From b9df75b70d0a9cc6c4caf0d3db822b270a02052f Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Sun, 16 Jan 2011 00:00:00 -0500
Subject: [PATCH] postfix-2.9-20110116

---
 postfix/HISTORY                           |  14 +
 postfix/README_FILES/POSTSCREEN_README    |  59 ++-
 postfix/RELEASE_NOTES                     | 426 +---------------------
 postfix/RELEASE_NOTES-2.8                 | 352 ++++++++++++++++++
 postfix/html/POSTSCREEN_README.html       |  56 ++-
 postfix/html/dnsblog.8.html               |   5 +-
 postfix/html/postconf.5.html              |  21 +-
 postfix/html/postscreen.8.html            | 217 ++++++-----
 postfix/man/man5/postconf.5               |  23 +-
 postfix/man/man8/dnsblog.8                |  10 +-
 postfix/man/man8/postscreen.8             |  83 +++--
 postfix/proto/POSTSCREEN_README.html      |  56 ++-
 postfix/proto/postconf.proto              |  21 +-
 postfix/src/dnsblog/dnsblog.c             |   8 +-
 postfix/src/global/mail_version.h         |   4 +-
 postfix/src/postscreen/postscreen.c       |  75 ++--
 postfix/src/postscreen/postscreen_send.c  |  26 +-
 postfix/src/postscreen/postscreen_smtpd.c |  80 ++--
 18 files changed, 835 insertions(+), 701 deletions(-)
 create mode 100644 postfix/RELEASE_NOTES-2.8

diff --git a/postfix/HISTORY b/postfix/HISTORY
index c2947e853..5551d5577 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -16457,3 +16457,17 @@ Apologies for any names omitted.
 	now configurable, in case someone needs this. Files:
 	global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
 	proto/postconf.proto.
+
+20110116
+
+	Cleanup: soft_bounce support for postscreen(8). Files:
+	postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.
+
+	Cleanup: for smtpd(8) compatibility, postscreen(8) now
+	strips deprecated route address prefixes from email addresses
+	(@here,@there:user@example becomes user@example). This is
+	primarily to make postscreen(8) logging more similar to
+	that of smtpd(8). File: postscreen/postscreen_smtpd.c.
+
+	Cleanup: documentation, in preparation for the Postfix 2.8
+	stable release.
diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README
index 0f83617ae..5e55a0289 100644
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@@ -13,15 +13,14 @@ postscreen(8) should not be used on SMTP ports that receive mail from end-user
 clients (MUAs). In a typical deployment, postscreen(8) is used on the "port 25"
 service, while MUA clients submit mail via the submission service.
 
-postscreen(8) is the first layer in a multi-layer defense.
+postscreen(8) is part of a multi-layer defense.
 
-  * The postscreen(8) layer blocks connections from zombies and other spambots
-    that are responsible for about 90% of all spam. It is implemented as a
-    single process to make this defense as cheap as possible.
+  * As the first layer, postscreen(8) blocks connections from zombies and other
+    spambots that are responsible for about 90% of all spam. It is implemented
+    as a single process to make this defense as cheap as possible.
 
-  * The second layer implements more complex SMTP-level access checks that are
-    available with Postfix SMTP servers, policy daemons, and Milter
-    applications.
+  * The second layer implements more complex SMTP-level access checks with
+    Postfix SMTP servers, policy daemons, and Milter applications.
 
   * The third layer performs light-weight content inspection with the Postfix
     built-in header_checks and body_checks. This can block unacceptable
@@ -482,14 +481,29 @@ TTuurrnniinngg oonn ppoossttssccrreeeenn((88)) wwiitth
 To enable the postscreen(8) service and log client information without blocking
 mail:
 
- 1. Comment out the "smtp inet ... smtpd" service in master.cf, including any
+ 1. Make sure that local clients and systems with non-standard SMTP
+    implementations are excluded from any postscreen(8) tests. The default is
+    to exclude all clients in mynetworks. To exclude additional clients, for
+    example, third-party performance monitoring tools (these tend to have
+    broken SMTP implementations):
+
+    /etc/postfix/main.cf:
+        # Exclude broken clients by whitelisting. Clients in mynetworks
+        # should always be whitelisted.
+        postscreen_access_list = permit_mynetworks,
+            cidr:/etc/postfix/postscreen_access.cidr
+
+    /etc/postfix/postscreen_access.cidr:
+        192.168.254.0/24 permit
+
+ 2. Comment out the "smtp inet ... smtpd" service in master.cf, including any
     "-o parameter=value" entries that follow.
 
     /etc/postfix/master.cf:
         #smtp      inet  n       -       n       -       -       smtpd
         #    -o parameter=value ...
 
- 2. Uncomment the new "smtpd pass ... smtpd" service in master.cf, and
+ 3. Uncomment the new "smtpd pass ... smtpd" service in master.cf, and
     duplicate any "-o parameter=value" entries from the smtpd service that was
     commented out in step 1.
 
@@ -497,24 +511,24 @@ mail:
         smtpd     pass  -       -       n       -       -       smtpd
             -o parameter=value ...
 
- 3. Uncomment the new "smtp inet ... postscreen" service in master.cf.
+ 4. Uncomment the new "smtp inet ... postscreen" service in master.cf.
 
     /etc/postfix/master.cf:
         smtp      inet  n       -       n       -       1       postscreen
 
- 4. Uncomment the new "tlsproxy unix ... tlsproxy" service in master.cf. This
+ 5. Uncomment the new "tlsproxy unix ... tlsproxy" service in master.cf. This
     service implements STARTTLS support for postscreen(8).
 
     /etc/postfix/master.cf:
         tlsproxy  unix  -       -       n       -       0       tlsproxy
 
- 5. Uncomment the new "dnsblog unix ... dnsblog" service in master.cf. This
+ 6. Uncomment the new "dnsblog unix ... dnsblog" service in master.cf. This
     service does DNSBL lookups for postscreen(8) and logs results.
 
     /etc/postfix/master.cf:
         dnsblog   unix  -       -       n       -       0       dnsblog
 
- 6. To enable DNSBL lookups, list some DNS blocklist sites in main.cf,
+ 7. To enable DNSBL lookups, list some DNS blocklist sites in main.cf,
     separated by whitespace. Different sites can have different weights. For
     example:
 
@@ -537,7 +551,7 @@ mail:
     run postmap(1) before the file can be used, and that it does not detect
     changes after the file is read. It is new with Postfix version 2.8.
 
- 7. Read the new configuration with "postfix reload".
+ 8. Read the new configuration with "postfix reload".
 
 Notes:
 
@@ -549,9 +563,6 @@ Notes:
   * See "Tests before the 220 SMTP server greeting" for details about the
     logging from these postscreen(8) tests.
 
-  * By default, postscreen(8) whitelists all clients in mynetworks. This is a
-    safety feature to avoid you from getting into trouble with local users.
-
   * If you run Postfix 2.6 or earlier you must stop and start the master daemon
     ("postfix stop; postfix start"). This is needed because the Postfix "pass"
     master service type did not work reliably on all systems.
@@ -575,6 +586,20 @@ those same parameter overrides for the postscreen(8) and tlsproxy(8) services.
 
 BBlloocckkiinngg mmaaiill wwiitthh ppoossttssccrreeeenn((88))
 
+For compatibility with smtpd(8), postscreen(8) implements the soft_bounce
+safety feature. This causes Postfix to reject mail with a "try again" reply
+code.
+
+  * To turn this on for all of Postfix, specify "soft_bounce = yes" in main.cf.
+
+  * To turn this on for postscreen(8) only, append "-o soft_bounce=yes" (note:
+    NO SPACES around '=') to the postscreen entry in master.cf.
+
+Execute "postfix reload" to make the change effective.
+
+After testing, do not forget to remove the soft_bounce feature, otherwise
+senders won't receive their non-delivery notification until many days later.
+
 To use the postscreen(8) service to block mail, edit main.cf and specify one or
 more of:
 
