postfix-2.2-20050208

2025-08-31 22:25:24 +00:00 · 2005-02-08 00:00:00 -05:00
parent 3414d539d2
commit d2c73aa0fe
41 changed files with 344 additions and 746 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -10300,12 +10300,33 @@ Apologies for any names omitted.
 	the input when the action is NOT executed. File:
 	cleanup/cleanup_message.c.
 	Bugfix? Cleanup? Documentation? main.cf now implements
 	${name[?:]value} as promised in the postconf(5) manual.
 	Implemented by deleting the macro processor in dict_eval(),
 	and using the one in mac_expand() instead.  File: util/dict.c.
 20050208
 	Feature: check_ccert_access maptype:mapname for access(5)
 	control, based on code by Victor Duchovni. File:
 	smtpd/smtpd_check.c and documentation.
 	Sanity check: don't allow unlimited message size with
 	limited mailbox size. File: local/local.c, virtual/virtual.c.
 Open problems:
 	Med: local and remote source port and IP address for smtpd
 	policy hook.
-	Med: smtp_connect_timeout_budget (default: 2x smtp_connect_timeout)
+	Med: disable address rewriting after XCLIENT? Introduce a
 	better concept of original submission?
 	Med: find out what TLS attributes to export via the policy
 	servicer hooks: peer CN, issuer CN, peer fingerprint,
 	verification status.
 	Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
 	to limit the total time spent trying to connect.
 	Med: transform IPv4-in-IPv6 address literals to IPv4 form
@@ -10336,9 +10357,6 @@ Open problems:
 	Med: eliminate the tls_info data structure.
 	Med: implement ${name[?:]value} in main.cf or update the
 	postconf(5) manual.
 	Low: reject HELO with any domain name or IP address that
 	this MTA is the final destination for.
@@ -10384,7 +10402,9 @@ Open problems:
 	Med: silly queue file bit so that the queue manager doesn't
 	skip files when fast flush is requested while a queue scan
-	is in progress.
+	is in progress. The bit is set by the flush server and is
 	reset when the mail is deferred, so that it survives queue
 	manager restart.
 	Med: postsuper -r should do something with recipients in
 	bounce logfiles.
--- a/postfix/README_FILES/SMTPD_ACCESS_README
+++ b/postfix/README_FILES/SMTPD_ACCESS_README
@@ -125,6 +125,12 @@ Examples of simple restriction lists are:
    # Whitelisting: local clients may specify any destination. Others may not.
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    # Block clients that speak too early.
    smtpd_data_restrictions = reject_unauth_pipelining
    # Enforce mail volume quota via policy service callouts.
    smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
 Each restriction list is evaluated from left to right until some restriction
 produces a result of PERMIT, REJECT or DEFER (try again later). The end of the
 list is equivalent to a PERMIT result. By placing a PERMIT restriction before a
--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@@ -382,8 +382,8 @@ Example:
 SSeerrvveerr aacccceessss ccoonnttrrooll
-Postfix TLS support introduces two additional features for Postfix SMTP server
+Postfix TLS support introduces three additional features for Postfix SMTP
-access control:
+server access control:
    permit_tls_clientcerts
        Allow the remote SMTP client SMTP request if the client certificate
@@ -394,6 +394,10 @@ access control:
        Allow the remote client SMTP request if the client certificate passes
        verification.
    check_ccert_access type:table
        If the client certificate passes verification, use its fingerprint as a
        key for the specified access(5) table.
 The permit_tls_all_clientcerts feature must be used with caution, because it
 can result in too many access permissions. Use this feature only if a special
 CA issues the client certificates, and only if this CA is listed as trusted CA.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -7,17 +7,25 @@ snapshot release).  Patches are issued for the official release
 and change the patchlevel and the release date. Patches are never
 issued for snapshot releases.
 Major changes with snapshot Postfix-2.2-20050208
 ================================================
 New "check_ccert_maps maptype:mapname" feature to enforce access
 control based on (hexadecimal) client certificate fingerprints.
 Major changes with snapshot Postfix-2.2-20050206
 ================================================
 Support for address rewriting in outgoing SMTP mail. This is useful
 for sites that have no valid Internet domain name, and that use a
 domain name such as localdomain.local instead. Mail addresses that
-use such domain names are often rejected by mail servers.  The new
+use such domain names are often rejected by mail servers.  
-smtp_generics_maps feature allows you to replace local mail addresses
+
-by valid Internet addresses when mail needs to be sent across the
+The new smtp_generics_maps feature allows you to replace local mail
 addresses by valid Internet addresses when mail is sent across the
 Internet.  It has no effect on mail that is sent between accounts
-on the local machine.
+on the local machine. The syntax is described in generics(5) and
 a detailed example is in the STANDARD_CONFIGURATION_README file.
 Example:
--- a/postfix/conf/relocated
+++ b/postfix/conf/relocated
@@ -62,8 +62,8 @@
 #               in $inet_interfaces or $proxy_interfaces.
 # 
 #        @domain
-#               Matches  every  other  address in domain. This form
+#               Matches  other  addresses  in domain. This form has
-#               has the lowest precedence.
+#               the lowest precedence.
 # 
 # ADDRESS EXTENSION
 #        When a mail address localpart contains the optional recip-
--- a/postfix/html/ADDRESS_REWRITING_README.html
+++ b/postfix/html/ADDRESS_REWRITING_README.html
@@ -685,12 +685,12 @@ recipients. Postfix provides three mechanisms: </p>
 the specified address. In Postfix versions before 2.1, this feature
 is implemented by <a href="smtpd.8.html">smtpd(8)</a>, <a href="qmqpd.8.html">qmqpd(8)</a>, or <a href="pickup.8.html">pickup(8)</a>. </dd>
-<dt> <a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = type:table  </dt> <dd> Search the specified
+<dt> <a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = <a href="DATABASE_README.html">type:table</a>  </dt> <dd> Search the specified
 "<a href="DATABASE_README.html">type:table</a>" lookup table with the envelope sender address for an
 automatic BCC address. This feature is available in Postfix 2.1
 and later. </dd>
-<dt> <a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = type:table  </dt> <dd> Search the specified
+<dt> <a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = <a href="DATABASE_README.html">type:table</a>  </dt> <dd> Search the specified
 "<a href="DATABASE_README.html">type:table</a>" lookup table with the envelope recipient address for
 an automatic BCC address. This feature is available in Postfix 2.1
 and later. </dd>
--- a/postfix/html/DATABASE_README.html
+++ b/postfix/html/DATABASE_README.html
@@ -335,7 +335,7 @@ are given in <a href="pgsql_table.5.html">pgsql_table(5)</a>. </dd>
 <dt> <b>proxy</b> (read-only) </dt>
 <dd> Access information via the Postfix <a href="proxymap.8.html">proxymap(8)</a> service. The
-lookup table name syntax is "<a href="proxymap.8.html">proxy</a>:type:table". </dd>
+lookup table name syntax is "<a href="proxymap.8.html">proxy</a>:<a href="DATABASE_README.html">type:table</a>". </dd>
 <dt> <b>regexp</b> (read-only) </dt>
--- a/postfix/html/IPV6_README.html
+++ b/postfix/html/IPV6_README.html
@@ -192,7 +192,7 @@ information inside "<tt>[]</tt>", like this: </p>
 IPv6 address information inside "<tt>[]</tt>" in the main.cf parameter
 value and in files specified with a "<i>/file/name</i>" pattern.
