postfix-2.5-20070613

2025-09-01 14:45:32 +00:00 · 2007-06-13 00:00:00 -05:00
parent 476834efdd
commit c176ce0090
21 changed files with 427 additions and 350 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -13588,273 +13588,16 @@ Apologies for any names omitted.
 	20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
 	qmqpd/qmqpd_peer.c.
-Wish list:
+20070610
-	Update attr_print/scan() so they can send/receive file
+	Isolation: don't allow the pipe(8) delivery agent to leak
-	descriptors. This simplifies kludgy code in many daemons.
+	postdrop group privileges with "user=xxx:postdrop". File:
 	pipe/pipe.c.
-	Make adding date/from/etc. conditional. Perhaps on header
+20070613
 	rewrite context? Do we need a more powerful concept than
 	local_header_rewrite_clients/remote_header_rewrite_domain?
-	Would there be a problem adding $smtpd_mumble_restrictions
+	Bugfix: the Milter client assumed that body edit requests
-	and $smtpd_sender_login_maps to the default proxy_read_maps
+	would never come before header/envelope edit requests.
-	settings?
+	Problem was triggered by Jose-Marcio Martins da Cruz. Also
-
+	streamlined the handling of queue file update errors. File:
-	Remove defer(8) and trace(8) references and man pages. These
+	milter/milter8.c.
 	are services not program names.
 	Bind all deliveries to the same local delivery process,
 	making Postfix perform as poorly as monolithic mailers, but
 	giving a possibility to eliminate duplicate deliveries.
 	Maybe declare loop when resolve_local(mxhost) is true?
 	Update message content length when adding/removing headers.
 	Need scache size limit.
 	Update BACKSCATTER_README to use PCRE because that's what I
 	am using now.
 	Make postcat header/body aware so people can grep headers.
 	Make postmap header/body aware so people can test multi-line
 	header checks.
 	REDIRECT should override original recipient info, and
 	probably override DSN as well.
 	Find out if with Sendmail, a Milter "add recipient" request
 	results in NOTIFY=NONE as Postfix does now.
 	Update FILTER_README with mailing list suggestions to tag
 	with a badness indicator and then filter down-stream.
 	Either document or remove the internal_mail_filter_classes
 	feature (it's disabled by default).
 	Build a command-line test driver for the cleanup engine.
 	This allows us to test it with arbitrary record sequences
 	without having to use a live mail queue.
 	Make null local-part handling configurable: either expand
 	into mailer-daemon (current bahavior) or disallow (strict
 	behavior, currently implemented only in the SMTP server).
 	The type of var_message_limit should be changed from int
 	to long or better, to take advantage of LP64 architectures.
 	This also requires checking all expressions in which
 	var_message_limit appears.
 	Add M flag (enable multi-recipient delivery) to pipe daemon.
 	The usage of TLScontext->cache_type is unclear. It specifies
 	a TLS session cache type (smtpd, smtp, or lmtp), but it is
 	sometimes used as an indicator that TLS session caching is
 	unavailable.  In reality, that decision is made by not
 	registering call-back functions for cache maintenance.
 	Postfix TLS library code should copy any strings that it
 	receives from the application, instead of passing them
 	around as pointers. TLScontext->cache_type is a case in
 	point.
 	Are transport:nexthop null fields the same as in the case
 	of default_transport etc. parameters?
 	Don't lose bits when converting st_dev into maildir file
 	name. It's 64 bits on Linux. Found with the BEAM source
 	code analyzer. Is this really a problem, or are they just
 	using 64 bits for upwards compatibility with LP64 systems?
 	Do or don't introduce unknown_reverse_client_reject_code.
 	Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
 	UNIX).
 	Tempfail when a Milter application wants content access,
 	while it is configured in an SMTP server that runs before
 	the smtpd_proxy filter.
 	Log DSN original recipient when rejecting mail.
 	Keep whitespace between label and ":"?
 	Make the map case folding/locking options configurable, if
 	not at run-time then at least at compile time so we get
 	consistent behavior across applications.
 	Investigate what it would take to eliminate oqmgr, and to
 	make the old behavior configurable in a unified queue
 	manager.  This would shave another 2.7 KLOC from the source
 	footprint.
 	Document the case folding strategy for match_list like
 	features.
 	Eliminate the (incoming,deferred)->active rename operation.
 	Softbounce fallback-to-ISP for SOHO users. This requires
 	playing with the soft_error test in the smtp_trouble.c
 	module, and avoiding delivery to backup MX hosts.
 	In the SMTP server, set a "pipelining detected" flag at the
 	start of a session and at protocol synchronization points,
 	so that reject_unauth_pipelining can be specified in any
 	access rule.
 	Centralize main.cf parameter input so that defaults work
 	consistently. What about parameter names that are prefixed
 	with mail delivery transport names?
 	Fix default time unit handling so that we can have a default
 	bounce lifetime of $maximal_queue_lifetime, without causing
 	panics when a non-default maximal_queue_lifetime setting
 	includes no time unit.
