postfix-2.8-20101204

2025-08-23 02:17:44 +00:00 · 2010-12-04 00:00:00 -05:00 · 2010-12-04 00:00:00 -05:00 · e31ae1582b
commit e31ae1582b
parent 556b04bfed
28 changed files with 720 additions and 270 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -16205,3 +16205,30 @@ Apologies for any names omitted.
 	Workaround: BSD-ish mkdir() ignores the effective GID
 	and copies group ownership from the parent directory.
 	File: util/make_dirs.c.
 20101202
 	Feature: the LDAP client can now authenticate to LDAP servers
 	via SASL. This is tested with SASL GSSAPI and Kerberos 5.
 	Code by Victor Duchovni. Files: global/dict_ldap.c,
 	proto/LDAP_README.html, proto/ldap_table.
 	Cleanup: the cleanup server now reports a temporary delivery
 	error when it reaches the virtual_alias_expansion_limit or
 	virtual_alias_recursion_limit. Previously, it would silently
 	ignore the excess recipients and deliver the message.  File:
 	cleanup/cleanup_map1n.c.
 20101204
 	Cleanup: sache_clnt_create() had an unnecessary data
 	dependency on the non-library var_scache_service variable,
 	causing problems with shared library builds.  Instead, it
 	should use its service argument (which has the same value).
 	File: global/scache.c.
 	Cleanup: pipe_command.c had an unnecessary data dependency
 	on the non-library var_command_maxtime variable, causing
 	problems with shared library builds. The dependency was not
 	necessary because the callers already specify an explicit
 	time limit.  File: global/pipe_command.c.
--- a/postfix/README_FILES/LDAP_README
+++ b/postfix/README_FILES/LDAP_README
@ -81,6 +81,11 @@ AUXLIBS line to point to libldap10.so or libldapssl30.so or whatever you have,
 and you may need to use the appropriate linker option (e.g. '-R') so the
 executables can find it at runtime.
 If you are using OpenLDAP, and the libraries were built with SASL support, you
 can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support. For example:
         CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
 CCoonnffiigguurriinngg LLDDAAPP llooookkuuppss
 In order to use LDAP lookups, define an LDAP source as a table lookup in
@ -89,8 +94,8 @@ main.cf, for example:
    alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
 The file /etc/postfix/ldap-aliases.cf can specify a great number of parameters,
-including parameters that enable LDAP SSL and STARTTLS. For a complete
+including parameters that enable LDAP SSL or STARTTLS, and LDAP SASL. For a
-description, see the ldap_table(5) manual page.
+complete description, see the ldap_table(5) manual page.
 EExxaammppllee:: llooccaall((88)) aalliiaasseess
@ -440,6 +445,8 @@ CCrreeddiittss
  * Gunnar Wrobel provided a first implementation of a feature to limit LDAP
    search results to leaf nodes only. Victor generalized this into the Postfix
    2.4 "leaf_result_attribute" feature.
  * Quanah Gibson-Mount contributed support for advanced LDAP SASL mechanisms,
    beyond the password-based LDAP "simple" bind.
 And of course Wietse.
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@ -39,7 +39,9 @@ The main challenge for postscreen(8) is to make an is-it-a-zombie decision
 based on a single measurement. This is necessary because many zombies avoid
 spamming the same site repeatedly, in an attempt to fly under the radar. Once
 postscreen(8) decides that a client is not-a-zombie, it whitelists the client
-temporarily to avoid further delays for legitimate mail.
+temporarily to avoid further delays for legitimate mail. Clients that pass
 postscreen(8) are still subject to the checks that are built into Postfix smtpd
 (8), Postfix built-in content filters, and external content filters.
 Zombies have challenges too: they have only a limited amount of time to deliver
 spam before their IP address becomes blacklisted. To speed up spam deliveries,
@ -50,23 +52,22 @@ continue sending mail even when the server tells them to go away.
 postscreen(8) uses a variety of measurements to recognize zombies. First,
 postscreen(8) determines if the remote SMTP client IP address is blacklisted.
 Second, postscreen(8) looks for protocol compromises that are made to speed up
-delivery. The results of such measurements don't change with each delivery
+delivery. These are good indicators for making is-it-a-zombie decisions based
-attempt, and are therefore good for making an is-it-a-zombie decision based on
+on single measurements.
 a single measurement.
-postscreen(8) does not inspect message content. Message content can vary widely
+postscreen(8) does not inspect message content. Message content can vary from
-with each delivery attempt, especially with clients that (also) send legitimate
+one delivery to the next, especially with clients that (also) send legitimate
-email. Content is therefore not good for making an is-it-a-zombie decision
+email. Content is not a good indicator for making is-it-a-zombie decisions
-based on a single measurement, and that is the problem that postscreen(8) is
+based on single measurements, and that is the problem that postscreen(8) is
 focused on.