 IPv6 addresses contain the ":" character, and would otherwise be
-confused with a "<i>type:table</i>" pattern. </b>  </p>
+confused with a "<i><a href="DATABASE_README.html">type:table</a></i>" pattern. </b>  </p>
 <h2><a name="limitations">Known Limitations</a></h2>
--- a/postfix/html/Makefile.in.snapshot
+++ b/postfix/html/Makefile.in.snapshot
@@ -1,258 +0,0 @@
 SHELL	= /bin/sh
 # For now, just hard-coded rules for daemons, commands, config files.
 DAEMONS	=  bounce.8.html cleanup.8.html defer.8.html error.8.html local.8.html \
 	lmtp.8.html master.8.html pickup.8.html pipe.8.html qmgr.8.html \
 	showq.8.html smtp.8.html smtpd.8.html trivial-rewrite.8.html \
 	oqmgr.8.html spawn.8.html flush.8.html virtual.8.html qmqpd.8.html \
 	trace.8.html verify.8.html proxymap.8.html anvil.8.html
 COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \
 	postconf.1.html postfix.1.html postkick.1.html postlock.1.html \
 	postlog.1.html postdrop.1.html postmap.1.html sendmail.1.html \
 	postqueue.1.html postsuper.1.html smtp-source.1.html \
 	smtp-sink.1.html qmqp-source.1.html qmqp-sink.1.html
 CONFIG	= access.5.html aliases.5.html canonical.5.html relocated.5.html \
 	transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
 	cidr_table.5.html tcp_table.5.html header_checks.5.html \
 	ldap_table.5.html mysql_table.5.html pgsql_table.5.html
 AWK	= awk '{ print; if (NR == 1) print ".pl 9999" }'
 MAN2HTML = man2html -t "Postfix manual - `IFS=.; set \`echo $@\`; echo \"$$1($$2)\"`"
 update:	$(DAEMONS) $(COMMANDS) $(CONFIG)
 Makefile: Makefile.in
 	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../src/makedefs; cat $?) >$@
 clean:
 	echo clean
 tidy:	clean
 clobber:
 	rm -f $(DAEMONS) $(COMMANDS) $(CONFIG)
 bounce.8.html: ../src/bounce/bounce.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 defer.8.html: bounce.8.html
 	rm -f $@
 	ln -s $? $@
 error.8.html: ../src/error/error.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 flush.8.html: ../src/flush/flush.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 cleanup.8.html: ../src/cleanup/cleanup.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 anvil.8.html: ../src/anvil/anvil.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 lmtp.8.html: ../src/lmtp/lmtp.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 local.8.html: ../src/local/local.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 master.8.html: ../src/master/master.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 oqmgr.8.html: ../src/oqmgr/qmgr.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | sed -e 's/qmgr[^_]/o&/' \
 			  -e 's/qmgr$$/o&/' \
 			  -e 's/QMGR[^_]/O&/' | \
 	    $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 pickup.8.html: ../src/pickup/pickup.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 pipe.8.html: ../src/pipe/pipe.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 proxymap.8.html: ../src/proxymap/proxymap.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 qmgr.8.html: ../src/qmgr/qmgr.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 qmqpd.8.html: ../src/qmqpd/qmqpd.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 showq.8.html: ../src/showq/showq.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 spawn.8.html: ../src/spawn/spawn.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 smtp.8.html: ../src/smtp/smtp.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 smtpd.8.html: ../src/smtpd/smtpd.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 virtual.8.html: ../src/virtual/virtual.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 trace.8.html: bounce.8.html
 	rm -f $@
 	ln -s $? $@
 trivial-rewrite.8.html: ../src/trivial-rewrite/trivial-rewrite.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 verify.8.html: ../src/verify/verify.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postalias.1.html: ../src/postalias/postalias.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postcat.1.html: ../src/postcat/postcat.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postconf.1.html: ../src/postconf/postconf.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postdrop.1.html: ../src/postdrop/postdrop.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postfix.1.html: ../src/postfix/postfix.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postkick.1.html: ../src/postkick/postkick.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postlock.1.html: ../src/postlock/postlock.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postlog.1.html: ../src/postlog/postlog.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postmap.1.html: ../src/postmap/postmap.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postqueue.1.html: ../src/postqueue/postqueue.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postsuper.1.html: ../src/postsuper/postsuper.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 sendmail.1.html: ../src/sendmail/sendmail.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 mailq.1.html: sendmail.1.html
 	PATH=../mantools:$$PATH; \
 	rm -f $@
 	ln -s $? $@
 newaliases.1.html: sendmail.1.html
 	PATH=../mantools:$$PATH; \
 	rm -f $@
 	ln -s $? $@
 smtp-source.1.html: ../src/smtpstone/smtp-source.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 smtp-sink.1.html: ../src/smtpstone/smtp-sink.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 qmqp-source.1.html: ../src/smtpstone/qmqp-source.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 qmqp-sink.1.html: ../src/smtpstone/qmqp-sink.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 access.5.html: ../proto/access
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 aliases.5.html: ../proto/aliases
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 canonical.5.html: ../proto/canonical
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 cidr_table.5.html: ../proto/cidr_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 header_checks.5.html: ../proto/header_checks
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 ldap_table.5.html: ../proto/ldap_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 mysql_table.5.html: ../proto/mysql_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 pcre_table.5.html: ../proto/pcre_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 pgsql_table.5.html: ../proto/pgsql_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 regexp_table.5.html: ../proto/regexp_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 relocated.5.html: ../proto/relocated
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 tcp_table.5.html: ../proto/tcp_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 transport.5.html: ../proto/transport
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 virtual.5.html: ../proto/virtual
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
--- a/postfix/html/Makefile.in.stable
+++ b/postfix/html/Makefile.in.stable
@@ -1,258 +0,0 @@
 SHELL	= /bin/sh
 # For now, just hard-coded rules for daemons, commands, config files.
 DAEMONS	=  bounce.8.html cleanup.8.html defer.8.html error.8.html local.8.html \
 	lmtp.8.html master.8.html pickup.8.html pipe.8.html qmgr.8.html \
 	showq.8.html smtp.8.html smtpd.8.html trivial-rewrite.8.html \
 	oqmgr.8.html spawn.8.html flush.8.html virtual.8.html qmqpd.8.html \
 	trace.8.html verify.8.html proxymap.8.html
 COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \
 	postconf.1.html postfix.1.html postkick.1.html postlock.1.html \
 	postlog.1.html postdrop.1.html postmap.1.html sendmail.1.html \
 	postqueue.1.html postsuper.1.html smtp-source.1.html \
 	smtp-sink.1.html qmqp-source.1.html qmqp-sink.1.html
 CONFIG	= access.5.html aliases.5.html canonical.5.html relocated.5.html \
 	transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
 	cidr_table.5.html header_checks.5.html \
 	ldap_table.5.html mysql_table.5.html pgsql_table.5.html
 AWK	= awk '{ print; if (NR == 1) print ".pl 9999" }'
 MAN2HTML = man2html -t "Postfix manual - `IFS=.; set \`echo $@\`; echo \"$$1($$2)\"`"
 update:	$(DAEMONS) $(COMMANDS) $(CONFIG)
 Makefile: Makefile.in
 	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../src/makedefs; cat $?) >$@
 clean:
 	echo clean
 tidy:	clean
 clobber:
 	rm -f $(DAEMONS) $(COMMANDS) $(CONFIG)
 bounce.8.html: ../src/bounce/bounce.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 defer.8.html: bounce.8.html
 	rm -f $@
 	ln -s $? $@
 error.8.html: ../src/error/error.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 flush.8.html: ../src/flush/flush.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 cleanup.8.html: ../src/cleanup/cleanup.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 anvil.8.html: ../src/anvil/anvil.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 lmtp.8.html: ../src/lmtp/lmtp.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 local.8.html: ../src/local/local.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 master.8.html: ../src/master/master.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 oqmgr.8.html: ../src/oqmgr/qmgr.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | sed -e 's/qmgr[^_]/o&/' \
 			  -e 's/qmgr$$/o&/' \
 			  -e 's/QMGR[^_]/O&/' | \
 	    $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 pickup.8.html: ../src/pickup/pickup.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 pipe.8.html: ../src/pipe/pipe.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 proxymap.8.html: ../src/proxymap/proxymap.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 qmgr.8.html: ../src/qmgr/qmgr.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 qmqpd.8.html: ../src/qmqpd/qmqpd.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 showq.8.html: ../src/showq/showq.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 spawn.8.html: ../src/spawn/spawn.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 smtp.8.html: ../src/smtp/smtp.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 smtpd.8.html: ../src/smtpd/smtpd.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 virtual.8.html: ../src/virtual/virtual.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 trace.8.html: bounce.8.html
 	rm -f $@
 	ln -s $? $@
 trivial-rewrite.8.html: ../src/trivial-rewrite/trivial-rewrite.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 verify.8.html: ../src/verify/verify.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postalias.1.html: ../src/postalias/postalias.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postcat.1.html: ../src/postcat/postcat.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postconf.1.html: ../src/postconf/postconf.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postdrop.1.html: ../src/postdrop/postdrop.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postfix.1.html: ../src/postfix/postfix.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postkick.1.html: ../src/postkick/postkick.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postlock.1.html: ../src/postlock/postlock.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postlog.1.html: ../src/postlog/postlog.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postmap.1.html: ../src/postmap/postmap.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postqueue.1.html: ../src/postqueue/postqueue.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 postsuper.1.html: ../src/postsuper/postsuper.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 sendmail.1.html: ../src/sendmail/sendmail.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 mailq.1.html: sendmail.1.html
 	PATH=../mantools:$$PATH; \
 	rm -f $@
 	ln -s $? $@
 newaliases.1.html: sendmail.1.html
 	PATH=../mantools:$$PATH; \
 	rm -f $@
 	ln -s $? $@
 smtp-source.1.html: ../src/smtpstone/smtp-source.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 smtp-sink.1.html: ../src/smtpstone/smtp-sink.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 qmqp-source.1.html: ../src/smtpstone/qmqp-source.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 qmqp-sink.1.html: ../src/smtpstone/qmqp-sink.c
 	PATH=../mantools:$$PATH; \
 	srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 access.5.html: ../proto/access
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 aliases.5.html: ../proto/aliases
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 canonical.5.html: ../proto/canonical
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 cidr_table.5.html: ../proto/cidr_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 header_checks.5.html: ../proto/header_checks
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 ldap_table.5.html: ../proto/ldap_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 mysql_table.5.html: ../proto/mysql_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 pcre_table.5.html: ../proto/pcre_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 pgsql_table.5.html: ../proto/pgsql_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 regexp_table.5.html: ../proto/regexp_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 relocated.5.html: ../proto/relocated
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 tcp_table.5.html: ../proto/tcp_table
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 transport.5.html: ../proto/transport
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
 virtual.5.html: ../proto/virtual
 	PATH=../mantools:$$PATH; \
 	srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
--- a/postfix/html/SMTPD_ACCESS_README.html
+++ b/postfix/html/SMTPD_ACCESS_README.html
@@ -179,6 +179,12 @@ described in the <a href="postconf.5.html">postconf(5)</a> manual page. </p>
