postfix-3.9-20231221

2025-08-28 20:57:56 +00:00 · 2023-12-21 00:00:00 -05:00 · 2023-12-21 00:00:00 -05:00 · dd0f14446a
commit dd0f14446a
parent a41effbfcb
11 changed files with 289 additions and 119 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -27631,12 +27631,15 @@ Apologies for any names omitted.
 	cleanup/test-queue-file18, cleanup/cleanup_milter.in18[a-d],
 	cleanup/cleanup_milter.ref18[a-d][12].
-20231219
+20231221
-	Protocol enforcement: with "smtpd_forbid_bare_newline =
+	Security: with "smtpd_forbid_bare_newline = yes" (the default
-	yes" (the default for Postfix 3.9), reply with "Error: bare
+	for Postfix 3.9), reply with "Error: bare <LF> received"
-	<LF> received" and disconnect when an SMTP client sends a
+	and disconnect when an SMTP client sends a line ending in
-	line ending in <LF>, violating the RFC 5321 requirement
+	<LF>, violating the RFC 5321 requirement that lines must
-	that lines must end in <CR><LF>. Files: mantools/postlink,
+	end in <CR><LF>. This prevents SMTP smuggling attacks that
-	proto/postconf.proto, global/mail_params.h, global/smtp_stream.c,
+	target a recipient at a Postfix server. For backwards
-	global/smtp_stream.h, smtpd/smtpd.c.
+	compatibility, local clients are excluded by default with
 	"smtpd_forbid_bare_newline_exclusions = $mynetworks". Files:
 	mantools/postlink, proto/postconf.proto, global/mail_params.h,
 	global/smtp_stream.c, global/smtp_stream.h, smtpd/smtpd.c.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -26,6 +26,29 @@ now also distributed with the more recent Eclipse Public License
 license of their choice. Those who are more comfortable with the
 IPL can continue with that license.
 Incompatible changes with snapshot 20231221
 ===========================================
 Postfix 3.9 by default disconnects a client that sends a 'bare
 newline' ending in SMTP. This prevents an SMTP smuggling attack
 that targets recipients at a Postfix server. For background,
 see https://www.postfix.org/smtp-smuggling.html
 For compatibility with non-standard clients, Postfix 3.9 by default
 excludes clients in mynetworks from this countermeasure.
 The Postfix 3.9 default settings are:
    # Disconnect remote SMTP clients that send bare newlines, but
    # allow local clients with non-standard SMTP implementations
    # such as netcat, fax machines, or load balancer health checks.
    #
    smtpd_forbid_bare_newline = yes
    smtpd_forbid_bare_newline_exclusions = $mynetworks
 This feature is back-ported to all supported stable releases, with
 the difference that "smtpd_forbid_bare_newline = no" by default.
 Incompatible changes with snapshot 20230903
 ===========================================
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -15927,10 +15927,49 @@ This feature is available in Postfix 2.0 and later.
 <p> Reply with "Error: bare &lt;LF&gt; received" and disconnect
 when a remote SMTP client sends a line ending in &lt;LF&gt;, violating
 the <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
-This feature is enabled by default with Postfix &ge; 3.9 but may
+This feature is enabled by default with Postfix &ge; 3.9. Use
-not work with non-standard clients such as netcat. Specify
+<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> to exclude non-standard clients
-"<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = no" to disable (not recommended for
+such as netcat. Specify "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = no" to disable