 GGeenneerraall ooppeerraattiioonn
 The postscreen(8) triage process involves a number of tests, in the order as
 described below. Some tests introduce a delay of a few seconds. Once a client
-passes all tests, its IP address is temporarily excluded from any tests,
+passes a test, its IP address is whitelisted from 24 hours for simple tests, to
-typically 24 hours for simple tests or 1 week for complex tests. This minimizes
+1 week for complex tests. Whitelisting minimizes the impact of postscreen(8)'s
-the impact of the tests on legitimate mail clients.
+tests on legitimate mail clients.
 After logging its findings, postscreen(8) by default hands off all connections
 to a Postfix SMTP server process. This mode is useful for non-destructive
@ -252,11 +253,12 @@ discussed next.
  * postscreen(8)'s built-in SMTP engine does not implement the AUTH, STARTTLS,
    XCLIENT, and XFORWARD features. STARTTLS and AUTH support may be added in a
-    future version.
+    future version. In the mean time, if you need to make these services
    available on port 25, then do not enable the tests after the 220 server
    greeting.
-End-user clients should connect directly to the submission service. Other
+End-user clients should connect directly to the submission service, so that
-systems that require the above features should directly connect to a Postfix
+they never have to deal with postscreen(8)'s tests.
 SMTP server, or they should be placed on the postscreen(8) whitelist.
  * Command pipelining test
  * Non-SMTP command test
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -33,6 +33,14 @@ This is supported only when the default value is stress-dependent
 postscreen parameters always evaluate as if the stress value is 
 equal to the empty string.
 Incompatibility with snapshot 20101202
 ======================================
 Postfix now reports a temporary delivery error when the result of
 virtual alias expansion would exceed the virtual_alias_recursion_limit
 or virtual_alias_expansion_limit. Previously, Postfix would silently
 drop the excess recipients and deliver the message.
 Incompatibility with snapshot 20101130
 ======================================
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@ -6,9 +6,10 @@ Wish list:
 	smtpd xclient option for sasl_username.
-	Use different ipc_timeout settings for email message
+	Use different ipc time limits for email message transactions
-	transactions (smtpd, pickup)->cleanup and for quick query/reply
+	(smtpd, pickup)->cleanup and for quick query/reply transactions
-	transactions such as address rewriting/resolution.
+	such as address rewriting/resolution. Beware of large time
 	limits for local or virtual alias expansion.
 	permit_tempfail_action (default: defer_if_reject) to be
 	used as the default value for dnswl_tempfail_action and
@ -22,9 +23,11 @@ Wish list:
 	Replace sscanf() numerical conversions by strto[dl]()
 	for better error reporting.
-	Consistency: in postconf.proto make <dt>..</dt> tags bold.
+	As postscreen implements more ESMTP keywords, need to copy
 	inter-operability features from smtpd to filter keywords
 	and command syntax.
-	Milter addrcpt - use Sendmail-compatible default DSN settings.
+	Consistency: in postconf.proto make <dt>..</dt> tags bold.
 	postscreen(8): listen on multiple IP addresses and enforce
 	that the client contacts the primary MX address first (i.e.
--- a/postfix/html/LDAP_README.html
+++ b/postfix/html/LDAP_README.html
@ -128,6 +128,16 @@ change the AUXLIBS line to point to libldap10.so or libldapssl30.so
 or whatever you have, and you may need to use the appropriate linker
 option (e.g. '-R') so the executables can find it at runtime. </p>
 <p> If you are using OpenLDAP, and the libraries were built with SASL
 support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
 For example: </p>
 <blockquote>
 <pre>
     CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
 </pre>
 </blockquote>
 <h2><a name="config">Configuring LDAP lookups</a></h2>
 <p> In order to use LDAP lookups, define an LDAP source
@ -140,9 +150,9 @@ as a table lookup in <a href="postconf.5.html">main.cf</a>, for example: </p>
 </blockquote>
 <p> The file /etc/postfix/ldap-aliases.cf can specify a great number
-of parameters, including parameters that enable LDAP SSL and
+of parameters, including parameters that enable LDAP SSL or STARTTLS,
-STARTTLS. For a complete description, see the <a href="ldap_table.5.html">ldap_table(5)</a> manual
+and LDAP SASL. For a complete description, see the <a href="ldap_table.5.html">ldap_table(5)</a>
-page. </p>
+manual page. </p>
 <h2><a name="example_alias">Example: local(8) aliases</a></h2>
@ -591,6 +601,9 @@ expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
 limit LDAP search results to leaf nodes only. Victor generalized
 this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
 <li>Quanah Gibson-Mount contributed support for advanced LDAP SASL
 mechanisms, beyond the password-based LDAP "simple" bind. </li>
 </ul>
 And of course Wietse.