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 5ea4c491f..a9634df67 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,433 +1,15 @@
-The stable Postfix release is called postfix-2.7.x where 2=major
-release number, 7=minor release number, x=patchlevel.  The stable
+The stable Postfix release is called postfix-2.8.x where 2=major
+release number, 8=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 
 New features are developed in snapshot releases. These are called
-postfix-2.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-2.9-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
-If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
+If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
 before proceeding.
-
-Postscreen notes:
-=================
-
-To turn on postscreen, see "Configuring the postscreen(8) service"
-in the POSTSCREEN_README file. This allows you to run postscreen
-without blocking mail first.
-
-The code is rock solid, but the user interface has dozens of
-parameters, so it literally is like using a machine that has wires
-hanging out on all sides. This makes it possible to do research.
-The idea is to reduce the number of parameters once things settle
-down.
-
-NOTE: Some postscreen parameters implement stress-dependent behavior.
-This is supported only when the default value is stress-dependent
-(that is, the default looks like ${stress?XX}${stress:YY}, or it
-is the $name of an smtpd_xxx parameter with a stress-dependent
-default).  Other postscreen parameters always evaluate as if the
-stress value is equal to the empty string.
-
-Incompatibility with snapshot 20110111
-======================================
-
-For performance reasons the postscreen_access_list feature replaces
-the postscreen_whitelist_networks and postscreen_blacklist_networks
-features. CIDR-style access maps are some 100x faster than the code
-that implemented the postscreen_white/blacklist_networks support.
-It can match about 100 million CIDR patterns/second on a modern CPU,
-which is not blindingly fast but adequate for the near future.
-
-Major changes with snapshot 20110105
-====================================
-
-The SMTP server now supports contact information that is appended
-to "reject" responses. This includes SMTP server responses that
-aren't logged to the maillog file, such as responses to syntax
-errors, or unsupported commands.
-
-Example:
-   smtpd_reject_footer = For assistance, call 800-555-0101.
-
-Server response:
-   550-5.5.1 <user@example> Recipient address rejected: User unknown
-   550 5.5.1 For assistance, call 800-555-0101.
-
-This feature supports macro expansion ($client_address, $localtime,
-etc.), as documented in the postconf(5) manpage.
-
-This feature is also supported as postscreen_reject_footer using
-the same setting as smtpd_reject_footer by default.
-
-Incompatibility with snapshot 20110102
-======================================
-
-The smtpd_starttls_timeout default value is now stress-dependent.
-By default, TLS negotiations must now complete under overload in
-10s instead of 300s.
-
-The Postfix SMTP server now always re-computes the SASL mechanism
-list after successful completion of the STARTTLS command. Earlier
-versions only re-computed the mechanism list when the values of
-smtp_sasl_tls_security_options and smtp_sasl_security_options differ.
-This could produce incorrect results, because the Dovecot authentication
-server may change responses when the SMTP session is encrypted.
-
-Major changes with snapshot 20110102
-====================================
-
-STARTTLS support for the postscreen(8) daemon. This is implemented
-by a new tlsproxy(8) daemon that you will need to enable in master.cf
-(see POSTSCREEN_README for instructions).  tlsproxy(8) implements
-its own tlsproxy_mumble versions of TLS-related smtpd_mumble
-parameters. This leaves no confusion about which parameters will
-affect tlsproxy(8) behavior, but it adds another 25 parameters to
-the documentation.
-
-Major changes with snapshot 20101223
-====================================
-
-The new tls_disable_workarounds parameter specifies a list or
-bit-mask of OpenSSL bug work-arounds to disable. This may be necessary
-if one of the work-arounds enabled by default in OpenSSL proves to
-pose a security risk, or introduces an unexpected interoperability
-issue. Some bug work-arounds known to be problematic are disabled
-in the default value of the parameter when linked with an OpenSSL
-library that could be vulnerable. See postconf(5) and TLS_README
-for details.
-
-With "tls_preempt_cipherlist = yes" the Postfix SMTP server will
-choose its most preferred cipher that is supported (offered) by the
-client. This can lead to a more secure or performant cipher choice,
-but may also introduce interoperability problems when a client
-announces support for a cipher that does not work.  See postconf(5)
-and TLS_README for details.
-
-Major changes with snapshot 20101217
-====================================
-
-The lower-level code in the TLS engine was simplified by removing
-an unnecessary layer of data copying. OpenSSL now writes directly
-to the network. The difference in performance should be hardly
-noticeable.
-
-Incompatibility with snapshot 20101206
-======================================
-
-Postfix by default no longer adds a "To: undisclosed-recipients:;"
-header when no recipient specified in the message header.  The
-Internet mail RFCs have supported messages without recipient header
-for almost 10 years now. 
-
-For backwards compatibility, specify:
-
-/etc/postfix/main.cf
-   undisclosed_recipients_header = To: undisclosed-recipients:;
-
-Note: both the ":" and ";" are required.
-
-Incompatibility with snapshot 20101202
-======================================
-
-Postfix now reports a temporary delivery error when the result of
-virtual alias expansion would exceed the virtual_alias_recursion_limit
-or virtual_alias_expansion_limit. Previously, Postfix would silently
-drop the excess recipients and deliver the message.
-
-Incompatibility with snapshot 20101130
-======================================
-
-The postscreen(8) daemon now logs the client as [address]:port.
-The port helps to distinguish between simultaneous sessions from
-the same address, and the [] allow the same tool to be used with
-old and new format logfiles, without producing errors for IPv6.
-
-Major changes with snapshot 20101126
-====================================
-
-Support for address patterns in DNSBL and DNSWL lookup results. 
-
-For example, "reject_rbl_client example.com=127.0.0.[2,4,6..8]"
-will reject clients when the lookup result is 127.0.0.2, 127.0.0.4,
-127.0.0.6, 127.0.0.7, or 127.0.0.8.
-
-The setting "postscreen_dnsbl_sites = example.com=127.0.0.[2,4,6..8]"
-rejects the same clients.
-
-An IPv4 address pattern has four fields separated by ".".  Each
-field is either a decimal number, or a sequence inside "[]" that
-contains one or more comma-separated decimal numbers or number..number
-ranges.
-
-Thus, any pattern field can be a sequence inside "[]", but a "[]"
-sequence cannot span multiple address fields, and a pattern field
-cannot contain both a number and a "[]" sequence at the same time.
-
-This means that the pattern 1.2.[3.4] is not valid (the sequence
-[3.4] cannot span two address fields) and the pattern 1.2.3.3[6..9]
-is also not valid (the last field cannot be both number 3 and
-sequence [6..9] at the same time).
-
-The syntax for IPv4 patterns is as follows:
-
-v4pattern = v4field "." v4field "." v4field "." v4field
-v4field = v4octet | "[" v4sequence "]"
-v4octet = any decimal number in the range 0 through 255
-v4sequence = v4seq_member | v4sequence "," v4seq_member
-v4seq_member = v4octet | v4octet ".." v4octet
-
-Major changes with snapshot 20101105
-====================================
-
-The Postfix SMTP server now supports DNS-based whitelisting with
-several safety features: permit_dnswl_client whitelists a client
-by IP address, and permit_rhswl_client whitelists a client by its
-hostname.  These features use the same syntax as reject_rbl_client
-and reject_rhsbl_client, respectively. The main difference is that
-they return PERMIT instead of REJECT.
-
-Whitelisting is primarily a tool to reduce the false positive rate
-of DNS blocklist lookups.  Client name whitelisting should not be
-used to make exceptions to access rules. The reason is that client
-name lookup can fail unpredictably due to some temporary outage.
-
-For safety reasons, permit_dnswl_client and permit_rhswl_client are
-silently ignored when they would override reject_unauth_destination.
-Also for safety reasons, the result is DEFER_IF_REJECT when DNS
-whitelist lookup fails (this result will be made configurable).
-
-Incompatibility with snapshot 20101103
-======================================
-
-Postfix now requests default delivery status notifications when
-adding a recipient with the Milter smfi_addrcpt action, instead of
-"never notify" as with Postfix automatically-added recipients
-(always_bcc and sender/recipient_bcc_maps).
-
-Incompatibility with snapshot 20101006
-======================================
-
-To avoid repeated delivery to mailing lists with pathological nested
-alias configurations, the local(8) delivery agent now keeps the
-owner-alias attribute of a parent alias, when delivering mail to a
-child alias that does not have its own owner alias.
-
-With this change, local addresses from that child alias will be
-written to a new queue file, and a temporary error with one local
-address will no longer result in repeated delivery to other mailing
-list members.  Specify "reset_owner_alias = yes" for the older,
-more fragile, behavior.
-
-The postconf(5) manpage entry for "reset_owner_alias" has more
-background information on this issue.
-
-Incompatibility with snapshot 20100912
-======================================
-
-- If your DNSBL queries have a "secret" in the domain name, you
-  must now censor this information from the postscreen(8) SMTP
-  replies.  For example:
-
-  /etc/postfix/main.cf:
-      postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
-
-  /etc/postfix/dnsbl_reply:
-      # Secret DNSBL name        Name in postscreen(8) replies
-      secret.zen.spamhaus.org    zen.spamhaus.org
-
-  The texthash: format is similar to hash: except that there is no need to
-  run postmap(1) before the file can be used, and that it does not detect
-  changes after the file is read. It is new with Postfix version 2.8.
-
-- The postscreen "continue" action is now called "ignore".  The old
-  name is still supported but no longer documented.
-
-- The postscreen_hangup_action parameter was removed. Postscreen
-  now always behaves as if "postscreen_hangup_action = drop".
-
-- The postscreen_cache_retention_time default was increased from
-  1d to 7d, to avoid deleting results from expensive deep SMTP
-  protocol tests too quickly.
-
-Major changes with snapshot 20100912
-====================================
-
-The main change is a new SMTP protocol engine for deep protocol
-tests, and for logging the helo/sender/recipient information when
-postscreen rejects an attempt to deliver mail.
-
-    CAUTION: when postscreen rejects mail, it replies with the DNSBL
-    domain name. Use the postscreen_dnsbl_reply_map feature to hide
-    "password" information in DNSBL domain names. See the poststconf(5)
-    manpage for a specific example.
-
-Deep protocol tests are implemented by a new SMTP protocol engine
-that defers or rejects all attempts to deliver mail. The first,
-test detects unauthorized SMTP command pipelining (an SMTP client
-sends multiple commands, instead of sending one command and waiting
-for the server response); a second deep protocol test implements
-the Postfix SMTP server's smtpd_forbidden_commands feature (a client
-sends commands such as CONNECT, GET, POST); and a third deep protocol
-test detects spambots that send SMTP commands that end in newline
-instead of carriage-return/newline.  Real spambots rarely make this
-mistake, but poorly-written software often does.
-
-Deep protocol tests are disabled by default, because the built-in
-SMTP engine cannot not hand off the "live" connection from a good
-SMTP client to a Postfix SMTP server process. Instead, postscreen(8)
-defers attempts to deliver mail with a 4XX status, and waits for
-the client to disconnect. The next time a good client connects,
-it will be allowed to talk to a Postfix SMTP server process to
-deliver mail.
-
-Incompatibility with snapshot 20100830
-======================================
-
-Use "postfix reload" after installing this code, otherwise the
-dnsblog(8) daemon may complain.  The postscreen-to-dnsblog protocol
-had to be changed to support DNSBL query result filters.
-
-Major changes with snapshot 20100830
-====================================
-
-Postscreen DNSBL support is extended with optional fixed-string
-filters, with optional integral weight factors, and with an adjustable
-threshold to block SMTP clients with DNSBL score >= that threshold.
-Support for wild-card patterns will be added later.
-
-The updated postscreen configuration syntax is:
-
-    postscreen_dnsbl_sites = domain[=ipaddr][*weight] ...
-    postscreen_dnsbl_threshold = score
-
-Elements inside [] are optional, ipaddr is an IPv4 address, and
-weight and score are integral numbers. The [] are not part of the
-postscreen_dnsbl_sites input.  By default, weight and score are
-equal to 1, and entries without filter will match any non-error
-DNSBL reply.  Use a negative weight value for whitelisting.
-
-Examples:
-
-To use example.com as a high-confidence blocklist, and to block
-mail with example.net and example.org only when both agree, use:
-
-    postscreen_dnsbl_threshold = 2
-    postscreen_dnsbl_sites = example.com*2, example.net, example.org
-
-To filter only DNSBL replies containing 127.0.0.4, use:
-
-    postscreen_dnsbl_sites = example.com=127.0.0.4
-
-See also postconf(5) for the fine details.
-
-Incompatibility with snapshot 20100827
-======================================
-
-The Postfix SMTP client no longer appends the local domain when
-looking up a DNS name without ".".  Specify "smtp_dns_resolver_options
-= res_defnames" to get the old behavior, which may produce unexpected
-results.
-
-Incompatibility with snapshot 20100728
-======================================
-
-The format of the "postfix/smtpd[pid]: queueid: client=host[addr]"
-logfile record has changed. When available, the before-filter client
-information and the before-filter queue ID are now appended to the
-end of the record.
-
-Major changes with snapshot 20100728
-====================================
-
-Improved message tracking across SMTP-based content filters.  The
-logging example below is from an after-filter SMTP server. Here,
-951F692462F is a before-filter queue ID, hades.porcupine.org is a
-before-filter SMTP client, while 6B4A9924782 is the after-filter
-queue ID, and localhost[127.0.0.1] is the SMTP-based content filter
-that sends mail into the after-filter SMTP server.
-
-    postfix/smtpd[4074]: 6B4A9924782: 
-	client=localhost[127.0.0.1],
-	orig_queue_id=951F692462F
-	orig_client=hades.porcupine.org[168.100.189.10]
-
-Incompatibility with snapshot 20100610
-======================================
- 
-Postfix no longer appends the system-supplied default CA certificates
-to the lists specified with *_tls_CAfile or with *_tls_CApath. This
-prevents third-party certificates from getting mail relay permission
-with the permit_tls_all_clientcerts feature.
- 
-Unfortunately this change may cause compatibility problems when
-configurations rely on certificate verification for other purposes.
-Specify "tls_append_default_CA = yes" for backwards compatibility.
-
-Incompatibility with snapshot 20100101
-======================================
-
-When periodic cache cleanup is enabled (the default), the postscreen(8)
-server now requires that the cache database supports the "delete"
-and "sequence" operations.  To disable periodic cache cleanup specify
-a zero postscreen_cache_cleanup_interval value.
-
-Major changes with snapshot 20100101
-====================================
-
-Periodic cache cleanup for the postscreen(8) cache database. The
-time between cache cleanup runs is controlled with the
-postscreen_cache_cleanup_interval (default: 12h) parameter.  Cache
-cleanup increases the database access latency, so this should not
-be run more often than necessary.
-
-In addition, the postscreen_cache_retention_time (default: 1d)
-parameter specifies how long to keep an expired entry in the cache.
-This prevents a client from being logged as "NEW" after its record
-expired only a little while ago.
-
-Incompatibility with snapshot 20091209
-======================================
-
-The postscreen daemon now checks the permanent whitelist before
-the permanent blacklist. This makes the whitelist easier to use
-for its intended purpose, which is to receive mail.
-
-Incompatibility with snapshot 20091008
-======================================
-
-NOTE: You must stop and start the Postfix master daemon before you
-can use the postscreen(8) daemon.  This is needed because the Postfix
