diff --git a/postfix/FILTER_README b/postfix/FILTER_README
index 243c2f4c9..709a009b7 100644
--- a/postfix/FILTER_README
+++ b/postfix/FILTER_README
@@ -1,6 +1,6 @@
 This is a very first implementation of Postfix content filtering.
 A Postfix content filter receives unfiltered mail from Postfix and
-re-injects filtered mail back into Postfix.
+either bounces the mail or re-injects filtered mail back into Postfix.
 
 It involves an incompatible change to queue file formats.  Older
 Postfix versions will reject mail that needs to be content filtered,
@@ -24,32 +24,34 @@ The example assumes that only mail arriving via SMTP needs to be
 content filtered.
 
       ..................................
-      .            Postfix             .
-   ------smtpd \                /local-----
-      .         -cleanup->queue-       .
-   -----pickup /                \smtp------
-   ^  .                        |       .
-   |  .                         \pipe-----+
+      :            Postfix             :
+   ----->smtpd \                /local---->
+      :         -cleanup->queue-       :
+   ---->pickup /                \smtp----->
+   ^  :                        |       :
+   |  :                         \pipe-----+
    |  ..................................  |
    |                                      |
    |                                      |
    +------sendmail<-------filter<---------+
 
-Create a dedicated local user account called "filter".  The user
-will never log in, and can be given a "*" password and non-existent
-shell and home.
+1 - Create a dedicated local user account called "filter".  The
+    user will never log in, and can be given a "*" password and
+    non-existent shell and home directory. This user handles all
+    potentially dangerous mail content - that is why it should be
+    a separate account.
 
-Create a directory /var/spool/filter that is accessible only to
-the "filter" user. This is where the content filtering will store
-its temporary files.
+2 - Create a directory /var/spool/filter that is accessible only
+    to the "filter" user. This is where the content filtering will
+    store its temporary files.
 
-Define a content filtering entry in the Postfix master file:
+3 - Define a content filtering entry in the Postfix master file:
 
     /etc/postfix/master.cf:
-	filter	  unix	-	n	n	-	-	pipe
-	    user=filter argv=/some/where/filter -f ${sender} -- ${recipient}
+      filter    unix  -       n       n       -       -       pipe
+        flags=R user=filter argv=/some/where/filter -f ${sender} -- ${recipient}
 
-The filter program can start out as a simple shell script like this:
+The /some/where/filter program can be a simple shell script like this:
 
     #!/bin/sh
 
@@ -85,20 +87,11 @@ content is OK, it is given as input to Postfix sendmail, and the
 exit status of the filter command is whatever exit status Postfix
 sendmail produces.
 
-The problem with content filters like this is that they are not
-very robust, because the software does not talk a well-defined
-protocol with Postfix. If the filter shell script aborts because
-the shell runs into some memory allocation problem, the script will
-not produce a nice exit status as per /usr/include/sysexits.h and
-mail will probably bounce. The same lack of robustness is possible
-when the content filtering software itself runs into a resource
-problem.
-
 I suggest that you play with this script for a while until you are
-satisfied with the results. Run it as root or as the filter user,
-with a real message (headers+body) as input:
+satisfied with the results. Run it as the filter user, with a real
+message (headers+body) as input:
 
-    # /some/where/filter -f sender recipient... <message-file
+    % /some/where/filter -f sender recipient... <message-file
 
 Turn on content filtering for mail arriving via SMTP only, by
 appending "-o content_filter=filter:dummy" to the master.cf
@@ -111,9 +104,17 @@ entry that defines the Postfix SMTP server:
 The content_filter configuration parameter accepts the same
 syntax as the right-hand side in a Postfix transport table.
 
-Postfix snapshot-20000529 requires that you specify a dummy
-destination as shown in the example.  This is no longer necessary
-with later Postfix versions.
+Simple content filter limitations
+=================================
+
+The problem with content filters like the one above is that they
+are not very robust, because the software does not talk a well-defined
+protocol with Postfix. If the filter shell script aborts because
+the shell runs into some memory allocation problem, the script will
+not produce a nice exit status as per /usr/include/sysexits.h and
+mail will probably bounce. The same lack of robustness is possible
+when the content filtering software itself runs into a resource
+problem.
 
 Advanced content filtering example
 ===================================
@@ -132,20 +133,20 @@ port 10025 that receives mail via the SMTP protocol, and that
 submits mail back into Postfix via localhost port 10026.
 