    # Whitelisting: local clients may specify any destination. Others may not.
    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
    # Block clients that speak too early.
    <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> = <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>
    # Enforce mail volume quota via policy service callouts.
    <a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> = <a href="postconf.5.html#check_policy_service">check_policy_service</a> unix:private/policy
 </pre>
 <p> Each restriction list is evaluated from left to right until
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -580,7 +580,7 @@ recommends a maximum of 24 hours.  </p>
 <h3><a name="server_access">Server access control</a> </h3>
-<p> Postfix TLS support introduces two additional features for
+<p> Postfix TLS support introduces three additional features for
 Postfix SMTP server access control:  </p>
 <blockquote>
@@ -596,6 +596,10 @@ and if its fingerprint is listed in the list of client certificates
 client SMTP request if the client certificate passes verification.
 </p> </dd>
 <dt> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> <a href="DATABASE_README.html">type:table</a></dt> <dd>
 <p> If the client certificate passes verification, use its fingerprint
 as a key for the specified <a href="access.5.html">access(5)</a> table. </p> </dd>
 </dl>
 </blockquote>
--- a/postfix/html/cleanup.8.html
+++ b/postfix/html/cleanup.8.html
@@ -243,8 +243,8 @@ CLEANUP(8)                                             CLEANUP(8)
 <b>RESOURCE AND RATE CONTROLS</b>
       <b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b>
              The maximal number of addresses remembered  by  the
-              address  duplicate  filter  for  <a href="aliases.5.html"><b>aliases</b>(5)</a> or <b>vir-</b>
+              address  duplicate  filter  for  <a href="aliases.5.html"><b>aliases</b>(5)</a> or <a href="virtual.5.html"><b>vir-</b></a>
-              <b>tual</b>(5) alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
+              <a href="virtual.5.html"><b>tual</b>(5)</a> alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
              plays.
       <b><a href="postconf.5.html#header_size_limit">header_size_limit</a> (102400)</b>
--- a/postfix/html/local.8.html
+++ b/postfix/html/local.8.html
@@ -445,8 +445,8 @@ LOCAL(8)                                                 LOCAL(8)
       <b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b>
              The maximal number of addresses remembered  by  the
-              address  duplicate  filter  for  <a href="aliases.5.html"><b>aliases</b>(5)</a> or <b>vir-</b>
+              address  duplicate  filter  for  <a href="aliases.5.html"><b>aliases</b>(5)</a> or <a href="virtual.5.html"><b>vir-</b></a>
-              <b>tual</b>(5) alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
+              <a href="virtual.5.html"><b>tual</b>(5)</a> alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
              plays.
       <b><a href="postconf.5.html#local_destination_concurrency_limit">local_destination_concurrency_limit</a> (2)</b>
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -46,10 +46,12 @@ that starts with whitespace continues a logical line. </p>
 recursively replaced by the value of the named parameter. </p>
 <li> <p> The expression "${name?value}" expands to "value" when
-"$name" is non-empty. </p>
+"$name" is non-empty. This form is supported with Postfix version
 2.2 and later. </p>
 <li> <p> The expression "${name:value}" expands to "value" when
-"$name" is empty. </p>
+"$name" is empty. This form is supported with Postfix version 2.2
 and later.  </p>
 </ul>
@@ -5073,6 +5075,12 @@ D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
 </pre>
 <p>For more fine-grained control, use <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> to select
 an appropriate <a href="access.5.html">access(5)</a> policy for each client.
 See <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a>.</p>
 <p>This feature is available with Postfix 2.2.</p>
 </DD>
@@ -7050,6 +7058,12 @@ client network address information.
 <dl>
 <dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 <dd>When the remote SMTP client certificate is verified successfully,
 use the client certificate fingerprint as lookup key for the specified
 <a href="access.5.html">access(5)</a> database. This feature is available with Postfix 2.2.</dd>
 <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 <dd>Search the specified access database for the client hostname,
@@ -7077,13 +7091,13 @@ authenticated via the <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
 CA, otherwise all clients with a recognized certificate would be
-allowed to relay.  </dd>
+allowed to relay. This feature is available with Postfix 2.2.</dd>
 <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
 <dd>Permit the request when the remote SMTP client certificate is
 verified successfully, and the certificate fingerprint is listed
-in $relay_clientcerts. </dd>
+in $relay_clientcerts. This feature is available with Postfix 2.2.</dd>
 <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
 <dd>Reject the request when the reversed client network address is
--- a/postfix/html/postfix.1.html
+++ b/postfix/html/postfix.1.html
@@ -26,56 +26,55 @@ POSTFIX(1)                                             POSTFIX(1)
       The following commands are implemented:
-       <b>check</b>  Validate the  Postfix  mail  system  configuration.
+       <b>check</b>  Warn about bad directory/file ownership or  permis-
              Warn  about bad directory/file ownership or permis-
              sions, and create missing directories.
-       <b>start</b>  Start the Postfix mail system. This also  runs  the
+       <b>start</b>  Start  the  Postfix mail system. This also runs the
              configuration check described above.
       <b>stop</b>   Stop the Postfix mail system in an orderly fashion.
-              Running processes are allowed to terminate at their
+              If  possible, running processes are allowed to ter-
-              earliest convenience.
+              minate at their earliest convenience.
-              Note:  in  order to refresh the Postfix mail system
+              Note: in order to refresh the Postfix  mail  system
-              after a configuration change, do not use the  <b>start</b>
+              after  a configuration change, do not use the <b>start</b>
-              and  <b>stop</b>  commands  in  succession. Use the <b>reload</b>
+              and <b>stop</b> commands in  succession.  Use  the  <b>reload</b>
              command instead.
       <b>abort</b>  Stop the Postfix mail system abruptly. Running pro-
              cesses are signaled to stop immediately.
       <b>flush</b>  Force delivery: attempt to deliver every message in
-              the deferred  mail  queue.  Normally,  attempts  to
+              the  deferred  mail  queue.  Normally,  attempts to
-              deliver  delayed  mail happen at regular intervals,
+              deliver delayed mail happen at  regular  intervals,
              the interval doubling after each failed attempt.
              Warning:  flushing  undeliverable  mail  frequently
-              will  result  in  poor  delivery performance of all
+              will result in poor  delivery  performance  of  all
              other mail.
       <b>reload</b> Re-read configuration files. Running processes ter-
              minate at their earliest convenience.
       <b>set-permissions [</b><i>name</i>=<i>value ...</i><b>]</b>
-              Set   the  ownership  and  permissions  of  Postfix
+              Set  the  ownership  and  permissions  of   Postfix
-              related files and directories, as specified in  the
+              related  files and directories, as specified in the
              <b>postfix-files</b> file.