-"pass" master service type did not work reliably on some systems.
-
-Major changes with snapshot 20091008
-====================================
-
-Prototype postscreen(8) server that runs a number of time-consuming
-checks in parallel for all incoming SMTP connections, before clients
-are allowed to talk to a real Postfix SMTP server.  It detects
-clients that start talking too soon, or clients that appear on DNS
-blocklists, or clients that hang up without sending any command.
-
-By doing these checks in a single postscreen(8) process, Postfix
-can avoid wasting one SMTP server process per connection. A side
-benefit of postscreen(8)'s DNSBL lookups is that DNS records are
-already cached before the Postfix SMTP server looks them up later.
-
-postscreen(8) maintains a temporary whitelist of positive decisions.
-Once an SMTP client is whitelisted, it is immediately forwarded
-to a real Postfix SMTP server process without further checking.
-
-By default, the program logs only statistics, and it does not run
-any checks on clients in mynetworks (primarily, to avoid problems
-with buggy SMTP implementations in network appliances).  The logging
-function alone is already useful for research.
-
-postscreen(8) has been tested on FreeBSD and Linux systems.  It
-probably needs additional work before it can be used on Solaris.
-
diff --git a/postfix/RELEASE_NOTES-2.8 b/postfix/RELEASE_NOTES-2.8
new file mode 100644
index 000000000..632904bf0
--- /dev/null
+++ b/postfix/RELEASE_NOTES-2.8
@@ -0,0 +1,352 @@
+The stable Postfix release is called postfix-2.8.x where 2=major
+release number, 8=minor release number, x=patchlevel.  The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.9-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day).  Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
+before proceeding.
+
+Major changes - DNSBL/DNSWL support
+-----------------------------------
+
+[Feature 20101126] Support for address patterns in DNSBL and DNSWL
+lookup results.
+
+For example, "reject_rbl_client example.com=127.0.0.[2,4,6..8]"
+will reject clients when the lookup result is 127.0.0.2, 127.0.0.4,
+127.0.0.6, 127.0.0.7, or 127.0.0.8.
+
+The setting "postscreen_dnsbl_sites = example.com=127.0.0.[2,4,6..8]"
+rejects the same clients.
+
+An IPv4 address pattern has four fields separated by ".".  Each
+field is either a decimal number, or a sequence inside "[]" that
+contains one or more comma-separated decimal numbers or number..number
+ranges.
+
+Thus, any pattern field can be a sequence inside "[]", but a "[]"
+sequence cannot span multiple address fields, and a pattern field
+cannot contain both a number and a "[]" sequence at the same time.
+
+This means that the pattern 1.2.[3.4] is not valid (the sequence
+[3.4] cannot span two address fields) and the pattern 1.2.3.3[6..9]
+is also not valid (the last field cannot be both number 3 and
+sequence [6..9] at the same time).
+
+The syntax for IPv4 patterns is as follows:
+
+v4pattern = v4field "." v4field "." v4field "." v4field
+v4field = v4octet | "[" v4sequence "]"
+v4octet = any decimal number in the range 0 through 255
+v4sequence = v4seq_member | v4sequence "," v4seq_member
+v4seq_member = v4octet | v4octet ".." v4octet
+
+[Feature 20101105] The Postfix SMTP server now supports DNS-based
+whitelisting with several safety features: permit_dnswl_client
+whitelists a client by IP address, and permit_rhswl_client whitelists
+a client by its hostname.  These features use the same syntax as
+reject_rbl_client and reject_rhsbl_client, respectively. The main
+difference is that they return PERMIT instead of REJECT.
+
+Whitelisting is primarily a tool to reduce the false positive rate
+of DNS blocklist lookups.  Client name whitelisting should not be
+used to make exceptions to access rules. The reason is that client
+name lookup can fail unpredictably due to some temporary outage.
+
+For safety reasons, permit_dnswl_client and permit_rhswl_client are
+silently ignored when they would override reject_unauth_destination.
+Also for safety reasons, the result is DEFER_IF_REJECT when DNS
+whitelist lookup fails (this result will be made configurable).
+
+Major changes - Milter suppport
+-------------------------------
+
+[Incompat 20101103] Postfix now requests default delivery status
+notifications when adding a recipient with the Milter smfi_addrcpt
+action, instead of "never notify" as with Postfix automatically-added
+recipients (always_bcc and sender/recipient_bcc_maps).
+
+Major changes - alias expansion
+-------------------------------
+
+[Incompat 20101202] Postfix now reports a temporary delivery error
+when the result of virtual alias expansion would exceed the
+virtual_alias_recursion_limit or virtual_alias_expansion_limit.
+Previously, Postfix would silently drop the excess recipients and
+deliver the message.
+
+[Incompat 20101006] To avoid repeated delivery to mailing lists
+with pathological nested alias configurations, the local(8) delivery
+agent now keeps the owner-alias attribute of a parent alias, when
+delivering mail to a child alias that does not have its own owner
+alias.
+
+With this change, local addresses from that child alias will be
+written to a new queue file, and a temporary error with one local
+address will no longer result in repeated delivery to other mailing
+list members.  Specify "reset_owner_alias = yes" for the older,
+more fragile, behavior.
+
+The postconf(5) manpage entry for "reset_owner_alias" has more
+background information on this issue.
+
+Major changes - dns lookup
+--------------------------
+
+[Incompat 20100827] The Postfix SMTP client no longer appends the
+local domain when looking up a DNS name without ".".  Specify
+"smtp_dns_resolver_options = res_defnames" to get the old behavior,
+which may produce unexpected results.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20100728] The format of the "postfix/smtpd[pid]: queueid:
+client=host[addr]" logfile record has changed. When available, the
+before-filter client information and the before-filter queue ID are
+now appended to the end of the record.
+
+[Feature 20100728] Improved message tracking across SMTP-based
+content filters.  The logging example below is from an after-filter
+SMTP server. Here, 951F692462F is a before-filter queue ID,
+hades.porcupine.org is a before-filter SMTP client, while 6B4A9924782
+is the after-filter queue ID, and localhost[127.0.0.1] is the
+SMTP-based content filter that sends mail into the after-filter
+SMTP server.
+
+    postfix/smtpd[4074]: 6B4A9924782: 
+	client=localhost[127.0.0.1],
+	orig_queue_id=951F692462F
+	orig_client=hades.porcupine.org[168.100.189.10]
+
+Major changes - reply footer
+----------------------------
+
+[Feature 20110105] The SMTP server now supports contact information
+that is appended to "reject" responses. This includes SMTP server
+responses that aren't logged to the maillog file, such as responses
+to syntax errors, or unsupported commands.
+
+Example:
+   smtpd_reject_footer = For assistance, call 800-555-0101.
+
+Server response:
+   550-5.5.1 <user@example> Recipient address rejected: User unknown
+   550 5.5.1 For assistance, call 800-555-0101.
+
+This feature supports macro expansion ($client_address, $localtime,
+etc.), as documented in the postconf(5) manpage.
+
+This feature is also supported as postscreen_reject_footer using
+the same setting as smtpd_reject_footer by default.
+
+Major changes - rfc compliance
+------------------------------
+
+[Incompat 20101206] Postfix by default no longer adds a "To:
+undisclosed-recipients:;" header when no recipient specified in the
+message header.  The Internet mail RFCs have supported messages
+without recipient header for almost 10 years now.
+
+For backwards compatibility, specify:
+
+/etc/postfix/main.cf
+   undisclosed_recipients_header = To: undisclosed-recipients:;
+
+Note: both the ":" and ";" are required.
+
+Major changes - tls support
+---------------------------
+
+[Incompat 20110102] The Postfix SMTP server now always re-computes
+the SASL mechanism list after successful completion of the STARTTLS
+command. Earlier versions only re-computed the mechanism list when
+the values of smtp_sasl_tls_security_options and smtp_sasl_security_options
+differ.  This could produce incorrect results, because the Dovecot
+authentication server may change responses when the SMTP session
+is encrypted.
+
+[Incompat 20110102] The smtpd_starttls_timeout default value is now
+stress-dependent.  By default, TLS negotiations must now complete
+under overload in 10s instead of 300s.
+
+[Feature 20101223] The new tls_disable_workarounds parameter specifies
+a list or bit-mask of OpenSSL bug work-arounds to disable. This may
+be necessary if one of the work-arounds enabled by default in OpenSSL
+proves to pose a security risk, or introduces an unexpected
+interoperability issue. Some bug work-arounds known to be problematic
+are disabled in the default value of the parameter when linked with
+an OpenSSL library that could be vulnerable. See postconf(5) and
+TLS_README for details.
+
+With "tls_preempt_cipherlist = yes" the Postfix SMTP server will
+choose its most preferred cipher that is supported (offered) by the
+client. This can lead to a more secure or performant cipher choice,
+but may also introduce interoperability problems when a client
+announces support for a cipher that does not work.  See postconf(5)
+and TLS_README for details.
+
+[Feature 20101217] The lower-level code in the TLS engine was
+simplified by removing an unnecessary layer of data copying. OpenSSL
+now writes directly to the network. The difference in performance
+should be hardly noticeable.
+
+[Incompat 20100610] Postfix no longer appends the system-supplied
+default CA certificates to the lists specified with *_tls_CAfile
+or with *_tls_CApath. This prevents third-party certificates from
+getting mail relay permission with the permit_tls_all_clientcerts
+feature.
+
+Unfortunately this change may cause compatibility problems when
+configurations rely on certificate verification for other purposes.
+Specify "tls_append_default_CA = yes" for backwards compatibility.
+
+Major changes - postscreen
+--------------------------
+
+[Incompat 20110111] The postscreen_access_list feature replaces the
+postscreen_whitelist_networks and postscreen_blacklist_networks
+features. Reason: CIDR-style access maps are some 100x faster than
+the code that implemented the postscreen_white/blacklist_networks
+support.  CIDR maps can match about 100 million CIDR patterns/second
+on a modern CPU, which is not blindingly fast but adequate for the
+near future.
+
+[Feature 20110102] STARTTLS support for the postscreen(8) daemon.
+This is implemented by a new tlsproxy(8) daemon that you will need
+to enable in master.cf (see POSTSCREEN_README for instructions).
+tlsproxy(8) implements its own tlsproxy_mumble versions of TLS-related
+smtpd_mumble parameters. This leaves no confusion about which
+parameters will affect tlsproxy(8) behavior, but it adds another
+25 parameters to the documentation.
+
+[Incompat 20100912] If your DNSBL queries have a "secret" in the
+domain name, you must now censor this information from the postscreen(8)
+SMTP replies.  For example:
+
+  /etc/postfix/main.cf:
+      postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
+
+  /etc/postfix/dnsbl_reply:
+      # Secret DNSBL name        Name in postscreen(8) replies
+      secret.zen.spamhaus.org    zen.spamhaus.org
+
+The texthash: format is similar to hash: except that there is no need to
+run postmap(1) before the file can be used, and that it does not detect
+changes after the file is read. It is new with Postfix version 2.8.
+
+[Incompat 20100912] The postscreen "continue" action is now called
+"ignore".  The old name is still supported but no longer documented.
+
+[Incompat 20100912] The postscreen_hangup_action parameter was
+removed. Postscreen now always behaves as if "postscreen_hangup_action
+= drop".
+
+[Incompat 20100912] The postscreen_cache_retention_time default was
+increased from 1d to 7d, to avoid deleting results from expensive
+deep SMTP protocol tests too quickly.
+
+[Feature 20100912] SMTP protocol engine for deep protocol tests,
+and for logging the helo/sender/recipient information when postscreen
+rejects an attempt to deliver mail.
+
+The postscreen SMTP protocol engine implements a number of deep
+protocol tests and defers or rejects all attempts to deliver mail.
+The first test detects unauthorized SMTP command pipelining (an
+SMTP client sends multiple commands, instead of sending one command
+and waiting for the server response); a second deep protocol test
+implements the Postfix SMTP server's smtpd_forbidden_commands feature
+(a client sends commands such as CONNECT, GET, POST); and a third
+deep protocol test detects spambots that send SMTP commands that
+end in newline instead of carriage-return/newline.  Real spambots
+rarely make this mistake, but poorly-written software often does.
+
+Deep protocol tests are disabled by default, because the built-in
+SMTP engine cannot not hand off the "live" connection from a good
+SMTP client to a Postfix SMTP server process. To work around this,
+postscreen(8) defers attempts to deliver mail with a 4XX status,
+and waits for the client to disconnect. The next time a good client
+connects, it will be allowed to talk to a Postfix SMTP server process
+to deliver mail.
+
+[Feature 20100830] Postscreen DNSBL support is extended with optional
+fixed-string filters, with optional integral weight factors, and
+with an adjustable threshold to block SMTP clients with DNSBL score
+>= that threshold. Reply filters will be implemented later.
+
+The updated postscreen configuration syntax is:
+
+    postscreen_dnsbl_sites = domain[=ipaddr][*weight] ...
+    postscreen_dnsbl_threshold = score
+
+Elements inside [] are optional, ipaddr is an IPv4 address, and
+weight and score are integral numbers. The [] are not part of the
+postscreen_dnsbl_sites input.  By default, weight and score are
+equal to 1, and entries without filter will match any non-error
+DNSBL reply.  Use a negative weight value for whitelisting.
+
+Examples:
+
+To use example.com as a high-confidence blocklist, and to block
+mail with example.net and example.org only when both agree, use:
+
+    postscreen_dnsbl_threshold = 2
+    postscreen_dnsbl_sites = example.com*2, example.net, example.org
+
+To filter only DNSBL replies containing 127.0.0.4, use:
+
+    postscreen_dnsbl_sites = example.com=127.0.0.4
+
+See also postconf(5) for the fine details.
+
+[Incompat 20100101] When periodic cache cleanup is enabled (the
+default), the postscreen(8) server now requires that the cache
+database supports the "delete" and "sequence" operations.  To disable
+periodic cache cleanup specify a zero postscreen_cache_cleanup_interval
+value.
+
+[Feature 20100101] Periodic cache cleanup for the postscreen(8)
+cache database. The time between cache cleanup runs is controlled
+with the postscreen_cache_cleanup_interval (default: 12h) parameter.
+Cache cleanup increases the database access latency, so this should
+not be run more often than necessary.
+
+In addition, the postscreen_cache_retention_time (default: 1d)
+parameter specifies how long to keep an expired entry in the cache.
+This prevents a client from being logged as "NEW" after its record
+expired only a little while ago.
+
+[Incompat 20091008] If you upgrade from Postfix 2.6 or earlier, you
+must stop and start the Postfix master daemon before you can use
+the postscreen(8) daemon.  This is needed because the Postfix 2.6
+"pass" master service type did not work reliably on some systems.
+
+[Feature 20091008] Prototype postscreen(8) server that runs a number
+of time-consuming checks in parallel for all incoming SMTP connections,
+before clients are allowed to talk to a real Postfix SMTP server.
+It detects clients that start talking too soon, or clients that
+appear on DNS blocklists, or clients that hang up without sending
+any command.
+
+By doing these checks in a single postscreen(8) process, Postfix
+can avoid wasting one SMTP server process per connection. A side
+benefit of postscreen(8)'s DNSBL lookups is that DNS records are
+already cached before the Postfix SMTP server looks them up later.
+
+postscreen(8) maintains a temporary whitelist of positive decisions.
+Once an SMTP client is whitelisted, it is immediately forwarded to
+a real Postfix SMTP server process without further checking.
+
+By default, the program logs only statistics, and it does not run
+any checks on clients in mynetworks (primarily, to avoid problems
+with buggy SMTP implementations in network appliances).  The logging
+function alone is already useful for research.
+
diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html
index 6dd5799de..11a28a55d 100644
--- a/postfix/html/POSTSCREEN_README.html
+++ b/postfix/html/POSTSCREEN_README.html
@@ -28,18 +28,18 @@ mail from end-user clients (MUAs). In a typical deployment,
 <a href="postscreen.8.html">postscreen(8)</a> is used on the "port 25" service, while MUA clients
 submit mail via the submission service. </p>
 