       ..................................
-      .            Postfix             .
-   ------smtpd \                /local-----
-      .         -cleanup->queue-       .
-   -----pickup /    ^       |   \smtp------
-      .             |       v          .
-      .           smtpd    smtp        .
-      .           10026     |          .
+      :            Postfix             :
+   ----->smtpd \                /local---->
+      :         -cleanup->queue-       :
+   ---->pickup /    ^       |   \smtp----->
+      :             |       v          :
+      :           smtpd    smtp        :
+      :           10026     |          :
       ......................|...........
                     ^       |
                     |       v
                 ....|............
-                .   |     10025 .
-                .   filtering   .
-                .               .
+                :   |     10025 :
+                :   filter      :
+                :               :
                 .................
 
 To enable content filtering in this manner, specify in main.cf a
@@ -174,12 +175,8 @@ up to 10 content filtering processes on demand:
 
 "filter" is a dedicated local user account.  The user will never
 log in, and can be given a "*" password and non-existent shell and
-home.
-
-The spawn server is part of Postfix but is not installed by default.
-Edit the top-level Makefile.in file, run "make makefiles", "make",
-and "make install". The manual page isn't installed by default,
-either. See the spawn.c source file.
+home directory.  This user handles all potentially dangerous mail
+content - that is why it should be a separate account.
 
 The /some/where/filter command is most likely a PERL script. PERL
 has modules that make talking SMTP easy. The command-line specifies
@@ -192,7 +189,8 @@ it can be used with other mailers too, which is a nice spin-off.
 The simplest content filter just copies SMTP commands and data
 between its inputs and outputs. If it has a problem, all it has to
 do is to reply to an input of `.' with `550 content rejected', and
-to disconnect its output side instead of sending `.'.
+to disconnect without sending `.' on the connection that injects
+mail back into Postfix.
 
 The job of the content filter is to either bounce mail with a
 suitable diagnostic, or to feed the mail back into Postfix through
diff --git a/postfix/INSTALL.sh b/postfix/INSTALL.sh
index df4f74351..2dfbfcbe6 100644
--- a/postfix/INSTALL.sh
+++ b/postfix/INSTALL.sh
@@ -6,6 +6,7 @@
 PATH=/bin:/usr/bin:/usr/sbin:/usr/etc:/sbin:/etc
 umask 022
 
+test -t 0 &&
 cat <<EOF
 
 Warning: this script replaces existing sendmail or Postfix programs.
@@ -124,6 +125,7 @@ fi
 
 # Find out the location of configuration files.
 
+test -t 0 &&
 for name in install_root tempdir config_directory
 do
     while :
@@ -168,6 +170,7 @@ test -f $CONFIG_DIRECTORY/install.cf && . $CONFIG_DIRECTORY/install.cf
 
 # Override default settings.
 
+test -t 0 &&
 for name in daemon_directory command_directory \
     queue_directory sendmail_path newaliases_path mailq_path mail_owner\
     setgid manpages
diff --git a/postfix/LMTP_README b/postfix/LMTP_README
index 1c44a1395..42954076f 100644
--- a/postfix/LMTP_README
+++ b/postfix/LMTP_README
@@ -1,14 +1,12 @@
-[Based on information that was provided by Amous Gouaux]
-
 Postfix LMTP support
 ====================
 
 LMTP stands for Local Mail Transfer Protocol, and is detailed in
 RFC2033.  This protocol is used to communicate with the final
-delivery agent, which may be on the local host or a remote host.
+delivery agent, which may run on the local host or a remote host.
 
 This protocol opens up interesting possibilities: one Postfix front
-end system can drive multiple mailbox back end systems over LMTP.
+end machine can drive multiple mailbox back end machines over LMTP.
 As the mail load increases you add Postfix front end systems and
 LMTP mailbox back end systems.  You can use LDAP or mysql to share
 the user database among the front end and back end systems.
@@ -51,54 +49,68 @@ given in the lmtp(8) manual page.
 Using main.cf configuration
 ===========================
 
-This is the simplest LMTP configuration.  The settings
-local_transport, mailbox_transport, and fallback_transport can
-support the following connections:
+This is the simplest LMTP configuration.  
 
-1.  LMTP over TCP sockets.
+1.  LMTP over UNIX-domain sockets.
 
