From bd2811a2ed50cf78a21393c570ea29f74e4cc1f9 Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Wed, 7 Jul 2010 00:00:00 -0500
Subject: [PATCH] postfix-2.8-20100707

---
 postfix/HISTORY                    | 15 ++++++++----
 postfix/README_FILES/LDAP_README   | 37 +++++++++++++++-------------
 postfix/README_FILES/QSHAPE_README |  7 ++++++
 postfix/RELEASE_NOTES              |  8 +++---
 postfix/WISHLIST                   |  6 +++++
 postfix/conf/postfix-files         |  2 ++
 postfix/html/LDAP_README.html      | 39 ++++++++++++++++--------------
 postfix/html/QSHAPE_README.html    |  7 ++++++
 postfix/html/SQLITE_README.html    |  2 +-
 postfix/html/postconf.5.html       |  9 +++++--
 postfix/html/sqlite_table.5.html   |  8 +++---
 postfix/man/man5/postconf.5        |  9 +++++--
 postfix/mantools/postlink          |  2 +-
 postfix/proto/LDAP_README.html     | 39 ++++++++++++++++--------------
 postfix/proto/QSHAPE_README.html   |  7 ++++++
 postfix/proto/postconf.proto       |  9 +++++--
 postfix/src/global/mail_version.h  |  2 +-
 postfix/src/oqmgr/qmgr_message.c   |  3 +++
 postfix/src/qmgr/qmgr_message.c    |  3 +++
 postfix/src/tls/tls_misc.c         |  1 +
 20 files changed, 140 insertions(+), 75 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 747e4440a..ae9005eb4 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -15823,11 +15823,12 @@ Apologies for any names omitted.
 
 20100610
 
-	Bugfix: Postfix no longer appends the system default CAs
-	to the lists specified with *_tls_CAfile or with *_tls_CApath.
-	This prevents third-party certificates from being trusted
-	and given mail relay permission with permit_tls_all_clientcerts.
-	This change may break valid configurations that do not use
+	Bugfix (introduced Postfix 2.2): Postfix no longer appends
+	the system default CA certificates to the lists specified
+	with *_tls_CAfile or with *_tls_CApath.  This prevents
+	third-party certificates from being trusted and given mail
+	relay permission with permit_tls_all_clientcerts.  This
+	change may break valid configurations that do not use
 	permit_tls_all_clientcerts.  To get the old behavior, specify
 	"tls_append_default_CA = yes".  Files: tls/tls_certkey.c,
 	tls/tls_misc.c, global/mail_params.h.  proto/postconf.proto,
@@ -15855,3 +15856,7 @@ Apologies for any names omitted.
 
 	Cleanup: SQLite read-only driver and documentation.  Files:
 	global/dict_sqlite.c, proto/mysql_table, proto/SQLITE_README.html.
+
+20100707
+
+	Completed the 20100610 bugfix. File: tls/tls_misc.c.
diff --git a/postfix/README_FILES/LDAP_README b/postfix/README_FILES/LDAP_README
index 043b311a2..12ae27530 100644
--- a/postfix/README_FILES/LDAP_README
+++ b/postfix/README_FILES/LDAP_README
@@ -232,8 +232,8 @@ settings, timeouts, ...) we have:
             search_base = dc=example, dc=com
             query_filter = mail=%s
             result_attribute = memberaddr
-        $ postmap -q agroup@example.com ldap:simple.cf
-        auser@example.org,buser@example.org
+        $ postmap -q agroup@example.com ldap:/etc/postfix/simple.cf \
+            auser@example.org,buser@example.org
 
 We search "dc=example, dc=com". The "mail" attribute is used in the
 query_filter to locate the right group, the "result_attribute" setting
@@ -261,8 +261,8 @@ example data.
             query_filter = mail=%s
             result_attribute = maildrop
             special_result_attribute = memberdn
-        $ postmap -q agroup@example.com ldap:special.cf
-        auser@mailhub.example.com,buser@mailhub.example.com
+        $ postmap -q agroup@example.com ldap:/etc/postfix/special.cf \
+            auser@mailhub.example.com,buser@mailhub.example.com
 