-              Specify  <i>name</i>=<i>value</i> to override and update specific
+              Specify <i>name</i>=<i>value</i> to override and update  specific
-              main.cf configuration  parameters.  Use  this,  for
+              main.cf  configuration  parameters.  Use  this, for
-              example,  to  change the <b><a href="postconf.5.html#mail_owner">mail_owner</a></b> or <b><a href="postconf.5.html#setgid_group">setgid_group</a></b>
+              example, to change the <b><a href="postconf.5.html#mail_owner">mail_owner</a></b>  or  <b><a href="postconf.5.html#setgid_group">setgid_group</a></b>
              setting for an already installed Postfix system.
              This feature is available in Postfix 2.1 and later.
       <b>upgrade-configuration [</b><i>name</i>=<i>value ...</i><b>]</b>
-              Update  the <b>main.cf</b> and <b>master.cf</b> files with infor-
+              Update the <b>main.cf</b> and <b>master.cf</b> files with  infor-
-              mation that Postfix needs in order to run:  add  or
+              mation  that  Postfix needs in order to run: add or
-              update  services,  and  add or update configuration
+              update services, and add  or  update  configuration
              parameter settings.
-              Specify <i>name</i>=<i>value</i> to override and update  specific
+              Specify  <i>name</i>=<i>value</i> to override and update specific
              main.cf configuration parameters.
              This feature is available in Postfix 2.1 and later.
@@ -83,10 +82,10 @@ POSTFIX(1)                                             POSTFIX(1)
       The following options are implemented:
       <b>-c</b> <i>config</i><b>_</b><i>dir</i>
-              Read the <b>main.cf</b> and <b>master.cf</b> configuration  files
+              Read  the <b>main.cf</b> and <b>master.cf</b> configuration files
-              in  the named directory instead of the default con-
+              in the named directory instead of the default  con-
              figuration  directory.   Use  this  to  distinguish
-              between  multiple  Postfix  instances  on  the same
+              between multiple  Postfix  instances  on  the  same
              host.
       <b>-D</b> (with <b>postfix start</b> only)
@@ -95,11 +94,11 @@ POSTFIX(1)                                             POSTFIX(1)
              parameter.
       <b>-v</b>     Enable verbose logging for debugging purposes. Mul-
-              tiple  <b>-v</b>  options  make  the software increasingly
+              tiple <b>-v</b> options  make  the  software  increasingly
              verbose.
 <b>ENVIRONMENT</b>
-       The <a href="postfix.1.html"><b>postfix</b>(1)</a> command exports the  following  environment
+       The  <a href="postfix.1.html"><b>postfix</b>(1)</a>  command exports the following environment
       variables before executing the <b>postfix-script</b> file:
       <b>MAIL_CONFIG</b>
@@ -115,23 +114,23 @@ POSTFIX(1)                                             POSTFIX(1)
              sent.
 <b>CONFIGURATION PARAMETERS</b>
-       The  following  <b>main.cf</b>   configuration   parameters   are
+       The   following   <b>main.cf</b>   configuration  parameters  are
       exported as environment variables with the same names:
       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
-              The  location  of  all  postfix administrative com-
+              The location of  all  postfix  administrative  com-
              mands.
       <b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
-              The directory with  Postfix  support  programs  and
+              The  directory  with  Postfix  support programs and
              daemon programs.
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location  of  the Postfix main.cf and
+              The default location of  the  Postfix  main.cf  and
              master.cf configuration files.
       <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
              tory.
       <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
@@ -147,7 +146,7 @@ POSTFIX(1)                                             POSTFIX(1)
              location of the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command.
       <b><a href="postconf.5.html#newaliases_path">newaliases_path</a> (see 'postconf -d' output)</b>
-              Sendmail compatibility feature that  specifies  the
+              Sendmail  compatibility  feature that specifies the
              location of the <a href="newaliases.1.html"><b>newaliases</b>(1)</a> command.
       <b><a href="postconf.5.html#mailq_path">mailq_path</a> (see 'postconf -d' output)</b>
@@ -155,7 +154,7 @@ POSTFIX(1)                                             POSTFIX(1)
              the Postfix <a href="mailq.1.html"><b>mailq</b>(1)</a> command is installed.
       <b><a href="postconf.5.html#html_directory">html_directory</a> (see 'postconf -d' output)</b>
-              The location of Postfix HTML  files  that  describe
+              The  location  of  Postfix HTML files that describe
              how to build, configure or operate a specific Post-
              fix subsystem or feature.
@@ -163,26 +162,26 @@ POSTFIX(1)                                             POSTFIX(1)
              Where the Postfix manual pages are installed.
       <b><a href="postconf.5.html#readme_directory">readme_directory</a> (see 'postconf -d' output)</b>
-              The location of Postfix README files that  describe
+              The  location of Postfix README files that describe
              how to build, configure or operate a specific Post-
              fix subsystem or feature.
       Other configuration parameters:
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  main.cf  and
+              The  default  location  of  the Postfix main.cf and
              master.cf configuration files.
       <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
-              The  list  of environment parameters that a Postfix
+              The list of environment parameters that  a  Postfix
-              process will import from a non-Postfix parent  pro-
+              process  will import from a non-Postfix parent pro-
              cess.
       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.
       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail system name that is prepended to the pro-
+              The mail system name that is prepended to the  pro-
              cess  name  in  syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".
@@ -271,7 +270,7 @@ POSTFIX(1)                                             POSTFIX(1)
       <a href="QSHAPE_README.html">QSHAPE_README</a>, Postfix queue analysis
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
       software.
 <b>AUTHOR(S)</b>
--- a/postfix/html/postsuper.1.html
+++ b/postfix/html/postsuper.1.html
@@ -38,10 +38,12 @@ POSTSUPER(1)                                         POSTSUPER(1)
       <b>-d</b> <i>queue</i><b>_</b><i>id</i>
              Delete one message with the named queue ID from the
              named   mail  queue(s)  (default:  <b>hold</b>,  <b>incoming</b>,
-              <b>active</b> and <b>deferred</b>).  If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is speci-
+              <b>active</b> and <b>deferred</b>).
-              fied,  the  program  reads  queue IDs from standard
+
-              input. For example, to delete all mail with exactly
+              If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program  reads
-              one recipient <b>user@example.com</b>:
+              queue  IDs  from  standard  input.  For example, to
              delete  all  mail  with   exactly   one   recipient
              <b>user@example.com</b>:
              mailq | tail +2 | awk  'BEGIN { RS = "" }
                  # $7=sender, $8=recipient1, $9=recipient2
@@ -83,26 +85,28 @@ POSTSUPER(1)                                         POSTSUPER(1)
              Put  mail  "on  hold" so that no attempt is made to
              deliver it.  Move one message with the named  queue
              ID from the named mail queue(s) (default: <b>incoming</b>,
-              <b>active</b> and <b>deferred</b>)  to  the  <b>hold</b>  queue.   If  a
+              <b>active</b> and <b>deferred</b>) to the <b>hold</b> queue.
              <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads queue
              IDs from standard input.
-              Specify <b>-h ALL</b> to hold all messages;  for  example,
+              If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program  reads
              queue IDs from standard input.
              Specify  <b>-h  ALL</b> to hold all messages; for example,
              specify  <b>-h  ALL  deferred</b>  to  hold  mail  in  the
-              <b>deferred</b> queue.  As a safety measure, the word  <b>ALL</b>
+              <b>deferred</b>  queue.  As a safety measure, the word <b>ALL</b>
              must be specified in upper case.
-              Note:  while  mail  is "on hold" it will not expire
+              Note: while mail is "on hold" it  will  not  expire
-              when its  time  in  the  queue  exceeds  the  <b><a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
+              when  its  time  in  the  queue  exceeds  the <b><a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
              <b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b>  or  <b><a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>  set-
-              ting. It becomes subject to expiration after it  is
+              ting.  It becomes subject to expiration after it is
              released from "hold".
       <b>-H</b> <i>queue</i><b>_</b><i>id</i>
              Release mail that was put "on hold".  Move one mes-
-              sage with the named queue ID from  the  named  mail
+              sage  with  the  named queue ID from the named mail
-              queue(s) (default: <b>hold</b>) to the <b>deferred</b> queue.  If
+              queue(s) (default: <b>hold</b>) to the <b>deferred</b> queue.
-              a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is  specified,  the  program  reads
+
              If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program  reads
              queue IDs from standard input.
              Note:  use  "<b>postsuper -r</b>" to release mail that was
@@ -121,55 +125,56 @@ POSTSUPER(1)                                         POSTSUPER(1)
              Requeue  the  message  with the named queue ID from
              the named mail queue(s) (default:  <b>hold</b>,  <b>incoming</b>,
              <b>active</b>  and  <b>deferred</b>).   To  requeue multiple mes-
-              sages, specify multiple  <b>-r</b>  command-line  options.
