postfix-3.5-20190210

2025-08-22 09:57:34 +00:00 · 2019-02-10 00:00:00 -05:00 · 2019-02-10 00:00:00 -05:00 · c6eaaf0bf1
commit c6eaaf0bf1
parent 67965c8458
30 changed files with 1282 additions and 491 deletions
--- a/postfix/AAAREADME
+++ b/postfix/AAAREADME
@ -149,6 +149,7 @@ Postfix daemons:
    src/oqmgr/		Old queue manager
    src/pickup/		Local pickup
    src/pipe/		Pipe delivery
    src/postlogd/	Syslog alternative, logs to file or stdout
    src/postscreen/	Zombie blocker
    src/proxymap/	Table lookup proxy agent
    src/qmgr/		Queue manager
@ -159,7 +160,7 @@ Postfix daemons:
    src/smtpd/		SMTP server
    src/spawn/		Run non-Postfix server
    src/tlsmgr/		TLS session keys and random pool
-    src/tlsproxy/	TLS proxy for postscreen
+    src/tlsproxy/	TLS proxy for postscreen and outbound connection reuse
    src/trivial-rewrite/ Address rewriting and resolving
    src/verify/		address verification service
    src/virtual/	virtual mailbox-only delivery agent
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -17692,7 +17692,7 @@ Apologies for any names omitted.
 20120330
-	Workaround: specify "\c" at the start of an smtp_reject_footer
+	Workaround: specify "\c" at the start of an smtpd_reject_footer
 	template to suppress the line break between the reply text
 	and the footer text. Files: global/smtp_reply_footer.c,
 	proto/postconf.proto.
@ -23633,10 +23633,10 @@ Apologies for any names omitted.
 20180812
-	Feature: smtp_reject_footer_maps (as well as the postscreen
+	Feature: smtpd_reject_footer_maps (as well as the postscreen
 	variant postscreen_reject_footer_maps). This is indexed
 	with the SMTP server response text, and overrides the footer
-	specified with smtp_reject_footer. Files: global/mail_params.h,
+	specified with smtpd_reject_footer. Files: global/mail_params.h,
 	mantools/postlink, postscreen/postscreen.c,
 	postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c,
 	proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c.
@ -24105,3 +24105,12 @@ Apologies for any names omitted.
 	Debugging: tlsproxy(8) now logs more details about unexpected
 	configuration differences between the Postfix SMTP client
 	and the tlsproxy(8) daemon.
 20190210
 	Documentation: Postfix 3.4.0 RELEASE NOTES.
 	Documentation: added BDAT_README.
 	Documentation: global TLS settings. Files: mantools/postlink,
 	smtp/smtp.c, tlsproxy/tlsproxy.c.
--- a/postfix/README_FILES/AAAREADME
+++ b/postfix/README_FILES/AAAREADME
@ -78,6 +78,7 @@ OOtthheerr ttooppiiccss
  * ADDRESS_CLASS_README: Address Classes
  * CONNECTION_CACHE_README: Connection cache howto
  * DSN_README: Postfix DSN support
  * BDAT_README: Postfix BDAT (CHUNKING) support
  * PACKAGE_README: Guidelines for Package Builders
  * SCHEDULER_README: Queue Scheduler
  * XCLIENT_README: XCLIENT Command
--- a/postfix/README_FILES/BDAT_README
+++ b/postfix/README_FILES/BDAT_README
@ -0,0 +1,124 @@
 PPoossttffiixx BBDDAATT ((CCHHUUNNKKIINNGG)) ssuuppppoorrtt
 -------------------------------------------------------------------------------
 OOvveerrvviieeww
 Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command) without
 BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled by default.
 Topics covered in this document:
  * Disabling BDAT support
  * Impact on existing configurations
  * Example SMTP session
  * Benefits of CHUNKING (BDAT) support without BINARYMIME
  * Downsides of CHUNKING (BDAT) support
 DDiissaabblliinngg BBDDAATT ssuuppppoorrtt
 BDAT support is enabled by default. To disable BDAT support globally:
    /etc/postfix/main.cf:
        # The logging alternative:
        smtpd_discard_ehlo_keywords = chunking
        # The non-logging alternative:
        smtpd_discard_ehlo_keywords = chunking, silent_discard
 Specify '-o smtpd_discard_ehlo_keywords=' in master.cf for the submission and
 smtps services, if you have clients that benefit from CHUNKING support.
 IImmppaacctt oonn eexxiissttiinngg ccoonnffiigguurraattiioonnss
  * There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter,
    smtpd_milters, or for postscreen settings, except for the above mentioned
    option to suppress the SMTP server's CHUNKING service announcement.
  * There are no changes in the Postfix queue file content, no changes for
    down-stream SMTP servers or after-queue content filters, and no changes in
    the envelope or message content that Milters will receive.
 EExxaammppllee SSMMTTPP sseessssiioonn
 The main differences are that the Postfix SMTP server announces "CHUNKING"
 support in the EHLO response, and that instead of sending one DATA request, the
 remote SMTP client may send one or more BDAT requests. In the example below,
 "S:" indicates server responses, and "C:" indicates client requests (bold
 font).
        S: 220 server.example.com
        C: EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
        S: 250-server.example.com
        S: 250-PIPELINING
        S: 250-SIZE 153600000
        S: 250-VRFY
        S: 250-ETRN
        S: 250-STARTTLS
        S: 250-AUTH PLAIN LOGIN
        S: 250-ENHANCEDSTATUSCODES
        S: 250-8BITMIME
        S: 250-DSN
        S: 250-SMTPUTF8
        S: 250 CHUNKING
        C: MMAAIILL FFRROOMM::<<sseennddeerr@@eexxaammppllee..ccoomm>>
        S: 250 2.1.0 Ok
        C: RRCCPPTT TTOO::<<rreecciippiieenntt@@eexxaammppllee..ccoomm>>
        S: 250 2.1.5 Ok
        C: BBDDAATT 1100000000
        C: ....ffoolllloowweedd bbyy 1100000000 bbyytteess......
        S: 250 2.0.0 Ok: 10000 bytes
        C: BBDDAATT 112233
        C: ....ffoolllloowweedd bbyy 112233 bbyytteess......
        S: 250 2.0.0 Ok: 123 bytes
        C: BBDDAATT 00 LLAASSTT
        S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
        C: QQUUIITT
        S: 221 2.0.0 Bye
 Internally in Postfix, there is no difference between mail that was received
 with BDAT or with DATA. Postfix smtpd_mumble_restrictions, policy delegation
 queries, smtpd_proxy_filter and Milters all behave as if Postfix received (MAIL
 + RCPT + DATA + end-of-data). However, Postfix will log BDAT-related failures
 as "xxx after BDAT" to avoid complicating troubleshooting (xxx = 'lost
 connection' or 'timeout'), and will log a warning when a client sends a
 malformed BDAT command.
 BBeenneeffiittss ooff CCHHUUNNKKIINNGG ((BBDDAATT)) ssuuppppoorrtt wwiitthhoouutt BBIINNAARRYYMMIIMMEE
 Support for CHUNKING (BDAT) was added to improve interoperability with some
 clients, a benefit that would reportedly exist even without Postfix support for
 BINARYMIME. Since June 2018, Wietse's mail server has received BDAT commands
 from a variety of systems.
 Postfix does not support BINARYMIME at this time because:
  * BINARYMIME support would require moderately invasive changes to Postfix, to
    support email content that is not line-oriented. With BINARYMIME, the
    Content-Length: message header specifies the length of content that may or
    may not have line boundaries. Without BINARYMIME support, email RFCs
    require that binary content is base64-encoded, and formatted as lines of
    text.
  * For delivery to non-BINARYMIME systems including UNIX mbox, the available
    options are to convert binary content into 8bit text, one of the 7bit forms
    (base64 or quoted-printable), or to return email as undeliverable. Any
    conversion would obviously break digital signatures, so conversion would
    have to happen before signing.
 DDoowwnnssiiddeess ooff CCHHUUNNKKIINNGG ((BBDDAATT)) ssuuppppoorrtt
 The RFC 3030 authors did not specify any limitations on how clients may
 pipeline commands (i.e. send commands without waiting for a server response).
 If a server announces PIPELINING support, like Postfix does, then a remote SMTP
 client can pipeline all commands following EHLO, for example, MAIL/RCPT/BDAT/
 BDAT/MAIL/RCPT/BDAT, without ever having to wait for a server response. This
 means that with BDAT, the Postfix SMTP server cannot distinguish between a
 well-behaved client and a spambot, based on their command pipelining behavior.
 If you require "reject_unauth_pipelining" to block spambots, then turn off
 Postfix's CHUNKING announcement as described above.
 In RFC 4468, the authors write that a client may pipeline commands, and that
 after sending BURL LAST or BDAT LAST, a client must wait for the server's
 response. But as this text does not appear in RFC 3030 which defines BDAT, is
 it a useless restriction that Postfix will not enforce.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -1,19 +1,19 @@
-This is the Postfix 3.4 (experimental) release.
+This is the Postfix 3.5 (experimental) release.
-The stable Postfix release is called postfix-3.3.x where 3=major
+The stable Postfix release is called postfix-3.4.x where 3=major
-release number, 3=minor release number, x=patchlevel.  The stable
+release number, 4=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
-postfix-3.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
-If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
+If you upgrade from Postfix 3.3 or earlier, read RELEASE_NOTES-3.4
 before proceeding.