-an Internet-connected MTA). </p>
+(not recommended for an Internet-connected MTA). </p>
 <p> Example: </p>
 <blockquote>
 <pre>
 # Disconnect remote SMTP clients that send bare newlines, but allow
 # local clients with non-standard SMTP implementations such as netcat,
 # fax machines, or load balancer health checks.
 #
 <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
 <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
 </pre>
 </blockquote>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
 3.6.13, and 3.5.23. </p>
 </DD>
 <DT><b><a name="smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>
 (default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
 <p> Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
 enforcement. It uses the same syntax and parent-domain matching
 behavior as <a href="postconf.5.html#mynetworks">mynetworks</a>. </p>
 <p> Example: </p>
 <blockquote>
 <pre>
 # Disconnect remote SMTP clients that send bare newlines, but allow
 # local clients with non-standard SMTP implementations such as netcat,
 # fax machines, or load balancer health checks.
 #
 <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
 <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
 </pre>
 </blockquote>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
 3.6.13, and 3.5.23. </p>
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@ -1002,56 +1002,60 @@ SMTPD(8)                                                              SMTPD(8)
              remote SMTP client sends a line ending in  &lt;LF&gt;,  violating  the
              <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
       <b><a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
              Exclude  the  specified  clients  from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
              enforcement.
 <b>TARPIT CONTROLS</b>
-       When  a  remote  SMTP  client makes errors, the Postfix SMTP server can
+       When a remote SMTP client makes errors, the  Postfix  SMTP  server  can
-       insert delays before responding. This can help to  slow  down  run-away
+       insert  delays  before  responding. This can help to slow down run-away
-       software.   The  behavior is controlled by an error counter that counts
+       software.  The behavior is controlled by an error counter  that  counts
       the number of errors within an SMTP session that a client makes without
       delivering mail.
       <b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
-              With  Postfix  version  2.1  and later: the SMTP server response
+              With Postfix version 2.1 and later:  the  SMTP  server  response
-              delay after a client has made more than  $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>
+              delay  after a client has made more than $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>
-              errors,  and  fewer than $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without
+              errors, and fewer than $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a>  errors,  without
              delivering mail.
       <b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
-              The number of errors a remote SMTP client  is  allowed  to  make
+              The  number  of  errors  a remote SMTP client is allowed to make
-              without  delivering  mail  before  the Postfix SMTP server slows
+              without delivering mail before the  Postfix  SMTP  server  slows
              down all its responses.
       <b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (normal: 20, overload: 1)</b>
-              The maximal number of errors a remote SMTP client is allowed  to
+              The  maximal number of errors a remote SMTP client is allowed to
              make without delivering mail.
       <b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (normal: 100, overload: 1)</b>
-              The  number  of  junk commands (NOOP, VRFY, ETRN or RSET) that a
+              The number of junk commands (NOOP, VRFY, ETRN or  RSET)  that  a
-              remote SMTP client can  send  before  the  Postfix  SMTP  server
+              remote  SMTP  client  can  send  before  the Postfix SMTP server
              starts to increment the error counter with each junk command.
       Available in Postfix version 2.1 and later:
       <b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
-              The  number  of recipients that a remote SMTP client can send in
+              The number of recipients that a remote SMTP client can  send  in
              excess  of  the  limit  specified  with  $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>,
-              before  the Postfix SMTP server increments the per-session error
+              before the Postfix SMTP server increments the per-session  error
              count for each excess recipient.
 <b>ACCESS POLICY DELEGATION CONTROLS</b>
-       As of version 2.1, Postfix can be configured to delegate access  policy
+       As  of version 2.1, Postfix can be configured to delegate access policy
-       decisions  to  an  external  server that runs outside Postfix.  See the
+       decisions to an external server that runs  outside  Postfix.   See  the
       file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for more information.
       <b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
-              The time after which an idle SMTPD policy service connection  is
+              The  time after which an idle SMTPD policy service connection is
              closed.
       <b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
-              The  time  after which an active SMTPD policy service connection
+              The time after which an active SMTPD policy  service  connection
              is closed.
       <b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
-              The time limit for connecting to, writing to, or receiving  from
+              The  time limit for connecting to, writing to, or receiving from
              a delegated SMTPD policy server.
       Available in Postfix version 3.0 and later:
@ -1061,81 +1065,81 @@ SMTPD(8)                                                              SMTPD(8)
              The default action when an SMTPD policy service request fails.