-    mailbox_transport = lmtp
+    The UNIX-domain socket is specified as a name in the local file
+    system.  This "/path/name" should be the socket created by the
+    LMTP server on the local machine. See the specific examples
+    later in this document.
 
-    Instead of delivering local mail to a mail box such as
-    /var/mail/$user, a connection will be made over TCP to an LMTP
-    server.  Currently the default port for this connection is 24,
-    but this can be customized in the "/etc/services" file.
+    The settings local_transport, mailbox_transport, and
+    fallback_transport support the following connections:
+
+	mailbox_transport = lmtp:unix:/path/name
+
+    The Postfix local delivery agent expands aliases and .forward
+    files, and delegates mailbox delivery to the LMTP server.
+
+	local_transport = lmtp:unix:/path/name
+
+    Mail that resolves as local is directly given to the LMTP server.
+    The mail is not processed by the Postfix local delivery agent;
+    therefore aliases and .forward files are not expanded.
+
+	fallback_transport = lmtp:unix:/path/name
+
+    The Postfix local delivery agent expands aliases and .forward files,
+    and delivers to /var/mail/$user for users that have a UNIX account.
+    Mail for other local users is delegated to the LMTP server.
 
     NOTE:
 
-        With connections over TCP sockets, some Cyrus implementations
-        insist on SASL-style authentication, which is not currently
-        supported by the Postfix LMTP client.  See the examples below 
-        for additional details.
-
-
-2.  LMTP over UNIX-domain sockets.
-
-    mailbox_transport = lmtp:unix:/path/name
-
-    In this case the LMTP connection will be made over a UNIX-domain
-    socket.  This "/path/name" should be the socket created by the
-    LMTP server on the local machine.
-
-    NOTE 1:
-
-        If you configured Cyrus using the "--with-libwrap" option, be 
-        sure to allow access to the "lmtpd" service from "0.0.0.0".
-        Otherwise LMTP deliveries over UNIX-domain sockets will be
-        blocked.  See the examples below for more on using libwrap.
-
-    NOTE 2:
-
 	If you run the lmtp client chrooted, the interpretation of
 	the /path/name is relative to the Postfix queue directory
 	(typically, /var/spool/postfix).
 
-    NOTE 3:
-
 	By default, the Postfix LMTP client does not run chrooted.
 	With LMTP delivery to the local machine there is no good
 	reason to run the Postfix LMTP client chrooted.
 
+2.  LMTP over TCP sockets.
+
+    Currently the default TCP port number for this type of connection
+    is 24, but this can be customized in the "/etc/services" file.
+    Specific examples are given later in this document.
+
+    The settings local_transport, mailbox_transport, and
+    fallback_transport support the following connections:
+
+	mailbox_transport = lmtp:hostname:port
+	local_transport = lmtp:hostname:port
+	fallback_transport = lmtp:hostname:port
+
+    See the previous section for a discussion of the differences
+    between these three delivery methods.
+
+    NOTE:
+
+	With connections over TCP sockets, later Cyrus implementations
+	insist on SASL-style authentication. This means that Postfix
+	must be built with SASL support (see SASL_README).  The
+	examples below show how to enable this in the Postfix LMTP
+	client.
 
 Examples:
 
@@ -120,15 +132,9 @@ Examples:
 
         mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
 
-    In this case, mail that is resolved to be local will be delivered
-    to the Cyrus lmtpd server via the socket "/var/imap/socket/lmtp".  
-
-    If you configured Cyrus using the "--with-libwrap" option, you
-    will need the following:
-
-    /etc/hosts.allow:
-
-        lmtpd : 0.0.0.0
+    In this case, the Postfix local delivery agent expands aliases
+    and .forward files, and delegates mailbox delivery to the Cyrus
+    lmtpd server via the socket "/var/imap/socket/lmtp".
 
 2.  LMTP over TCP sockets.
 
@@ -139,104 +145,50 @@ Examples:
 
         SERVICES { 
             ... 
-            lmtp cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0 
+            lmtp cmd="lmtpd" listen="127.0.0.1:lmtp" prefork=0 
             ... 
         } 
 
-XXX does this mean that connections will be accepted only on 127.0.0.1?
-
     /etc/services:
 
-        lmtp 2003/tcp
+        lmtp 24/tcp
 
     /etc/postfix/main.cf:
 
-        mailbox_transport = lmtp
+        mailbox_transport = lmtp:localhost
+	lmtp_sasl_auth_enable = yes
+	lmtp_sasl_password_maps = hash:/etc/postfix/lmtp_sasl_pass
 