 License change
@ -24,217 +24,3 @@ historical IBM Public License 1.0, it is now also distributed with the
 more recent Eclipse Public License 2.0. Recipients can choose to take
 the software under the license of their choice. Those who are more
 comfortable with the IPL can continue with that license.
 Incompatible changes with snapshot 20190126-nonprod
 ====================================================
 This introduces a new master.cf service 'postlog' with type
 'unix-dgram' that is used by the new postlogd(8) daemon. The
 'unix-dgram' service type is not supported by older Postfix versions.
 Before backing out to an older version, edit the master.cf file and
 remove the postlog entry.
 Major changes with snapshot 20190126-nonprod
 ============================================
 Support for logging to file or stdout, instead of using syslog.
 - Logging to file solves a usability problem for MacOS, and
  eliminates multiple problems with systemd-based systems.
 - Logging to stdout is useful when Postfix runs in a container, as
  it eliminates a syslogd dependency.
 See MAILLOG_README for configuration examples and logfile rotation.
 Incompatible changes with snapshot 20190106
 ===========================================
 Postfix 3.4 drops support for OpenSSL 1.0.1 (end-of-life December
 31, 2016) and earlier releases.
 Major changes with snapshot 20190106
 ====================================
 SNI support in the Postfix SMTP server, the Postfix SMTP client,
 and in the tlsproxy daemon (both server and client roles). See the
 postconf(5) documentation for the new tls_server_sni_maps and
 smtp_tls_servername parameters.
 Support for files that contain multiple (key, certificate, trust
 chain) instances. This was required to implement server-side SNI
 table lookups, but it also eliminates the need for separate cert/key
 files for RSA, DSA, Elliptic Curve, and so on. The file format is
 documented in the TLS_README sections "Server-side certificate and
 private key configuration" and "Client-side certificate and private
 key configuration", and in the postconf(5) documentation for the
 parameters smtp_tls_chain_files, smtpd_tls_chain_files,
 tlsproxy_client_chain_files, and tlsproxy_tls_chain_files.
 Note: the command "postfix tls" does not yet support the new
 consolidated certificate chain format.  If you switch to the new
 format, you'll need to manage your keys and certificates directly,
 rather than via postfix-tls(1).
 Major changes with snapshot 20180826
 ====================================
 Postfix SMTP server support for RFC 3030 CHUNKING (the BDAT command)
 without BINARYMIME, in both smtpd(8) and postscreen(8).
 To disable the SMTP server's CHUNKING support:
 /etc/postfix/main.cf:
    # The logging alternative:
    smtpd_discard_ehlo_keywords = chunking
    # The non-logging alternative:
    smtpd_discard_ehlo_keywords = chunking, silent_discard
 Be sure to specify '-o smtpd_discard_ehlo_keywords=' in master.cf
 for the submission and smtps services, in case you have clients
 that benefit from CHUNKING support.
 Impact on existing configurations:
 ----------------------------------
 - There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter,
  smtpd_milters, or for postscreen settings, except for the additional
  option to suppress the SMTP server's CHUNKING service announcement.
 - There are no changes in the Postfix queue file content, no changes
  for down-stream SMTP servers or after-queue content filters, and
  no changes in the envelope or message content that Milters will
  receive.
 Example SMTP session
 --------------------
 The main differences are that the Postfix SMTP server announces
 "CHUNKING" support in the EHLO response, and that instead of sending
 one DATA request, the remote SMTP client may send one or more BDAT
 requests. In the example below, "S:" indicates server responses,
 and "C:" indicates client requests.
    S: 220 server.example.com
    C: EHLO client.example.com
    S: 250-server.example.com
    S: 250-PIPELINING
    S: 250-SIZE 153600000
    S: 250-VRFY
    S: 250-ETRN
    S: 250-STARTTLS
    S: 250-AUTH PLAIN LOGIN
    S: 250-ENHANCEDSTATUSCODES
    S: 250-8BITMIME
    S: 250-DSN
    S: 250-SMTPUTF8
    S: 250 CHUNKING
    C: MAIL FROM:<sender@example.com>
    S: 250 2.1.0 Ok
    C: RCPT TO:<recipient@example.com>
    S: 250 2.1.5 Ok
    C: BDAT 10000
    C: ..followed by 10000 bytes...
    S: 250 2.0.0 Ok: 10000 bytes
    C: BDAT 123
    C: ..followed by 123 bytes...
    S: 250 2.0.0 Ok: 123 bytes
    C: BDAT 0 LAST
    S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
    C: QUIT
    S: 221 2.0.0 Bye
 Internally in Postfix, there is no difference between mail that was
 received with BDAT or with DATA. Postfix smtpd_mumble_restrictions,
 policy delegation queries, smtpd_proxy_filter and Milters all behave
 as if Postfix received (MAIL + RCPT + DATA + end-of-data). However,
 Postfix will log BDAT-related failures as "xxx after BDAT" to avoid
 complicating troubleshooting (xxx = 'lost connection' or 'timeout'),
 and will log a warning when a client sends a malformed BDAT command.
 Benefits of CHUNKING (BDAT) support without BINARYMIME:
 -------------------------------------------------------
 Support for CHUNKING (BDAT) was added to improve interoperability
 with some clients, a benefit that would reportedly exist even without
 Postfix support for BINARYMIME.
 Postfix does not support BINARYMIME at this time because:
 - BINARYMIME support would require moderately invasive changes to
  support email content that is not line-oriented. With BINARYMIME,
  the Content-Length: header specifies the length of arbitrary
  content that has no line boundaries. Without BINARYMIME, binary
  content is base64-encoded, and formatted as lines of text.
 - There is no conversion of BINARYMIME to a line-oriented 8BITMIME
  form that is compatible with legacy systems including UNIX mbox.
  The available options are to convert binary content into one of
  the 7bit forms (base64 or quoted-printable), or to return email
  as undeliverable. Any conversion would break digital signatures,
  so it would have to happen before signing.
 Downsides of CHUNKING (BDAT) support:
 -------------------------------------
 The RFC 3030 authors did not specify any limitations on how clients
 may pipeline commands (i.e. send commands without waiting for a
 server response). If a server announces PIPELINING support, like
 Postfix does, then a remote SMTP client can pipeline all commands
 following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT,
 without ever having to wait for a server response. This means that
 with BDAT, the Postfix SMTP server cannot distinguish between a
 well-behaved client and a spambot, based on their command pipelining
 behavior. If you require "reject_unauth_pipelining" to block spambots,
 turn off the CHUNKING support announcement as described above.
 Incompatible change with snapshot 20180701
 ==========================================
 To avoid performance loss under load, the tlsproxy(8) daemon now
 requires a zero process limit in master.cf (this setting is provided
 with the default master.cf file). As tlsproxy(8) processes become
 too busy handling TLS connections, more processes will automatically
 be added. By default, a tlsproxy(8) process will retire after several
 hours.
 To set the tlsproxy process limit to zero:
 # postconf -F tlsproxy/unix/process_limit=0
 # postfix reload
 Major changes with snapshot 20180617
 ====================================
 Preliminary Postfix SMTP client support for multiple deliveries per
 TLS-encrypted connection. This is primarily to improve mail delivery
 performance for destinations that throttle clients when they don't
 combine deliveries.
 This feature is enabled with "smtp_tls_connection_reuse=yes" in
 main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
 It supports all Postfix TLS security levels including dane and
 dane-only.
 The implementation of TLS connection reuse relies on the same
 scache(8) service as used for delivering plaintext SMTP mail, the
 same tlsproxy(8) daemon as used by the postscreen(8) service for
 inbound connections, and relies on the same hints from the qmgr(8)
 daemon. It reuses the configuration parameters described in
 CONNECTION_CACHE_README.
 The following illustrates how TLS connections are reused:
    Initial plaintext SMTP handshake:
      smtp(8) -> remote SMTP server
    Reused SMTP/TLS connection, or new SMTP/TLS connection:
      smtp(8) -> tlsproxy(8) -> remote SMTP server
    Cached SMTP/TLS connection:
      scache(8) -> tlsproxy(8) -> remote SMTP server
 There are a few refinements planned:
 - Log the TLS properties every time a connection is reused.
  Currently, the properties are logged when a TLS session is created.
--- a/postfix/RELEASE_NOTES-3.4
+++ b/postfix/RELEASE_NOTES-3.4
@ -0,0 +1,208 @@
 This is the Postfix 3.4 (stable) release.
 The stable Postfix release is called postfix-3.4.x where 3=major
 release number, 4=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
 postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
 before proceeding.
 License change
 ---------------
 This software is distributed with a dual license: in addition to the
 historical IBM Public License 1.0, it is now also distributed with the
 more recent Eclipse Public License 2.0. Recipients can choose to take
 the software under the license of their choice. Those who are more
 comfortable with the IPL can continue with that license.
 Summary of changes
 ------------------
 Incompatible changes, bdat support, containers, database support,
 logging, safety, tls connection pooling, tls support, usability,
 Incompatible changes
 --------------------
 [Incompat 20180826] The Postfix SMTP server announces CHUNKING (BDAT
 command) by default. In the unlikely case that this breaks some
 important remote SMTP client, disable the feature as follows:
 /etc/postfix/main.cf:
    # The logging alternative:
    smtpd_discard_ehlo_keywords = chunking
    # The non-logging alternative:
    smtpd_discard_ehlo_keywords = chunking, silent_discard
 See BDAT_README for more.
