From e31ae1582b7cf33bae78a96a9a201b9f4f3fd658 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Sat, 4 Dec 2010 00:00:00 -0500
Subject: [PATCH] postfix-2.8-20101204
---
postfix/HISTORY | 27 +++
postfix/README_FILES/LDAP_README | 11 +-
postfix/README_FILES/POSTSCREEN_README | 32 ++--
postfix/RELEASE_NOTES | 8 +
postfix/WISHLIST | 13 +-
postfix/html/LDAP_README.html | 19 ++-
postfix/html/POSTSCREEN_README.html | 35 ++--
postfix/html/ldap_table.5.html | 184 ++++++++++++++-------
postfix/html/postscreen.8.html | 171 ++++++++++---------
postfix/man/man5/ldap_table.5 | 62 ++++++-
postfix/man/man8/postscreen.8 | 17 +-
postfix/proto/LDAP_README.html | 19 ++-
postfix/proto/POSTSCREEN_README.html | 35 ++--
postfix/proto/ldap_table | 60 ++++++-
postfix/src/cleanup/cleanup_map1n.c | 43 +++--
postfix/src/global/dict_ldap.c | 192 ++++++++++++++++++++--
postfix/src/global/mail_version.h | 2 +-
postfix/src/global/mime_state.c | 2 +-
postfix/src/global/pipe_command.c | 5 +-
postfix/src/global/scache_clnt.c | 2 +-
postfix/src/local/local.c | 2 +-
postfix/src/pickup/pickup.c | 5 +-
postfix/src/pipe/pipe.c | 2 +-
postfix/src/postscreen/postscreen.c | 19 +--
postfix/src/postscreen/postscreen_early.c | 4 +-
postfix/src/postscreen/postscreen_misc.c | 4 +-
postfix/src/postscreen/postscreen_send.c | 13 +-
postfix/src/smtp/smtp.c | 2 +-
28 files changed, 720 insertions(+), 270 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 0268d42c1..759feb0cc 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -16205,3 +16205,30 @@ Apologies for any names omitted.
Workaround: BSD-ish mkdir() ignores the effective GID
and copies group ownership from the parent directory.
File: util/make_dirs.c.
+
+20101202
+
+ Feature: the LDAP client can now authenticate to LDAP servers
+ via SASL. This is tested with SASL GSSAPI and Kerberos 5.
+ Code by Victor Duchovni. Files: global/dict_ldap.c,
+ proto/LDAP_README.html, proto/ldap_table.
+
+ Cleanup: the cleanup server now reports a temporary delivery
+ error when it reaches the virtual_alias_expansion_limit or
+ virtual_alias_recursion_limit. Previously, it would silently
+ ignore the excess recipients and deliver the message. File:
+ cleanup/cleanup_map1n.c.
+
+20101204
+
+ Cleanup: sache_clnt_create() had an unnecessary data
+ dependency on the non-library var_scache_service variable,
+ causing problems with shared library builds. Instead, it
+ should use its service argument (which has the same value).
+ File: global/scache.c.
+
+ Cleanup: pipe_command.c had an unnecessary data dependency
+ on the non-library var_command_maxtime variable, causing
+ problems with shared library builds. The dependency was not
+ necessary because the callers already specify an explicit
+ time limit. File: global/pipe_command.c.
diff --git a/postfix/README_FILES/LDAP_README b/postfix/README_FILES/LDAP_README
index 12ae27530..bfcb7963a 100644
--- a/postfix/README_FILES/LDAP_README
+++ b/postfix/README_FILES/LDAP_README
@@ -81,6 +81,11 @@ AUXLIBS line to point to libldap10.so or libldapssl30.so or whatever you have,
and you may need to use the appropriate linker option (e.g. '-R') so the
executables can find it at runtime.
+If you are using OpenLDAP, and the libraries were built with SASL support, you
+can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support. For example:
+
+ CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
+
CCoonnffiigguurriinngg LLDDAAPP llooookkuuppss
In order to use LDAP lookups, define an LDAP source as a table lookup in
@@ -89,8 +94,8 @@ main.cf, for example:
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf can specify a great number of parameters,
-including parameters that enable LDAP SSL and STARTTLS. For a complete
-description, see the ldap_table(5) manual page.
+including parameters that enable LDAP SSL or STARTTLS, and LDAP SASL. For a
+complete description, see the ldap_table(5) manual page.
EExxaammppllee:: llooccaall((88)) aalliiaasseess
@@ -440,6 +445,8 @@ CCrreeddiittss
* Gunnar Wrobel provided a first implementation of a feature to limit LDAP
search results to leaf nodes only. Victor generalized this into the Postfix
2.4 "leaf_result_attribute" feature.
+ * Quanah Gibson-Mount contributed support for advanced LDAP SASL mechanisms,
+ beyond the password-based LDAP "simple" bind.
And of course Wietse.
diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README
index a03ebe34a..5e3e02271 100644
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@@ -39,7 +39,9 @@ The main challenge for postscreen(8) is to make an is-it-a-zombie decision
based on a single measurement. This is necessary because many zombies avoid
spamming the same site repeatedly, in an attempt to fly under the radar. Once
postscreen(8) decides that a client is not-a-zombie, it whitelists the client
-temporarily to avoid further delays for legitimate mail.
+temporarily to avoid further delays for legitimate mail. Clients that pass
+postscreen(8) are still subject to the checks that are built into Postfix smtpd
+(8), Postfix built-in content filters, and external content filters.
Zombies have challenges too: they have only a limited amount of time to deliver
spam before their IP address becomes blacklisted. To speed up spam deliveries,
@@ -50,23 +52,22 @@ continue sending mail even when the server tells them to go away.
postscreen(8) uses a variety of measurements to recognize zombies. First,
postscreen(8) determines if the remote SMTP client IP address is blacklisted.
Second, postscreen(8) looks for protocol compromises that are made to speed up
-delivery. The results of such measurements don't change with each delivery
-attempt, and are therefore good for making an is-it-a-zombie decision based on
-a single measurement.
+delivery. These are good indicators for making is-it-a-zombie decisions based
+on single measurements.
-postscreen(8) does not inspect message content. Message content can vary widely
-with each delivery attempt, especially with clients that (also) send legitimate
-email. Content is therefore not good for making an is-it-a-zombie decision
-based on a single measurement, and that is the problem that postscreen(8) is
+postscreen(8) does not inspect message content. Message content can vary from
+one delivery to the next, especially with clients that (also) send legitimate
+email. Content is not a good indicator for making is-it-a-zombie decisions
+based on single measurements, and that is the problem that postscreen(8) is
focused on.
GGeenneerraall ooppeerraattiioonn
The postscreen(8) triage process involves a number of tests, in the order as
described below. Some tests introduce a delay of a few seconds. Once a client
-passes all tests, its IP address is temporarily excluded from any tests,
-typically 24 hours for simple tests or 1 week for complex tests. This minimizes
-the impact of the tests on legitimate mail clients.
+passes a test, its IP address is whitelisted from 24 hours for simple tests, to
+1 week for complex tests. Whitelisting minimizes the impact of postscreen(8)'s
+tests on legitimate mail clients.
After logging its findings, postscreen(8) by default hands off all connections
to a Postfix SMTP server process. This mode is useful for non-destructive
@@ -252,11 +253,12 @@ discussed next.
* postscreen(8)'s built-in SMTP engine does not implement the AUTH, STARTTLS,
XCLIENT, and XFORWARD features. STARTTLS and AUTH support may be added in a
- future version.
+ future version. In the mean time, if you need to make these services
+ available on port 25, then do not enable the tests after the 220 server
+ greeting.
-End-user clients should connect directly to the submission service. Other
-systems that require the above features should directly connect to a Postfix
-SMTP server, or they should be placed on the postscreen(8) whitelist.
+End-user clients should connect directly to the submission service, so that
+they never have to deal with postscreen(8)'s tests.
* Command pipelining test
* Non-SMTP command test
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 501e4baac..defa8bcd9 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -33,6 +33,14 @@ This is supported only when the default value is stress-dependent
postscreen parameters always evaluate as if the stress value is
equal to the empty string.
+Incompatibility with snapshot 20101202
+======================================
+
+Postfix now reports a temporary delivery error when the result of
+virtual alias expansion would exceed the virtual_alias_recursion_limit
+or virtual_alias_expansion_limit. Previously, Postfix would silently
+drop the excess recipients and deliver the message.
+
Incompatibility with snapshot 20101130
======================================
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index e9dd7ac95..0e31672da 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -6,9 +6,10 @@ Wish list:
smtpd xclient option for sasl_username.
- Use different ipc_timeout settings for email message
- transactions (smtpd, pickup)->cleanup and for quick query/reply
- transactions such as address rewriting/resolution.
+ Use different ipc time limits for email message transactions
+ (smtpd, pickup)->cleanup and for quick query/reply transactions
+ such as address rewriting/resolution. Beware of large time
+ limits for local or virtual alias expansion.
permit_tempfail_action (default: defer_if_reject) to be
used as the default value for dnswl_tempfail_action and
@@ -22,9 +23,11 @@ Wish list:
Replace sscanf() numerical conversions by strto[dl]()
for better error reporting.
- Consistency: in postconf.proto make .. tags bold.
+ As postscreen implements more ESMTP keywords, need to copy
+ inter-operability features from smtpd to filter keywords
+ and command syntax.
- Milter addrcpt - use Sendmail-compatible default DSN settings.
+ Consistency: in postconf.proto make .. tags bold.
postscreen(8): listen on multiple IP addresses and enforce
that the client contacts the primary MX address first (i.e.
diff --git a/postfix/html/LDAP_README.html b/postfix/html/LDAP_README.html
index ac1239b8b..6a3539280 100644
--- a/postfix/html/LDAP_README.html
+++ b/postfix/html/LDAP_README.html
@@ -128,6 +128,16 @@ change the AUXLIBS line to point to libldap10.so or libldapssl30.so
or whatever you have, and you may need to use the appropriate linker
option (e.g. '-R') so the executables can find it at runtime.
+ If you are using OpenLDAP, and the libraries were built with SASL
+support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
+For example:
+
+
+
+ CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
+
+
+
In order to use LDAP lookups, define an LDAP source
@@ -140,9 +150,9 @@ as a table lookup in main.cf, for example:
The file /etc/postfix/ldap-aliases.cf can specify a great number
-of parameters, including parameters that enable LDAP SSL and
-STARTTLS. For a complete description, see the ldap_table(5) manual
-page.
+of parameters, including parameters that enable LDAP SSL or STARTTLS,
+and LDAP SASL. For a complete description, see the ldap_table(5)
+manual page.
@@ -591,6 +601,9 @@ expansion_limit interface for LDAP, MySQL and PosgreSQL.
limit LDAP search results to leaf nodes only. Victor generalized
this into the Postfix 2.4 "leaf_result_attribute" feature.
+Quanah Gibson-Mount contributed support for advanced LDAP SASL
+mechanisms, beyond the password-based LDAP "simple" bind.
+
And of course Wietse.
diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html
index b59eecd13..e5ef607a6 100644
--- a/postfix/html/POSTSCREEN_README.html
+++ b/postfix/html/POSTSCREEN_README.html
@@ -67,7 +67,10 @@ decision based on a single measurement. This is necessary because
many zombies avoid spamming the same site repeatedly, in an attempt
to fly under the radar. Once postscreen(8) decides that a client
is not-a-zombie, it whitelists the client temporarily to avoid
-further delays for legitimate mail.
+further delays for legitimate mail. Clients that pass postscreen(8)
+are still subject to the checks that are built into Postfix smtpd(8),
+Postfix built-in content filters, and external content filters.
+
Zombies have challenges too: they have only a limited amount
of time to deliver spam before their IP address becomes blacklisted.
@@ -79,25 +82,24 @@ mail even when the server tells them to go away.
postscreen(8) uses a variety of measurements to recognize
zombies. First, postscreen(8) determines if the remote SMTP client
IP address is blacklisted. Second, postscreen(8) looks for protocol
-compromises that are made to speed up delivery. The results of
-such measurements don't change with each delivery attempt, and are
-therefore good for making an is-it-a-zombie decision based on a
-single measurement.
+compromises that are made to speed up delivery. These are good
+indicators for making is-it-a-zombie decisions based on single
+measurements.
postscreen(8) does not inspect message content. Message content
-can vary widely with each delivery attempt, especially with clients
-that (also) send legitimate email. Content is therefore not good
-for making an is-it-a-zombie decision based on a single measurement,
+can vary from one delivery to the next, especially with clients
+that (also) send legitimate email. Content is not a good indicator
+for making is-it-a-zombie decisions based on single measurements,
and that is the problem that postscreen(8) is focused on.
The postscreen(8) triage process involves a number of tests,
in the order as described below. Some tests introduce a delay of
-a few seconds. Once a client passes all tests, its IP address is
-temporarily excluded from any tests, typically 24 hours for simple
-tests or 1 week for complex tests. This minimizes the impact of
-the tests on legitimate mail clients.
+a few seconds. Once a client passes a test, its IP address is
+whitelisted from 24 hours for simple tests, to 1 week for complex
+tests. Whitelisting minimizes the impact of postscreen(8)'s tests
+on legitimate mail clients.
After logging its findings, postscreen(8) by default hands off
all connections to a Postfix SMTP server process. This mode is
@@ -340,14 +342,15 @@ a relatively long expiration time.
postscreen(8)'s built-in SMTP engine does not implement
the AUTH, STARTTLS, XCLIENT, and XFORWARD features. STARTTLS and
-AUTH support may be added in a future version.
+AUTH support may be added in a future version. In the mean time,
+if you need to make these services available on port 25, then do
+not enable the tests after the 220 server greeting.
End-user clients should connect directly to the submission
-service. Other systems that require the above features
-should directly connect to a Postfix SMTP server, or they
-should be placed on the postscreen(8) whitelist.
+service, so that they never have to deal with postscreen(8)'s tests.
+
diff --git a/postfix/html/ldap_table.5.html b/postfix/html/ldap_table.5.html
index d7d01d1a4..2c027b8bc 100644
--- a/postfix/html/ldap_table.5.html
+++ b/postfix/html/ldap_table.5.html
@@ -451,11 +451,26 @@ LDAP_TABLE(5) LDAP_TABLE(5)
and LDAP_SCOPE_ONELEVEL.
bind (default: yes)
- Whether or not to bind to the LDAP server. Newer
+ Whether or how to bind to the LDAP server. Newer
LDAP implementations don't require clients to bind,
which saves time. Example:
+ # Don't bind
bind = no
+ # Use SIMPLE bind
+ bind = yes
+ # Use SASL bind
+ bind = sasl
+
+ Postfix versions prior to 2.8 only support "bind =
+ no" which means don't bind, and "bind = yes" which
+ means do a SIMPLE bind. Postfix 2.8 and later also
+ supports "bind = SASL" when compiled with LDAP SASL
+ support as described in LDAP_README, it also adds
+ the synonyms "bind = none" and "bind = simple" for
+ "bind = no" and "bind = yes" respectively. See the
+ SASL section below for additional parameters avail-
+ able with "bind = sasl".
If you do need to bind, you might consider config-
uring Postfix to connect to the local machine on a
@@ -470,6 +485,9 @@ LDAP_TABLE(5) LDAP_TABLE(5)
guished name. Example:
bind_dn = uid=postfix, dc=your, dc=com
+ With "bind = sasl" (see above) the DN may be
+ optional for some SASL mechanisms, don't specify a
+ DN if not needed.
bind_pw (default: empty)
The password for the distinguished name above. If
@@ -483,6 +501,9 @@ LDAP_TABLE(5) LDAP_TABLE(5)
mand. Example:
bind_pw = postfixpw
+ With "bind = sasl" (see above) the password may be
+ optional for some SASL mechanisms, don't specify a
+ password if not needed.
cache (IGNORED with a warning)
@@ -553,12 +574,63 @@ LDAP_TABLE(5) LDAP_TABLE(5)
What level to set for debugging in the OpenLDAP
libraries.
+LDAP SASL PARAMETERS
+ If you're using the OpenLDAP libraries compiled with SASL
+ support, Postfix 2.8 and later built with LDAP SASL sup-
+ port as described in LDAP_README can authenticate to LDAP
+ servers via SASL.
+
+ This enables authentication to the LDAP server via mecha-
+ nisms other than a simple password. The added flexibility
+ has a cost: it is no longer practical to set an explicit
+ timeout on the duration of an LDAP bind operation. Under
+ adverse conditions, whether a SASL bind times out, or if
+ it does, the duration of the timeout is determined by the
+ LDAP and SASL libraries.
+
+ It is best to use tables that use SASL binds via prox-
+ ymap(8), this way the requesting process can time-out the
+ proxymap request. This also lets you tailer the process
+ environment by overriding the proxymap(8) import_environ-
+ ment setting in master.cf(5). Special environment settings
+ may be needed to configure GSSAPI credential caches or
+ other SASL mechanism specific options. The GSSAPI creden-
+ tials used for LDAP lookups may need to be different than
+ say those used for the Postfix SMTP client to authenticate
+ to remote servers.
+
+ Using SASL mechanisms requires LDAP protocol version 3,
+ the default protocol version is 2 for backwards compati-
+ bility. You must set "version = 3" in addition to "bind =
+ sasl".
+
+ The following parameters are relevant to using LDAP with
+ SASL
+
+ sasl (default: no)
+ Whether or not to use SASL binds to the server.
+ Can be yes or no.
+
+ sasl_mechs (default: empty)
+ Space separated list of SASL mechanism(s) to try.
+
+ sasl_realm (default: empty)
+ SASL Realm to use, if applicable.
+
+ sasl_authz_id (default: empty)
+ The SASL authorization identity to assert, if
+ applicable.
+
+ sasl_minssf (default: 0)
+ The minimum required sasl security factor required
+ to establish a connection.
+
LDAP SSL AND STARTTLS PARAMETERS
- If you're using the OpenLDAP libraries compiled with SSL
- support, Postfix can connect to LDAP SSL servers and can
+ If you're using the OpenLDAP libraries compiled with SSL
+ support, Postfix can connect to LDAP SSL servers and can
issue the STARTTLS command.
- LDAP SSL service can be requested by using a LDAP SSL URL
+ LDAP SSL service can be requested by using a LDAP SSL URL
in the server_host parameter:
server_host = ldaps://ldap.example.com:636
@@ -567,82 +639,82 @@ LDAP_TABLE(5) LDAP_TABLE(5)
start_tls = yes
- Both forms require LDAP protocol version 3, which has to
+ Both forms require LDAP protocol version 3, which has to
be set explicitly with:
version = 3
If any of the Postfix programs querying the map is config-
- ured in master.cf to run chrooted, all the certificates
+ ured in master.cf to run chrooted, all the certificates
and keys involved have to be copied to the chroot jail. Of
- course, the private keys should only be readable by the
+ course, the private keys should only be readable by the
user "postfix".
- The following parameters are relevant to LDAP SSL and
+ The following parameters are relevant to LDAP SSL and
STARTTLS:
start_tls (default: no)
Whether or not to issue STARTTLS upon connection to
- the server. Don't set this with LDAP SSL (the SSL
+ the server. Don't set this with LDAP SSL (the SSL
session is setup automatically when the TCP connec-
tion is opened).
- tls_ca_cert_dir (No default; set either this or
+ tls_ca_cert_dir (No default; set either this or
tls_ca_cert_file)
Directory containing X509 Certificate Authority
- certificates in PEM format which are to be recog-
- nized by the client in SSL/TLS connections. The
- files each contain one CA certificate. The files
- are looked up by the CA subject name hash value,
- which must hence be available. If more than one CA
- certificate with the same name hash value exist,
- the extension must be different (e.g. 9d66eef0.0,
- 9d66eef0.1 etc). The search is performed in the
- ordering of the extension number, regardless of
+ certificates in PEM format which are to be recog-
+ nized by the client in SSL/TLS connections. The
+ files each contain one CA certificate. The files
+ are looked up by the CA subject name hash value,
+ which must hence be available. If more than one CA
+ certificate with the same name hash value exist,
+ the extension must be different (e.g. 9d66eef0.0,
+ 9d66eef0.1 etc). The search is performed in the
+ ordering of the extension number, regardless of
other properties of the certificates. Use the
c_rehash utility (from the OpenSSL distribution) to
create the necessary links.
- tls_ca_cert_file (No default; set either this or
+ tls_ca_cert_file (No default; set either this or
tls_ca_cert_dir)
File containing the X509 Certificate Authority cer-
- tificates in PEM format which are to be recognized
- by the client in SSL/TLS connections. This setting
+ tificates in PEM format which are to be recognized
+ by the client in SSL/TLS connections. This setting
takes precedence over tls_ca_cert_dir.
tls_cert (No default; you must set this)
- File containing client's X509 certificate to be
+ File containing client's X509 certificate to be
used by the client in SSL/ TLS connections.
tls_key (No default; you must set this)
- File containing the private key corresponding to
+ File containing the private key corresponding to
the above tls_cert.
tls_require_cert (default: no)
Whether or not to request server's X509 certificate
- and check its validity when establishing SSL/TLS
- connections. The supported values are no and yes.
+ and check its validity when establishing SSL/TLS
+ connections. The supported values are no and yes.
- With no, the server certificate trust chain is not
- checked, but with OpenLDAP prior to 2.1.13, the
+ With no, the server certificate trust chain is not
+ checked, but with OpenLDAP prior to 2.1.13, the
name in the server certificate must still match the
LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
- server name is not necessarily what you specified,
- rather it is determined (by reverse lookup) from
- the IP address of the LDAP server connection. With
- OpenLDAP prior to 2.0.13, subjectAlternativeName
+ server name is not necessarily what you specified,
+ rather it is determined (by reverse lookup) from
+ the IP address of the LDAP server connection. With
+ OpenLDAP prior to 2.0.13, subjectAlternativeName
extensions in the LDAP server certificate are
- ignored: the server name must match the subject
+ ignored: the server name must match the subject
CommonName. The no setting corresponds to the never
- value of TLS_REQCERT in LDAP client configuration
+ value of TLS_REQCERT in LDAP client configuration
files.
- Don't use TLS with OpenLDAP 2.0.x (and especially
+ Don't use TLS with OpenLDAP 2.0.x (and especially
with x <= 11) if you can avoid it.
- With yes, the server certificate must be issued by
- a trusted CA, and not be expired. The LDAP server
- name must match one of the name(s) found in the
+ With yes, the server certificate must be issued by
+ a trusted CA, and not be expired. The LDAP server
+ name must match one of the name(s) found in the
certificate (see above for OpenLDAP library version
dependent behavior). The yes setting corresponds to
the demand value of TLS_REQCERT in LDAP client con-
@@ -650,27 +722,27 @@ LDAP_TABLE(5) LDAP_TABLE(5)
The "try" and "never" values of TLS_REQCERT have no
equivalents here. They are not available with
- OpenLDAP 2.0, and in any case have questionable
- security properties. Either you want TLS verified
+ OpenLDAP 2.0, and in any case have questionable
+ security properties. Either you want TLS verified
LDAP connections, or you don't.
The yes value only works correctly with Postfix 2.5
- and later, or with OpenLDAP 2.0. Earlier Postfix
- releases or later OpenLDAP releases don't work
- together with this setting. Support for LDAP over
- TLS was added to Postfix based on the OpenLDAP 2.0
+ and later, or with OpenLDAP 2.0. Earlier Postfix
+ releases or later OpenLDAP releases don't work
+ together with this setting. Support for LDAP over
+ TLS was added to Postfix based on the OpenLDAP 2.0
API.
tls_random_file (No default)
- Path of a file to obtain random bits from when
- /dev/[u]random is not available, to be used by the
+ Path of a file to obtain random bits from when
+ /dev/[u]random is not available, to be used by the
client in SSL/TLS connections.
tls_cipher_suite (No default)
Cipher suite to use in SSL/TLS negotiations.
EXAMPLE
- Here's a basic example for using LDAP to look up local(8)
+ Here's a basic example for using LDAP to look up local(8)
aliases. Assume that in main.cf, you have:
alias_maps = hash:/etc/aliases,
@@ -681,14 +753,14 @@ LDAP_TABLE(5) LDAP_TABLE(5)
server_host = ldap.example.com
search_base = dc=example, dc=com
- Upon receiving mail for a local address "ldapuser" that
- isn't found in the /etc/aliases database, Postfix will
+ Upon receiving mail for a local address "ldapuser" that
+ isn't found in the /etc/aliases database, Postfix will
search the LDAP server listening at port 389 on ldap.exam-
- ple.com. It will bind anonymously, search for any direc-
- tory entries whose mailacceptinggeneralid attribute is
+ ple.com. It will bind anonymously, search for any direc-
+ tory entries whose mailacceptinggeneralid attribute is
"ldapuser", read the "maildrop" attributes of those found,
and build a list of their maildrops, which will be treated
- as RFC822 addresses to which the message will be deliv-
+ as RFC822 addresses to which the message will be deliv-
ered.
SEE ALSO
@@ -702,13 +774,13 @@ LDAP_TABLE(5) LDAP_TABLE(5)
LDAP_README, Postfix LDAP client guide
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
- Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
- Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
- Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
+ Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
+ Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
+ Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
Victor Duchovni, and many others.
LDAP_TABLE(5)
diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html
index b3c71a8bf..f7d22359d 100644
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@@ -55,75 +55,74 @@ POSTSCREEN(8) POSTSCREEN(8)
Problems and transactions are logged to syslogd(8).
BUGS
- Some of the non-default protocol tests involve
- postscreen(8)'s built-in SMTP protocol engine. When these
+ The postscreen(8) built-in SMTP protocol engine does not
+ announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
+ Support for STARTTLS and AUTH may be added in the future.
+ In the mean time, if you need to make these services
+ available on port 25, then do not enable the optional
+ "after 220 server greeting" tests.
+
+ The optional "after 220 server greeting" tests involve
+ postscreen(8)'s built-in SMTP protocol engine. When these
tests succeed, postscreen(8) adds the client to the tempo-
- rary whitelist but it cannot not hand off the "live" con-
- nection to a Postfix SMTP server process in the middle of
- a session. Instead, postscreen(8) defers attempts to
- deliver mail with a 4XX status, and waits for the client
- to disconnect. The next time a good client connects, it
- will be allowed to talk to a Postfix SMTP server process
- to deliver mail. postscreen(8) mitigates the impact of
- this limitation by giving such tests a long expiration
+ rary whitelist but it cannot not hand off the "live" con-
+ nection to a Postfix SMTP server process in the middle of
+ a session. Instead, postscreen(8) defers attempts to
+ deliver mail with a 4XX status, and waits for the client
+ to disconnect. The next time a good client connects, it
+ will be allowed to talk to a Postfix SMTP server process
+ to deliver mail. postscreen(8) mitigates the impact of
+ this limitation by giving such tests a long expiration
time.
- The postscreen(8) built-in SMTP protocol engine does not
- announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
- (support for STARTTLS and AUTH may be added in the
- future). End-user clients should connect directly to the
- submission service; other systems that require the above
- features should directly connect to a Postfix SMTP server,
- or they should be placed on the postscreen(8) whitelist.
-
CONFIGURATION PARAMETERS
- Changes to main.cf are not picked up automatically, as
- postscreen(8) processes may run for several hours. Use
+ Changes to main.cf are not picked up automatically, as
+ postscreen(8) processes may run for several hours. Use
the command "postfix reload" after a configuration change.
- The text below provides only a parameter summary. See
+ The text below provides only a parameter summary. See
postconf(5) for more details including examples.
- NOTE: Some postscreen(8) parameters implement stress-
- dependent behavior. This is supported only when the
- default value is stress-dependent (that is, it looks like
+ NOTE: Some postscreen(8) parameters implement stress-
+ dependent behavior. This is supported only when the
+ default value is stress-dependent (that is, it looks like
${stress?X}${stress:Y}). Other parameters always evaluate
as if the stress value is the empty string.
TRIAGE PARAMETERS
postscreen_bare_newline_action (ignore)
- The action that postscreen(8) takes when an SMTP
- client sends a bare newline character, that is, a
+ The action that postscreen(8) takes when an SMTP
+ client sends a bare newline character, that is, a
newline not preceded by carriage return.
postscreen_bare_newline_enable (no)
- Enable "bare newline" SMTP protocol tests in the
+ Enable "bare newline" SMTP protocol tests in the
postscreen(8) server.
postscreen_blacklist_action (ignore)
- The action that postscreen(8) takes when an SMTP
- client is permanently blacklisted with the
+ The action that postscreen(8) takes when an SMTP
+ client is permanently blacklisted with the
postscreen_blacklist_networks parameter.
postscreen_blacklist_networks (empty)
Network addresses that are permanently blacklisted;
- see the postscreen_blacklist_action parameter for
+ see the postscreen_blacklist_action parameter for
possible actions.
postscreen_disable_vrfy_command ($disable_vrfy_command)
- Disable the SMTP VRFY command in the postscreen(8)
+ Disable the SMTP VRFY command in the postscreen(8)
daemon.
postscreen_dnsbl_action (ignore)
- The action that postscreen(8) takes when an SMTP
+ The action that postscreen(8) takes when an SMTP
client's combined DNSBL score is equal to or
- greater than a threshold (as defined with the
+ greater than a threshold (as defined with the
postscreen_dnsbl_sites and postscreen_dnsbl_thresh-
old parameters).
postscreen_dnsbl_reply_map (empty)
- A mapping from actual DNSBL domain name which
- includes a secret password, to the DNSBL domain
+ A mapping from actual DNSBL domain name which
+ includes a secret password, to the DNSBL domain
name that postscreen will reply with when it
rejects mail.
@@ -132,16 +131,16 @@ POSTSCREEN(8) POSTSCREEN(8)
weight factors.
postscreen_dnsbl_threshold (1)
- The inclusive lower bound for blocking an SMTP
+ The inclusive lower bound for blocking an SMTP
client, based on its combined DNSBL score as
- defined with the postscreen_dnsbl_sites parameter.
+ defined with the postscreen_dnsbl_sites parameter.
postscreen_forbidden_commands ($smtpd_forbidden_commands)
List of commands that the postscreen(8) server con-
siders in violation of the SMTP protocol.
postscreen_greet_action (ignore)
- The action that postscreen(8) takes when an SMTP
+ The action that postscreen(8) takes when an SMTP
client speaks before its turn within the time spec-
ified with the postscreen_greet_wait parameter.
@@ -149,130 +148,130 @@ POSTSCREEN(8) POSTSCREEN(8)
The text in the optional "220-text..." server
response that postscreen(8) sends ahead of the real
Postfix SMTP server's "220 text..." response, in an
- attempt to confuse bad SMTP clients so that they
+ attempt to confuse bad SMTP clients so that they
speak before their turn (pre-greet).
postscreen_greet_wait (${stress?2}${stress:6}s)
The amount of time that postscreen(8) will wait for
- an SMTP client to send a command before its turn,
- and for DNS blocklist lookup results to arrive
- (default: up to 2 seconds under stress, up to 6
+ an SMTP client to send a command before its turn,
+ and for DNS blocklist lookup results to arrive
+ (default: up to 2 seconds under stress, up to 6
seconds otherwise).
postscreen_helo_required ($smtpd_helo_required)
- Require that a remote SMTP client sends HELO or
+ Require that a remote SMTP client sends HELO or
EHLO before commencing a MAIL transaction.
postscreen_non_smtp_command_action (drop)
- The action that postscreen(8) takes when an SMTP
- client sends non-SMTP commands as specified with
+ The action that postscreen(8) takes when an SMTP
+ client sends non-SMTP commands as specified with
the postscreen_forbidden_commands parameter.
postscreen_non_smtp_command_enable (no)
- Enable "non-SMTP command" tests in the
+ Enable "non-SMTP command" tests in the
postscreen(8) server.
postscreen_pipelining_action (enforce)
- The action that postscreen(8) takes when an SMTP
- client sends multiple commands instead of sending
- one command and waiting for the server to respond.
+ The action that postscreen(8) takes when an SMTP
+ client sends multiple commands instead of sending
+ one command and waiting for the server to respond.
postscreen_pipelining_enable (no)
- Enable "pipelining" SMTP protocol tests in the
+ Enable "pipelining" SMTP protocol tests in the
postscreen(8) server.
postscreen_whitelist_networks ($mynetworks)
Network addresses that are permanently whitelisted,
- and that will not be subjected to postscreen(8)
+ and that will not be subjected to postscreen(8)
checks.
smtpd_service_name (smtpd)
- The internal service that postscreen(8) forwards
+ The internal service that postscreen(8) forwards
allowed connections to.
CACHE CONTROLS
postscreen_cache_cleanup_interval (12h)
- The amount of time between postscreen(8) cache
+ The amount of time between postscreen(8) cache
cleanup runs.
postscreen_cache_map (btree:$data_directory/ps_cache)
- Persistent storage for the postscreen(8) server
+ Persistent storage for the postscreen(8) server
decisions.
postscreen_cache_retention_time (7d)
The amount of time that postscreen(8) will cache an
- expired temporary whitelist entry before it is
+ expired temporary whitelist entry before it is
removed.
postscreen_bare_newline_ttl (30d)
- The amount of time that postscreen(8) will cache
- results from a successful "bare newline" SMTP pro-
+ The amount of time that postscreen(8) will cache
+ results from a successful "bare newline" SMTP pro-
tocol test.
postscreen_dnsbl_ttl (1h)
- The amount of time that postscreen(8) will cache
+ The amount of time that postscreen(8) will cache
results from a successful DNS blocklist test.
postscreen_greet_ttl (1d)
- The amount of time that postscreen(8) will cache
+ The amount of time that postscreen(8) will cache
results from a successful PREGREET test.
postscreen_non_smtp_command_ttl (30d)
- The amount of time that postscreen(8) will cache
- results from a successful "non_smtp_command" SMTP
+ The amount of time that postscreen(8) will cache
+ results from a successful "non_smtp_command" SMTP
protocol test.
postscreen_pipelining_ttl (30d)
- The amount of time that postscreen(8) will cache
- results from a successful "pipelining" SMTP proto-
+ The amount of time that postscreen(8) will cache
+ results from a successful "pipelining" SMTP proto-
col test.
RESOURCE CONTROLS
line_length_limit (2048)
- Upon input, long lines are chopped up into pieces
- of at most this length; upon delivery, long lines
+ Upon input, long lines are chopped up into pieces
+ of at most this length; upon delivery, long lines
are reconstructed.
postscreen_client_connection_count_limit
($smtpd_client_connection_count_limit)
- How many simultaneous connections any client is
+ How many simultaneous connections any client is
allowed to have with the postscreen(8) daemon.
postscreen_command_count_limit (20)
- The limit on the total number of commands per SMTP
- session for postscreen(8)'s built-in SMTP protocol
+ The limit on the total number of commands per SMTP
+ session for postscreen(8)'s built-in SMTP protocol
engine.
postscreen_command_time_limit (${stress?10}${stress:300}s)
- The command "read" time limit for postscreen(8)'s
+ The command "read" time limit for postscreen(8)'s
built-in SMTP protocol engine.
postscreen_post_queue_limit ($default_process_limit)
- The number of clients that can be waiting for ser-
+ The number of clients that can be waiting for ser-
vice from a real SMTP server process.
postscreen_pre_queue_limit ($default_process_limit)
- The number of non-whitelisted clients that can be
- waiting for a decision whether they will receive
+ The number of non-whitelisted clients that can be
+ waiting for a decision whether they will receive
service from a real SMTP server process.
postscreen_watchdog_timeout (10s)
- How much time a postscreen(8) process may take to
- respond to an SMTP client command or to perform a
+ How much time a postscreen(8) process may take to
+ respond to an SMTP client command or to perform a
cache operation before it is terminated by a built-
in watchdog timer.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal
+ The maximal number of digits after the decimal
point when logging sub-second delay values.
command_directory (see 'postconf -d' output)
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
ipc_timeout (3600s)
@@ -280,24 +279,24 @@ POSTSCREEN(8) POSTSCREEN(8)
over an internal communication channel.
max_idle (100s)
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
+ The maximum amount of time that an idle Postfix
+ daemon process waits for an incoming connection
before terminating voluntarily.
process_id (read-only)
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
process_name (read-only)
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
@@ -309,12 +308,12 @@ POSTSCREEN(8) POSTSCREEN(8)
POSTSCREEN_README, Postfix Postscreen Howto
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
HISTORY
- Many ideas in postscreen(8) were explored in earlier work
- by Michael Tokarev, in OpenBSD spamd, and in MailChannels
+ Many ideas in postscreen(8) were explored in earlier work
+ by Michael Tokarev, in OpenBSD spamd, and in MailChannels
Traffic Control.
AUTHOR(S)
diff --git a/postfix/man/man5/ldap_table.5 b/postfix/man/man5/ldap_table.5
index b9169bb5f..069e5d893 100644
--- a/postfix/man/man5/ldap_table.5
+++ b/postfix/man/man5/ldap_table.5
@@ -422,14 +422,27 @@ The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
and LDAP_SCOPE_ONELEVEL.
.IP "\fBbind (default: yes)\fR"
-Whether or not to bind to the LDAP server. Newer LDAP
+Whether or how to bind to the LDAP server. Newer LDAP
implementations don't require clients to bind, which saves
time. Example:
.nf
+ # Don't bind
bind = no
+ # Use SIMPLE bind
+ bind = yes
+ # Use SASL bind
+ bind = sasl
.fi
+Postfix versions prior to 2.8 only support "bind = no" which
+means don't bind, and "bind = yes" which means do a SIMPLE bind.
+Postfix 2.8 and later also supports "bind = SASL" when compiled
+with LDAP SASL support as described in LDAP_README, it also adds
+the synonyms "bind = none" and "bind = simple" for "bind = no"
+and "bind = yes" respectively. See the SASL section below for
+additional parameters available with "bind = sasl".
+
If you do need to bind, you might consider configuring
Postfix to connect to the local machine on a port that's
an SSL tunnel to your LDAP server. If your LDAP server
@@ -443,6 +456,8 @@ If you do have to bind, do it with this distinguished name. Example:
.nf
bind_dn = uid=postfix, dc=your, dc=com
.fi
+With "bind = sasl" (see above) the DN may be optional for some SASL
+mechanisms, don't specify a DN if not needed.
.IP "\fBbind_pw (default: empty)\fR"
The password for the distinguished name above. If you have
to use this, you probably want to make the map configuration
@@ -456,6 +471,8 @@ command. Example:
.nf
bind_pw = postfixpw
.fi
+With "bind = sasl" (see above) the password may be optional
+for some SASL mechanisms, don't specify a password if not needed.
.IP "\fBcache (IGNORED with a warning)\fR"
.IP "\fBcache_expiry (IGNORED with a warning)\fR"
.IP "\fBcache_size (IGNORED with a warning)\fR"
@@ -512,6 +529,49 @@ Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
Specifies the LDAP protocol version to use.
.IP "\fBdebuglevel (default: 0)\fR"
What level to set for debugging in the OpenLDAP libraries.
+.SH "LDAP SASL PARAMETERS"
+.na
+.nf
+.ad
+.fi
+If you're using the OpenLDAP libraries compiled with SASL
+support, Postfix 2.8 and later built with LDAP SASL support
+as described in LDAP_README can authenticate to LDAP servers
+via SASL.
+
+This enables authentication to the LDAP server via mechanisms
+other than a simple password. The added flexibility has a cost:
+it is no longer practical to set an explicit timeout on the duration
+of an LDAP bind operation. Under adverse conditions, whether a SASL
+bind times out, or if it does, the duration of the timeout is
+determined by the LDAP and SASL libraries.
+
+It is best to use tables that use SASL binds via proxymap(8), this
+way the requesting process can time-out the proxymap request. This
+also lets you tailer the process environment by overriding the
+proxymap(8) import_environment setting in master.cf(5). Special
+environment settings may be needed to configure GSSAPI credential
+caches or other SASL mechanism specific options. The GSSAPI
+credentials used for LDAP lookups may need to be different than
+say those used for the Postfix SMTP client to authenticate to remote
+servers.
+
+Using SASL mechanisms requires LDAP protocol version 3, the default
+protocol version is 2 for backwards compatibility. You must set
+"version = 3" in addition to "bind = sasl".
+
+The following parameters are relevant to using LDAP with SASL
+.IP "\fBsasl (default: no)\fR"
+Whether or not to use SASL binds to the server. Can be yes or no.
+.IP "\fBsasl_mechs (default: empty)\fR"
+Space separated list of SASL mechanism(s) to try.
+.IP "\fBsasl_realm (default: empty)\fR"
+SASL Realm to use, if applicable.
+.IP "\fBsasl_authz_id (default: empty)\fR"
+The SASL authorization identity to assert, if applicable.
+.IP "\fBsasl_minssf (default: 0)\fR"
+The minimum required sasl security factor required to establish a
+connection.
.SH "LDAP SSL AND STARTTLS PARAMETERS"
.na
.nf
diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8
index 09ed7de90..b4cebec67 100644
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@@ -60,7 +60,14 @@ Problems and transactions are logged to \fBsyslogd\fR(8).
.SH BUGS
.ad
.fi
-Some of the non-default protocol tests involve
+The \fBpostscreen\fR(8) built-in SMTP protocol engine does
+not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
+Support for STARTTLS and AUTH may be added in the future.
+In the mean time, if you need to make these services available
+on port 25, then do not enable the optional "after 220
+server greeting" tests.
+
+The optional "after 220 server greeting" tests involve
\fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
these tests succeed, \fBpostscreen\fR(8) adds the client
to the temporary whitelist but it cannot not hand off the
@@ -72,14 +79,6 @@ connects, it will be allowed to talk to a Postfix SMTP
server process to deliver mail. \fBpostscreen\fR(8) mitigates
the impact of this limitation by giving such tests a long
expiration time.
-
-The \fBpostscreen\fR(8) built-in SMTP protocol engine does
-not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
-(support for STARTTLS and AUTH may be added in the future).
-End-user clients should connect directly to the submission
-service; other systems that require the above features
-should directly connect to a Postfix SMTP server, or they
-should be placed on the \fBpostscreen\fR(8) whitelist.
.SH "CONFIGURATION PARAMETERS"
.na
.nf
diff --git a/postfix/proto/LDAP_README.html b/postfix/proto/LDAP_README.html
index a7d351386..62905a7f1 100644
--- a/postfix/proto/LDAP_README.html
+++ b/postfix/proto/LDAP_README.html
@@ -128,6 +128,16 @@ change the AUXLIBS line to point to libldap10.so or libldapssl30.so
or whatever you have, and you may need to use the appropriate linker
option (e.g. '-R') so the executables can find it at runtime.
+ If you are using OpenLDAP, and the libraries were built with SASL
+support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
+For example:
+
+
+
+ CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
+
+
+
In order to use LDAP lookups, define an LDAP source
@@ -140,9 +150,9 @@ alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf can specify a great number
-of parameters, including parameters that enable LDAP SSL and
-STARTTLS. For a complete description, see the ldap_table(5) manual
-page.
+of parameters, including parameters that enable LDAP SSL or STARTTLS,
+and LDAP SASL. For a complete description, see the ldap_table(5)
+manual page.
@@ -591,6 +601,9 @@ expansion_limit interface for LDAP, MySQL and PosgreSQL.
limit LDAP search results to leaf nodes only. Victor generalized
this into the Postfix 2.4 "leaf_result_attribute" feature.
+Quanah Gibson-Mount contributed support for advanced LDAP SASL
+mechanisms, beyond the password-based LDAP "simple" bind.
+
And of course Wietse.
diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html
index 6d0c7e166..f590a5fe9 100644
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@@ -67,7 +67,10 @@ decision based on a single measurement. This is necessary because
many zombies avoid spamming the same site repeatedly, in an attempt
to fly under the radar. Once postscreen(8) decides that a client
is not-a-zombie, it whitelists the client temporarily to avoid
-further delays for legitimate mail.
+further delays for legitimate mail. Clients that pass postscreen(8)
+are still subject to the checks that are built into Postfix smtpd(8),
+Postfix built-in content filters, and external content filters.
+
Zombies have challenges too: they have only a limited amount
of time to deliver spam before their IP address becomes blacklisted.
@@ -79,25 +82,24 @@ mail even when the server tells them to go away.
postscreen(8) uses a variety of measurements to recognize
zombies. First, postscreen(8) determines if the remote SMTP client
IP address is blacklisted. Second, postscreen(8) looks for protocol
-compromises that are made to speed up delivery. The results of
-such measurements don't change with each delivery attempt, and are
-therefore good for making an is-it-a-zombie decision based on a
-single measurement.
+compromises that are made to speed up delivery. These are good
+indicators for making is-it-a-zombie decisions based on single
+measurements.
postscreen(8) does not inspect message content. Message content
-can vary widely with each delivery attempt, especially with clients
-that (also) send legitimate email. Content is therefore not good
-for making an is-it-a-zombie decision based on a single measurement,
+can vary from one delivery to the next, especially with clients
+that (also) send legitimate email. Content is not a good indicator
+for making is-it-a-zombie decisions based on single measurements,
and that is the problem that postscreen(8) is focused on.
The postscreen(8) triage process involves a number of tests,
in the order as described below. Some tests introduce a delay of
-a few seconds. Once a client passes all tests, its IP address is
-temporarily excluded from any tests, typically 24 hours for simple
-tests or 1 week for complex tests. This minimizes the impact of
-the tests on legitimate mail clients.
+a few seconds. Once a client passes a test, its IP address is
+whitelisted from 24 hours for simple tests, to 1 week for complex
+tests. Whitelisting minimizes the impact of postscreen(8)'s tests
+on legitimate mail clients.
After logging its findings, postscreen(8) by default hands off
all connections to a Postfix SMTP server process. This mode is
@@ -340,14 +342,15 @@ a relatively long expiration time.
postscreen(8)'s built-in SMTP engine does not implement
the AUTH, STARTTLS, XCLIENT, and XFORWARD features. STARTTLS and
-AUTH support may be added in a future version.
+AUTH support may be added in a future version. In the mean time,
+if you need to make these services available on port 25, then do
+not enable the tests after the 220 server greeting.
End-user clients should connect directly to the submission
-service. Other systems that require the above features
-should directly connect to a Postfix SMTP server, or they
-should be placed on the postscreen(8) whitelist.
+service, so that they never have to deal with postscreen(8)'s tests.
+
diff --git a/postfix/proto/ldap_table b/postfix/proto/ldap_table
index e9cd373f5..c6bd42a88 100644
--- a/postfix/proto/ldap_table
+++ b/postfix/proto/ldap_table
@@ -410,14 +410,27 @@
# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
# and LDAP_SCOPE_ONELEVEL.
# .IP "\fBbind (default: yes)\fR"
-# Whether or not to bind to the LDAP server. Newer LDAP
+# Whether or how to bind to the LDAP server. Newer LDAP
# implementations don't require clients to bind, which saves
# time. Example:
#
# .nf
+# # Don't bind
# bind = no
+# # Use SIMPLE bind
+# bind = yes
+# # Use SASL bind
+# bind = sasl
# .fi
#
+# Postfix versions prior to 2.8 only support "bind = no" which
+# means don't bind, and "bind = yes" which means do a SIMPLE bind.
+# Postfix 2.8 and later also supports "bind = SASL" when compiled
+# with LDAP SASL support as described in LDAP_README, it also adds
+# the synonyms "bind = none" and "bind = simple" for "bind = no"
+# and "bind = yes" respectively. See the SASL section below for
+# additional parameters available with "bind = sasl".
+#
# If you do need to bind, you might consider configuring
# Postfix to connect to the local machine on a port that's
# an SSL tunnel to your LDAP server. If your LDAP server
@@ -431,6 +444,8 @@
# .nf
# bind_dn = uid=postfix, dc=your, dc=com
# .fi
+# With "bind = sasl" (see above) the DN may be optional for some SASL
+# mechanisms, don't specify a DN if not needed.
# .IP "\fBbind_pw (default: empty)\fR"
# The password for the distinguished name above. If you have
# to use this, you probably want to make the map configuration
@@ -444,6 +459,8 @@
# .nf
# bind_pw = postfixpw
# .fi
+# With "bind = sasl" (see above) the password may be optional
+# for some SASL mechanisms, don't specify a password if not needed.
# .IP "\fBcache (IGNORED with a warning)\fR"
# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
# .IP "\fBcache_size (IGNORED with a warning)\fR"
@@ -500,6 +517,47 @@
# Specifies the LDAP protocol version to use.
# .IP "\fBdebuglevel (default: 0)\fR"
# What level to set for debugging in the OpenLDAP libraries.
+# LDAP SASL PARAMETERS
+# .ad
+# .fi
+# If you're using the OpenLDAP libraries compiled with SASL
+# support, Postfix 2.8 and later built with LDAP SASL support
+# as described in LDAP_README can authenticate to LDAP servers
+# via SASL.
+#
+# This enables authentication to the LDAP server via mechanisms
+# other than a simple password. The added flexibility has a cost:
+# it is no longer practical to set an explicit timeout on the duration
+# of an LDAP bind operation. Under adverse conditions, whether a SASL
+# bind times out, or if it does, the duration of the timeout is
+# determined by the LDAP and SASL libraries.
+#
+# It is best to use tables that use SASL binds via proxymap(8), this
+# way the requesting process can time-out the proxymap request. This
+# also lets you tailer the process environment by overriding the
+# proxymap(8) import_environment setting in master.cf(5). Special
+# environment settings may be needed to configure GSSAPI credential
+# caches or other SASL mechanism specific options. The GSSAPI
+# credentials used for LDAP lookups may need to be different than
+# say those used for the Postfix SMTP client to authenticate to remote
+# servers.
+#
+# Using SASL mechanisms requires LDAP protocol version 3, the default
+# protocol version is 2 for backwards compatibility. You must set
+# "version = 3" in addition to "bind = sasl".
+#
+# The following parameters are relevant to using LDAP with SASL
+# .IP "\fBsasl (default: no)\fR"
+# Whether or not to use SASL binds to the server. Can be yes or no.
+# .IP "\fBsasl_mechs (default: empty)\fR"
+# Space separated list of SASL mechanism(s) to try.
+# .IP "\fBsasl_realm (default: empty)\fR"
+# SASL Realm to use, if applicable.
+# .IP "\fBsasl_authz_id (default: empty)\fR"
+# The SASL authorization identity to assert, if applicable.
+# .IP "\fBsasl_minssf (default: 0)\fR"
+# The minimum required sasl security factor required to establish a
+# connection.
# LDAP SSL AND STARTTLS PARAMETERS
# .ad
# .fi
diff --git a/postfix/src/cleanup/cleanup_map1n.c b/postfix/src/cleanup/cleanup_map1n.c
index e69ec190f..b806a6017 100644
--- a/postfix/src/cleanup/cleanup_map1n.c
+++ b/postfix/src/cleanup/cleanup_map1n.c
@@ -15,13 +15,18 @@
/* This module implements one-to-many table mapping via table lookup.
/* Table lookups are done with quoted (externalized) address forms.
/* The process is recursive. The recursion terminates when the
-/* left-hand side appears in its own expansion, or when a maximal
-/* nesting level is reached.
+/* left-hand side appears in its own expansion.
/*
/* cleanup_map1n_internal() is the interface for addresses in
/* internal (unquoted) form.
/* DIAGNOSTICS
-/* Recoverable errors: the global \fIcleanup_errs\fR flag is updated.
+/* When the maximal expansion or recursion limit is reached,
+/* the alias is not expanded and the CLEANUP_STAT_DEFER error
+/* is raised with reason "4.6.0 Alias expansion error".
+/*
+/* When table lookup fails, the alias is not expanded and the
+/* CLEANUP_STAT_WRITE error is raised with reason "4.6.0 Alias
+/* expansion error".
/* SEE ALSO
/* mail_addr_map(3) address mappings
/* mail_addr_find(3) address lookups
@@ -93,15 +98,26 @@ ARGV *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
* must index the array explicitly, instead of running along it with a
* pointer.
*/
-#define UPDATE(ptr,new) { myfree(ptr); ptr = mystrdup(new); }
+#define UPDATE(ptr,new) do { \
+ if (ptr) myfree(ptr); ptr = mystrdup(new); \
+ } while (0)
#define STR vstring_str
-#define RETURN(x) { been_here_free(been_here); return (x); }
+#define RETURN(x) do { \
+ been_here_free(been_here); return (x); \
+ } while (0)
+#define UNEXPAND(argv, addr) do { \
+ argv_truncate((argv), 0); argv_add((argv), (addr), (char *) 0); \
+ } while (0)
for (arg = 0; arg < argv->argc; arg++) {
if (argv->argc > var_virt_expan_limit) {
- msg_warn("%s: unreasonable %s map expansion size for %s",
+ msg_warn("%s: unreasonable %s map expansion size for %s -- "
+ "deferring delivery",
state->queue_id, maps->title, addr);
- break;
+ state->errs |= CLEANUP_STAT_DEFER;
+ UPDATE(state->reason, "4.6.0 Alias expansion error");
+ UNEXPAND(argv, addr);
+ RETURN(argv);
}
for (count = 0; /* void */ ; count++) {
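Review bot: The four-statement exit added at the expansion-size check (`state->errs |= ...`, `UPDATE(state->reason, ...)`, `UNEXPAND`, `RETURN`) is repeated verbatim in the nesting-limit hunk (ending L1258) and the lookup-failure hunk (ending L1274), with only the status bit differing, so the reason text "4.6.0 Alias expansion error" now lives in three places. A fourth macro beside UNEXPAND, parameterized on the status bit, keeps the three exits identical and makes a future change to the reason a one-line edit. The `if (ptr) myfree(ptr)` guard added to UPDATE implies `state->reason` can still be null at this point; a short comment saying so would save the next reader a trip to the caller. cleanup_map1n_internal starts and ends outside this hunk.
```c
/* … unchanged: UPDATE, STR, RETURN, UNEXPAND definitions … */
#define UNEXPAND_RETURN(argv, addr, status) do { \
	state->errs |= (status); \
	UPDATE(state->reason, "4.6.0 Alias expansion error"); \
	UNEXPAND((argv), (addr)); \
	RETURN(argv); \
    } while (0)
/* … unchanged: expansion loop; each limit exit becomes UNEXPAND_RETURN(argv, addr, CLEANUP_STAT_DEFER), the lookup-failure exit UNEXPAND_RETURN(argv, addr, CLEANUP_STAT_WRITE) … */
```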
@@ -111,9 +127,13 @@ ARGV *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
if (been_here_check_fixed(been_here, argv->argv[arg]) != 0)
break;
if (count >= var_virt_recur_limit) {
- msg_warn("%s: unreasonable %s map nesting for %s",
+ msg_warn("%s: unreasonable %s map nesting for %s -- "
+ "deferring delivery",
state->queue_id, maps->title, addr);
- break;
+ state->errs |= CLEANUP_STAT_DEFER;
+ UPDATE(state->reason, "4.6.0 Alias expansion error");
+ UNEXPAND(argv, addr);
+ RETURN(argv);
}
quote_822_local(state->temp1, argv->argv[arg]);
if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) {
@@ -136,9 +156,12 @@ ARGV *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
myfree(saved_lhs);
argv_free(lookup);
} else if (dict_errno != 0) {
- msg_warn("%s: %s map lookup problem for %s",
+ msg_warn("%s: %s map lookup problem for %s -- "
+ "deferring delivery",
state->queue_id, maps->title, addr);
state->errs |= CLEANUP_STAT_WRITE;
+ UPDATE(state->reason, "4.6.0 Alias expansion error");
+ UNEXPAND(argv, addr);
RETURN(argv);
} else {
break;
diff --git a/postfix/src/global/dict_ldap.c b/postfix/src/global/dict_ldap.c
index 95bc1f655..bf6ed2ee0 100644
--- a/postfix/src/global/dict_ldap.c
+++ b/postfix/src/global/dict_ldap.c
@@ -103,6 +103,16 @@
/* .IP version
/* Specifies the LDAP protocol version to use. Default is version
/* \fI2\fR.
+/* .IP "\fBsasl (no)\fR"
+/* Whether or not to use SASL binds with the server.
+/* .IP "\fBsasl_mechs (empty)\fR"
+/* Specifies a space-separated list of LDAP SASL Mechanisms.
+/* .IP "\fBsasl_realm (empty)\fR"
+/* The realm to use for SASL binds.
+/* .IP "\fBsasl_authz_id (empty)\fR"
+/* The SASL Authorization Identity to assert.
+/* .IP "\fBsasl_minssf (0)\fR"
+/* The minimum SASL SSF to allow.
/* .IP start_tls
/* Whether or not to issue STARTTLS upon connection to the server.
/* At this time, STARTTLS and LDAP SSL are only available if the
@@ -208,16 +218,44 @@
#include
#include
#include
+#include
/* Global library. */
#include "cfg_parser.h"
#include "db_common.h"
+#include "mail_conf.h"
+
+#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
+ /*
+ * SASL headers, for sasl_interact_t. Either SASL v1 or v2 should be fine.
+ */
+#include
+#endif
/* Application-specific. */
#include "dict_ldap.h"
+#define DICT_LDAP_BIND_NONE 0
+#define DICT_LDAP_BIND_SIMPLE 1
+#define DICT_LDAP_BIND_SASL 2
+#define DICT_LDAP_DO_BIND(d) ((d)->bind != DICT_LDAP_BIND_NONE)
+#define DICT_LDAP_DO_SASL(d) ((d)->bind == DICT_LDAP_BIND_SASL)
+
+static const NAME_CODE bindopt_table[] = {
+ CONFIG_BOOL_NO, DICT_LDAP_BIND_NONE,
+ "none", DICT_LDAP_BIND_NONE,
+ CONFIG_BOOL_YES, DICT_LDAP_BIND_SIMPLE,
+ "simple", DICT_LDAP_BIND_SIMPLE,
+#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ "sasl", DICT_LDAP_BIND_SASL,
+#endif
+#endif
+ 0, -1,
+};
+
typedef struct {
LDAP *conn_ld;
int conn_refcount;
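Review bot: On a build without USE_LDAP_SASL the `"sasl"` row is compiled out of bindopt_table, so a table that says `bind = sasl` resolves to the `-1` sentinel, and `DICT_LDAP_DO_BIND` (`bind != DICT_LDAP_BIND_NONE`) accepts -1 as a bind request while `DICT_LDAP_DO_SASL` does not — if nothing rejects it, the fallback is a SIMPLE bind sending the bind_dn/bind_pw the administrator configured for SASL. The lookup in dict_ldap_open is outside this view; it should treat a negative result as a fatal configuration error rather than store it, and a comment on the table would record that contract, e.g. `/* "sasl" is absent in non-SASL builds; the -1 sentinel must be rejected by the caller, not stored */`. The nested `#ifdef LDAP_API_FEATURE_X_OPENLDAP` / `#if defined(USE_LDAP_SASL)` pair around that row could use the single-line form already used for the header include above, `#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)`.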
@@ -254,6 +292,13 @@ typedef struct {
int debuglevel;
int version;
#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ int sasl;
+ char *sasl_mechs;
+ char *sasl_realm;
+ char *sasl_authz;
+ int sasl_minssf;
+#endif
int ldap_ssl;
int start_tls;
int tls_require_cert;
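Review bot: The new `int sasl` member duplicates state that `bind` already carries: `DICT_LDAP_DO_SASL` tests `bind == DICT_LDAP_BIND_SASL`, and nothing in this diff reads `sasl`. At the same time the header-comment hunk above (ending L1295) and the ldap_table manual document a separate `sasl (no)` parameter next to `bind = sasl`, so a reader cannot tell which one is authoritative or what `sasl = yes` together with `bind = yes` does. Whether dict_ldap_open reads `sasl` is outside this view; if it does not, drop the member and the `sasl` entry from the parameter documentation, otherwise state the precedence on the field, e.g. `int sasl; /* presumably superseded by bind = sasl -- confirm */`.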
@@ -407,6 +452,49 @@ static int dict_ldap_set_errno(LDAP *ld, int rc)
return rc;
}
+#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
+ /*
+ * Context structure for SASL property callback.
+ */
+typedef struct bind_props {
+ char *authcid;
+ char *passwd;
+ char *realm;
+ char *authzid;
+} bind_props;
+
+static int
+ldap_b2_interact(LDAP *ld, unsigned flags, void *props, void *inter)
+{
+
+ sasl_interact_t *in;
+ bind_props *ctx = (bind_props *)props;
+
+ for (in = inter; in->id != SASL_CB_LIST_END; in++)
+ {
+ in->result = NULL;
+ switch(in->id)
+ {
+ case SASL_CB_GETREALM:
+ in->result = ctx->realm;
+ break;
+ case SASL_CB_AUTHNAME:
+ in->result = ctx->authcid;
+ break;
+ case SASL_CB_USER:
+ in->result = ctx->authzid;
+ break;
+ case SASL_CB_PASS:
+ in->result = ctx->passwd;
+ break;
+ }
+ if (in->result)
+ in->len = strlen(in->result);
+ }
+ return LDAP_SUCCESS;
+}
+#endif
+
/* dict_ldap_result - Read and parse LDAP result */
static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
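Review bot: ldap_b2_interact hands the SASL library whatever is in the context, including empty strings: with the documented empty defaults for sasl_realm and sasl_authz_id the callback answers SASL_CB_GETREALM and SASL_CB_USER with `""` and `len = 0` instead of leaving `result` NULL, and whether the library treats that as "unset" or as a literal empty realm/authzid is not visible here. Guarding each assignment, e.g. `if (ctx->realm && *ctx->realm) in->result = ctx->realm;`, keeps the library default for options the table did not set. The `switch` has no `default:`, and the layout (return type on its own line, brace on its own line after `for`, `switch(`) differs from the rest of dict_ldap.c, where definitions are written `static int name(...)` on one line.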
@@ -427,6 +515,40 @@ static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
return LDAP_SUCCESS;
}
+#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
+
+/* Asynchronous SASL auth if SASL is enabled */
+
+static int dict_ldap_bind_sasl(DICT_LDAP *dict_ldap)
+{
+ int rc;
+ bind_props props;
+ static VSTRING *minssf = 0;
+
+ if (minssf == 0)
+ minssf = vstring_alloc(12);
+
+ vstring_sprintf(minssf, "minssf=%d", dict_ldap->sasl_minssf);
+
+ if ((rc = ldap_set_option(dict_ldap->ld, LDAP_OPT_X_SASL_SECPROPS,
+ (char *) minssf)) != LDAP_OPT_SUCCESS)
+ return (rc);
+
+ props.authcid = dict_ldap->bind_dn;
+ props.passwd = dict_ldap->bind_pw;
+ props.realm = dict_ldap->sasl_realm;
+ props.authzid = dict_ldap->sasl_authz;
+
+ if ((rc = ldap_sasl_interactive_bind_s(dict_ldap->ld, NULL,
+ dict_ldap->sasl_mechs, NULL, NULL,
+ LDAP_SASL_QUIET, ldap_b2_interact,
+ &props)) != LDAP_SUCCESS)
+ return (rc);
+
+ return (LDAP_SUCCESS);
+}
+#endif
+
/* dict_ldap_bind_st - Synchronous simple auth with timeout */
static int dict_ldap_bind_st(DICT_LDAP *dict_ldap)
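Review bot: `(char *) minssf` passes the address of the VSTRING structure, not of its text, to ldap_set_option(LDAP_OPT_X_SASL_SECPROPS): vstring_sprintf writes into the buffer that vstring_str() returns, while the struct itself begins with its flags word, so the library parses garbage or an empty string and the configured sasl_minssf is not enforced — the one setting meant to stop a SASL session from negotiating no integrity or confidentiality layer. The call should read `(char *) vstring_str(minssf))) != LDAP_OPT_SUCCESS)`. Separately, the trailing `if (... != LDAP_SUCCESS) return (rc); return (LDAP_SUCCESS);` pair collapses to `return (ldap_sasl_interactive_bind_s(...));`, and a one-line comment that this bind has no timeout of its own (the manual-page hunk documents the consequence) would help whoever goes looking for one.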
@@ -746,26 +868,36 @@ static int dict_ldap_connect(DICT_LDAP *dict_ldap)
}
#endif
+#define DN_LOG_VAL(dict_ldap) \
+ ((dict_ldap)->bind_dn[0] ? (dict_ldap)->bind_dn : "empty or implicit")
/*
* If this server requires a bind, do so. Thanks to Sam Tardieu for
* noticing that the original bind call was broken.
*/
- if (dict_ldap->bind) {
+ if (DICT_LDAP_DO_BIND(dict_ldap)) {
if (msg_verbose)
- msg_info("%s: Binding to server %s as dn %s",
- myname, dict_ldap->server_host, dict_ldap->bind_dn);
+ msg_info("%s: Binding to server %s with dn %s",
+ myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
+#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
+ if (DICT_LDAP_DO_SASL(dict_ldap)) {
+ rc = dict_ldap_bind_sasl(dict_ldap);
+ } else {
+ rc = dict_ldap_bind_st(dict_ldap);
+ }
+#else
rc = dict_ldap_bind_st(dict_ldap);
+#endif
if (rc != LDAP_SUCCESS) {
- msg_warn("%s: Unable to bind to server %s as %s: %d (%s)",
- myname, dict_ldap->server_host, dict_ldap->bind_dn,
+ msg_warn("%s: Unable to bind to server %s with dn %s: %d (%s)",
+ myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap),
rc, ldap_err2string(rc));
DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
}
if (msg_verbose)
- msg_info("%s: Successful bind to server %s as %s ",
- myname, dict_ldap->server_host, dict_ldap->bind_dn);
+ msg_info("%s: Successful bind to server %s with dn %s",
+ myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
}
/* Save connection handle in shared container */
DICT_LDAP_CONN(dict_ldap)->conn_ld = dict_ldap->ld;
@@ -798,13 +930,19 @@ static void dict_ldap_conn_find(DICT_LDAP *dict_ldap)
ADDSTR(keybuf, dict_ldap->server_host);
ADDINT(keybuf, dict_ldap->server_port);
ADDINT(keybuf, dict_ldap->bind);
- ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_dn : "");
- ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_pw : "");
+ ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_dn : "");
+ ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_pw : "");
ADDINT(keybuf, dict_ldap->dereference);
ADDINT(keybuf, dict_ldap->chase_referrals);
ADDINT(keybuf, dict_ldap->debuglevel);
ADDINT(keybuf, dict_ldap->version);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_mechs : "");
+ ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_realm : "");
+ ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_authz : "");
+ ADDINT(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_minssf : 0);
+#endif
ADDINT(keybuf, dict_ldap->ldap_ssl);
ADDINT(keybuf, dict_ldap->start_tls);
ADDINT(keybuf, sslon ? dict_ldap->tls_require_cert : 0);
@@ -1437,6 +1575,13 @@ static void dict_ldap_close(DICT *dict)
if (dict_ldap->ctx)
db_common_free_ctx(dict_ldap->ctx);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ if (DICT_LDAP_DO_SASL(dict_ldap)) {
+ myfree(dict_ldap->sasl_mechs);
+ myfree(dict_ldap->sasl_realm);
+ myfree(dict_ldap->sasl_authz);
+ }
+#endif
myfree(dict_ldap->tls_ca_cert_file);
myfree(dict_ldap->tls_ca_cert_dir);
myfree(dict_ldap->tls_cert);
@@ -1461,6 +1606,7 @@ DICT *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
char *server_host;
char *scope;
char *attr;
+ char *bindopt;
int tmp;
int vendor_version = dict_ldap_vendor_version();
@@ -1666,9 +1812,14 @@ DICT *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
myfree(attr);
/*
- * get configured value of "bind"; default to true
+ * get configured value of "bind"; default to simple bind
*/
- dict_ldap->bind = cfg_get_bool(dict_ldap->parser, "bind", 1);
+ bindopt = cfg_get_str(dict_ldap->parser, "bind", CONFIG_BOOL_YES, 1, 0);
+ dict_ldap->bind = name_code(bindopt_table, NAME_CODE_FLAG_NONE, bindopt);
+ if (dict_ldap->bind < 0)
+ msg_fatal("%s: unsupported parameter value: %s = %s",
+ dict_ldap->parser->name, "bind", bindopt);
+ myfree(bindopt);
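Review bot: `bind` was previously read with cfg_get_bool(), so existing table files may spell it in any form that routine accepted (CONFIG_BOOL_YES/CONFIG_BOOL_NO, presumably case-insensitively); `bindopt_table` is not in the diff, so please confirm it maps those same spellings to the old true/false codes, otherwise upgraded installations hit the new msg_fatal() at table open. name_code() with NAME_CODE_FLAG_NONE appears to be the case-insensitive mode — worth confirming, since "Yes" in a hand-edited table would otherwise become fatal. A comment above the table, `/* Must keep accepting the cfg_get_bool() spellings: this replaced a boolean */`, would guard against that regression. dict_ldap_open continues outside this hunk.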
/*
* get configured value of "bind_dn"; default to ""
@@ -1723,6 +1874,25 @@ DICT *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
"chase_referrals", 0);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ /*
+ * SASL options
+ */
+ if (DICT_LDAP_DO_SASL(dict_ldap)) {
+ dict_ldap->sasl_mechs =
+ cfg_get_str(dict_ldap->parser, "sasl_mechs", "", 0, 0);
+ dict_ldap->sasl_realm =
+ cfg_get_str(dict_ldap->parser, "sasl_realm", "", 0, 0);
+ dict_ldap->sasl_authz =
+ cfg_get_str(dict_ldap->parser, "sasl_authz_id", "", 0, 0);
+ dict_ldap->sasl_minssf =
+ cfg_get_int(dict_ldap->parser, "sasl_minssf", 0, 0, 4096);
+ } else {
+ dict_ldap->sasl_mechs = 0;
+ dict_ldap->sasl_realm = 0;
+ dict_ldap->sasl_authz = 0;
+ }
+#endif
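Review bot: The else branch zeroes the three string fields but leaves `sasl_minssf` unset; unless the DICT_LDAP is zero-filled on allocation that field is indeterminate, and although the cache-key hunk reads it only behind DICT_LDAP_DO_SASL, `dict_ldap->sasl_minssf = 0;` there costs nothing and keeps the struct consistent. The configured minimum SSF only has an effect if it is handed to the library (LDAP_OPT_X_SASL_SSF_MIN) before the bind; that call is not in the visible part of the diff, so please confirm it exists, otherwise a `sasl_minssf` setting silently provides no integrity or confidentiality guarantee on the LDAP session. The default of 0 means no security layer is required; a comment `/* 0 = accept a bind with no integrity or privacy protection */` at the cfg_get_int() call would make that explicit to administrators reading the code. dict_ldap_open continues outside this hunk.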
/*
* TLS options
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 652a4e712..f38f595b0 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20101201"
+#define MAIL_RELEASE_DATE "20101204"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
diff --git a/postfix/src/global/mime_state.c b/postfix/src/global/mime_state.c
index ac754c0a3..b807844e4 100644
--- a/postfix/src/global/mime_state.c
+++ b/postfix/src/global/mime_state.c
@@ -49,7 +49,7 @@
/*
/* In order to fend off denial of service attacks, message headers
/* are truncated at or above var_header_limit bytes, message boundary
-/* strings are truncated at var_boundary_len bytes, and the multipart
+/* strings are truncated at var_mime_bound_len bytes, and the multipart
/* nesting level is limited to var_mime_maxdepth levels.
/*
/* mime_state_alloc() creates a MIME state machine. The machine
diff --git a/postfix/src/global/pipe_command.c b/postfix/src/global/pipe_command.c
index 6cd4100ed..9b5565bf7 100644
--- a/postfix/src/global/pipe_command.c
+++ b/postfix/src/global/pipe_command.c
@@ -85,8 +85,7 @@
/* configuration parameter. The group ID must be non-zero.
/* .IP "PIPE_CMD_TIME_LIMIT (int)"
/* The amount of time the command is allowed to run before it
-/* is terminated with SIGKILL. The default is the limit given
-/* with the \fIcommand_time_limit\fR configuration parameter.
+/* is terminated with SIGKILL. The default is DEF_COMMAND_MAXTIME.
/* .IP "PIPE_CMD_SHELL (char *)"
/* The shell to use when executing the command specified with
/* PIPE_CMD_COMMAND. This shell is invoked regardless of the
@@ -211,7 +210,7 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
args->cwd = 0;
args->chroot = 0;
- pipe_command_maxtime = var_command_maxtime;
+ pipe_command_maxtime = DEF_COMMAND_MAXTIME;
/*
* Then, override the defaults with user-supplied inputs.
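Review bot: Replacing `var_command_maxtime` with `DEF_COMMAND_MAXTIME` means a caller that omits PIPE_CMD_TIME_LIMIT now gets the compiled-in default even when the administrator configured a different command_time_limit; that is presumably the intent (the library no longer depends on a per-daemon global, as the comment changes in local.c and pipe.c suggest), but it deserves a why-comment at the assignment, e.g. `/* Not var_command_maxtime: library code must not depend on a daemon global; callers pass PIPE_CMD_TIME_LIMIT. */`. Every caller should be checked to pass PIPE_CMD_TIME_LIMIT explicitly so the configured limit still applies. get_pipe_args continues outside this hunk.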
diff --git a/postfix/src/global/scache_clnt.c b/postfix/src/global/scache_clnt.c
index 658e88f75..05137a7a8 100644
--- a/postfix/src/global/scache_clnt.c
+++ b/postfix/src/global/scache_clnt.c
@@ -414,7 +414,7 @@ SCACHE *scache_clnt_create(const char *server, int timeout,
sp->scache->size = scache_clnt_size;
sp->scache->free = scache_clnt_free;
- service = concatenate("local:private/", var_scache_service, (char *) 0);
+ service = concatenate("local:private/", server, (char *) 0);
sp->auto_clnt = auto_clnt_create(service, timeout, idle_limit, ttl_limit);
myfree(service);
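Review bot: `server` is now spliced directly after `local:private/`, so it is interpreted as a service name rather than an endpoint, whereas the old code ignored the parameter in favor of the var_scache_service global and any caller passing a different name silently got the wrong service. The prototype's documentation should state that contract, e.g. `/* server: name of the cache service under private/, not a full endpoint. */`. concatenate() performs no validation of `server`; that is acceptable for a configuration value, but it is worth saying so in the same comment. scache_clnt_create continues outside this hunk.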
diff --git a/postfix/src/local/local.c b/postfix/src/local/local.c
index 43e5c271c..92ccca898 100644
--- a/postfix/src/local/local.c
+++ b/postfix/src/local/local.c
@@ -626,7 +626,7 @@ char *var_allow_commands;
char *var_allow_files;
char *var_alias_maps;
int var_dup_filter_limit;
-int var_command_maxtime;
+int var_command_maxtime; /* You can now leave this here. */
char *var_home_mailbox;
char *var_mailbox_command;
char *var_mailbox_cmd_maps;
diff --git a/postfix/src/pickup/pickup.c b/postfix/src/pickup/pickup.c
index 5d9d78c24..5fc5c1ca3 100644
--- a/postfix/src/pickup/pickup.c
+++ b/postfix/src/pickup/pickup.c
@@ -196,8 +196,9 @@ static int cleanup_service_error_reason(PICKUP_INFO *info, int status,
* -r" when a message is already delivered (or bounced). The Postfix
* sendmail command rejects submissions without recipients.
*/
- if (reason == 0)
- msg_warn("%s: %s", info->path, cleanup_strerror(status));
+ if (reason == 0 || *reason == 0)
+ msg_warn("%s: error writing %s: %s",
+ info->path, info->id, cleanup_strerror(status));
return ((status & (CLEANUP_STAT_BAD | CLEANUP_STAT_RCPT)) ?
REMOVE_MESSAGE_FILE : KEEP_MESSAGE_FILE);
}
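Review bot: The new warning formats `info->id` with `%s`; if the cleanup request can fail before a queue ID has been assigned, `info->id` may still be a null pointer here (its initialization is not visible in the diff), which is undefined behavior in a printf-style call. Either confirm that info->id is always set before this function is reached, or guard it: `info->path, info->id ? info->id : "(unknown)", cleanup_strerror(status));`. The `*reason == 0` test treats an empty reason like a missing one, which matches the message text; a one-line comment saying so would help the next reader. cleanup_service_error_reason begins outside this hunk.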
diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c
index 951222bbc..73e9978bb 100644
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@@ -530,7 +530,7 @@
* Tunable parameters. Values are taken from the config file, after
* prepending the service name to _name, and so on.
*/
-int var_command_maxtime; /* system-wide */
+int var_command_maxtime; /* You can now leave this here. */
/*
* For convenience. Instead of passing around lists of parameters, bundle
diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c
index 2667acf1e..88d513343 100644
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@@ -46,7 +46,14 @@
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* BUGS
-/* Some of the non-default protocol tests involve
+/* The \fBpostscreen\fR(8) built-in SMTP protocol engine does
+/* not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
+/* Support for STARTTLS and AUTH may be added in the future.
+/* In the mean time, if you need to make these services available
+/* on port 25, then do not enable the optional "after 220
+/* server greeting" tests.
+/*
+/* The optional "after 220 server greeting" tests involve
/* \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
/* these tests succeed, \fBpostscreen\fR(8) adds the client
/* to the temporary whitelist but it cannot not hand off the
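Review bot: The rewritten BUGS text tells operators to leave the "after 220 server greeting" tests off when STARTTLS or AUTH must be offered on port 25, but it no longer mentions the other options the previous wording gave: directing end-user clients to the submission service and whitelisting the systems that need those features. If the whitelist still bypasses these tests, a sentence such as `/* Alternatively, direct end-user clients to the submission service and whitelist the systems that need these features. */` would keep that guidance. The surviving context line "cannot not hand off" is a pre-existing double negative worth fixing in the same pass.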
@@ -58,14 +65,6 @@
/* server process to deliver mail. \fBpostscreen\fR(8) mitigates
/* the impact of this limitation by giving such tests a long
/* expiration time.
-/*
-/* The \fBpostscreen\fR(8) built-in SMTP protocol engine does
-/* not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
-/* (support for STARTTLS and AUTH may be added in the future).
-/* End-user clients should connect directly to the submission
-/* service; other systems that require the above features
-/* should directly connect to a Postfix SMTP server, or they
-/* should be placed on the \fBpostscreen\fR(8) whitelist.
/* CONFIGURATION PARAMETERS
/* .ad
/* .fi
@@ -525,7 +524,7 @@ static void ps_service(VSTREAM *smtp_client_stream,
* Reply with 421 when the client has too many open connections.
*/
if (var_ps_cconn_limit > 0
- && state->client_concurrency > var_ps_cconn_limit) {
+ && state->client_concurrency > var_ps_cconn_limit) {
msg_info("NOQUEUE: reject: CONNECT from [%s]:%s: too many connections",
state->smtp_client_addr, state->smtp_client_port);
PS_DROP_SESSION_STATE(state,
diff --git a/postfix/src/postscreen/postscreen_early.c b/postfix/src/postscreen/postscreen_early.c
index 54e27bc71..56844b91d 100644
--- a/postfix/src/postscreen/postscreen_early.c
+++ b/postfix/src/postscreen/postscreen_early.c
@@ -258,9 +258,7 @@ void ps_early_tests(PS_STATE *state)
*/
if ((state->flags & PS_STATE_FLAG_PREGR_TODO) != 0
&& ps_teaser_greeting != 0
- && ps_send_reply(vstream_fileno(state->smtp_client_stream),
- state->smtp_client_addr, state->smtp_client_port,
- ps_teaser_greeting) != 0) {
+ && PS_SEND_REPLY(state, ps_teaser_greeting) != 0) {
ps_hangup_event(state);
return;
}
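Review bot: `PS_SEND_REPLY(state, ps_teaser_greeting) != 0` now triggers ps_hangup_event() after every successful greeting send if ps_send_reply() returns write_buf()'s result, because the postscreen_send.c hunk changed `ret` from a 0/-1 flag to the raw write_buf() value, and Postfix's write_buf() returns the byte count on success (please confirm against util/write_buf.c). Either test `&& PS_SEND_REPLY(state, ps_teaser_greeting) < 0) {` here, or keep ps_send_reply() returning 0 on success as before. Whichever is chosen, the ps_send_reply() header comment in postscreen_send.c should state the contract, e.g. `/* Returns: -1 on write error (errno set), otherwise >= 0. */`, so callers do not guess. ps_early_tests continues outside this hunk.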
diff --git a/postfix/src/postscreen/postscreen_misc.c b/postfix/src/postscreen/postscreen_misc.c
index f077a57e6..075b0d203 100644
--- a/postfix/src/postscreen/postscreen_misc.c
+++ b/postfix/src/postscreen/postscreen_misc.c
@@ -125,9 +125,7 @@ void ps_conclude(PS_STATE *state)
ps_send_socket(state);
} else {
if ((state->flags & PS_STATE_FLAG_HANGUP) == 0)
- (void) ps_send_reply(vstream_fileno(state->smtp_client_stream),
- state->smtp_client_addr, state->smtp_client_port,
- state->final_reply);
+ (void) PS_SEND_REPLY(state, state->final_reply);
msg_info("DISCONNECT [%s]:%s", PS_CLIENT_ADDR_PORT(state));
ps_free_session_state(state);
}
diff --git a/postfix/src/postscreen/postscreen_send.c b/postfix/src/postscreen/postscreen_send.c
index 9a47e4fe8..4c6df1066 100644
--- a/postfix/src/postscreen/postscreen_send.c
+++ b/postfix/src/postscreen/postscreen_send.c
@@ -85,9 +85,8 @@ int ps_send_reply(int smtp_client_fd, const char *smtp_client_addr,
* XXX Need to make sure that the TCP send buffer is large enough for any
* response, so that a nasty client can't cause this process to block.
*/
- ret = (write_buf(smtp_client_fd, text, strlen(text),
- PS_SEND_TEXT_TIMEOUT) < 0);
- if (ret != 0 && errno != EPIPE)
+ ret = write_buf(smtp_client_fd, text, strlen(text), PS_SEND_TEXT_TIMEOUT);
+ if (ret < 0 && errno != EPIPE)
msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port);
return (ret);
}
@@ -164,9 +163,7 @@ void ps_send_socket(PS_STATE *state)
LOCAL_CONNECT(ps_smtpd_service_name, NON_BLOCKING,
PS_SEND_SOCK_CONNECT_TIMEOUT)) < 0) {
msg_warn("cannot connect to service %s: %m", ps_smtpd_service_name);
- ps_send_reply(vstream_fileno(state->smtp_client_stream),
- state->smtp_client_addr, state->smtp_client_port,
- "421 4.3.2 All server ports are busy\r\n");
+ PS_SEND_REPLY(state, "421 4.3.2 All server ports are busy\r\n");
ps_free_session_state(state);
return;
}
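Review bot: The result of PS_SEND_REPLY() is dropped without a cast here and again in the next hunk of this file, while postscreen_misc.c writes `(void) PS_SEND_REPLY(...)`; since ps_send_reply() now returns write_buf()'s value, use the same `(void) PS_SEND_REPLY(state, "421 4.3.2 All server ports are busy\r\n");` form in both places so readers know the discard is intended. ps_send_socket begins and ends outside this hunk.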
@@ -175,9 +172,7 @@ void ps_send_socket(PS_STATE *state)
vstream_fileno(state->smtp_client_stream)) < 0) {
msg_warn("cannot pass connection to service %s: %m",
ps_smtpd_service_name);
- ps_send_reply(vstream_fileno(state->smtp_client_stream),
- state->smtp_client_addr, state->smtp_client_port,
- "421 4.3.2 No system resources\r\n");
+ PS_SEND_REPLY(state, "421 4.3.2 No system resources\r\n");
ps_free_session_state(state);
return;
} else {
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index b58ad8436..c08a28a3e 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -753,7 +753,7 @@ int var_smtp_mxsess_limit;
int var_smtp_cache_conn;
int var_smtp_reuse_time;
char *var_smtp_cache_dest;
-char *var_scache_service;
+char *var_scache_service; /* You can now leave this here. */
bool var_smtp_cache_demand;
char *var_smtp_ehlo_dis_words;
char *var_smtp_ehlo_dis_maps;