--- a/postfix/html/POSTSCREEN_README.html
+++ b/postfix/html/POSTSCREEN_README.html
@ -67,7 +67,10 @@ decision based on a single measurement. This is necessary because
 many zombies avoid spamming the same site repeatedly, in an attempt
 to fly under the radar.  Once <a href="postscreen.8.html">postscreen(8)</a> decides that a client
 is not-a-zombie, it whitelists the client temporarily to avoid
-further delays for legitimate mail.  </p>
+further delays for legitimate mail. Clients that pass <a href="postscreen.8.html">postscreen(8)</a>
 are still subject to the checks that are built into Postfix <a href="smtpd.8.html">smtpd(8)</a>,
 Postfix built-in content filters, and external content filters.
 </p>
 <p> Zombies have challenges too: they have only a limited amount
 of time to deliver spam before their IP address becomes blacklisted.
@ -79,25 +82,24 @@ mail even when the server tells them to go away. </p>
 <p> <a href="postscreen.8.html">postscreen(8)</a> uses a variety of measurements to recognize
 zombies.  First, <a href="postscreen.8.html">postscreen(8)</a> determines if the remote SMTP client
 IP address is blacklisted.  Second, <a href="postscreen.8.html">postscreen(8)</a> looks for protocol
-compromises that are made to speed up delivery.  The results of
+compromises that are made to speed up delivery.  These are good
-such measurements don't change with each delivery attempt, and are
+indicators for making is-it-a-zombie decisions based on single
-therefore good for making an is-it-a-zombie decision based on a
+measurements.  </p>
 single measurement.  </p>
 <p> <a href="postscreen.8.html">postscreen(8)</a> does not inspect message content. Message content
-can vary widely with each delivery attempt, especially with clients
+can vary from one delivery to the next, especially with clients
-that (also) send legitimate email. Content is therefore not good
+that (also) send legitimate email.  Content is not a good indicator
-for making an is-it-a-zombie decision based on a single measurement,
+for making is-it-a-zombie decisions based on single measurements,
 and that is the problem that <a href="postscreen.8.html">postscreen(8)</a> is focused on.  </p>
 <h2> <a name="general"> General operation </a> </h2>
 <p> The <a href="postscreen.8.html">postscreen(8)</a> triage process involves a number of tests,
 in the order as described below.  Some tests introduce a delay of
-a few seconds.  Once a client passes all tests, its IP address is
+a few seconds.  Once a client passes a test, its IP address is
-temporarily excluded from any tests, typically 24 hours for simple
+whitelisted from 24 hours for simple tests, to 1 week for complex
-tests or 1 week for complex tests.  This minimizes the impact of
+tests.  Whitelisting minimizes the impact of <a href="postscreen.8.html">postscreen(8)</a>'s tests
-the tests on legitimate mail clients. </p>
+on legitimate mail clients. </p>
 <p> After logging its findings, <a href="postscreen.8.html">postscreen(8)</a> by default hands off
 all connections to a Postfix SMTP server process. This mode is
@ -340,14 +342,15 @@ a relatively long expiration time. </p>
 <li> <p> <a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP engine does not implement
 the AUTH, STARTTLS, XCLIENT, and XFORWARD features.  STARTTLS and
-AUTH support may be added in a future version. </p>
+AUTH support may be added in a future version. In the mean time,
 if you need to make these services available on port 25, then do
 not enable the tests after the 220 server greeting. </p>
 </ul>
 <p> End-user clients should connect directly to the submission
-service. Other systems that require the above features
+service, so that they never have to deal with <a href="postscreen.8.html">postscreen(8)</a>'s tests.
-should directly connect to a Postfix SMTP server, or they
+</p>
 should be placed on the <a href="postscreen.8.html">postscreen(8)</a> whitelist. </p>
 <ul>
--- a/postfix/html/ldap_table.5.html
+++ b/postfix/html/ldap_table.5.html
@ -451,11 +451,26 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              and LDAP_SCOPE_ONELEVEL.
       <b>bind (default: yes)</b>
-              Whether or not to bind to the  LDAP  server.  Newer
+              Whether or how to bind to the  LDAP  server.  Newer
              LDAP implementations don't require clients to bind,
              which saves time. Example:
                  # Don't bind
                  bind = no
                  # Use SIMPLE bind
                  bind = yes
                  # Use SASL bind
                  bind = sasl
              Postfix versions prior to 2.8 only support "bind  =
              no"  which means don't bind, and "bind = yes" which
              means do a SIMPLE bind.  Postfix 2.8 and later also
              supports "bind = SASL" when compiled with LDAP SASL
              support as described in <a href="LDAP_README.html">LDAP_README</a>, it  also  adds
              the  synonyms "bind = none" and "bind = simple" for
              "bind = no" and "bind = yes" respectively. See  the
              SASL section below for additional parameters avail-
              able with "bind = sasl".
              If you do need to bind, you might consider  config-
              uring  Postfix to connect to the local machine on a
@ -470,6 +485,9 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              guished name. Example:
                  bind_dn = uid=postfix, dc=your, dc=com
              With "bind =  sasl"  (see  above)  the  DN  may  be
              optional  for some SASL mechanisms, don't specify a
              DN if not needed.