     /etc/postfix/master.cf:
 
         lmtp      unix  -       -       n       -       -       lmtp
 
-    Mail that Postfix resolves to be local will be delivered via TCP
-    to the Cyrus LMTP server.  Postfix will make a connection to port
-    2003 on the local host, subsequently transmitting the message to
-    the lmtpd server managed by the Cyrus master process.  Since
-    Postfix does not currently support LMTP-AUTH, the "-a" lmtpd
-    option is required.
+    /etc/postfix/lmtp_sasl_pass:
+	localhost.my.domain	username:password
 
-    CAUTION:
+    Instead of "hash", use the map type of your choice.  Some
+    systems use "dbm" instead.  Use "postconf -m" to find out what
+    map types are supported.
 
-        If you run lmtpd with the "-a" option, be certain that you
-        restrict what systems can connect to this service.  This can
-        be done in either one of two ways:
-
-        a.  Compile Cyrus with libwrap support, configuring
-            "/etc/hosts.allow" to restrict access to this service to
-            only your mail server.
-
-        b.  In the cyrus.conf file, for the "listen" argument to the
-            "lmtp" service, specify the address (in this case
-            localhost), that the service should bind to.  This can
-            also be convenient if you have a private network between
-            your Postfix server and your Cyrus server.
-
-        If neither of these actions are taken, anybody will be able
-        to drop junk into your Cyrus message store!  
-
-
-3.  LMTP over TCP sockets, using hosts.allow.
-
-    While similar to the previous example, this one varies in how the
-    lmtpd service is protected from unauthorized use.  Instead of
-    binding the lmtpd service to a specific Internet address, access
-    will be controlled using the "/etc/hosts.allow" tcp_wrappers
-    configuration file.  The tcp_wrappers package is available from:
-
-        ftp://ftp.porcupine.org/pub/security/index.html
-
-    To take advantage of tcp_wrappers, Cyrus will need to be
-    configured using the "--with-libwrap" option.  See the Cyrus
-    documentation for more details.
-
-    Here are excerpts of the pertinent files:
-
-    /etc/hosts.allow:
-
-        lmtpd : localhost : ALLOW
-        lmtpd : ALL@ALL : DENY
-
-    /etc/cyrus.conf:
-
-        SERVICES { 
-            ... 
-            lmtp cmd="lmtpd -a" listen="lmtp" prefork=0 
-            ... 
-        } 
-
-    /etc/services:
-
-        lmtp 2003/tcp
-
-    /etc/postfix/main.cf:
-
-        mailbox_transport = lmtp
-
-    The syntax shown in the hosts.allow excerpt above is valid if
-    tcp_wrappers is compiled using a "make" argument of:
-
-        STYLE=-DPROCESS_OPTIONS
-
-    See the tcp_wrappers hosts_options(5) man page for more details.
+    With the above settings, the Postfix local delivery agent
+    expands aliases and .forward files, and delegates mailbox
+    delivery to the the Cyrus LMTP server.  Postfix makes a
+    connection to port 24 on the local host, subsequently
+    transmitting the message to the lmtpd server managed by the
+    Cyrus master process.
 
 
 Using transport map configuration
 =================================
 
-This approach is quite similar to specifying the LMTP service in the
-Postfix main.cf configuration file.  However, now we will use a
-transport map to route mail to the appropriate LMTP server.  Why
-might this approach be useful?  This could be handy if you wish to
-route mail for multiple domains to their respective mail retrieval
+This approach is quite similar to specifying the LMTP service in
+the Postfix main.cf configuration file.  However, now we will use
+a transport map to route mail to the appropriate LMTP server,
+instead of depending on delegation by the Postfix local delivery
+agent.
+
+Why might this approach be useful?  This could be handy if you wish
+to route mail for multiple domains to their respective mail retrieval
 (IMAP/POP) server.  Example:
 
     /etc/postfix/transport:
@@ -399,7 +351,7 @@ configure inetd.  This involves the following file edits:
 
     /etc/services:
 
-        lmtp 2003/tcp
+        lmtp 24/tcp
 
     /etc/inetd.conf:
 
diff --git a/postfix/SASL_README b/postfix/SASL_README
index d793787e8..354d8eb74 100644
--- a/postfix/SASL_README
+++ b/postfix/SASL_README
@@ -62,11 +62,14 @@ Reportedly, Microsoft Internet Explorer version 5 requires the
 non-standard SASL LOGIN authentication method. To enable this
 authentication method, specify ``./configure --enable-login''.
 