       <b><a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> (0)</b>
-              The  maximal number of requests per SMTPD policy service connec-
+              The maximal number of requests per SMTPD policy service  connec-
              tion, or zero (no limit).
       <b><a href="postconf.5.html#smtpd_policy_service_try_limit">smtpd_policy_service_try_limit</a> (2)</b>
-              The maximal number of attempts to send an SMTPD  policy  service
+              The  maximal  number of attempts to send an SMTPD policy service
              request before giving up.
       <b><a href="postconf.5.html#smtpd_policy_service_retry_delay">smtpd_policy_service_retry_delay</a> (1s)</b>
-              The  delay between attempts to resend a failed SMTPD policy ser-
+              The delay between attempts to resend a failed SMTPD policy  ser-
              vice request.
       Available in Postfix version 3.1 and later:
       <b><a href="postconf.5.html#smtpd_policy_service_policy_context">smtpd_policy_service_policy_context</a> (empty)</b>
-              Optional information that the Postfix SMTP server  specifies  in
+              Optional  information  that the Postfix SMTP server specifies in
-              the  "policy_context"  attribute  of  a  policy  service request
+              the "policy_context"  attribute  of  a  policy  service  request
-              (originally, to share the same service endpoint  among  multiple
+              (originally,  to  share the same service endpoint among multiple
              <a href="postconf.5.html#check_policy_service">check_policy_service</a> clients).
 <b>ACCESS CONTROLS</b>
-       The  <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to all the SMTP
+       The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to all the  SMTP
       server access control features.
       <b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
-              Wait   until   the   RCPT   TO   command    before    evaluating
+              Wait    until    the   RCPT   TO   command   before   evaluating
              $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>,     $<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>     and
              $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>,  or  wait  until  the  ETRN  command
-              before       evaluating      $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>      and
+              before      evaluating      $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>       and
              $<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>.
       <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' output)</b>
-              A list of Postfix features where the pattern "example.com"  also
+              A  list of Postfix features where the pattern "example.com" also
-              matches  subdomains  of  example.com,  instead  of  requiring an
+              matches subdomains  of  example.com,  instead  of  requiring  an
              explicit ".example.com" pattern.
       <b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
-              Optional restrictions that the Postfix SMTP  server  applies  in
+              Optional  restrictions  that  the Postfix SMTP server applies in
              the context of a client connection request.
       <b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
-              Require  that  a  remote  SMTP client introduces itself with the
+              Require that a remote SMTP client  introduces  itself  with  the
-              HELO or EHLO command before sending the MAIL  command  or  other
+              HELO  or  EHLO  command before sending the MAIL command or other
              commands that require EHLO negotiation.
       <b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
-              Optional  restrictions  that  the Postfix SMTP server applies in
+              Optional restrictions that the Postfix SMTP  server  applies  in
              the context of a client HELO command.
       <b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
-              Optional restrictions that the Postfix SMTP  server  applies  in
+              Optional  restrictions  that  the Postfix SMTP server applies in
              the context of a client MAIL FROM command.
       <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (see 'postconf -d' output)</b>
-              Optional  restrictions  that  the Postfix SMTP server applies in
+              Optional restrictions that the Postfix SMTP  server  applies  in
-              the   context   of   a   client   RCPT   TO    command,    after
+              the    context    of   a   client   RCPT   TO   command,   after
              <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
       <b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
-              Optional  restrictions  that  the Postfix SMTP server applies in
+              Optional restrictions that the Postfix SMTP  server  applies  in
              the context of a client ETRN command.
       <b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
-              Forward      mail      with       sender-specified       routing
+              Forward       mail       with      sender-specified      routing
-              (user[@%!]remote[@%!]site)  from  untrusted  clients to destina-
+              (user[@%!]remote[@%!]site) from untrusted  clients  to  destina-
              tions matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
       <b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
              User-defined aliases for groups of access restrictions.
       <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b>&lt;&gt;<b>)</b>
-              The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a>  tables  instead  of
+              The  lookup  key  to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables instead of
              the null sender address.