 	After the 20051222 ISASCII paranoia, lowercase() lowercases
 	ASCII text only.
 	Privacy: remove local command/pathname details from remote
 	delivery status reports, and log them via local msg_warn().
 	Is it safe to cache a connection after it has been used for
 	more than some number of address verification probes?
 	Try to recognize that Resent- headers appear in blocks,
 	newest block first. But don't break on incorrect header
 	block organization.
 	Hard limits on cache sizes (anvil, specifically).
 	Laptop friendliness: make the qmgr remember when the next
 	deferred queue scan needs to be done, and have the pickup
 	server stat() the maildrop directory before searching it.
 	Low: replace_sender/replace_recipient actions in access
 	maps?
 	Low: configurable order of local(8) delivery methods.
 	Med: local and remote source port and IP address for smtpd
 	policy hook.
 	Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
 	to limit the total time spent trying to connect.
 	Med: transform IPv4-in-IPv6 address literals to IPv4 form
 	when comparing against local IP addresses?
 	Med: transform IPv4-in-IPv6 address literals to IPv4 form
 	when eliminating MX mailer loops?
 	Med: Postfix requires [] around IPv6 address information
 	in match lists such as mynetworks, debug_peer_list etc.,
 	but the [] must not be specified in access(5) maps. Other
 	places don't care.  For now, this gotcha is documented in
 	IPV6_README and in postconf(5) with each feature that may
 	use IPv6 address information. The general recommendation
 	is not to use [] unless absolutely necessary.
 	Med: the partial address matching of IPv6 addresses in
 	access(5) maps is a bit lame: it repeatedly truncates the
 	last ":octetpair" from the printable address representation
 	until a match is found or until truncation is no longer
 	possible.  Since one or more ":" are usually omitted from
 	the printable IPv6 address representation, this does not
 	really try all the possibilities that one might expect to
 	be tried. For now, this gotcha is documented in access(5).
 	Med: the TLS certificate verification depth parameters never
 	worked.
 	Low: reject HELO with any domain name or IP address that
 	this MTA is the final destination for.
 	Low: should the Delivered-To: test in local(8) be configurable?
 	Low: make mail_addr_find() lookup configurable.
 	Low: update events.c so that 1-second timer requests do not
 	suffer from rounding errors. This is needed for 1-second
 	SMTP session caching time limits. A 1-second interval would
 	become arbitrarily short when an event is scheduled just
 	before the current second rolls over.
 	Low: configurable internal/system locking method.
 	Low: add INSTALL section for pre-existing Postfix systems.
 	Low: add INSTALL section for pre-existing RPM Postfixes.
 	Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).
 	Low: noise filter: allow smtp(8) to retry immediately if
 	all MXes return a quick ECONNRESET or 4xx reply during the
 	initial handshake. Retry once? How many times?
 	Low: make post-install a "postfix-only script" so it can
 	take data from the environment instead of main.cf.
 	Low: randomize deferred mail backoff.
 	Med: separate ulimit for delivery to command?
 	Med: option to open queue file early, after MAIL FROM.  This
 	would allow correlation of rejected RCPT TO requests with
 	accepted requests for the same mail transaction.
 	Med: postsuper -r should do something with recipients in
 	bounce logfiles, to make sure the sender will be notified.
 	To be perfectly safe, no process other than the queue manager
 	should move a queue file away from the active queue.
 	This could involve tagging a queue file, and use up another
 	permission bit (postsuper tags a "hot" file, qmgr requeues it).
 	Low: postsuper re-run after renaming files, but only a
 	limited number of times.
 	Low: smtp-source may block when sending large test messages.
 	Med: find a way to log the sender address when MAIL FROM
 	is rejected due to lack of disk space.
 	Low: revise other local delivery agent duplicate filters.
 	Low: all table lookups should consistently use internalized
 	(unquoted) or externalized (quoted) forms as lookup keys.
 	smtpd, qmgr, local, etc. use unquoted address forms as keys.
 	cleanup uses quoted forms.
 	Low: have a configurable list of errno values for mailbox
 	or maildir delivery that result in deferral rather than
 	bouncing mail. What about "killed by signal" exits?
 	Low: after reorganizing configuration parameters, add flags
 	to all parameters whose value can be read from file.
 	Medium: need in-process caching for map lookups. LDAP servers
 	seem to need this in particular. Need a way to expire cached
 	results that are too old.
 	Low: generic showq protocol, to allow for more intelligent
 	processing than just mailq. Maybe marry this with postsuper.
 	Low: default domain for appending to unqualified recipients,
 	so that unqualified names can be delivered locally.
 	Low: The $process_id_directory setting is not used anywhere
 	in Postfix. Problem reported by Michael Smith, texas.net.
 	This should be documented, or better, the code should warn
 	about attempts to set read-only parameters.
 	Low: postconf -e edits parameters that postconf won't list.
 	Low: while converting 8bit text to quoted-printable, perhaps
 	use =46rom to avoid having to produce >From when delivering
 	to mailbox.
 	virtual_mailbox_path expression like forward_path, so that
 	people can specify prefix and suffix.