-Reportedly, older Microsoft software mis-implements the AUTH
-protocol, and requires that the server replies to EHLO with
-"250-AUTH=stuff..." instead of "250-AUTH stuff...". To accomodate
-such clients, set "allow_broken_auth_clients = yes" in the main.cf
-file.
+Older Microsoft SMTP client software implements a non-standard 
+version of the AUTH protocol syntax, and expects that the SMTP
+server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
+stuff".  To accomodate such clients in addition to conformant
+clients, set "broken_sasl_auth_clients = yes" in the main.cf file.
+
+The Postfix SMTP client is backwards compatible with SMTP servers
+that use the non-standard AUTH protocol syntax.
 
 Building Postfix with SASL authentication support
 =================================================
diff --git a/postfix/conf/access b/postfix/conf/access
index a8a9d354f..78f93f188 100644
--- a/postfix/conf/access
+++ b/postfix/conf/access
@@ -83,35 +83,36 @@
 #        REJECT Reject the address etc. that matches the pattern. A
 #               generic error response message is generated.
 # 
-#        OK
+#        OK     Accept the address etc. that matches the pattern.
 # 
-#        Any other text
-#               Accept the address etc. that matches the pattern.
+#        restriction...
+#               Apply the named UCE  restriction  (permit,  reject,
+#               reject_unauth_destination, and so on).
 # 
 # REGULAR EXPRESSION TABLES
-#        This section describes how the table lookups  change  when
+#        This  section  describes how the table lookups change when
 #        the table is given in the form of regular expressions. For
-#        a description of regular expression lookup  table  syntax,
+#        a  description  of regular expression lookup table syntax,
 #        see regexp_table(5) or pcre_table(5).
 # 
-#        Each  pattern  is  a regular expression that is applied to
+#        Each pattern is a regular expression that  is  applied  to
 #        the entire string being looked up. Depending on the appli-
-#        cation,  that  string  is  an  entire  client hostname, an
+#        cation, that string  is  an  entire  client  hostname,  an
 #        entire client IP address, or an entire mail address. Thus,
-#        no  parent  domain  or  parent network search is done, and
-#        user@domain mail addresses are not broken  up  into  their
+#        no parent domain or parent network  search  is  done,  and
+#        user@domain  mail  addresses  are not broken up into their
 #        user@ and domain constituent parts.
 # 
-#        Patterns  are  applied  in  the  order as specified in the
-#        table, until a pattern is found that  matches  the  search
+#        Patterns are applied in the  order  as  specified  in  the
+#        table,  until  a  pattern is found that matches the search
 #        string.
 # 
-#        Actions  are the same as with normal indexed file lookups,
-#        with the additional feature that parenthesized  substrings
-#        from  the pattern can be interpolated as $1, $2 and so on.
+#        Actions are the same as with normal indexed file  lookups,
+#        with  the additional feature that parenthesized substrings
+#        from the pattern can be interpolated as $1, $2 and so  on.
 # 
 # BUGS
-#        The table format does not understand quoting  conventions.
+#        The  table format does not understand quoting conventions.
 # 
 #                                                                 2
 # 
@@ -124,7 +125,7 @@
 #        regexp_table(5) format of POSIX regular expression tables
 # 
 # LICENSE
-#        The  Secure  Mailer  license must be distributed with this
+#        The Secure Mailer license must be  distributed  with  this
 #        software.
 # 
 # AUTHOR(S)
diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html
index 383ba957e..0818d204c 100644
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@@ -94,36 +94,36 @@ ACCESS(5)                                               ACCESS(5)
        <b>REJECT</b> Reject the address etc. that matches the pattern. A
               generic error response message is generated.
 
-       <b>OK</b>
+       <b>OK</b>     Accept the address etc. that matches the pattern.
 
-       <i>Any</i> <i>other</i> <i>text</i>
-              Accept the address etc. that matches the pattern.
+       <i>restriction...</i>
+              Apply the named UCE  restriction  (<b>permit</b>,  reject,
+              <b>reject</b><i>_</i><b>unauth</b><i>_</i><b>destination</b>, and so on).
 
