postfix-2.3.1

2025-08-29 13:18:12 +00:00 · 2006-07-24 00:00:00 -05:00 · 2006-07-24 00:00:00 -05:00 · bfbbcb2a17
commit bfbbcb2a17
parent 8236a6ce4c
59 changed files with 833 additions and 477 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -12188,17 +12188,18 @@ Apologies for any names omitted.
 20060510
 	Preliminary TLS_README and postconf(5) changes completed.
 	Victor Duchovni.
 	Added smtp_tls_policy_maps and smtp_tls_protocols features
 	to the smtp/lmtp client, changed smtp_tls_cipherlist to
-	only apply when TLS is mandatory.
+	only apply when TLS is mandatory. Victor Duchovni.
 20060512
 	Destinations that share a common server may have distinct
 	TLS protocol and cipherlist requirements, with mandatory
 	TLS add the protocol and cipherlist values to the TLS session
-	lookup key.
+	lookup key. Victor Duchovni.
 20060516
@ -12228,14 +12229,14 @@ Apologies for any names omitted.
 	The smtp_tls_policy_maps table now implements parent domain
 	matching for destinations that are bare domains (without
-	enclosin [] or optional :port suffix). This allows one to
+	enclosing [] or optional :port suffix). This allows one to
 	set TLS policy for a domain and all sub-domains. Victor
 	Duchovni.
 20060519
 	The same parameter can bind to different variables in
-	different daemons, ignore the variable name when eliminating
+	different daemons. Ignore the variable name when eliminating
 	duplicates in extract.awk. Victor Duchovni.
 20060523
@ -12482,7 +12483,7 @@ Apologies for any names omitted.
 	after an opportunistic TLS handshake fails. Specify
 	"smtp_sasl_auth_enforce = no" to deliver mail anyway.  File:
 	smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
-	SASL passwords.
+	SASL passwords. This was undone with the 20060719 workaround.
 20060709
@ -12523,9 +12524,10 @@ Apologies for any names omitted.
 	after the header label and ":" in an interesting manner.
 	It eats one space (not tab). File: milter/milter8.c.
-	Workaround: if sender-depedendent SASL passwords are enabled,
+	Workaround: if sender-dependent SASL passwords are enabled,
 	don't defer delivery when a SASL password exists but the
 	server doesn't announce SASL support. File: smtp/smtp_proto.c.
 	This was undone with the 20060719 workaround.
 	Cleanup: format of cleanup milter reject messages.  File:
 	cleanup_milter.c.
@ -12533,3 +12535,79 @@ Apologies for any names omitted.
 	Bugfix: file/memory leak if a transfer of multiple milters
 	from smtpd to cleanup broke in the middle.  Found by Coverity.
 	File: milter/milter.c.
 20060716
 	Bugfix: "sendmail -bs" panic caused by a missing
 	SMTPD_STATE_ALONE() guard before a milter_abort() call.
 	File: smtpd/smtpd.c.
 	Bugfix (bug introduced with Postfix 2.2): the Postfix SMTP
 	client enforced Mandatory TLS only when talking to an ESMTP
 	server; enforcement did not happen if Postfix could somehow
 	be forced to send HELO instead of EHLO.  Victor Duchovni.
 	File: src/smtp/smtp_proto.c.
 20060718
 	Bugfix (bug introduced 20060711): null pointer bug when
 	rejecting SMTP mail with Milter application.  File:
 	cleanup/cleanup_milter.c.
 	Workaround (problem introduced in 200605/200606 TLS update):
 	the Postfix SMTP server now issues TLS session IDs even
 	when TLS session caching is turned off, otherwise MS Outlook
 	fails to deliver mail. There may also be interoperability
 	issues with other MTAs that we haven't discovered yet.
 	Specify "smtpd_tls_always_issue_session_ids = no" to disable
 	the workaround. Victor Duchovni. Files: smtpd/smtpd.c,
 	tls/tls_server.c.
 20060719
 	Cleanup: the smtp_sasl_auth_enforce feature is gone. It was
 	meant to work around a problem that was introduced with
 	plaintext fallback after a failed TLS handshake.  Unfortunately,
 	it created more problems than it solved. We now address the
 	underlying problem more directly as described next. File:
 	smtp/smtp_proto.c.
 	Safety: don't fall back to plaintext delivery after failed
 	TLS handshake, when the Postfix SMTP client would have
 	attempted to log in with SASL after successful TLS handshake.
 	This avoids undesirable behavior regardless of whether the
 	server does support SASL over plaintext (unexpected password
 	disclosure) and whether the server doesn't support SASL
 	over plaintext (insufficient mail relay permission).  Files:
 	smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c.
 20060720
 	Compatibility: replace %% in milter replies by %, and strip
 	single (i.e. invalid) % characters. File: milter/milter8.c.
 	Compatibility: $_ macro support for Milter applications.
 	Files: smtpd/smtpd.c, smtpd/smtpd_milter.c,
 	cleanup/cleanup_state.c, cleanup/cleanup_milter.c.
 20060721
 	Safety: disable Milter processing after "postsuper -r".  If
 	the mail has been filtered there is no need to do it again.
 	Moreover, when mail has passed through an external content
 	filter, we don't have sufficient information to reproduce
 	the exact same SMTP events and Sendmail macros that Milters
 	received when the mail originally arrived in Postfix.  This
 	change does not affect Milter applications that run behind
 	an after-queue content filter. File: pickup/pickup.c.
 	Bugfix: Milters received a truncated ORCPT=xxx parameter
 	due to destructive parsing of something that didn't have
 	to be preserved before Milter support was added to Postfix.
 	File: smtpd/smtpd.c.
 20060724
 	Bugfix: when updating the same header multiple times, the
 	Postfix Milter client created a queue file that caused
 	delivery agents to loop.  File: cleanup/cleanup_milter.c.
--- a/postfix/Makefile.in
+++ b/postfix/Makefile.in
@ -61,6 +61,8 @@ depend_update:
 tidy:	clean
 	rm -f Makefile */Makefile src/*/Makefile
 	cp Makefile.init Makefile
 	rm -f README_FILES/RELEASE_NOTES
 	ln -s ../RELEASE_NOTES README_FILES
 	rm -f bin/[!CRS]* lib/[!CRS]* include/[!CRS]* libexec/[!CRS]* \
 	    junk */junk */*/junk \
 	    *core */*core */*/*core \
--- a/postfix/README_FILES/DB_README
+++ b/postfix/README_FILES/DB_README
@ -74,7 +74,7 @@ BBuuiillddiinngg PPoossttffiixx oonn BBSSDD ssyysstteem
 Some BSD systems ship with multiple Berkeley DB implementations. Normally,
 Postfix builds with the default DB version that ships with the system.
-To build Postfix on BSD systems with a specific DB version, use a variant of
+To build Postfix on BSD systems with a non-default DB version, use a variant of
 the following commands:
    % make tidy
--- a/postfix/README_FILES/FILTER_README
+++ b/postfix/README_FILES/FILTER_README
@ -344,12 +344,10 @@ the Postfix master.cf file:
    real client name IP address. See smtp(8) and XFORWARD_README for more
    information.
-  * With "-o disable_mime_output_conversion=yes", the scan delivery agent will
+  * The "-o disable_mime_output_conversion=yes" is a workaround that prevents
-    not convert 8BITMIME mail to quoted-printable form while delivering to the
+    the breaking of domainkeys and other digital signatures. This is needed
-    content filter, as that would invalidate domainkeys and other digital
+    because some SMTP-based content filters don't announce 8BITMIME support,
-    signatures. This workaround is needed because some SMTP-based content
+    even though they can handle it just fine.
    filters don't announce 8BITMIME support, even though they can handle it
    just fine.
 AAddvvaanncceedd ccoonntteenntt ffiilltteerr:: rruunnnniinngg tthhee ccoonntteenntt ffiilltteerr
--- a/postfix/README_FILES/LINUX_README
+++ b/postfix/README_FILES/LINUX_README
@ -5,10 +5,15 @@ PPoossttffiixx aanndd LLiinnuuxx
 BBeerrkkeelleeyy DDBB iissssuueess
 Warning: if you can't compile Postfix because the file "db.h" isn't found, then
-you MUST install the Berkeley DB development package (package name: db???-
+you MUST install the Berkeley DB development package (name: db???-devel-???)
-devel-???) that comes with your Linux system. Only that package contains the
+that matches your system library. You can find out what is installed with the
-files that correspond to the Berkeley DB version that is used by the system
+rpm command. For example:
-library routines.
+
    $ rrppmm --qqff //uussrr//lliibb//lliibbddbb..ssoo
    db4-4.3.29-2
 This means that you need to install db4-devel-4.3.29-2 (on some systems,
 specify /lib/libdb.so in the rpm query).
 DO NOT download some Berkeley DB version from the network. Every Postfix
 program will dump core when it is built with a different Berkeley DB version
--- a/postfix/README_FILES/MILTER_README
+++ b/postfix/README_FILES/MILTER_README
@ -104,7 +104,7 @@ On other platforms you have two options:
    Sendmail source code instead:
        $ ggzzccaatt sseennddmmaaiill--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
-        $ ccdd sseennddmmaaiill--xx..yy..zz
+        $ ccdd sseennddmmaaiill--xx..yy..zz//lliibbmmiilltteerr
        $ mmaakkee
        [...lots of output omitted...]
@ -316,6 +316,9 @@ workarounds section below for solutions.
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |j                   |Always                   |value of myhostname       |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |_                   |Always                   |The validated client name |
    |                    |                         |and address               |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{auth_authen}       |MAIL, DATA, EOM          |SASL login name           |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{auth_author}       |MAIL, DATA, EOM          |SASL sender               |
@ -382,9 +385,9 @@ message).
 WWoorrkkaarroouunnddss
 Content filters may break domain key etc. signatures. If you use an SMTP-based
-filter as described in FILTER_README, then you should add a line to master.cf
+content filter, then you should add a line to master.cf with "-
-with "disable_mime_output_conversion = yes", as described in the advanced
+o disable_mime_output_conversion=yes" (note: no spaces around the "="), as
-content filter example.
+described in the advanced content filter example.
 Sendmail Milter applications were originally developed for the Sendmail version
 8 MTA, which has a different architecture than Postfix. The result is that some
--- a/postfix/README_FILES/RELEASE_NOTES
+++ b/postfix/README_FILES/RELEASE_NOTES
@ -1,113 +0,0 @@
 The stable Postfix release is called postfix-2.2.x where 2=major
 release number, 2=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
 postfix-2.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 Incompatibility with Postfix 2.1 and earlier
 ============================================
 If you upgrade from Postfix 2.1 or earlier, read RELEASE_NOTES-2.2
 before proceeding.
 Major changes with snapshot 20050510
 ====================================
 This release improves usability of DSN (enhanced status codes) in
 Postfix access tables, RBL reply templates and in transport maps
 that use the error(8) delivery agent.
 - When the SMTP server rejects a sender address, it transforms a
  recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding
  sender DSN status, and vice versa.
 - When the SMTP server rejects non-address information (such as the
  HELO command parameter or the client hostname/address), it
  transforms a sender or recipient DSN status into a generic
  non-address DSN status (e.g., 4.0.0).
 These transformations are needed when the same access table or RBL
 reply template are used for client, helo, sender, or recipient
 restrictions; or when the same error(8) mailer information is used
 for both senders and recipients.
 Incompatibility with snapshot 20050503
 ======================================
 The format of some "warning:" messages in the maillog has changed
 so that they are easier to sort:
 - The logging now talks about "access table", instead of using three
 different expressions "access table", "access map" and "SMTPD access
 map" for the same thing.
 - "non-SMTP command" is now logged BEFORE the client name/address
 and the offending client input, instead of at the end.
 Major change with snapshot 20050427+DSN
 =======================================
 This is experimental DSN support added to snapshot 20050427.  The
 code is not for production purposes; it is not fully tested, some
 names and interfaces are still rough around the edges, and it does
 not update the oqmgr so you have to use qmgr instead.  Some
 implementation notes and open issues are described in the
 DSN_SUPPORT_README file (top-level directory).
 Incompatibility with snapshot 20050329
 ======================================
 If you use TLS, you need to execute "postfix reload" because the
 TLS manager protocol has changed.
 Incompatibility with snapshot 20050328
 ======================================
 The logging format has changed. Postfix delivery agents now log the
 RFC 3463 enhanced status code as "dsn=x.y.z" where y and z can be
 up to three digits each. See the file pfloggsum-dsn-patch for an
 update to the pfloggsum script.
 After you upgrade from Postfix 2.2 or 2.3 you need to execute
 "postfix reload", otherwise you will keep running the old Postfix
 queue manager, which gives no special treatment to the enhanced
 status codes that it receives from Postfix delivery agents.
 Major changes with snapshot 20050328
 ====================================
 This release introduces support for RFC 3463 enhanced status codes.
 For example, status code 5.1.1 means "recipient unknown". Postfix
 recognizes enhanced status codes in remote server replies, generates
 enhanced status codes while handling email, and reports enhanced
 status codes in non-delivery notifications.  This improves the user
 interaction with mail clients that hide the text of error messages
 from users.
 You can, but don't have to, specify RFC 3463 enhanced status codes
 in the output from commands that receive mail from a pipe. If a
 command terminates with non-zero exit status, and an enhanced status
 code is present at the beginning of the command output, then that
 status code takes precedence over the non-zero exit status.