 [Incompat 20190126] This introduces a new master.cf service 'postlog'
 with type 'unix-dgram' that is used by the new postlogd(8) daemon.
 Before backing out to an older Postfix version, edit the master.cf
 file and remove the postlog entry.
 [Incompat 20190106] Postfix 3.4 drops support for OpenSSL 1.0.1
 (end-of-life was December 31, 2016) and all earlier releases.
 [Incompat 20180701] To avoid performance loss under load, the
 tlsproxy(8) daemon now requires a zero process limit in master.cf
 (this setting is provided with the default master.cf file). By
 default, a tlsproxy(8) process will retire after several hours.
 To set the tlsproxy process limit to zero:
 # postconf -F tlsproxy/unix/process_limit=0
 # postfix reload
 Major changes - bdat support
 --------------------
 [Feature 20180826] Postfix SMTP server support for RFC 3030 CHUNKING
 (the BDAT command) without BINARYMIME, in both smtpd(8) and
 postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions,
 and smtpd_proxy_filter. See BDAT_README for more.
 Major changes - containers
 --------------------------
 [Feature 20190126] Support for logging to file or stdout, instead
 of using syslog.
 - Logging to file solves a usability problem for MacOS, and
  eliminates multiple problems with systemd-based systems.
 - Logging to stdout is useful when Postfix runs in a container, as
  it eliminates a syslogd dependency.
 See MAILLOG_README for configuration examples and logfile rotation.
 [Feature 20180422] Better handling of undocumented(!) Linux behavior
 whether or not signals are delivered to a PID=1 process.
 Major changes - database support
 --------------------------------
 [Feature 20181105] Support for (key, list of filenames) in map
 source text.
 - Currently, this feature is used only by tls_server_sni_maps.
 - When a map is created from source with "postmap -F maptype:mapname",
  the command processes each key as usual and processes each value
  as a list of filenames, concatenates the content of those files
  (with one newline character in-between files), and stores an entry
  with (key, base64-encoded result).
 - When a map is queried with "postmap -F -q ...", the command
  base64-decodes each value. It reports an error when a value is
  not in base64 form.
  This "postmap -F -q ..." behavior also works when querying the
  memory-resident map types cidr:, inline:, pcre:, randmap:, regexp:,
  and static:. Postfix reads the files specified as table values,
  stores base64-encoded content, and base64-decodes content upon
  table lookup.
  Internally, Postfix will turn on this behavior for lookups (not
  updates) when a map is opened with the DICT_FLAG_RHS_IS_FILE flag.
 Major changes - logging
 -----------------------
 [Feature 20190126] Support for logging to file or stdout, instead
 of using syslog.
 - Logging to file solves a usability problem for MacOS, and
  eliminates multiple problems with systemd-based systems.
 - Logging to stdout is useful when Postfix runs in a container, as
  it eliminates a syslogd dependency.
 See MAILLOG_README for configuration examples and logfile rotation.
 Major changes - safety
 ----------------------
 [Feature 20180623] Automatic retirement: dnsblog(8) and tlsproxy(8) process
 will now voluntarily retire after after max_idle*max_use, or some
 sane limit if either limit is disabled. Without this, a process
 could stay busy for days or more.
 Major changes - tls connection pooling
 --------------------------------------
 [Feature 20180617] Postfix SMTP client support for multiple deliveries
 per TLS-encrypted connection. This is primarily to improve mail
 delivery performance for destinations that throttle clients when
 they don't combine deliveries.
 This feature is enabled with "smtp_tls_connection_reuse=yes" in
 main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
 It supports all Postfix TLS security levels including dane and
 dane-only.
 The implementation of TLS connection reuse relies on the same
 scache(8) service as used for delivering plaintext SMTP mail, the
 same tlsproxy(8) daemon as used by the postscreen(8) service for
 inbound connections, and relies on the same hints from the qmgr(8)
 daemon. It reuses the configuration parameters described in
 CONNECTION_CACHE_README.
 The Postfix SMTP client now logs whether an SMTP-over-TLS connection
 is newly established ("TLS connection established") or whether the
 connection is reused ("TLS connection reused").
 The following illustrates how TLS connections are reused:
    Initial plaintext SMTP handshake:
      smtp(8) -> remote SMTP server
    Reused SMTP/TLS connection, or new SMTP/TLS connection:
      smtp(8) -> tlsproxy(8) -> remote SMTP server
    Cached SMTP/TLS connection:
      scache(8) -> tlsproxy(8) -> remote SMTP server
 Major changes - tls support
 ---------------------------
 [Feature 20190106] SNI support in the Postfix SMTP server, the
 Postfix SMTP client, and in the tlsproxy(8) daemon (both server and
 client roles). See the postconf(5) documentation for the new
 tls_server_sni_maps and smtp_tls_servername parameters.
 [Feature 20190106] Support for files that contain multiple (key,
 certificate, trust chain) instances. This was required to implement
 server-side SNI table lookups, but it also eliminates the need for
 separate cert/key files for RSA, DSA, Elliptic Curve, and so on.
 The file format is documented in the TLS_README sections "Server-side
 certificate and private key configuration" and "Client-side certificate
 and private key configuration", and in the postconf(5) documentation
 for the parameters smtp_tls_chain_files, smtpd_tls_chain_files,
 tlsproxy_client_chain_files, and tlsproxy_tls_chain_files.
 Note: the command "postfix tls" does not yet support the new
 consolidated certificate chain format.  If you switch to the new
 format, you'll need to manage your keys and certificates directly,
 rather than via postfix-tls(1).
 Major changes - usability
 -------------------------
 [Feature 20180812] Support for smtpd_reject_footer_maps (as well
 as the postscreen variant postscreen_reject_footer_maps) for more
 informative reject messages. This is indexed with the Postfix SMTP
 server response text, and overrides the footer specified with
 smtpd_reject_footer.  One will want to use a pcre: or regexp: map
 with this.
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@ -1,18 +1,15 @@
 Wish list:
-	Move tls_proxy_client_scan.c _to_string() function
+	Things to do before the stable release:
 	to tls_proxy_client_misc.c.
-	In tlsproxy, include parameter names in the diffs between
+	Spell-check, double-word check, HTML validator check,
-	expected and client properties. This requires a function
+	mantools/missing-proxy-read-maps check.
-	tls_proxy_client_init_with_names_to_string().
+
 	Disable -DSNAPSHOT and -DNONPROD in makedefs.
 	make tls_pre_jail_init() safe by design for use in programs
 	that implement both clients and servers.
 	postfix rotate-log command: mv postfix.log postfix.log.$(date
 	+%Y%M%d-%H%M%S) to avoid data loss if called repeatedly.
 	In smtpd(8) and postscreen(8), set the ehlo_discard_mask
 	to ~0 so that STARTTLS, BDAT, DSN, etc. work only for clients
 	that send EHLO.
@ -23,13 +20,6 @@ Wish list:
 	In postscreen, don't fork after 'postfix reload' when
 	psc_check_queue_length (and psc_post_queue_length?) is zero.
 	Things to do before the stable release:
 	Spell-check, double-word check, HTML validator check,
 	mantools/missing-proxy-read-maps check.
 	Disable -DSNAPSHOT and -DNONPROD in makedefs.
 	After I/O error, store errno in VSTREAM object before errno
 	may be overwritten.