 <b>REGULAR</b> <b>EXPRESSION</b> <b>TABLES</b>
-       This section describes how the table lookups  change  when
+       This  section  describes how the table lookups change when
        the table is given in the form of regular expressions. For
-       a description of regular expression lookup  table  syntax,
+       a  description  of regular expression lookup table syntax,
        see <a href="regexp_table.5.html"><b>regexp</b><i>_</i><b>table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre</b><i>_</i><b>table</b>(5)</a>.
 
-       Each  pattern  is  a regular expression that is applied to
+       Each pattern is a regular expression that  is  applied  to
        the entire string being looked up. Depending on the appli-
-       cation,  that  string  is  an  entire  client hostname, an
+       cation, that string  is  an  entire  client  hostname,  an
        entire client IP address, or an entire mail address. Thus,
-       no  parent  domain  or  parent network search is done, and
-       <i>user@domain</i> mail addresses are not broken  up  into  their
+       no parent domain or parent network  search  is  done,  and
+       <i>user@domain</i>  mail  addresses  are not broken up into their
        <i>user@</i> and <i>domain</i> constituent parts.
 
-       Patterns  are  applied  in  the  order as specified in the
-       table, until a pattern is found that  matches  the  search
+       Patterns are applied in the  order  as  specified  in  the
+       table,  until  a  pattern is found that matches the search
        string.
 
-       Actions  are the same as with normal indexed file lookups,
-       with the additional feature that parenthesized  substrings
-       from  the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
+       Actions are the same as with normal indexed file  lookups,
+       with  the additional feature that parenthesized substrings
+       from the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so  on.
 
 <b>BUGS</b>
-       The table format does not understand quoting  conventions.
-
+       The  table format does not understand quoting conventions.
 
 
 
@@ -144,7 +144,7 @@ ACCESS(5)                                               ACCESS(5)
        <a href="regexp_table.5.html">regexp_table(5)</a> format of POSIX regular expression tables
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index a6fe58de5..7b6fb6bff 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -77,7 +77,7 @@ SMTPD(8)                                                 SMTPD(8)
               For  example, allow <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a>-style address forms with
               comments, like Sendmail does.
 
-       <b>allow</b><i>_</i><b>broken</b><i>_</i><b>auth</b><i>_</i><b>clients</b>
+       <b>broken</b><i>_</i><b>sasl</b><i>_</i><b>auth</b><i>_</i><b>clients</b>
               Support older Microsoft clients that  mis-implement
               the AUTH protocol, and that expect an EHLO response
               of "250 AUTH=list" instead of "250 AUTH list".
@@ -90,7 +90,7 @@ SMTPD(8)                                                 SMTPD(8)
               same  syntax  as  the  right-hand side of a Postfix
               transport table.
 
-<b>Authenication</b> <b>controls</b>
+<b>Authentication</b> <b>controls</b>
        <b>enable</b><i>_</i><b>sasl</b><i>_</i><b>authentication</b>
               Enable per-session authentication as per  <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC  2554</a>
               (SASL).   This functionality is available only when
diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5
index 39a376ecd..851a1390f 100644
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@@ -76,8 +76,10 @@ the numerical code and text.
 Reject the address etc. that matches the pattern. A generic
 error response message is generated.
 .IP \fBOK\fR
-.IP "\fIAny other text\fR"
 Accept the address etc. that matches the pattern.
+.IP \fIrestriction...\fR
+Apply the named UCE restriction (\fBpermit\fR, \fRreject\fR,
+\fBreject_unauth_destination\fR, and so on).
 .SH REGULAR EXPRESSION TABLES
 .na
 .nf
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index f8eccc0cb..4beea5182 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -71,7 +71,7 @@ a configuration change.
 .IP \fBstrict_rfc821_envelopes\fR
 Disallow non-RFC 821 style addresses in envelopes. For example,
 allow RFC822-style address forms with comments, like Sendmail does.
-.IP \fBallow_broken_auth_clients\fR
+.IP \fBbroken_sasl_auth_clients\fR
 Support older Microsoft clients that mis-implement the AUTH
 protocol, and that expect an EHLO response of "250 AUTH=list"
 instead of "250 AUTH list".
@@ -81,7 +81,7 @@ The name of a mail delivery transport that filters mail and that
 either bounces mail or re-injects the result back into Postfix.
 This parameter uses the same syntax as the right-hand side of
 a Postfix transport table.
-.SH "Authenication controls"
+.SH "Authentication controls"
 .IP \fBenable_sasl_authentication\fR
 Enable per-session authentication as per RFC 2554 (SASL).
 This functionality is available only when explicitly selected
diff --git a/postfix/proto/access b/postfix/proto/access
index 1402fb628..23b4fd960 100644
--- a/postfix/proto/access
+++ b/postfix/proto/access
@@ -64,8 +64,10 @@
 #	Reject the address etc. that matches the pattern. A generic
 #	error response message is generated.
 # .IP \fBOK\fR
-# .IP "\fIAny other text\fR"
 #	Accept the address etc. that matches the pattern.
+# .IP \fIrestriction...\fR
+#	Apply the named UCE restriction (\fBpermit\fR, \fRreject\fR,
+#	\fBreject_unauth_destination\fR, and so on).
 # REGULAR EXPRESSION TABLES
 # .ad
 # .fi
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 93a5bf9cd..ba4fa86f2 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -241,7 +241,7 @@ extern bool var_strict_rfc821_env;
   * Standards violation: send "250 AUTH=list" in order to accomodate broken
   * Microsoft clients.
   */
-#define VAR_BROKEN_AUTH_CLNTS	"allow_broken_auth_clients"
+#define VAR_BROKEN_AUTH_CLNTS	"broken_sasl_auth_clients"
 #define DEF_BROKEN_AUTH_CLNTS	0
 extern bool var_broken_auth_clients;
 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index c69c7e47a..da23e7e5d 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -15,7 +15,7 @@
   * Version of this program.
   */
 #define VAR_MAIL_VERSION	"mail_version"
-#define DEF_MAIL_VERSION	"Snapshot-20010122"
+#define DEF_MAIL_VERSION	"Snapshot-20010124"
 extern char *var_mail_version;
 