 Note: if the desired member object result attribute is always also present in
 the group, you get surprising results: the expansion also returns the address
@@ -288,12 +288,15 @@ expanded.
             query_filter = mail=%s
             result_attribute = maildrop
             special_result_attribute = memberdn
-        $ postmap -q auser@example.com ldap:no_expand.cf ldap:expand.cf
-        auser@mailhub.example.com
-        $ postmap -q agroup@example.com ldap:no_expand.cf ldap:expand.cf
-        auser@mailhub.example.com,buser@mailhub.example.com
-        $ postmap -q bgroup@example.com ldap:no_expand.cf ldap:expand.cf
-        bgroup@mlm.example.com
+        $ postmap -q auser@example.com \
+            ldap:/etc/postfix/no_expand.cf ldap:/etc/postfix/expand.cf \
+            auser@mailhub.example.com
+        $ postmap -q agroup@example.com \
+            ldap:/etc/postfix/no_expand.cf ldap:/etc/postfix/expand.cf \
+            auser@mailhub.example.com,buser@mailhub.example.com
+        $ postmap -q bgroup@example.com \
+            ldap:/etc/postfix/no_expand.cf ldap:/etc/postfix/expand.cf \
+            bgroup@mlm.example.com
 
 Non-group objects and groups with delayed expansion (those that have a maildrop
 attribute) are rewritten to a single maildrop value. Groups that don't have a
@@ -312,15 +315,15 @@ assume that forwarded groups are never nested inside expanded groups.
             special_result_attribute = memberdn
             terminal_result_attribute = maildrop
             leaf_result_attribute = mail
-        $ postmap -q auser@example.com ldap:fancy.cf
-        auser@mailhub.example.com
-        $ postmap -q cuser@example.com ldap:fancy.cf
-        cuser@example.com
-        $ postmap -q agroup@example.com ldap:fancy.cf
+        $ postmap -q auser@example.com ldap:/etc/postfix/fancy.cf \
+            auser@mailhub.example.com
+        $ postmap -q cuser@example.com ldap:/etc/postfix/fancy.cf \
+            cuser@example.com
+        $ postmap -q agroup@example.com ldap:/etc/postfix/fancy.cf \
 
     auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
-        $ postmap -q bgroup@example.com ldap:fancy.cf
-        bgroup@mlm.example.com
+        $ postmap -q bgroup@example.com ldap:/etc/postfix/fancy.cf \
+            bgroup@mlm.example.com
 
 Above, delayed expansion is enabled via "terminal_result_attribute", which, if
 present, is used as the sole result and all other expansion is suppressed.
diff --git a/postfix/README_FILES/QSHAPE_README b/postfix/README_FILES/QSHAPE_README
index 4a56b6166..eddcc9847 100644
--- a/postfix/README_FILES/QSHAPE_README
+++ b/postfix/README_FILES/QSHAPE_README
@@ -366,6 +366,7 @@ delivery attempts.
         /etc/postfix/main.cf:
             transport_maps = hash:/etc/postfix/transport
             slow_destination_rate_delay = 1
+            slow_destination_concurrency_failed_cohort_limit = 100
 
         /etc/postfix/transport:
             example.com  slow:
@@ -380,6 +381,12 @@ delivery attempts.
     $slow_destination_rate_delay seconds between deliveries to the same
     destination.
 
+    IMPORTANT!! The large slow_destination_concurrency_failed_cohort_limit
+    value is needed. This prevents Postfix from deferring all mail for the same
+    destination after only one connection or handshake error (the reason for
+    this is that non-zero slow_destination_rate_delay forces a per-destination
+    concurrency of 1).
+
   * Earlier Postfix versions:
 
       o In the transport map entry for the problem destination, specify a dead
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 76830b67c..304f401b8 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -17,10 +17,10 @@ before proceeding.
 Incompatibility with snapshot 20100610
 ======================================
 
-Postfix no longer appends the system-supplied default CAs to the
-lists specified with *_tls_CAfile or with *_tls_CApath. This prevents
-third-party certificates from being trusted and given mail relay
-permission with permit_tls_all_clientcerts.
+Postfix no longer appends the system-supplied default CA certificates
+to the lists specified with *_tls_CAfile or with *_tls_CApath. This
+prevents third-party certificates from being trusted and given mail
+relay permission with permit_tls_all_clientcerts.
 