       <b>bind_pw (default: empty)</b>
              The password for the distinguished name  above.  If
@ -483,6 +501,9 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              mand. Example:
                  bind_pw = postfixpw
              With "bind = sasl" (see above) the password may  be
              optional  for some SASL mechanisms, don't specify a
              password if not needed.
       <b>cache (IGNORED with a warning)</b>
@ -553,6 +574,57 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              What  level  to  set  for debugging in the OpenLDAP
              libraries.
 <b>LDAP SASL PARAMETERS</b>
       If you're using the OpenLDAP libraries compiled with  SASL
       support,  Postfix  2.8 and later built with LDAP SASL sup-
       port as described in <a href="LDAP_README.html">LDAP_README</a> can authenticate to  LDAP
       servers via SASL.
       This  enables authentication to the LDAP server via mecha-
       nisms other than a simple password. The added  flexibility
       has  a  cost: it is no longer practical to set an explicit
       timeout on the duration of an LDAP bind  operation.  Under
       adverse  conditions,  whether a SASL bind times out, or if
       it does, the duration of the timeout is determined by  the
       LDAP and SASL libraries.
       It  is  best  to  use tables that use SASL binds via <a href="proxymap.8.html">prox-</a>
       <a href="proxymap.8.html">ymap(8)</a>, this way the requesting process can time-out  the
       proxymap  request.  This  also lets you tailer the process
       environment by overriding the <a href="proxymap.8.html">proxymap(8)</a>  import_environ-
       ment setting in <a href="master.5.html">master.cf</a>(5). Special environment settings
       may be needed to configure  GSSAPI  credential  caches  or
       other  SASL mechanism specific options. The GSSAPI creden-
       tials used for LDAP lookups may need to be different  than
       say those used for the Postfix SMTP client to authenticate
       to remote servers.
       Using SASL mechanisms requires LDAP  protocol  version  3,
       the  default  protocol version is 2 for backwards compati-
       bility. You must set "version = 3" in addition to "bind  =
       sasl".
       The  following  parameters are relevant to using LDAP with
       SASL
       <b>sasl (default: no)</b>
              Whether or not to use SASL  binds  to  the  server.
              Can be yes or no.
       <b>sasl_mechs (default: empty)</b>
              Space separated list of SASL mechanism(s) to try.
       <b>sasl_realm (default: empty)</b>
              SASL Realm to use, if applicable.
       <b>sasl_authz_id (default: empty)</b>
              The  SASL  authorization  identity  to  assert,  if
              applicable.
       <b>sasl_minssf (default: 0)</b>
              The minimum required sasl security factor  required
              to establish a connection.
 <b>LDAP SSL AND STARTTLS PARAMETERS</b>
       If  you're  using the OpenLDAP libraries compiled with SSL
       support, Postfix can connect to LDAP SSL servers  and  can
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@ -55,7 +55,14 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
       Problems and transactions are logged to <b>syslogd</b>(8).
 <b>BUGS</b>
-       Some   of   the   non-default   protocol   tests   involve
+       The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine  does  not
       announce  support for STARTTLS, AUTH, XCLIENT or XFORWARD.
       Support for STARTTLS and AUTH may be added in the  future.
       In  the  mean  time,  if  you  need to make these services
       available on port 25, then  do  not  enable  the  optional
       "after 220 server greeting" tests.
       The  optional  "after  220  server greeting" tests involve
       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When  these
       tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo-
       rary whitelist but it cannot not hand off the "live"  con-
@ -68,14 +75,6 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
       this  limitation  by  giving  such tests a long expiration
       time.
       The  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  built-in SMTP protocol engine does not
       announce support for STARTTLS, AUTH, XCLIENT  or  XFORWARD
       (support  for  STARTTLS  and  AUTH  may  be  added  in the
       future).  End-user clients should connect directly to  the
       submission  service;  other systems that require the above
       features should directly connect to a Postfix SMTP server,
       or they should be placed on the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> whitelist.
 <b>CONFIGURATION PARAMETERS</b>
       Changes to <a href="postconf.5.html">main.cf</a> are not  picked  up  automatically,  as
       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  processes  may  run for several hours.  Use
--- a/postfix/man/man5/ldap_table.5
+++ b/postfix/man/man5/ldap_table.5
@ -422,14 +422,27 @@ The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
 These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
 and LDAP_SCOPE_ONELEVEL.
 .IP "\fBbind (default: yes)\fR"
-Whether or not to bind to the LDAP server. Newer LDAP
+Whether or how to bind to the LDAP server. Newer LDAP
 implementations don't require clients to bind, which saves
 time. Example:
 .nf
    # Don't bind
    bind = no
    # Use SIMPLE bind
    bind = yes
    # Use SASL bind
    bind = sasl
 .fi
 Postfix versions prior to 2.8 only support "bind = no" which
 means don't bind, and "bind = yes" which means do a SIMPLE bind.
 Postfix 2.8 and later also supports "bind = SASL" when compiled
 with LDAP SASL support as described in LDAP_README, it also adds
 the synonyms "bind = none" and "bind = simple" for "bind = no"
 and "bind = yes" respectively. See the SASL section below for
 additional parameters available with "bind = sasl".