 You can, but don't have to, specify RFC 3463 enhanced status codes
 in Postfix access maps, header/body_checks REJECT actions, or in
 RBL replies.  For example:
    REJECT 5.7.1 You can't go here from there
 The status 5.7.1 means "no authorization, message refused", and is
 the default for access maps, header/body_checks REJECT actions, and
 for RBL replies.
 If you specify your own enhanced status code, the Postfix SMTP
 server will automatically change a leading '5' digit (hard error)
 into '4' where appropriate.  This is needed, for example, with
 soft_bounce=yes.
--- a/postfix/README_FILES/RELEASE_NOTES
+++ b/postfix/README_FILES/RELEASE_NOTES
@ -0,0 +1 @@
 ../RELEASE_NOTES
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@ -71,13 +71,14 @@ no need to link extra libraries into Postfix.
 To generate the necessary Makefiles, execute the following in the Postfix top-
 level directory:
-    % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
+    % make makefiles CCARGS='-DUSE_SASL_AUTH -
    DDEF_SASL_SERVER_TYPE=\"dovecot\"'
 After this, proceed with "make" as described in the INSTALL document.
 Notes:
-  * The "-DDEF_SASL_SERVER" stuff is not necessary; it just makes Postfix
+  * The "-DDEF_SASL_SERVER_TYPE" stuff is not necessary; it just makes Postfix
    configuration a little more convenient because you don't have to specify
    the SASL plug-in type in the Postfix main.cf file.
--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@ -323,8 +323,8 @@ port<>25 and OE (5.01 Mac on all ports).
 It is strictly discouraged to use this mode from main.cf. If you want to
 support this service, enable a special port in master.cf and specify "-
-o smtpd_tls_wrappermode = yes" as an smtpd(8) command line option. Port 465
+o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8)
-(smtps) was once chosen for this feature.
+command line option. Port 465 (smtps) was once chosen for this feature.
 Example:
@ -426,6 +426,17 @@ Example:
    /etc/postfix/main.cf:
        smtpd_tls_session_cache_timeout = 3600s
 When the Postfix SMTP server does not save TLS sessions to an external cache
 database, client-side session caching is unlikely to be useful. To prevent such
 wastage, the Postfix SMTP server can be configured to not issue TLS session
 ids. By default the Postfix SMTP server always issues TLS session ids. This
 works around known interoperability issues with some MUAs, and prevents
 possible interoperability issues with other MTAs.
 Example:
        smtpd_tls_always_issue_session_ids = no
 SSeerrvveerr aacccceessss ccoonnttrrooll
 Postfix TLS support introduces three additional features for Postfix SMTP
@ -1421,15 +1432,18 @@ perfect match between the server hostname and the server certificate, there is
 no guarantee that Postfix is connected to the right server. To avoid this
 loophole, take all of the following steps:
- 1. Use a dedicated transport for all secure-channel deliveries.
+ 1. Use a dedicated message delivery transport (for example, "securetls") as
    illustrated below.
 2. Eliminate MX lookups. Specify local transport(5) table entries for
-    sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port
+    sensitive domains with explicit securetls:[mailhost] or securetls:
-    destinations (you can assure security of this table unlike DNS); in the
+    [mailhost]:port destinations (you can assure security of this table unlike
-    smtp_tls_per_site table, specify the value "MUST" for the key [mailhost] or
+    DNS). This prevents false hostname information in DNS MX records from
-    smtp:[mailhost]:port. This prevents false hostname information in DNS MX
+    changing Postfix's notion of the server hostname that is used for TLS
-    records from changing Postfix's notion of the server hostname that is used
+    policy lookup and server certificate verification. The "securetls"
-    for TLS policy lookup and server certificate verification.
+    transport is configured to enforce TLS with peername verification, and to
    disable the SMTP connection cache which could interfere with enforcement of
    smtp_tls_per_site policies.
 3. Disallow CNAME hostname overrides. In main.cf, specify
    "smtp_cname_overrides_servername = no". This prevents false hostname
@ -1459,8 +1473,6 @@ the need for per-site table entries for secure-channel destinations.
    /etc/postfix/master.cf:
        securetls unix  -       -       n       -       100     smtp
            -o smtp_connection_cache_on_demand=no
            -o smtp_connection_cache_destinations=
            -o smtp_enforce_tls=yes
            -o smtp_tls_enforce_peername=yes
--- a/postfix/conf/postfix-files
+++ b/postfix/conf/postfix-files
@ -353,6 +353,7 @@ $html_directory/postconf.1.html:f:root:-:644
 $html_directory/postconf.5.html:f:root:-:644
 $html_directory/postdrop.1.html:f:root:-:644
 $html_directory/postfix-logo.jpg:f:root:-:644
 $html_directory/postfix-manuals.html:f:root:-:644
 $html_directory/postfix.1.html:f:root:-:644
 $html_directory/postkick.1.html:f:root:-:644
 $html_directory/postlock.1.html:f:root:-:644
--- a/postfix/html/DB_README.html
+++ b/postfix/html/DB_README.html
@ -112,7 +112,7 @@ Berkeley DB versions</a></h2>
 Normally, Postfix builds with the default DB version that ships
 with the system. </p>
-<p> To build Postfix on BSD systems with a specific DB version,
+<p> To build Postfix on BSD systems with a non-default DB version,
 use a variant of the following commands: </p>
 <blockquote>
--- a/postfix/html/FILTER_README.html
+++ b/postfix/html/FILTER_README.html
@ -634,12 +634,10 @@ after-filter smtpd process, so that filtered mail is logged with
 the real client name IP address. See <a href="smtp.8.html">smtp(8)</a> and <a href="XFORWARD_README.html">XFORWARD_README</a>
 for more information. </p>
-<li> <p> With "-o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes", the scan
+<li> <p> The "-o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes" is a workaround
-delivery agent will not convert 8BITMIME mail to quoted-printable
+that prevents the breaking of domainkeys and other digital signatures.
-form while delivering to the content filter, as that would invalidate
+This is needed because some SMTP-based content filters don't announce
-domainkeys and other digital signatures.  This workaround is needed
+8BITMIME support, even though they can handle it just fine.  </p>
 because some SMTP-based content filters don't announce 8BITMIME
 support, even though they can handle it just fine.  </p>
 </ul>
--- a/postfix/html/LINUX_README.html
+++ b/postfix/html/LINUX_README.html
@ -21,11 +21,20 @@
 <p> Warning: if you can't compile Postfix because the file "db.h"
 isn't found, then you MUST install the Berkeley DB development
-package (package name: db???-devel-???) that comes with your Linux
+package (name: db???-devel-???) that matches your system library.
-system. Only that package contains the files that correspond to the
+You can find out what is installed with the rpm command. For example:
 Berkeley DB version that is used by the system library routines.
 </p>
 <blockquote>
 <pre>
 $ <b>rpm -qf /usr/lib/libdb.so</b>
 db4-4.3.29-2
 </pre>
 </blockquote>
 <p> This means that you need to install db4-devel-4.3.29-2 (on
 some systems, specify <tt>/lib/libdb.so</tt> in the rpm query). </p>
 <p> DO NOT download some Berkeley DB version from the network.
 Every Postfix program will dump core when it is built with a different
 Berkeley DB version than the version that is used by the system
--- a/postfix/html/MILTER_README.html
+++ b/postfix/html/MILTER_README.html
@ -228,7 +228,7 @@ library from Sendmail source code instead: </p>
 <blockquote>
 <pre>
 $ <b>gzcat sendmail-<i>x.y.z</i>.tar.gz | tar xf -</b>
-$ <b>cd sendmail-<i>x.y.z</i></b>
+$ <b>cd sendmail-<i>x.y.z</i>/libmilter</b>
 $ <b>make</b>
 [...<i>lots of output omitted</i>...]
 </pre>
@ -521,6 +521,9 @@ href="#workarounds">workarounds</a> section below for solutions.
 <tr> <td> j </td> <td> Always </td> <td> value of <a href="postconf.5.html#myhostname">myhostname</a> </td>
 </tr>
 <tr> <td> _ </td> <td> Always </td> <td> The validated client name
 and address </td> </tr>
 <tr> <td> {auth_authen} </td> <td> MAIL, DATA, EOM </td> <td> SASL
 login name </td> </tr>
@ -613,9 +616,9 @@ TO </td> </tr>
 <h2><a name="workarounds">Workarounds</a></h2>
 <p> Content filters may break domain key etc. signatures. If you
-use an SMTP-based filter as described in <a href="FILTER_README.html">FILTER_README</a>, then you
+use an SMTP-based content filter, then you should add a line to
-should add a line to <a href="master.5.html">master.cf</a> with "<a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>
+<a href="master.5.html">master.cf</a> with "-o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes" (note: no
-= yes", as described in the <a
+spaces around the "="), as described in the <a
 href="FILTER_README.html#advanced_filter">advanced content filter</a>
 example. </p>
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@ -127,7 +127,7 @@ in the Postfix top-level directory: </p>
 <blockquote>
 <pre>
-% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
+% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER_TYPE=\"dovecot\"'
 </pre>
 </blockquote>
@ -138,7 +138,7 @@ in the Postfix top-level directory: </p>
 <ul>
-<li> <p> The "-DDEF_SASL_SERVER" stuff is not necessary; it just
+<li> <p> The "-DDEF_SASL_SERVER_TYPE" stuff is not necessary; it just
 makes Postfix configuration a little more convenient because you
 don't have to specify the SASL plug-in type in the Postfix <a href="postconf.5.html">main.cf</a>
 file.  </p>
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@ -490,8 +490,9 @@ and OE (5.01 Mac on all ports). </p>
 <p> It is strictly discouraged to use this mode from <a href="postconf.5.html">main.cf</a>. If
 you want to support this service, enable a special port in <a href="master.5.html">master.cf</a>
-and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> = yes" as an <a href="smtpd.8.html">smtpd(8)</a> command
+and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" (note: no space around
-line option.  Port 465 (smtps) was once chosen for this feature.
+the "=") as an <a href="smtpd.8.html">smtpd(8)</a> command line option.  Port 465 (smtps) was
 once chosen for this feature.
 </p>
 <p> Example: </p>
@ -631,6 +632,22 @@ recommends a maximum of 24 hours.  </p>
 </pre>
 </blockquote>
 <p> When the Postfix SMTP server does not save TLS sessions to an
 external cache database, client-side session caching is unlikely
 to be useful.  To prevent such wastage, the Postfix SMTP server can
 be configured to not issue TLS session ids. By default the Postfix
 SMTP server always issues TLS session ids. This works around known
 interoperability issues with some MUAs, and prevents possible
 interoperability issues with other MTAs. </p>
 <p> Example: </p>
 <blockquote>
 <pre>
    <a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> = no
 </pre>
 </blockquote>
 <h3><a name="server_access">Server access control</a> </h3>
 <p> Postfix TLS support introduces three additional features for
@ -1822,10 +1839,10 @@ the following information:  </p>
 <dl>
 <dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
-name of the server that the Postfix SMTP client connects to; this name
+name of the server that the Postfix SMTP client connects to; this
-may be obtained from other DNS lookups, such as MX lookups or CNAME
+name may be obtained from other DNS lookups, such as MX lookups or
-lookups. Use of the hostname lookup key is discouraged; always use the
+CNAME lookups. Use of the hostname lookup key is discouraged; always
-next-hop destination instead. </dd>
+use the next-hop destination instead. </dd>
 <dt> next-hop destination </dt> <dd> This is normally the domain portion
 of the recipient address, but it may be overridden by information from
@ -1924,17 +1941,19 @@ steps: </p>
 <ol>
-<li> <p> Use a dedicated transport for all secure-channel deliveries. </p>
+<li> <p> Use a dedicated message delivery transport (for example,
 "securetls") as illustrated below. </p>
 <li> <p> Eliminate MX lookups. Specify local <a href="transport.5.html">transport(5)</a> table
-entries for sensitive domains with explicit <a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]
+entries for sensitive domains with explicit securetls:[<i>mailhost</i>]
-or <a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]:<i>port</i> destinations (you can assure
+or securetls:[<i>mailhost</i>]:<i>port</i> destinations (you can
-security of this table unlike DNS); in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>
+assure security of this table unlike DNS). This prevents false
-table, specify the value "MUST" for the key [<i>mailhost</i>] or
+hostname information in DNS MX records from changing Postfix's
-<a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]:<i>port</i>. This prevents false hostname
+notion of the server hostname that is used for TLS policy lookup
-information in DNS MX records from changing Postfix's notion of the
+and server certificate verification. The "securetls" transport is
-server hostname that is used for TLS policy lookup and server certificate
+configured to enforce TLS with peername verification, and to disable
-verification. </p>
+the SMTP connection cache which could interfere with enforcement
 of <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> policies. </p>
 <li> <p> Disallow CNAME hostname overrides. In <a href="postconf.5.html">main.cf</a>, specify
 "<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
@ -1971,8 +1990,6 @@ destinations. </p>
 /etc/postfix/<a href="master.5.html">master.cf</a>:
    securetls unix  -       -       n       -       100     smtp
        -o <a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a>=no
        -o <a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a>=
        -o <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>=yes
        -o <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>=yes
 </pre>
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -3556,17 +3556,6 @@ Enable SASL authentication in the Postfix LMTP client.