 Unfortunately this change may break certificate verification on
 sites that don't use permit_tls_all_clientcerts.  Specify
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 285221991..b92af354e 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -2,6 +2,12 @@ Wish list:
 
 	Remove this file from the stable release.
 
+	Update history in manpage/readme for SQLite driver.
+
+	Make postconf aware of magical suffixes (the ones that
+	combine with transport names) and show them in "postconf
+	-n" output. Making this work with "postconf -d" is trickier.
+
 	Need a regular expression table to translate address
 	verification responses into hard/soft/accept reply codes.
 
diff --git a/postfix/conf/postfix-files b/postfix/conf/postfix-files
index baccc02a6..2f0552bed 100644
--- a/postfix/conf/postfix-files
+++ b/postfix/conf/postfix-files
@@ -280,6 +280,7 @@ $readme_directory/SCHEDULER_README:f:root:-:644
 $readme_directory/SMTPD_ACCESS_README:f:root:-:644
 $readme_directory/SMTPD_POLICY_README:f:root:-:644
 $readme_directory/SMTPD_PROXY_README:f:root:-:644
+$readme_directory/SOHO_README:f:root:-:644
 $readme_directory/STANDARD_CONFIGURATION_README:f:root:-:644
 $readme_directory/STRESS_README:f:root:-:644
 $readme_directory/TLS_LEGACY_README:f:root:-:644
@@ -330,6 +331,7 @@ $html_directory/SCHEDULER_README.html:f:root:-:644
 $html_directory/SMTPD_ACCESS_README.html:f:root:-:644
 $html_directory/SMTPD_POLICY_README.html:f:root:-:644
 $html_directory/SMTPD_PROXY_README.html:f:root:-:644
+$html_directory/SOHO_README.html:f:root:-:644
 $html_directory/STANDARD_CONFIGURATION_README.html:f:root:-:644
 $html_directory/STRESS_README.html:f:root:-:644
 $html_directory/TLS_LEGACY_README.html:f:root:-:644
diff --git a/postfix/html/LDAP_README.html b/postfix/html/LDAP_README.html
index 2a9483aa2..ac1239b8b 100644
--- a/postfix/html/LDAP_README.html
+++ b/postfix/html/LDAP_README.html
@@ -336,8 +336,8 @@ related settings (hosts, ports, bind settings, timeouts, ...) we have:
         search_base = dc=example, dc=com
         query_filter = mail=%s
         result_attribute = memberaddr
-    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:simple.cf
-    auser@example.org,buser@example.org
+    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:/etc/postfix/simple.cf \
+        auser@example.org,buser@example.org
 </pre>
 </blockquote> 
 
@@ -369,8 +369,8 @@ assume for the moment that groups never have a "maildrop" (the "bgroup"
         query_filter = mail=%s
         result_attribute = maildrop
         special_result_attribute = memberdn
-    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:special.cf
-    auser@mailhub.example.com,buser@mailhub.example.com
+    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:/etc/postfix/special.cf \
+        auser@mailhub.example.com,buser@mailhub.example.com
 </pre>
 </blockquote> 
 
@@ -400,12 +400,15 @@ never nested members of groups that are directly expanded. </p>
         query_filter = mail=%s
         result_attribute = maildrop
         special_result_attribute = memberdn
-    $ postmap -q auser@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
-    auser@mailhub.example.com
-    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
-    auser@mailhub.example.com,buser@mailhub.example.com
-    $ postmap -q bgroup@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
-    bgroup@mlm.example.com
+    $ postmap -q auser@example.com \
+        <a href="ldap_table.5.html">ldap</a>:/etc/postfix/no_expand.cf <a href="ldap_table.5.html">ldap</a>:/etc/postfix/expand.cf \
+        auser@mailhub.example.com
+    $ postmap -q agroup@example.com \
+        <a href="ldap_table.5.html">ldap</a>:/etc/postfix/no_expand.cf <a href="ldap_table.5.html">ldap</a>:/etc/postfix/expand.cf \
+        auser@mailhub.example.com,buser@mailhub.example.com
+    $ postmap -q bgroup@example.com \
+        <a href="ldap_table.5.html">ldap</a>:/etc/postfix/no_expand.cf <a href="ldap_table.5.html">ldap</a>:/etc/postfix/expand.cf \
+        bgroup@mlm.example.com
 </pre>
 </blockquote> 
 