 If you do need to bind, you might consider configuring
 Postfix to connect to the local machine on a port that's
 an SSL tunnel to your LDAP server. If your LDAP server
@ -443,6 +456,8 @@ If you do have to bind, do it with this distinguished name. Example:
 .nf
    bind_dn = uid=postfix, dc=your, dc=com
 .fi
 With "bind = sasl" (see above) the DN may be optional for some SASL
 mechanisms, don't specify a DN if not needed.
 .IP "\fBbind_pw (default: empty)\fR"
 The password for the distinguished name above. If you have
 to use this, you probably want to make the map configuration
@ -456,6 +471,8 @@ command. Example:
 .nf
    bind_pw = postfixpw
 .fi
 With "bind = sasl" (see above) the password may be optional
 for some SASL mechanisms, don't specify a password if not needed.
 .IP "\fBcache (IGNORED with a warning)\fR"
 .IP "\fBcache_expiry (IGNORED with a warning)\fR"
 .IP "\fBcache_size (IGNORED with a warning)\fR"
@ -512,6 +529,49 @@ Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
 Specifies the LDAP protocol version to use.
 .IP "\fBdebuglevel (default: 0)\fR"
 What level to set for debugging in the OpenLDAP libraries.
 .SH "LDAP SASL PARAMETERS"
 .na
 .nf
 .ad
 .fi
 If you're using the OpenLDAP libraries compiled with SASL
 support, Postfix 2.8 and later built with LDAP SASL support
 as described in LDAP_README can authenticate to LDAP servers
 via SASL.
 This enables authentication to the LDAP server via mechanisms
 other than a simple password. The added flexibility has a cost:
 it is no longer practical to set an explicit timeout on the duration
 of an LDAP bind operation. Under adverse conditions, whether a SASL
 bind times out, or if it does, the duration of the timeout is
 determined by the LDAP and SASL libraries.
 It is best to use tables that use SASL binds via proxymap(8), this
 way the requesting process can time-out the proxymap request. This
 also lets you tailer the process environment by overriding the
 proxymap(8) import_environment setting in master.cf(5). Special
 environment settings may be needed to configure GSSAPI credential
 caches or other SASL mechanism specific options. The GSSAPI
 credentials used for LDAP lookups may need to be different than
 say those used for the Postfix SMTP client to authenticate to remote
 servers.
 Using SASL mechanisms requires LDAP protocol version 3, the default
 protocol version is 2 for backwards compatibility. You must set
 "version = 3" in addition to "bind = sasl".
 The following parameters are relevant to using LDAP with SASL
 .IP "\fBsasl (default: no)\fR"
 Whether or not to use SASL binds to the server.  Can be yes or no.
 .IP "\fBsasl_mechs (default: empty)\fR"
 Space separated list of SASL mechanism(s) to try.
 .IP "\fBsasl_realm (default: empty)\fR"
 SASL Realm to use, if applicable.
 .IP "\fBsasl_authz_id (default: empty)\fR"
 The SASL authorization identity to assert, if applicable.
 .IP "\fBsasl_minssf (default: 0)\fR"
 The minimum required sasl security factor required to establish a
 connection.
 .SH "LDAP SSL AND STARTTLS PARAMETERS"
 .na
 .nf
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@ -60,7 +60,14 @@ Problems and transactions are logged to \fBsyslogd\fR(8).
 .SH BUGS
 .ad
 .fi
-Some of the non-default protocol tests involve
+The \fBpostscreen\fR(8) built-in SMTP protocol engine does
 not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
 Support for STARTTLS and AUTH may be added in the future.
 In the mean time, if you need to make these services available
 on port 25, then do not enable the optional "after 220
 server greeting" tests.
 The optional "after 220 server greeting" tests involve
 \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
 these tests succeed, \fBpostscreen\fR(8) adds the client
 to the temporary whitelist but it cannot not hand off the
@ -72,14 +79,6 @@ connects, it will be allowed to talk to a Postfix SMTP
 server process to deliver mail. \fBpostscreen\fR(8) mitigates
 the impact of this limitation by giving such tests a long
 expiration time.
 The \fBpostscreen\fR(8) built-in SMTP protocol engine does
 not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
 (support for STARTTLS and AUTH may be added in the future).
 End-user clients should connect directly to the submission
 service; other systems that require the above features
 should directly connect to a Postfix SMTP server, or they
 should be placed on the \fBpostscreen\fR(8) whitelist.