--- a/postfix/html/BDAT_README.html
+++ b/postfix/html/BDAT_README.html
@ -0,0 +1,178 @@
 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
 <html>
 <head>
 <title>Postfix BDAT (CHUNKING) support</title>
 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
 </head>
 <body>
 <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
 BDAT (CHUNKING) support</h1>
 <hr>
 <h2>Overview </h2>
 <p> Postfix SMTP server supports <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> CHUNKING (the BDAT command)
 without BINARYMIME, in both <a href="smtpd.8.html">smtpd(8)</a> and <a href="postscreen.8.html">postscreen(8)</a>. It is enabled
 by default. </p>
 <p> Topics covered in this document: </p>
 <ul>
 <li><a href="#disable"> Disabling BDAT support</a>
 <li><a href="#impact"> Impact on existing configurations</a>
 <li><a href="#example"> Example SMTP session</a>
 <li> <a href="#benefits">Benefits of CHUNKING (BDAT) support without BINARYMIME</a>
 <li> <a href="#downsides">Downsides of CHUNKING (BDAT) support</a>
 </ul>
 <h2> <a name="disable"> Disabling BDAT support </a> </h2>
 <p> BDAT support is enabled by default. To disable BDAT support
 globally: </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
    # The logging alternative:
    <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking
    # The non-logging alternative:
    <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking, silent_discard
 </pre>
 </blockquote>
 <p> Specify '-o <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>=' in <a href="master.5.html">master.cf</a>
 for the submission and smtps services, if you have clients
 that benefit from CHUNKING support. </p>
 <h2> <a name="impact"> Impact on existing configurations </a> </h2>
 <ul>
 <li> <p> There are no changes for smtpd_mumble_restrictions,
 <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>, <a href="postconf.5.html#smtpd_milters">smtpd_milters</a>, or for postscreen settings,
 except for the above mentioned option to suppress the SMTP server's
 CHUNKING service announcement. </p>
 <li> <p> There are no changes in the Postfix queue file content,
 no changes for down-stream SMTP servers or after-queue content
 filters, and no changes in the envelope or message content that
 Milters will receive. </p>
 </ul>
 <h2> <a name="example"> Example SMTP session</a> </h2>
 <p> The main differences are that the Postfix SMTP server announces
 "CHUNKING" support in the EHLO response, and that instead of sending
 one DATA request, the remote SMTP client may send one or more BDAT
 requests. In the example below, "S:" indicates server responses,
 and "C:" indicates client requests (bold font). </p>
 <blockquote>
 <pre>
    S: 220 server.example.com
    C: <b>EHLO client.example.com</b>
    S: 250-server.example.com
    S: 250-PIPELINING
    S: 250-SIZE 153600000
    S: 250-VRFY
    S: 250-ETRN
    S: 250-STARTTLS
    S: 250-AUTH PLAIN LOGIN
    S: 250-ENHANCEDSTATUSCODES
    S: 250-8BITMIME
    S: 250-DSN
    S: 250-SMTPUTF8
    S: 250 CHUNKING
    C: <b>MAIL FROM:&lt;sender@example.com&gt;</b>
    S: 250 2.1.0 Ok
    C: <b>RCPT TO:&lt;recipient@example.com&gt;</b>
    S: 250 2.1.5 Ok
    C: <b>BDAT 10000</b>
    C: <b>..followed by 10000 bytes...</b>
    S: 250 2.0.0 Ok: 10000 bytes
    C: <b>BDAT 123</b>
    C: <b>..followed by 123 bytes...</b>
    S: 250 2.0.0 Ok: 123 bytes
    C: <b>BDAT 0 LAST</b>
    S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
    C: <b>QUIT</b>
    S: 221 2.0.0 Bye
 </pre>
 </blockquote>
 <p> Internally in Postfix, there is no difference between mail that
 was received with BDAT or with DATA. Postfix smtpd_mumble_restrictions,
 policy delegation queries, <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> and Milters all behave
 as if Postfix received (MAIL + RCPT + DATA + end-of-data). However,
 Postfix will log BDAT-related failures as "xxx after BDAT" to avoid
 complicating troubleshooting (xxx = 'lost connection' or 'timeout'),
 and will log a warning when a client sends a malformed BDAT command.
 </p>
 <h2> <a name="benefits">Benefits of CHUNKING (BDAT) support without
 BINARYMIME</a> </h2>
 <p> Support for CHUNKING (BDAT) was added to improve interoperability
 with some clients, a benefit that would reportedly exist even without
 Postfix support for BINARYMIME. Since June 2018, Wietse's mail
 server has received BDAT commands from a variety of systems. </p>
 <p> Postfix does not support BINARYMIME at this time because: </p>
 <ul>
 <li> <p> BINARYMIME support would require moderately invasive
 changes to Postfix, to support email content that is not line-oriented.
 With BINARYMIME, the Content-Length: message header specifies the
 length of content that may or may not have line boundaries. Without
 BINARYMIME support, email RFCs require that binary content is
 base64-encoded, and formatted as lines of text. </p>
 <li> <p> For delivery to non-BINARYMIME systems including UNIX mbox,
 the available options are to convert binary content into 8bit text,
 one of the 7bit forms (base64 or quoted-printable), or to return
 email as undeliverable. Any conversion would obviously break digital
 signatures, so conversion would have to happen before signing. </p>
 </ul>
 <h2> <a name="downsides">Downsides of CHUNKING (BDAT) support</a>
 </h2>
 <p> The <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> authors did not specify any limitations on how
 clients may pipeline commands (i.e. send commands without waiting
 for a server response). If a server announces PIPELINING support,
 like Postfix does, then a remote SMTP client can pipeline all
 commands following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT,
 without ever having to wait for a server response. This means that
 with BDAT, the Postfix SMTP server cannot distinguish between a
 well-behaved client and a spambot, based on their command pipelining
 behavior. If you require "<a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>" to block spambots,
 then turn off Postfix's CHUNKING announcement as described above.
 </p>
 <p> In <a href="http://tools.ietf.org/html/rfc4468">RFC 4468</a>, the authors write that a client may pipeline
 commands, and that after sending BURL LAST or BDAT LAST, a client
 must wait for the server's response. But as this text does not
 appear in <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> which defines BDAT, is it a useless restriction
 that Postfix will not enforce. </p>
 </body>
 </html>
--- a/postfix/html/index.html
+++ b/postfix/html/index.html
@ -199,6 +199,8 @@ Recipients </a>
 <li> <a href="DSN_README.html"> Postfix DSN support </a>
 <li> <a href="BDAT_README.html"> Postfix BDAT (CHUNKING) support </a>
 <li> <a href="PACKAGE_README.html"> Guidelines for Package Builders
 </a>
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@ -547,6 +547,15 @@ SMTP(8)                                                                SMTP(8)
       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
              List or bit-mask of OpenSSL bug work-arounds to disable.
       Available in Postfix version 2.11-3.1:
       <b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
              Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
       <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
              Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
              digests of trust-anchors with certificate usage "2".
       Available in Postfix version 2.11 and later:
       <b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>
--- a/postfix/html/postlogd.8.html
+++ b/postfix/html/postlogd.8.html
@ -31,7 +31,7 @@ POSTLOGD(8)                                                        POSTLOGD(8)
       <b><a href="postconf.5.html#maillog_file">log_file</a></b> (also, logging to stdout would interfere with the operation of
       some of these programs). These programs can log to <a href="postlogd.8.html"><b>postlogd</b>(8)</a> if  they
       are run by the super-user, or if their executable file has set-gid per-
-       mission. Do not set this permision on programs other  than  <a href="postdrop.1.html"><b>postdrop</b>(1)</a>
+       mission. Do not set this permission on programs other than  <a href="postdrop.1.html"><b>postdrop</b>(1)</a>
       and <a href="postqueue.1.html"><b>postqueue</b>(1)</a>.
 <b>CONFIGURATION PARAMETERS</b>
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@ -547,6 +547,15 @@ SMTP(8)                                                                SMTP(8)
       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
              List or bit-mask of OpenSSL bug work-arounds to disable.
       Available in Postfix version 2.11-3.1:
       <b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
              Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
       <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
              Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
              digests of trust-anchors with certificate usage "2".
       Available in Postfix version 2.11 and later:
       <b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@ -1322,7 +1322,8 @@ SMTPD(8)                                                              SMTPD(8)
 <b>README FILES</b>
       <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a>, blocking unknown hosted or relay recipients
-       <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> Postfix address manipulation
+       <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a>, Postfix address manipulation
       <a href="BDAT_README.html">BDAT_README</a>, Postfix CHUNKING support
       <a href="FILTER_README.html">FILTER_README</a>, external after-queue content filter
       <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>, blocking unknown local recipients
       <a href="MILTER_README.html">MILTER_README</a>, before-queue mail filter applications
--- a/postfix/html/tlsproxy.8.html
+++ b/postfix/html/tlsproxy.8.html
@ -55,7 +55,103 @@ TLSPROXY(8)                                                        TLSPROXY(8)
       The text below provides only a parameter summary. See  <a href="postconf.5.html"><b>postconf</b>(5)</a>  for
       more details including examples.
-<b>STARTTLS SUPPORT CONTROLS</b>
+<b>STARTTLS GLOBAL CONTROLS</b>
       The  following settings are global and therefore cannot be overruled by
       information specified in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request.
       <b><a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> (no)</b>
              Append the system-supplied default Certification Authority  cer-
              tificates   to   the   ones   specified   with  *_tls_CApath  or
              *_tls_CAfile.
       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
              The number of pseudo-random bytes that an  <a href="smtp.8.html"><b>smtp</b>(8)</a>  or  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
              process  requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
              internal pseudo random number generator (PRNG).
       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (see 'postconf -d' output)</b>
              The OpenSSL cipherlist for "high" grade ciphers.
       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
              The OpenSSL cipherlist for "medium" or higher grade ciphers.
       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
              The OpenSSL cipherlist for "low" or higher grade ciphers.
       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
              The OpenSSL cipherlist for "export" or higher grade ciphers.
       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
              The OpenSSL cipherlist for "NULL"  grade  ciphers  that  provide
              authentication without encryption.
       <b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b>
              The  elliptic curve used by the Postfix SMTP server for sensibly
              strong ephemeral ECDH key exchange.
       <b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b>
              The elliptic curve used by the Postfix SMTP server for maximally
              strong ephemeral ECDH key exchange.
       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
              List or bit-mask of OpenSSL bug work-arounds to disable.
       <b><a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> (no)</b>
              With SSLv3 and later, use the Postfix SMTP server's cipher pref-
              erence order instead of the remote  client's  cipher  preference
              order.
       Available in Postfix version 2.9 and later:
       <b><a href="postconf.5.html#tls_legacy_public_key_fingerprint">tls_legacy_public_key_fingerprints</a> (no)</b>
              A  temporary  migration  aid for sites that use certificate <i>pub-</i>
              <i>lic-key</i> fingerprints with Postfix  2.9.0..2.9.5,  which  use  an
              incorrect algorithm.
