From dfbdd7de3514b7b3fd830a1f7d400459b93c80a2 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Tue, 15 Jan 2008 00:00:00 -0500
Subject: [PATCH] postfix-2.5.0-RC1
---
postfix/HISTORY | 13 +
postfix/README_FILES/AAAREADME | 2 +
postfix/README_FILES/SASL_README | 118 ++++-
postfix/README_FILES/SOHO_README | 276 ++++++++++
.../STANDARD_CONFIGURATION_README | 6 +-
postfix/RELEASE_NOTES | 490 ++++++++++--------
postfix/WISHLIST | 4 +
postfix/html/SASL_README.html | 132 ++++-
postfix/html/SOHO_README.html | 385 ++++++++++++++
.../html/STANDARD_CONFIGURATION_README.html | 8 +-
postfix/html/index.html | 14 +-
postfix/html/postconf.5.html | 6 +
postfix/implementation-notes/MILTER | 6 +-
postfix/makedefs | 2 +-
postfix/man/man5/postconf.5 | 5 +
postfix/mantools/make_soho_readme | 84 +++
postfix/proto/Makefile.in | 10 +
postfix/proto/SASL_README.html | 132 ++++-
.../proto/STANDARD_CONFIGURATION_README.html | 6 +-
postfix/proto/postconf.proto | 6 +
postfix/src/global/mail_version.h | 2 +-
postfix/src/smtp/smtp_sasl_auth_cache.c | 4 +-
22 files changed, 1391 insertions(+), 320 deletions(-)
create mode 100644 postfix/README_FILES/SOHO_README
create mode 100644 postfix/html/SOHO_README.html
create mode 100755 postfix/mantools/make_soho_readme
diff --git a/postfix/HISTORY b/postfix/HISTORY
index b7a44cfaf..e0a09f1c8 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -14252,3 +14252,16 @@ Apologies for any names omitted.
Safety: the smtpd_client_new_tls_session_rate_limit setting
now also limits the number of failed TLS handshakes. This
limits the impact of broken configurations. File: smtpd/smtpd.c.
+
+20080115
+
+ Bugfix (introduced 20080112): Patrik Rak found two bugs
+ that largely canceled each other out, causing Postfix not
+ to complain about a missing "proxy:" prefix with the new
+ smtp_sasl_auth_cache_name parameter setting. File:
+ smtp/smtp_sasl_glue.c.
+
+ Documentation: new SOHO_README file for small/home offices.
+ The text is automatically generated from bits and pieces of
+ information that are scattered across other documents.
+ File: mantools/make_soho_readme.
diff --git a/postfix/README_FILES/AAAREADME b/postfix/README_FILES/AAAREADME
index fb5d0a1d0..31d9c0e58 100644
--- a/postfix/README_FILES/AAAREADME
+++ b/postfix/README_FILES/AAAREADME
@@ -4,6 +4,7 @@
GGeenneerraall ccoonnffiigguurraattiioonn
* BASIC_CONFIGURATION_README: Basic configuration
+ * SOHO_README: Small/home office hints and tips
* STANDARD_CONFIGURATION_README: Standard configuration examples
* ADDRESS_REWRITING_README: Address rewriting
* VIRTUAL_README: Virtual domain hosting
@@ -25,6 +26,7 @@ CCoonntteenntt iinnssppeeccttiioonn
* CONTENT_INSPECTION_README: Content inspection overview
* BACKSCATTER_README: Stopping backscatter mail
* BUILTIN_FILTER_README: Built-in content inspection
+
* FILTER_README: After-queue content filter
* SMTPD_PROXY_README: Before-queue content filter
* MILTER_README: Before-queue Milter applications
diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README
index 5266e9cb4..bc57d5025 100644
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@@ -39,6 +39,7 @@ This document covers the following topics:
* Testing SASL authentication in the Postfix SMTP server
* Trouble shooting the SASL internals
* Enabling SASL authentication in the Postfix SMTP client
+ * Supporting multiple ISP accounts in the Postfix SMTP client
* Credits
WWhhaatt SSAASSLL iimmpplleemmeennttaattiioonnss aarree ssuuppppoorrtteedd
@@ -423,55 +424,116 @@ relayhost parameter or with a transport(5) table.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
/etc/postfix/sasl_passwd:
- foo.com username:password
- bar.com username
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
-The Postfix SMTP client opens the SASL client password file before entering the
-optional chroot jail, so you can keep the file in /etc/postfix and set
-permissions read / write only for root to keep the username:password
-combinations away from other system users.
+Notes:
-Postfix version 2.3 supports-per-sender SASL password information. To search
-the Postfix SASL password by sender before it searches by destination, specify:
+ * The "submission" destination port tells Postfix to send mail via TCP
+ network port 587, which is normally reserved for email clients. The default
+ is to send mail to the "smtp" destination port (TCP port 25), which is used
+ for receiving mail across the internet. If you use an explicit destination
+ port in main.cf, then you must use the same form also in the
+ smtp_sasl_password_maps file.
+
+ * Postfix does not deliver mail via TCP port 465 (the obsolete "wrappermode"
+ protocol). See TLS_README for a solution that uses the "stunnel" command.
+
+ * The "[" and "]" prevent Postfix from looking up the MX (mail exchanger)
+ records for the enclosed name. If you use this form in main.cf, then you
+ must use the same form also in the smtp_sasl_password_maps file.
+
+ * The Postfix SMTP client opens the SASL client password file before entering
+ the optional chroot jail, so you can keep the file in /etc/postfix and set
+ permissions read / write only for root to keep the username:password
+ combinations away from other system users.
+
+ * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
+ files. To find out what lookup tables Postfix supports, use the command
+ "ppoossttccoonnff --mm".
+
+ * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
+ the sasl_passwd table.
+
+Workarounds:
+
+ * Some remote SMTP servers support PLAIN or LOGIN authentication only. By
+ default, the Postfix SMTP client does not use authentication methods that
+ send plaintext passwords, and defers delivery with the following error
+ message: "Authentication failed: cannot SASL authenticate to server". To
+ enable plaintext authentication specify, for example:
+
+ /etc/postfix/main.cf:
+ smtp_sasl_security_options = noanonymous
+
+ * Some remote SMTP servers announce authentication mechanisms that don't
+ actually work. It is possible via the smtp_sasl_mechanism_filter parameter
+ to restrict the list of server mechanisms that the Postfix SMTP client will
+ take into consideration:
+
+ /etc/postfix/main.cf:
+ smtp_sasl_mechanism_filter = !gssapi, !external, static:all
+
+ In the above example, the Postfix SMTP client will decline to use
+ mechanisms that require special infrastructure such as Kerberos or TLS.
+
+ * The Postfix SMTP client is backwards compatible with SMTP servers that use
+ the non-standard "AUTH=method..." syntax in response to the EHLO command;
+ there is no Postfix client configuration needed to work around it.
+
+SSuuppppoorrttiinngg mmuullttiippllee IISSPP aaccccoouunnttss iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
+
+Postfix version 2.3 supports multiple ISP accounts. This can be useful when one
+person uses the same machine for work and for personal use, or when people with
+different ISP accounts share the same Postfix server. To make this possible,
+Postfix 2.3 supports per-sender SASL passwords and per-sender relay hosts. In
+the example below, Postfix will search the SASL password file by sender before
+it searches that same file by destination. Likewise, Postfix will search the
+per-sender relayhost file, and use the default relayhost only as a final
+resort.
/etc/postfix/main.cf:
smtp_sender_dependent_authentication = yes
+ sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
/etc/postfix/sasl_passwd:
- user@example.com username:password
- bar.com username
+ # Per-sender authentication; see also /etc/postfix/sender_relay.
+ user1@example.com username2:password2
+ user2@example.net username2:password2
+ # Login information for the default relayhost.
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
-Note: some remote SMTP servers support PLAIN or LOGIN authentication only. By
-default, the Postfix SMTP client does not use authentication methods that send
-plaintext passwords, and defers delivery with the following error message:
-"Authentication failed: cannot SASL authenticate to server". To enable
-plaintext authentication specify, for example:
+ /etc/postfix/sender_relay:
+ # Per-sender provider; see also /etc/postfix/sasl_passwd.
+ user1@example.com [mail.example.com]:submission
+ user2@example.net [mail.example.net]
- /etc/postfix/main.cf:
- smtp_sasl_security_options = noanonymous
+Notes:
-Note: some remote SMTP servers announce authentication mechanisms that don't
-actually work. It is possible via the smtp_sasl_mechanism_filter parameter to
-restrict the list of server mechanisms that the Postfix SMTP client will take
-into consideration:
+ * If you are creative, then you can try to combine the two tables into one
+ single MySQL database, and configure different Postfix queries to extract
+ the appropriate information.
- /etc/postfix/main.cf:
- smtp_sasl_mechanism_filter = !gssapi, !external, static:all
+ * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
+ files. To find out what lookup tables Postfix supports, use the command
+ "ppoossttccoonnff --mm".
-In the above example, the Postfix SMTP client will decline to use mechanisms
-that require special infrastructure such as Kerberos or TLS.
+ * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
+ the sasl_passwd table.
-The Postfix SMTP client is backwards compatible with SMTP servers that use the
-non-standard "AUTH=method..." syntax in response to the EHLO command; there is
-no Postfix client configuration needed to work around it.
+ * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" whenever you change
+ the sender_relay table.
CCrreeddiittss
diff --git a/postfix/README_FILES/SOHO_README b/postfix/README_FILES/SOHO_README
new file mode 100644
index 000000000..191cffb53
--- /dev/null
+++ b/postfix/README_FILES/SOHO_README
@@ -0,0 +1,276 @@
+PPoossttffiixx SSmmaallll//HHoommee OOffffiiccee HHiinnttss aanndd TTiippss
+
+-------------------------------------------------------------------------------
+
+OOvveerrvviieeww
+
+This document combines hints and tips for "small office/home office"
+applications into one document so that they are easier to find. The text
+describes the mail sending side only. If your machine does not receive mail
+directly (i.e. it does not have its own Internet domain name and its own fixed
+IP address), then you will need a solution such as "fetchmail", which is
+outside the scope of the Postfix documentation.
+
+ * Selected topics from the STANDARD_CONFIGURATION_README document:
+
+ o Postfix on a stand-alone Internet host
+ o Postfix on hosts without a real Internet hostname
+
+ Selected topics from the SASL_README document:
+
+ o Enabling SASL authentication in the Postfix SMTP client
+ o Supporting multiple ISP accounts in the Postfix SMTP client
+
+See the SASL_README and STANDARD_CONFIGURATION_README documents for further
+information on these topics.
+
+PPoossttffiixx oonn aa ssttaanndd--aalloonnee IInntteerrnneett hhoosstt
+
+Postfix should work out of the box without change on a stand-alone machine that
+has direct Internet access. At least, that is how Postfix installs when you
+download the Postfix source code via http://www.postfix.org/.
+
+You can use the command "ppoossttccoonnff --nn" to find out what settings are overruled
+by your main.cf. Besides a few pathname settings, few parameters should be set
+on a stand-alone box, beyond what is covered in the BASIC_CONFIGURATION_README
+document:
+
+ /etc/postfix/main.cf:
+ # Optional: send mail as user@domainname instead of user@hostname.
+ #myorigin = $mydomain
+
+ # Optional: specify NAT/proxy external address.
+ #proxy_interfaces = 1.2.3.4
+
+ # Alternative 1: don't relay mail from other hosts.
+ mynetworks_style = host
+ relay_domains =
+
+ # Alternative 2: relay mail from local clients only.
+ # mynetworks = 192.168.1.0/28
+ # relay_domains =
+
+See also the section "Postfix on hosts without a real Internet hostname" if
+this is applicable to your configuration.
+
+PPoossttffiixx oonn hhoossttss wwiitthhoouutt aa rreeaall IInntteerrnneett hhoossttnnaammee
+
+This section is for hosts that don't have their own Internet hostname.
+Typically these are systems that get a dynamic IP address via DHCP or via
+dialup. Postfix will let you send and receive mail just fine between accounts
+on a machine with a fantasy name. However, you cannot use a fantasy hostname in
+your email address when sending mail into the Internet, because no-one would be
+able to reply to your mail. In fact, more and more sites refuse mail addresses
+with non-existent domain names.
+
+Note: the following information is Postfix version dependent. To find out what
+Postfix version you have, execute the command "ppoossttccoonnff mmaaiill__vveerrssiioonn".
+
+SSoolluuttiioonn 11:: PPoossttffiixx vveerrssiioonn 22..22 aanndd llaatteerr
+
+Postfix 2.2 uses the generic(5) address mapping to replace local fantasy email
+addresses by valid Internet addresses. This mapping happens ONLY when mail
+leaves the machine; not when you send mail between users on the same machine.
+
+The following example presents additional configuration. You need to combine
+this with basic configuration information as discussed the first half of this
+document.
+
+ 1 /etc/postfix/main.cf:
+ 2 smtp_generic_maps = hash:/etc/postfix/generic
+ 3
+ 4 /etc/postfix/generic:
+ 5 his@localdomain.local hisaccount@hisisp.example
+ 6 her@localdomain.local heraccount@herisp.example
+ 7 @localdomain.local hisaccount+local@hisisp.example
+
+When mail is sent to a remote host via SMTP:
+
+ * Line 5 replaces his@localdomain.local by his ISP mail address,
+
+ * Line 6 replaces her@localdomain.local by her ISP mail address, and
+
+ * Line 7 replaces other local addresses by his ISP account, with an address
+ extension of +local (this example assumes that the ISP supports "+" style
+ address extensions).
+
+Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files.
+To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm".
+
+Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ggeenneerriicc" whenever you change the
+generic table.
+
+SSoolluuttiioonn 22:: PPoossttffiixx vveerrssiioonn 22..11 aanndd eeaarrlliieerr
+
+The solution with older Postfix systems is to use valid Internet addresses
+where possible, and to let Postfix map valid Internet addresses to local
+fantasy addresses. With this, you can send mail to the Internet and to local
+fantasy addresses, including mail to local fantasy addresses that don't have a
+valid Internet address of their own.
+
+The following example presents additional configuration. You need to combine
+this with basic configuration information as discussed the first half of this
+document.
+
+ 1 /etc/postfix/main.cf:
+ 2 myhostname = hostname.localdomain
+ 3 mydomain = localdomain
+ 4
+ 5 canonical_maps = hash:/etc/postfix/canonical
+ 6
+ 7 virtual_alias_maps = hash:/etc/postfix/virtual
+ 8
+ 9 /etc/postfix/canonical:
+ 10 your-login-name your-account@your-isp.com
+ 11
+ 12 /etc/postfix/virtual:
+ 13 your-account@your-isp.com your-login-name
+
+Translation:
+
+ * Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name
+ that is already in use by real organizations on the Internet. See RFC 2606
+ for examples of domain names that are guaranteed not to be owned by anyone.
+
+ * Lines 5, 9, 10: This provides the mapping from "your-login-
+ name@hostname.localdomain" to "your-account@your-isp.com". This part is
+ required.
+
+ * Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally,
+ instead of sending it to the ISP. This part is not required but is
+ convenient.
+
+Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files.
+To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm".
+
+Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ccaannoonniiccaall" whenever you change the
+canonical table.
+
+Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" whenever you change the
+virtual table.
+
+EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
+
+Turn on client-side SASL authentication, and specify a table with per-host or
+per-destination username and password information. The Postfix SMTP client
+first searches the table for an entry with the remote SMTP server hostname; if
+no entry is found, then the Postfix SMTP client searches the table for an entry
+with the next-hop destination. Usually, that is the right-hand part of an email
+address, but it can also be the information that is specified with the
+relayhost parameter or with a transport(5) table.
+
+ /etc/postfix/main.cf:
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ smtp_sasl_type = cyrus
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
+
+ /etc/postfix/sasl_passwd:
+ [mail.myisp.net] username:password
+ [mail.myisp.net]:submission username:password
+
+Notes:
+
+ * The "submission" destination port tells Postfix to send mail via TCP
+ network port 587, which is normally reserved for email clients. The default
+ is to send mail to the "smtp" destination port (TCP port 25), which is used
+ for receiving mail across the internet. If you use an explicit destination
+ port in main.cf, then you must use the same form also in the
+ smtp_sasl_password_maps file.
+
+ * Postfix does not deliver mail via TCP port 465 (the obsolete "wrappermode"
+ protocol). See TLS_README for a solution that uses the "stunnel" command.
+
+ * The "[" and "]" prevent Postfix from looking up the MX (mail exchanger)
+ records for the enclosed name. If you use this form in main.cf, then you
+ must use the same form also in the smtp_sasl_password_maps file.
+
+ * The Postfix SMTP client opens the SASL client password file before entering
+ the optional chroot jail, so you can keep the file in /etc/postfix and set
+ permissions read / write only for root to keep the username:password
+ combinations away from other system users.
+
+ * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
+ files. To find out what lookup tables Postfix supports, use the command
+ "ppoossttccoonnff --mm".
+
+ * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
+ the sasl_passwd table.
+
+Workarounds:
+
+ * Some remote SMTP servers support PLAIN or LOGIN authentication only. By
+ default, the Postfix SMTP client does not use authentication methods that
+ send plaintext passwords, and defers delivery with the following error
+ message: "Authentication failed: cannot SASL authenticate to server". To
+ enable plaintext authentication specify, for example:
+
+ /etc/postfix/main.cf:
+ smtp_sasl_security_options = noanonymous
+
+ * Some remote SMTP servers announce authentication mechanisms that don't
+ actually work. It is possible via the smtp_sasl_mechanism_filter parameter
+ to restrict the list of server mechanisms that the Postfix SMTP client will
+ take into consideration:
+
+ /etc/postfix/main.cf:
+ smtp_sasl_mechanism_filter = !gssapi, !external, static:all
+
+ In the above example, the Postfix SMTP client will decline to use
+ mechanisms that require special infrastructure such as Kerberos or TLS.
+
+ * The Postfix SMTP client is backwards compatible with SMTP servers that use
+ the non-standard "AUTH=method..." syntax in response to the EHLO command;
+ there is no Postfix client configuration needed to work around it.
+
+SSuuppppoorrttiinngg mmuullttiippllee IISSPP aaccccoouunnttss iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
+
+Postfix version 2.3 supports multiple ISP accounts. This can be useful when one
+person uses the same machine for work and for personal use, or when people with
+different ISP accounts share the same Postfix server. To make this possible,
+Postfix 2.3 supports per-sender SASL passwords and per-sender relay hosts. In
+the example below, Postfix will search the SASL password file by sender before
+it searches that same file by destination. Likewise, Postfix will search the
+per-sender relayhost file, and use the default relayhost only as a final
+resort.
+
+ /etc/postfix/main.cf:
+ smtp_sender_dependent_authentication = yes
+ sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
+
+ /etc/postfix/sasl_passwd:
+ # Per-sender authentication; see also /etc/postfix/sender_relay.
+ user1@example.com username2:password2
+ user2@example.net username2:password2
+ # Login information for the default relayhost.
+ [mail.myisp.net] username:password
+ [mail.myisp.net]:submission username:password
+
+ /etc/postfix/sender_relay:
+ # Per-sender provider; see also /etc/postfix/sasl_passwd.
+ user1@example.com [mail.example.com]:submission
+ user2@example.net [mail.example.net]
+
+Notes:
+
+ * If you are creative, then you can try to combine the two tables into one
+ single MySQL database, and configure different Postfix queries to extract
+ the appropriate information.
+
+ * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
+ files. To find out what lookup tables Postfix supports, use the command
+ "ppoossttccoonnff --mm".
+
+ * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
+ the sasl_passwd table.
+
+ * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" whenever you change
+ the sender_relay table.
+
diff --git a/postfix/README_FILES/STANDARD_CONFIGURATION_README b/postfix/README_FILES/STANDARD_CONFIGURATION_README
index a1c8f6ae2..861f2dac9 100644
--- a/postfix/README_FILES/STANDARD_CONFIGURATION_README
+++ b/postfix/README_FILES/STANDARD_CONFIGURATION_README
@@ -45,10 +45,14 @@ document:
# Optional: specify NAT/proxy external address.
#proxy_interfaces = 1.2.3.4
- # Don't relay mail from other hosts.
+ # Alternative 1: don't relay mail from other hosts.
mynetworks_style = host
relay_domains =
+ # Alternative 2: relay mail from local clients only.
+ # mynetworks = 192.168.1.0/28
+ # relay_domains =
+
See also the section "Postfix on hosts without a real Internet hostname" if
this is applicable to your configuration.
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index bee758dab..3f487f3e6 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,10 +1,10 @@
-The stable Postfix release is called postfix-2.4.x where 2=major
-release number, 4=minor release number, x=patchlevel. The stable
+The stable Postfix release is called postfix-2.5.x where 2=major
+release number, 5=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
-postfix-2.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-2.6-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
@@ -17,29 +17,110 @@ Incompatibility with Postfix 2.3 and earlier
If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4
before proceeding.
-Incompatibility with Postfix snapshot 20080114
-==============================================
+Major changes - critical
+------------------------
-The Postfix SMTP client now by default defers mail after a remote
-SMTP server rejects a SASL authentication attempt. Specify
-"smtp_sasl_auth_soft_bounce = no" for the old behavior.
+[Incompat 20071224] The protocol to send Milter information from
+smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+Milter feature, and upgrade a live Postfix system, you may see an
+"unexpected record type" warning from a cleanup(8) server process.
+To prevent this, execute the command "postfix reload". The
+incompatibility affects only systems that use the Milter feature.
+It does not cause loss of mail, just a minor delay until the remote
+SMTP client retries.
-Major changes with Postfix snapshot 20080114
-============================================
+[Incompat 20071212] The allow_min_user feature now applies to both
+sender and recipient addresses in SMTP commands. With earlier Postfix
+versions, only recipients were subject to the allow_min_user feature,
+and the restriction took effect at mail delivery time, causing mail
+to be bounced later instead of being rejected immediately.
-The Postfix SMTP client can now avoid making repeated SASL login
-failures with the same server, username and password. To enable
-this safety feature, specify for example "smtp_sasl_auth_cache_name
-= proxy:btree:/var/lib/postfix/sasl_auth_cache" (access through the
-proxy service is required). Instead of trying to SASL authenticate,
-the Postfix SMTP client defers or bounces mail as controlled with
-the new smtp_sasl_auth_soft_bounce configuration parameter.
+[Incompat 20071206] The "make install" and "make upgrade" procedures
+now create a Postfix-owned directory for Postfix-writable data files
+such as caches and random numbers. The location is specified with
+the "data_directory" parameter (default: "/var/lib/postfix"), and
+the ownership is specified with the "mail_owner" parameter.
-Incompatibility with Postfix snapshot 20080109
-==============================================
+[Incompat 20071206] The tlsmgr(8) and verify(8) servers no longer
+use root privileges when opening the address_verify_map,
+*_tls_session_cache_database, and tls_random_exchange_name cache
+files. This avoids a potential security loophole where the ownership
+of a file (or directory) does not match the trust level of the
+content of that file (or directory).
-TLS logging output has changed to make it more useful. Existing
-logfile parser regular expressions may need adjustment.
+[Incompat 20071206] The tlsmgr(8) and verify(8) cache files should
+now be stored as Postfix-owned files under the Postfix-owned
+data_directory. As a migration aid, attempts to open these files
+under a non-Postfix directory are redirected to the Postfix-owned
+data_directory, and a warning is logged.
+
+This is an example of the warning messages:
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
+ to update file /etc/postfix/prng_exch in non-postfix directory
+ /etc/postfix
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
+ the request to postfix-owned data_directory /var/lib/postfix
+
+If you wish to continue using a pre-existing tls_random_exchange_name
+or address_verify_map file, move it to the Postfix-owned data_directory
+and change ownership from root to Postfix (that is, change ownership
+to the account specified with the mail_owner configuration parameter).
+
+[Feature 20071205] The "make install" and "make upgrade" procedures
+now create a Postfix-owned directory for Postfix-writable data files
+such as caches and random numbers. The location is specified with
+the "data_directory" parameter (default: "/var/lib/postfix"), and
+the ownership is specified with the "mail_owner" parameter.
+
+[Incompat 20071203] The "make upgrade" procedure adds a new service
+"proxywrite" to the master.cf file, for read/write lookup table
+access. If you copy your old configuration file over the updated
+one, you may see warnings in the maillog file like this:
+
+ connect #xx to subsystem private/proxywrite: No such file or directory
+
+To recover, run "postfix upgrade-configuration" again.
+
+[Incompat 20070613] The pipe(8) delivery agent no longer allows
+delivery with the same group ID as the main.cf postdrop group.
+
+Major changes - malware defense
+-------------------------------
+
+[Feature 20080107] New "pass" service type in master.cf. Written
+years ago, this allows future front-end daemons to accept all
+connections from the network, and to hand over connections from
+well-behaved clients to Postfix. Since this feature uses file
+descriptor passing, it imposes no overhead once a connection is
+handed over to Postfix. See master(5) for a few details.
+
+[Feature 20070911] Stress-adaptive behavior. When a "public" network
+service runs into an "all processes are busy" condition, the master(8)
+daemon logs a warning, restarts the service, and runs it with "-o
+stress=yes" on the command line (under normal conditions it runs
+the service with "-o stress=" on the command line). This can be
+used to make main.cf parameter settings stress dependent, for
+example:
+
+/etc/postfix/main.cf:
+ smtpd_timeout = ${stress?10}${stress:300}
+ smtpd_hard_error_limit = ${stress?1}${stress:20}
+
+Translation: under conditions of stress, use an smtpd_timeout value
+of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1
+instead of 20. The syntax is explained in the postconf(5) manpage.
+
+The STRESS_README file gives examples of how to mitigate flooding
+problems.
+
+Major changes - tls support
+---------------------------
+
+[Incompat 20080109] TLS logging output has changed to make it more
+useful. Existing logfile parser regular expressions may need
+adjustment.
- More log entries include the "hostnamename[ipaddress]" of the
remote SMTP peer.
@@ -66,60 +147,133 @@ logfile parser regular expressions may need adjustment.
(or flush) network I/O buffers. This loglevel is for debugging
only; use 0 or 1 in production configurations.
-Major changes with Postfix snapshot 20080109
-============================================
+[Feature 20080109] The Postfix SMTP client has a new "fingerprint"
+security level. This avoids dependencies on CAs, and relies entirely
+on bi-lateral exchange of public keys (really self-signed or private
+CA signed X.509 public key certificates). Scalability is clearly
+limited. For details, see the fingerprint discussion in TLS_README.
-The Postfix SMTP client has a new "fingerprint" security level.
-This avoids dependencies on CAs, and relies entirely on bi-lateral
-exchange of public keys (really self-signed or private CA signed
-X.509 public key certificates). Scalability is clearly limited. For
-details, see the fingerprint discussion in TLS_README.
+[Feature 20080109] The Postfix SMTP server can now use SHA1 instead
+of MD5 to compute remote SMTP client certificate fingerprints. For
+backwards compatibility, the default algorithm is MD5. For details,
+see the "smtpd_tls_fingerprint_digest" parameter in the postconf(5)
+manual.
-The Postfix SMTP server can now use SHA1 instead of MD5 to compute
-remote SMTP client certificate fingerprints. For backwards
-compatibility, the default algorithm is MD5. For details, see the
-"smtpd_tls_fingerprint_digest" parameter in the postconf(5) manual.
-
-The maximum certificate trust chain depth (verifydepth) is finally
-implemented in the Postfix TLS library. Previously, the parameter
-had no effect. The default depth was changed to 9 (the OpenSSL
-default) for backwards compatibility.
+[Feature 20080109] The maximum certificate trust chain depth
+(verifydepth) is finally implemented in the Postfix TLS library.
+Previously, the parameter had no effect. The default depth was
+changed to 9 (the OpenSSL default) for backwards compatibility.
If you have explicity limited the verification depth in main.cf,
check that the configured limit meets your needs. See the
"lmtp_tls_scert_verifydepth", "smtp_tls_scert_verifydepth" and
"smtpd_tls_ccert_verifydepth" parameters in the postconf(5) manual.
-The selection of SSL/TLS protocols for mandatory TLS can now use
-exclusion rather than inclusion. Either form is acceptable; see the
-"lmtp_tls_mandatory_protocols", "smtp_tls_mandatory_protocols" and
-"smtpd_tls_mandatory_protocols" parameters in the postconf(5) manual.
+[Feature 20080109] The selection of SSL/TLS protocols for mandatory
+TLS can now use exclusion rather than inclusion. Either form is
+acceptable; see the "lmtp_tls_mandatory_protocols",
+"smtp_tls_mandatory_protocols" and "smtpd_tls_mandatory_protocols"
+parameters in the postconf(5) manual.
-Major changes with Postfix snapshot 20080107
-============================================
+Major changes - scheduler
+-------------------------
-New "pass" service type in master.cf. Written years ago, this
-allows a future front-end daemon to accept all connections from the
-network, and forward only those from well-behaved clients to Postfix.
-Since this uses file descriptor passing, it imposes no overhead
-once a connection is handed over to Postfix. See master(5) for a
-few details.
+[Feature 20071130] Revised queue manager with separate mechanisms
+for per-destination concurrency control and for dead destination
+detection. The concurrency control supports less-than-1 feedback
+to allow for more gradual concurrency adjustments, and uses hysteresis
+to avoid rapid oscillations. A destination is declared "dead" after
+a configurable number of pseudo-cohorts(*) reports connection or
+handshake failure.
-Incompatibility with Postfix snapshot 20071224
-==============================================
+(*) A pseudo-cohort is a number of delivery requests equal to a
+ destination's delivery concurrency.
-The protocol to send Milter information from smtpd(8) to cleanup(8)
-processes was cleaned up. If you use the Milter feature, and upgrade
-a live Postfix system, you may see an "unexpected record type"
-warning from a cleanup(8) server process. To prevent this, execute
-the command "postfix reload". The incompatibility affects only
-systems that use the Milter feature. It does not cause loss of mail,
-just a minor delay until the remote SMTP client retries.
+The drawbacks of the old +/-1 feedback scheduler are a) overshoot
+due to exponential delivery concurrency growth with each pseudo-cohort(*)
+(5-10-20...); b) throttling down to zero concurrency after a single
+pseudo-cohort(*) failure. The latter was especially an issue with
+low-concurrency channels where a single failure could be sufficient
+to mark a destination as "dead", and suspend further deliveries.
-Major changes with Postfix snapshot 20071221
-============================================
+New configuration parameters: destination_concurrency_feedback_debug,
+default_destination_concurrency_positive_feedback,
+default_destination_concurrency_negative_feedback,
+default_destination_concurrency_failed_cohort_limit, as well as
+transport-specific versions of the same. See postconf(5) for
+extensive descriptions, and SCHEDULER_README for background information
+on the theory and practice of how these settings work.
-Support for most of the Sendmail 8.14 Milter protocol features.
+The default parameter settings are backwards compatible with older
+Postfix versions. This may change after better defaults are field
+tested.
+
+The SCHEDULER_README document describes the new concurrency scheduler,
+as well as Patrik Rak's preemptive job scheduler.
+
+Major changes - small/home office
+---------------------------------
+
+[Feature 20080115] Preliminary SOHO_README document that combines
+bits and pieces from other document in one place, so that it is
+easier to find. This document describes the "mail sending" side
+only.
+
+[Feature 20071202] Output rate control in the queue manager. For
+example, specify "smtp_delivery_rate_delay = 5m", to pause five
+minutes between message deliveries. More information in the postconf(5)
+manual under "default_delivery_rate_delay".
+
+Major changes - smtp client
+---------------------------
+
+[Incompat 20080114] The Postfix SMTP client now by default defers
+mail after a remote SMTP server rejects a SASL authentication
+attempt. Specify "smtp_sasl_auth_soft_bounce = no" for the old
+behavior.
+
+[Feature 20080114] The Postfix SMTP client can now avoid making
+repeated SASL login failures with the same server, username and
+password. To enable this safety feature, specify for example
+"smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache"
+(access through the proxy service is required). Instead of trying
+to SASL authenticate, the Postfix SMTP client defers or bounces
+mail as controlled with the new smtp_sasl_auth_soft_bounce configuration
+parameter.
+
+[Feature 20071111] Header/body checks are now available in the SMTP
+client, after the implementation was moved from the cleanup server
+to a library module. The SMTP client provides only actions that
+don't change the message delivery time or destination: warn, replace,
+prepend, ignore, dunno, ok.
+
+[Incompat 20070614] By default, the Postfix Cyrus SASL client no
+longer sends a SASL authoriZation ID (authzid); it sends only the
+SASL authentiCation ID (authcid) plus the authcid's password. Specify
+"send_cyrus_sasl_authzid = yes" to get the old behavior.
+
+Major changes - smtp server
+---------------------------
+
+[Feature 20070724] Not really major. New support for RFC 3848
+(Received: headers with ESMTPS, ESMTPA, or ESMTPSA); updated SASL
+support according to RFC 4954, resulting in small changes to SMTP
+reply codes and (DSN) enhanced status codes.
+
+Major changes - milter
+----------------------
+
+[Incompat 20071224] The protocol to send Milter information from
+smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+Milter feature, and upgrade a live Postfix system, you may see an
+"unexpected record type" warning from a cleanup(8) server process.
+To prevent this, execute the command "postfix reload". The
+incompatibility affects only systems that use the Milter feature.
+It does not cause loss of mail, just a minor delay until the remote
+SMTP client retries.
+
+[Feature 20071221] Support for most of the Sendmail 8.14 Milter
+protocol features.
To enable the new features specify "milter_protocol = 6" and link
the filter application with a libmilter library from Sendmail 8.14
@@ -160,181 +314,63 @@ require ESMTP command-line parsing in the cleanup server. Unfortunately,
Sendmail's documentation does not specify what ESMTP options are
supported, but only discusses examples of things that don't work.
-Incompatibility with Postfix snapshot 20071216
-==============================================
+Major changes - address verification
+------------------------------------
-Due to an incompatible API change between OpenLDAP 2.0.11 and 2.0.12,
-an LDAP client compiled for OpenLDAP version <= 2.0.11 will refuse
-to work with an OpenLDAP library version >= 2.0.12 and vice versa.
+[Incompat 20070514] The default sender address for address verification
+probes was changed from "postmaster" to "double-bounce", so that
+the Postfix SMTP server no longer causes surprising behavior by
+excluding "postmaster" from SMTP server access controls.
-The SMTP "transcript of session" email now includes the remote SMTP
-server TCP port number.
+Major changes - ldap
+--------------------
-Incompatibility with Postfix snapshot 20071212
-==============================================
+[Incompat 20071216] Due to an incompatible API change between
+OpenLDAP 2.0.11 and 2.0.12, an LDAP client compiled for OpenLDAP
+version <= 2.0.11 will refuse to work with an OpenLDAP library
+version >= 2.0.12 and vice versa.
-The allow_min_user feature now applies to both sender and recipient
-addresses in SMTP commands. With earlier Postfix versions, only
-recipients were subject to the allow_min_user feature, and the
-restriction took effect at mail delivery time, causing mail to be
-bounced later instead of being rejected immediately.
+Major changes - logging
+-----------------------
-Incompatibility with Postfix snapshot 20071206
-==============================================
+[Incompat 20080109] TLS logging output has changed to make it more
+useful. Existing logfile parser regular expressions may need
+adjustment.
-The "make install" and "make upgrade" procedures now create a
-Postfix-owned directory for Postfix-writable data files such as
-caches and random numbers. The location is specified with the
-"data_directory" parameter (default: "/var/lib/postfix"), and the
-ownership is specified with the "mail_owner" parameter.
+- More log entries include the "hostnamename[ipaddress]" of the
+ remote SMTP peer.
-The tlsmgr(8) and verify(8) servers no longer use root privileges
-when opening the address_verify_map, *_tls_session_cache_database,
-and tls_random_exchange_name cache files. This avoids a potential
-security loophole where the ownership of a file (or directory) does
-not match the trust level of the content of that file (or directory).
+- Certificate trust chain error reports show only the first
+ error certificate (closest to the trust chain root), and the
+ reporting is more human-readable for the most likely errors.
-The tlsmgr(8) and verify(8) cache files should now be stored under
-the Postfix-owned data_directory. As a migration aid, attempts to
-open these files under a non-Postfix directory are redirected to
-the Postfix-owned data_directory, and a warning is logged.
+- After the completion of the TLS handshake, the session is logged
+ with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
+ "Verified" (SMTP client only).
+ - "Untrusted" means that the certificate trust chain is invalid,
+ or that the root CA is not trusted.
+ - "Trusted" means that the certificate trust chain is valid, and
+ that the root CA is trusted.
+ - "Verified" means that the certificate meets the SMTP client's
+ matching criteria for the destination:
+ - In the case of a destination name match, "Verified" also
+ implies "Trusted".
+ - In the case of a fingerprint match, CA trust is not applicable.
-This is an example of the warning messages:
+- The logging of protocol states with TLS loglevel >= 2 no longer
+ reports bogus error conditions when OpenSSL asks Postfix to refill
+ (or flush) network I/O buffers. This loglevel is for debugging
+ only; use 0 or 1 in production configurations.
- Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
- to update file /etc/postfix/prng_exch in non-postfix directory
- /etc/postfix
+[Incompat 20071216] The SMTP "transcript of session" email now
+includes the remote SMTP server TCP port number.
- Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
- the request to postfix-owned data_directory /var/lib/postfix
+Major changes - loop detection
+------------------------------
-If you wish to continue using a pre-existing tls_random_exchange_name
-or address_verify_map file, move it to the Postfix-owned data_directory
-and change ownership to the account specified with the mail_owner
-configuration parameter.
-
-Major changes with Postfix snapshot 20071205
-============================================
-
-The "make install" and "make upgrade" procedures now create a
-Postfix-owned directory for Postfix-writable data files such as
-caches and random numbers. The location is specified with the
-"data_directory" parameter (default: "/var/lib/postfix"), and the
-ownership is specified with the "mail_owner" parameter.
-
-Incompatibility with Postfix snapshot 20071203
-==============================================
-
-The "make upgrade" procedure adds a new service "proxywrite" to the
-master.cf file, for read/write lookup table access. If you copy
-your old configuration file over the updated one, you will have
-to run "postfix upgrade-configuration" again.
-
-Major changes with Postfix snapshot 20071202
-============================================
-
-Output rate control in the queue manager. For example, specify
-"smtp_delivery_rate_delay = 5m", to pause five minutes between
-message deliveries. More information in the postconf(5) manual
-under "default_delivery_rate_delay".
-
-Major changes with Postfix snapshot 20071130
-============================================
-
-Revised queue manager with separate mechanisms for per-destination
-concurrency control and for dead destination detection. The
-concurrency control supports less-than-1 feedback to allow for more
-gradual concurrency adjustments, and uses hysteresis to avoid rapid
-oscillations. A destination is declared "dead" after a configurable
-number of pseudo-cohorts(*) reports connection or handshake failure.
-
-(*) A pseudo-cohort is a number of delivery requests equal to a
- destination's delivery concurrency.
-
-The drawbacks of the old +/-1 feedback scheduler are a) overshoot
-due to exponential delivery concurrency growth with each pseudo-cohort(*)
-(5-10-20...); b) throttling down to zero concurrency after a single
-pseudo-cohort(*) failure. The latter was especially an issue with
-low-concurrency channels where a single failure could be sufficient
-to mark a destination as "dead", and suspend further deliveries.
-
-New configuration parameters: destination_concurrency_feedback_debug,
-default_destination_concurrency_positive_feedback,
-default_destination_concurrency_negative_feedback,
-default_destination_concurrency_failed_cohort_limit, as well as
-transport-specific versions of the same. See postconf(5) for
-extensive descriptions, and SCHEDULER_README for background information
-on the theory and practice of how these settings work.
-
-The default parameter settings are backwards compatible with older
-Postfix versions. This may change after better defaults are field
-tested.
-
-Major changes with Postfix snapshot 20071111
-============================================
-
-Header/body checks are now available in the SMTP client, after the
-implementation was moved from the cleanup server to a library module.
-The SMTP client provides only actions that don't change the message
-delivery time or destination: warn, replace, prepend, ignore, dunno,
-ok.
-
-Major changes with Postfix snapshot 20070911
-============================================
-
-Stress-adaptive behavior. When a "public" network service runs into
-an "all processes are busy" condition, the master(8) daemon logs a
-warning, restarts the service, and runs it with "-o stress=yes" on
-the command line (under normal conditions it runs the service with
-"-o stress=" on the command line). This can be used to make main.cf
-parameter settings stress dependent, for example:
-
-/etc/postfix/main.cf:
- smtpd_timeout = ${stress?10}${stress:300}
- smtpd_hard_error_limit = ${stress?1}${stress:20}
-
-Translation: under conditions of stress, use an smtpd_timeout value
-of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1
-instead of 20. The syntax is explained in the postconf(5) manpage.
-
-This feature needs further configuration and documentation, but is
-already useful in its present form.
-
-Major changes with Postfix snapshot 20070724
-============================================
-
-Not really major. New support for RFC 3848 (Received: headers with
-ESMTPS, ESMTPA, or ESMTPSA); updated SASL support according to RFC
-4954, resulting in small changes to SMTP reply codes and (DSN)
-enhanced status codes.
-
-Incompatibility with Postfix snapshot 20070614
-==============================================
-
-By default, the Postfix Cyrus SASL client no longer sends a SASL
-authoriZation ID (authzid); it sends only the SASL authentiCation
-ID (authcid) plus the authcid's password. Specify "send_cyrus_sasl_authzid
-= yes" to get the old behavior.
-
-Incompatibility with Postfix snapshot 20070613
-==============================================
-
-The pipe(8) delivery agent no longer allows delivery with the same
-group ID as the main.cf postdrop group.
-
-Incompatibility with Postfix snapshot 20070514
-==============================================
-
-The default sender address for address verification probes was
-changed from "postmaster" to "double-bounce", so that the Postfix
-SMTP server no longer causes surprising behavior by excluding
-"postmaster" from SMTP server access controls.
-
-Incompatibility with Postfix snapshot 20070422
-==============================================
-
-When the pipe(8) delivery agent is configured to create the optional
-Delivered-To: header, it now first checks if that same header is
-already present in the message. If so, the message is returned as
-undeliverable. This test should have been included with Postfix 2.0
-when Delivered-To: support was added to the pipe(8) delivery agent.
+[Incompat 20070422] [Incompat 20070422] When the pipe(8) delivery
+agent is configured to create the optional Delivered-To: header,
+it now first checks if that same header is already present in the
+message. If so, the message is returned as undeliverable. This test
+should have been included with Postfix 2.0 when Delivered-To: support
+was added to the pipe(8) delivery agent.
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index b8855e96f..51524c890 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -1,5 +1,9 @@
Wish list:
+ Collect random bits and pieces in one SOHO_README document:
+ smtp_generic_maps, sender_dependent_mumble,
+ smtp_sasl_auth_cache_name/time.
+
See if "pickup =o content_filter=smtp:127.0.0.1" can be
made a viable alternative to the use of non_smtpd_milters.
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index a1a5de269..7d314e901 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -79,6 +79,9 @@ Postfix SMTP server
Enabling SASL authentication in the
Postfix SMTP client
+Supporting multiple ISP accounts
+in the Postfix SMTP client
+
Credits
@@ -636,42 +639,57 @@ table.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
/etc/postfix/sasl_passwd:
- foo.com username:password
- bar.com username
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
- The Postfix SMTP client opens the SASL client password file
-before entering the optional chroot jail, so you can keep the file
-in /etc/postfix and set permissions read / write only for root to
-keep the username:password combinations away from other system
+
Notes:
+
+
+
+-
The "submission" destination port tells Postfix to send
+mail via TCP network port 587, which is normally reserved for email
+clients. The default is to send mail to the "smtp" destination port
+(TCP port 25), which is used for receiving mail across the internet.
+If you use an explicit destination port in main.cf, then you must
+use the same form also in the smtp_sasl_password_maps file.
+
+ -
Postfix does not deliver mail via TCP port 465 (the obsolete
+"wrappermode" protocol). See TLS_README for a solution that uses the
+"stunnel" command.
+
+ -
The "[" and "]" prevent Postfix from looking up the MX
+(mail exchanger) records for the enclosed name. If you use this
+form in main.cf, then you must use the same form also in the
+smtp_sasl_password_maps file.
+
+ -
The Postfix SMTP client opens the SASL client password
+file before entering the optional chroot jail, so you can keep the
+file in /etc/postfix and set permissions read / write only for root
+to keep the username:password combinations away from other system
users.
- Postfix version 2.3 supports-per-sender SASL password
-information. To search the Postfix SASL password by sender
-before it searches by destination, specify:
+ -
Specify dbm instead of hash if your system
+uses dbm files instead of db files. To find out what
+lookup tables Postfix supports, use the command "postconf -m".
+
-
-
-/etc/postfix/main.cf:
- smtp_sender_dependent_authentication = yes
- smtp_sasl_auth_enable = yes
- smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+
-
Execute the command "postmap /etc/postfix/sasl_passwd"
+whenever you change the sasl_passwd table.
-/etc/postfix/sasl_passwd:
- user@example.com username:password
- bar.com username
- [mail.myisp.net] username:password
- [mail.myisp.net]:submission username:password
-
-
+
- Note: some remote SMTP servers support PLAIN or LOGIN authentication
-only.
+
Workarounds:
+
+
+
+-
Some remote SMTP servers support PLAIN or LOGIN authentication only.
By default, the Postfix SMTP client does not use authentication
methods that send plaintext passwords, and defers delivery with
the following error message: "Authentication failed: cannot SASL
@@ -685,7 +703,7 @@ for example:
- Note: some remote SMTP servers announce authentication mechanisms
+
-
Some remote SMTP servers announce authentication mechanisms
that don't actually work. It is possible via the smtp_sasl_mechanism_filter
parameter to restrict the list of server mechanisms that the Postfix
SMTP client will take into consideration:
@@ -701,11 +719,73 @@ SMTP client will take into consideration:
use mechanisms
that require special infrastructure such as Kerberos or TLS.
- The Postfix SMTP client is backwards compatible with SMTP
+
-
The Postfix SMTP client is backwards compatible with SMTP
servers that use the non-standard "AUTH=method..." syntax in response
to the EHLO command; there is no Postfix client configuration needed
to work around it.
+
+
+
+
+ Postfix version 2.3 supports multiple ISP accounts. This can
+be useful when one person uses the same machine for work and for
+personal use, or when people with different ISP accounts share the
+same Postfix server. To make this possible, Postfix 2.3 supports
+per-sender SASL passwords and per-sender relay hosts. In the example
+below, Postfix will search the SASL password file by sender before
+it searches that same file by destination. Likewise, Postfix will
+search the per-sender relayhost file, and use the default relayhost
+only as a final resort.
+
+
+
+/etc/postfix/main.cf:
+ smtp_sender_dependent_authentication = yes
+ sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
+
+/etc/postfix/sasl_passwd:
+ # Per-sender authentication; see also /etc/postfix/sender_relay.
+ user1@example.com username2:password2
+ user2@example.net username2:password2
+ # Login information for the default relayhost.
+ [mail.myisp.net] username:password
+ [mail.myisp.net]:submission username:password
+
+/etc/postfix/sender_relay:
+ # Per-sender provider; see also /etc/postfix/sasl_passwd.
+ user1@example.com [mail.example.com]:submission
+ user2@example.net [mail.example.net]
+
+
+
+ Notes:
+
+
+
+-
If you are creative, then you can try to combine the two
+tables into one single MySQL database, and configure different
+Postfix queries to extract the appropriate information.
+
+ -
Specify dbm instead of hash if your system
+uses dbm files instead of db files. To find out what
+lookup tables Postfix supports, use the command "postconf -m".
+
+
+ -
Execute the command "postmap /etc/postfix/sasl_passwd"
+whenever you change the sasl_passwd table.
+
+ -
Execute the command "postmap /etc/postfix/sender_relay"
+whenever you change the sender_relay table.
+
+
+
diff --git a/postfix/html/SOHO_README.html b/postfix/html/SOHO_README.html
new file mode 100644
index 000000000..2e22103b4
--- /dev/null
+++ b/postfix/html/SOHO_README.html
@@ -0,0 +1,385 @@
+
+
+
+
+
+
+Postfix Small/Home Office Hints and Tips
+
+
+
+
+
+
+
+
Postfix Small/Home Office Hints and Tips
+
+
+
+Overview
+
+ This document combines hints and tips for "small office/home
+office" applications into one document so that they are easier to
+find. The text describes the mail sending side only. If your machine
+does not receive mail directly (i.e. it does not have its own
+Internet domain name and its own fixed IP address), then you will
+need a solution such as "fetchmail", which is outside the scope of
+the Postfix documentation.
+
+
+
+ See the SASL_README and STANDARD_CONFIGURATION_README documents for
+further information on these topics.
+
+
+
+ Postfix should work out of the box without change on a stand-alone
+machine that has direct Internet access. At least, that is how
+Postfix installs when you download the Postfix source code via
+http://www.postfix.org/.
+
+ You can use the command "postconf -n" to find out what
+settings are overruled by your main.cf. Besides a few pathname
+settings, few parameters should be set on a stand-alone box, beyond
+what is covered in the BASIC_CONFIGURATION_README document:
+
+
+
+/etc/postfix/main.cf:
+ # Optional: send mail as user@domainname instead of user@hostname.
+ #myorigin = $mydomain
+
+ # Optional: specify NAT/proxy external address.
+ #proxy_interfaces = 1.2.3.4
+
+ # Alternative 1: don't relay mail from other hosts.
+ mynetworks_style = host
+ relay_domains =
+
+ # Alternative 2: relay mail from local clients only.
+ # mynetworks = 192.168.1.0/28
+ # relay_domains =
+
+
+
+ See also the section "Postfix on hosts without
+a real Internet hostname" if this is applicable to your configuration.
+
+
+
+
+ This section is for hosts that don't have their own Internet
+hostname. Typically these are systems that get a dynamic IP address
+via DHCP or via dialup. Postfix will let you send and receive mail
+just fine between accounts on a machine with a fantasy name. However,
+you cannot use a fantasy hostname in your email address when sending
+mail into the Internet, because no-one would be able to reply to
+your mail. In fact, more and more sites refuse mail addresses with
+non-existent domain names.
+
+ Note: the following information is Postfix version dependent.
+To find out what Postfix version you have, execute the command
+"postconf mail_version".
+
+Solution 1: Postfix version 2.2 and later
+
+ Postfix 2.2 uses the generic(5) address mapping to replace
+local fantasy email addresses by valid Internet addresses. This
+mapping happens ONLY when mail leaves the machine; not when you
+send mail between users on the same machine.
+
+ The following example presents additional configuration. You
+need to combine this with basic configuration information as
+discussed the first half of this document.
+
+
+
+1 /etc/postfix/main.cf:
+2 smtp_generic_maps = hash:/etc/postfix/generic
+3
+4 /etc/postfix/generic:
+5 his@localdomain.local hisaccount@hisisp.example
+6 her@localdomain.local heraccount@herisp.example
+7 @localdomain.local hisaccount+local@hisisp.example
+
+
+
+ When mail is sent to a remote host via SMTP:
+
+
+
+-
Line 5 replaces his@localdomain.local by his ISP
+mail address,
+
+ -
Line 6 replaces her@localdomain.local by her ISP
+mail address, and
+
+ -
Line 7 replaces other local addresses by his ISP account,
+with an address extension of +local (this example assumes
+that the ISP supports "+" style address extensions).
+
+
+
+Specify dbm instead of hash if your system uses
+dbm files instead of db files. To find out what lookup
+tables Postfix supports, use the command "postconf -m".
+
+ Execute the command "postmap /etc/postfix/generic"
+whenever you change the generic table.
+
+Solution 2: Postfix version 2.1 and earlier
+
+ The solution with older Postfix systems is to use valid
+Internet addresses where possible, and to let Postfix map valid
+Internet addresses to local fantasy addresses. With this, you can
+send mail to the Internet and to local fantasy addresses, including
+mail to local fantasy addresses that don't have a valid Internet
+address of their own.
+
+ The following example presents additional configuration. You
+need to combine this with basic configuration information as
+discussed the first half of this document.
+
+
+
+ 1 /etc/postfix/main.cf:
+ 2 myhostname = hostname.localdomain
+ 3 mydomain = localdomain
+ 4
+ 5 canonical_maps = hash:/etc/postfix/canonical
+ 6
+ 7 virtual_alias_maps = hash:/etc/postfix/virtual
+ 8
+ 9 /etc/postfix/canonical:
+10 your-login-name your-account@your-isp.com
+11
+12 /etc/postfix/virtual:
+13 your-account@your-isp.com your-login-name
+
+
+
+ Translation:
+
+
+
+-
Lines 2-3: Substitute your fantasy hostname here. Do not
+use a domain name that is already in use by real organizations
+on the Internet. See RFC 2606 for examples of domain
+names that are guaranteed not to be owned by anyone.
+
+ -
Lines 5, 9, 10: This provides the mapping from
+"your-login-name@hostname.localdomain" to "your-account@your-isp.com".
+This part is required.
+
+ -
Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com"
+locally, instead of sending it to the ISP. This part is not required
+but is convenient.
+
+
+
+Specify dbm instead of hash if your system uses
+dbm files instead of db files. To find out what lookup
+tables Postfix supports, use the command "postconf -m".
+
+ Execute the command "postmap /etc/postfix/canonical"
+whenever you change the canonical table.
+
+ Execute the command "postmap /etc/postfix/virtual"
+whenever you change the virtual table.
+
+
+
+ Turn on client-side SASL authentication, and specify a table
+with per-host or per-destination username and password information.
+The Postfix SMTP client first searches the table for an entry with
+the remote SMTP server hostname; if no entry is found, then the
+Postfix SMTP client searches the table for
+an entry with the next-hop destination. Usually, that is the
+right-hand part of an email address, but it can also be the information
+that is specified with the relayhost parameter or with a transport(5)
+table.
+
+
+
+/etc/postfix/main.cf:
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ smtp_sasl_type = cyrus
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
+
+/etc/postfix/sasl_passwd:
+ [mail.myisp.net] username:password
+ [mail.myisp.net]:submission username:password
+
+
+
+ Notes:
+
+
+
+-
The "submission" destination port tells Postfix to send
+mail via TCP network port 587, which is normally reserved for email
+clients. The default is to send mail to the "smtp" destination port
+(TCP port 25), which is used for receiving mail across the internet.
+If you use an explicit destination port in main.cf, then you must
+use the same form also in the smtp_sasl_password_maps file.
+
+ -
Postfix does not deliver mail via TCP port 465 (the obsolete
+"wrappermode" protocol). See TLS_README for a solution that uses the
+"stunnel" command.
+
+ -
The "[" and "]" prevent Postfix from looking up the MX
+(mail exchanger) records for the enclosed name. If you use this
+form in main.cf, then you must use the same form also in the
+smtp_sasl_password_maps file.
+
+ -
The Postfix SMTP client opens the SASL client password
+file before entering the optional chroot jail, so you can keep the
+file in /etc/postfix and set permissions read / write only for root
+to keep the username:password combinations away from other system
+users.
+
+ -
Specify dbm instead of hash if your system
+uses dbm files instead of db files. To find out what
+lookup tables Postfix supports, use the command "postconf -m".
+
+
+ -
Execute the command "postmap /etc/postfix/sasl_passwd"
+whenever you change the sasl_passwd table.
+
+
+
+ Workarounds:
+
+
+
+-
Some remote SMTP servers support PLAIN or LOGIN authentication only.
+By default, the Postfix SMTP client does not use authentication
+methods that send plaintext passwords, and defers delivery with
+the following error message: "Authentication failed: cannot SASL
+authenticate to server". To enable plaintext authentication specify,
+for example:
+
+
+
+/etc/postfix/main.cf:
+ smtp_sasl_security_options = noanonymous
+
+
+
+ -
Some remote SMTP servers announce authentication mechanisms
+that don't actually work. It is possible via the smtp_sasl_mechanism_filter
+parameter to restrict the list of server mechanisms that the Postfix
+SMTP client will take into consideration:
+
+
+
+/etc/postfix/main.cf:
+ smtp_sasl_mechanism_filter = !gssapi, !external, static:all
+
+
+
+ In the above example, the Postfix SMTP client will decline to
+use mechanisms
+that require special infrastructure such as Kerberos or TLS.
+
+ -
The Postfix SMTP client is backwards compatible with SMTP
+servers that use the non-standard "AUTH=method..." syntax in response
+to the EHLO command; there is no Postfix client configuration needed
+to work around it.
+
+
+
+
+
+ Postfix version 2.3 supports multiple ISP accounts. This can
+be useful when one person uses the same machine for work and for
+personal use, or when people with different ISP accounts share the
+same Postfix server. To make this possible, Postfix 2.3 supports
+per-sender SASL passwords and per-sender relay hosts. In the example
+below, Postfix will search the SASL password file by sender before
+it searches that same file by destination. Likewise, Postfix will
+search the per-sender relayhost file, and use the default relayhost
+only as a final resort.
+
+
+
+/etc/postfix/main.cf:
+ smtp_sender_dependent_authentication = yes
+ sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
+
+/etc/postfix/sasl_passwd:
+ # Per-sender authentication; see also /etc/postfix/sender_relay.
+ user1@example.com username2:password2
+ user2@example.net username2:password2
+ # Login information for the default relayhost.
+ [mail.myisp.net] username:password
+ [mail.myisp.net]:submission username:password
+
+/etc/postfix/sender_relay:
+ # Per-sender provider; see also /etc/postfix/sasl_passwd.
+ user1@example.com [mail.example.com]:submission
+ user2@example.net [mail.example.net]
+
+
+
+ Notes:
+
+
+
+-
If you are creative, then you can try to combine the two
+tables into one single MySQL database, and configure different
+Postfix queries to extract the appropriate information.
+
+ -
Specify dbm instead of hash if your system
+uses dbm files instead of db files. To find out what
+lookup tables Postfix supports, use the command "postconf -m".
+
+
+ -
Execute the command "postmap /etc/postfix/sasl_passwd"
+whenever you change the sasl_passwd table.
+
+ -
Execute the command "postmap /etc/postfix/sender_relay"
+whenever you change the sender_relay table.
+
+
+
+
+
+
diff --git a/postfix/html/STANDARD_CONFIGURATION_README.html b/postfix/html/STANDARD_CONFIGURATION_README.html
index e2163568d..ef7365d86 100644
--- a/postfix/html/STANDARD_CONFIGURATION_README.html
+++ b/postfix/html/STANDARD_CONFIGURATION_README.html
@@ -81,9 +81,13 @@ what is covered in the BASIC_CONFIGURA
# Optional: specify NAT/proxy external address.
#proxy_interfaces = 1.2.3.4
- # Don't relay mail from other hosts.
+ # Alternative 1: don't relay mail from other hosts.
mynetworks_style = host
relay_domains =
+
+ # Alternative 2: relay mail from local clients only.
+ # mynetworks = 192.168.1.0/28
+ # relay_domains =
@@ -789,7 +793,7 @@ discussed the first half of this document.
-
Lines 2-3: Substitute your fantasy hostname here. Do not
use a domain name that is already in use by real organizations
-on the Internet. See RFC 2606 for examples of domain
+on the Internet. See RFC 2606 for examples of domain
names that are guaranteed not to be owned by anyone.
-
Lines 5, 9, 10: This provides the mapping from
diff --git a/postfix/html/index.html b/postfix/html/index.html
index b2e51c61e..9b7d128be 100644
--- a/postfix/html/index.html
+++ b/postfix/html/index.html
@@ -28,6 +28,8 @@
- Basic configuration
+
- Small/home office hints and tips
+
- Standard
configuration examples
@@ -74,6 +76,14 @@ overview
- Built-in content inspection
+
+
+
+
+
+
+
- |
-
-
-
SMTP Relay and access control
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index a6fc25003..f3ae20f90 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -8205,6 +8205,12 @@ same server, username and password, and instead bounces or defers
mail as controlled with the smtp_sasl_auth_soft_bounce configuration
parameter.
+ Use a per-destination delivery concurrency of 1 (for example,
+"smtp_destination_concurrency_limit = 1",
+"relay_destination_concurrency_limit = 1", etc.), otherwise multiple
+delivery agents may experience a login failure at the same time.
+
+
The table must be accessed via the proxywrite service, i.e. the
map name must start with "proxy:". The table should be stored under
the directory specified with the data_directory parameter.
diff --git a/postfix/implementation-notes/MILTER b/postfix/implementation-notes/MILTER
index 0da7cc5db..f67fb90c5 100644
--- a/postfix/implementation-notes/MILTER
+++ b/postfix/implementation-notes/MILTER
@@ -247,4 +247,8 @@ or backward compatibility.
It does mean, however, that a pointer record can easily exceed the
length of a header record. This is why we go through the trouble
-of record relocation and dummy records.
+of record relocation and dummy records.
+
+In Postfix 2.4 we fixed this by adding padding to short message
+header records so that we can always write a pointer record over a
+message header. This immensly simplifies the code.
diff --git a/postfix/makedefs b/postfix/makedefs
index df3e7717c..0585fa055 100644
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -484,7 +484,7 @@ ${WARN='-Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
# Snapshot only.
-CCARGS="$CCARGS -DSNAPSHOT"
+#CCARGS="$CCARGS -DSNAPSHOT"
# Non-production: needs thorough testing, or major changes are still
# needed before the code stabilizes.
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 141e5e04d..b8bac10b3 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -4616,6 +4616,11 @@ same server, username and password, and instead bounces or defers
mail as controlled with the smtp_sasl_auth_soft_bounce configuration
parameter.
.PP
+Use a per-destination delivery concurrency of 1 (for example,
+"smtp_destination_concurrency_limit = 1",
+"relay_destination_concurrency_limit = 1", etc.), otherwise multiple
+delivery agents may experience a login failure at the same time.
+.PP
The table must be accessed via the proxywrite service, i.e. the
map name must start with "proxy:". The table should be stored under
the directory specified with the data_directory parameter.
diff --git a/postfix/mantools/make_soho_readme b/postfix/mantools/make_soho_readme
new file mode 100755
index 000000000..3d018dbb2
--- /dev/null
+++ b/postfix/mantools/make_soho_readme
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+cat <<'EOF'
+
+
+
+
+
+
+Postfix Small/Home Office Hints and Tips
+
+
+
+
+
+
+
+ Postfix Small/Home Office Hints and Tips
+
+
+
+Overview
+
+ This document combines hints and tips for "small office/home
+office" applications into one document so that they are easier to
+find. The text describes the mail sending side only. If your machine
+does not receive mail directly (i.e. it does not have its own
+Internet domain name and its own fixed IP address), then you will
+need a solution such as "fetchmail", which is outside the scope of
+the Postfix documentation.
+
+
+
+ See the SASL_README and STANDARD_CONFIGURATION_README documents for
+further information on these topics.
+
+EOF
+
+sed -n '/^
@@ -636,42 +639,57 @@ table.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
/etc/postfix/sasl_passwd:
- foo.com username:password
- bar.com username
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
- The Postfix SMTP client opens the SASL client password file
-before entering the optional chroot jail, so you can keep the file
-in /etc/postfix and set permissions read / write only for root to
-keep the username:password combinations away from other system
+ Notes:
+
+
+
+-
The "submission" destination port tells Postfix to send
+mail via TCP network port 587, which is normally reserved for email
+clients. The default is to send mail to the "smtp" destination port
+(TCP port 25), which is used for receiving mail across the internet.
+If you use an explicit destination port in main.cf, then you must
+use the same form also in the smtp_sasl_password_maps file.
+
+ -
Postfix does not deliver mail via TCP port 465 (the obsolete
+"wrappermode" protocol). See TLS_README for a solution that uses the
+"stunnel" command.
+
+ -
The "[" and "]" prevent Postfix from looking up the MX
+(mail exchanger) records for the enclosed name. If you use this
+form in main.cf, then you must use the same form also in the
+smtp_sasl_password_maps file.
+
+ -
The Postfix SMTP client opens the SASL client password
+file before entering the optional chroot jail, so you can keep the
+file in /etc/postfix and set permissions read / write only for root
+to keep the username:password combinations away from other system
users.
- Postfix version 2.3 supports-per-sender SASL password
-information. To search the Postfix SASL password by sender
-before it searches by destination, specify:
+ -
Specify dbm instead of hash if your system
+uses dbm files instead of db files. To find out what
+lookup tables Postfix supports, use the command "postconf -m".
+
-
-
-/etc/postfix/main.cf:
- smtp_sender_dependent_authentication = yes
- smtp_sasl_auth_enable = yes
- smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ -
Execute the command "postmap /etc/postfix/sasl_passwd"
+whenever you change the sasl_passwd table.
-/etc/postfix/sasl_passwd:
- user@example.com username:password
- bar.com username
- [mail.myisp.net] username:password
- [mail.myisp.net]:submission username:password
-
-
+
- Note: some remote SMTP servers support PLAIN or LOGIN authentication
-only.
+ Workarounds:
+
+
+
+-
Some remote SMTP servers support PLAIN or LOGIN authentication only.
By default, the Postfix SMTP client does not use authentication
methods that send plaintext passwords, and defers delivery with
the following error message: "Authentication failed: cannot SASL
@@ -685,7 +703,7 @@ for example:
- Note: some remote SMTP servers announce authentication mechanisms
+ -
Some remote SMTP servers announce authentication mechanisms
that don't actually work. It is possible via the smtp_sasl_mechanism_filter
parameter to restrict the list of server mechanisms that the Postfix
SMTP client will take into consideration:
@@ -701,11 +719,73 @@ SMTP client will take into consideration:
use mechanisms
that require special infrastructure such as Kerberos or TLS.
- The Postfix SMTP client is backwards compatible with SMTP
+ -
The Postfix SMTP client is backwards compatible with SMTP
servers that use the non-standard "AUTH=method..." syntax in response
to the EHLO command; there is no Postfix client configuration needed
to work around it.
+
+
+Supporting multiple ISP accounts
+in the Postfix SMTP client
+
+ Postfix version 2.3 supports multiple ISP accounts. This can
+be useful when one person uses the same machine for work and for
+personal use, or when people with different ISP accounts share the
+same Postfix server. To make this possible, Postfix 2.3 supports
+per-sender SASL passwords and per-sender relay hosts. In the example
+below, Postfix will search the SASL password file by sender before
+it searches that same file by destination. Likewise, Postfix will
+search the per-sender relayhost file, and use the default relayhost
+only as a final resort.
+
+
+
+/etc/postfix/main.cf:
+ smtp_sender_dependent_authentication = yes
+ sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ relayhost = [mail.myisp.net]
+ # Alternative form:
+ # relayhost = [mail.myisp.net]:submission
+
+/etc/postfix/sasl_passwd:
+ # Per-sender authentication; see also /etc/postfix/sender_relay.
+ user1@example.com username2:password2
+ user2@example.net username2:password2
+ # Login information for the default relayhost.
+ [mail.myisp.net] username:password
+ [mail.myisp.net]:submission username:password
+
+/etc/postfix/sender_relay:
+ # Per-sender provider; see also /etc/postfix/sasl_passwd.
+ user1@example.com [mail.example.com]:submission
+ user2@example.net [mail.example.net]
+
+
+
+ Notes:
+
+
+
+-
If you are creative, then you can try to combine the two
+tables into one single MySQL database, and configure different
+Postfix queries to extract the appropriate information.
+
+ -
Specify dbm instead of hash if your system
+uses dbm files instead of db files. To find out what
+lookup tables Postfix supports, use the command "postconf -m".
+
+
+ -
Execute the command "postmap /etc/postfix/sasl_passwd"
+whenever you change the sasl_passwd table.
+
+ -
Execute the command "postmap /etc/postfix/sender_relay"
+whenever you change the sender_relay table.
+
+
+
Credits
diff --git a/postfix/proto/STANDARD_CONFIGURATION_README.html b/postfix/proto/STANDARD_CONFIGURATION_README.html
index ececbf902..ff5b64f56 100644
--- a/postfix/proto/STANDARD_CONFIGURATION_README.html
+++ b/postfix/proto/STANDARD_CONFIGURATION_README.html
@@ -81,9 +81,13 @@ what is covered in the BASIC_CONFIGURATION_README document:
# Optional: specify NAT/proxy external address.
#proxy_interfaces = 1.2.3.4
- # Don't relay mail from other hosts.
+ # Alternative 1: don't relay mail from other hosts.
mynetworks_style = host
relay_domains =
+
+ # Alternative 2: relay mail from local clients only.
+ # mynetworks = 192.168.1.0/28
+ # relay_domains =
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 2289fb2cd..21c82d2e5 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -11466,6 +11466,12 @@ same server, username and password, and instead bounces or defers
mail as controlled with the smtp_sasl_auth_soft_bounce configuration
parameter.
+ Use a per-destination delivery concurrency of 1 (for example,
+"smtp_destination_concurrency_limit = 1",
+"relay_destination_concurrency_limit = 1", etc.), otherwise multiple
+delivery agents may experience a login failure at the same time.
+
+
The table must be accessed via the proxywrite service, i.e. the
map name must start with "proxy:". The table should be stored under
the directory specified with the data_directory parameter.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 32550eb9d..70761f178 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20080114"
+#define MAIL_RELEASE_DATE "20080115"
#define MAIL_VERSION_NUMBER "2.5"
#ifdef SNAPSHOT
diff --git a/postfix/src/smtp/smtp_sasl_auth_cache.c b/postfix/src/smtp/smtp_sasl_auth_cache.c
index ed9821756..33f308f1e 100644
--- a/postfix/src/smtp/smtp_sasl_auth_cache.c
+++ b/postfix/src/smtp/smtp_sasl_auth_cache.c
@@ -133,8 +133,8 @@ SMTP_SASL_AUTH_CACHE *smtp_sasl_auth_cache_init(const char *map, int ttl)
#define CACHE_DICT_OPEN_FLAGS \
(DICT_FLAG_DUP_REPLACE | DICT_FLAG_SYNC_UPDATE)
- if (strncmp(map, DICT_TYPE_PROXY, sizeof(DICT_TYPE_PROXY)) - 1 != 0
- && map[sizeof(DICT_TYPE_PROXY) - 1] != ':')
+ if (strncmp(map, DICT_TYPE_PROXY, sizeof(DICT_TYPE_PROXY) - 1) != 0
+ || map[sizeof(DICT_TYPE_PROXY) - 1] != ':')
msg_fatal("SASL authentication cache name \"%s\" must start with \""
DICT_TYPE_PROXY "\":", map);
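Review bot: The "proxy:" prefix test in smtp_sasl_auth_cache_init() is still written as two conditions, a strncmp() over the type name plus a separate index for the colon, and that split is where the misplaced parenthesis and the `&&` went wrong. DICT_TYPE_PROXY is a string-literal macro (the msg_fatal() call concatenates it with adjacent literals), so the whole check can be one comparison: `if (strncmp(map, DICT_TYPE_PROXY ":", sizeof(DICT_TYPE_PROXY ":") - 1) != 0)`. If the two-part form is kept, a comment such as `/* "||" short-circuits: map[...] is read only after the prefix matched, so the index stays inside the string */` would record why the index is safe for names shorter than the prefix. The function body starts before and continues after this hunk, so the check is the only part reviewed here.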