 .SH "CONFIGURATION PARAMETERS"
 .na
 .nf
--- a/postfix/proto/LDAP_README.html
+++ b/postfix/proto/LDAP_README.html
@ -128,6 +128,16 @@ change the AUXLIBS line to point to libldap10.so or libldapssl30.so
 or whatever you have, and you may need to use the appropriate linker
 option (e.g. '-R') so the executables can find it at runtime. </p>
 <p> If you are using OpenLDAP, and the libraries were built with SASL
 support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
 For example: </p>
 <blockquote>
 <pre>
     CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
 </pre>
 </blockquote>
 <h2><a name="config">Configuring LDAP lookups</a></h2>
 <p> In order to use LDAP lookups, define an LDAP source
@ -140,9 +150,9 @@ alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
 </blockquote>
 <p> The file /etc/postfix/ldap-aliases.cf can specify a great number
-of parameters, including parameters that enable LDAP SSL and
+of parameters, including parameters that enable LDAP SSL or STARTTLS,
-STARTTLS. For a complete description, see the ldap_table(5) manual
+and LDAP SASL. For a complete description, see the ldap_table(5)
-page. </p>
+manual page. </p>
 <h2><a name="example_alias">Example: local(8) aliases</a></h2>
@ -591,6 +601,9 @@ expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
 limit LDAP search results to leaf nodes only. Victor generalized
 this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
 <li>Quanah Gibson-Mount contributed support for advanced LDAP SASL
 mechanisms, beyond the password-based LDAP "simple" bind. </li>
 </ul>
 And of course Wietse.
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@ -67,7 +67,10 @@ decision based on a single measurement. This is necessary because
 many zombies avoid spamming the same site repeatedly, in an attempt
 to fly under the radar.  Once postscreen(8) decides that a client
 is not-a-zombie, it whitelists the client temporarily to avoid
-further delays for legitimate mail.  </p>
+further delays for legitimate mail. Clients that pass postscreen(8)
 are still subject to the checks that are built into Postfix smtpd(8),
 Postfix built-in content filters, and external content filters.
 </p>
 <p> Zombies have challenges too: they have only a limited amount
 of time to deliver spam before their IP address becomes blacklisted.
@ -79,25 +82,24 @@ mail even when the server tells them to go away. </p>
 <p> postscreen(8) uses a variety of measurements to recognize
 zombies.  First, postscreen(8) determines if the remote SMTP client
 IP address is blacklisted.  Second, postscreen(8) looks for protocol
-compromises that are made to speed up delivery.  The results of
+compromises that are made to speed up delivery.  These are good
-such measurements don't change with each delivery attempt, and are
+indicators for making is-it-a-zombie decisions based on single
-therefore good for making an is-it-a-zombie decision based on a
+measurements.  </p>
 single measurement.  </p>
 <p> postscreen(8) does not inspect message content. Message content
-can vary widely with each delivery attempt, especially with clients
+can vary from one delivery to the next, especially with clients
-that (also) send legitimate email. Content is therefore not good
+that (also) send legitimate email.  Content is not a good indicator
-for making an is-it-a-zombie decision based on a single measurement,
+for making is-it-a-zombie decisions based on single measurements,
 and that is the problem that postscreen(8) is focused on.  </p>
 <h2> <a name="general"> General operation </a> </h2>
 <p> The postscreen(8) triage process involves a number of tests,
 in the order as described below.  Some tests introduce a delay of
-a few seconds.  Once a client passes all tests, its IP address is
+a few seconds.  Once a client passes a test, its IP address is
-temporarily excluded from any tests, typically 24 hours for simple
+whitelisted from 24 hours for simple tests, to 1 week for complex
-tests or 1 week for complex tests.  This minimizes the impact of
+tests.  Whitelisting minimizes the impact of postscreen(8)'s tests
-the tests on legitimate mail clients. </p>
+on legitimate mail clients. </p>
 <p> After logging its findings, postscreen(8) by default hands off
 all connections to a Postfix SMTP server process. This mode is
@ -340,14 +342,15 @@ a relatively long expiration time. </p>
 <li> <p> postscreen(8)'s built-in SMTP engine does not implement
 the AUTH, STARTTLS, XCLIENT, and XFORWARD features.  STARTTLS and
-AUTH support may be added in a future version. </p>
+AUTH support may be added in a future version. In the mean time,
 if you need to make these services available on port 25, then do
 not enable the tests after the 220 server greeting. </p>
 </ul>
 <p> End-user clients should connect directly to the submission
-service. Other systems that require the above features
+service, so that they never have to deal with postscreen(8)'s tests.