       Available in Postfix version 2.11-3.1:
       <b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
              Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
       <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
              Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
              digests of trust-anchors with certificate usage "2".
       Available in Postfix version 2.11 and later:
       <b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
              The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
       Available in Postfix version 3.0 and later:
       <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix</b> &gt;<b>= 3.0: aes-256-cbc, Postfix</b> &lt;  <b>3.0:</b>
       <b>aes-128-cbc)</b>
              Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
       <b><a href="postconf.5.html#openssl_path">openssl_path</a> (openssl)</b>
              The location of the OpenSSL command line program <b>openssl</b>(1).
       Available in Postfix version 3.2 and later:
       <b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
              The prioritized list of elliptic curves supported by the Postfix
              SMTP client and server.
       Available in Postfix version 3.4 and later:
       <b><a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> (empty)</b>
              Optional  lookup tables that map names received from remote SMTP
              clients via the TLS Server Name Indication  (SNI)  extension  to
              the appropriate keys and certificate chains.
 <b>STARTTLS SERVER CONTROLS</b>
       These  settings are clones of Postfix SMTP server settings.  They allow
       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
       the  Postfix  SMTP  server, before dropping privileges, so that the key
       files can be kept read-only for root. These settings can currently  not
       be  overruled  by information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request, but that
       limitation may be removed in a future version.
       <b><a href="postconf.5.html#tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a> ($<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b>
              A file containing (PEM  format)  CA  certificates  of  root  CAs
              trusted to sign either remote SMTP client certificates or inter-
@ -155,27 +251,16 @@ TLSPROXY(8)                                                        TLSPROXY(8)
              when a non-empty value is specified, this overrides the obsolete
              parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
       Available in Postfix version 2.11 and later:
       <b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
              The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
       Available in Postfix version 3.4 and later:
       <b><a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a> ($<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>)</b>
              Files  with  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server keys and certificate
              chains in PEM format.
-       <b><a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> (empty)</b>
+<b>STARTTLS CLIENT CONTROLS</b>
-              Optional  lookup tables that map names received from remote SMTP
+       These settings are clones of Postfix SMTP client settings.  They  allow
              clients via the TLS Server Name Indication  (SNI)  extension  to
              the appropriate keys and certificate chains.
 <b>TLS CLIENT CONTROLS</b>
       These  parameters  are  clones  of  SMTP  client  settings.  They allow
       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
-       the  SMTP client, before dropping privileges, so that the key files can
+       the Postfix SMTP client, before dropping privileges, so  that  the  key
-       be kept read-only for root.
+       files can be kept read-only for root. Some settings may be overruled by
       information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request.
       Available in Postfix version 3.4 and later:
--- a/postfix/man/man8/postlogd.8
+++ b/postfix/man/man8/postlogd.8
@ -34,7 +34,7 @@ Other non\-daemon Postfix programs will never write directly to
 with the operation of some of these programs). These programs
 can log to \fBpostlogd\fR(8) if they are run by the super\-user,
 or if their executable file has set\-gid permission. Do not
-set this permision on programs other than \fBpostdrop\fR(1)
+set this permission on programs other than \fBpostdrop\fR(1)
 and \fBpostqueue\fR(1).
 .SH "CONFIGURATION PARAMETERS"
 .na
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@ -489,6 +489,13 @@ Available in Postfix version 2.8 and later:
 .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
 List or bit\-mask of OpenSSL bug work\-arounds to disable.
 .PP
 Available in Postfix version 2.11\-3.1:
 .IP "\fBtls_dane_digest_agility (on)\fR"
 Configure RFC7671 DANE TLSA digest algorithm agility.
 .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
 Enable support for RFC 6698 (DANE TLSA) DNS records that contain
 digests of trust\-anchors with certificate usage "2".
 .PP
 Available in Postfix version 2.11 and later:
 .IP "\fBsmtp_tls_trust_anchor_file (empty)\fR"
 Zero or more PEM\-format files with trust\-anchor certificates
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@ -1157,7 +1157,8 @@ Use "\fBpostconf readme_directory\fR" or
 .na
 .nf
 ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
-ADDRESS_REWRITING_README Postfix address manipulation
+ADDRESS_REWRITING_README, Postfix address manipulation
 BDAT_README, Postfix CHUNKING support
 FILTER_README, external after\-queue content filter
 LOCAL_RECIPIENT_README, blocking unknown local recipients
 MILTER_README, before\-queue mail filter applications
--- a/postfix/man/man8/tlsproxy.8
+++ b/postfix/man/man8/tlsproxy.8
@ -71,11 +71,93 @@ reload\fR" to speed up a change.
 The text below provides only a parameter summary. See
 \fBpostconf\fR(5) for more details including examples.
-.SH "STARTTLS SUPPORT CONTROLS"
+.SH "STARTTLS GLOBAL CONTROLS"
 .na
 .nf
 .ad
 .fi
 The following settings are global and therefore cannot be
 overruled by information specified in a \fBtlsproxy\fR(8)
 client request.
 .IP "\fBtls_append_default_CA (no)\fR"
 Append the system\-supplied default Certification Authority
 certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
 .IP "\fBtls_daemon_random_bytes (32)\fR"
 The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 process requests from the \fBtlsmgr\fR(8) server in order to seed its
 internal pseudo random number generator (PRNG).
 .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
 The OpenSSL cipherlist for "high" grade ciphers.
 .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
 The OpenSSL cipherlist for "medium" or higher grade ciphers.
 .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
 The OpenSSL cipherlist for "low" or higher grade ciphers.
 .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
 The OpenSSL cipherlist for "export" or higher grade ciphers.
 .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
 The OpenSSL cipherlist for "NULL" grade ciphers that provide
 authentication without encryption.
 .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
 The elliptic curve used by the Postfix SMTP server for sensibly
 strong
 ephemeral ECDH key exchange.
 .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
 The elliptic curve used by the Postfix SMTP server for maximally
 strong
 ephemeral ECDH key exchange.
 .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
 List or bit\-mask of OpenSSL bug work\-arounds to disable.
 .IP "\fBtls_preempt_cipherlist (no)\fR"
 With SSLv3 and later, use the Postfix SMTP server's cipher
 preference order instead of the remote client's cipher preference
 order.
 .PP
 Available in Postfix version 2.9 and later:
 .IP "\fBtls_legacy_public_key_fingerprints (no)\fR"
 A temporary migration aid for sites that use certificate
 \fIpublic\-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use
 an incorrect algorithm.
 .PP
 Available in Postfix version 2.11\-3.1:
 .IP "\fBtls_dane_digest_agility (on)\fR"
 Configure RFC7671 DANE TLSA digest algorithm agility.
 .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
 Enable support for RFC 6698 (DANE TLSA) DNS records that contain
 digests of trust\-anchors with certificate usage "2".
 .PP
 Available in Postfix version 2.11 and later:
 .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
 The name of the \fBtlsmgr\fR(8) service entry in master.cf.
 .PP
 Available in Postfix version 3.0 and later:
 .IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes\-256\-cbc, Postfix < 3.0: aes\-128\-cbc)\fR"
 Algorithm used to encrypt RFC5077 TLS session tickets.
 .IP "\fBopenssl_path (openssl)\fR"
 The location of the OpenSSL command line program \fBopenssl\fR(1).
 .PP
 Available in Postfix version 3.2 and later:
 .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
 The prioritized list of elliptic curves supported by the Postfix
 SMTP client and server.
 .PP
 Available in Postfix version 3.4 and later:
 .IP "\fBtls_server_sni_maps (empty)\fR"
 Optional lookup tables that map names received from remote SMTP
 clients via the TLS Server Name Indication (SNI) extension to the
 appropriate keys and certificate chains.
 .SH "STARTTLS SERVER CONTROLS"
 .na
 .nf
 .ad
 .fi
 These settings are clones of Postfix SMTP server settings.
 They allow \fBtlsproxy\fR(8) to load the same certificate
 and private key information as the Postfix SMTP server,
 before dropping privileges, so that the key files can be
 kept read\-only for root. These settings can currently not
 be overruled by information in a \fBtlsproxy\fR(8) client
 request, but that limitation may be removed in a future
 version.
 .IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR"
 A file containing (PEM format) CA certificates of root CAs
 trusted to sign either remote SMTP client certificates or intermediate
@ -150,29 +232,20 @@ client certificate in order to allow TLS connections to proceed.
 The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server;
 when a non\-empty value is specified, this overrides the obsolete
 parameters smtpd_use_tls and smtpd_enforce_tls.
 .PP
 Available in Postfix version 2.11 and later:
 .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
 The name of the \fBtlsmgr\fR(8) service entry in master.cf.
 .PP
 Available in Postfix version 3.4 and later:
 .IP "\fBtlsproxy_tls_chain_files ($smtpd_tls_chain_files)\fR"
 Files with the Postfix \fBtlsproxy\fR(8) server keys and certificate
 chains in PEM format.
-.IP "\fBtls_server_sni_maps (empty)\fR"
+.SH "STARTTLS CLIENT CONTROLS"
 Optional lookup tables that map names received from remote SMTP
 clients via the TLS Server Name Indication (SNI) extension to the
 appropriate keys and certificate chains.
 .SH "TLS CLIENT CONTROLS"
 .na
 .nf
 .ad
 .fi
-These parameters are clones of SMTP client settings. They
+These settings are clones of Postfix SMTP client settings.