@@ -429,14 +432,14 @@ expanded groups. </p>
         special_result_attribute = memberdn
         terminal_result_attribute = maildrop
         leaf_result_attribute = mail
-    $ postmap -q auser@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
-    auser@mailhub.example.com
-    $ postmap -q cuser@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
-    cuser@example.com
-    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
-    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
-    $ postmap -q bgroup@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
-    bgroup@mlm.example.com
+    $ postmap -q auser@example.com <a href="ldap_table.5.html">ldap</a>:/etc/postfix/fancy.cf \
+        auser@mailhub.example.com
+    $ postmap -q cuser@example.com <a href="ldap_table.5.html">ldap</a>:/etc/postfix/fancy.cf \
+        cuser@example.com
+    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:/etc/postfix/fancy.cf \
+        auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+    $ postmap -q bgroup@example.com <a href="ldap_table.5.html">ldap</a>:/etc/postfix/fancy.cf \
+        bgroup@mlm.example.com
 </pre>
 </blockquote> 
 
diff --git a/postfix/html/QSHAPE_README.html b/postfix/html/QSHAPE_README.html
index f20746688..185862a98 100644
--- a/postfix/html/QSHAPE_README.html
+++ b/postfix/html/QSHAPE_README.html
@@ -507,6 +507,7 @@ the same destination.  </p>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
     slow_destination_rate_delay = 1
+    slow_destination_concurrency_failed_cohort_limit = 100
 
 /etc/postfix/transport:
     example.com  slow:
@@ -524,6 +525,12 @@ the same destination.  </p>
 $slow_destination_rate_delay seconds between deliveries to the same
 destination.  </p>
 
+<p> IMPORTANT!! The large slow_destination_concurrency_failed_cohort_limit
+value is needed. This prevents Postfix from deferring all mail for
+the same destination after only one connection or handshake error
+(the reason for this is that non-zero slow_destination_rate_delay
+forces a per-destination concurrency of 1).  </p>
+
 <li> <p> Earlier Postfix versions: </p>
 
 <ul>
diff --git a/postfix/html/SQLITE_README.html b/postfix/html/SQLITE_README.html
index 7b78f7465..89c43d29c 100644
--- a/postfix/html/SQLITE_README.html
+++ b/postfix/html/SQLITE_README.html
@@ -54,7 +54,7 @@ map type in <a href="postconf.5.html">main.cf</a> like this: </p>
 
 <blockquote>
 <pre>
-<a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="mysql_table.5.html">sqlite</a>:/etc/postfix/sqlite-aliases.cf
+<a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="sqlite_table.5.html">sqlite</a>:/etc/postfix/sqlite-aliases.cf
 </pre>
 </blockquote>
 
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 37824d458..976401fd2 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -1980,6 +1980,11 @@ transport-specific override, where <i>transport</i> is the <a href="master.5.htm
 name of the message delivery transport.
 </p>
 
+<p> NOTE: with a non-zero _destination_rate_delay, specify a
+<a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit"><i>transport</i>_destination_concurrency_failed_cohort_limit</a> of 10
+or more to prevent Postfix from deferring all mail for the same
+destination after only one connection or handshake error. </p>
+
 <p> This feature is available in Postfix 2.5 and later. </p>
 
 
@@ -10880,8 +10885,8 @@ Example:
 (default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
 