+              sages, specify multiple <b>-r</b> command-line options.
              Alternatively, if a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the
              program reads queue IDs from standard input.
              Specify <b>-r ALL</b> to requeue all messages. As a safety
-              measure,  the  word  <b>ALL</b> must be specified in upper
+              measure, the word <b>ALL</b> must be  specified  in  upper
              case.
-              A requeued message is moved to the <b>maildrop</b>  queue,
+              A  requeued message is moved to the <b>maildrop</b> queue,
-              from  where  it is copied by the pickup daemon to a
+              from where it is copied by the pickup daemon  to  a
-              new file whose name is guaranteed to match the  new
+              new  file whose name is guaranteed to match the new
              queue file inode number. The new queue file is sub-
-              jected again to mail address rewriting and  substi-
+              jected  again to mail address rewriting and substi-
              tution. This is useful when rewriting rules or vir-
              tual mappings have changed.
-              Warning: Postfix queue IDs are reused.  There is  a
+              Warning:  Postfix queue IDs are reused.  There is a
-              very  small  possibility that <a href="postsuper.1.html"><b>postsuper</b>(1)</a> requeues
+              very small possibility that  <a href="postsuper.1.html"><b>postsuper</b>(1)</a>  requeues
-              the wrong message file when it  is  executed  while
+              the  wrong  message  file when it is executed while
-              the  Postfix  mail  system  is running, but no harm
+              the Postfix mail system is  running,  but  no  harm
              should be done.
-       <b>-s</b>     Structure check and structure repair.  This  should
+       <b>-s</b>     Structure  check and structure repair.  This should
              be done once before Postfix startup.
-              <b>o</b>      Rename  files  whose name does not match the
+              <b>o</b>      Rename files whose name does not  match  the
                     message file inode number. This operation is
-                     necessary  after restoring a mail queue from
+                     necessary after restoring a mail queue  from
                     a different machine, or from backup media.
              <b>o</b>      Move queue files that are in the wrong place
                     in the file system hierarchy and remove sub-
                     directories that are no longer needed.  File
-                     position  rearrangements are necessary after
+                     position rearrangements are necessary  after
                     a  change  in  the  <b><a href="postconf.5.html#hash_queue_names">hash_queue_names</a></b>  and/or
                     <b><a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a></b> configuration parameters.
       <b>-v</b>     Enable verbose logging for debugging purposes. Mul-
-              tiple <b>-v</b> options  make  the  software  increasingly
+              tiple  <b>-v</b>  options  make  the software increasingly
              verbose.
 <b>DIAGNOSTICS</b>
-       Problems  are reported to the standard error stream and to
+       Problems are reported to the standard error stream and  to
       <b>syslogd</b>(8).
-       <a href="postsuper.1.html"><b>postsuper</b>(1)</a> reports the number of messages  deleted  with
+       <a href="postsuper.1.html"><b>postsuper</b>(1)</a>  reports  the number of messages deleted with
-       <b>-d</b>,  the number of messages requeued with <b>-r</b>, and the num-
+       <b>-d</b>, the number of messages requeued with <b>-r</b>, and the  num-
-       ber of messages whose queue file name was fixed  with  <b>-s</b>.
+       ber  of  messages whose queue file name was fixed with <b>-s</b>.
-       The  report is written to the standard error stream and to
+       The report is written to the standard error stream and  to
       <b>syslogd</b>(8).
 <b>ENVIRONMENT</b>
@@ -177,36 +182,36 @@ POSTSUPER(1)                                         POSTSUPER(1)
              Directory with the <b>main.cf</b> file.
 <b>BUGS</b>
-       Mail that is not sanitized by Postfix (i.e.  mail  in  the
+       Mail  that  is  not sanitized by Postfix (i.e. mail in the
       <b>maildrop</b> queue) cannot be placed "on hold".
 <b>CONFIGURATION PARAMETERS</b>
-       The  following  <b>main.cf</b> parameters are especially relevant
+       The following <b>main.cf</b> parameters are  especially  relevant
       to this program.  The text below provides only a parameter
-       summary.  See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including exam-
+       summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including  exam-
       ples.
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  main.cf  and
+              The  default  location  of  the Postfix main.cf and
              master.cf configuration files.
       <b><a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a> (1)</b>
-              The  number of subdirectory levels for queue direc-
+              The number of subdirectory levels for queue  direc-
-              tories listed with the <a href="postconf.5.html#hash_queue_names">hash_queue_names</a>  parameter.
+              tories  listed with the <a href="postconf.5.html#hash_queue_names">hash_queue_names</a> parameter.
       <b><a href="postconf.5.html#hash_queue_names">hash_queue_names</a> (deferred, defer)</b>
-              The  names  of  queue  directories  that  are split
+              The names  of  queue  directories  that  are  split
              across multiple subdirectory levels.
       <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
              tory.
       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.
       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail system name that is prepended to the pro-
+              The mail system name that is prepended to the  pro-
              cess  name  in  syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".
@@ -215,7 +220,7 @@ POSTSUPER(1)                                         POSTSUPER(1)
       <a href="postqueue.1.html">postqueue(1)</a>, unprivileged queue operations
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
       software.
 <b>AUTHOR(S)</b>
--- a/postfix/html/relocated.5.html
+++ b/postfix/html/relocated.5.html
@@ -68,8 +68,8 @@ RELOCATED(5)                                         RELOCATED(5)
              in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or $<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>.
       @<i>domain</i>
-              Matches  every  other  address in <i>domain</i>. This form
+              Matches  other  addresses  in <i>domain</i>. This form has
-              has the lowest precedence.
+              the lowest precedence.
 <b>ADDRESS EXTENSION</b>
       When a mail address localpart contains the optional recip-
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -8,7 +8,7 @@
 # SYNOPSIS
 #	\fBmake makefiles \fIname=value...\fR
 # DESCRIPTION
-#	The \fBmakedefs\fR command identifies the program compilation
+#	The \fBmakedefs\fR command identifies the compilation
 #	environment, and emits macro definitions on the standard output
 #	stream that can be prepended to template Makefiles.
 #
--- a/postfix/man/man1/postfix.1
+++ b/postfix/man/man1/postfix.1
@@ -25,15 +25,15 @@ runs the \fBpostfix-script\fR shell script to do the actual work.
 The following commands are implemented:
 .IP \fBcheck\fR
-Validate the Postfix mail system configuration. Warn about bad
+Warn about bad directory/file ownership or permissions,
-directory/file ownership or permissions, and create missing
+and create missing directories.
 directories.
 .IP \fBstart\fR
 Start the Postfix mail system. This also runs the configuration
 check described above.
 .IP \fBstop\fR
-Stop the Postfix mail system in an orderly fashion. Running processes
+Stop the Postfix mail system in an orderly fashion. If
-are allowed to terminate at their earliest convenience.
+possible, running processes are allowed to terminate at
 their earliest convenience.
 .sp
 Note: in order to refresh the Postfix mail system after a
 configuration change, do not use the \fBstart\fR and \fBstop\fR
--- a/postfix/man/man1/postsuper.1
+++ b/postfix/man/man1/postsuper.1
@@ -37,6 +37,7 @@ MAIL_CONFIG environment setting below.
 Delete one message with the named queue ID from the named
 mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and
 \fBdeferred\fR).
 If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
 queue IDs from standard input. For example, to delete all mail
 with exactly one recipient \fBuser@example.com\fR:
@@ -82,6 +83,7 @@ Put mail "on hold" so that no attempt is made to deliver it.
 Move one message with the named queue ID from the named
 mail queue(s) (default: \fBincoming\fR, \fBactive\fR and
 \fBdeferred\fR) to the \fBhold\fR queue.
 If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
 queue IDs from standard input.
 .sp
@@ -98,6 +100,7 @@ expiration after it is released from "hold".
 Release mail that was put "on hold".
 Move one message with the named queue ID from the named
 mail queue(s) (default: \fBhold\fR) to the \fBdeferred\fR queue.
 If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
 queue IDs from standard input.
 .sp
@@ -117,6 +120,7 @@ mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and
 \fBdeferred\fR).
 To requeue multiple messages, specify multiple \fB-r\fR
 command-line options.
 Alternatively, if a \fIqueue_id\fR of \fB-\fR is specified,
 the program reads queue IDs from standard input.
 .sp
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -36,10 +36,12 @@ The expressions "$name", "${name}" or "$(name)" are
 recursively replaced by the value of the named parameter.