       <b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
-              Restrict  the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP access feature to
+              Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP access feature  to
              only domains whose primary MX hosts match the listed networks.
       Available in Postfix version 2.0 and later:
@ -1145,19 +1149,19 @@ SMTPD(8)                                                              SMTPD(8)
              applies in the context of the SMTP DATA command.
       <b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
-              What  characters  are  allowed  in $name expansions of RBL reply
+              What characters are allowed in $name  expansions  of  RBL  reply
              templates.
       Available in Postfix version 2.1 and later:
       <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
-              Request that the Postfix SMTP server rejects mail  from  unknown
+              Request  that  the Postfix SMTP server rejects mail from unknown
-              sender  addresses,  even when no explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a>
+              sender addresses, even when no  explicit  <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a>
              access restriction is specified.
       <b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
-              Request that the Postfix SMTP server rejects  mail  for  unknown
+              Request  that  the  Postfix SMTP server rejects mail for unknown
-              recipient      addresses,      even     when     no     explicit
+              recipient     addresses,     even     when      no      explicit
              <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restriction is specified.
       Available in Postfix version 2.2 and later:
@ -1171,17 +1175,17 @@ SMTPD(8)                                                              SMTPD(8)
       <b><a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,</b>
       <b><a href="postconf.5.html#defer_unauth_destination">defer_unauth_destination</a>)</b>
              Access restrictions for mail relay control that the Postfix SMTP
-              server applies in the context of the  RCPT  TO  command,  before
+              server  applies  in  the  context of the RCPT TO command, before
              <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
 <b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
-       Postfix  version  2.1 introduces sender and recipient address verifica-
+       Postfix version 2.1 introduces sender and recipient  address  verifica-
       tion.  This feature is implemented by sending probe email messages that
       are  not  actually  delivered.   This  feature  is  requested  via  the
-       <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>   and    <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>    access
+       <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>    and    <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>   access
-       restrictions.   The  status of verification probes is maintained by the
+       restrictions.  The status of verification probes is maintained  by  the
-       <a href="verify.8.html"><b>verify</b>(8)</a> server.  See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> for  infor-
+       <a href="verify.8.html"><b>verify</b>(8)</a>  server.  See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> for infor-
-       mation  about how to configure and operate the Postfix sender/recipient
+       mation about how to configure and operate the Postfix  sender/recipient
       address verification service.
       <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (normal: 3, overload: 1)</b>
@ -1193,7 +1197,7 @@ SMTPD(8)                                                              SMTPD(8)
              fication request in progress.
       <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b>
-              The sender address to use in address verification probes;  prior
+              The  sender address to use in address verification probes; prior
              to Postfix 2.5 the default was "postmaster".
       <b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
@ -1201,18 +1205,18 @@ SMTPD(8)                                                              SMTPD(8)
              address is rejected by the <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
       <b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
-              The  numerical  Postfix  SMTP  server  response when a recipient
+              The numerical Postfix SMTP  server  response  when  a  recipient
-              address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>  restric-
+              address  is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> restric-
              tion.
       Available in Postfix version 2.6 and later:
       <b><a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> (450)</b>
-              The  numerical  Postfix  SMTP server response code when a sender
+              The numerical Postfix SMTP server response code  when  a  sender
              address probe fails due to a temporary error condition.
       <b><a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> (450)</b>
-              The numerical Postfix SMTP  server  response  when  a  recipient
+              The  numerical  Postfix  SMTP  server  response when a recipient
              address probe fails due to a temporary error condition.
       <b><a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> (empty)</b>
@ -1224,17 +1228,17 @@ SMTPD(8)                                                              SMTPD(8)
              <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>.
       <b><a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
-              The  Postfix  SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>
+              The Postfix SMTP server's action  when  <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>
              fails due to a temporary error condition.