 /* LICENSE
diff --git a/postfix/src/lmtp/lmtp.c b/postfix/src/lmtp/lmtp.c
index ec0e1c73c..b9bc3c481 100644
--- a/postfix/src/lmtp/lmtp.c
+++ b/postfix/src/lmtp/lmtp.c
@@ -458,9 +458,12 @@ static void post_init(char *unused_name, char **unused_argv)
 static void pre_init(char *unused_name, char **unused_argv)
 {
     debug_peer_init();
-#ifdef USE_SASL_AUTH
     if (var_lmtp_sasl_enable)
+#ifdef USE_SASL_AUTH
 	lmtp_sasl_initialize();
+#else
+	msg_warn("%s is true, but SASL support is not compiled in",
+		 VAR_LMTP_SASL_ENABLE);
 #endif
 }
 
@@ -525,6 +528,7 @@ int     main(int argc, char **argv)
     static CONFIG_BOOL_TABLE bool_table[] = {
 	VAR_LMTP_CACHE_CONN, DEF_LMTP_CACHE_CONN, &var_lmtp_cache_conn,
 	VAR_LMTP_SKIP_QUIT_RESP, DEF_LMTP_SKIP_QUIT_RESP, &var_lmtp_skip_quit_resp,
+	VAR_LMTP_SASL_ENABLE, DEF_LMTP_SASL_ENABLE, &var_lmtp_sasl_enable,
 	0,
     };
 
diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c
index 78d9a7f52..c40200727 100644
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -658,9 +658,7 @@ static void print_parameter(int mode, char *ptr)
 #define INSIDE(p,t) (ptr >= (char *) t && ptr < ((char *) t) + sizeof(t))
 
     /*
-     * This is gross, but the best we can do on short notice. Instead of
-     * guessing we should use a tagged union. This is what code looks like
-     * when written under the pressure of a first public release.
+     * This is gross, but the best we can do on short notice.
      */
     if (INSIDE(ptr, time_table))
 	print_time(mode, (CONFIG_TIME_TABLE *) ptr);
diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c
index febdc3701..e9311ef4a 100644
--- a/postfix/src/sendmail/sendmail.c
+++ b/postfix/src/sendmail/sendmail.c
@@ -735,7 +735,8 @@ int     main(int argc, char **argv)
      * reset the saved set-userid, which would be a security vulnerability.
      */
     if (geteuid() == 0 && getuid() != 0) {
-	msg_warn("sendmail has set-uid root file permissions, or is run from a set-uid root process");
+	msg_warn("the Postfix sendmail command has set-uid root file permissions");
+	msg_warn("or the command is run from a set-uid root process");
 	msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions");
 	set_ugid(getuid(), getgid());
     }
@@ -903,7 +904,7 @@ int     main(int argc, char **argv)
 	msg_fatal("-t can be used only in delivery mode");
 
     if (site_to_flush && mode != SM_MODE_ENQUEUE)
-	msg_fatal("-t can be used only in delivery mode");
+	msg_fatal("-qR can be used only in delivery mode");
 
     if (extract_recipients && argv[OPTIND])
 	msg_fatal("cannot handle command-line recipients with -t");
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 6bce6f2e9..477e33b71 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -360,9 +360,12 @@ static void pre_init(char *unused_name, char **unused_argv)
 {
     debug_peer_init();
 