-<p> <a href="postscreen.8.html">postscreen(8)</a> is the first layer in a multi-layer defense. <p>
+<p> <a href="postscreen.8.html">postscreen(8)</a> is part of a multi-layer defense. <p>
 
 <ul>
 
-<li> <p> The <a href="postscreen.8.html">postscreen(8)</a> layer blocks connections from zombies
-and other spambots that are responsible for about 90% of all spam.
-It is implemented as a single process to make this defense as cheap
-as possible. </p>
+<li> <p> As the first layer, <a href="postscreen.8.html">postscreen(8)</a> blocks connections from
+zombies and other spambots that are responsible for about 90% of
+all spam.  It is implemented as a single process to make this defense
+as cheap as possible. </p>
 
 <li> <p> The second layer implements more complex SMTP-level access
-checks that are available with Postfix SMTP servers, policy daemons,
-and Milter applications. </p>
+checks with Postfix SMTP servers, policy daemons, and Milter
+applications. </p>
 
 <li> <p> The third layer performs light-weight content inspection
 with the Postfix built-in <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>. This can
@@ -672,6 +672,23 @@ without blocking mail: </p>
 
 <ol>
 
+<li> <p> Make sure that local clients and systems with non-standard
+SMTP implementations are excluded from any <a href="postscreen.8.html">postscreen(8)</a> tests. The
+default is to exclude all clients in <a href="postconf.5.html#mynetworks">mynetworks</a>. To exclude additional
+clients, for example, third-party performance monitoring tools (these
+tend to have broken SMTP implementations): </p>
+
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    # Exclude broken clients by whitelisting. Clients in <a href="postconf.5.html#mynetworks">mynetworks</a>
+    # should always be whitelisted.
+    <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, 
+        <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr
+
+/etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>:
+    192.168.254.0/24 permit
+</pre>
+
 <li> <p> Comment out the "<tt>smtp  inet ... smtpd</tt>" service
 in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries
 that follow.  </p>
@@ -768,10 +785,6 @@ string. </p>
 greeting</a>" for details about the logging from these postscreen(8)
 tests. </p>
 
-<li> <p> By default, <a href="postscreen.8.html">postscreen(8)</a> whitelists all clients in
-<a href="postconf.5.html#mynetworks">mynetworks</a>.  This is a safety feature to avoid you from getting
-into trouble with local users. </p>
-
 <li> <p> If you run Postfix 2.6 or earlier you must stop and start
 the master daemon ("<tt>postfix stop; postfix start</tt>").  This
 is needed because the Postfix "pass" master service type did not
@@ -802,6 +815,27 @@ services. </p>
 
 <h3> <a name="blocking"> Blocking mail with postscreen(8) </a> </h3>
 
+<p> For compatibility with <a href="smtpd.8.html">smtpd(8)</a>, <a href="postscreen.8.html">postscreen(8)</a> implements the
+<a href="postconf.5.html#soft_bounce">soft_bounce</a> safety feature. This causes Postfix to reject mail with
+a "try again" reply code. </p>
+
+<ul> 
+
+<li> <p> To turn this on for all of Postfix, specify "<tt><a href="postconf.5.html#soft_bounce">soft_bounce</a>
+= yes</tt>" in <a href="postconf.5.html">main.cf</a>. </p>
+
+<li> <p> To turn this on for <a href="postscreen.8.html">postscreen(8)</a> only, append "<tt>-o
+<a href="postconf.5.html#soft_bounce">soft_bounce</a>=yes</tt>" (note: NO SPACES around '=') to the postscreen
+entry in <a href="master.5.html">master.cf</a>. <p>
+
+</ul>
+
+<p> Execute "<tt>postfix reload</tt>" to make the change effective. </p>
+
+<p> After testing, do not forget to remove the <a href="postconf.5.html#soft_bounce">soft_bounce</a> feature,
+otherwise senders won't receive their non-delivery notification
+until many days later.  </p>
+
 <p> To use the <a href="postscreen.8.html">postscreen(8)</a> service to block mail, edit <a href="postconf.5.html">main.cf</a> and
 specify one or more of: </p>
 
diff --git a/postfix/html/dnsblog.8.html b/postfix/html/dnsblog.8.html
index ab257ea38..85de63982 100644
--- a/postfix/html/dnsblog.8.html
+++ b/postfix/html/dnsblog.8.html
@@ -14,10 +14,11 @@ DNSBLOG(8)                                                          DNSBLOG(8)
 
 <b>DESCRIPTION</b>
        The   <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a>   server   implements   an   ad-hoc   DNS
-       white/blacklist lookup service  that  will  eventually  be
+       white/blacklist lookup service.  This  may  eventually  be
        replaced  by an UDP client that is built directly into the
        <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
 
+<b>PROTOCOL</b>
        With each connection, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server receives a DNS
        white/blacklist  domain  name  and  an  IP address. If the
        address is listed under the DNS white/blacklist, the  <b>dns-</b>
@@ -84,7 +85,7 @@ DNSBLOG(8)                                                          DNSBLOG(8)
        software.
 
 <b>HISTORY</b>
-       This service is temporary with Postfix version 2.7.
+       This service was introduced with Postfix version 2.8.
 
 <b>AUTHOR(S)</b>
        Wietse Venema
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index cc3f97dc6..b879d0a45 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -6634,7 +6634,7 @@ and enabled instances are processed in reverse order. </p>
 <DT><b><a name="postscreen_access_list">postscreen_access_list</a>
 (default: <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b></DT><DD>
 
-<p> Permanent white/blacklist for remote SMTP client IP addresses;
+<p> Permanent white/blacklist for remote SMTP client IP addresses.
 <a href="postscreen.8.html">postscreen(8)</a> searches this list immediately after a remote SMTP
 client connects.  Specify a comma- or whitespace-separated list of
 commands (in upper or lower case) or lookup tables. The search stops
@@ -6664,10 +6664,12 @@ server process. </dd>
 the search. Subject the client to the action configured with the
 <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> configuration parameter. </dd>
 
-<dt> <b> dunno </b> </dt> <dd> When used inside a lookup table,
-return from the lookup table and evaluate the next command.  <br>
-When used outside a lookup table, terminate the search, and subject
-the client to the configured before/after 220 greeting tests. </dd>
+<dt> <b> dunno </b> </dt> <dd> All <a href="postscreen.8.html">postscreen(8)</a> access lists
+implicitly have this command at the end. <br> When <b> dunno </b>
+is executed inside a lookup table, return from the lookup table and
+evaluate the next command.  <br> When <b> dunno </b> is executed
+outside a lookup table, terminate the search, and subject the client
+to the configured before/after 220 greeting tests. </dd>
 
 </dl>
 
@@ -6762,8 +6764,8 @@ one-letter suffix that specifies the time unit).  Time units: s
 (default: ignore)</b></DT><DD>
 
 <p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client is
-permanently blacklisted with the <a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a>
-parameter.  Specify one of the following: </p>
+permanently blacklisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter.
+Specify one of the following: </p>
 
 <dl>
 
@@ -6885,9 +6887,8 @@ See <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> for
 <DT><b><a name="postscreen_command_time_limit">postscreen_command_time_limit</a>
 (default: ${stress?10}${stress:300}s)</b></DT><DD>
 
-<p> The command "read" time limit for <a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP
-protocol engine. This bounds the time to receive an entire command.
-</p>
+<p> The time limit to read an entire command line with <a href="postscreen.8.html">postscreen(8)</a>'s
+built-in SMTP protocol engine. </p>
 
 <p> This feature is available in Postfix 2.8.  </p>
 
diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html
index a26bf621a..7b459f768 100644
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@@ -71,84 +71,100 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        Problems and transactions are logged to <b>syslogd</b>(8).
 