 .IP \(bu
 The expression "${name?value}" expands to "value" when
-"$name" is non-empty.
+"$name" is non-empty. This form is supported with Postfix
 version 2.2 and later.
 .IP \(bu
 The expression "${name:value}" expands to "value" when
-"$name" is empty.
+"$name" is empty. This form is supported with Postfix
 version 2.2 and later.
 .RE
 .IP \(bu
 When the same parameter is defined multiple times, only the last
@@ -2743,6 +2745,12 @@ relay_clientcerts = hash:/etc/postfix/relay_clientcerts
 .fi
 .ad
 .ft R
 .PP
 For more fine-grained control, use check_ccert_access to select
 an appropriate \fBaccess\fR(5) policy for each client.
 See RESTRICTION_CLASS_README.
 .PP
 This feature is available with Postfix 2.2.
 .SH relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)
 The maximal number of parallel deliveries to the same destination
 via the relay message delivery transport. This limit is enforced
@@ -3925,6 +3933,10 @@ restriction that matches wins.
 .PP
 The following restrictions are specific to client hostname or
 client network address information.
 .IP "\fBcheck_ccert_access \fItype:table\fR\fR"
 When the remote SMTP client certificate is verified successfully,
 use the client certificate fingerprint as lookup key for the specified
 \fBaccess\fR(5) database. This feature is available with Postfix 2.2.
 .IP "\fBcheck_client_access \fItype:table\fR\fR"
 Search the specified access database for the client hostname,
 parent domains, client IP address, or networks obtained by stripping
@@ -3943,11 +3955,11 @@ Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
 CA, otherwise all clients with a recognized certificate would be
-allowed to relay.
+allowed to relay. This feature is available with Postfix 2.2.
 .IP "\fBpermit_tls_clientcerts\fR"
 Permit the request when the remote SMTP client certificate is
 verified successfully, and the certificate fingerprint is listed
-in $relay_clientcerts.
+in $relay_clientcerts. This feature is available with Postfix 2.2.
 .IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
 Reject the request when the reversed client network address is
 listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR
--- a/postfix/man/man5/relocated.5
+++ b/postfix/man/man5/relocated.5
@@ -67,7 +67,7 @@ Matches \fIuser\fR@\fIsite\fR when \fIsite\fR is $\fBmyorigin\fR,
 when \fIsite\fR is listed in $\fBmydestination\fR, or when \fIsite\fR
 is listed in $\fBinet_interfaces\fR or $\fBproxy_interfaces\fR.
 .IP @\fIdomain\fR
-Matches every other address in \fIdomain\fR. This form has the lowest
+Matches other addresses in \fIdomain\fR. This form has the lowest
 precedence.
 .SH "ADDRESS EXTENSION"
 .na
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -578,7 +578,7 @@ while (<>) {
    s/\b[A-Z0-9_]*_README\b/<a href="$&.html">$&<\/a>/g;
    s/\bINSTALL\b/<a href="$&.html">$&<\/a>/g;
    s/\bOVERVIEW\b/<a href="$&.html">$&<\/a>/g;
-    s/"type:table"/"<a href="DATABASE_README.html">type:table<\/a>"/g;
+    s/\btype:table\b/<a href="DATABASE_README.html">type:table<\/a>/g;
    # Split manual page hyperlinks across newlines
@@ -597,6 +597,7 @@ while (<>) {
    # Access restrictions - client
    s;\bcheck_client_access\b;<a href="postconf.5.html#check_client_access">$&</a>;g;
    s;\bcheck_ccert_access\b;<a href="postconf.5.html#check_ccert_access">$&</a>;g;
    s;\bpermit_inet_interfaces\b;<a href="postconf.5.html#permit_inet_interfaces">$&</a>;g;
    s;\bpermit_mynetworks\b;<a href="postconf.5.html#permit_mynetworks">$&</a>;g;
    s;\bpermit_sasl_authenticated\b;<a href="postconf.5.html#permit_sasl_authenticated">$&</a>;g;
--- a/postfix/proto/SMTPD_ACCESS_README.html
+++ b/postfix/proto/SMTPD_ACCESS_README.html
@@ -179,6 +179,12 @@ described in the postconf(5) manual page. </p>
    # Whitelisting: local clients may specify any destination. Others may not.
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    # Block clients that speak too early.
    smtpd_data_restrictions = reject_unauth_pipelining
    # Enforce mail volume quota via policy service callouts.
    smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
 </pre>
 <p> Each restriction list is evaluated from left to right until
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -580,7 +580,7 @@ recommends a maximum of 24 hours.  </p>
 <h3><a name="server_access">Server access control</a> </h3>
-<p> Postfix TLS support introduces two additional features for
+<p> Postfix TLS support introduces three additional features for
 Postfix SMTP server access control:  </p>
 <blockquote>
@@ -596,6 +596,10 @@ and if its fingerprint is listed in the list of client certificates
 client SMTP request if the client certificate passes verification.
 </p> </dd>
 <dt> check_ccert_access type:table</dt> <dd>
 <p> If the client certificate passes verification, use its fingerprint
 as a key for the specified access(5) table. </p> </dd>
 </dl>
 </blockquote>
--- a/postfix/proto/postconf.html.prolog
+++ b/postfix/proto/postconf.html.prolog
@@ -46,10 +46,12 @@ that starts with whitespace continues a logical line. </p>
 recursively replaced by the value of the named parameter. </p>
 <li> <p> The expression "${name?value}" expands to "value" when
-"$name" is non-empty. </p>
+"$name" is non-empty. This form is supported with Postfix version
 2.2 and later. </p>
 <li> <p> The expression "${name:value}" expands to "value" when
-"$name" is empty. </p>
+"$name" is empty. This form is supported with Postfix version 2.2
 and later.  </p>
 </ul>
--- a/postfix/proto/postconf.man.prolog
+++ b/postfix/proto/postconf.man.prolog
@@ -36,10 +36,12 @@ The expressions "$name", "${name}" or "$(name)" are
 recursively replaced by the value of the named parameter.
 .IP \(bu
 The expression "${name?value}" expands to "value" when
-"$name" is non-empty.
+"$name" is non-empty. This form is supported with Postfix
 version 2.2 and later.
 .IP \(bu
 The expression "${name:value}" expands to "value" when
-"$name" is empty.
+"$name" is empty. This form is supported with Postfix
 version 2.2 and later.
 .RE
 .IP \(bu
 When the same parameter is defined multiple times, only the last
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -4313,6 +4313,12 @@ client network address information.
 <dl>
 <dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 <dd>When the remote SMTP client certificate is verified successfully,
 use the client certificate fingerprint as lookup key for the specified
 access(5) database. This feature is available with Postfix 2.2.</dd>
 <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 <dd>Search the specified access database for the client hostname,
@@ -4341,13 +4347,13 @@ authenticated via the RFC 2554 (AUTH) protocol. </dd>
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
 CA, otherwise all clients with a recognized certificate would be
-allowed to relay.  </dd>
+allowed to relay. This feature is available with Postfix 2.2.</dd>
 <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
 <dd>Permit the request when the remote SMTP client certificate is
 verified successfully, and the certificate fingerprint is listed
-in $relay_clientcerts. </dd>
+in $relay_clientcerts. This feature is available with Postfix 2.2.</dd>
 <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
 <dd>Reject the request when the reversed client network address is
@@ -7873,6 +7879,12 @@ D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
 </pre>
 <p>For more fine-grained control, use check_ccert_access to select
 an appropriate access(5) policy for each client.
 See RESTRICTION_CLASS_README.</p>
 <p>This feature is available with Postfix 2.2.</p>
 %PARAM smtpd_tls_cipherlist
 <p> Controls the Postfix SMTP server TLS cipher selection scheme.
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1662,6 +1662,7 @@ extern char *var_perm_mx_networks;
 extern int var_access_map_code;
 #define CHECK_CLIENT_ACL	"check_client_access"
 #define CHECK_CCERT_ACL		"check_ccert_access"
 #define CHECK_HELO_ACL		"check_helo_access"
 #define CHECK_SENDER_ACL	"check_sender_access"
 #define CHECK_RECIP_ACL		"check_recipient_access"
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
  * Patches change the patchlevel and the release date. Snapshots change the
  * release date only.
  */
-#define MAIL_RELEASE_DATE	"20050207"
+#define MAIL_RELEASE_DATE	"20050208"
 #define MAIL_VERSION_NUMBER	"2.2"
 #define VAR_MAIL_VERSION	"mail_version"
--- a/postfix/src/local/local.c
+++ b/postfix/src/local/local.c
@@ -790,7 +790,7 @@ static void pre_init(char *unused_name, char **unused_argv)
     * file.