-#ifdef USE_SASL_AUTH
     if (var_smtp_sasl_enable)
+#ifdef USE_SASL_AUTH
 	smtp_sasl_initialize();
+#else
+	msg_warn("%s is true, but SASL support is not compiled in",
+		 VAR_SMTP_SASL_ENABLE);
 #endif
 }
 
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 970d869fc..3c885537e 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -57,7 +57,7 @@
 /* .IP \fBstrict_rfc821_envelopes\fR
 /*	Disallow non-RFC 821 style addresses in envelopes. For example,
 /*	allow RFC822-style address forms with comments, like Sendmail does.
-/* .IP \fBallow_broken_auth_clients\fR
+/* .IP \fBbroken_sasl_auth_clients\fR
 /*	Support older Microsoft clients that mis-implement the AUTH
 /*	protocol, and that expect an EHLO response of "250 AUTH=list"
 /*	instead of "250 AUTH list".
@@ -67,7 +67,7 @@
 /*	either bounces mail or re-injects the result back into Postfix.
 /*	This parameter uses the same syntax as the right-hand side of
 /*	a Postfix transport table.
-/* .SH "Authenication controls"
+/* .SH "Authentication controls"
 /* .IP \fBenable_sasl_authentication\fR
 /*	Enable per-session authentication as per RFC 2554 (SASL).
 /*	This functionality is available only when explicitly selected
@@ -1415,9 +1415,12 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
     debug_peer_init();
     msg_cleanup(smtpd_cleanup);
 
-#ifdef USE_SASL_AUTH
     if (var_smtpd_sasl_enable)
+#ifdef USE_SASL_AUTH
 	smtpd_sasl_initialize();
+#else
+	msg_warn("%s is true, but SASL support is not compiled in",
+		 VAR_SMTPD_SASL_ENABLE);
 #endif
 }
 
diff --git a/postfix/src/smtpd/smtpd.h b/postfix/src/smtpd/smtpd.h
index 447ad932e..29fb3d2d7 100644
--- a/postfix/src/smtpd/smtpd.h
+++ b/postfix/src/smtpd/smtpd.h
@@ -8,6 +8,11 @@
 /* DESCRIPTION
 /* .nf
 
+ /*
+  * System library.
+  */
+#include <unistd.h>
+
  /*
   * SASL library.
   */
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 3d8c0e130..1bebfa76d 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -281,6 +281,7 @@
 /* Application-specific. */
 
 #include "smtpd.h"
+#include "smtpd_sasl_glue.h"
 #include "smtpd_check.h"
 
  /*
diff --git a/postfix/src/smtpstone/smtp-sink.c b/postfix/src/smtpstone/smtp-sink.c
index a41801354..81aab916b 100644
--- a/postfix/src/smtpstone/smtp-sink.c
+++ b/postfix/src/smtpstone/smtp-sink.c
@@ -336,11 +336,16 @@ static void connect_event(int unused_event, char *context)
 
     if ((fd = accept(sock, &sa, &len)) >= 0) {
 	if (msg_verbose)
-	    msg_info("connect (%s)", sa.sa_family == AF_LOCAL ? "AF_LOCAL" :
+	    msg_info("connect (%s)",
+#ifdef AF_LOCAL
+		     sa.sa_family == AF_LOCAL ? "AF_LOCAL" :
+#else
+		     sa.sa_family == AF_UNIX ? "AF_UNIX" :
+#endif
+		     sa.sa_family == AF_INET ? "AF_INET" :
 #ifdef AF_INET6
 		     sa.sa_family == AF_INET6 ? "AF_INET6" :
 #endif
-		     sa.sa_family == AF_INET ? "AF_INET" :
 		     "unknown protocol family");
 	non_blocking(fd, NON_BLOCKING);
 	state = (SINK_STATE *) mymalloc(sizeof(*state));