 <b>BUGS</b>
-       The  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  server  does  not  yet  implement  the
-       <b><a href="postconf.5.html#soft_bounce">soft_bounce</a></b> feature.
-
-       The  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine currently
-       does not announce support for AUTH, XCLIENT  or  XFORWARD.
-       Support  for AUTH may be added in the future.  In the mean
+       The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine  currently
+       does  not  announce support for AUTH, XCLIENT or XFORWARD.
+       Support for AUTH may be added in the future.  In the  mean
        time, if you need to make these services available on port
-       25,  then  do  not  enable  the optional "after 220 server
+       25, then do not enable  the  optional  "after  220  server
        greeting" tests.
 
-       The optional "after 220  server  greeting"  tests  involve
-       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s  built-in SMTP protocol engine. When these
+       The  optional  "after  220  server greeting" tests involve
+       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When  these
        tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo-
-       rary  whitelist but it cannot not hand off the "live" con-
-       nection to a Postfix SMTP server process in the middle  of
-       a  session.   Instead,  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  defers  attempts to
-       deliver mail with a 4XX status, and waits for  the  client
-       to  disconnect.   The next time a good client connects, it
-       will be allowed to talk to a Postfix SMTP  server  process
-       to  deliver  mail.  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  mitigates the impact of
-       this limitation by giving such  tests  a  long  expiration
+       rary whitelist but it cannot not hand off the "live"  con-
+       nection  to a Postfix SMTP server process in the middle of
+       a session.   Instead,  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  defers  attempts  to
+       deliver  mail  with a 4XX status, and waits for the client
+       to disconnect.  The next time a good client  connects,  it
+       will  be  allowed to talk to a Postfix SMTP server process
+       to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  mitigates  the  impact  of
+       this  limitation  by  giving  such tests a long expiration
        time.
 
 <b>CONFIGURATION PARAMETERS</b>
-       Changes  to  <a href="postconf.5.html">main.cf</a>  are  not picked up automatically, as
-       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for  several  hours.   Use
+       Changes to <a href="postconf.5.html">main.cf</a> are not  picked  up  automatically,  as
+       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  processes  may  run for several hours.  Use
        the command "postfix reload" after a configuration change.
 
-       The text below provides  only  a  parameter  summary.  See
+       The  text  below  provides  only  a parameter summary. See
        <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
 
        NOTE:  Some  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  parameters  implement  stress-
-       dependent behavior.   This  is  supported  only  when  the
-       default  parameter  value is stress-dependent (that is, it
-       looks like ${stress?X}${stress:Y}, or it is the  $<i>name</i>  of
+       dependent  behavior.   This  is  supported  only  when the
+       default parameter value is stress-dependent (that  is,  it
+       looks  like  ${stress?X}${stress:Y}, or it is the $<i>name</i> of
        an  smtpd  parameter  with  a  stress-dependent  default).
-       Other parameters always evaluate as if the <b>stress</b>  parame-
+       Other  parameters always evaluate as if the <b>stress</b> parame-
        ter value is the empty string.
 
 <b>COMPATIBILITY CONTROLS</b>
        <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b>
-              A  mechanism to transform commands from remote SMTP
+              A mechanism to transform commands from remote  SMTP
               clients.
 
        <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a>  ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_dis</a>-</b>
        <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">card_ehlo_keyword_address_maps</a>)</b>
-              Lookup tables, indexed by the  remote  SMTP  client
-              address,  with  case insensitive lists of EHLO key-
-              words (pipelining, starttls, auth, etc.)  that  the
-              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  server  will  not  send  in the EHLO
+              Lookup  tables,  indexed  by the remote SMTP client
+              address, with case insensitive lists of  EHLO  key-
+              words  (pipelining,  starttls, auth, etc.) that the
+              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will  not  send  in  the  EHLO
               response to a remote SMTP client.
 
        <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_key</a>-</b>
        <b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">words</a>)</b>
-              A case insensitive list of EHLO keywords  (pipelin-
-              ing,  starttls,  auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
-              server will not send in  the  EHLO  response  to  a
+              A  case insensitive list of EHLO keywords (pipelin-
+              ing, starttls, auth, etc.) that  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+              server  will  not  send  in  the EHLO response to a
               remote SMTP client.
 
-<b>BEFORE-GREETING TRIAGE</b>
-       <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
-              The  name  of  the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in mas-
-              ter.cf.
+<b>TROUBLE SHOOTING CONTROLS</b>
+       <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
+              List  of   characters   that   are   permitted   in
+              <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.
+
+       <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
+              Optional  information  that is appended after a 4XX
+              or 5XX server response.
+
+       <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
+              Safety net to keep mail queued that would otherwise
+              be returned to the sender.
+
+<b>PERMANENT WHITE/BLACKLIST TEST</b>
+       This  test  is  executed  immediately  after a remote SMTP
+       client connects. If a client is  permanently  whitelisted,
+       the  client  will  be  handed off immediately to a Postfix
+       SMTP server process.
 
        <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
               Permanent white/blacklist for remote SMTP client IP
-              addresses; <a href="postscreen.8.html"><b>postscreen</b>(8)</a> searches this list immedi-
-              ately after a remote SMTP client connects.
+              addresses.
 
        <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
-              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes  when  an  SMTP
-              client   is   permanently   blacklisted   with  the
-              <a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a> parameter.
+              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+              client  is   permanently   blacklisted   with   the
+              <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter.
 
-       <b><a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a> (empty)</b>
-              Network addresses that are permanently blacklisted;
-              see  the  <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> parameter for
-              possible actions.
+<b>BEFORE-GREETING TESTS</b>
+       These  tests  are  executed  before the remote SMTP client
+       receives the "220 servername" greeting. If no tests remain
+       after  the successful completion of this phase, the client
+       will be handed off immediately to a  Postfix  SMTP  server
+       process.
+
+       <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
+              The  name  of  the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in mas-
+              ter.cf.
 
        <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
               The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes  when  an  SMTP
@@ -191,7 +207,18 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
               (default: up to 2 seconds under  stress,  up  to  6
               seconds otherwise).
 
-<b>AFTER-GREETING TRIAGE</b>
+       <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
+              The  internal  service  that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards
+              allowed connections to.
+
+<b>AFTER-GREETING TESTS</b>
+       These tests are executed  after  the  remote  SMTP  client
+       receives the "220 servername" greeting. If a client passes
+       all tests  during  this  phase,  it  will  receive  a  4XX
+       response  to  RCPT  TO commands until the client hangs up.
+       After this, the client will be allowed to talk directly to
+       a Postfix SMTP server process.
+
        <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
               The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
               client sends a bare newline character, that  is,  a
@@ -231,150 +258,136 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
               Enable  "pipelining"  SMTP  protocol  tests  in the
               <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
 
-<b>AFTER-TRIAGE CONTROLS</b>
-       <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
-              The internal service  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  forwards
-              allowed connections to.
-
 <b>CACHE CONTROLS</b>
        <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
-              The  amount  of  time  between  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache
+              The amount  of  time  between  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  cache
               cleanup runs.
 
        <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a>                   (btree:$data_direc-</b>
        <b>tory/postscreen_cache)</b>
-              Persistent storage  for  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  server
+              Persistent  storage  for  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server
               decisions.
 
        <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
               The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an
-              expired temporary  whitelist  entry  before  it  is
+              expired  temporary  whitelist  entry  before  it is
               removed.
 
        <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
-              The  amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
               result from a successful "bare newline" SMTP proto-
               col test.
 
        <b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
-              The  amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
               result from a successful DNS blocklist test.
 
        <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
-              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
+              The  amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
               result from a successful PREGREET test.
 
        <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
-              The  amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
-              result from a  successful  "non_smtp_command"  SMTP
+              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
+              result  from  a  successful "non_smtp_command" SMTP
               protocol test.
 
        <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
-              The  amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
               result from a successful "pipelining" SMTP protocol
               test.
 
 <b>RESOURCE CONTROLS</b>
        <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
-              Upon  input,  long lines are chopped up into pieces
-              of at most this length; upon delivery,  long  lines
+              Upon input, long lines are chopped up  into  pieces
+              of  at  most this length; upon delivery, long lines
               are reconstructed.
 
        <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a></b>
        <b>($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b>
-              How  many  simultaneous  connections  any client is
+              How many simultaneous  connections  any  client  is
               allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
 
        <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
-              The limit on the total number of commands per  SMTP
-              session  for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol
+              The  limit on the total number of commands per SMTP
+              session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP  protocol
               engine.
 
        <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b>
-              The command "read" time limit  for  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
-              built-in SMTP protocol engine.
+              The  time limit to read an entire command line with
+              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
 
        <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
-              The  number of clients that can be waiting for ser-
+              The number of clients that can be waiting for  ser-
               vice from a real SMTP server process.
 
        <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
-              The number of non-whitelisted clients that  can  be
-              waiting  for  a  decision whether they will receive
+              The  number  of non-whitelisted clients that can be
+              waiting for a decision whether  they  will  receive
               service from a real SMTP server process.
 
        <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
-              How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may  take  to
-              respond  to  an SMTP client command or to perform a
+              How  much  time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to
+              respond to an SMTP client command or to  perform  a
               cache operation before it is terminated by a built-
               in watchdog timer.
 
 <b>STARTTLS CONTROLS</b>
        <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
-              The  SMTP  TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
-              server; when a non-empty value is  specified,  this
+              The SMTP TLS security level for  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+              server;  when  a non-empty value is specified, this
               overrides       the       obsolete       parameters
               <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>.
 
        <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b>
-              The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry  in  mas-
+              The  name  of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in mas-
               ter.cf.
 
 <b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
-       These  parameters  are  supported  for  compatibility with
+       These parameters  are  supported  for  compatibility  with
        <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy parameters.
 
        <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
-              Opportunistic TLS:  announce  STARTTLS  support  to
-              SMTP  clients,  but do not require that clients use
+              Opportunistic  TLS:  announce  STARTTLS  support to
+              SMTP clients, but do not require that  clients  use
               TLS encryption.
 
        <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
-              Mandatory TLS: announce STARTTLS  support  to  SMTP
-              clients,  and  require that clients use TLS encryp-
+              Mandatory  TLS:  announce  STARTTLS support to SMTP
+              clients, and require that clients use  TLS  encryp-
               tion.
 
-<b>TROUBLE SHOOTING CONTROLS</b>
-       <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
-              List  of   characters   that   are   permitted   in
-              <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.
-
-       <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
-              Optional  information  that is appended after a 4XX
-              or 5XX server response.
-
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number  of  digits  after the decimal
+              The maximal number  of  digits  after  the  decimal
               point when logging sub-second delay values.
 