-should directly connect to a Postfix SMTP server, or they
+</p>
 should be placed on the postscreen(8) whitelist. </p>
 <ul>
--- a/postfix/proto/ldap_table
+++ b/postfix/proto/ldap_table
@ -410,14 +410,27 @@
 #	These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
 #	and LDAP_SCOPE_ONELEVEL.
 # .IP "\fBbind (default: yes)\fR"
-#	Whether or not to bind to the LDAP server. Newer LDAP
+#	Whether or how to bind to the LDAP server. Newer LDAP
 #	implementations don't require clients to bind, which saves
 #	time. Example:
 #
 # .nf
 #	    # Don't bind
 #	    bind = no
 #	    # Use SIMPLE bind
 #	    bind = yes
 #	    # Use SASL bind
 #	    bind = sasl
 # .fi
 #
 #	Postfix versions prior to 2.8 only support "bind = no" which
 #	means don't bind, and "bind = yes" which means do a SIMPLE bind.
 #	Postfix 2.8 and later also supports "bind = SASL" when compiled
 #	with LDAP SASL support as described in LDAP_README, it also adds
 #	the synonyms "bind = none" and "bind = simple" for "bind = no"
 #	and "bind = yes" respectively. See the SASL section below for
 #	additional parameters available with "bind = sasl".
 #
 #	If you do need to bind, you might consider configuring
 #	Postfix to connect to the local machine on a port that's
 #	an SSL tunnel to your LDAP server. If your LDAP server
@ -431,6 +444,8 @@
 # .nf
 #	    bind_dn = uid=postfix, dc=your, dc=com
 # .fi
 #	With "bind = sasl" (see above) the DN may be optional for some SASL
 #	mechanisms, don't specify a DN if not needed.
 # .IP "\fBbind_pw (default: empty)\fR"
 #	The password for the distinguished name above. If you have
 #	to use this, you probably want to make the map configuration
@ -444,6 +459,8 @@
 # .nf
 #	    bind_pw = postfixpw
 # .fi
 #	With "bind = sasl" (see above) the password may be optional
 #	for some SASL mechanisms, don't specify a password if not needed.
 # .IP "\fBcache (IGNORED with a warning)\fR"
 # .IP "\fBcache_expiry (IGNORED with a warning)\fR"
 # .IP "\fBcache_size (IGNORED with a warning)\fR"
@ -500,6 +517,47 @@
 #	Specifies the LDAP protocol version to use.
 # .IP "\fBdebuglevel (default: 0)\fR"
 #	What level to set for debugging in the OpenLDAP libraries.
 # LDAP SASL PARAMETERS
 # .ad
 # .fi
 #	If you're using the OpenLDAP libraries compiled with SASL
 #	support, Postfix 2.8 and later built with LDAP SASL support
 #	as described in LDAP_README can authenticate to LDAP servers
 #	via SASL.
 #
 #	This enables authentication to the LDAP server via mechanisms
 #	other than a simple password. The added flexibility has a cost:
 #	it is no longer practical to set an explicit timeout on the duration
 #	of an LDAP bind operation. Under adverse conditions, whether a SASL
 #	bind times out, or if it does, the duration of the timeout is
 #	determined by the LDAP and SASL libraries.
 #
 # 	It is best to use tables that use SASL binds via proxymap(8), this
 #	way the requesting process can time-out the proxymap request. This
 #	also lets you tailer the process environment by overriding the
 #	proxymap(8) import_environment setting in master.cf(5). Special
 #	environment settings may be needed to configure GSSAPI credential
 #	caches or other SASL mechanism specific options. The GSSAPI
 #	credentials used for LDAP lookups may need to be different than
 #	say those used for the Postfix SMTP client to authenticate to remote
 #	servers.
 #
 #	Using SASL mechanisms requires LDAP protocol version 3, the default
 #	protocol version is 2 for backwards compatibility. You must set
 #	"version = 3" in addition to "bind = sasl".
 #
 #	The following parameters are relevant to using LDAP with SASL
 # .IP "\fBsasl (default: no)\fR"
 #	Whether or not to use SASL binds to the server.  Can be yes or no.
 # .IP "\fBsasl_mechs (default: empty)\fR"
 #	Space separated list of SASL mechanism(s) to try. 
 # .IP "\fBsasl_realm (default: empty)\fR"
 #	SASL Realm to use, if applicable.
 # .IP "\fBsasl_authz_id (default: empty)\fR"
 #	The SASL authorization identity to assert, if applicable.
 # .IP "\fBsasl_minssf (default: 0)\fR"
 #	The minimum required sasl security factor required to establish a
 #	connection.
 # LDAP SSL AND STARTTLS PARAMETERS
 # .ad
 # .fi
--- a/postfix/src/cleanup/cleanup_map1n.c
+++ b/postfix/src/cleanup/cleanup_map1n.c
@ -15,13 +15,18 @@
 /*	This module implements one-to-many table mapping via table lookup.
 /*	Table lookups are done with quoted (externalized) address forms.
 /*	The process is recursive. The recursion terminates when the
-/*	left-hand side appears in its own expansion, or when a maximal
+/*	left-hand side appears in its own expansion.
 /*	nesting level is reached.
 /*
 /*	cleanup_map1n_internal() is the interface for addresses in
 /*	internal (unquoted) form.
 /* DIAGNOSTICS
-/*	Recoverable errors: the global \fIcleanup_errs\fR flag is updated.
+/*	When the maximal expansion or recursion limit is reached,
 /*	the alias is not expanded and the CLEANUP_STAT_DEFER error
 /*	is raised with reason "4.6.0 Alias expansion error".
 /*
 /*	When table lookup fails, the alias is not expanded and the
 /*	CLEANUP_STAT_WRITE error is raised with reason "4.6.0 Alias
 /*	expansion error".