 </p>
 </DD>
 <DT><b><a name="lmtp_sasl_auth_enforce">lmtp_sasl_auth_enforce</a>
 (default: yes)</b></DT><DD>
 <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a>
 configuration parameter.  See there for details. </p>
 <p> This feature is available in Postfix 2.3 and later. </p>
 </DD>
 <DT><b><a name="lmtp_sasl_mechanism_filter">lmtp_sasl_mechanism_filter</a>
@ -7590,19 +7579,6 @@ Example:
 </pre>
 </DD>
 <DT><b><a name="smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a>
 (default: yes)</b></DT><DD>
 <p> If sender-dependent SASL passwords are turned off, defer mail
 delivery when an SMTP server does not support SASL authentication,
 while <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> contains SASL login/password information
 for that server.  </p>
 <p> This feature is available in Postfix 2.3 and later. </p>
 </DD>
 <DT><b><a name="smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a>
@ -9819,7 +9795,7 @@ null sender address.
 <DT><b><a name="smtpd_peername_lookup">smtpd_peername_lookup</a>
 (default: yes)</b></DT><DD>
-<p> Attempt to look up the Postfix SMTP client hostname, and verify that
+<p> Attempt to look up the remote SMTP client hostname, and verify that
 the name matches the client IP address. A client name is set to
 "unknown" when it cannot be looked up or verified, or when name
 lookup is disabled.  Turning off name lookup reduces delays due to
@ -10780,6 +10756,36 @@ feature is therefore not recommended. </p>
 <p> This feature is available in Postfix 2.2 and later.  </p>
 </DD>
 <DT><b><a name="smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a>
 (default: yes)</b></DT><DD>
 <p> Force the Postfix SMTP server to issue a TLS session id, even
 when TLS session caching is turned off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>
 is empty). This behavior is compatible with Postfix &lt; 2.3. </p>
 <p> With Postfix 2.3 and later the Postfix SMTP server can disable
 session id generation when TLS session caching is turned off. This
 keeps clients from caching sessions that almost certainly cannot
 be re-used.  </p>
 <p> By default, the Postfix SMTP server always generates TLS session
 ids. This works around a known defect in mail client applications
 such as MS Outlook, and may also prevent interoperability issues
 with other MTAs. </p>
 <p> Example: </p>
 <blockquote>
 <pre>
    <a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> = no
 </pre>
 </blockquote>
 <p> This feature is available in Postfix 2.3 and later. </p>
 </DD>
 <DT><b><a name="smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
--- a/postfix/html/postfix-manuals.html
+++ b/postfix/html/postfix-manuals.html
@ -113,9 +113,9 @@ the following convention:  </p>
 <li> <a href="bounce.5.html">bounce(5)</a>, Postfix bounce message templates 
-<li> <a href="master.5.html">master(5)</a>, Postfix master.cf file syntax 
+<li> <a href="master.5.html">master(5)</a>, Postfix <a href="master.5.html">master.cf</a> file syntax 
-<li> <a href="postconf.5.html">postconf(5)</a>, Postfix main.cf file syntax 
+<li> <a href="postconf.5.html">postconf(5)</a>, Postfix <a href="postconf.5.html">main.cf</a> file syntax 
 </ul>
--- a/postfix/html/postfix.1.html
+++ b/postfix/html/postfix.1.html
@ -62,7 +62,7 @@ POSTFIX(1)                                                          POSTFIX(1)
              <b>postfix-files</b> file.
              Specify <i>name</i>=<i>value</i> to override and update  specific
-              main.cf  configuration  parameters.  Use  this, for
+              <a href="postconf.5.html">main.cf</a>  configuration  parameters.  Use  this, for
              example, to change the <b><a href="postconf.5.html#mail_owner">mail_owner</a></b>  or  <b><a href="postconf.5.html#setgid_group">setgid_group</a></b>
              setting for an already installed Postfix system.
@ -71,13 +71,13 @@ POSTFIX(1)                                                          POSTFIX(1)
              <b>fix/post-install set-permissions</b>".
       <b>upgrade-configuration [</b><i>name</i>=<i>value ...</i><b>]</b>
-              Update  the <b>main.cf</b> and <b>master.cf</b> files with infor-
+              Update  the <a href="postconf.5.html"><b>main.cf</b></a> and <a href="master.5.html"><b>master.cf</b></a> files with infor-
              mation that Postfix needs in order to run:  add  or
              update  services,  and  add or update configuration
              parameter settings.
              Specify <i>name</i>=<i>value</i> to override and update  specific
-              main.cf configuration parameters.
+              <a href="postconf.5.html">main.cf</a> configuration parameters.
              This feature is available in Postfix 2.1 and later.
              With  Postfix  2.0  and  earlier,  use  "<b>/etc/post-</b>
@ -86,7 +86,7 @@ POSTFIX(1)                                                          POSTFIX(1)
       The following options are implemented:
       <b>-c</b> <i>config</i><b>_</b><i>dir</i>
-              Read  the <b>main.cf</b> and <b>master.cf</b> configuration files
+              Read  the <a href="postconf.5.html"><b>main.cf</b></a> and <a href="master.5.html"><b>master.cf</b></a> configuration files
              in the named directory instead of the default  con-
              figuration  directory.   Use  this  to  distinguish
              between multiple  Postfix  instances  on  the  same
@ -118,7 +118,7 @@ POSTFIX(1)                                                          POSTFIX(1)
              present.
 <b>CONFIGURATION PARAMETERS</b>
-       The   following   <b>main.cf</b>   configuration  parameters  are
+       The   following   <a href="postconf.5.html"><b>main.cf</b></a>   configuration  parameters  are
       exported as environment variables with the same names:
       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
@ -130,8 +130,8 @@ POSTFIX(1)                                                          POSTFIX(1)
              daemon programs.
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  main.cf  and
+              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
-              master.cf configuration files.
+              <a href="master.5.html">master.cf</a> configuration files.
       <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
              The  location of the Postfix top-level queue direc-
@ -173,8 +173,8 @@ POSTFIX(1)                                                          POSTFIX(1)
       Other configuration parameters:
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location  of  the Postfix main.cf and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
-              master.cf configuration files.
+              <a href="master.5.html">master.cf</a> configuration files.
       <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
              The list of environment parameters that  a  Postfix
@ -190,8 +190,8 @@ POSTFIX(1)                                                          POSTFIX(1)
              becomes, for example, "postfix/smtpd".
 <b>FILES</b>
-       /etc/postfix/main.cf, Postfix configuration parameters
+       /etc/postfix/<a href="postconf.5.html">main.cf</a>, Postfix configuration parameters
-       /etc/postfix/master.cf, Postfix daemon processes
+       /etc/postfix/<a href="master.5.html">master.cf</a>, Postfix daemon processes
       /etc/postfix/postfix-files, file/directory permissions
       /etc/postfix/postfix-script, administrative commands
       /etc/postfix/post-install, post-installation configuration
@ -214,8 +214,8 @@ POSTFIX(1)                                                          POSTFIX(1)
       Postfix configuration:
       <a href="bounce.5.html">bounce(5)</a>, Postfix bounce message templates
-       <a href="master.5.html">master(5)</a>, Postfix master.cf file syntax
+       <a href="master.5.html">master(5)</a>, Postfix <a href="master.5.html">master.cf</a> file syntax
-       <a href="postconf.5.html">postconf(5)</a>, Postfix main.cf file syntax
+       <a href="postconf.5.html">postconf(5)</a>, Postfix <a href="postconf.5.html">main.cf</a> file syntax
       Table-driven mechanisms:
       <a href="access.5.html">access(5)</a>, Postfix SMTP access control table
@ -283,6 +283,14 @@ POSTFIX(1)                                                          POSTFIX(1)
       P.O. Box 704
       Yorktown Heights, NY 10598, USA
       TLS support by:
       Lutz Jaenicke
       Brandenburg University of Technology
       Cottbus, Germany
       Victor Duchovni
       Morgan Stanley
       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
--- a/postfix/html/postsuper.1.html
+++ b/postfix/html/postsuper.1.html
@ -30,7 +30,7 @@ POSTSUPER(1)                                                      POSTSUPER(1)
       Options:
       <b>-c</b> <i>config</i><b>_</b><i>dir</i>
-              The  <b>main.cf</b>  configuration  file  is  in the named
+              The  <a href="postconf.5.html"><b>main.cf</b></a>  configuration  file  is  in the named
              directory  instead  of  the  default  configuration
              directory.  See  also  the  MAIL_CONFIG environment
              setting below.
@ -136,12 +136,32 @@ POSTSUPER(1)                                                      POSTSUPER(1)
              case.
              A requeued message is moved to the <b>maildrop</b>  queue,
-              from  where  it is copied by the pickup daemon to a
+              from  where  it  is  copied  by  the  <a href="pickup.8.html"><b>pickup</b>(8)</a> and
-              new file whose name is guaranteed to match the  new
+              <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemons to a new  queue  file.  In  many
-              queue file inode number. The new queue file is sub-
+              respects  its  handling  differs from that of a new
-              jected again to mail address rewriting and  substi-
+              local submission.
-              tution. This is useful when rewriting rules or vir-
+
-              tual mappings have changed.
+              <b>o</b>      The  message  is  not   subjected   to   the
                     <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> or <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a> settings.
                     When mail has  passed  through  an  external
                     content filter, this would produce incorrect
                     results with Milter applications that depend
                     on  original  SMTP connection state informa-
                     tion.
              <b>o</b>      The  message  is  subjected  again  to  mail
                     address rewriting and substitution.  This is
                     useful when rewriting rules or virtual  map-
                     pings have changed.
                     The  address  rewriting  context  (local  or
                     remote) is the same as when the message  was
                     received.
              <b>o</b>      The  message  is  subjected to the same <a href="postconf.5.html#content_filter">con</a>-
                     <a href="postconf.5.html#content_filter">tent_filter</a> settings (if any)  as  used  for
                     new  local mail submissions.  This is useful
                     when <a href="postconf.5.html#content_filter">content_filter</a> settings have changed.
              Warning: Postfix queue IDs are reused.  There is  a
              very  small  possibility that <a href="postsuper.1.html"><b>postsuper</b>(1)</a> requeues
@ -180,21 +200,21 @@ POSTSUPER(1)                                                      POSTSUPER(1)
 <b>ENVIRONMENT</b>
       MAIL_CONFIG
-              Directory with the <b>main.cf</b> file.
+              Directory with the <a href="postconf.5.html"><b>main.cf</b></a> file.
 <b>BUGS</b>
       Mail that is not sanitized by Postfix (i.e.  mail  in  the
       <b>maildrop</b> queue) cannot be placed "on hold".
 <b>CONFIGURATION PARAMETERS</b>
-       The  following  <b>main.cf</b> parameters are especially relevant
+       The  following  <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
       to this program.  The text below provides only a parameter
       summary.  See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including exam-
       ples.
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  main.cf  and
+              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
-              master.cf configuration files.
+              <a href="master.5.html">master.cf</a> configuration files.
       <b><a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a> (1)</b>
              The  number of subdirectory levels for queue direc-
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@ -293,13 +293,6 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 2.3 and later:
       <b><a href="postconf.5.html#smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a> (yes)</b>
              If sender-dependent SASL passwords are turned  off,
              defer  mail  delivery  when an SMTP server does not
              support SASL authentication, while  <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_pass</a>-
              <a href="postconf.5.html#smtp_sasl_password_maps">word_maps</a>  contains SASL login/password information
              for that server.
       <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
              Enable sender-dependent authentication in the Post-
              fix  SMTP  client; this is available only with SASL
@ -387,6 +380,16 @@ SMTP(8)                                                                SMTP(8)
              offers  STARTTLS,  when  TLS is not already enabled
              for that server.
       <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS security policy by next-hop destination; when a
              non-empty value is specified,  this  overrides  the
              obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
              List  of TLS protocols that the Postfix SMTP client
              will use with mandatory TLS encryption.
       <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
              The verification depth for remote SMTP server  cer-
              tificates.
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@ -130,6 +130,13 @@ SMTPD(8)                                                              SMTPD(8)
              Postpone the start  of  an  SMTP  mail  transaction
              until a valid RCPT TO command is received.
       Available in Postfix version 2.3 and later:
       <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
              Force  the  Postfix SMTP server to issue a TLS ses-
              sion id, even when TLS session  caching  is  turned
              off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).
 <b>ADDRESS REWRITING CONTROLS</b>
       See  the  <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed
       discussion of Postfix address rewriting.
@ -355,6 +362,11 @@ SMTPD(8)                                                              SMTPD(8)
              authority (CA) that issued the Postfix SMTP  server
              certificate.
       <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
              Force  the  Postfix SMTP server to issue a TLS ses-
              sion id, even when TLS session  caching  is  turned
              off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).
       <b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
              Ask  a remote SMTP client for a client certificate.
@ -694,9 +706,9 @@ SMTPD(8)                                                              SMTPD(8)
       Available in Postfix version 2.3 and later:
       <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
-              Attempt to look up the Postfix  SMTP  client  host-
+              Attempt to look up the remote SMTP client hostname,
-              name,  and  verify that the name matches the client
+              and  verify  that  the  name  matches the client IP
-              IP address.
+              address.