 <p>
-Clients that are excluded from connection count, connection rate,
-or SMTP request rate restrictions. See the <a href="postconf.5.html#mynetworks">mynetworks</a> parameter
+Clients that are excluded from smtpd_client_*_count/rate_limit
+restrictions. See the <a href="postconf.5.html#mynetworks">mynetworks</a> parameter
 description for the parameter value syntax.
 </p>
 
diff --git a/postfix/html/sqlite_table.5.html b/postfix/html/sqlite_table.5.html
index c385d77cc..acf9f90a4 100644
--- a/postfix/html/sqlite_table.5.html
+++ b/postfix/html/sqlite_table.5.html
@@ -10,9 +10,9 @@ SQLITE_TABLE(5)                                                SQLITE_TABLE(5)
        sqlite_table - Postfix SQLite configuration
 
 <b>SYNOPSIS</b>
-       <b>postmap -q "</b><i>string</i><b>" <a href="mysql_table.5.html">sqlite</a>:/etc/postfix/filename</b>
+       <b>postmap -q "</b><i>string</i><b>" <a href="sqlite_table.5.html">sqlite</a>:/etc/postfix/filename</b>
 
-       <b>postmap -q - <a href="mysql_table.5.html">sqlite</a>:/etc/postfix/</b><i>filename</i> &lt;<i>inputfile</i>
+       <b>postmap -q - <a href="sqlite_table.5.html">sqlite</a>:/etc/postfix/</b><i>filename</i> &lt;<i>inputfile</i>
 
 <b>DESCRIPTION</b>
        The  Postfix  mail system uses optional tables for address
@@ -22,7 +22,7 @@ SQLITE_TABLE(5)                                                SQLITE_TABLE(5)
        Alternatively,  lookup  tables  can be specified as SQLite
        databases.  In order to  use  SQLite  lookups,  define  an
        SQLite source as a lookup table in <a href="postconf.5.html">main.cf</a>, for example:
-           <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="mysql_table.5.html">sqlite</a>:/etc/sqlite-aliases.cf
+           <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="sqlite_table.5.html">sqlite</a>:/etc/sqlite-aliases.cf
 
        The  file /etc/postfix/sqlite-aliases.cf has the same for-
        mat as the Postfix  <a href="postconf.5.html">main.cf</a>  file,  and  can  specify  the
@@ -35,7 +35,7 @@ SQLITE_TABLE(5)                                                SQLITE_TABLE(5)
        with a slash or a dot.  The SQLite parameters will then be
        accessible as the name you've given the source in its def-
        inition, an underscore, and the  name  of  the  parameter.
-       For  example,  if  the map is specified as "<a href="mysql_table.5.html">sqlite</a>:<i>sqlite-</i>
+       For  example,  if  the map is specified as "<a href="sqlite_table.5.html">sqlite</a>:<i>sqlite-</i>
        <i>name</i>", the parameter "query" below  would  be  defined  in
        <a href="postconf.5.html">main.cf</a> as "<i>sqlitename</i>_query".
 
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index a8f09df44..dd373f27f 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -1150,6 +1150,11 @@ Use \fItransport\fR_destination_rate_delay to specify a
 transport-specific override, where \fItransport\fR is the master.cf
 name of the message delivery transport.
 .PP
+NOTE: with a non-zero _destination_rate_delay, specify a
+\fItransport\fR_destination_concurrency_failed_cohort_limit of 10
+or more to prevent Postfix from deferring all mail for the same
+destination after only one connection or handshake error.
+.PP
 This feature is available in Postfix 2.5 and later.
 .SH default_destination_recipient_limit (default: 50)
 The default maximal number of recipients per message delivery.
@@ -6634,8 +6639,8 @@ smtpd_client_connection_rate_limit = 1000
 .ad
 .ft R
 .SH smtpd_client_event_limit_exceptions (default: $mynetworks)
-Clients that are excluded from connection count, connection rate,
-or SMTP request rate restrictions. See the mynetworks parameter
+Clients that are excluded from smtpd_client_*_count/rate_limit
+restrictions. See the mynetworks parameter
 description for the parameter value syntax.
 .PP
 By default, clients in trusted networks are excluded. Specify a
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index cca42d882..23cce4bfc 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -979,7 +979,7 @@ while (<>) {
     s/\b(nisplus):/<a href="nisplus_table.5.html">$1<\/a>:/g;
     s/\b(ldap):/<a href="ldap_table.5.html">$1<\/a>:/g;
     s/\b(regexp):/<a href="regexp_table.5.html">$1<\/a>:/g;
-    s/\b(sqlite):/<a href="mysql_table.5.html">$1<\/a>:/g;
+    s/\b(sqlite):/<a href="sqlite_table.5.html">$1<\/a>:/g;
     s/\b(tcp):/<a href="tcp_table.5.html">$1<\/a>:/g;
 