       <b><a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
-              The Postfix SMTP server's action when  <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipi</a>-
+              The  Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipi</a>-
              <a href="postconf.5.html#reject_unverified_recipient">ent</a> fails due to a temporary error condition.
       Available with Postfix 2.9 and later:
       <b><a href="postconf.5.html#address_verify_sender_ttl">address_verify_sender_ttl</a> (0s)</b>
-              The  time  between  changes  in  the  time-dependent  portion of
+              The time  between  changes  in  the  time-dependent  portion  of
              address verification probe sender addresses.
 <b>ACCESS CONTROL RESPONSES</b>
@ -1246,36 +1250,36 @@ SMTPD(8)                                                              SMTPD(8)
              map "reject" action.
       <b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
-              The numerical Postfix SMTP server response code  when  a  remote
+              The  numerical  Postfix  SMTP server response code when a remote
              SMTP client request is rejected by the "defer" restriction.
       <b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
-              The  numerical Postfix SMTP server response code when the client
+              The numerical Postfix SMTP server response code when the  client
-              HELO  or   EHLO   command   parameter   is   rejected   by   the
+              HELO   or   EHLO   command   parameter   is   rejected   by  the
              <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a> restriction.
       <b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
-              The  numerical  Postfix  SMTP server response code when a remote
+              The numerical Postfix SMTP server response code  when  a  remote
-              SMTP  client  request  is  blocked  by  the   <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>,
+              SMTP   client  request  is  blocked  by  the  <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>,
              <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,                <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a>,
              <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> restriction.
       <b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
-              The numerical Postfix SMTP  server  reply  code  when  a  client
+              The  numerical  Postfix  SMTP  server  reply  code when a client
-              request   is   rejected  by  the  <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
+              request  is  rejected  by   the   <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
              <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a> restriction.
       <b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b>
-              The  numerical  Postfix SMTP server response code when a request
+              The numerical Postfix SMTP server response code when  a  request
              is rejected by the <b><a href="postconf.5.html#reject_plaintext_session">reject_plaintext_session</a></b> restriction.
       <b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
-              The numerical Postfix SMTP server response code  when  a  remote
+              The  numerical  Postfix  SMTP server response code when a remote
              SMTP client request is rejected by the "reject" restriction.
       <b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
-              The  numerical  Postfix  SMTP server response code when a client
+              The numerical Postfix SMTP server response code  when  a  client
-              request is rejected by the  <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>  recipient
+              request  is  rejected by the <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient
              restriction.
       <b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
@ -1283,24 +1287,24 @@ SMTPD(8)                                                              SMTPD(8)
              a sender or recipient address because its domain is unknown.
       <b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
-              The numerical Postfix SMTP server response code  when  a  client
+              The  numerical  Postfix  SMTP server response code when a client
-              without  valid  address  &lt;=&gt;  name  mapping  is  rejected by the
+              without valid address  &lt;=&gt;  name  mapping  is  rejected  by  the
              <a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a> restriction.
       <b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
-              The numerical Postfix SMTP server response code when  the  host-
+              The  numerical  Postfix SMTP server response code when the host-
-              name  specified with the HELO or EHLO command is rejected by the
+              name specified with the HELO or EHLO command is rejected by  the
              <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.
       Available in Postfix version 2.0 and later:
       <b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
-              The default Postfix SMTP server response template for a  request
+              The  default Postfix SMTP server response template for a request
              that is rejected by an RBL-based restriction.
       <b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
-              The  numerical  Postfix  SMTP server response code when a remote
+              The numerical Postfix SMTP server response code  when  a  remote
-              SMTP client  request  is  blocked  by  the  <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipi</a>-
+              SMTP  client  request  is  blocked  by  the <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipi</a>-
              <a href="postconf.5.html#reject_multi_recipient_bounce">ent_bounce</a> restriction.
       <b><a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> (empty)</b>
@ -1310,52 +1314,52 @@ SMTPD(8)                                                              SMTPD(8)
       <b><a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> (450)</b>
              The numerical Postfix SMTP server response code for an <a href="access.5.html"><b>access</b>(5)</a>
-              map   "defer"    action,    including    "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>"    or
+              map    "defer"    action,    including    "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>"   or
              "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>".