     */
    if (var_mailbox_limit) {
-	if (var_mailbox_limit < var_message_limit)
+	if (var_mailbox_limit < var_message_limit || var_message_limit == 0)
 	    msg_fatal("main.cf configuration error: %s is smaller than %s",
 		      VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
 	set_file_limit(var_mailbox_limit);
--- a/postfix/src/postfix/postfix.c
+++ b/postfix/src/postfix/postfix.c
@@ -19,15 +19,15 @@
 /*
 /*	The following commands are implemented:
 /* .IP \fBcheck\fR
-/*	Validate the Postfix mail system configuration. Warn about bad
+/*	Warn about bad directory/file ownership or permissions,
-/*	directory/file ownership or permissions, and create missing
+/*	and create missing directories.
 /*	directories.
 /* .IP \fBstart\fR
 /*	Start the Postfix mail system. This also runs the configuration
 /*	check described above.
 /* .IP \fBstop\fR
-/*	Stop the Postfix mail system in an orderly fashion. Running processes
+/*	Stop the Postfix mail system in an orderly fashion. If
-/*	are allowed to terminate at their earliest convenience.
+/*	possible, running processes are allowed to terminate at
 /*	their earliest convenience.
 /* .sp
 /*	Note: in order to refresh the Postfix mail system after a
 /*	configuration change, do not use the \fBstart\fR and \fBstop\fR
--- a/postfix/src/postsuper/postsuper.c
+++ b/postfix/src/postsuper/postsuper.c
@@ -31,6 +31,7 @@
 /*	Delete one message with the named queue ID from the named
 /*	mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and
 /*	\fBdeferred\fR).
 /*
 /*	If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
 /*	queue IDs from standard input. For example, to delete all mail
 /*	with exactly one recipient \fBuser@example.com\fR:
@@ -76,6 +77,7 @@
 /*	Move one message with the named queue ID from the named
 /*	mail queue(s) (default: \fBincoming\fR, \fBactive\fR and
 /*	\fBdeferred\fR) to the \fBhold\fR queue.
 /*
 /*	If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
 /*	queue IDs from standard input.
 /* .sp
@@ -92,6 +94,7 @@
 /*	Release mail that was put "on hold".
 /*	Move one message with the named queue ID from the named
 /*	mail queue(s) (default: \fBhold\fR) to the \fBdeferred\fR queue.
 /*
 /*	If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
 /*	queue IDs from standard input.
 /* .sp
@@ -111,6 +114,7 @@
 /*	\fBdeferred\fR).
 /*	To requeue multiple messages, specify multiple \fB-r\fR
 /*	command-line options.
 /*
 /*	Alternatively, if a \fIqueue_id\fR of \fB-\fR is specified,
 /*	the program reads queue IDs from standard input.
 /* .sp
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -336,6 +336,7 @@ static int check_rcpt_maps(SMTPD_STATE *, const char *, const char *);
  * Reject context.
  */
 #define SMTPD_NAME_CLIENT	"Client host"
 #define SMTPD_NAME_CCERT	"Client certificate"
 #define SMTPD_NAME_HELO		"Helo command"
 #define SMTPD_NAME_SENDER	"Sender address"
 #define SMTPD_NAME_RECIPIENT	"Recipient address"
@@ -2341,6 +2342,39 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
    CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
 }
 /* check_ccert_access - access for TLS clients by certificate fingerprint */
 #ifdef USE_TLS
 static int check_ccert_access(SMTPD_STATE *state, const char *table,
 			              const char *def_acl)
 {
    char   *myname = "check_ccert_access";
    int     found;
    if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
 	if (msg_verbose)
 	    msg_info("%s: %s", myname, state->tls_info.peer_fingerprint);
 	/*
 	 * Regexp tables don't make sense for certificate fingerprints. That
 	 * may be so, but we can't ignore the entire check_ccert_access
 	 * request without logging a warning.
 	 * 
 	 * Log the peer CommonName when access is denied. Non-printable
 	 * characters will be neutered by smtpd_check_reject(). The SMTP
 	 * client name and address are always syslogged as part of a "reject"
 	 * event.
 	 */
 	return (check_access(state, table, state->tls_info.peer_fingerprint,
 			     DICT_FLAG_NONE, &found, state->tls_info.peer_CN,
 			     SMTPD_NAME_CCERT, def_acl));
    }
    return (SMTPD_CHECK_DUNNO);
 }
 #endif
 /* check_mail_access - OK/FAIL based on mail address lookup */
 static int check_mail_access(SMTPD_STATE *state, const char *table,
@@ -3204,6 +3238,10 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 		    status = reject_rbl_domain(state, *cpp, state->name,
 					       SMTPD_NAME_CLIENT);
 	    }
 #ifdef USE_TLS
 	} else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) {
 	    status = check_ccert_access(state, *cpp, def_acl);
 #endif
 	}
 	/*
--- a/postfix/src/util/dict.c
+++ b/postfix/src/util/dict.c
@@ -117,8 +117,8 @@
 /*	dict_eval() expands macro references in the specified string.
 /*	The result is owned by the dictionary manager. Make a copy if the
 /*	result is to survive multiple dict_eval() calls. When the
-/*	\fIrecursive\fR argument is non-zero, macros references are
+/*	\fIrecursive\fR argument is non-zero, macro references in macro
-/*	expanded recursively.
+/*	lookup results are expanded recursively.
 /*
 /*	dict_walk() iterates over all registered dictionaries in some
 /*	arbitrary order, and invokes the specified action routine with
@@ -183,7 +183,7 @@
 #include "vstream.h"
 #include "vstring.h"
 #include "readlline.h"
-#include "mac_parse.h"
+#include "mac_expand.h"
 #include "stringops.h"
 #include "iostuff.h"
 #include "dict.h"
@@ -410,94 +410,52 @@ void    dict_load_fp(const char *dict_name, VSTREAM *fp)
    vstring_free(buf);
 }
- /*
+/* dict_eval_lookup - macro parser call-back routine */
  * Helper for macro expansion callback.
  */
 struct dict_eval_context {
    const char *dict_name;		/* where to look */
    VSTRING *buf;			/* result buffer */
    int     recursive;			/* recursive or not */
 };
-/* dict_eval_action - macro parser call-back routine */
+static const char *dict_eval_lookup(const char *key, int unused_type,
-
+				            char *dict_name)
 static int dict_eval_action(int type, VSTRING *buf, char *ptr)
 {
    struct dict_eval_context *ctxt = (struct dict_eval_context *) ptr;
    char   *myname = "dict_eval_action";
    const char *pp;
    if (msg_verbose > 1)
 	msg_info("%s: type %s buf %s context %s \"%s\" %s",
 		 myname, type == MAC_PARSE_VARNAME ? "variable" : "literal",
 		 STR(buf), ctxt->dict_name, STR(ctxt->buf),
 		 ctxt->recursive ? "recursive" : "non-recursive");
    /*
-     * In order to support recursion, we must save the dict_lookup() result.
+     * XXX how would one recover?
     * We use the input buffer since it will not be needed anymore.
     */
-    if (type == MAC_PARSE_VARNAME) {
+    if ((pp = dict_lookup(dict_name, key)) == 0 && dict_errno != 0)
-	if ((pp = dict_lookup(ctxt->dict_name, STR(buf))) == 0) {
+	msg_fatal("dictionary %s: lookup %s: temporary error", dict_name, key);
-	    if (dict_errno)			/* XXX how would one recover? */
+
-		msg_fatal("dictionary %s: lookup %s: temporary error",
+    return (pp);
 			  ctxt->dict_name, STR(buf));
 	} else if (ctxt->recursive) {
 	    vstring_strcpy(buf, pp);		/* XXX clobber input */
 	    dict_eval(ctxt->dict_name, STR(buf), ctxt->recursive);
 	} else {
 	    vstring_strcat(ctxt->buf, pp);
 	}
    } else {
 	vstring_strcat(ctxt->buf, STR(buf));
    }
    return (0);
 }
 /* dict_eval - expand embedded dictionary references */
 const char *dict_eval(const char *dict_name, const char *value, int recursive)
 {
    const char *myname = "dict_eval";
    static VSTRING *buf;
-    static struct dict_eval_context ctxt;
+    int     status;
    static int loop = 0;
    /*
     * Sanity check.