--- a/postfix/README_FILES/OVERVIEW
+++ b/postfix/README_FILES/OVERVIEW
@@ -120,7 +120,7 @@ unnumbered names inside shaded areas represent Postfix queues.
    is described in the QSHAPE_README and TUNING_README documents.
  * The trivial-rewrite(8) server resolves each recipient address according to
-    its local and remote address class, as defined in the ADDRESS_CLASS_README
+    its local or remote address class, as defined in the ADDRESS_CLASS_README
    document. Additional routing information can be specified with the optional
    transport(5) table. The trivial-rewrite(8) server optionally queries the
    relocated(5) table for recipients whose address has changed; mail for such
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -17,7 +17,13 @@ Incompatibility with Postfix 2.3 and earlier
 If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4
 before proceeding.
-Incompatibility with Postfix snapshot 2007XXXX
+Incompatibility with Postfix snapshot 20070613
 ==============================================
 The pipe(8) delivery agent no longer allows delivery with the same
 group ID as the main.cf postdrop group.
 Incompatibility with Postfix snapshot 20070514
 ==============================================
 The default sender address for address verification probes was
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -0,0 +1,283 @@
 Wish list:
 	Really need a cleanup driver that allows testing against
 	Milter applications instead of synthetic events. This would
 	have to provide stubs for clients that talk to Postfix
 	daemon processes. See if this approach can also be used for
 	other daemons.
 	smtpd(8) exempts $address_verify_sender from access controls,
 	but it doesn't know whether cleanup(8) or delivery agents
 	modify the sender. Would it be possible to "calibrate" this
 	exemption, perhaps by having delivery agents pass the probe
 	sender to the verify server, keeping in mind that the probe
 	sender may differ per delivery agent due to output rewriting.
 	Update attr_print/scan() so they can send/receive file
 	descriptors. This simplifies kludgy code in many daemons.
 	Make adding date/from/etc. conditional. Perhaps on header
 	rewrite context? Do we need a more powerful concept than
 	local_header_rewrite_clients/remote_header_rewrite_domain?
 	Would there be a problem adding $smtpd_mumble_restrictions
 	and $smtpd_sender_login_maps to the default proxy_read_maps
 	settings?
 	Remove defer(8) and trace(8) references and man pages. These
 	are services not program names.
 	Bind all deliveries to the same local delivery process,
 	making Postfix perform as poorly as monolithic mailers, but
 	giving a possibility to eliminate duplicate deliveries.
 	Maybe declare loop when resolve_local(mxhost) is true?
 	Update message content length when adding/removing headers.
 	Need scache size limit.
 	Update BACKSCATTER_README to use PCRE because that's what I
 	am using now.
 	Make postcat header/body aware so people can grep headers.
 	Make postmap header/body aware so people can test multi-line
 	header checks.
 	REDIRECT should override original recipient info, and
 	probably override DSN as well.
 	Find out if with Sendmail, a Milter "add recipient" request
 	results in NOTIFY=NONE as Postfix does now.
 	Update FILTER_README with mailing list suggestions to tag
 	with a badness indicator and then filter down-stream.
 	Either document or remove the internal_mail_filter_classes
 	feature (it's disabled by default).
 	Build a command-line test driver for the cleanup engine.
 	This allows us to test it with arbitrary record sequences
 	without having to use a live mail queue.
 	Make null local-part handling configurable: either expand
 	into mailer-daemon (current bahavior) or disallow (strict
 	behavior, currently implemented only in the SMTP server).
 	The type of var_message_limit should be changed from int
 	to long or better, to take advantage of LP64 architectures.
 	This also requires checking all expressions in which
 	var_message_limit appears.
 	Add M flag (enable multi-recipient delivery) to pipe daemon.
 	The usage of TLScontext->cache_type is unclear. It specifies
 	a TLS session cache type (smtpd, smtp, or lmtp), but it is
 	sometimes used as an indicator that TLS session caching is
 	unavailable.  In reality, that decision is made by not
 	registering call-back functions for cache maintenance.
 	Postfix TLS library code should copy any strings that it
 	receives from the application, instead of passing them
 	around as pointers. TLScontext->cache_type is a case in
 	point.
 	Are transport:nexthop null fields the same as in the case
 	of default_transport etc. parameters?
 	Don't lose bits when converting st_dev into maildir file
 	name. It's 64 bits on Linux. Found with the BEAM source
 	code analyzer. Is this really a problem, or are they just
 	using 64 bits for upwards compatibility with LP64 systems?
 	Do or don't introduce unknown_reverse_client_reject_code.
 	Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
 	UNIX).
 	Tempfail when a Milter application wants content access,
 	while it is configured in an SMTP server that runs before
 	the smtpd_proxy filter.
 	Log DSN original recipient when rejecting mail.
 	Keep whitespace between label and ":"?
 	Make the map case folding/locking options configurable, if
 	not at run-time then at least at compile time so we get
 	consistent behavior across applications.
 	Investigate what it would take to eliminate oqmgr, and to
 	make the old behavior configurable in a unified queue
 	manager.  This would shave another 2.7 KLOC from the source
 	footprint.