-allow \fBtlsproxy\fR(8) to load the same certificate and
+They allow \fBtlsproxy\fR(8) to load the same certificate
-private key information as the SMTP client, before dropping
+and private key information as the Postfix SMTP client,
-privileges, so that the key files can be kept read\-only for
+before dropping privileges, so that the key files can be
-root.
+kept read\-only for root. Some settings may be overruled by
 information in a \fBtlsproxy\fR(8) client request.
 .PP
 Available in Postfix version 3.4 and later:
 .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -763,6 +763,8 @@ while (<>) {
    s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
    s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
    s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
    s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
    s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
    s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
    s;\breset_owner_alias\b;<a href="postconf.5.html#reset_owner_alias">$&</a>;g;
--- a/postfix/proto/BDAT_README.html
+++ b/postfix/proto/BDAT_README.html
@ -0,0 +1,178 @@
 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
 <html>
 <head>
 <title>Postfix BDAT (CHUNKING) support</title>
 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
 </head>
 <body>
 <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
 BDAT (CHUNKING) support</h1>
 <hr>
 <h2>Overview </h2>
 <p> Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command)
 without BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled
 by default. </p>
 <p> Topics covered in this document: </p>
 <ul>
 <li><a href="#disable"> Disabling BDAT support</a>
 <li><a href="#impact"> Impact on existing configurations</a>
 <li><a href="#example"> Example SMTP session</a>
 <li> <a href="#benefits">Benefits of CHUNKING (BDAT) support without BINARYMIME</a>
 <li> <a href="#downsides">Downsides of CHUNKING (BDAT) support</a>
 </ul>
 <h2> <a name="disable"> Disabling BDAT support </a> </h2>
 <p> BDAT support is enabled by default. To disable BDAT support
 globally: </p>
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
    # The logging alternative:
    smtpd_discard_ehlo_keywords = chunking
    # The non-logging alternative:
    smtpd_discard_ehlo_keywords = chunking, silent_discard
 </pre>
 </blockquote>
 <p> Specify '-o smtpd_discard_ehlo_keywords=' in master.cf
 for the submission and smtps services, if you have clients
 that benefit from CHUNKING support. </p>
 <h2> <a name="impact"> Impact on existing configurations </a> </h2>
 <ul>
 <li> <p> There are no changes for smtpd_mumble_restrictions,
 smtpd_proxy_filter, smtpd_milters, or for postscreen settings,
 except for the above mentioned option to suppress the SMTP server's
 CHUNKING service announcement. </p>
 <li> <p> There are no changes in the Postfix queue file content,
 no changes for down-stream SMTP servers or after-queue content
 filters, and no changes in the envelope or message content that
 Milters will receive. </p>
 </ul>
 <h2> <a name="example"> Example SMTP session</a> </h2>
 <p> The main differences are that the Postfix SMTP server announces
 "CHUNKING" support in the EHLO response, and that instead of sending
 one DATA request, the remote SMTP client may send one or more BDAT
 requests. In the example below, "S:" indicates server responses,
 and "C:" indicates client requests (bold font). </p>
 <blockquote>
 <pre>
    S: 220 server.example.com
    C: <b>EHLO client.example.com</b>
    S: 250-server.example.com
    S: 250-PIPELINING
    S: 250-SIZE 153600000
    S: 250-VRFY
    S: 250-ETRN
    S: 250-STARTTLS
    S: 250-AUTH PLAIN LOGIN
    S: 250-ENHANCEDSTATUSCODES
    S: 250-8BITMIME
    S: 250-DSN
    S: 250-SMTPUTF8
    S: 250 CHUNKING
    C: <b>MAIL FROM:&lt;sender@example.com&gt;</b>
    S: 250 2.1.0 Ok
    C: <b>RCPT TO:&lt;recipient@example.com&gt;</b>
    S: 250 2.1.5 Ok
    C: <b>BDAT 10000</b>
    C: <b>..followed by 10000 bytes...</b>
    S: 250 2.0.0 Ok: 10000 bytes
    C: <b>BDAT 123</b>
    C: <b>..followed by 123 bytes...</b>
    S: 250 2.0.0 Ok: 123 bytes
    C: <b>BDAT 0 LAST</b>
    S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
    C: <b>QUIT</b>
    S: 221 2.0.0 Bye
 </pre>
 </blockquote>
 <p> Internally in Postfix, there is no difference between mail that
 was received with BDAT or with DATA. Postfix smtpd_mumble_restrictions,
 policy delegation queries, smtpd_proxy_filter and Milters all behave
 as if Postfix received (MAIL + RCPT + DATA + end-of-data). However,
 Postfix will log BDAT-related failures as "xxx after BDAT" to avoid
 complicating troubleshooting (xxx = 'lost connection' or 'timeout'),
 and will log a warning when a client sends a malformed BDAT command.
 </p>
 <h2> <a name="benefits">Benefits of CHUNKING (BDAT) support without
 BINARYMIME</a> </h2>
 <p> Support for CHUNKING (BDAT) was added to improve interoperability
 with some clients, a benefit that would reportedly exist even without
 Postfix support for BINARYMIME. Since June 2018, Wietse's mail
 server has received BDAT commands from a variety of systems. </p>
 <p> Postfix does not support BINARYMIME at this time because: </p>
 <ul>
 <li> <p> BINARYMIME support would require moderately invasive
 changes to Postfix, to support email content that is not line-oriented.
 With BINARYMIME, the Content-Length: message header specifies the
 length of content that may or may not have line boundaries. Without
 BINARYMIME support, email RFCs require that binary content is
 base64-encoded, and formatted as lines of text. </p>
 <li> <p> For delivery to non-BINARYMIME systems including UNIX mbox,
 the available options are to convert binary content into 8bit text,
 one of the 7bit forms (base64 or quoted-printable), or to return
 email as undeliverable. Any conversion would obviously break digital
 signatures, so conversion would have to happen before signing. </p>
 </ul>
 <h2> <a name="downsides">Downsides of CHUNKING (BDAT) support</a>
 </h2>
 <p> The RFC 3030 authors did not specify any limitations on how
 clients may pipeline commands (i.e. send commands without waiting
 for a server response). If a server announces PIPELINING support,
 like Postfix does, then a remote SMTP client can pipeline all
 commands following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT,
 without ever having to wait for a server response. This means that
 with BDAT, the Postfix SMTP server cannot distinguish between a
 well-behaved client and a spambot, based on their command pipelining
 behavior. If you require "reject_unauth_pipelining" to block spambots,
 then turn off Postfix's CHUNKING announcement as described above.
 </p>
 <p> In RFC 4468, the authors write that a client may pipeline
 commands, and that after sending BURL LAST or BDAT LAST, a client
 must wait for the server's response. But as this text does not
 appear in RFC 3030 which defines BDAT, is it a useless restriction
 that Postfix will not enforce. </p>
 </body>
 </html>
--- a/postfix/proto/Makefile.in
+++ b/postfix/proto/Makefile.in
@ -11,6 +11,7 @@ HTML	= ../html/ADDRESS_CLASS_README.html \
 	../html/ADDRESS_VERIFICATION_README.html \
 	../html/BACKSCATTER_README.html \
 	../html/BASIC_CONFIGURATION_README.html \
 	../html/BDAT_README.html \
 	../html/BUILTIN_FILTER_README.html \
 	../html/CDB_README.html \
 	../html/COMPATIBILITY_README.html \
@ -57,6 +58,7 @@ README	= ../README_FILES/ADDRESS_CLASS_README \
 	../README_FILES/ADDRESS_VERIFICATION_README \
 	../README_FILES/BACKSCATTER_README \
 	../README_FILES/BASIC_CONFIGURATION_README \
 	../README_FILES/BDAT_README \
 	../README_FILES/BUILTIN_FILTER_README \
 	../README_FILES/CDB_README \
 	../README_FILES/COMPATIBILITY_README \
@ -179,6 +181,9 @@ clobber:
 ../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html
 	$(DETAB) $? | $(POSTLINK) >$@
 ../html/BDAT_README.html: BDAT_README.html
 	$(DETAB) $? | $(POSTLINK) >$@
 ../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html
 	$(DETAB) $? | $(POSTLINK) >$@
@ -338,6 +343,9 @@ clobber:
 ../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html
 	$(DETAB) $? | $(HT2READ) >$@
 ../README_FILES/BDAT_README: BDAT_README.html
 	$(DETAB) $? | $(HT2READ) >$@
 ../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html
 	$(DETAB) $? | $(HT2READ) >$@
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20190209"
+#define MAIL_RELEASE_DATE	"20190210"
-#define MAIL_VERSION_NUMBER	"3.4"
+#define MAIL_VERSION_NUMBER	"3.5"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- a/postfix/src/master/master_conf.c
+++ b/postfix/src/master/master_conf.c
@ -30,6 +30,11 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
 /*
 /*	Wietse Venema
 /*	Google, Inc.
 /*	111 8th Avenue
 /*	New York, NY 10011, USA
 /*--*/
 /* System libraries. */
--- a/postfix/src/postlogd/postlogd.c
+++ b/postfix/src/postlogd/postlogd.c
@ -26,7 +26,7 @@
 /*	with the operation of some of these programs). These programs
 /*	can log to \fBpostlogd\fR(8) if they are run by the super-user,
 /*	or if their executable file has set-gid permission. Do not
-/*	set this permision on programs other than \fBpostdrop\fR(1)
+/*	set this permission on programs other than \fBpostdrop\fR(1)
 /*	and \fBpostqueue\fR(1).