       The per SMTP client connection count and request rate lim-
       its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
--- a/postfix/man/man1/postfix.1
+++ b/postfix/man/man1/postfix.1
@ -259,6 +259,14 @@ IBM T.J. Watson Research
 P.O. Box 704
 Yorktown Heights, NY 10598, USA
 TLS support by:
 Lutz Jaenicke
 Brandenburg University of Technology
 Cottbus, Germany
 Victor Duchovni
 Morgan Stanley
 SASL support originally by:
 Till Franke
 SuSE Rhein/Main AG
--- a/postfix/man/man1/postsuper.1
+++ b/postfix/man/man1/postsuper.1
@ -127,13 +127,31 @@ the program reads queue IDs from standard input.
 Specify \fB-r ALL\fR to requeue all messages. As a safety
 measure, the word \fBALL\fR must be specified in upper case.
 .sp
-A requeued message is moved to the \fBmaildrop\fR queue, from
+A requeued message is moved to the \fBmaildrop\fR queue,
-where it is copied by the pickup daemon to a new file whose name
+from where it is copied by the \fBpickup\fR(8) and
-is guaranteed to match the new queue file inode number. The
+\fBcleanup\fR(8) daemons to a new queue file. In many
-new queue file is subjected again to mail address rewriting and
+respects its handling differs from that of a new local
-substitution. This is useful when rewriting rules or virtual
+submission.
-mappings have changed.
+.RS
 .IP \(bu
 The message is not subjected to the smtpd_milters or
 non_smtpd_milters settings.  When mail has passed through
 an external content filter, this would produce incorrect
 results with Milter applications that depend on original
 SMTP connection state information.
 .IP \(bu
 The message is subjected again to mail address rewriting
 and substitution.  This is useful when rewriting rules or
 virtual mappings have changed.
 .sp
 The address rewriting context (local or remote) is the same
 as when the message was received.
 .IP \(bu
 The message is subjected to the same content_filter settings
 (if any) as used for new local mail submissions.  This is
 useful when content_filter settings have changed.
 .RE
 .IP
 Warning: Postfix queue IDs are reused.
 There is a very small possibility that \fBpostsuper\fR(1) requeues
 the wrong message file when it is executed while the Postfix mail
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -1901,11 +1901,6 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).
 .SH lmtp_sasl_auth_enable (default: no)
 Enable SASL authentication in the Postfix LMTP client.
 .SH lmtp_sasl_auth_enforce (default: yes)
 The LMTP-specific version of the smtp_sasl_auth_enforce
 configuration parameter.  See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH lmtp_sasl_mechanism_filter (default: empty)
 The LMTP-specific version of the smtp_sasl_mechanism_filter
 configuration parameter.  See there for details.
@ -4218,13 +4213,6 @@ smtp_sasl_auth_enable = yes
 .fi
 .ad
 .ft R
 .SH smtp_sasl_auth_enforce (default: yes)
 If sender-dependent SASL passwords are turned off, defer mail
 delivery when an SMTP server does not support SASL authentication,
 while smtp_sasl_password_maps contains SASL login/password information
 for that server.
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH smtp_sasl_mechanism_filter (default: empty)
 If non-empty, a Postfix SMTP client filter for the remote SMTP
 server's list of offered SASL mechanisms.  Different client and
@ -5831,7 +5819,7 @@ This list overrides any commands built into the Postfix SMTP server.
 The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the
 null sender address.
 .SH smtpd_peername_lookup (default: yes)
-Attempt to look up the Postfix SMTP client hostname, and verify that
+Attempt to look up the remote SMTP client hostname, and verify that
 the name matches the client IP address. A client name is set to
 "unknown" when it cannot be looked up or verified, or when name
 lookup is disabled.  Turning off name lookup reduces delays due to
@ -6457,6 +6445,37 @@ smtpd_tls_CApath = /etc/postfix/certs
 .ft R
 .PP
 This feature is available in Postfix 2.2 and later.
 .SH smtpd_tls_always_issue_session_ids (default: yes)
 Force the Postfix SMTP server to issue a TLS session id, even
 when TLS session caching is turned off (smtpd_tls_session_cache_database
 is empty). This behavior is compatible with Postfix < 2.3.
 .PP
 With Postfix 2.3 and later the Postfix SMTP server can disable
 session id generation when TLS session caching is turned off. This
 keeps clients from caching sessions that almost certainly cannot
 be re-used.
 .PP
 By default, the Postfix SMTP server always generates TLS session
 ids. This works around a known defect in mail client applications
 such as MS Outlook, and may also prevent interoperability issues
 with other MTAs.
 .PP
 Example:
 .na
 .nf
 .in +4
 .nf
 .na
 .ft C
    smtpd_tls_always_issue_session_ids = no
 .fi
 .ad
 .ft R
 .in -4
 .fi
 .ad
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH smtpd_tls_ask_ccert (default: no)
 Ask a remote SMTP client for a client certificate. This
 information is needed for certificate based mail relaying with,
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@ -262,11 +262,6 @@ If non-empty, a Postfix SMTP client filter for the remote SMTP
 server's list of offered SASL mechanisms.
 .PP
 Available in Postfix version 2.3 and later:
 .IP "\fBsmtp_sasl_auth_enforce (yes)\fR"
 If sender-dependent SASL passwords are turned off, defer mail
 delivery when an SMTP server does not support SASL authentication,
 while smtp_sasl_password_maps contains SASL login/password information
 for that server.
 .IP "\fBsmtp_sender_dependent_authentication (no)\fR"
 Enable sender-dependent authentication in the Postfix SMTP client; this is
 available only with SASL authentication, and disables SMTP connection
@ -327,6 +322,13 @@ Enable additional Postfix SMTP client logging of TLS activity.
 .IP "\fBsmtp_tls_note_starttls_offer (no)\fR"
 Log the hostname of a remote SMTP server that offers STARTTLS,
 when TLS is not already enabled for that server.
 .IP "\fBsmtp_tls_policy_maps (empty)\fR"
 Optional lookup tables with the Postfix SMTP client TLS security
 policy by next-hop destination; when a non-empty value is specified,
 this overrides the obsolete smtp_tls_per_site parameter.
 .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
 List of TLS protocols that the Postfix SMTP client will use
 with mandatory TLS encryption.
 .IP "\fBsmtp_tls_scert_verifydepth (5)\fR"
 The verification depth for remote SMTP server certificates.
 .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR"
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@ -124,6 +124,12 @@ to a remote SMTP client.
 .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR"
 Postpone the start of an SMTP mail transaction until a valid
 RCPT TO command is received.
 .PP
 Available in Postfix version 2.3 and later:
 .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
 Force the Postfix SMTP server to issue a TLS session id, even
 when TLS session caching is turned off (smtpd_tls_session_cache_database
 is empty).
 .SH "ADDRESS REWRITING CONTROLS"
 .na
 .nf
@ -310,6 +316,10 @@ The file with the certificate of the certification authority
 .IP "\fBsmtpd_tls_CAfile (empty)\fR"
 The file with the certificate of the certification authority
 (CA) that issued the Postfix SMTP server certificate.
 .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
 Force the Postfix SMTP server to issue a TLS session id, even
 when TLS session caching is turned off (smtpd_tls_session_cache_database
 is empty).
 .IP "\fBsmtpd_tls_ask_ccert (no)\fR"
 Ask a remote SMTP client for a client certificate.
 .IP "\fBsmtpd_tls_auth_only (no)\fR"
@ -562,7 +572,7 @@ before it is flushed upon receipt of EHLO, RSET, or end of DATA.
 .PP
 Available in Postfix version 2.3 and later:
 .IP "\fBsmtpd_peername_lookup (yes)\fR"
-Attempt to look up the Postfix SMTP client hostname, and verify that
+Attempt to look up the remote SMTP client hostname, and verify that
 the name matches the client IP address.
 .PP
 The per SMTP client connection count and request rate limits are
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -253,7 +253,6 @@ while (<>) {
    s;\blmtp_rcpt_timeout\b;<a href="postconf.5.html#lmtp_rcpt_timeout">$&</a>;g;
    s;\blmtp_rset_timeout\b;<a href="postconf.5.html#lmtp_rset_timeout">$&</a>;g;
    s;\blmtp_sasl_auth_enable\b;<a href="postconf.5.html#lmtp_sasl_auth_enable">$&</a>;g;
    s;\blmtp_sasl_auth_enforce\b;<a href="postconf.5.html#lmtp_sasl_auth_enforce">$&</a>;g;
    s;\blmtp_sasl_password_maps\b;<a href="postconf.5.html#lmtp_sasl_password_maps">$&</a>;g;
    s;\blmtp_sasl_security_options\b;<a href="postconf.5.html#lmtp_sasl_security_options">$&</a>;g;
    s;\blmtp_sasl_type\b;<a href="postconf.5.html#lmtp_sasl_type">$&</a>;g;
@ -526,7 +525,6 @@ while (<>) {
    s;\bsmtp_[-</Bb>]*\n* *[<Bb>]*sasl_[-</Bb>]*\n* *[<Bb>]*tls_[-</Bb>]*\n* *[<Bb>]*secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtp_sasl_tls_security_options">$&</a>;g;
    s;\bsmtp_sasl_tls_verified_secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtp_sasl_tls_verified_security_options">$&</a>;g;
    s;\bsmtp_sasl_type\b;<a href="postconf.5.html#smtp_sasl_type">$&</a>;g;
    s;\bsmtp_sasl_auth_enforce\b;<a href="postconf.5.html#smtp_sasl_auth_enforce">$&</a>;g;
    s;\bsmtp_starttls_timeout\b;<a href="postconf.5.html#smtp_starttls_timeout">$&</a>;g;
    s;\bsmtp_tls_CAfile\b;<a href="postconf.5.html#smtp_tls_CAfile">$&</a>;g;
    s;\bsmtp_tls_CApath\b;<a href="postconf.5.html#smtp_tls_CApath">$&</a>;g;
@ -577,6 +575,7 @@ while (<>) {
    s;\bsmtpd_tls_req_ccert\b;<a href="postconf.5.html#smtpd_tls_req_ccert">$&</a>;g;
    s;\bsmtpd_tls_session_cache_database\b;<a href="postconf.5.html#smtpd_tls_session_cache_database">$&</a>;g;
    s;\bsmtpd_tls_session_cache_timeout\b;<a href="postconf.5.html#smtpd_tls_session_cache_timeout">$&</a>;g;
    s;\bsmtpd_tls_always_issue_session_ids\b;<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">$&</a>;g;
    s;\bsmtpd_tls_wrappermode\b;<a href="postconf.5.html#smtpd_tls_wrappermode">$&</a>;g;
    s;\bsmtpd_use_tls\b;<a href="postconf.5.html#smtpd_use_tls">$&</a>;g;
    s;\btls_daemon_random_bytes\b;<a href="postconf.5.html#tls_daemon_random_bytes">$&</a>;g;
--- a/postfix/proto/DB_README.html
+++ b/postfix/proto/DB_README.html
@ -112,7 +112,7 @@ Berkeley DB versions</a></h2>
 Normally, Postfix builds with the default DB version that ships
 with the system. </p>
-<p> To build Postfix on BSD systems with a specific DB version,
+<p> To build Postfix on BSD systems with a non-default DB version,
 use a variant of the following commands: </p>
 <blockquote>
--- a/postfix/proto/FILTER_README.html
+++ b/postfix/proto/FILTER_README.html
@ -634,12 +634,10 @@ after-filter smtpd process, so that filtered mail is logged with
 the real client name IP address. See smtp(8) and XFORWARD_README
 for more information. </p>
-<li> <p> With "-o disable_mime_output_conversion=yes", the scan
+<li> <p> The "-o disable_mime_output_conversion=yes" is a workaround
-delivery agent will not convert 8BITMIME mail to quoted-printable
+that prevents the breaking of domainkeys and other digital signatures.
-form while delivering to the content filter, as that would invalidate
+This is needed because some SMTP-based content filters don't announce
-domainkeys and other digital signatures.  This workaround is needed
+8BITMIME support, even though they can handle it just fine.  </p>
 because some SMTP-based content filters don't announce 8BITMIME
 support, even though they can handle it just fine.  </p>
 </ul>
--- a/postfix/proto/LINUX_README.html
+++ b/postfix/proto/LINUX_README.html
@ -21,11 +21,20 @@
 <p> Warning: if you can't compile Postfix because the file "db.h"
 isn't found, then you MUST install the Berkeley DB development
-package (package name: db???-devel-???) that comes with your Linux
+package (name: db???-devel-???) that matches your system library.
-system. Only that package contains the files that correspond to the
+You can find out what is installed with the rpm command. For example:
 Berkeley DB version that is used by the system library routines.
 </p>
 <blockquote>
 <pre>
 $ <b>rpm -qf /usr/lib/libdb.so</b>
 db4-4.3.29-2
 </pre>
 </blockquote>
 <p> This means that you need to install db4-devel-4.3.29-2 (on
 some systems, specify <tt>/lib/libdb.so</tt> in the rpm query). </p>
 <p> DO NOT download some Berkeley DB version from the network.
 Every Postfix program will dump core when it is built with a different
 Berkeley DB version than the version that is used by the system
--- a/postfix/proto/MILTER_README.html
+++ b/postfix/proto/MILTER_README.html
@ -228,7 +228,7 @@ library from Sendmail source code instead: </p>
 <blockquote>
 <pre>
 $ <b>gzcat sendmail-<i>x.y.z</i>.tar.gz | tar xf -</b>
-$ <b>cd sendmail-<i>x.y.z</i></b>
+$ <b>cd sendmail-<i>x.y.z</i>/libmilter</b>
 $ <b>make</b>
 [...<i>lots of output omitted</i>...]