     # Do nice links for smtp:host:port etc.
diff --git a/postfix/proto/LDAP_README.html b/postfix/proto/LDAP_README.html
index 8cf9998d0..a7d351386 100644
--- a/postfix/proto/LDAP_README.html
+++ b/postfix/proto/LDAP_README.html
@@ -336,8 +336,8 @@ related settings (hosts, ports, bind settings, timeouts, ...) we have:
         search_base = dc=example, dc=com
         query_filter = mail=%s
         result_attribute = memberaddr
-    $ postmap -q agroup@example.com ldap:simple.cf
-    auser@example.org,buser@example.org
+    $ postmap -q agroup@example.com ldap:/etc/postfix/simple.cf \
+        auser@example.org,buser@example.org
 </pre>
 </blockquote> 
 
@@ -369,8 +369,8 @@ assume for the moment that groups never have a "maildrop" (the "bgroup"
         query_filter = mail=%s
         result_attribute = maildrop
         special_result_attribute = memberdn
-    $ postmap -q agroup@example.com ldap:special.cf
-    auser@mailhub.example.com,buser@mailhub.example.com
+    $ postmap -q agroup@example.com ldap:/etc/postfix/special.cf \
+        auser@mailhub.example.com,buser@mailhub.example.com
 </pre>
 </blockquote> 
 
@@ -400,12 +400,15 @@ never nested members of groups that are directly expanded. </p>
         query_filter = mail=%s
         result_attribute = maildrop
         special_result_attribute = memberdn
-    $ postmap -q auser@example.com ldap:no_expand.cf ldap:expand.cf
-    auser@mailhub.example.com
-    $ postmap -q agroup@example.com ldap:no_expand.cf ldap:expand.cf
-    auser@mailhub.example.com,buser@mailhub.example.com
-    $ postmap -q bgroup@example.com ldap:no_expand.cf ldap:expand.cf
-    bgroup@mlm.example.com
+    $ postmap -q auser@example.com \
+        ldap:/etc/postfix/no_expand.cf ldap:/etc/postfix/expand.cf \
+        auser@mailhub.example.com
+    $ postmap -q agroup@example.com \
+        ldap:/etc/postfix/no_expand.cf ldap:/etc/postfix/expand.cf \
+        auser@mailhub.example.com,buser@mailhub.example.com
+    $ postmap -q bgroup@example.com \
+        ldap:/etc/postfix/no_expand.cf ldap:/etc/postfix/expand.cf \
+        bgroup@mlm.example.com
 </pre>
 </blockquote> 
 
@@ -429,14 +432,14 @@ expanded groups. </p>
         special_result_attribute = memberdn
         terminal_result_attribute = maildrop
         leaf_result_attribute = mail
-    $ postmap -q auser@example.com ldap:fancy.cf
-    auser@mailhub.example.com
-    $ postmap -q cuser@example.com ldap:fancy.cf
-    cuser@example.com
-    $ postmap -q agroup@example.com ldap:fancy.cf
-    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
-    $ postmap -q bgroup@example.com ldap:fancy.cf
-    bgroup@mlm.example.com
+    $ postmap -q auser@example.com ldap:/etc/postfix/fancy.cf \
+        auser@mailhub.example.com
+    $ postmap -q cuser@example.com ldap:/etc/postfix/fancy.cf \
+        cuser@example.com
+    $ postmap -q agroup@example.com ldap:/etc/postfix/fancy.cf \
+        auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+    $ postmap -q bgroup@example.com ldap:/etc/postfix/fancy.cf \
+        bgroup@mlm.example.com
 </pre>
 </blockquote> 
 
diff --git a/postfix/proto/QSHAPE_README.html b/postfix/proto/QSHAPE_README.html
index 2ba89f91a..972c567fb 100644
--- a/postfix/proto/QSHAPE_README.html
+++ b/postfix/proto/QSHAPE_README.html
@@ -507,6 +507,7 @@ the same destination.  </p>
 /etc/postfix/main.cf:
     transport_maps = hash:/etc/postfix/transport
     slow_destination_rate_delay = 1
+    slow_destination_concurrency_failed_cohort_limit = 100
 