        <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
-              The location of  all  postfix  administrative  com-
+              The  location  of  all  postfix administrative com-
               mands.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount  of  time that an idle Postfix
-              daemon process waits  for  an  incoming  connection
+              The maximum amount of time  that  an  idle  Postfix
+              daemon  process  waits  for  an incoming connection
               before terminating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -387,12 +400,14 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>HISTORY</b>
-       Many  ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work
-       by Michael Tokarev, in OpenBSD spamd, and in  MailChannels
+       This service was introduced with Postfix version 2.8.
+
+       Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier  work
+       by  Michael Tokarev, in OpenBSD spamd, and in MailChannels
        Traffic Control.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 9f4b1f693..994b6b3ef 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -3729,7 +3729,7 @@ and enabled instances are processed in reverse order.
 .PP
 This feature is available in Postfix 2.6 and later.
 .SH postscreen_access_list (default: permit_mynetworks)
-Permanent white/blacklist for remote SMTP client IP addresses;
+Permanent white/blacklist for remote SMTP client IP addresses.
 \fBpostscreen\fR(8) searches this list immediately after a remote SMTP
 client connects.  Specify a comma- or whitespace-separated list of
 commands (in upper or lower case) or lookup tables. The search stops
@@ -3757,11 +3757,16 @@ Blacklist the client and terminate
 the search. Subject the client to the action configured with the
 postscreen_blacklist_action configuration parameter.
 .IP "\fB dunno \fR"
-When used inside a lookup table,
-return from the lookup table and evaluate the next command.
+All \fBpostscreen\fR(8) access lists
+implicitly have this command at the end.
 .br
-When used outside a lookup table, terminate the search, and subject
-the client to the configured before/after 220 greeting tests.
+When \fB dunno \fR
+is executed inside a lookup table, return from the lookup table and
+evaluate the next command.
+.br
+When \fB dunno \fR is executed
+outside a lookup table, terminate the search, and subject the client
+to the configured before/after 220 greeting tests.
 .PP
 Example:
 .PP
@@ -3827,8 +3832,8 @@ one-letter suffix that specifies the time unit).  Time units: s
 This feature is available in Postfix 2.8.
 .SH postscreen_blacklist_action (default: ignore)
 The action that \fBpostscreen\fR(8) takes when an SMTP client is
-permanently blacklisted with the postscreen_blacklist_networks
-parameter.  Specify one of the following:
+permanently blacklisted with the postscreen_access_list parameter.
+Specify one of the following:
 .IP "\fBignore\fR (default)"
 Ignore  this result. Allow other tests to complete.  Repeat
 this test the next time the client connects.
@@ -3898,8 +3903,8 @@ See smtpd_command_filter for further details.
 .PP
 This feature is available in Postfix 2.8 and later.
 .SH postscreen_command_time_limit (default: ${stress?10}${stress:300}s)
-The command "read" time limit for \fBpostscreen\fR(8)'s built-in SMTP
-protocol engine. This bounds the time to receive an entire command.
+The time limit to read an entire command line with \fBpostscreen\fR(8)'s
+built-in SMTP protocol engine.
 .PP
 This feature is available in Postfix 2.8.
 .SH postscreen_disable_vrfy_command (default: $disable_vrfy_command)
diff --git a/postfix/man/man8/dnsblog.8 b/postfix/man/man8/dnsblog.8
index 358efa471..ca6660d8e 100644
--- a/postfix/man/man8/dnsblog.8
+++ b/postfix/man/man8/dnsblog.8
@@ -13,10 +13,14 @@ Postfix DNS white/blacklist logger
 .ad
 .fi
 The \fBdnsblog\fR(8) server implements an ad-hoc DNS
-white/blacklist lookup service that will eventually be
+white/blacklist lookup service. This may eventually be
 replaced by an UDP client that is built directly into the
 \fBpostscreen\fR(8) server.
-
+.SH "PROTOCOL"
+.na
+.nf
+.ad
+.fi
 With each connection, the \fBdnsblog\fR(8) server receives
 a DNS white/blacklist domain name and an IP address. If the
 address is listed under the DNS white/blacklist, the
@@ -80,7 +84,7 @@ The Secure Mailer license must be distributed with this software.
 .nf
 .ad
 .fi
-This service is temporary with Postfix version 2.7.
+This service was introduced with Postfix version 2.8.
 .SH "AUTHOR(S)"
 .na
 .nf
diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8
index 735e9a17b..84b85c23a 100644
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@@ -76,9 +76,6 @@ Problems and transactions are logged to \fBsyslogd\fR(8).
 .SH BUGS
 .ad
 .fi
-The \fBpostscreen\fR(8) server does not yet implement
-the \fBsoft_bounce\fR feature.
-
 The \fBpostscreen\fR(8) built-in SMTP protocol engine
 currently does not announce support for AUTH, XCLIENT or
 XFORWARD.
@@ -135,24 +132,46 @@ to a remote SMTP client.
 A case insensitive list of EHLO keywords (pipelining, starttls,
 auth, etc.) that the \fBpostscreen\fR(8) server will not send in the EHLO
 response to a remote SMTP client.
-.SH "BEFORE-GREETING TRIAGE"
+.SH "TROUBLE SHOOTING CONTROLS"
 .na
 .nf
 .ad
 .fi
-.IP "\fBdnsblog_service_name (dnsblog)\fR"
-The name of the \fBdnsblog\fR(8) service entry in master.cf.
+.IP "\fBpostscreen_expansion_filter (see 'postconf -d' output)\fR"
+List of characters that are permitted in postscreen_reject_footer
+attribute expansions.
+.IP "\fBpostscreen_reject_footer ($smtpd_reject_footer)\fR"
+Optional information that is appended after a 4XX or 5XX server
+response.
+.IP "\fBsoft_bounce (no)\fR"
+Safety net to keep mail queued that would otherwise be returned to
+the sender.
+.SH "PERMANENT WHITE/BLACKLIST TEST"
+.na
+.nf
+.ad
+.fi
+This test is executed immediately after a remote SMTP client
+connects. If a client is permanently whitelisted, the client
+will be handed off immediately to a Postfix SMTP server
+process.
 .IP "\fBpostscreen_access_list (permit_mynetworks)\fR"
-Permanent white/blacklist for remote SMTP client IP addresses;
-\fBpostscreen\fR(8) searches this list immediately after a remote SMTP
-client connects.
+Permanent white/blacklist for remote SMTP client IP addresses.
 .IP "\fBpostscreen_blacklist_action (ignore)\fR"
 The action that \fBpostscreen\fR(8) takes when an SMTP client is
-permanently blacklisted with the postscreen_blacklist_networks
-parameter.
-.IP "\fBpostscreen_blacklist_networks (empty)\fR"
-Network addresses that are permanently blacklisted; see the
-postscreen_blacklist_action parameter for possible actions.
+permanently blacklisted with the postscreen_access_list parameter.
+.SH "BEFORE-GREETING TESTS"
+.na
+.nf
+.ad
+.fi
+These tests are executed before the remote SMTP client
+receives the "220 servername" greeting. If no tests remain
+after the successful completion of this phase, the client
+will be handed off immediately to a Postfix SMTP server
+process.
+.IP "\fBdnsblog_service_name (dnsblog)\fR"
+The name of the \fBdnsblog\fR(8) service entry in master.cf.
 .IP "\fBpostscreen_dnsbl_action (ignore)\fR"
 The action that \fBpostscreen\fR(8) takes when an SMTP client's combined
 DNSBL score is equal to or greater than a threshold (as defined
@@ -184,11 +203,20 @@ The amount of time that \fBpostscreen\fR(8) will wait for an SMTP
 client to send a command before its turn, and for DNS blocklist
 lookup results to arrive (default: up to 2 seconds under stress,
 up to 6 seconds otherwise).
-.SH "AFTER-GREETING TRIAGE"
+.IP "\fBsmtpd_service_name (smtpd)\fR"
+The internal service that \fBpostscreen\fR(8) forwards allowed
+connections to.
+.SH "AFTER-GREETING TESTS"
 .na
 .nf
 .ad
 .fi
+These tests are executed after the remote SMTP client
+receives the "220 servername" greeting. If a client passes
+all tests during this phase, it will receive a 4XX response
+to RCPT TO commands until the client hangs up. After this,
+the client will be allowed to talk directly to a Postfix
+SMTP server process.
 .IP "\fBpostscreen_bare_newline_action (ignore)\fR"
 The action that \fBpostscreen\fR(8) takes when an SMTP client sends
 a bare newline character, that is, a newline not preceded by carriage
@@ -217,14 +245,6 @@ the server to respond.
 .IP "\fBpostscreen_pipelining_enable (no)\fR"
 Enable "pipelining" SMTP protocol tests in the \fBpostscreen\fR(8)
 server.
-.SH "AFTER-TRIAGE CONTROLS"
-.na
-.nf
-.ad
-.fi
-.IP "\fBsmtpd_service_name (smtpd)\fR"
-The internal service that \fBpostscreen\fR(8) forwards allowed
-connections to.
 .SH "CACHE CONTROLS"
 .na
 .nf
@@ -267,8 +287,8 @@ with the \fBpostscreen\fR(8) daemon.
 The limit on the total number of commands per SMTP session for
 \fBpostscreen\fR(8)'s built-in SMTP protocol engine.
 .IP "\fBpostscreen_command_time_limit (${stress?10}${stress:300}s)\fR"
-The command "read" time limit for \fBpostscreen\fR(8)'s built-in SMTP
-protocol engine.
+The time limit to read an entire command line with \fBpostscreen\fR(8)'s
+built-in SMTP protocol engine.
 .IP "\fBpostscreen_post_queue_limit ($default_process_limit)\fR"
 The number of clients that can be waiting for service from a
 real SMTP server process.
@@ -304,17 +324,6 @@ but do not require that clients use TLS encryption.
 .IP "\fBpostscreen_enforce_tls ($smtpd_enforce_tls)\fR"
 Mandatory TLS: announce STARTTLS support to SMTP clients, and
 require that clients use TLS encryption.
-.SH "TROUBLE SHOOTING CONTROLS"
-.na
-.nf
-.ad
-.fi
-.IP "\fBpostscreen_expansion_filter (see 'postconf -d' output)\fR"
-List of characters that are permitted in postscreen_reject_footer
-attribute expansions.
-.IP "\fBpostscreen_reject_footer ($smtpd_reject_footer)\fR"
-Optional information that is appended after a 4XX or 5XX server
-response.
 .SH "MISCELLANEOUS CONTROLS"
 .na
 .nf
@@ -368,6 +377,8 @@ The Secure Mailer license must be distributed with this software.
 .nf
 .ad
 .fi
+This service was introduced with Postfix version 2.8.
+
 Many ideas in \fBpostscreen\fR(8) were explored in earlier
 work by Michael Tokarev, in OpenBSD spamd, and in MailChannels
 Traffic Control.
diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html
index 1386efd02..cb7da2cc5 100644
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@@ -28,18 +28,18 @@ mail from end-user clients (MUAs). In a typical deployment,
 postscreen(8) is used on the "port 25" service, while MUA clients
 submit mail via the submission service. </p>
 
-<p> postscreen(8) is the first layer in a multi-layer defense. <p>
+<p> postscreen(8) is part of a multi-layer defense. <p>
 
 <ul>
 
-<li> <p> The postscreen(8) layer blocks connections from zombies
-and other spambots that are responsible for about 90% of all spam.
-It is implemented as a single process to make this defense as cheap
-as possible. </p>
+<li> <p> As the first layer, postscreen(8) blocks connections from
+zombies and other spambots that are responsible for about 90% of
+all spam.  It is implemented as a single process to make this defense
+as cheap as possible. </p>
 
 <li> <p> The second layer implements more complex SMTP-level access
-checks that are available with Postfix SMTP servers, policy daemons,
-and Milter applications. </p>
+checks with Postfix SMTP servers, policy daemons, and Milter
+applications. </p>
 
 <li> <p> The third layer performs light-weight content inspection
 with the Postfix built-in header_checks and body_checks. This can
@@ -672,6 +672,23 @@ without blocking mail: </p>
 