 	Document the case folding strategy for match_list like
 	features.
 	Eliminate the (incoming,deferred)->active rename operation.
 	Softbounce fallback-to-ISP for SOHO users. This requires
 	playing with the soft_error test in the smtp_trouble.c
 	module, and avoiding delivery to backup MX hosts.
 	In the SMTP server, set a "pipelining detected" flag at the
 	start of a session and at protocol synchronization points,
 	so that reject_unauth_pipelining can be specified in any
 	access rule.
 	Centralize main.cf parameter input so that defaults work
 	consistently. What about parameter names that are prefixed
 	with mail delivery transport names?
 	Fix default time unit handling so that we can have a default
 	bounce lifetime of $maximal_queue_lifetime, without causing
 	panics when a non-default maximal_queue_lifetime setting
 	includes no time unit.
 	After the 20051222 ISASCII paranoia, lowercase() lowercases
 	ASCII text only.
 	Privacy: remove local command/pathname details from remote
 	delivery status reports, and log them via local msg_warn().
 	Is it safe to cache a connection after it has been used for
 	more than some number of address verification probes?
 	Try to recognize that Resent- headers appear in blocks,
 	newest block first. But don't break on incorrect header
 	block organization.
 	Hard limits on cache sizes (anvil, specifically).
 	Laptop friendliness: make the qmgr remember when the next
 	deferred queue scan needs to be done, and have the pickup
 	server stat() the maildrop directory before searching it.
 	Low: replace_sender/replace_recipient actions in access
 	maps?
 	Low: configurable order of local(8) delivery methods.
 	Med: local and remote source port and IP address for smtpd
 	policy hook.
 	Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
 	to limit the total time spent trying to connect.
 	Med: transform IPv4-in-IPv6 address literals to IPv4 form
 	when comparing against local IP addresses?
 	Med: transform IPv4-in-IPv6 address literals to IPv4 form
 	when eliminating MX mailer loops?
 	Med: Postfix requires [] around IPv6 address information
 	in match lists such as mynetworks, debug_peer_list etc.,
 	but the [] must not be specified in access(5) maps. Other
 	places don't care.  For now, this gotcha is documented in
 	IPV6_README and in postconf(5) with each feature that may
 	use IPv6 address information. The general recommendation
 	is not to use [] unless absolutely necessary.
 	Med: the partial address matching of IPv6 addresses in
 	access(5) maps is a bit lame: it repeatedly truncates the
 	last ":octetpair" from the printable address representation
 	until a match is found or until truncation is no longer
 	possible.  Since one or more ":" are usually omitted from
 	the printable IPv6 address representation, this does not
 	really try all the possibilities that one might expect to
 	be tried. For now, this gotcha is documented in access(5).
 	Med: the TLS certificate verification depth parameters never
 	worked.
 	Low: reject HELO with any domain name or IP address that
 	this MTA is the final destination for.
 	Low: should the Delivered-To: test in local(8) be configurable?
 	Low: make mail_addr_find() lookup configurable.
 	Low: update events.c so that 1-second timer requests do not
 	suffer from rounding errors. This is needed for 1-second
 	SMTP session caching time limits. A 1-second interval would
 	become arbitrarily short when an event is scheduled just
 	before the current second rolls over.
 	Low: configurable internal/system locking method.
 	Low: add INSTALL section for pre-existing Postfix systems.
 	Low: add INSTALL section for pre-existing RPM Postfixes.
 	Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).
 	Low: noise filter: allow smtp(8) to retry immediately if
 	all MXes return a quick ECONNRESET or 4xx reply during the
 	initial handshake. Retry once? How many times?
 	Low: make post-install a "postfix-only script" so it can
 	take data from the environment instead of main.cf.
 	Low: randomize deferred mail backoff.
 	Med: separate ulimit for delivery to command?
 	Med: option to open queue file early, after MAIL FROM.  This
 	would allow correlation of rejected RCPT TO requests with
 	accepted requests for the same mail transaction.
 	Med: postsuper -r should do something with recipients in
 	bounce logfiles, to make sure the sender will be notified.
 	To be perfectly safe, no process other than the queue manager
 	should move a queue file away from the active queue.
 	This could involve tagging a queue file, and use up another
 	permission bit (postsuper tags a "hot" file, qmgr requeues it).
 	Low: postsuper re-run after renaming files, but only a
 	limited number of times.
 	Low: smtp-source may block when sending large test messages.
 	Med: find a way to log the sender address when MAIL FROM
 	is rejected due to lack of disk space.
 	Low: revise other local delivery agent duplicate filters.
 	Low: all table lookups should consistently use internalized
 	(unquoted) or externalized (quoted) forms as lookup keys.
 	smtpd, qmgr, local, etc. use unquoted address forms as keys.
 	cleanup uses quoted forms.
 	Low: have a configurable list of errno values for mailbox
 	or maildir delivery that result in deferral rather than
 	bouncing mail. What about "killed by signal" exits?