       <b><a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a> (<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>)</b>
-              The  Postfix SMTP server's action when a reject-type restriction
+              The Postfix SMTP server's action when a reject-type  restriction
              fails due to a temporary error condition.
       <b><a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
-              The Postfix SMTP server's action when  <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_host</a>-
+              The  Postfix SMTP server's action when <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_host</a>-
              <a href="postconf.5.html#reject_unknown_helo_hostname">name</a> fails due to a temporary error condition.
       <b><a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
-              The       Postfix       SMTP      server's      action      when
+              The      Postfix      SMTP      server's       action       when
-              <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or  <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>
+              <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>  or <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>
              fail due to a temporary error condition.
 <b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
              figuration files.
       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How much time a Postfix daemon process  may  take  to  handle  a
+              How  much  time  a  Postfix  daemon process may take to handle a
              request before it is terminated by a built-in watchdog timer.
       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
              The location of all postfix administrative commands.
       <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
-              The  sender  address of postmaster notifications that are gener-
+              The sender address of postmaster notifications that  are  gener-
              ated by the mail system.
       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
-              The time limit for sending  or  receiving  information  over  an
+              The  time  limit  for  sending  or receiving information over an
              internal communication channel.
       <b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
-              The  mail system name that is displayed in Received: headers, in
+              The mail system name that is displayed in Received: headers,  in
              the SMTP greeting banner, and in bounced mail.
       <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
-              The UNIX system account that owns the  Postfix  queue  and  most
+              The  UNIX  system  account  that owns the Postfix queue and most
              Postfix daemon processes.
       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount of time that an idle Postfix daemon process
+              The maximum amount of time that an idle Postfix  daemon  process
              waits for an incoming connection before terminating voluntarily.
       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1366,11 +1370,11 @@ SMTPD(8)                                                              SMTPD(8)
              The internet hostname of this mail system.
       <b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
-              The list of "trusted" remote SMTP clients that have more  privi-
+              The  list of "trusted" remote SMTP clients that have more privi-
              leges than "strangers".
       <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The  domain  name that locally-posted mail appears to come from,
+              The domain name that locally-posted mail appears to  come  from,
              and that locally posted mail is delivered to.
       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
@ -1383,24 +1387,24 @@ SMTPD(8)                                                              SMTPD(8)
              The location of the Postfix top-level queue directory.
       <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
-              The set of characters that can separate an email address  local-
+              The  set of characters that can separate an email address local-
              part, user name, or a .forward file name from its extension.
       <b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
-              The  text  that follows the 220 status code in the SMTP greeting
+              The text that follows the 220 status code in the  SMTP  greeting
              banner.
       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.
       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              A prefix that  is  prepended  to  the  process  name  in  syslog
+              A  prefix  that  is  prepended  to  the  process  name in syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".
       Available in Postfix version 2.2 and later:
       <b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT GET POST <a href="regexp_table.5.html">regexp</a>:{{/^[^A-Z]/ Bogus}})</b>
-              List  of  commands that cause the Postfix SMTP server to immedi-
+              List of commands that cause the Postfix SMTP server  to  immedi-
              ately terminate the session with a 221 code.
       Available in Postfix version 2.5 and later:
@ -1417,7 +1421,7 @@ SMTPD(8)                                                              SMTPD(8)
       Available in Postfix 3.4 and later:
       <b><a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a> (empty)</b>
-              Lookup  tables,  indexed by the complete Postfix SMTP server 4xx
+              Lookup tables, indexed by the complete Postfix SMTP  server  4xx
              or 5xx response, with reject footer templates.
 <b>SEE ALSO</b>
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -11007,10 +11007,51 @@ This feature is available in Postfix 2.0 and later.