 </pre>
@ -521,6 +521,9 @@ href="#workarounds">workarounds</a> section below for solutions.
 <tr> <td> j </td> <td> Always </td> <td> value of myhostname </td>
 </tr>
 <tr> <td> _ </td> <td> Always </td> <td> The validated client name
 and address </td> </tr>
 <tr> <td> {auth_authen} </td> <td> MAIL, DATA, EOM </td> <td> SASL
 login name </td> </tr>
@ -613,9 +616,9 @@ TO </td> </tr>
 <h2><a name="workarounds">Workarounds</a></h2>
 <p> Content filters may break domain key etc. signatures. If you
-use an SMTP-based filter as described in FILTER_README, then you
+use an SMTP-based content filter, then you should add a line to
-should add a line to master.cf with "disable_mime_output_conversion
+master.cf with "-o disable_mime_output_conversion=yes" (note: no
-= yes", as described in the <a
+spaces around the "="), as described in the <a
 href="FILTER_README.html#advanced_filter">advanced content filter</a>
 example. </p>
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@ -127,7 +127,7 @@ in the Postfix top-level directory: </p>
 <blockquote>
 <pre>
-% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
+% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER_TYPE=\"dovecot\"'
 </pre>
 </blockquote>
@ -138,7 +138,7 @@ INSTALL document. </p>
 <ul>
-<li> <p> The "-DDEF_SASL_SERVER" stuff is not necessary; it just
+<li> <p> The "-DDEF_SASL_SERVER_TYPE" stuff is not necessary; it just
 makes Postfix configuration a little more convenient because you
 don't have to specify the SASL plug-in type in the Postfix main.cf
 file.  </p>
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@ -490,8 +490,9 @@ and OE (5.01 Mac on all ports). </p>
 <p> It is strictly discouraged to use this mode from main.cf. If
 you want to support this service, enable a special port in master.cf
-and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
+and specify "-o smtpd_tls_wrappermode=yes" (note: no space around
-line option.  Port 465 (smtps) was once chosen for this feature.
+the "=") as an smtpd(8) command line option.  Port 465 (smtps) was
 once chosen for this feature.
 </p>
 <p> Example: </p>
@ -631,6 +632,22 @@ recommends a maximum of 24 hours.  </p>
 </pre>
 </blockquote>
 <p> When the Postfix SMTP server does not save TLS sessions to an
 external cache database, client-side session caching is unlikely
 to be useful.  To prevent such wastage, the Postfix SMTP server can
 be configured to not issue TLS session ids. By default the Postfix
 SMTP server always issues TLS session ids. This works around known
 interoperability issues with some MUAs, and prevents possible
 interoperability issues with other MTAs. </p>
 <p> Example: </p>
 <blockquote>
 <pre>
    smtpd_tls_always_issue_session_ids = no
 </pre>
 </blockquote>
 <h3><a name="server_access">Server access control</a> </h3>
 <p> Postfix TLS support introduces three additional features for
@ -1822,10 +1839,10 @@ the following information:  </p>
 <dl>
 <dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
-name of the server that the Postfix SMTP client connects to; this name
+name of the server that the Postfix SMTP client connects to; this
-may be obtained from other DNS lookups, such as MX lookups or CNAME
+name may be obtained from other DNS lookups, such as MX lookups or
-lookups. Use of the hostname lookup key is discouraged; always use the
+CNAME lookups. Use of the hostname lookup key is discouraged; always
-next-hop destination instead. </dd>
+use the next-hop destination instead. </dd>
 <dt> next-hop destination </dt> <dd> This is normally the domain portion
 of the recipient address, but it may be overridden by information from
@ -1924,17 +1941,19 @@ steps: </p>
 <ol>
-<li> <p> Use a dedicated transport for all secure-channel deliveries. </p>
+<li> <p> Use a dedicated message delivery transport (for example,
 "securetls") as illustrated below. </p>
 <li> <p> Eliminate MX lookups. Specify local transport(5) table
-entries for sensitive domains with explicit smtp:[<i>mailhost</i>]
+entries for sensitive domains with explicit securetls:[<i>mailhost</i>]
-or smtp:[<i>mailhost</i>]:<i>port</i> destinations (you can assure
+or securetls:[<i>mailhost</i>]:<i>port</i> destinations (you can
-security of this table unlike DNS); in the smtp_tls_per_site
+assure security of this table unlike DNS). This prevents false
-table, specify the value "MUST" for the key [<i>mailhost</i>] or
+hostname information in DNS MX records from changing Postfix's
-smtp:[<i>mailhost</i>]:<i>port</i>. This prevents false hostname
+notion of the server hostname that is used for TLS policy lookup
-information in DNS MX records from changing Postfix's notion of the
+and server certificate verification. The "securetls" transport is
-server hostname that is used for TLS policy lookup and server certificate
+configured to enforce TLS with peername verification, and to disable
-verification. </p>
+the SMTP connection cache which could interfere with enforcement
 of smtp_tls_per_site policies. </p>
 <li> <p> Disallow CNAME hostname overrides. In main.cf, specify
 "smtp_cname_overrides_servername = no". This prevents false hostname
@ -1971,8 +1990,6 @@ destinations. </p>
 /etc/postfix/master.cf:
    securetls unix  -       -       n       -       100     smtp
        -o smtp_connection_cache_on_demand=no
        -o smtp_connection_cache_destinations=
        -o smtp_enforce_tls=yes
        -o smtp_tls_enforce_peername=yes
 </pre>
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -8941,7 +8941,7 @@ process instance while mail is being forwarded.  </p>
 %PARAM smtpd_peername_lookup yes
-<p> Attempt to look up the Postfix SMTP client hostname, and verify that
+<p> Attempt to look up the remote SMTP client hostname, and verify that
 the name matches the client IP address. A client name is set to
 "unknown" when it cannot be looked up or verified, or when name
 lookup is disabled.  Turning off name lookup reduces delays due to
@ -10367,22 +10367,6 @@ configuration parameter.  See there for details. </p>
 <p> This feature is available in Postfix 2.3 and later. </p>
 %PARAM smtp_sasl_auth_enforce   yes
 <p> If sender-dependent SASL passwords are turned off, defer mail
 delivery when an SMTP server does not support SASL authentication,
 while smtp_sasl_password_maps contains SASL login/password information
 for that server.  </p>
 <p> This feature is available in Postfix 2.3 and later. </p>
 %PARAM lmtp_sasl_auth_enforce   yes
 <p> The LMTP-specific version of the smtp_sasl_auth_enforce
 configuration parameter.  See there for details. </p>
 <p> This feature is available in Postfix 2.3 and later. </p>
 %PARAM smtpd_tls_security_level
 <p> The SMTP TLS security level for the Postfix SMTP server; when
@ -10444,3 +10428,29 @@ notifications by the smtp(8) and smtpd(8) processes. </dd>
 Postfix-generated email messages. The user is warned. </p>
 <p> This feature is available in Postfix 2.3 and later. </p>
 %PARAM smtpd_tls_always_issue_session_ids yes
 <p> Force the Postfix SMTP server to issue a TLS session id, even
 when TLS session caching is turned off (smtpd_tls_session_cache_database
 is empty). This behavior is compatible with Postfix &lt; 2.3. </p>
 <p> With Postfix 2.3 and later the Postfix SMTP server can disable
 session id generation when TLS session caching is turned off. This
 keeps clients from caching sessions that almost certainly cannot
 be re-used.  </p>
 <p> By default, the Postfix SMTP server always generates TLS session
 ids. This works around a known defect in mail client applications
 such as MS Outlook, and may also prevent interoperability issues
 with other MTAs. </p>
 <p> Example: </p>
 <blockquote>
 <pre>
    smtpd_tls_always_issue_session_ids = no
 </pre>
 </blockquote>
 <p> This feature is available in Postfix 2.3 and later. </p>
--- a/postfix/src/cleanup/cleanup.h
+++ b/postfix/src/cleanup/cleanup.h
@ -91,7 +91,10 @@ typedef struct CLEANUP_STATE {
 #endif
    MILTERS *milters;			/* mail filters */
    const char *client_name;		/* real or ersatz client */
    const char *reverse_name;		/* real or ersatz client */
    const char *client_addr;		/* real or ersatz client */
    int     client_af;			/* real or ersatz client */
    const char *client_port;		/* real or ersatz client */
 } CLEANUP_STATE;
 /*
--- a/postfix/src/cleanup/cleanup_milter.c
+++ b/postfix/src/cleanup/cleanup_milter.c
@ -779,6 +779,10 @@ static const char *cleanup_upd_header(void *context, ssize_t index,
     * The lookup result will never be a pointer record.
     * 
     * Index 1 is the first matching header instance.
     * 
     * XXX When a header is updated repeatedly we create jumps to jumps. To
     * eliminate this, rewrite the loop below so that we can start with the
     * pointer record that points to the header that's being edited.
     */
 #define DONT_SAVE_RECORD	0
 #define NO_PTR_BACKUP		0
@ -826,7 +830,8 @@ static const char *cleanup_upd_header(void *context, ssize_t index,
 		    avail_space += read_offset - saved_read_offset;
 		    jumped = 1;
 		}
-		if (rec_goto(state->dst, STR(rec_buf)) < 0) {
+		if (rec_goto(state->dst, STR(rec_buf)) < 0
 		    || (read_offset = vstream_ftell(state->dst)) < 0) {
 		    msg_warn("%s: read file %s: %m", myname, cleanup_path);
 		    CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state,
 								   errno));
@ -1215,12 +1220,21 @@ static const char *cleanup_milter_eval(const char *name, void *ptr)
    /*
     * Connect macros.
     */
    if (strcmp(name, S8_MAC__) == 0) {
 	vstring_sprintf(state->temp1, "%s [%s]",
 			state->reverse_name, state->client_addr);
 	if (strcasecmp(state->client_name, state->reverse_name) != 0)
 	    vstring_strcat(state->temp1, " (may be forged)");
 	return (STR(state->temp1));
    }
    if (strcmp(name, S8_MAC_J) == 0)
 	return (var_myhostname);
    if (strcmp(name, S8_MAC_CLIENT_ADDR) == 0)
-	return (nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR));
+	return (state->client_addr);
    if (strcmp(name, S8_MAC_CLIENT_NAME) == 0)
-	return (nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME));
+	return (state->client_name);
    if (strcmp(name, S8_MAC_CLIENT_PTR) == 0)
 	return (state->reverse_name);
    /*
     * MAIL FROM macros.
@ -1277,6 +1291,12 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *event,
    if (msg_verbose)
 	msg_info("%s: %s", myname, resp);
    /*
     * Sanity check.
     */
    if (state->client_name == 0)
 	msg_panic("%s: missing client info initialization", myname);
    /*
     * We don't report errors that were already reported by the content
     * editing call-back routines. See cleanup_milter_error() above.
@ -1354,6 +1374,38 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *event,
    return (ret);
 }
 /* cleanup_milter_client_init - initialize real or ersatz client info */
 static void cleanup_milter_client_init(CLEANUP_STATE *state)
 {
    const char *proto_attr;
    /*
     * Either the cleanup client specifies a name, address and protocol, or
     * we have a local submission and pretend localhost/127.0.0.1/AF_INET.
     */
 #define NO_CLIENT_PORT	"0"
    state->client_name = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME);
    state->reverse_name =
 	nvtable_find(state->attr, MAIL_ATTR_ACT_REVERSE_CLIENT_NAME);
    state->client_addr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR);
    state->client_port = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_PORT);
    proto_attr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_AF);
    if (state->client_name == 0 || state->client_addr == 0 || proto_attr == 0
 	|| !alldig(proto_attr)) {
 	state->client_name = "localhost";
 	state->client_addr = "127.0.0.1";
 	state->client_af = AF_INET;
    } else
 	state->client_af = atoi(proto_attr);
    if (state->reverse_name == 0)
 	state->reverse_name = state->client_name;
    if (state->client_port == 0)
 	state->client_port = NO_CLIENT_PORT;
 }
 /* cleanup_milter_inspect - run message through mail filter */
 void    cleanup_milter_inspect(CLEANUP_STATE *state, MILTERS *milters)
@ -1364,6 +1416,12 @@ void    cleanup_milter_inspect(CLEANUP_STATE *state, MILTERS *milters)
    if (msg_verbose)
 	msg_info("enter %s", myname);
    /*
     * Initialize, in case we're called via smtpd(8).
     */
    if (state->client_name == 0)
 	cleanup_milter_client_init(state);
    /*
     * Process mail filter replies. The reply format is verified by the mail
     * filter library.
@ -1382,9 +1440,6 @@ void    cleanup_milter_emul_mail(CLEANUP_STATE *state,
 				         const char *addr)
 {
    const char *resp;
    const char *proto_attr;
    const char *client_port;
    int     client_af;
    const char *helo;
    const char *argv[2];
@ -1397,33 +1452,14 @@ void    cleanup_milter_emul_mail(CLEANUP_STATE *state,
 			 cleanup_ins_header, cleanup_del_header,
 			 cleanup_add_rcpt, cleanup_del_rcpt,
 			 cleanup_repl_body, (void *) state);
-
+    if (state->client_name == 0)
-    /*
+	cleanup_milter_client_init(state);
     * Either the cleanup client specifies a name, address and protocol, or
     * we have a local submission and pretend localhost/127.0.0.1/AF_INET.