 <ol>
 
+<li> <p> Make sure that local clients and systems with non-standard
+SMTP implementations are excluded from any postscreen(8) tests. The
+default is to exclude all clients in mynetworks. To exclude additional
+clients, for example, third-party performance monitoring tools (these
+tend to have broken SMTP implementations): </p>
+
+<pre>
+/etc/postfix/main.cf:
+    # Exclude broken clients by whitelisting. Clients in mynetworks
+    # should always be whitelisted.
+    postscreen_access_list = permit_mynetworks, 
+        cidr:/etc/postfix/postscreen_access.cidr
+
+/etc/postfix/postscreen_access.cidr:
+    192.168.254.0/24 permit
+</pre>
+
 <li> <p> Comment out the "<tt>smtp  inet ... smtpd</tt>" service
 in master.cf, including any "<tt>-o parameter=value</tt>" entries
 that follow.  </p>
@@ -768,10 +785,6 @@ string. </p>
 greeting</a>" for details about the logging from these postscreen(8)
 tests. </p>
 
-<li> <p> By default, postscreen(8) whitelists all clients in
-mynetworks.  This is a safety feature to avoid you from getting
-into trouble with local users. </p>
-
 <li> <p> If you run Postfix 2.6 or earlier you must stop and start
 the master daemon ("<tt>postfix stop; postfix start</tt>").  This
 is needed because the Postfix "pass" master service type did not
@@ -802,6 +815,27 @@ services. </p>
 
 <h3> <a name="blocking"> Blocking mail with postscreen(8) </a> </h3>
 
+<p> For compatibility with smtpd(8), postscreen(8) implements the
+soft_bounce safety feature. This causes Postfix to reject mail with
+a "try again" reply code. </p>
+
+<ul> 
+
+<li> <p> To turn this on for all of Postfix, specify "<tt>soft_bounce
+= yes</tt>" in main.cf. </p>
+
+<li> <p> To turn this on for postscreen(8) only, append "<tt>-o
+soft_bounce=yes</tt>" (note: NO SPACES around '=') to the postscreen
+entry in master.cf. <p>
+
+</ul>
+
+<p> Execute "<tt>postfix reload</tt>" to make the change effective. </p>
+
+<p> After testing, do not forget to remove the soft_bounce feature,
+otherwise senders won't receive their non-delivery notification
+until many days later.  </p>
+
 <p> To use the postscreen(8) service to block mail, edit main.cf and
 specify one or more of: </p>
 
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index eea3a2892..4e6df6662 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -12831,7 +12831,7 @@ IP address. </p>
 
 %PARAM postscreen_access_list permit_mynetworks
 
-<p> Permanent white/blacklist for remote SMTP client IP addresses;
+<p> Permanent white/blacklist for remote SMTP client IP addresses.
 postscreen(8) searches this list immediately after a remote SMTP
 client connects.  Specify a comma- or whitespace-separated list of
 commands (in upper or lower case) or lookup tables. The search stops
@@ -12861,10 +12861,12 @@ server process. </dd>
 the search. Subject the client to the action configured with the
 postscreen_blacklist_action configuration parameter. </dd>
 
-<dt> <b> dunno </b> </dt> <dd> When used inside a lookup table,
-return from the lookup table and evaluate the next command.  <br>
-When used outside a lookup table, terminate the search, and subject
-the client to the configured before/after 220 greeting tests. </dd>
+<dt> <b> dunno </b> </dt> <dd> All postscreen(8) access lists
+implicitly have this command at the end. <br> When <b> dunno </b>
+is executed inside a lookup table, return from the lookup table and
+evaluate the next command.  <br> When <b> dunno </b> is executed
+outside a lookup table, terminate the search, and subject the client
+to the configured before/after 220 greeting tests. </dd>
 
 </dl>
 
@@ -12900,8 +12902,8 @@ value to disable this feature.  </p>
 %PARAM postscreen_blacklist_action ignore
 
 <p> The action that postscreen(8) takes when an SMTP client is
-permanently blacklisted with the postscreen_blacklist_networks
-parameter.  Specify one of the following: </p>
+permanently blacklisted with the postscreen_access_list parameter.
+Specify one of the following: </p>
 
 <dl>
 
@@ -13178,9 +13180,8 @@ and error commands.  </p>
 
 %PARAM postscreen_command_time_limit ${stress?10}${stress:300}s
 
-<p> The command "read" time limit for postscreen(8)'s built-in SMTP
-protocol engine. This bounds the time to receive an entire command.
-</p>
+<p> The time limit to read an entire command line with postscreen(8)'s
+built-in SMTP protocol engine. </p>
 
 <p> This feature is available in Postfix 2.8.  </p>
 
diff --git a/postfix/src/dnsblog/dnsblog.c b/postfix/src/dnsblog/dnsblog.c
index 09cb18d37..89d1f0df7 100644
--- a/postfix/src/dnsblog/dnsblog.c
+++ b/postfix/src/dnsblog/dnsblog.c
@@ -7,10 +7,12 @@
 /*	\fBdnsblog\fR [generic Postfix daemon options]
 /* DESCRIPTION
 /*	The \fBdnsblog\fR(8) server implements an ad-hoc DNS
-/*	white/blacklist lookup service that will eventually be
+/*	white/blacklist lookup service. This may eventually be
 /*	replaced by an UDP client that is built directly into the
 /*	\fBpostscreen\fR(8) server.
-/*
+/* PROTOCOL
+/* .ad
+/* .fi
 /*	With each connection, the \fBdnsblog\fR(8) server receives
 /*	a DNS white/blacklist domain name and an IP address. If the
 /*	address is listed under the DNS white/blacklist, the
@@ -64,7 +66,7 @@
 /* HISTORY
 /* .ad
 /* .fi
-/*	This service is temporary with Postfix version 2.7.
+/*	This service was introduced with Postfix version 2.8.
 /* AUTHOR(S)
 /*	Wietse Venema
 /*	IBM T.J. Watson Research
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 3fb73c2f9..a766bc151 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20110115"
-#define MAIL_VERSION_NUMBER	"2.8"
+#define MAIL_RELEASE_DATE	"20110116"
+#define MAIL_VERSION_NUMBER	"2.9"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c
index 0e9d61807..dd3927130 100644
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@@ -62,9 +62,6 @@
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8).
 /* BUGS
-/*	The \fBpostscreen\fR(8) server does not yet implement
-/*	the \fBsoft_bounce\fR feature.
-/*
 /*	The \fBpostscreen\fR(8) built-in SMTP protocol engine
 /*	currently does not announce support for AUTH, XCLIENT or
 /*	XFORWARD.
@@ -117,22 +114,40 @@
 /*	A case insensitive list of EHLO keywords (pipelining, starttls,
 /*	auth, etc.) that the \fBpostscreen\fR(8) server will not send in the EHLO
 /*	response to a remote SMTP client.
-/* BEFORE-GREETING TRIAGE
+/* TROUBLE SHOOTING CONTROLS
 /* .ad
 /* .fi
-/* .IP "\fBdnsblog_service_name (dnsblog)\fR"
-/*	The name of the \fBdnsblog\fR(8) service entry in master.cf.
+/* .IP "\fBpostscreen_expansion_filter (see 'postconf -d' output)\fR"
+/*	List of characters that are permitted in postscreen_reject_footer
+/*	attribute expansions.
+/* .IP "\fBpostscreen_reject_footer ($smtpd_reject_footer)\fR"
+/*	Optional information that is appended after a 4XX or 5XX server
+/*	response.
+/* .IP "\fBsoft_bounce (no)\fR"
+/*	Safety net to keep mail queued that would otherwise be returned to
+/*	the sender.
+/* PERMANENT WHITE/BLACKLIST TEST
+/* .ad
+/* .fi
+/*	This test is executed immediately after a remote SMTP client
+/*	connects. If a client is permanently whitelisted, the client
+/*	will be handed off immediately to a Postfix SMTP server
+/*	process.
 /* .IP "\fBpostscreen_access_list (permit_mynetworks)\fR"
-/*	Permanent white/blacklist for remote SMTP client IP addresses;
-/*	\fBpostscreen\fR(8) searches this list immediately after a remote SMTP
-/*	client connects.
+/*	Permanent white/blacklist for remote SMTP client IP addresses.
 /* .IP "\fBpostscreen_blacklist_action (ignore)\fR"
 /*	The action that \fBpostscreen\fR(8) takes when an SMTP client is
-/*	permanently blacklisted with the postscreen_blacklist_networks
-/*	parameter.
-/* .IP "\fBpostscreen_blacklist_networks (empty)\fR"
-/*	Network addresses that are permanently blacklisted; see the
-/*	postscreen_blacklist_action parameter for possible actions.
+/*	permanently blacklisted with the postscreen_access_list parameter.
+/* BEFORE-GREETING TESTS
+/* .ad
+/* .fi
+/*	These tests are executed before the remote SMTP client
+/*	receives the "220 servername" greeting. If no tests remain
+/*	after the successful completion of this phase, the client
+/*	will be handed off immediately to a Postfix SMTP server
+/*	process.
+/* .IP "\fBdnsblog_service_name (dnsblog)\fR"
+/*	The name of the \fBdnsblog\fR(8) service entry in master.cf.
 /* .IP "\fBpostscreen_dnsbl_action (ignore)\fR"
 /*	The action that \fBpostscreen\fR(8) takes when an SMTP client's combined
 /*	DNSBL score is equal to or greater than a threshold (as defined
@@ -164,9 +179,18 @@
 /*	client to send a command before its turn, and for DNS blocklist
 /*	lookup results to arrive (default: up to 2 seconds under stress,
 /*	up to 6 seconds otherwise).
-/* AFTER-GREETING TRIAGE
+/* .IP "\fBsmtpd_service_name (smtpd)\fR"
+/*	The internal service that \fBpostscreen\fR(8) forwards allowed
+/*	connections to.
+/* AFTER-GREETING TESTS
 /* .ad
 /* .fi
+/*	These tests are executed after the remote SMTP client
+/*	receives the "220 servername" greeting. If a client passes
+/*	all tests during this phase, it will receive a 4XX response
+/*	to RCPT TO commands until the client hangs up. After this,
+/*	the client will be allowed to talk directly to a Postfix
+/*	SMTP server process.
 /* .IP "\fBpostscreen_bare_newline_action (ignore)\fR"
 /*	The action that \fBpostscreen\fR(8) takes when an SMTP client sends
 /*	a bare newline character, that is, a newline not preceded by carriage
@@ -195,12 +219,6 @@
 /* .IP "\fBpostscreen_pipelining_enable (no)\fR"
 /*	Enable "pipelining" SMTP protocol tests in the \fBpostscreen\fR(8)
 /*	server.
-/* AFTER-TRIAGE CONTROLS
-/* .ad
-/* .fi
-/* .IP "\fBsmtpd_service_name (smtpd)\fR"
-/*	The internal service that \fBpostscreen\fR(8) forwards allowed
-/*	connections to.
 /* CACHE CONTROLS
 /* .ad
 /* .fi
@@ -239,8 +257,8 @@
 /*	The limit on the total number of commands per SMTP session for
 /*	\fBpostscreen\fR(8)'s built-in SMTP protocol engine.
 /* .IP "\fBpostscreen_command_time_limit (${stress?10}${stress:300}s)\fR"
-/*	The command "read" time limit for \fBpostscreen\fR(8)'s built-in SMTP
-/*	protocol engine.
+/*	The time limit to read an entire command line with \fBpostscreen\fR(8)'s
+/*	built-in SMTP protocol engine.
 /* .IP "\fBpostscreen_post_queue_limit ($default_process_limit)\fR"
 /*	The number of clients that can be waiting for service from a
 /*	real SMTP server process.
@@ -272,15 +290,6 @@
 /* .IP "\fBpostscreen_enforce_tls ($smtpd_enforce_tls)\fR"
 /*	Mandatory TLS: announce STARTTLS support to SMTP clients, and
 /*	require that clients use TLS encryption.
-/* TROUBLE SHOOTING CONTROLS
-/* .ad
-/* .fi
-/* .IP "\fBpostscreen_expansion_filter (see 'postconf -d' output)\fR"
-/*	List of characters that are permitted in postscreen_reject_footer
-/*	attribute expansions.
-/* .IP "\fBpostscreen_reject_footer ($smtpd_reject_footer)\fR"
-/*	Optional information that is appended after a 4XX or 5XX server
-/*	response.
 /* MISCELLANEOUS CONTROLS
 /* .ad
 /* .fi
@@ -324,6 +333,8 @@
 /* HISTORY
 /* .ad
 /* .fi
+/*	This service was introduced with Postfix version 2.8.
+/*
 /*	Many ideas in \fBpostscreen\fR(8) were explored in earlier
 /*	work by Michael Tokarev, in OpenBSD spamd, and in MailChannels
 /*	Traffic Control.
diff --git a/postfix/src/postscreen/postscreen_send.c b/postfix/src/postscreen/postscreen_send.c
index 9a99997fe..dfb61cf99 100644
--- a/postfix/src/postscreen/postscreen_send.c
+++ b/postfix/src/postscreen/postscreen_send.c
@@ -22,6 +22,10 @@
 /*	a warning (except EPIPE) with the client address and port,
 /*	and returns a non-zero result (all errors including EPIPE).
 /*
+/*	psc_send_reply() does a best effort to send the reply, but
+/*	it won't block when the output is throttled by a hostile
+/*	peer.
+/*
 /*	PSC_SEND_REPLY() is a legacy wrapper for psc_send_reply().
 /*	It will eventually be replaced by its expansion.
 /*
@@ -88,26 +92,26 @@ int     psc_send_reply(PSC_STATE *state, const char *text)
      */
     start = VSTRING_LEN(state->send_buf);
     vstring_strcat(state->send_buf, text);
-    if (*var_psc_rej_footer && (*text == '4' || *text == '5'))
-	smtp_reply_footer(state->send_buf, start, var_psc_rej_footer,
-			  STR(psc_expand_filter), psc_expand_lookup,
-			  (char *) state);
 
