
+#include
+#endif
+
+/* Utility library. */
+
+#include
+#include
+#include
+#include
+#include
+
+/* match_service_init - initialize pattern list */
+
+ARGV *match_service_init(const char *patterns)
+{
+ const char *delim = " ,\t\r\n";
+ ARGV *list = argv_alloc(1);
+ char *saved_patterns = mystrdup(patterns);
+ char *bp = saved_patterns;
+ const char *item;
+
+ while ((item = mystrtok(&bp, delim)) != 0)
+ argv_add(list, item, (char *) 0);
+ argv_terminate(list);
+ myfree(saved_patterns);
+ return (list);
+}
+
+/* match_service_match - match service name.type against pattern list */
+
+int match_service_match(ARGV *list, const char *name_type)
+{
+ const char *myname = "match_service_match";
+ const char *type;
+ char **cpp;
+ char *pattern;
+ int match;
+
+ /*
+ * Quick check for empty list.
+ */
+ if (list->argv[0] == 0)
+ return (0);
+
+ /*
+ * Sanity check.
+ */
+ if ((type = strrchr(name_type, '.')) == 0 || *++type == 0)
+ msg_panic("%s: malformed service: \"%s\"; need \"name.type\" format",
+ myname, name_type);
+
+ /*
+ * Iterate over all patterns in the list, stop at the first match.
+ */
+ for (cpp = list->argv; (pattern = *cpp) != 0; cpp++) {
+ if (msg_verbose)
+ msg_info("%s: %s ~? %s", myname, name_type, pattern);
+ for (match = 1; *pattern == '!'; pattern++)
+ match = !match;
+ if (strcasecmp(strchr(pattern, '.') ? name_type : type, pattern) == 0) {
+ if (msg_verbose)
+ msg_info("%s: %s: found match", myname, name_type);
+ return (match);
+ }
+ }
+ if (msg_verbose)
+ msg_info("%s: %s: no match", myname, name_type);
+ return (0);
+}
+
+/* match_service_free - release storage */
+
+void match_service_free(ARGV *list)
+{
+ argv_free(list);
+}
diff --git a/postfix/src/global/match_service.h b/postfix/src/global/match_service.h
new file mode 100644
index 000000000..1e343336d
--- /dev/null
+++ b/postfix/src/global/match_service.h
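Review bot: `match_service_init()` adds every token to the list unchecked, although the DIAGNOSTICS section of this file lists "malformed pattern" as a fatal error and the postconf text in this commit says "/file/name", "type:table" and wildcard patterns are unsupported. A pattern that is only "!", that ends in ".", or that uses one of those unsupported forms is accepted and then never compares equal in `match_service_match()`, so a `master_service_disable` setting the operator believes turns a listener off leaves it enabled without any log line. Service names can presumably contain other punctuation, so I would not guess at a character blacklist. At minimum reject the empty case inside the loop with `if (item[strspn(item, "!")] == 0) msg_fatal("bad service pattern: \"%s\"", item);`. Beyond that, either validate the type suffix against the known master.cf types or remove "malformed pattern" from DIAGNOSTICS so the comment matches the code.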
@@ -0,0 +1,31 @@
+#ifndef _MATCH_SERVICE_H_INCLUDED_
+#define _MATCH_SERVICE_H_INCLUDED_
+
+/*++
+/* NAME
+/* match_service 3h
+/* SUMMARY
+/* simple master.cf service name.type pattern matcher
+/* SYNOPSIS
+/* #include
+/* DESCRIPTION
+/* .nf
+
+ /* External interface. */
+
+extern ARGV *match_service_init(const char *);
+extern int match_service_match(ARGV *, const char *);
+extern void match_service_free(ARGV *);
+
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+#endif
diff --git a/postfix/src/master/Makefile.in b/postfix/src/master/Makefile.in
index 4c2854b05..00cee038e 100644
--- a/postfix/src/master/Makefile.in
+++ b/postfix/src/master/Makefile.in
@@ -2,10 +2,10 @@ SHELL = /bin/sh SRCS = master.c master_conf.c master_ent.c master_sig.c master_avail.c \ master_spawn.c master_service.c master_status.c master_listen.c \ master_proto.c single_server.c multi_server.c master_vars.c \ - master_wakeup.c master_flow.c mail_flow.c + master_wakeup.c master_flow.c master_watch.c mail_flow.c OBJS = master.o master_conf.o master_ent.o master_sig.o master_avail.o \ master_spawn.o master_service.o master_status.o master_listen.o \ - master_vars.o master_wakeup.o master_flow.o + master_vars.o master_wakeup.o master_watch.o master_flow.o LIB_OBJ = single_server.o multi_server.o trigger_server.o master_proto.o \ mail_flow.o HDRS = mail_server.h master_proto.h mail_flow.h
@@ -128,7 +128,6 @@ master_conf.o: master.h master_conf.o: master_conf.c master_ent.o: ../../include/argv.h master_ent.o: ../../include/attr.h -master_ent.o: ../../include/domain_list.h master_ent.o: ../../include/host_port.h master_ent.o: ../../include/inet_addr_host.h master_ent.o: ../../include/inet_addr_list.h
@@ -136,8 +135,7 @@ master_ent.o: ../../include/iostuff.h master_ent.o: ../../include/mail_conf.h master_ent.o: ../../include/mail_params.h master_ent.o: ../../include/mail_proto.h -master_ent.o: ../../include/match_list.h -master_ent.o: ../../include/match_ops.h +master_ent.o: ../../include/match_service.h master_ent.o: ../../include/msg.h master_ent.o: ../../include/myaddrinfo.h master_ent.o: ../../include/mymalloc.h @@ -237,6 +235,11 @@ master_wakeup.o: ../../include/vstream.h master_wakeup.o: mail_server.h master_wakeup.o: master.h master_wakeup.o: master_wakeup.c +master_watch.o: ../../include/msg.h +master_watch.o: ../../include/mymalloc.h +master_watch.o: ../../include/sys_defs.h +master_watch.o: master.h +master_watch.o: master_watch.c multi_server.o: ../../include/chroot_uid.h multi_server.o: ../../include/debug_process.h multi_server.o: ../../include/events.h diff --git a/postfix/src/master/master.h b/postfix/src/master/master.h index dfc87941e..9c807c381 100644 --- a/postfix/src/master/master.h +++ b/postfix/src/master/master.h 
@@ -184,6 +184,35 @@ extern void master_delete_children(MASTER_SERV *); extern void master_flow_init(void); extern int master_flow_pipe[2]; + /* + * master_watch.c + * + * Support to warn about main.cf parameters that can only be initialized but + * not updated, and to initialize or update data structures that derive + * values from main.cf parameters. + */ +typedef struct { + const char *name; /* parameter name */ + char **value; /* current main.cf value */ + char **backup; /* actual value that is being used */ + int flags; /* see below */ + void (*notify) (void); /* init or update data structure */ +} MASTER_STR_WATCH; + +typedef struct { + const char *name; /* parameter name */ + int *value; /* current main.cf value */ + int backup; /* actual value that is being used */ + int flags; /* see below */ + void (*notify) (void); /* init or update data structure */ +} MASTER_INT_WATCH; + +#define MASTER_WATCH_FLAG_UPDATABLE (1<<0) /* support update after init */ +#define MASTER_WATCH_FLAG_ISSET (1<<1) /* backup is initialized */ + +extern void master_str_watch(const MASTER_STR_WATCH *); +extern void master_int_watch(MASTER_INT_WATCH *); + /* DIAGNOSTICS /* BUGS /* SEE ALSO diff --git a/postfix/src/master/master_ent.c b/postfix/src/master/master_ent.c index edae67978..a520b7d2f 100644 --- a/postfix/src/master/master_ent.c +++ b/postfix/src/master/master_ent.c @@ -90,7 +90,7 @@ /* Global library. */ -#include +#include #include #include #include @@ -105,7 +105,7 @@ static char *master_path; /* config file name */ static VSTREAM *master_fp; /* config file pointer */ static int master_line; /* config file line number */ -static DOMAIN_LIST *master_disable; /* disabled services */ +static ARGV *master_disable; /* disabled service patterns */ static char master_blanks[] = " \t\r\n";/* field delimiters */ 
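Review bot: The two watch-table typedefs added to master.h look parallel but carry different mutability contracts that the header does not state: `MASTER_STR_WATCH` keeps `char **backup` and is passed as `const MASTER_STR_WATCH *`, while `MASTER_INT_WATCH` stores `int backup` inline and is passed non-const. With a const string table the `MASTER_WATCH_FLAG_ISSET` bit cannot be recorded in `flags`, so that flag presumably applies to the int table only; master_watch.c is not visible in this part of the patch, so this needs confirming. I would add a comment above the typedefs such as `/* MASTER_INT_WATCH tables are updated in place (backup, ISSET) and must not be const; MASTER_STR_WATCH state lives behind *backup. */`. The same comment should say who allocates and frees the string that `*backup` points to.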
@@ -136,7 +136,7 @@ void set_master_ent() master_line = 0; if (master_disable != 0) msg_panic("%s: service disable list still exists", myname); - master_disable = domain_list_init(MATCH_FLAG_PARENT, var_master_disable); + master_disable = match_service_init(var_master_disable); } /* end_master_ent - close configuration file */ @@ -152,7 +152,7 @@ void end_master_ent() master_fp = 0; if (master_disable == 0) msg_panic("%s: no service disable list", myname); - domain_list_free(master_disable); + match_service_free(master_disable); master_disable = 0; } @@ -284,7 +284,7 @@ MASTER_SERV *get_master_ent() name = cp; transport = get_str_ent(&bufp, "transport type", (char *) 0); vstring_sprintf(junk, "%s.%s", name, transport); - } while (domain_list_match(master_disable, vstring_str(junk)) != 0); + } while (match_service_match(master_disable, vstring_str(junk)) != 0); /* * Parse one logical line from the configuration file. Initialize service diff --git a/postfix/src/master/master_vars.c b/postfix/src/master/master_vars.c index 21420431a..3e9b77861 100644 --- a/postfix/src/master/master_vars.c +++ b/postfix/src/master/master_vars.c 
@@ -51,109 +51,6 @@ int var_proc_limit; int var_throttle_time; char *var_master_disable; - /* - * Support to warn about main.cf parameters that can only be initialized but - * not updated, and to initialize or update data structures that derive - * values from main.cf parameters. Add similar code if we also need to - * monitor non-string parameters. - */ -typedef struct MASTER_VARS_STR_WATCH { - const char *name; /* parameter name */ - char **value; /* current main.cf value */ - char **backup; /* actual value that is being used */ - int flags; /* see below */ - void (*assign) (void); /* init or update data structure */ -} MASTER_VARS_STR_WATCH; - -typedef struct MASTER_VARS_INT_WATCH { - const char *name; /* parameter name */ - int *value; /* current main.cf value */ - int *backup; /* actual value that is being used */ - int flags; /* see below */ - void (*assign) (void); /* init or update data structure */ -} MASTER_VARS_INT_WATCH; - -#define MASTER_VARS_WATCH_FLAG_UPDATE (1<<0) /* support update after init */ -#define MASTER_VARS_WATCH_FLAG_ISSET (1<<1) /* backup is initialized */ - -/* master_vars_str_watch - watch string-valued parameters for change */ - -static void master_vars_str_watch(MASTER_VARS_STR_WATCH *str_watch_table) -{ - MASTER_VARS_STR_WATCH *wp; - - for (wp = str_watch_table; wp->name != 0; wp++) { - - /* - * Detect changes to monitored parameter values. If a change is - * supported, we discard the backed up value and update it to the - * current value later. Otherwise we complain. 
- */ - if (wp->backup[0] != 0 - && strcmp(wp->backup[0], wp->value[0]) != 0) { - if ((wp->flags & MASTER_VARS_WATCH_FLAG_UPDATE) == 0) { - msg_warn("ignoring %s parameter value change", wp->name); - msg_warn("old value: \"%s\", new value: \"%s\"", - wp->backup[0], wp->value[0]); - msg_warn("to change %s, stop and start Postfix", wp->name); - } else { - myfree(wp->backup[0]); - wp->backup[0] = 0; - } - } - - /* - * Initialize the backed up parameter value, or update if it this - * parameter supports updates after initialization. Optionally assign - * the parameter value to an application-specific data structure. - */ - if (wp->backup[0] == 0) { - if (wp->assign != 0) - wp->assign(); - wp->backup[0] = mystrdup(wp->value[0]); - } - } -} - -/* master_vars_int_watch - watch integer-valued parameters for change */ - -static void master_vars_int_watch(MASTER_VARS_INT_WATCH *str_watch_table) -{ - MASTER_VARS_INT_WATCH *wp; - - for (wp = str_watch_table; wp->name != 0; wp++) { - - /* - * Detect changes to monitored parameter values. If a change is - * supported, we discard the backed up value and update it to the - * current value later. Otherwise we complain. - */ - if ((wp->flags & MASTER_VARS_WATCH_FLAG_ISSET) != 0 - && wp->backup[0] != wp->value[0]) { - if ((wp->flags & MASTER_VARS_WATCH_FLAG_UPDATE) == 0) { - msg_warn("ignoring %s parameter value change", wp->name); - msg_warn("old value: \"%d\", new value: \"%d\"", - wp->backup[0], wp->value[0]); - msg_warn("to change %s, stop and start Postfix", wp->name); - } else { - wp->flags &= ~MASTER_VARS_WATCH_FLAG_ISSET; - } - } - - /* - * Initialize the backed up parameter value, or update if it this - * parameter supports updates after initialization. Optionally assign - * the parameter value to an application-specific data structure. 
- */ - if ((wp->flags & MASTER_VARS_WATCH_FLAG_ISSET) == 0) { - if (wp->assign != 0) - wp->assign(); - wp->flags |= MASTER_VARS_WATCH_FLAG_ISSET; - wp->backup[0] = wp->value[0]; - } - } -} - /* master_vars_init - initialize from global Postfix configuration file */ void master_vars_init(void) @@ -175,18 +72,13 @@ void master_vars_init(void) static char *saved_inet_protocols; static char *saved_queue_dir; static char *saved_config_dir; - static MASTER_VARS_STR_WATCH str_watch_table[] = { + static const MASTER_STR_WATCH str_watch_table[] = { VAR_CONFIG_DIR, &var_config_dir, &saved_config_dir, 0, 0, VAR_QUEUE_DIR, &var_queue_dir, &saved_queue_dir, 0, 0, VAR_INET_PROTOCOLS, &var_inet_protocols, &saved_inet_protocols, 0, 0, /* XXX Add inet_interfaces here after this code is burned in. */ 0, }; - static int saved_inet_windowsize; - static MASTER_VARS_INT_WATCH int_watch_table[] = { - VAR_INET_WINDOW, &var_inet_windowsize, &saved_inet_windowsize, 0, 0, - 0, - }; /* * Flush existing main.cf settings, so that we handle deleted main.cf @@ -205,6 +97,5 @@ void master_vars_init(void) /* * Look for parameter changes that require special attention. */ - master_vars_str_watch(str_watch_table); - master_vars_int_watch(int_watch_table); + master_str_watch(str_watch_table); } diff --git a/postfix/src/master/master_watch.c b/postfix/src/master/master_watch.c new file mode 100644 index 000000000..1af26fe71 --- /dev/null +++ b/postfix/src/master/master_watch.c 
@@ -0,0 +1,151 @@ +/*++ +/* NAME +/* master_watch 3 +/* SUMMARY +/* Postfix master - monitor main.cf changes +/* SYNOPSIS +/* #include "master.h" +/* +/* void master_str_watch(str_watch_table) +/* const MASTER_STR_WATCH *str_watch_table; +/* +/* void master_int_watch(int_watch_table) +/* MASTER_INT_WATCH *int_watch_table; +/* DESCRIPTION +/* The Postfix master daemon is a long-running process. After +/* main.cf is changed, some parameter changes may require that +/* master data structures be recomputed. +/* +/* Unfortunately, some main.cf changes cannot be applied +/* on-the-fly, either because they require killing off existing +/* child processes and thus disrupt service, or because the +/* necessary support for on-the-fly data structure update has +/* not yet been implemented. Such main.cf changes trigger a +/* warning that they require that Postfix be stopped and +/* restarted. +/* +/* This module provides functions that monitor selected main.cf +/* parameters for change. The operation of these functions is +/* controlled by tables that specify the parameter name, the +/* current parameter value, a historical parameter value, +/* optional flags, and an optional notify call-back function. +/* +/* master_str_watch() monitors string-valued parameters for +/* change, and master_int_watch() does the same for integer-valued +/* parameters. Note that master_int_watch() needs read-write +/* access to its argument table, while master_str_watch() needs +/* read-only access only. +/* +/* The functions log a warning when a parameter value has +/* changed after re-reading main.cf, but the parameter is not +/* flagged in the MASTER_*_WATCH table as "updatable" with +/* MASTER_WATCH_FLAG_UPDATABLE. +/* +/* If the parameter has a notify call-back function, then the +/* function is called after main.cf is read for the first time. +/* If the parameter is flagged as "updatable", then the function +/* is also called when the parameter value changes after +/* re-reading main.cf. 
+/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +/* System library. */ + +#include +#include +#include + +/* Utility library. */ + +#include +#include + +/* Application-specific. */ + +#include "master.h" + +/* master_str_watch - watch string-valued parameters for change */ + +void master_str_watch(const MASTER_STR_WATCH *str_watch_table) +{ + const MASTER_STR_WATCH *wp; + + for (wp = str_watch_table; wp->name != 0; wp++) { + + /* + * Detect changes to monitored parameter values. If a change is + * supported, we discard the backed up value and update it to the + * current value later. Otherwise we complain. + */ + if (wp->backup[0] != 0 + && strcmp(wp->backup[0], wp->value[0]) != 0) { + if ((wp->flags & MASTER_WATCH_FLAG_UPDATABLE) == 0) { + msg_warn("ignoring %s parameter value change", wp->name); + msg_warn("old value: \"%s\", new value: \"%s\"", + wp->backup[0], wp->value[0]); + msg_warn("to change %s, stop and start Postfix", wp->name); + } else { + myfree(wp->backup[0]); + wp->backup[0] = 0; + } + } + + /* + * Initialize the backed up parameter value, or update it if this + * parameter supports updates after initialization. Optionally + * notify the application that this parameter has changed. + */ + if (wp->backup[0] == 0) { + if (wp->notify != 0) + wp->notify(); + wp->backup[0] = mystrdup(wp->value[0]); + } + } +} + +/* master_int_watch - watch integer-valued parameters for change */ + +void master_int_watch(MASTER_INT_WATCH *int_watch_table) +{ + MASTER_INT_WATCH *wp; + + for (wp = int_watch_table; wp->name != 0; wp++) { + + /* + * Detect changes to monitored parameter values. If a change is + * supported, we discard the backed up value and update it to the + * current value later. Otherwise we complain. 
+ */ + if ((wp->flags & MASTER_WATCH_FLAG_ISSET) != 0 + && wp->backup != wp->value[0]) { + if ((wp->flags & MASTER_WATCH_FLAG_UPDATABLE) == 0) { + msg_warn("ignoring %s parameter value change", wp->name); + msg_warn("old value: \"%d\", new value: \"%d\"", + wp->backup, wp->value[0]); + msg_warn("to change %s, stop and start Postfix", wp->name); + } else { + wp->flags &= ~MASTER_WATCH_FLAG_ISSET; + } + } + + /* + * Initialize the backed up parameter value, or update if it this + * parameter supports updates after initialization. Optionally + * notify the application that this parameter has changed. + */ + if ((wp->flags & MASTER_WATCH_FLAG_ISSET) == 0) { + if (wp->notify != 0) + wp->notify(); + wp->flags |= MASTER_WATCH_FLAG_ISSET; + wp->backup = wp->value[0]; + } + } +} diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index f8ec4fdcc..ba6b0a66a 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -197,6 +197,9 @@ static SMTP_SESSION *smtp_connect_addr(const char *destination, DNS_RR *addr, if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) msg_fatal("%s: socket: %m", myname); + if (inet_windowsize > 0) + set_inet_windowsize(sock, inet_windowsize); + /* * Allow the sysadmin to specify the source address, for example, as "-o * smtp_bind_address=x.x.x.x" in the master.cf file. diff --git a/postfix/src/smtpstone/smtp-sink.c b/postfix/src/smtpstone/smtp-sink.c index cfba4d05d..dfa3fab2d 100644 --- a/postfix/src/smtpstone/smtp-sink.c +++ b/postfix/src/smtpstone/smtp-sink.c 
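Review bot: In master_str_watch() and master_int_watch(), the non-updatable branch logs "ignoring %s parameter value change" but leaves `wp->value[0]` holding the new main.cf value; only the backup keeps the old one. Whether the rest of master reads the var_* globals again after a reload is not visible in this file, so the message may claim more than the code enforces. At minimum, document that in the DESCRIPTION block or above the warning, for example `/* Advisory only: *wp->value already holds the new setting; the old one survives only in the backup. */`. Separately, the second comment in master_int_watch() still reads "update if it this parameter", which the string variant corrects to "update it if this parameter".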
@@ -151,6 +151,10 @@ /* .IP "\fB-t \fItimeout\fR (default: 100)" /* Limit the time for receiving a command or sending a response. /* The time limit is specified in seconds. +/* .IP "\fB-T \fIwindowsize\fR" +/* Override the default TCP window size. To work around +/* broken TCP window scaling implementations, specify a +/* value > 0 and < 65536. /* .IP "\fB-u \fIusername\fR" /* Switch to the specified user privileges after opening the /* network socket and optionally changing the process root @@ -1395,7 +1399,7 @@ int main(int argc, char **argv) /* * Parse JCL. */ - while ((ch = GETOPT(argc, argv, "468aA:cCd:D:eEf:Fh:Ln:m:M:pPq:Q:r:R:s:S:t:u:vw:W:")) > 0) { + while ((ch = GETOPT(argc, argv, "468aA:cCd:D:eEf:Fh:Ln:m:M:pPq:Q:r:R:s:S:t:T:u:vw:W:")) > 0) { switch (ch) { case '4': protocols = INET_PROTO_NAME_IPV4; @@ -1490,6 +1494,10 @@ int main(int argc, char **argv) if ((var_tmout = atoi(optarg)) <= 0) msg_fatal("bad timeout: %s", optarg); break; + case 'T': + if ((inet_windowsize = atoi(optarg)) <= 0) + msg_fatal("bad TCP window size: %s", optarg); + break; case 'u': user_privs = optarg; break; diff --git a/postfix/src/smtpstone/smtp-source.c b/postfix/src/smtpstone/smtp-source.c index a2231e94e..58b38ecef 100644 --- a/postfix/src/smtpstone/smtp-source.c +++ b/postfix/src/smtpstone/smtp-source.c @@ -79,6 +79,10 @@ /* Send mail with the named subject line (default: none). /* .IP "\fB-t \fIto\fR" /* Use the specified recipient address (default: ). +/* .IP "\fB-T \fIwindowsize\fR" +/* Override the default TCP window size. To work around +/* broken TCP window scaling implementations, specify a +/* value > 0 and < 65536. /* .IP \fB-v\fR /* Make the program more verbose, for debugging purposes. /* .IP "\fB-w \fIinterval\fR" 
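Review bot: The new `case 'T':` in smtp-sink.c takes whatever atoi() makes of the argument, so input with trailing garbage such as `8192x` is accepted and an out-of-range number has undefined results. The value goes straight into the SO_SNDBUF/SO_RCVBUF calls made by set_inet_windowsize(), so a stricter parse is cheap insurance: `if (!alldig(optarg) || (inet_windowsize = atoi(optarg)) <= 0)`, assuming the stringops declarations are already in scope in this file. A strtol() call with an errno and end-pointer check would also cover overflow. The same pattern is added to smtp-source.c at `@@ -1001,6 +1007,10 @@`; main() starts and ends outside both hunks.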
@@ -460,6 +464,8 @@ static void start_connect(SESSION *session) session->stream = vstream_fdopen(fd, O_RDWR); event_enable_write(fd, connect_done, (char *) session); smtp_timeout_setup(session->stream, var_timeout); + if (inet_windowsize > 0) + set_inet_windowsize(fd, inet_windowsize); if (sane_connect(fd, sa, sa_length) < 0 && errno != EINPROGRESS) fail_connect(session); } @@ -922,7 +928,7 @@ int main(int argc, char **argv) /* * Parse JCL. */ - while ((ch = GETOPT(argc, argv, "46AcC:df:F:l:Lm:M:Nor:R:s:S:t:vw:")) > 0) { + while ((ch = GETOPT(argc, argv, "46AcC:df:F:l:Lm:M:Nor:R:s:S:t:T:vw:")) > 0) { switch (ch) { case '4': protocols = INET_PROTO_NAME_IPV4; @@ -1001,6 +1007,10 @@ int main(int argc, char **argv) case 't': recipient = optarg; break; + case 'T': + if ((inet_windowsize = atoi(optarg)) <= 0) + msg_fatal("bad TCP window size: %s", optarg); + break; case 'v': msg_verbose++; break; diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in index fca6be2ec..3db912c7e 100644 --- a/postfix/src/util/Makefile.in +++ b/postfix/src/util/Makefile.in @@ -31,7 +31,7 @@ SRCS = alldig.c allprint.c argv.c argv_split.c attr_clnt.c attr_print0.c \ vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \ write_buf.c write_wait.c sane_basename.c format_tv.c allspace.c \ allascii.c load_file.c killme_after.c vstream_tweak.c upass_connect.c \ - upass_listen.c upass_trigger.c edit_file.c + upass_listen.c upass_trigger.c edit_file.c inet_windowsize.c OBJS = alldig.o allprint.o argv.o argv_split.o attr_clnt.o attr_print0.o \ attr_print64.o attr_print_plain.o attr_scan0.o attr_scan64.o \ attr_scan_plain.o auto_clnt.o base64_code.o basename.o binhash.o \ 
@@ -64,7 +64,7 @@ OBJS = alldig.o allprint.o argv.o argv_split.o attr_clnt.o attr_print0.o \ vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \ write_buf.o write_wait.o sane_basename.o format_tv.o allspace.o \ allascii.o load_file.o killme_after.o vstream_tweak.o upass_connect.o \ - upass_listen.o upass_trigger.o edit_file.o + upass_listen.o upass_trigger.o edit_file.o inet_windowsize.o HDRS = argv.h attr.h attr_clnt.h auto_clnt.h base64_code.h binhash.h \ chroot_uid.h cidr_match.h clean_env.h connect.h ctable.h dict.h \ dict_cdb.h dict_cidr.h dict_db.h dict_dbm.h dict_env.h dict_ht.h \ @@ -1137,6 +1137,10 @@ inet_trigger.o: msg.h inet_trigger.o: mymalloc.h inet_trigger.o: sys_defs.h inet_trigger.o: trigger.h +inet_windowsize.o: inet_windowsize.c +inet_windowsize.o: iostuff.h +inet_windowsize.o: msg.h +inet_windowsize.o: sys_defs.h killme_after.o: killme_after.c killme_after.o: killme_after.h killme_after.o: sys_defs.h diff --git a/postfix/src/util/connect.h b/postfix/src/util/connect.h index a115e5744..40987dc72 100644 --- a/postfix/src/util/connect.h +++ b/postfix/src/util/connect.h @@ -24,8 +24,6 @@ extern int inet_connect(const char *, int, int); extern int stream_connect(const char *, int, int); extern int upass_connect(const char *, int, int); -extern int inet_windowsize; - /* LICENSE /* .ad /* .fi diff --git a/postfix/src/util/inet_connect.c b/postfix/src/util/inet_connect.c index f531329ff..51bd13930 100644 --- a/postfix/src/util/inet_connect.c +++ b/postfix/src/util/inet_connect.c @@ -16,7 +16,7 @@ /* inet_connect connects to a TCP listener at /* the specified address, and returns the resulting file descriptor. /* -/* Specify an inet_windowsize value > 0 to override the default +/* Specify an inet_windowsize value > 0 to override the TCP /* window size that the client advertises to the server. /* /* Arguments: 
@@ -149,14 +149,8 @@ static int inet_connect_one(struct addrinfo * res, int block_mode, int timeout) /* * Window scaling workaround. */ - if (inet_windowsize > 0) { - if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, (char *) &inet_windowsize, - sizeof(inet_windowsize)) < 0) - msg_warn("setsockopt SO_SNDBUF %d: %m", inet_windowsize); - if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (char *) &inet_windowsize, - sizeof(inet_windowsize)) < 0) - msg_warn("setsockopt SO_RCVBUF %d: %m", inet_windowsize); - } + if (inet_windowsize > 0) + set_inet_windowsize(sock, inet_windowsize); /* * Timed connect. diff --git a/postfix/src/util/inet_listen.c b/postfix/src/util/inet_listen.c index b5a463c6c..a9153ac75 100644 --- a/postfix/src/util/inet_listen.c +++ b/postfix/src/util/inet_listen.c @@ -22,8 +22,8 @@ /* /* inet_accept() accepts a connection and sanitizes error results. /* -/* Specify an inet_windowsize value > 0 to override the default -/* TCP window size that the server advertises to the server. +/* Specify an inet_windowsize value > 0 to override the TCP +/* window size that the server advertises to the client. /* /* Arguments: /* .IP addr @@ -145,12 +145,12 @@ int inet_listen(const char *addr, int backlog, int block_mode) if ((sock = socket(res->ai_family, res->ai_socktype, 0)) < 0) msg_fatal("socket: %m"); #ifdef HAS_IPV6 -#if defined(IPV6_V6ONLY) && !defined(BROKEN_AI_PASSIVE_NULL_HOST) +# if defined(IPV6_V6ONLY) && !defined(BROKEN_AI_PASSIVE_NULL_HOST) if (res->ai_family == AF_INET6 && setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, (char *) &on, sizeof(on)) < 0) msg_fatal("setsockopt(IPV6_V6ONLY): %m"); -#endif +# endif #endif if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *) &on, sizeof(on)) < 0) 
@@ -160,16 +160,10 @@ int inet_listen(const char *addr, int backlog, int block_mode) &hostaddr, &portnum, 0); msg_fatal("bind %s port %s: %m", hostaddr.buf, portnum.buf); } - if (inet_windowsize > 0) { - if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, (char *) &inet_windowsize, - sizeof(inet_windowsize)) < 0) - msg_warn("setsockopt SO_SNDBUF %d: %m", inet_windowsize); - if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (char *) &inet_windowsize, - sizeof(inet_windowsize)) < 0) - msg_warn("setsockopt SO_RCVBUF %d: %m", inet_windowsize); - } freeaddrinfo(res0); non_blocking(sock, block_mode); + if (inet_windowsize > 0) + set_inet_windowsize(sock, inet_windowsize); if (listen(sock, backlog) < 0) msg_fatal("listen: %m"); return (sock); diff --git a/postfix/src/util/inet_windowsize.c b/postfix/src/util/inet_windowsize.c new file mode 100644 index 000000000..cbe3a8b93 --- /dev/null +++ b/postfix/src/util/inet_windowsize.c 
@@ -0,0 +1,79 @@ +/*++ +/* NAME +/* inet_windowsize 3 +/* SUMMARY +/* TCP window scaling control +/* SYNOPSIS +/* #include +/* +/* int inet_windowsize; +/* +/* void set_inet_windowsize(sock, windowsize) +/* int sock; +/* int windowsize; +/* DESCRIPTION +/* set_inet_windowsize() overrides the default TCP window size +/* with the specified value. When called before listen() or +/* accept(), this works around broken infrastructure that +/* mis-handles TCP window scaling options. +/* +/* The global inet_windowsize variable is available for other +/* routines to remember that they wish to override the default +/* TCP window size. The variable is not accessed by the +/* set_inet_windowsize() function itself. +/* +/* Arguments: +/* .IP sock +/* TCP communication endpoint, before the connect(2) or listen(2) call. +/* .IP windowsize +/* The preferred TCP window size. This must be > 0. +/* DIAGNOSTICS +/* Panic: interface violation. +/* Warnings: some error return from setsockopt(). +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +/* System libraries. */ + +#include +#include + +/* Utility library. */ + +#include +#include + +/* Application storage. */ + +int inet_windowsize; + +/* set_inet_windowsize - set TCP send/receive window size */ + +void set_inet_windowsize(int sock, int windowsize) +{ + + /* + * Sanity check. + */ + if (windowsize <= 0) + msg_panic("inet_windowsize: bad window size %d", windowsize); + + /* + * Generic implementation: set the send and receive buffer size before + * listen() or connect(). 
+ */ + if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, (char *) &windowsize, + sizeof(windowsize)) < 0) + msg_warn("setsockopt SO_SNDBUF %d: %m", windowsize); + if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (char *) &windowsize, + sizeof(windowsize)) < 0) + msg_warn("setsockopt SO_RCVBUF %d: %m", windowsize); +} diff --git a/postfix/src/util/iostuff.h b/postfix/src/util/iostuff.h index 8d3c7a5ca..da0955c66 100644 --- a/postfix/src/util/iostuff.h +++ b/postfix/src/util/iostuff.h @@ -36,6 +36,9 @@ extern int unix_send_fd(int, int); extern ssize_t dummy_read(int, void *, size_t, int, void *); extern ssize_t dummy_write(int, void *, size_t, int, void *); +extern int inet_windowsize; +extern void set_inet_windowsize(int, int); + #define BLOCKING 0 #define NON_BLOCKING 1 diff --git a/postfix/src/util/listen.h b/postfix/src/util/listen.h index c499c0341..8a9041547 100644 --- a/postfix/src/util/listen.h +++ b/postfix/src/util/listen.h @@ -31,8 +31,6 @@ extern int unix_accept(int); extern int stream_accept(int); extern int upass_accept(int); -extern int inet_windowsize; - /* LICENSE /* .ad /* .fi
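Review bot: The DESCRIPTION in the new inet_windowsize.c says the call works "when called before listen() or accept()", but the argument text and the code comment both say before connect(2) or listen(2). The header block should read `/* with the specified value. When called before listen() or` followed by `/* connect(), this works around broken infrastructure that`, since (as far as I can tell) the buffer size has to be in place before the handshake for the workaround to take effect. The sanity-check panic also names `inet_windowsize:` rather than the function; `msg_panic("set_inet_windowsize: bad window size %d", windowsize);` would point at the right caller contract.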