     */
 #define NO_CLIENT_PORT	"0"
    state->client_name = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME);
    state->client_addr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR);
    client_port = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_PORT);
    proto_attr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_AF);
    if (state->client_name == 0 || state->client_addr == 0 || proto_attr == 0
 	|| !alldig(proto_attr)) {
 	state->client_name = "localhost";
 	state->client_addr = "127.0.0.1";
 	client_af = AF_INET;
    } else
 	client_af = atoi(proto_attr);
    if (client_port == 0)
 	client_port = NO_CLIENT_PORT;
    /*
     * Emulate SMTP events.
     */
    if ((resp = milter_conn_event(milters, state->client_name, state->client_addr,
-				  client_port, client_af)) != 0) {
+			      state->client_port, state->client_af)) != 0) {
 	cleanup_milter_apply(state, "CONNECT", resp);
 	return;
    }
@ -1453,9 +1489,16 @@ void    cleanup_milter_emul_rcpt(CLEANUP_STATE *state,
 				         MILTERS *milters,
 				         const char *addr)
 {
    const char *myname = "cleanup_milter_emul_rcpt";
    const char *resp;
    const char *argv[2];
    /*
     * Sanity check.
     */
    if (state->client_name == 0)
 	msg_panic("%s: missing client info initialization", myname);
    /*
     * CLEANUP_STAT_CONT and CLEANUP_STAT_DEFER both update the reason
     * attribute, but CLEANUP_STAT_DEFER takes precedence. It terminates
@ -1479,8 +1522,15 @@ void    cleanup_milter_emul_rcpt(CLEANUP_STATE *state,
 void    cleanup_milter_emul_data(CLEANUP_STATE *state, MILTERS *milters)
 {
    const char *myname = "cleanup_milter_emul_data";
    const char *resp;
    /*
     * Sanity check.
     */
    if (state->client_name == 0)
 	msg_panic("%s: missing client info initialization", myname);
    if ((resp = milter_data_event(milters)) != 0)
 	cleanup_milter_apply(state, "DATA", resp);
 }
@ -1716,7 +1766,7 @@ int     main(int unused_argc, char **argv)
 		msg_warn("bad add_header argument count: %d", argv->argc);
 	    } else {
 		flatten_args(arg_buf, argv->argv + 2);
-		cleanup_add_header(state, argv->argv[2], STR(arg_buf));
+		cleanup_add_header(state, argv->argv[1], STR(arg_buf));
 	    }
 	} else if (strcmp(argv->argv[0], "ins_header") == 0) {
 	    if (argv->argc < 3) {
--- a/postfix/src/cleanup/cleanup_milter.in1
+++ b/postfix/src/cleanup/cleanup_milter.in1
@ -9,4 +9,6 @@ ins_header 2 X-Test-Header test header value 2
 del_header 2 X-Test-Header
 ins_header 3 X-Test-Header test header value 3
 upd_header 1 X X-replaced-header replacement header text
 upd_header 1 X X-replaced-header replacement header text
 upd_header 1 X X-replaced-header replacement header text
 close
--- a/postfix/src/cleanup/cleanup_milter.ref1
+++ b/postfix/src/cleanup/cleanup_milter.ref1
@ -38,8 +38,10 @@
     1353 pointer_record:            1193
     1193 deleted_text: X-Test-Header: test header value 1
     1229 pointer_record:            1370
-     1370 regular_text: X: X-replaced-header replacement header text
+     1370 pointer_record:            1433
-     1416 pointer_record:             881
+     1433 pointer_record:            1496
     1496 regular_text: X: X-replaced-header replacement header text
     1542 pointer_record:             881
      881 regular_text: Y: 1234567
      893 regular_text: Message-Id: <20060514010427.E0F703D1E36@tail.porcupine.org>
      954 regular_text: Date: Sat, 13 May 2006 21:04:18 -0400 (EDT)
--- a/postfix/src/cleanup/cleanup_state.c
+++ b/postfix/src/cleanup/cleanup_state.c
@ -109,7 +109,10 @@ CLEANUP_STATE *cleanup_state_alloc(VSTREAM *src)
    state->verp_delims = 0;
    state->milters = 0;
    state->client_name = 0;
    state->reverse_name = 0;
    state->client_addr = 0;
    state->client_af = 0;
    state->client_port = 0;
    return (state);
 }
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@ -1183,6 +1183,10 @@ extern char *var_smtpd_tls_scache_db;
 #define DEF_SMTPD_TLS_SCACHTIME	"3600s"
 extern int var_smtpd_tls_scache_timeout;
 #define VAR_SMTPD_TLS_SET_SESSID	"smtpd_tls_always_issue_session_ids"
 #define DEF_SMTPD_TLS_SET_SESSID	1
 extern bool var_smtpd_tls_set_sessid;
 #define VAR_SMTPD_DELAY_OPEN	"smtpd_delay_open_until_valid_rcpt"
 #define DEF_SMTPD_DELAY_OPEN	1
 extern bool var_smtpd_delay_open;
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20060711"
+#define MAIL_RELEASE_DATE	"20060724"
-#define MAIL_VERSION_NUMBER	"2.3.0"
+#define MAIL_VERSION_NUMBER	"2.3.1"
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- a/postfix/src/milter/milter8.c
+++ b/postfix/src/milter/milter8.c
@ -488,7 +488,7 @@ static void milter8_close_stream(MILTER8 *milter)
 /* milter8_read_resp - receive command code now, receive data later */
 static int milter8_read_resp(MILTER8 *milter, int event, unsigned char *command,
-			            ssize_t *data_len)
+			             ssize_t *data_len)
 {
    UINT32_TYPE len;
    ssize_t pkt_len;
@ -963,6 +963,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 #define IN_CONNECT_EVENT(e) ((e) == SMFIC_CONNECT || (e) == SMFIC_HELO)
    for (;;) {
 	char   *cp;
 	char   *rp;
 	char    ch;
 	if (milter8_read_resp(milter, event, &cmd, &data_size) != 0)
 	    return (milter->def_reply);
 	if (msg_verbose)
@ -1081,6 +1085,11 @@ static const char *milter8_event(MILTER8 *milter, int event,
 	     * Decision: "ddd d.d+.d+ text". This decision is final (i.e.
 	     * Sendmail 8 changes receiver state). Note: the reply may be in
 	     * multi-line SMTP format.
 	     * 
 	     * XXX Sendmail compatibility: sendmail 8 uses the reply as a format
 	     * string; therefore any '%' characters in the reply are doubled.
 	     * Postfix doesn't use replies as format strings; we replace '%%'
 	     * by '%', and remove single (i.e. invalid) '%' characters.
 	     */
 	case SMFIR_REPLYCODE:
 	    if (milter8_read_data(milter, data_size,
@ -1097,6 +1106,15 @@ static const char *milter8_event(MILTER8 *milter, int event,
 		milter8_conf_error(milter);
 		return (milter->def_reply);
 	    }
 	    if ((rp = cp = strchr(STR(milter->buf), '%')) != 0) {
 		for (;;) {
 		    if ((ch = *cp++) == '%')
 			ch = *cp++;
 		    *rp++ = ch;
 		    if (ch == 0)
 			break;
 		}
 	    }
 	    if (IN_CONNECT_EVENT(event)) {
 #ifdef LIBMILTER_AUTO_DISCONNECT
 		milter8_close_stream(milter);
--- a/postfix/src/milter/test-list
+++ b/postfix/src/milter/test-list
@ -1,3 +1,13 @@
 # Reject with text 
 ./test-milter -C 1 -a "554 5.7.1 1% 2%% 3%%%" -c connect -p inet:9999@127.0.0.1
 ./test-milter -C 1 -a "554 5.7.1 1% 2%% 3%%%" -c helo -p inet:9999@127.0.0.1
 ./test-milter -C 1 -a "554 5.7.1 1% 2%% 3%%%" -c mail -p inet:9999@127.0.0.1
 ./test-milter -C 1 -a "554 5.7.1 1% 2%% 3%%%" -c rcpt -p inet:9999@127.0.0.1
 ./test-milter -C 1 -a "554 5.7.1 1% 2%% 3%%%" -c header -p inet:9999@127.0.0.1
 ./test-milter -C 1 -a "554 5.7.1 1% 2%% 3%%%" -c eoh -p inet:9999@127.0.0.1
 ./test-milter -C 1 -a "554 5.7.1 1% 2%% 3%%%" -c body -p inet:9999@127.0.0.1
 ./test-milter -C 1 -a "554 5.7.1 1% 2%% 3%%%" -c eom -p inet:9999@127.0.0.1
 # Tempfail tests
 ./test-milter -C 1 -a tempfail -c connect -p inet:9999@127.0.0.1
 ./test-milter -C 1 -a tempfail -c helo -p inet:9999@127.0.0.1
--- a/postfix/src/milter/test-milter.c
+++ b/postfix/src/milter/test-milter.c
@ -96,17 +96,23 @@ static char *reply_code;
 static char *reply_dsn;
 static char *reply_message;
 #ifdef SMFIR_INSHEADER
 static char *ins_hdr;
 static int ins_idx;
 static char *ins_val;
 #endif
 #ifdef SMFIR_CHGHEADER
 static char *chg_hdr;
 static int chg_idx;
 static char *chg_val;
 #endif
 static int test_reply(SMFICTX *ctx, int code)
 {
-    (void) fflush(stdout);			/* In case output redirected. */
+    (void) fflush(stdout);		/* In case output redirected. */
    if (code == SMFIR_REPLYCODE) {
 	if (smfi_setreply(ctx, reply_code, reply_dsn, reply_message) != MI_SUCCESS)
@ -214,10 +220,14 @@ static sfsistat test_body(SMFICTX *ctx, unsigned char *data, size_t data_len)
 static sfsistat test_eom(SMFICTX *ctx)
 {
    printf("test_eom\n");
 #ifdef SMFIR_INSHEADER
    if (ins_hdr && smfi_insheader(ctx, ins_idx, ins_hdr, ins_val) == MI_FAILURE)
 	fprintf(stderr, "smfi_insheader failed");
 #endif
 #ifdef SMFIR_CHGHEADER
    if (chg_hdr && smfi_chgheader(ctx, chg_hdr, chg_idx, chg_val) == MI_FAILURE)
 	fprintf(stderr, "smfi_chgheader failed");
 #endif
    return (test_reply(ctx, test_eom_reply));
 }
@ -319,11 +329,16 @@ int     main(int argc, char **argv)
 	    }
 	    break;
 	case 'i':
 #ifdef SMFIR_INSHEADER
 	    if (ins_hdr) {
 		fprintf(stderr, "too many -i options\n");
 		exit(1);
 	    }
 	    parse_hdr_info(optarg, &ins_idx, &ins_hdr, &ins_val);
 #else
 	    fprintf(stderr, "no libmilter support to insert header\n");
 	    exit(1);
 #endif
 	    break;
 	case 'p':
 	    if (smfi_setconn(optarg) == MI_FAILURE) {
@ -332,11 +347,16 @@ int     main(int argc, char **argv)
 	    }
 	    break;
 	case 'r':
 #ifdef SMFIR_CHGHEADER
 	    if (chg_hdr) {
 		fprintf(stderr, "too many -r options\n");
 		exit(1);
 	    }
 	    parse_hdr_info(optarg, &chg_idx, &chg_hdr, &chg_val);
 #else
 	    fprintf(stderr, "no libmilter support to change header\n");
 	    exit(1);
 #endif
 	    break;
 	case 'v':
 	    verbose++;
--- a/postfix/src/pickup/pickup.c
+++ b/postfix/src/pickup/pickup.c
@ -221,9 +221,7 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
     * mail system against unreasonable inputs. This also requires that we
     * limit the size of envelope records written by the local posting agent.
     * 
-     * Allow attribute records if the queue file is owned by the mail system
+     * Records with named attributes are filtered by postdrop(1).
     * (postsuper -r) or if the attribute specifies the MIME body type
     * (sendmail -B).
     * 
     * We must allow PTR records here because of "postsuper -r".
     */
@ -249,6 +247,8 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
 	/*
 	 * XXX Workaround: REC_TYPE_FILT (used in envelopes) == REC_TYPE_CONT
 	 * (used in message content).
 	 * 
 	 * As documented in postsuper(1), ignore content filter record.
 	 */
 	if (*expected != REC_TYPE_CONTENT[0]) {
 	    if (type == REC_TYPE_FILT)
@ -322,7 +322,7 @@ static int pickup_copy(VSTREAM *qfile, VSTREAM *cleanup,
    }
    /*
-     * Add content inspection transport.
+     * Add content inspection transport. See also postsuper(1).
     */
    if (*var_filter_xport)
 	rec_fprintf(cleanup, REC_TYPE_FILT, "%s", var_filter_xport);
@ -344,7 +344,10 @@ static int pickup_copy(VSTREAM *qfile, VSTREAM *cleanup,
     * For messages belonging to $mail_owner also log the maildrop queue id.
     * This supports message tracking for mail requeued via "postsuper -r".