 Reply with "Error: bare <LF> received" and disconnect
 when a remote SMTP client sends a line ending in <LF>, violating
 the RFC 5321 requirement that lines must end in <CR><LF>.
-This feature is enabled by default with Postfix >= 3.9 but may
+This feature is enabled by default with Postfix >= 3.9. Use
-not work with non\-standard clients such as netcat. Specify
+smtpd_forbid_bare_newline_exclusions to exclude non\-standard clients
-"smtpd_forbid_bare_newline = no" to disable (not recommended for
+such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
-an Internet\-connected MTA).
+(not recommended for an Internet\-connected MTA).
 .PP
 Example:
 .sp
 .in +4
 .nf
 .na
 .ft C
 # Disconnect remote SMTP clients that send bare newlines, but allow
 # local clients with non\-standard SMTP implementations such as netcat,
 # fax machines, or load balancer health checks.
 #
 smtpd_forbid_bare_newline = yes
 smtpd_forbid_bare_newline_exclusions = $mynetworks
 .fi
 .ad
 .ft R
 .in -4
 .PP
 This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
 3.6.13, and 3.5.23.
 .SH smtpd_forbid_bare_newline_exclusions (default: $mynetworks)
 Exclude the specified clients from smtpd_forbid_bare_newline
 enforcement. It uses the same syntax and parent\-domain matching
 behavior as mynetworks.
 .PP
 Example:
 .sp
 .in +4
 .nf
 .na
 .ft C
 # Disconnect remote SMTP clients that send bare newlines, but allow
 # local clients with non\-standard SMTP implementations such as netcat,
 # fax machines, or load balancer health checks.
 #
 smtpd_forbid_bare_newline = yes
 smtpd_forbid_bare_newline_exclusions = $mynetworks
 .fi
 .ad
 .ft R
 .in -4
 .PP
 This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
 3.6.13, and 3.5.23.
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@ -874,6 +874,9 @@ Available in Postfix 3.9, 3.8.3, 3.7.9, 3.6.13, 3.5.23 and later:
 Reply with "Error: bare <LF> received" and disconnect
 when a remote SMTP client sends a line ending in <LF>, violating
 the RFC 5321 requirement that lines must end in <CR><LF>.
 .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
 Exclude the specified clients from smtpd_forbid_bare_newline
 enforcement.
 .SH "TARPIT CONTROLS"
 .na
 .nf
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -562,6 +562,7 @@ while (<>) {
    s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
    s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
    s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline\b;<a href="postconf.5.html#smtpd_forbid_bare_newline">$&</a>;g;
    s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline_exclusions\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">$&</a>;g;
    s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
    s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
    s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -19060,10 +19060,45 @@ MinProtocol = TLSv1