     */
    if (loop > 100)
 	msg_fatal("unreasonable macro nesting: \"%s\"", value);
    /*
     * Initialize.
     */
    if (buf == 0)
 	buf = vstring_alloc(10);
    if (loop++ == 0) {
 	VSTRING_RESET(buf);
 	VSTRING_TERMINATE(buf);
    }
    ctxt.buf = buf;
    ctxt.recursive = recursive;
    ctxt.dict_name = dict_name;
    /*
     * Expand macros, possibly recursively.
     */
-    if (msg_verbose > 1)
+#define DONT_FILTER (char *) 0
 	msg_info("dict_eval[%d] %s", loop, value);
    mac_parse(value, dict_eval_action, (char *) &ctxt);
    if (msg_verbose > 1)
 	msg_info("dict_eval[%d] result %s", loop, STR(buf));
    /*
     * Cleanup.
     */
    loop--;
    VSTRING_TERMINATE(buf);
    status = mac_expand(buf, value,
 			recursive ? MAC_EXP_FLAG_RECURSE : MAC_EXP_FLAG_NONE,
 			DONT_FILTER, dict_eval_lookup, (char *) dict_name);
    if (status & MAC_PARSE_ERROR)
 	msg_fatal("dictionary %s: macro processing error", dict_name);
    if (msg_verbose) {
 	if (strcmp(value, STR(buf)) != 0)
 	    msg_info("%s: expand %s -> %s", myname, value, STR(buf));
 	else
 	    msg_info("%s: const  %s", myname, value);
    }
    return (STR(buf));
 }
--- a/postfix/src/util/dict_open.c
+++ b/postfix/src/util/dict_open.c
@@ -88,9 +88,14 @@
 /*	into the right-hand side.
 /* .IP DICT_FLAG_NO_PROXY
 /*	Disallow access through the \fBproxymap\fR service.
 /* .IP DICT_FLAG_NO_UNAUTH
 /*	Disallow network lookup mechanisms that lack any form of
 /*	authentication (example: tcp_table; even NIS can be secured
 /*	to some extent by requiring that the server binds to a
 /*	privileged port).
 /* .IP DICT_FLAG_PARANOID
-/*	A combination of all the paranoia flags: DICT_FLAG_NO_REGSUB
+/*	A combination of all the paranoia flags: DICT_FLAG_NO_REGSUB,
-/*	and DICT_FLAG_NO_PROXY.
+/*	DICT_FLAG_NO_PROXY and DICT_FLAG_NO_UNAUTH.
 /* .PP
 /*	Specify DICT_FLAG_NONE for no special processing.
 /*
--- a/postfix/src/util/mac_expand.c
+++ b/postfix/src/util/mac_expand.c
@@ -45,7 +45,7 @@
 /*	Bit-wise OR of zero or more of the following:
 /* .RS
 /* .IP MAC_EXP_FLAG_RECURSE
-/*	Expand $name recursively. This should never be done with
+/*	Expand macros in lookup results. This should never be done with
 /*	data whose origin is untrusted.
 /* .PP
 /*	The constant MAC_EXP_FLAG_NONE specifies a manifest null value.
@@ -59,7 +59,7 @@
 /*	MAC_EXP_MODE_TEST to test the existence of the named attribute
 /*	or MAC_EXP_MODE_USE to use the value of the named attribute,
 /*	and the caller context that was given to mac_expand(). A null
-/*	result means that the requested attribute was not defined.
+/*	result value means that the requested attribute was not defined.
 /* .IP context
 /*	Caller context that is passed on to the attribute lookup routine.
 /* DIAGNOSTICS
@@ -136,8 +136,11 @@ static int mac_expand_callback(int type, VSTRING *buf, char *ptr)
    /*
     * $Name etc. reference.
     * 
     * In order to support expansion of lookup results, we must save the lookup
     * result. We use the input buffer since it will not be needed anymore.
     */
-    if (type == MAC_PARSE_VARNAME) {
+    if (type == MAC_PARSE_EXPR) {
 	/*
 	 * Look for the ? or : delimiter. In case of a syntax error, return
@@ -183,7 +186,8 @@ static int mac_expand_callback(int type, VSTRING *buf, char *ptr)
 	    } else if (*text == 0) {
 		 /* void */ ;
 	    } else if (mc->flags & MAC_EXP_FLAG_RECURSE) {
-		mac_parse(text, mac_expand_callback, (char *) mc);
+		vstring_strcpy(buf, text);
 		mac_parse(vstring_str(buf), mac_expand_callback, (char *) mc);
 	    } else {
 		len = VSTRING_LEN(mc->result);
 		vstring_strcat(mc->result, text);
@@ -201,17 +205,9 @@ static int mac_expand_callback(int type, VSTRING *buf, char *ptr)
     * Literal text.
     */
    else {
-	text = vstring_str(buf);
+	vstring_strcat(mc->result, vstring_str(buf));
 	vstring_strcat(mc->result, text);
    }
    /*
     * Give the poor tester a clue of what is going on.
     */
    if (msg_verbose)
 	msg_info("%s: %s = %s", myname, vstring_str(buf),
 		 text ? text : "(undef)");
    mc->level--;
    return (mc->status);
--- a/postfix/src/util/mac_parse.c
+++ b/postfix/src/util/mac_parse.c
@@ -23,9 +23,11 @@
 /*	found, and \fIcontext\fR is passed on unmodified from the caller.
 /*	The application is at liberty to clobber \fIbuf\fR.
 /* .IP MAC_PARSE_LITERAL
-/*	The text in \fIbuf\fR is literal text.
+/*	The content of \fIbuf\fR is literal text.
-/* .IP MAC_PARSE_VARNAME
+/* .IP MAC_PARSE_EXPR
-/*	The text in \fIbuf\fR is a macro expression.
+/*	The content of \fIbuf\fR is a macro expression: either a
 /*	bare macro name without the preceding "$", or all the text
 /*	inside $() or ${}.
 /* .PP
 /*	The action routine result value is the bit-wise OR of zero or more
 /*	of the following:
@@ -72,11 +74,11 @@
  * execute the action, and reset the temporary buffer for re-use.
  */
 #define MAC_PARSE_ACTION(status, type, buf, context) \
-	{ \
+	do { \
 	    VSTRING_TERMINATE(buf); \
-	    status |= action(type, buf, context); \
+	    status |= action((type), (buf), (context)); \
 	    VSTRING_RESET(buf); \
-	}
+	} while(0)
 /* mac_parse - split string into literal text and macro references */
@@ -138,7 +140,7 @@ int     mac_parse(const char *value, MAC_PARSE_FN action, char *context)
 		msg_warn("empty macro name: \"%s\"", value);
 		break;
 	    }
-	    MAC_PARSE_ACTION(status, MAC_PARSE_VARNAME, buf, context);
+	    MAC_PARSE_ACTION(status, MAC_PARSE_EXPR, buf, context);
 	}
    }
    if (VSTRING_LEN(buf) > 0 && (status & MAC_PARSE_ERROR) == 0)
@@ -167,8 +169,8 @@ static int mac_parse_print(int type, VSTRING *buf, char *unused_context)
    char   *type_name;
    switch (type) {
-    case MAC_PARSE_VARNAME:
+    case MAC_PARSE_EXPR:
-	type_name = "MAC_PARSE_VARNAME";
+	type_name = "MAC_PARSE_EXPR";
 	break;
    case MAC_PARSE_LITERAL:
 	type_name = "MAC_PARSE_LITERAL";
--- a/postfix/src/util/mac_parse.h
+++ b/postfix/src/util/mac_parse.h
@@ -20,7 +20,8 @@
  * External interface.
  */
 #define MAC_PARSE_LITERAL	1
-#define MAC_PARSE_VARNAME	2
+#define MAC_PARSE_EXPR		2
 #define MAC_PARSE_VARNAME	MAC_PARSE_EXPR	/* 2.1 compatibility */
 #define MAC_PARSE_OK		0
 #define MAC_PARSE_ERROR		(1<<0)
--- a/postfix/src/virtual/virtual.c
+++ b/postfix/src/virtual/virtual.c
@@ -457,7 +457,7 @@ static void pre_init(char *unused_name, char **unused_argv)
     * file.
     */
    if (var_virt_mailbox_limit) {
-	if (var_virt_mailbox_limit < var_message_limit)
+	if (var_virt_mailbox_limit < var_message_limit || var_message_limit == 0)
 	    msg_fatal("main.cf configuration error: %s is smaller than %s",
 		      VAR_VIRT_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
 	set_file_limit(var_virt_mailbox_limit);