 	Low: after reorganizing configuration parameters, add flags
 	to all parameters whose value can be read from file.
 	Medium: need in-process caching for map lookups. LDAP servers
 	seem to need this in particular. Need a way to expire cached
 	results that are too old.
 	Low: generic showq protocol, to allow for more intelligent
 	processing than just mailq. Maybe marry this with postsuper.
 	Low: default domain for appending to unqualified recipients,
 	so that unqualified names can be delivered locally.
 	Low: The $process_id_directory setting is not used anywhere
 	in Postfix. Problem reported by Michael Smith, texas.net.
 	This should be documented, or better, the code should warn
 	about attempts to set read-only parameters.
 	Low: postconf -e edits parameters that postconf won't list.
 	Low: while converting 8bit text to quoted-printable, perhaps
 	use =46rom to avoid having to produce >From when delivering
 	to mailbox.
 	virtual_mailbox_path expression like forward_path, so that
 	people can specify prefix and suffix.
--- a/postfix/conf/transport
+++ b/postfix/conf/transport
@@ -267,6 +267,7 @@
 # 
 # SEE ALSO
 #        trivial-rewrite(8), rewrite and resolve addresses
 #        master(5), master.cf file format
 #        postconf(5), configuration parameters
 #        postmap(1), Postfix lookup table manager
 # 
--- a/postfix/html/OVERVIEW.html
+++ b/postfix/html/OVERVIEW.html
@@ -340,7 +340,7 @@ delayed mail delivery attempts is described in the <a href="QSHAPE_README.html">
 and <a href="TUNING_README.html">TUNING_README</a> documents. </p>
 <li> <p> The <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> server resolves each recipient
-address according to its local and remote address class, as defined
+address according to its local or remote address class, as defined
 in the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> document.  Additional routing information
 can be specified with the optional <a href="transport.5.html">transport(5)</a> table.  The
 <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> server optionally queries the <a href="relocated.5.html">relocated(5)</a> table
--- a/postfix/html/error.8.html
+++ b/postfix/html/error.8.html
@@ -18,21 +18,22 @@ ERROR(8)                                                              ERROR(8)
       queue  file, a sender address, the reason for non-delivery
       (specified as the  next-hop  destination),  and  recipient
       information.   The  reason  may  be  prefixed  with an <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC</a>
-       <a href="http://www.faqs.org/rfcs/rfc3463.html">3463</a>-compatible detail code.  This program expects  to  be
+       <a href="http://www.faqs.org/rfcs/rfc3463.html">3463</a>-compatible  detail  code;  if  none  is  specified  a
-       run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
+       default 4.0.0 or 5.0.0 code is used instead.  This program
       expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
-       Depending  on  the  service  name  in  <a href="master.5.html">master.cf</a>, <b>error</b> or
+       Depending on the  service  name  in  <a href="master.5.html">master.cf</a>,  <b>error</b>  or
-       <b>retry</b>, the server bounces or defers all recipients in  the
+       <b>retry</b>,  the server bounces or defers all recipients in the
-       delivery  request  using the "next-hop" information as the
+       delivery request using the "next-hop" information  as  the
-       reason for non-delivery. The <b>retry</b> service  name  is  sup-
+       reason  for  non-delivery.  The <b>retry</b> service name is sup-
       ported as of Postfix 2.4.
-       Delivery   status  reports  are  sent  to  the  <a href="bounce.8.html"><b>bounce</b>(8)</a>,
+       Delivery  status  reports  are  sent  to  the   <a href="bounce.8.html"><b>bounce</b>(8)</a>,
       <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.
 <b>SECURITY</b>
       The <a href="error.8.html"><b>error</b>(8)</a> mailer is not security-sensitive. It does not
-       talk  to the network, and can be run chrooted at fixed low
+       talk to the network, and can be run chrooted at fixed  low
       privilege.
 <b>STANDARDS</b>
@@ -41,39 +42,39 @@ ERROR(8)                                                              ERROR(8)
 <b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8).
-       Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b>  parameter,
+       Depending  on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
-       the  postmaster  is notified of bounces and of other trou-
+       the postmaster is notified of bounces and of  other  trou-
       ble.
 <b>CONFIGURATION PARAMETERS</b>
       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically as <a href="error.8.html"><b>error</b>(8)</a>
-       processes  run  for only a limited amount of time. Use the
+       processes run for only a limited amount of time.  Use  the
       command "<b>postfix reload</b>" to speed up a change.
-       The text below provides  only  a  parameter  summary.  See
+       The  text  below  provides  only  a parameter summary. See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
       <b><a href="postconf.5.html#2bounce_notice_recipient">2bounce_notice_recipient</a> (postmaster)</b>
-              The  recipient of undeliverable mail that cannot be
+              The recipient of undeliverable mail that cannot  be
              returned to the sender.
       <b><a href="postconf.5.html#bounce_notice_recipient">bounce_notice_recipient</a> (postmaster)</b>
-              The recipient of postmaster notifications with  the
+              The  recipient of postmaster notifications with the
              message  headers  of  mail  that  Postfix  did  not
-              deliver and of  SMTP  conversation  transcripts  of
+              deliver  and  of  SMTP  conversation transcripts of
              mail that Postfix did not receive.