 <p> Reply with "Error: bare &lt;LF&gt; received" and disconnect
 when a remote SMTP client sends a line ending in &lt;LF&gt;, violating
 the RFC 5321 requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
-This feature is enabled by default with Postfix &ge; 3.9 but may
+This feature is enabled by default with Postfix &ge; 3.9. Use
-not work with non-standard clients such as netcat. Specify
+smtpd_forbid_bare_newline_exclusions to exclude non-standard clients
-"smtpd_forbid_bare_newline = no" to disable (not recommended for
+such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
-an Internet-connected MTA). </p>
+(not recommended for an Internet-connected MTA). </p>
 <p> Example: </p>
 <blockquote>
 <pre>
 # Disconnect remote SMTP clients that send bare newlines, but allow
 # local clients with non-standard SMTP implementations such as netcat,
 # fax machines, or load balancer health checks.
 #
 smtpd_forbid_bare_newline = yes
 smtpd_forbid_bare_newline_exclusions = $mynetworks
 </pre>
 </blockquote>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
 3.6.13, and 3.5.23. </p>
 %PARAM smtpd_forbid_bare_newline_exclusions $mynetworks
 <p> Exclude the specified clients from smtpd_forbid_bare_newline
 enforcement. It uses the same syntax and parent-domain matching 
 behavior as mynetworks. </p>
 <p> Example: </p>
 <blockquote>
 <pre>
 # Disconnect remote SMTP clients that send bare newlines, but allow
 # local clients with non-standard SMTP implementations such as netcat,
 # fax machines, or load balancer health checks.
 #
 smtpd_forbid_bare_newline = yes
 smtpd_forbid_bare_newline_exclusions = $mynetworks
 </pre>
 </blockquote>
 <p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
 3.6.13, and 3.5.23. </p>
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@ -4308,6 +4308,9 @@ extern char *var_smtpd_dns_re_filter;
 #define VAR_SMTPD_FORBID_BARE_LF	"smtpd_forbid_bare_newline"
 #define DEF_SMTPD_FORBID_BARE_LF	1
 #define VAR_SMTPD_FORBID_BARE_LF_EXCL	"smtpd_forbid_bare_newline_exclusions"
 #define DEF_SMTPD_FORBID_BARE_LF_EXCL	"$" VAR_MYNETWORKS
 /*
  * Share TLS sessions through tlsproxy(8).
  */
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20231219"
+#define MAIL_RELEASE_DATE	"20231221"
 #define MAIL_VERSION_NUMBER	"3.9"
 #ifdef SNAPSHOT
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@ -828,6 +828,9 @@
 /*	Reply with "Error: bare <LF> received" and disconnect
 /*	when a remote SMTP client sends a line ending in <LF>, violating
 /*	the RFC 5321 requirement that lines must end in <CR><LF>.
 /* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
 /*	Exclude the specified clients from smtpd_forbid_bare_newline
 /*	enforcement.
 /* TARPIT CONTROLS
 /* .ad
 /* .fi
@ -1539,6 +1542,9 @@ bool    var_relay_before_rcpt_checks;
 bool    var_smtpd_req_deadline;
 int     var_smtpd_min_data_rate;
 char   *var_hfrom_format;
 bool    var_smtpd_forbid_bare_lf;
 char   *var_smtpd_forbid_bare_lf_excl;
 static NAMADR_LIST *bare_lf_excl;
 /*
  * Silly little macros.
@ -6163,6 +6169,13 @@ static void smtpd_service(VSTREAM *stream, char *service, char **argv)
    xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 &&
 	namadr_list_match(xforward_hosts, state.name, state.addr);
    /*
     * Enforce strict SMTP line endings, with compatibility exclusions.
     */
    smtp_forbid_bare_lf = SMTPD_STAND_ALONE((&state)) == 0
 	&& var_smtpd_forbid_bare_lf
 	&& !namadr_list_match(bare_lf_excl, state.name, state.addr);
    /*
     * See if we need to turn on verbose logging for this client.
     */
@ -6224,6 +6237,10 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
    hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN
 				   | match_parent_style(VAR_SMTPD_HOGGERS),
 				   var_smtpd_hoggers);
    bare_lf_excl = namadr_list_init(VAR_SMTPD_FORBID_BARE_LF_EXCL,
 				    MATCH_FLAG_RETURN
 				    | match_parent_style(VAR_MYNETWORKS),
 				    var_smtpd_forbid_bare_lf_excl);
    /*
     * Open maps before dropping privileges so we can read passwords etc.
@ -6590,7 +6607,7 @@ int     main(int argc, char **argv)
 	VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
 	VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
 	VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
-	VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &smtp_forbid_bare_lf,
+	VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf,
 	0,
    };
    static const CONFIG_NBOOL_TABLE nbool_table[] = {
@ -6707,6 +6724,7 @@ int     main(int argc, char **argv)
 	VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
 	VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0,
 	VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0,
 	VAR_SMTPD_FORBID_BARE_LF_EXCL, DEF_SMTPD_FORBID_BARE_LF_EXCL, &var_smtpd_forbid_bare_lf_excl, 0, 0,
 	0,
    };
    static const CONFIG_RAW_TABLE raw_table[] = {