     /*
-     * XXX For soft_bounce support, it is not sufficient to fix replies here.
-     * We also need to fix the REJECT messages that are logged by the dummy
-     * SMTP engine. Those messages are set with the PSC_DROP_SESSION_STATE
-     * and PSC_ENFORCE_SESSION_STATE macros, and we should not mess up all
-     * the code that invokes those macros.
+     * For soft_bounce support, we also fix the REJECT logging before the
+     * dummy SMTP engine calls the psc_send_reply() output routine. We do
+     * some double work, but it is for debugging only.
      */
-#if 0
     if (var_soft_bounce) {
 	if (text[0] == '5')
 	    STR(state->send_buf)[start + 0] = '4';
 	if (text[4] == '5')
 	    STR(state->send_buf)[start + 4] = '4';
     }
-#endif
+
+    /*
+     * Append the optional reply footer.
+     */
+    if (*var_psc_rej_footer && (*text == '4' || *text == '5'))
+	smtp_reply_footer(state->send_buf, start, var_psc_rej_footer,
+			  STR(psc_expand_filter), psc_expand_lookup,
+			  (char *) state);
 
     /*
      * Do a best effort sending text, but don't block when the output is
diff --git a/postfix/src/postscreen/postscreen_smtpd.c b/postfix/src/postscreen/postscreen_smtpd.c
index bed1d6661..8e9ec6885 100644
--- a/postfix/src/postscreen/postscreen_smtpd.c
+++ b/postfix/src/postscreen/postscreen_smtpd.c
@@ -24,8 +24,12 @@
 /*
 /*	Unlike the Postfix SMTP server, this engine does not announce
 /*	PIPELINING support. This exposes spambots that pipeline
-/*	their commands anyway. To pass this test, the client has
-/*	to speak SMTP all the way to the RCPT TO command.
+/*	their commands anyway. Like the Postfix SMTP server, this
+/*	engine will accept input with bare newline characters. To
+/*	pass the "pipelining" and "bare newline" test, the client
+/*	has to properly speak SMTP all the way to the RCPT TO
+/*	command. These tests fail if the client violates the protocol
+/*	at any stage.
 /*
 /*	No support is announced for AUTH, XCLIENT or XFORWARD.
 /*	Clients that need this should be whitelisted or should talk
@@ -42,10 +46,13 @@
 /*	a per-session command counter, and terminates the session
 /*	with a 421 reply when the command count exceeds the limit.
 /*
-/*	We limit the command count so that we don't have to worry
-/*	about becoming blocked while sending responses (20 replies
-/*	of about 40 bytes plus greeting banners). Otherwise we would
-/*	have to make the output event-driven, just like the input.
+/*	We limit the command count, as well as the total time to
+/*	receive a command. This limits the time per client more
+/*	effectively than would be possible with read() timeouts.
+/*
+/*	There is no concern about getting blocked on output.  The
+/*	psc_send() routine uses non-blocking output, and discards
+/*	output that the client is not willing to receive.
 /* PROTOCOL INSPECTION VERSUS CONTENT INSPECTION
 /*	The goal of postscreen is to keep spambots away from Postfix.
 /*	To recognize spambots, postscreen measures properties of
@@ -70,11 +77,11 @@
 /*	making long-term decisions after single measurements, and
 /*	that is why postscreen does not inspect message content.
 /* REJECTING RCPT TO VERSUS SENDING LIVE SOCKETS TO SMTPD(8)
-/*	When deep protocol tests are enabled, postscreen rejects
-/*	the RCPT TO command from a good client, and forces it to
-/*	deliver mail in a later session. This is why deep protocol
-/*	tests have a longer expiration time than pre-handshake
-/*	tests.
+/*	When post-handshake protocol tests are enabled, postscreen
+/*	rejects the RCPT TO command from a good client, and forces
+/*	it to deliver mail in a later session. This is why
+/*	post-handshake protocol tests have a longer expiration time
+/*	than pre-handshake tests.
 /*
 /*	Instead, postscreen could send the network socket to smtpd(8)
 /*	and ship the session history (including TLS and other SMTP
@@ -188,7 +195,9 @@ static void psc_smtpd_read_event(int, char *);
   * Encapsulation. The STARTTLS, EHLO and AUTH command handlers temporarily
   * suspend SMTP command events, send an asynchronous proxy request, and
   * resume SMTP command events after receiving the asynchrounous proxy
-  * response.
+  * response (the EHLO handler must asynchronously talk to the auth server
+  * before it can announce the SASL mechanism list; the list can depend on
+  * the client IP address and on the presence on TLS encryption).
   */
 #define PSC_RESUME_SMTP_CMD_EVENTS(state) do { \
 	PSC_READ_EVENT_REQUEST2(vstream_fileno((state)->smtp_client_stream), \
@@ -411,15 +420,17 @@ static int psc_starttls_cmd(PSC_STATE *state, char *args)
 static char *psc_extract_addr(VSTRING *result, const char *string)
 {
     const unsigned char *cp = (const unsigned char *) string;
+    char   *addr;
+    char   *colon;
     int     stop_at;
     int     inquote = 0;
 
     /*
      * smtpd(8) incompatibility: we allow more invalid address forms, and we
-     * don't strip @site1,site2:user@site3 route addresses. We are not going
-     * to deliver them so we won't have to worry about addresses that end up
-     * being nonsense after stripping. This may have to change when we pass
-     * the socket to a real SMTP server and replay message envelope commands.
+     * don't validate recipients. We are not going to deliver them so we
+     * won't have to worry about deliverability. This may have to change when
+     * we pass the socket to a real SMTP server and replay message envelope
+     * commands.
      */
 
     /* Skip SP characters. */
@@ -448,7 +459,15 @@ static char *psc_extract_addr(VSTRING *result, const char *string)
 	}
     }
     VSTRING_TERMINATE(result);
-    return (STR(result));
+
+    /*
+     * smtpd(8) compatibility: truncate deprecated route address form. This
+     * is primarily to simplify logfile analysis.
+     */
+    addr = STR(result);
+    if (*addr == '@' && (colon = strchr(addr, ':')) != 0)
+	addr = colon + 1;
+    return (addr);
 }
 
 /* psc_mail_cmd - record MAIL and respond */
@@ -478,6 +497,22 @@ static int psc_mail_cmd(PSC_STATE *state, char *args)
     return (PSC_SEND_REPLY(state, "250 2.1.0 Ok\r\n"));
 }
 
+/* psc_soften_reply - copy and soft-bounce a reply */
+
+static char *psc_soften_reply(const char *reply)
+{
+    static VSTRING *buf = 0;
+
+    if (buf == 0)
+	buf = vstring_alloc(100);
+    vstring_strcpy(buf, reply);
+    if (reply[0] == '5')
+	STR(buf)[0] = '4';
+    if (reply[4] == '5')
+	STR(buf)[4] = '4';
+    return (STR(buf));
+}
+
 /* psc_rcpt_cmd record RCPT and respond */
 
 static int psc_rcpt_cmd(PSC_STATE *state, char *args)
@@ -501,7 +536,9 @@ static int psc_rcpt_cmd(PSC_STATE *state, char *args)
     msg_info("NOQUEUE: reject: RCPT from [%s]:%s: %.*s; "
 	     "from=<%s>, to=<%s>, proto=%s, helo=<%s>",
 	     PSC_CLIENT_ADDR_PORT(state),
-	     (int) strlen(state->rcpt_reply) - 2, state->rcpt_reply,
+	     (int) strlen(state->rcpt_reply) - 2,
+	     var_soft_bounce == 0 ? state->rcpt_reply :
+	     psc_soften_reply(state->rcpt_reply),
 	     state->sender, addr, state->protocol,
 	     state->helo_name ? state->helo_name : "");
     return (PSC_SEND_REPLY(state, state->rcpt_reply));
@@ -700,7 +737,7 @@ static void psc_smtpd_read_event(int event, char *context)
      */
 
     /*
-     * Note: on entry into this function the VSTREAM buffer is still empty,
+     * Note: on entry into this function the VSTREAM buffer may be non-empty,
      * so we test the "no more input" condition at the bottom of the loops.
      */
     for (;;) {
@@ -825,7 +862,8 @@ static void psc_smtpd_read_event(int event, char *context)
 	/*
 	 * Reset the command buffer write pointer and state machine in
 	 * preparation for the next command. For this to work as expected,
-	 * VSTRING_RESET() must be non-destructive.
+	 * VSTRING_RESET() must be non-destructive. We just can't ask for the
+	 * VSTRING_LEN() and vstring_end() results.
 	 */
 	state->read_state = PSC_SMTPD_CMD_ST_ANY;
 	VSTRING_RESET(state->cmd_buffer);
@@ -837,7 +875,7 @@ static void psc_smtpd_read_event(int event, char *context)
 	 * session state structure. When this happens we must leave the SMTP
 	 * engine to avoid a dangling pointer problem.
 	 */
-	cmd_buffer_ptr = vstring_str(state->cmd_buffer);
+	cmd_buffer_ptr = STR(state->cmd_buffer);
 	if (msg_verbose)
 	    msg_info("< [%s]:%s: %s", state->smtp_client_addr,
 		     state->smtp_client_port, cmd_buffer_ptr);