 /etc/postfix/transport:
     example.com  slow:
@@ -524,6 +525,12 @@ the same destination.  </p>
 $slow_destination_rate_delay seconds between deliveries to the same
 destination.  </p>
 
+<p> IMPORTANT!! The large slow_destination_concurrency_failed_cohort_limit
+value is needed. This prevents Postfix from deferring all mail for
+the same destination after only one connection or handshake error
+(the reason for this is that non-zero slow_destination_rate_delay
+forces a per-destination concurrency of 1).  </p>
+
 <li> <p> Earlier Postfix versions: </p>
 
 <ul>
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 2e28e08d3..923f1a222 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -4592,8 +4592,8 @@ This feature is available in Postfix 2.2 and later.
 %PARAM smtpd_client_event_limit_exceptions $mynetworks
 
 <p>
-Clients that are excluded from connection count, connection rate,
-or SMTP request rate restrictions. See the mynetworks parameter
+Clients that are excluded from smtpd_client_*_count/rate_limit
+restrictions. See the mynetworks parameter
 description for the parameter value syntax.
 </p>
 
@@ -12059,6 +12059,11 @@ transport-specific override, where <i>transport</i> is the master.cf
 name of the message delivery transport.
 </p>
 
+<p> NOTE: with a non-zero _destination_rate_delay, specify a
+<i>transport</i>_destination_concurrency_failed_cohort_limit of 10
+or more to prevent Postfix from deferring all mail for the same
+destination after only one connection or handshake error. </p>
+
 <p> This feature is available in Postfix 2.5 and later. </p>
 
 %PARAM transport_destination_rate_delay $default_destination_rate_delay
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index f7703cd42..eb04015d0 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20100618"
+#define MAIL_RELEASE_DATE	"20100707"
 #define MAIL_VERSION_NUMBER	"2.8"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/oqmgr/qmgr_message.c b/postfix/src/oqmgr/qmgr_message.c
index 05e6a339a..3408b3f4e 100644
--- a/postfix/src/oqmgr/qmgr_message.c
+++ b/postfix/src/oqmgr/qmgr_message.c
@@ -724,6 +724,9 @@ static int qmgr_message_read(QMGR_MESSAGE *message)
 		    msg_warn("%s: ignoring bad VERP request: \"%.100s\"",
 			     message->queue_id, start);
 		} else {
+		    if (msg_verbose)
+			msg_info("%s: enabling VERP for sender \"%.100s\"",
+				 message->queue_id, message->sender);
 		    message->single_rcpt = 1;
 		    message->verp_delims = mystrdup(start);
 		}
diff --git a/postfix/src/qmgr/qmgr_message.c b/postfix/src/qmgr/qmgr_message.c
index e54750849..c65728387 100644
--- a/postfix/src/qmgr/qmgr_message.c
+++ b/postfix/src/qmgr/qmgr_message.c
@@ -765,6 +765,9 @@ static int qmgr_message_read(QMGR_MESSAGE *message)
 		    msg_warn("%s: ignoring bad VERP request: \"%.100s\"",
 			     message->queue_id, start);
 		} else {
+		    if (msg_verbose)
+			msg_info("%s: enabling VERP for sender \"%.100s\"",
+				 message->queue_id, message->sender);
 		    message->single_rcpt = 1;
 		    message->verp_delims = mystrdup(start);
 		}
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index c1fd1c52a..1a324b939 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -421,6 +421,7 @@ void    tls_param_init(void)
 
     get_mail_conf_str_table(str_table);
     get_mail_conf_int_table(int_table);
+    get_mail_conf_bool_table(bool_table);
 }
 
 /* tls_set_ciphers - Set SSL context cipher list */