     */
-    if (info->st.st_uid == var_owner_uid) {
+#define MAIL_IS_REQUEUED(info) \
    ((info)->st.st_uid == var_owner_uid && ((info)->st.st_mode & S_IROTH) == 0)
    if (MAIL_IS_REQUEUED(info)) {
 	msg_info("%s: uid=%d from=<%s> orig_id=%s", info->id,
 		 (int) info->st.st_uid, info->sender,
 		 ((name = strrchr(info->path, '/')) != 0 ?
@ -442,6 +445,13 @@ static int pickup_file(PICKUP_INFO *info)
     * bounces its copy of the message. because the original input file is
     * not readable by the bounce service.
     * 
     * If mail is re-injected with "postsuper -r", disable Milter applications.
     * If they were run before the mail was queued then there is no need to
     * run them again. Moreover, the queue file does not contain enough
     * information to reproduce the exact same SMTP events and Sendmail
     * macros that Milters received when the mail originally arrived in
     * Postfix.
     * 
     * The actual message copying code is in a separate routine, so that it is
     * easier to implement the many possible error exits without forgetting
     * to close files, or to release memory.
@ -449,6 +459,9 @@ static int pickup_file(PICKUP_INFO *info)
    cleanup_flags =
 	input_transp_cleanup(CLEANUP_FLAG_BOUNCE | CLEANUP_FLAG_MASK_EXTERNAL,
 			     pickup_input_transp_mask);
    /* As documented in postsuper(1). */
    if (MAIL_IS_REQUEUED(info))
 	cleanup_flags &= ~CLEANUP_FLAG_MILTER;
    cleanup = mail_connect_wait(MAIL_CLASS_PUBLIC, var_cleanup_service);
    if (attr_scan(cleanup, ATTR_FLAG_STRICT,
--- a/postfix/src/postfix/postfix.c
+++ b/postfix/src/postfix/postfix.c
@ -239,6 +239,14 @@
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
 /*
 /*	TLS support by:
 /*	Lutz Jaenicke
 /*	Brandenburg University of Technology
 /*	Cottbus, Germany
 /*
 /*	Victor Duchovni
 /*	Morgan Stanley
 /*
 /*	SASL support originally by:
 /*	Till Franke
 /*	SuSE Rhein/Main AG
--- a/postfix/src/postsuper/postsuper.c
+++ b/postfix/src/postsuper/postsuper.c
@ -121,13 +121,31 @@
 /*	Specify \fB-r ALL\fR to requeue all messages. As a safety
 /*	measure, the word \fBALL\fR must be specified in upper case.
 /* .sp
-/*	A requeued message is moved to the \fBmaildrop\fR queue, from
+/*	A requeued message is moved to the \fBmaildrop\fR queue,
-/*	where it is copied by the pickup daemon to a new file whose name
+/*	from where it is copied by the \fBpickup\fR(8) and
-/*	is guaranteed to match the new queue file inode number. The
+/*	\fBcleanup\fR(8) daemons to a new queue file. In many
-/*	new queue file is subjected again to mail address rewriting and
+/*	respects its handling differs from that of a new local
-/*	substitution. This is useful when rewriting rules or virtual
+/*	submission.
-/*	mappings have changed.
+/* .RS
 /* .IP \(bu
 /*	The message is not subjected to the smtpd_milters or
 /*	non_smtpd_milters settings.  When mail has passed through
 /*	an external content filter, this would produce incorrect
 /*	results with Milter applications that depend on original
 /*	SMTP connection state information.
 /* .IP \(bu
 /*	The message is subjected again to mail address rewriting
 /*	and substitution.  This is useful when rewriting rules or
 /*	virtual mappings have changed.
 /* .sp
 /*	The address rewriting context (local or remote) is the same
 /*	as when the message was received.
 /* .IP \(bu
 /*	The message is subjected to the same content_filter settings
 /*	(if any) as used for new local mail submissions.  This is
 /*	useful when content_filter settings have changed.
 /* .RE
 /* .IP
 /*	Warning: Postfix queue IDs are reused.
 /*	There is a very small possibility that \fBpostsuper\fR(1) requeues
 /*	the wrong message file when it is executed while the Postfix mail
--- a/postfix/src/smtp/lmtp_params.c
+++ b/postfix/src/smtp/lmtp_params.c
@ -95,6 +95,5 @@
 #endif
 	VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth,
 	VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,
 	VAR_LMTP_SASL_ENFORCE, DEF_LMTP_SASL_ENFORCE, &var_smtp_sasl_enforce,
 	0,
    };
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@ -234,11 +234,6 @@
 /*	server's list of offered SASL mechanisms.
 /* .PP
 /*	Available in Postfix version 2.3 and later:
 /* .IP "\fBsmtp_sasl_auth_enforce (yes)\fR"
 /*	If sender-dependent SASL passwords are turned off, defer mail
 /*	delivery when an SMTP server does not support SASL authentication,
 /*	while smtp_sasl_password_maps contains SASL login/password information
 /*	for that server.
 /* .IP "\fBsmtp_sender_dependent_authentication (no)\fR"
 /*	Enable sender-dependent authentication in the Postfix SMTP client; this is
 /*	available only with SASL authentication, and disables SMTP connection
@ -297,6 +292,13 @@
 /* .IP "\fBsmtp_tls_note_starttls_offer (no)\fR"
 /*	Log the hostname of a remote SMTP server that offers STARTTLS,
 /*	when TLS is not already enabled for that server.
 /* .IP "\fBsmtp_tls_policy_maps (empty)\fR"
 /*	Optional lookup tables with the Postfix SMTP client TLS security
 /*	policy by next-hop destination; when a non-empty value is specified,
 /*	this overrides the obsolete smtp_tls_per_site parameter.
 /* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
 /*	List of TLS protocols that the Postfix SMTP client will use
 /*	with mandatory TLS encryption.
 /* .IP "\fBsmtp_tls_scert_verifydepth (5)\fR"
 /*	The verification depth for remote SMTP server certificates.
 /* .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR"
@ -697,7 +699,6 @@ bool    var_smtp_sender_auth;
 char   *var_lmtp_tcp_port;
 int     var_scache_proto_tmout;
 bool    var_smtp_cname_overr;
 bool    var_smtp_sasl_enforce;
 /*
  * Global variables.
--- a/postfix/src/smtp/smtp_params.c
+++ b/postfix/src/smtp/smtp_params.c
@ -99,6 +99,5 @@
 #endif
 	VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
 	VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
 	VAR_SMTP_SASL_ENFORCE, DEF_SMTP_SASL_ENFORCE, &var_smtp_sasl_enforce,
 	0,
    };
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@ -359,7 +359,6 @@ int     smtp_helo(SMTP_STATE *state)
 				       "host %s refused to talk to me: %s",
 				       session->namaddr,
 				       translit(resp->str, "\n", " ")));
 	    return (0);
 	}
    } else {
 	where = "performing the LHLO handshake";
@ -372,93 +371,106 @@ int     smtp_helo(SMTP_STATE *state)
    }
    /*
-     * Determine what server EHLO keywords to ignore, typically to avoid
+     * No early returns allowed, to ensure consistent handling of TLS and
-     * inter-operability problems.
+     * SASL policies.
     */
-    if (smtp_ehlo_dis_maps == 0
+    if (session->features & SMTP_FEATURE_ESMTP) {
 	|| (ehlo_words = maps_find(smtp_ehlo_dis_maps, state->session->addr, 0)) == 0)
 	ehlo_words = var_smtp_ehlo_dis_words;
    discard_mask = ehlo_mask(ehlo_words);
    if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
 	msg_info("discarding EHLO keywords: %s", str_ehlo_mask(discard_mask));
-    /*
+	/*
-     * Pick up some useful features offered by the SMTP server. XXX Until we
+	 * Determine what server EHLO keywords to ignore, typically to avoid
-     * have a portable routine to convert from string to off_t with proper
+	 * inter-operability problems.
-     * overflow detection, ignore the message size limit advertised by the
+	 */
-     * SMTP server. Otherwise, we might do the wrong thing when the server
+	if (smtp_ehlo_dis_maps == 0
-     * advertises a really huge message size limit.
+	    || (ehlo_words = maps_find(smtp_ehlo_dis_maps,
-     * 
+				       state->session->addr, 0)) == 0)
-     * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", because
+	    ehlo_words = var_smtp_ehlo_dis_words;
-     * MicroSoft implemented AUTH based on an old draft.
+	discard_mask = ehlo_mask(ehlo_words);
-     */
+	if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
-    lines = resp->str;
+	    msg_info("discarding EHLO keywords: %s",
-    for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) {
+		     str_ehlo_mask(discard_mask));
 	if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t=")) != 0) {
 	    if (n == 0) {
 		if (session->helo != 0)
 		    myfree(session->helo);
-		/*
+	/*
-		 * XXX: Keep the original case: we don't expect a single SMTP
+	 * Pick up some useful features offered by the SMTP server. XXX Until
-		 * server to randomly change the case of its helo response.
+	 * we have a portable routine to convert from string to off_t with
-		 * If different capitalization is detected, we should assume
+	 * proper overflow detection, ignore the message size limit
-		 * disjoint TLS caches.
+	 * advertised by the SMTP server. Otherwise, we might do the wrong
-		 */
+	 * thing when the server advertises a really huge message size limit.
-		session->helo = mystrdup(word);
+	 * 
-		if (strcasecmp(word, var_myhostname) == 0
+	 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...",
-		 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) {
+	 * because MicroSoft implemented AUTH based on an old draft.
-		    msg_warn("host %s replied to HELO/EHLO with my own hostname %s",
+	 */
-			     session->namaddrport, var_myhostname);
+	lines = resp->str;
-		    if (session->features & SMTP_FEATURE_BEST_MX)
+	for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) {
-			return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
+	    if (mystrtok(&words, "- ")
 		&& (word = mystrtok(&words, " \t=")) != 0) {
 		if (n == 0) {
 		    if (session->helo != 0)
 			myfree(session->helo);
 		    /*
 		     * XXX: Keep the original case: we don't expect a single
 		     * SMTP server to randomly change the case of its helo
 		     * response. If different capitalization is detected, we
 		     * should assume disjoint TLS caches.
 		     */
 		    session->helo = mystrdup(word);
 		    if (strcasecmp(word, var_myhostname) == 0
 			&& (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) {
 			msg_warn("host %s replied to HELO/EHLO"
 				 " with my own hostname %s",
 				 session->namaddrport, var_myhostname);
 			if (session->features & SMTP_FEATURE_BEST_MX)
 			    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
 					     SMTP_RESP_FAKE(&fake, "5.4.6"),
 					 "mail for %s loops back to myself",
-					       request->nexthop));
+						   request->nexthop));
-		    else
+			else
-			return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
+			    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
 					     SMTP_RESP_FAKE(&fake, "4.4.6"),
 					 "mail for %s loops back to myself",
-					       request->nexthop));
+						   request->nexthop));
-		}
+		    }
-	    } else if (strcasecmp(word, "8BITMIME") == 0) {
+		} else if (strcasecmp(word, "8BITMIME") == 0) {
-		if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
+		    if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
-		    session->features |= SMTP_FEATURE_8BITMIME;
+			session->features |= SMTP_FEATURE_8BITMIME;
-	    } else if (strcasecmp(word, "PIPELINING") == 0) {
+		} else if (strcasecmp(word, "PIPELINING") == 0) {
-		if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
+		    if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
-		    session->features |= SMTP_FEATURE_PIPELINING;
+			session->features |= SMTP_FEATURE_PIPELINING;
-	    } else if (strcasecmp(word, "XFORWARD") == 0) {
+		} else if (strcasecmp(word, "XFORWARD") == 0) {
-		if ((discard_mask & EHLO_MASK_XFORWARD) == 0)
+		    if ((discard_mask & EHLO_MASK_XFORWARD) == 0)
-		    while ((word = mystrtok(&words, " \t")) != 0)
+			while ((word = mystrtok(&words, " \t")) != 0)
-			session->features |= name_code(xforward_features,
+			    session->features |=
-						 NAME_CODE_FLAG_NONE, word);
+				name_code(xforward_features,
-	    } else if (strcasecmp(word, "SIZE") == 0) {
+					  NAME_CODE_FLAG_NONE, word);
-		if ((discard_mask & EHLO_MASK_SIZE) == 0) {
+		} else if (strcasecmp(word, "SIZE") == 0) {
-		    session->features |= SMTP_FEATURE_SIZE;
+		    if ((discard_mask & EHLO_MASK_SIZE) == 0) {
-		    if ((word = mystrtok(&words, " \t")) != 0) {
+			session->features |= SMTP_FEATURE_SIZE;
-			if (!alldig(word))
+			if ((word = mystrtok(&words, " \t")) != 0) {
-			    msg_warn("bad EHLO SIZE limit \"%s\" from %s",
+			    if (!alldig(word))
-				     word, session->namaddrport);
+				msg_warn("bad EHLO SIZE limit \"%s\" from %s",
-			else
+					 word, session->namaddrport);
-			    session->size_limit = off_cvt_string(word);
+			    else
 				session->size_limit = off_cvt_string(word);
 			}
 		    }
 		}
 #ifdef USE_TLS
-	    } else if (strcasecmp(word, "STARTTLS") == 0) {
+		} else if (strcasecmp(word, "STARTTLS") == 0) {
-		/* Ignored later if we already sent STARTTLS. */
+		    /* Ignored later if we already sent STARTTLS. */
-		if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
+		    if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
-		    session->features |= SMTP_FEATURE_STARTTLS;
+			session->features |= SMTP_FEATURE_STARTTLS;
 #endif
 #ifdef USE_SASL_AUTH
-	    } else if (var_smtp_sasl_enable && strcasecmp(word, "AUTH") == 0) {
+		} else if (var_smtp_sasl_enable
-		if ((discard_mask & EHLO_MASK_AUTH) == 0)
+			   && strcasecmp(word, "AUTH") == 0) {
-		    smtp_sasl_helo_auth(session, words);
+		    if ((discard_mask & EHLO_MASK_AUTH) == 0)
 			smtp_sasl_helo_auth(session, words);
 #endif
-	    } else if (strcasecmp(word, "DSN") == 0) {
+		} else if (strcasecmp(word, "DSN") == 0) {
-		if ((discard_mask & EHLO_MASK_DSN) == 0)
+		    if ((discard_mask & EHLO_MASK_DSN) == 0)
-		    session->features |= SMTP_FEATURE_DSN;
+			session->features |= SMTP_FEATURE_DSN;
 		}
 		n++;
 	    }
 	    n++;
 	}
    }
    if (msg_verbose)
@ -600,16 +612,6 @@ int     smtp_helo(SMTP_STATE *state)
 #ifdef USE_SASL_AUTH
    if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH))
 	return (smtp_sasl_helo_login(state));
    else if (var_smtp_sasl_enable
 	     && *var_smtp_sasl_passwd
 	     && !var_smtp_sender_auth
 	     && var_smtp_sasl_enforce
 	     && smtp_sasl_passwd_lookup(session) != 0)
 	return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
 			       SMTP_RESP_FAKE(&fake, "4.7.0"),
 			       "SASL login/password exists, but host %s "
 			       "does not announce SASL authentication support",
 			       session->namaddr));
 #endif
    return (0);
@ -744,11 +746,22 @@ static int smtp_start_tls(SMTP_STATE *state)
 	DONT_USE_DEAD_SESSION;
 	/*
-	 * If TLS is optional, try again, this time without TLS.