 /* CONFIGURATION PARAMETERS
 /* .ad
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@ -459,6 +459,13 @@
 /* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
 /*	List or bit-mask of OpenSSL bug work-arounds to disable.
 /* .PP
 /*	Available in Postfix version 2.11-3.1:
 /* .IP "\fBtls_dane_digest_agility (on)\fR"
 /*	Configure RFC7671 DANE TLSA digest algorithm agility.
 /* .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
 /*	Enable support for RFC 6698 (DANE TLSA) DNS records that contain
 /*	digests of trust-anchors with certificate usage "2".
 /* .PP
 /*	Available in Postfix version 2.11 and later:
 /* .IP "\fBsmtp_tls_trust_anchor_file (empty)\fR"
 /*	Zero or more PEM-format files with trust-anchor certificates
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@ -1095,7 +1095,8 @@
 /* .na
 /* .nf
 /*	ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
-/*	ADDRESS_REWRITING_README Postfix address manipulation
+/*	ADDRESS_REWRITING_README, Postfix address manipulation
 /*	BDAT_README, Postfix CHUNKING support
 /*	FILTER_README, external after-queue content filter
 /*	LOCAL_RECIPIENT_README, blocking unknown local recipients
 /*	MILTER_README, before-queue mail filter applications
--- a/postfix/src/tls/tls_proxy.h
+++ b/postfix/src/tls/tls_proxy.h
@ -123,6 +123,7 @@ extern int tls_proxy_client_init_print(ATTR_PRINT_MASTER_FN, VSTREAM *, int, voi
 extern int tls_proxy_client_init_scan(ATTR_SCAN_MASTER_FN, VSTREAM *, int, void *);
 extern void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *);
 extern char *tls_proxy_client_init_to_string(VSTRING *, TLS_CLIENT_INIT_PROPS *);
 extern char *tls_proxy_client_init_with_names_to_string(VSTRING *, TLS_CLIENT_INIT_PROPS *);
 extern int tls_proxy_client_start_print(ATTR_PRINT_MASTER_FN, VSTREAM *, int, void *);
 extern int tls_proxy_client_start_scan(ATTR_SCAN_MASTER_FN, VSTREAM *, int, void *);
--- a/postfix/src/tls/tls_proxy_client_misc.c
+++ b/postfix/src/tls/tls_proxy_client_misc.c
@ -16,6 +16,10 @@
 /*	char	*tls_proxy_client_param_with_names_to_string(buf, params)
 /*	VSTRING *buf;
 /*	TLS_CLIENT_PARAMS *params;
 /*
 /*	char	*tls_proxy_client_init_to_string(buf, init_props)
 /*	VSTRING *buf;
 /*	TLS_CLIENT_INIT_PROPS *init_props;
 /* DESCRIPTION
 /*	tls_proxy_client_param_from_config() initializes a TLS_CLIENT_PARAMS
 /*	structure from configuration parameters and returns its
@ -25,10 +29,19 @@
 /*	tls_proxy_client_param_to_string() produces a lookup key
 /*	that is unique for the TLS_CLIENT_PARAMS member values.
 /*
-/*	tls_proxy_client_param_with_names_to_string() TODO produces a
+/*	tls_proxy_client_param_with_names_to_string() produces a
-/*	string with "name = value\n" for each TLS_CLIENT_PARAMS member.
+/*	string with "name = value\n" for each TLS_CLIENT_PARAMS
-/*	This may be useful for reporting differences between
+/*	member. This may be useful for reporting differences between
 /*	TLS_CLIENT_PARAMS instances.
 /*
 /*	tls_proxy_client_init_to_string() produces a lookup key
 /*	that is unique for the properties received by
 /*	tls_proxy_client_init_scan().
 /*
 /*	tls_proxy_client_init_with_names_to_string() produces a
 /*	string with "name = value\n" for each TLS_CLIENT_INIT_PROPS
 /*	member. This may be useful for reporting differences between
 /*	TLS_CLIENT_INIT_PROPS instances.
 /* LICENSE
 /* .ad
 /* .fi
@ -141,4 +154,45 @@ char   *tls_proxy_client_param_with_names_to_string(VSTRING *buf, TLS_CLIENT_PAR
    return (vstring_str(buf));
 }
 /* tls_proxy_client_init_to_string - serialize to string */
 char   *tls_proxy_client_init_to_string(VSTRING *buf,
 					        TLS_CLIENT_INIT_PROPS *props)
 {
    vstring_sprintf(buf, "%s\n%s\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n"
 		    "%s\n%s\n%s\n%s\n%s\n", props->log_param,
 		    props->log_level, props->verifydepth,
 		    props->cache_type, props->chain_files,
 		    props->cert_file, props->key_file,
 		    props->dcert_file, props->dkey_file,
 		    props->eccert_file, props->eckey_file,
 		    props->CAfile, props->CApath, props->mdalg);
    return (vstring_str(buf));
 }
 /* tls_proxy_client_init_with_names_to_string - serialize to string */
 char   *tls_proxy_client_init_with_names_to_string(VSTRING *buf,
 					        TLS_CLIENT_INIT_PROPS *props)
 {
    vstring_sprintf(buf, "%s = %s\n%s = %s\n%s = %d\n%s = %s\n%s = %s\n"
 		    "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
 		    "%s = %s\n%s = %s\n%s = %s\n%s = %s\n",
 		    TLS_ATTR_LOG_PARAM, props->log_param,
 		    TLS_ATTR_LOG_LEVEL, props->log_level,
 		    TLS_ATTR_VERIFYDEPTH, props->verifydepth,
 		    TLS_ATTR_CACHE_TYPE, props->cache_type,
 		    TLS_ATTR_CHAIN_FILES, props->chain_files,
 		    TLS_ATTR_CERT_FILE, props->cert_file,
 		    TLS_ATTR_KEY_FILE, props->key_file,
 		    TLS_ATTR_DCERT_FILE, props->dcert_file,
 		    TLS_ATTR_DKEY_FILE, props->dkey_file,
 		    TLS_ATTR_ECCERT_FILE, props->eccert_file,
 		    TLS_ATTR_ECKEY_FILE, props->eckey_file,
 		    TLS_ATTR_CAFILE, props->CAfile,
 		    TLS_ATTR_CAPATH, props->CApath,
 		    TLS_ATTR_MDALG, props->mdalg);
    return (vstring_str(buf));
 }
 #endif
--- a/postfix/src/tls/tls_proxy_client_scan.c
+++ b/postfix/src/tls/tls_proxy_client_scan.c
@ -21,10 +21,6 @@
 /*	int	flags;
 /*	void	*ptr;
 /*
 /*	char	*tls_proxy_client_init_to_string(buf, init_props)
 /*	VSTRING *buf;
 /*	TLS_CLIENT_INIT_PROPS *init_props;
 /*
 /*	void	tls_proxy_client_init_free(init_props)
 /*	TLS_CLIENT_INIT_PROPS *init_props;
 /*
@ -57,10 +53,6 @@
 /*	scan routine. tls_proxy_client_init_scan() is meant to be passed
 /*	as a call-back function to attr_scan(), as shown below.
 /*
 /*	tls_proxy_client_init_to_string() produces a lookup key
 /*	that is unique for the properties received by
 /*	tls_proxy_client_init_scan().
 /*
 /*	tls_proxy_client_init_free() destroys a TLS_CLIENT_INIT_PROPS
 /*	structure that was created by tls_proxy_client_init_scan().
 /*
@ -324,22 +316,6 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp,
    return (ret);
 }
 /* tls_proxy_client_init_to_string - serialize to string */
 char   *tls_proxy_client_init_to_string(VSTRING *buf,
 					        TLS_CLIENT_INIT_PROPS *props)
 {
    vstring_sprintf(buf, "%s\n%s\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n"
 		    "%s\n%s\n%s\n%s\n%s\n", props->log_param,
 		    props->log_level, props->verifydepth,
 		    props->cache_type, props->chain_files,
 		    props->cert_file, props->key_file,
 		    props->dcert_file, props->dkey_file,
 		    props->eccert_file, props->eckey_file,
 		    props->CAfile, props->CApath, props->mdalg);
    return (vstring_str(buf));
 }
 /* tls_proxy_client_certs_free - destroy TLS_PKEYS from stream */
 static void tls_proxy_client_certs_free(TLS_CERTS *tp)
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@ -57,9 +57,89 @@
 /*
 /*	The text below provides only a parameter summary. See
 /*	\fBpostconf\fR(5) for more details including examples.
-/* STARTTLS SUPPORT CONTROLS
+/* STARTTLS GLOBAL CONTROLS
 /* .ad
 /* .fi
 /*	The following settings are global and therefore cannot be
 /*	overruled by information specified in a \fBtlsproxy\fR(8)
 /*	client request.
 /* .IP "\fBtls_append_default_CA (no)\fR"
 /*	Append the system-supplied default Certification Authority
 /*	certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
 /* .IP "\fBtls_daemon_random_bytes (32)\fR"
 /*	The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 /*	process requests from the \fBtlsmgr\fR(8) server in order to seed its
 /*	internal pseudo random number generator (PRNG).