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
+              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
              <a href="master.5.html">master.cf</a> configuration files.
       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How much time a Postfix daemon process may take  to
+              How  much time a Postfix daemon process may take to
-              handle  a  request  before  it  is  terminated by a
+              handle a request  before  it  is  terminated  by  a
              built-in watchdog timer.
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The maximal number  of  digits  after  the  decimal
+              The  maximal  number  of  digits  after the decimal
              point when logging sub-second delay values.
       <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
@@ -85,37 +86,37 @@ ERROR(8)                                                              ERROR(8)
              over an internal communication channel.
       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount  of  time that an idle Postfix
+              The maximum amount of time  that  an  idle  Postfix
-              daemon process waits  for  an  incoming  connection
+              daemon  process  waits  for  an incoming connection
              before terminating voluntarily.
       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal  number of incoming connections that a
+              The maximal number of incoming connections  that  a
-              Postfix daemon process will service  before  termi-
+              Postfix  daemon  process will service before termi-
              nating voluntarily.
       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
-              The  list of error classes that are reported to the
+              The list of error classes that are reported to  the
              postmaster.
       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
              process.
       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
              process.
       <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
              tory.
       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.
       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
+              The mail system  name  that  is  prepended  to  the
-              process name in syslog  records,  so  that  "smtpd"
+              process  name  in  syslog  records, so that "smtpd"
              becomes, for example, "postfix/smtpd".
 <b>SEE ALSO</b>
@@ -128,7 +129,7 @@ ERROR(8)                                                              ERROR(8)
       syslogd(8), system logging
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
       software.
 <b>AUTHOR(S)</b>
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -43,7 +43,8 @@ that starts with whitespace continues a logical line. </p>
 <ul>
 <li> <p> The expressions "$name", "${name}" or "$(name)" are
-recursively replaced by the value of the named parameter. </p>
+recursively replaced by the value of the named parameter.
 Specify "$$" to produce a single "$" character. </p>
 <li> <p> The expression "${name?value}" expands to "value" when
 "$name" is non-empty. This form is supported with Postfix version
--- a/postfix/html/transport.5.html
+++ b/postfix/html/transport.5.html
@@ -273,6 +273,7 @@ TRANSPORT(5)                                                      TRANSPORT(5)
 <b>SEE ALSO</b>
       <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, rewrite and resolve addresses
       <a href="master.5.html">master(5)</a>, <a href="master.5.html">master.cf</a> file format
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -34,6 +34,7 @@ A parameter value may refer to other parameters.
 .IP \(bu 
 The expressions "$name", "${name}" or "$(name)" are
 recursively replaced by the value of the named parameter.
 Specify "$$" to produce a single "$" character.
 .IP \(bu
 The expression "${name?value}" expands to "value" when
 "$name" is non-empty. This form is supported with Postfix
--- a/postfix/man/man5/transport.5
+++ b/postfix/man/man5/transport.5
@@ -282,6 +282,7 @@ List of transport lookup tables.
 .na
 .nf
 trivial-rewrite(8), rewrite and resolve addresses
 master(5), master.cf file format
 postconf(5), configuration parameters
 postmap(1), Postfix lookup table manager
 .SH "README FILES"
--- a/postfix/man/man8/error.8
+++ b/postfix/man/man8/error.8
@@ -17,7 +17,8 @@ requests from
 the queue manager. Each request specifies a queue file, a sender
 address, the reason for non-delivery (specified as the
 next-hop destination), and recipient information.
-The reason may be prefixed with an RFC 3463-compatible detail code.
+The reason may be prefixed with an RFC 3463-compatible detail code;
 if none is specified a default 4.0.0 or 5.0.0 code is used instead.
 This program expects to be run from the \fBmaster\fR(8) process
 manager.
--- a/postfix/proto/OVERVIEW.html
+++ b/postfix/proto/OVERVIEW.html
@@ -340,7 +340,7 @@ delayed mail delivery attempts is described in the QSHAPE_README
 and TUNING_README documents. </p>
 <li> <p> The trivial-rewrite(8) server resolves each recipient
-address according to its local and remote address class, as defined
+address according to its local or remote address class, as defined
 in the ADDRESS_CLASS_README document.  Additional routing information
 can be specified with the optional transport(5) table.  The
 trivial-rewrite(8) server optionally queries the relocated(5) table
--- a/postfix/proto/postconf.html.prolog
+++ b/postfix/proto/postconf.html.prolog
@@ -43,7 +43,8 @@ that starts with whitespace continues a logical line. </p>
 <ul>
 <li> <p> The expressions "$name", "${name}" or "$(name)" are
-recursively replaced by the value of the named parameter. </p>
+recursively replaced by the value of the named parameter.
 Specify "$$" to produce a single "$" character. </p>
 <li> <p> The expression "${name?value}" expands to "value" when
 "$name" is non-empty. This form is supported with Postfix version
--- a/postfix/proto/postconf.man.prolog
+++ b/postfix/proto/postconf.man.prolog
@@ -34,6 +34,7 @@ A parameter value may refer to other parameters.