+	 * If TLS is optional, try delivery to the same server over a
-	 * Specifically, this session is not final, don't defer any
+	 * plaintext connection. Otherwise we would defer mail forever with
-	 * recipients yet.
+	 * destinations that have no alternate MX host.
 	 * 
 	 * Don't fall back to plaintext if we were willing to use SASL-over-TLS
 	 * authentication. If the server doesn't announce SASL support over
 	 * plaintext connections, then we don't want delivery to fail with
 	 * "relay access denied".
 	 */
-	if (session->tls_level == TLS_LEV_MAY)
+	if (session->tls_level == TLS_LEV_MAY
 #ifdef USE_SASL_AUTH
 	    && !(var_smtp_sasl_enable
 		 && *var_smtp_sasl_passwd
 		 && smtp_sasl_passwd_lookup(session))
 #endif
 	    )
 	    RETRY_AS_PLAINTEXT;
 	return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
 			       SMTP_RESP_FAKE(&fake, "4.7.5"),
--- a/postfix/src/smtp/smtp_sasl_glue.c
+++ b/postfix/src/smtp/smtp_sasl_glue.c
@ -175,9 +175,13 @@ int     smtp_sasl_passwd_lookup(SMTP_SESSION *session)
 	 && (value = mail_addr_find(smtp_sasl_passwd_map,
 				 state->request->sender, (char **) 0)) != 0)
 	|| (value = maps_find(smtp_sasl_passwd_map, session->host, 0)) != 0
-	|| (value = maps_find(smtp_sasl_passwd_map, session->dest, 0)) != 0) {
+      || (value = maps_find(smtp_sasl_passwd_map, session->dest, 0)) != 0) {
 	if (session->sasl_username)
 	    myfree(session->sasl_username);
 	session->sasl_username = mystrdup(value);
 	passwd = split_at(session->sasl_username, ':');
 	if (session->sasl_passwd)
 	    myfree(session->sasl_passwd);
 	session->sasl_passwd = mystrdup(passwd ? passwd : "");
 	if (msg_verbose)
 	    msg_info("%s: host `%s' user `%s' pass `%s'",
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@ -108,6 +108,12 @@
 /* .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR"
 /*	Postpone the start of an SMTP mail transaction until a valid
 /*	RCPT TO command is received.
 /* .PP
 /*	Available in Postfix version 2.3 and later:
 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
 /*	Force the Postfix SMTP server to issue a TLS session id, even
 /*	when TLS session caching is turned off (smtpd_tls_session_cache_database
 /*	is empty).
 /* ADDRESS REWRITING CONTROLS
 /* .ad
 /* .fi
@ -278,6 +284,10 @@
 /* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
 /*	The file with the certificate of the certification authority
 /*	(CA) that issued the Postfix SMTP server certificate.
 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
 /*	Force the Postfix SMTP server to issue a TLS session id, even
 /*	when TLS session caching is turned off (smtpd_tls_session_cache_database
 /*	is empty).
 /* .IP "\fBsmtpd_tls_ask_ccert (no)\fR"
 /*	Ask a remote SMTP client for a client certificate.
 /* .IP "\fBsmtpd_tls_auth_only (no)\fR"
@ -520,7 +530,7 @@
 /* .PP
 /*	Available in Postfix version 2.3 and later:
 /* .IP "\fBsmtpd_peername_lookup (yes)\fR"
-/*	Attempt to look up the Postfix SMTP client hostname, and verify that
+/*	Attempt to look up the remote SMTP client hostname, and verify that
 /*	the name matches the client IP address.
 /* .PP
 /*	The per SMTP client connection count and request rate limits are
@ -1070,6 +1080,7 @@ char   *var_smtpd_tls_mand_proto;
 bool    var_smtpd_tls_received_header;
 bool    var_smtpd_tls_req_ccert;
 int     var_smtpd_tls_scache_timeout;
 bool    var_smtpd_tls_set_sessid;
 int     var_tls_daemon_rand_bytes;
 #endif
@ -1520,7 +1531,7 @@ static void helo_reset(SMTPD_STATE *state)
    if (state->helo_name) {
 	myfree(state->helo_name);
 	state->helo_name = 0;
-	if (smtpd_milters)
+	if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0)
 	    milter_abort(smtpd_milters);
    }
 }
@ -1688,6 +1699,8 @@ static int mail_open_stream(SMTPD_STATE *state)
 	     */
 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
 			MAIL_ATTR_ACT_CLIENT_NAME, state->name);
 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
 		    MAIL_ATTR_ACT_REVERSE_CLIENT_NAME, state->reverse_name);
 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
 			MAIL_ATTR_ACT_CLIENT_ADDR, state->addr);
 	    if (state->helo_name)
@ -2235,10 +2248,11 @@ static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
 		return (-1);
 	    }
 	    vstring_strcpy(state->dsn_orcpt_buf, arg + 6);
 	    if (dsn_orcpt_addr
-		|| (coded_addr = split_at(arg + 6, ';')) == 0
+		|| (coded_addr = split_at(STR(state->dsn_orcpt_buf), ';')) == 0
 		|| xtext_unquote(state->dsn_buf, coded_addr) == 0
-		|| *(dsn_orcpt_type = arg + 6) == 0) {
+		|| *(dsn_orcpt_type = STR(state->dsn_orcpt_buf)) == 0) {
 		state->error_mask |= MAIL_ERROR_PROTOCOL;
 		smtpd_chat_reply(state,
 			     "501 5.5.4 Error: Bad ORCPT parameter syntax");
@ -4218,6 +4232,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 	    props.verifydepth = var_smtpd_tls_ccert_vd;
 	    props.cache_type = TLS_MGR_SCACHE_SMTPD;
 	    props.scache_timeout = var_smtpd_tls_scache_timeout;
 	    props.set_sessid = var_smtpd_tls_set_sessid;
 	    props.cert_file = var_smtpd_tls_cert_file;
 	    props.key_file = var_smtpd_tls_key_file;
 	    props.dcert_file = var_smtpd_tls_dcert_file;
@ -4250,14 +4265,14 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 		msg_warn("Can't require client certs unless TLS is required");
 	    props.cipherlist =
-	    	tls_cipher_list(enforce_tls ?
+		tls_cipher_list(enforce_tls ?
-				    tls_cipher_level(var_smtpd_tls_mand_ciph) :
+				tls_cipher_level(var_smtpd_tls_mand_ciph) :
-				    TLS_CIPHER_EXPORT,
+				TLS_CIPHER_EXPORT,
 				var_smtpd_tls_excl_ciph,
 				havecert ? "" : "aRSA aDSS",
 				wantcert ? "aNULL" : "",
-				enforce_tls ?  var_smtpd_tls_mand_excl :
+				enforce_tls ? var_smtpd_tls_mand_excl :
-				    TLS_END_EXCLUDE,
+				TLS_END_EXCLUDE,
 				TLS_END_EXCLUDE);
 	    if (props.cipherlist == 0) {
@ -4268,8 +4283,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 				    var_smtpd_tls_excl_ciph,
 				    havecert ? "" : "aRSA aDSS",
 				    wantcert ? "aNULL" : "",
-				    enforce_tls ?  var_smtpd_tls_mand_excl :
+				    enforce_tls ? var_smtpd_tls_mand_excl :
-					TLS_END_EXCLUDE,
+				    TLS_END_EXCLUDE,
 				    TLS_END_EXCLUDE);
 	    }
 	    if (havecert || oknocert)
@ -4439,6 +4454,7 @@ int     main(int argc, char **argv)
 	VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
 	VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
 	VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
 	VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid,
 #endif
 	VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
 	VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
--- a/postfix/src/smtpd/smtpd.h
+++ b/postfix/src/smtpd/smtpd.h
@ -145,6 +145,7 @@ typedef struct SMTPD_STATE {
    char   *dsn_envid;			/* temporary MAIL FROM state */
    int     dsn_ret;			/* temporary MAIL FROM state */
    VSTRING *dsn_buf;			/* scratch space for xtext expansion */
    VSTRING *dsn_orcpt_buf;		/* scratch space for ORCPT parsing */
    /*
     * Pass-through proxy client.
--- a/postfix/src/smtpd/smtpd_milter.c
+++ b/postfix/src/smtpd/smtpd_milter.c
@ -78,6 +78,15 @@ const char *smtpd_milter_eval(const char *name, void *ptr)
    /*
     * Connect macros.
     */
    if (strcmp(name, S8_MAC__) == 0) {
 	if (state->expand_buf == 0)
 	    state->expand_buf = vstring_alloc(10);
 	vstring_sprintf(state->expand_buf, "%s [%s]",
 			state->reverse_name, state->addr);
 	if (strcasecmp(state->name, state->reverse_name) != 0)
 	    vstring_strcat(state->expand_buf, " (may be forged)");
 	return (STR(state->expand_buf));
    }
    if (strcmp(name, S8_MAC_J) == 0)
 	return (var_myhostname);
    if (strcmp(name, S8_MAC_CLIENT_ADDR) == 0)
--- a/postfix/src/smtpd/smtpd_state.c
+++ b/postfix/src/smtpd/smtpd_state.c
@ -137,6 +137,7 @@ void    smtpd_state_init(SMTPD_STATE *state, VSTREAM *stream,
 #endif
    state->dsn_envid = 0;
    state->dsn_buf = vstring_alloc(100);
    state->dsn_orcpt_buf = vstring_alloc(100);
 #ifdef USE_TLS
    state->tls_use_tls = 0;
    state->tls_enforce_tls = 0;
@ -212,6 +213,8 @@ void    smtpd_state_reset(SMTPD_STATE *state)
 	vstring_free(state->instance);
    if (state->dsn_buf)
 	vstring_free(state->dsn_buf);
    if (state->dsn_orcpt_buf)
 	vstring_free(state->dsn_orcpt_buf);
 #ifdef USE_SASL_AUTH
    if (var_smtpd_sasl_enable)
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@ -17,7 +17,7 @@
 #include <name_code.h>
 /*
-  * TLS enforcement levels. Non-sentinel values also be used to indicate
+  * TLS enforcement levels. Non-sentinel values may also be used to indicate
  * the actual security level of a session.
  */
 #define TLS_LEV_NOTFOUND	-1	/* sentinel */
@ -174,6 +174,7 @@ typedef struct {
    int     verifydepth;
    const char *cache_type;
    long    scache_timeout;
    int     set_sessid;
    const char *cert_file;
    const char *key_file;
    const char *dcert_file;
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@ -447,7 +447,7 @@ SSL_CTX *tls_server_init(const tls_server_props *props)
 	tls_print_errors();
 	cachable = 0;
    }
-    if (cachable) {
+    if (cachable || props->set_sessid) {
 	/*
 	 * Initialize the session cache.
@ -474,8 +474,10 @@ SSL_CTX *tls_server_init(const tls_server_props *props)
 	SSL_CTX_set_session_cache_mode(server_ctx,
 				       SSL_SESS_CACHE_SERVER |
 				       SSL_SESS_CACHE_NO_AUTO_CLEAR);
-	SSL_CTX_sess_set_get_cb(server_ctx, get_server_session_cb);
+	if (cachable) {
-	SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
+	    SSL_CTX_sess_set_get_cb(server_ctx, get_server_session_cb);
 	    SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
 	}
 	/*
 	 * OpenSSL ignores timed-out sessions. We need to set the internal