 /* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
 /*	The OpenSSL cipherlist for "high" grade ciphers.
 /* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
 /*	The OpenSSL cipherlist for "medium" or higher grade ciphers.
 /* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
 /*	The OpenSSL cipherlist for "low" or higher grade ciphers.
 /* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
 /*	The OpenSSL cipherlist for "export" or higher grade ciphers.
 /* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
 /*	The OpenSSL cipherlist for "NULL" grade ciphers that provide
 /*	authentication without encryption.
 /* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
 /*	The elliptic curve used by the Postfix SMTP server for sensibly
 /*	strong
 /*	ephemeral ECDH key exchange.
 /* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
 /*	The elliptic curve used by the Postfix SMTP server for maximally
 /*	strong
 /*	ephemeral ECDH key exchange.
 /* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
 /*	List or bit-mask of OpenSSL bug work-arounds to disable.
 /* .IP "\fBtls_preempt_cipherlist (no)\fR"
 /*	With SSLv3 and later, use the Postfix SMTP server's cipher
 /*	preference order instead of the remote client's cipher preference
 /*	order.
 /* .PP
 /*	Available in Postfix version 2.9 and later:
 /* .IP "\fBtls_legacy_public_key_fingerprints (no)\fR"
 /*	A temporary migration aid for sites that use certificate
 /*	\fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use
 /*	an incorrect algorithm.
 /* .PP
 /*	Available in Postfix version 2.11-3.1:
 /* .IP "\fBtls_dane_digest_agility (on)\fR"
 /*	Configure RFC7671 DANE TLSA digest algorithm agility.
 /* .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
 /*	Enable support for RFC 6698 (DANE TLSA) DNS records that contain
 /*	digests of trust-anchors with certificate usage "2".
 /* .PP
 /*	Available in Postfix version 2.11 and later:
 /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
 /*	The name of the \fBtlsmgr\fR(8) service entry in master.cf.
 /* .PP
 /*	Available in Postfix version 3.0 and later:
 /* .IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)\fR"
 /*	Algorithm used to encrypt RFC5077 TLS session tickets.
 /* .IP "\fBopenssl_path (openssl)\fR"
 /*	The location of the OpenSSL command line program \fBopenssl\fR(1).
 /* .PP
 /*	Available in Postfix version 3.2 and later:
 /* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
 /*	The prioritized list of elliptic curves supported by the Postfix
 /*	SMTP client and server.
 /* .PP
 /*	Available in Postfix version 3.4 and later:
 /* .IP "\fBtls_server_sni_maps (empty)\fR"
 /*	Optional lookup tables that map names received from remote SMTP
 /*	clients via the TLS Server Name Indication (SNI) extension to the
 /*	appropriate keys and certificate chains.
 /* STARTTLS SERVER CONTROLS
 /* .ad
 /* .fi
 /*	These settings are clones of Postfix SMTP server settings.
 /*	They allow \fBtlsproxy\fR(8) to load the same certificate
 /*	and private key information as the Postfix SMTP server,
 /*	before dropping privileges, so that the key files can be
 /*	kept read-only for root. These settings can currently not
 /*	be overruled by information in a \fBtlsproxy\fR(8) client
 /*	request, but that limitation may be removed in a future
 /*	version.
 /* .IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR"
 /*	A file containing (PEM format) CA certificates of root CAs
 /*	trusted to sign either remote SMTP client certificates or intermediate
@ -134,27 +214,18 @@
 /*	The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server;
 /*	when a non-empty value is specified, this overrides the obsolete
 /*	parameters smtpd_use_tls and smtpd_enforce_tls.
 /* .PP
 /*	Available in Postfix version 2.11 and later:
 /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
 /*	The name of the \fBtlsmgr\fR(8) service entry in master.cf.
 /* .PP
 /*	Available in Postfix version 3.4 and later:
 /* .IP "\fBtlsproxy_tls_chain_files ($smtpd_tls_chain_files)\fR"
 /*	Files with the Postfix \fBtlsproxy\fR(8) server keys and certificate
 /*	chains in PEM format.
-/* .IP "\fBtls_server_sni_maps (empty)\fR"
+/* STARTTLS CLIENT CONTROLS
 /*	Optional lookup tables that map names received from remote SMTP
 /*	clients via the TLS Server Name Indication (SNI) extension to the
 /*	appropriate keys and certificate chains.
 /* TLS CLIENT CONTROLS
 /* .ad
 /* .fi
-/*	These parameters are clones of SMTP client settings. They
+/*	These settings are clones of Postfix SMTP client settings.
-/*	allow \fBtlsproxy\fR(8) to load the same certificate and
+/*	They allow \fBtlsproxy\fR(8) to load the same certificate
-/*	private key information as the SMTP client, before dropping
+/*	and private key information as the Postfix SMTP client,
-/*	privileges, so that the key files can be kept read-only for
+/*	before dropping privileges, so that the key files can be
-/*	root.
+/*	kept read-only for root. Some settings may be overruled by
 /*	information in a \fBtlsproxy\fR(8) client request.
 /* .PP
 /*	Available in Postfix version 3.4 and later:
 /* .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"
@ -430,14 +501,14 @@ static TLS_APPL_STATE *tlsp_server_ctx;
 static TLS_APPL_STATE *tlsp_client_ctx;
 static bool tlsp_pre_jail_done;
 static int ask_client_cert;
 static char *tlsp_pre_jail_client_param_key;	/* pre-jail global params */
 static char *tlsp_pre_jail_client_init_key;	/* pre-jail init props */
 /*
  * TLS per-client status.
  */
-static HTABLE *tlsp_client_app_cache;
+static HTABLE *tlsp_client_app_cache;	/* per-client init props */
-static BH_TABLE *tlsp_params_mismatch_filter;
+static BH_TABLE *tlsp_params_mismatch_filter;	/* per-client nag filter */
 static char *tlsp_pre_jail_client_param_key;
 static char *tlsp_pre_jail_client_init_key;
 /*
  * Error handling: if a function detects an error, then that function is
@ -1088,16 +1159,19 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
    /*
     * Use one TLS_APPL_STATE object for all requests that specify the same
     * TLS_CLIENT_INIT_PROPS. Each TLS_APPL_STATE owns an SSL_CTX, which is
-     * expensive to create.
+     * expensive to create. Bug: TLS_CLIENT_PARAMS are not used when creating
     * a TLS_APPL_STATE instance.
     * 
     * First, compute the TLS_APPL_STATE cache lookup key. Save a copy of the
-     * TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS settings from the
+     * pre-jail request TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS
-     * pre-jail internal request.
+     * settings, so that we can detect post-jail requests that do not match.
     */
    param_buf = vstring_alloc(100);
-    param_key = tls_proxy_client_param_to_string(param_buf, tls_params);
+    param_key = tls_proxy_client_param_with_names_to_string(
 						     param_buf, tls_params);
    init_buf = vstring_alloc(100);
-    init_key = tls_proxy_client_init_to_string(init_buf, init_props);
+    init_key = tls_proxy_client_init_with_names_to_string(
 						      init_buf, init_props);
    if (tlsp_pre_jail_done == 0) {
 	if (tlsp_pre_jail_client_param_key != 0
 	    || tlsp_pre_jail_client_init_key != 0)
@ -1108,9 +1182,9 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
    /*
     * Log a warning if a post-jail request uses unexpected TLS_CLIENT_PARAMS
-     * settings. These differences are problematic because TLS_CLIENT_PARAMS
+     * settings. Bug: TLS_CLIENT_PARAMS settings are not used when creating a
-     * settings are unfortunately not passed to tls_client_init(). Only the
+     * TLS_APPL_STATE instance; this makes a mismatch of TLS_CLIENT_PARAMS
-     * init_props settings are used.
+     * settings problematic.
     */
    if (tlsp_pre_jail_done
 	&& !been_here_fixed(tlsp_params_mismatch_filter, param_key)
@ -1129,10 +1203,12 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
 	/*
 	 * Before creating a TLS_APPL_STATE instance, log a warning if a
 	 * post-jail request differs from the saved pre-jail request AND the
-	 * request specifies file/directory pathname arguments. Requests
+	 * post-jail request specifies file/directory pathname arguments.
-	 * containing pathnames are problematic after chroot (pathname
+	 * Unexpected requests containing pathnames are problematic after
-	 * resolution) and after dropping privileges (key files must be root
+	 * chroot (pathname resolution) and after dropping privileges (key
-	 * read-only).
+	 * files must be root read-only). Unexpected requests are not a
 	 * problem as long as they contain no pathnames (for example a
 	 * tls_loglevel change).
 	 * 
 	 * We could eliminate some of this complication by adding code that
 	 * opens a cert/key lookup table at pre-jail time, and by reading
@ -1607,9 +1683,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
    tlsp_pre_jail_done = 1;
    /*
-     * Unfortunately TLS_CLIENT_PARAMS attributes correspond to global state
+     * Bug: TLS_CLIENT_PARAMS attributes are not used when creating a
-     * and can therefore not be used when creating TLS_APPL_STATE instances,
+     * TLS_APPL_STATE instance; we can only warn about attribute mismatches.
     * but we can warn about attribute mismatches.
     */
    tlsp_params_mismatch_filter = been_here_init(BH_BOUND_NONE, BH_FLAG_NONE);
 }