 .IP \(bu 
 The expressions "$name", "${name}" or "$(name)" are
 recursively replaced by the value of the named parameter.
 Specify "$$" to produce a single "$" character.
 .IP \(bu
 The expression "${name?value}" expands to "value" when
 "$name" is non-empty. This form is supported with Postfix
--- a/postfix/proto/transport
+++ b/postfix/proto/transport
@@ -258,6 +258,7 @@
 #	List of transport lookup tables.
 # SEE ALSO
 #	trivial-rewrite(8), rewrite and resolve addresses
 #	master(5), master.cf file format
 #	postconf(5), configuration parameters
 #	postmap(1), Postfix lookup table manager
 # README FILES
--- a/postfix/src/error/error.c
+++ b/postfix/src/error/error.c
@@ -11,7 +11,8 @@
 /*	the queue manager. Each request specifies a queue file, a sender
 /*	address, the reason for non-delivery (specified as the
 /*	next-hop destination), and recipient information.
-/*	The reason may be prefixed with an RFC 3463-compatible detail code.
+/*	The reason may be prefixed with an RFC 3463-compatible detail code;
 /*	if none is specified a default 4.0.0 or 5.0.0 code is used instead.
 /*	This program expects to be run from the \fBmaster\fR(8) process
 /*	manager.
 /*
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20070531"
+#define MAIL_RELEASE_DATE	"20070613"
 #define MAIL_VERSION_NUMBER	"2.5"
 #ifdef SNAPSHOT
--- a/postfix/src/milter/milter8.c
+++ b/postfix/src/milter/milter8.c
@@ -475,6 +475,26 @@ static int milter8_comm_error(MILTER8 *milter)
    return (milter->state = MILTER8_STAT_ERROR);
 }
 /* milter8_edit_error - local message/envelope edit error */
 static void milter8_edit_error(MILTER8 *milter, const char *reply)
 {
    /*
     * Close the socket so that we don't receive later Milter replies while
     * we're handling the next email message. Set the Milter handle state to
     * ERROR, i.e. don't report further MTA events via this handle. We don't
     * want surprises when this code gets reused for a protocol that allows
     * envelope or header updates before the end-of-body MTA event.
     */
    if (milter->fp != 0) {
 	(void) vstream_fclose(milter->fp);
 	milter->fp = 0;
    }
    milter8_def_reply(milter, reply);
    milter->state = MILTER8_STAT_ERROR;
 }
 /* milter8_close_stream - close stream to milter application */
 static void milter8_close_stream(MILTER8 *milter)
@@ -1002,6 +1022,27 @@ static const char *milter8_event(MILTER8 *milter, int event,
 	    msg_info("reply: %s data %ld bytes",
 		     (smfir_name = str_name_code(smfir_table, cmd)) != 0 ?
 		     smfir_name : "unknown", (long) data_size);
 	/*
 	 * Handle unfinished message body replacement first.
 	 */
 	if (body_line_buf != 0 && cmd != SMFIR_REPLBODY) {
 	    /* In case the last body replacement line didn't end in CRLF. */
 	    if (LEN(body_line_buf) > 0)
 		edit_resp = parent->repl_body(parent->chg_context,
 					      MILTER_BODY_LINE,
 					      body_line_buf);
 	    if (edit_resp == 0)
 		edit_resp = parent->repl_body(parent->chg_context,
 					      MILTER_BODY_END,
 					      (VSTRING *) 0);
 	    if (edit_resp) {
 		milter8_edit_error(milter, edit_resp);
 		MILTER8_EVENT_BREAK(milter->def_reply);
 	    }
 	    vstring_free(body_line_buf);
 	    body_line_buf = 0;
 	}
 	switch (cmd) {
 	    /*
@@ -1212,8 +1253,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 			edit_resp = parent->del_header(parent->chg_context,
 						       (ssize_t) index,
 						       STR(milter->buf));
-		    if (edit_resp)
+		    if (edit_resp) {
-			MILTER8_EVENT_BREAK(edit_resp);
+			milter8_edit_error(milter, edit_resp);
 			MILTER8_EVENT_BREAK(milter->def_reply);
 		    }
 		    continue;
 #endif
@@ -1229,8 +1272,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 		    edit_resp = parent->add_header(parent->chg_context,
 						   STR(milter->buf),
 						   STR(milter->body));
-		    if (edit_resp)
+		    if (edit_resp) {
-			MILTER8_EVENT_BREAK(edit_resp);
+			milter8_edit_error(milter, edit_resp);
 			MILTER8_EVENT_BREAK(milter->def_reply);
 		    }
 		    continue;
 		    /*
@@ -1257,8 +1302,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 						   (ssize_t) index + 1,
 						   STR(milter->buf),
 						   STR(milter->body));
-		    if (edit_resp)
+		    if (edit_resp) {
-			MILTER8_EVENT_BREAK(edit_resp);
+			milter8_edit_error(milter, edit_resp);
 			MILTER8_EVENT_BREAK(milter->def_reply);
 		    }
 		    continue;
 #endif
@@ -1272,8 +1319,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 			MILTER8_EVENT_BREAK(milter->def_reply);
 		    edit_resp = parent->add_rcpt(parent->chg_context,
 						 STR(milter->buf));
-		    if (edit_resp)
+		    if (edit_resp) {
-			MILTER8_EVENT_BREAK(edit_resp);
+			milter8_edit_error(milter, edit_resp);
 			MILTER8_EVENT_BREAK(milter->def_reply);
 		    }
 		    continue;
 		    /*
@@ -1286,8 +1335,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 			MILTER8_EVENT_BREAK(milter->def_reply);
 		    edit_resp = parent->del_rcpt(parent->chg_context,
 						 STR(milter->buf));
-		    if (edit_resp)
+		    if (edit_resp) {
-			MILTER8_EVENT_BREAK(edit_resp);
+			milter8_edit_error(milter, edit_resp);
 			MILTER8_EVENT_BREAK(milter->def_reply);
 		    }
 		    continue;
 		    /*
@@ -1323,6 +1374,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 			    VSTRING_ADDCH(body_line_buf, ch);
 			}
 		    }
 		    if (edit_resp) {
 			milter8_edit_error(milter, edit_resp);
 			MILTER8_EVENT_BREAK(milter->def_reply);
 		    }
 		    continue;
 		}
 	    }
@@ -1348,35 +1403,11 @@ static const char *milter8_event(MILTER8 *milter, int event,
    }
    /*
-     * Finish message body replacement.
+     * Clean up after aborted message body replacement.
     */
-    if (body_line_buf != 0) {
+    if (body_line_buf)
 	if (edit_resp == 0) {
 	    /* In case the last body replacement line didn't end in CRLF. */
 	    if (LEN(body_line_buf) > 0)
 		edit_resp = parent->repl_body(parent->chg_context,
 					      MILTER_BODY_LINE,
 					      body_line_buf);
 	    if (edit_resp == 0)
 		edit_resp = parent->repl_body(parent->chg_context,
 					      MILTER_BODY_END,
 					      (VSTRING *) 0);
 	}
 	vstring_free(body_line_buf);
 	/*
 	 * Override a non-reject/discard result value after body replacement
 	 * failure.
 	 * 
 	 * XXX Some cleanup clients ask the cleanup server to bounce mail for
 	 * them. In that case we must override a hard reject retval result
 	 * after queue file update failure. This is not a big problem; the
 	 * odds are small that a Milter application sends a hard reject after
 	 * replacing the message body.
 	 */
 	if (edit_resp && (retval == 0 || strchr("DS4", retval[0]) == 0))
 	    retval = edit_resp;
    }
    return (retval);
 }
--- a/postfix/src/milter/test-milter.c
+++ b/postfix/src/milter/test-milter.c
@@ -243,14 +243,6 @@ static sfsistat test_body(SMFICTX *ctx, unsigned char *data, size_t data_len)
 static sfsistat test_eom(SMFICTX *ctx)
 {
    printf("test_eom\n");
 #ifdef SMFIR_INSHEADER
    if (ins_hdr && smfi_insheader(ctx, ins_idx, ins_hdr, ins_val) == MI_FAILURE)
 	fprintf(stderr, "smfi_insheader failed");
 #endif
 #ifdef SMFIR_CHGHEADER
    if (chg_hdr && smfi_chgheader(ctx, chg_hdr, chg_idx, chg_val) == MI_FAILURE)
 	fprintf(stderr, "smfi_chgheader failed");
 #endif
 #ifdef SMFIR_REPLBODY
    if (body_file) {
 	char    buf[BUFSIZ + 2];
@@ -278,6 +270,14 @@ static sfsistat test_eom(SMFICTX *ctx)
 	    (void) fclose(fp);
 	}
    }
 #endif
 #ifdef SMFIR_INSHEADER
    if (ins_hdr && smfi_insheader(ctx, ins_idx, ins_hdr, ins_val) == MI_FAILURE)
 	fprintf(stderr, "smfi_insheader failed");
 #endif
 #ifdef SMFIR_CHGHEADER
    if (chg_hdr && smfi_chgheader(ctx, chg_hdr, chg_idx, chg_val) == MI_FAILURE)
 	fprintf(stderr, "smfi_chgheader failed");
 #endif
    return (test_reply(ctx, test_eom_reply));
 }
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@@ -923,6 +923,9 @@ static void get_service_attr(PIPE_ATTR *attr, char **argv)
    if (attr->gid == var_owner_gid)
 	msg_fatal("user= command-line attribute specifies mail system owner %s group id %ld",
 		  var_mail_owner, (long) attr->gid);
    if (attr->gid == var_sgid_gid)
 	msg_fatal("user= command-line attribute specifies mail system %s group id %ld",
 		  var_sgid_group, (long) attr->gid);
    /*
     * Give the poor tester a clue of what is going on.