 /* SEE ALSO
 /*	mail_addr_map(3) address mappings
 /*	mail_addr_find(3) address lookups
@ -93,15 +98,26 @@ ARGV   *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
     * must index the array explicitly, instead of running along it with a
     * pointer.
     */
-#define UPDATE(ptr,new)	{ myfree(ptr); ptr = mystrdup(new); }
+#define UPDATE(ptr,new)	do { \
 	if (ptr) myfree(ptr); ptr = mystrdup(new); \
    } while (0)
 #define STR	vstring_str
-#define RETURN(x) { been_here_free(been_here); return (x); }
+#define RETURN(x) do { \
 	been_here_free(been_here); return (x); \
    } while (0)
 #define UNEXPAND(argv, addr) do { \
 	argv_truncate((argv), 0); argv_add((argv), (addr), (char *) 0); \
    } while (0)
    for (arg = 0; arg < argv->argc; arg++) {
 	if (argv->argc > var_virt_expan_limit) {
-	    msg_warn("%s: unreasonable %s map expansion size for %s",
+	    msg_warn("%s: unreasonable %s map expansion size for %s -- "
 		     "deferring delivery",
 		     state->queue_id, maps->title, addr);
-	    break;
+	    state->errs |= CLEANUP_STAT_DEFER;
 	    UPDATE(state->reason, "4.6.0 Alias expansion error");
 	    UNEXPAND(argv, addr);
 	    RETURN(argv);
 	}
 	for (count = 0; /* void */ ; count++) {
@ -111,9 +127,13 @@ ARGV   *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
 	    if (been_here_check_fixed(been_here, argv->argv[arg]) != 0)
 		break;
 	    if (count >= var_virt_recur_limit) {
-		msg_warn("%s: unreasonable %s map nesting for %s",
+		msg_warn("%s: unreasonable %s map nesting for %s -- "
 			 "deferring delivery",
 			 state->queue_id, maps->title, addr);
-		break;
+		state->errs |= CLEANUP_STAT_DEFER;
 		UPDATE(state->reason, "4.6.0 Alias expansion error");
 		UNEXPAND(argv, addr);
 		RETURN(argv);
 	    }
 	    quote_822_local(state->temp1, argv->argv[arg]);
 	    if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) {
@ -136,9 +156,12 @@ ARGV   *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
 		myfree(saved_lhs);
 		argv_free(lookup);
 	    } else if (dict_errno != 0) {
-		msg_warn("%s: %s map lookup problem for %s",
+		msg_warn("%s: %s map lookup problem for %s -- "
 			 "deferring delivery",
 			 state->queue_id, maps->title, addr);
 		state->errs |= CLEANUP_STAT_WRITE;
 		UPDATE(state->reason, "4.6.0 Alias expansion error");
 		UNEXPAND(argv, addr);
 		RETURN(argv);
 	    } else {
 		break;
--- a/postfix/src/global/dict_ldap.c
+++ b/postfix/src/global/dict_ldap.c
@ -103,6 +103,16 @@
 /* .IP version
 /*	Specifies the LDAP protocol version to use.  Default is version
 /*	\fI2\fR.
 /* .IP "\fBsasl (no)\fR"
 /*	Whether or not to use SASL binds with the server.
 /* .IP "\fBsasl_mechs (empty)\fR"
 /*	Specifies a space-separated list of LDAP SASL Mechanisms.
 /* .IP "\fBsasl_realm (empty)\fR"
 /*	The realm to use for SASL binds.
 /* .IP "\fBsasl_authz_id (empty)\fR"
 /*	The SASL Authorization Identity to assert.
 /* .IP "\fBsasl_minssf (0)\fR"
 /*	The minimum SASL SSF to allow.
 /* .IP start_tls
 /*	Whether or not to issue STARTTLS upon connection to the server.
 /*	At this time, STARTTLS and LDAP SSL are only available if the
@ -208,16 +218,44 @@
 #include <dict.h>
 #include <stringops.h>
 #include <binhash.h>
 #include <name_code.h>
 /* Global library. */
 #include "cfg_parser.h"
 #include "db_common.h"
 #include "mail_conf.h"
 #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
 /*
  * SASL headers, for sasl_interact_t. Either SASL v1 or v2 should be fine.
  */
 #include <sasl.h>
 #endif
 /* Application-specific. */
 #include "dict_ldap.h"
 #define DICT_LDAP_BIND_NONE	0
 #define DICT_LDAP_BIND_SIMPLE	1
 #define DICT_LDAP_BIND_SASL	2
 #define DICT_LDAP_DO_BIND(d)	((d)->bind != DICT_LDAP_BIND_NONE)
 #define DICT_LDAP_DO_SASL(d)	((d)->bind == DICT_LDAP_BIND_SASL)
 static const NAME_CODE bindopt_table[] = {
    CONFIG_BOOL_NO,	DICT_LDAP_BIND_NONE,
    "none",		DICT_LDAP_BIND_NONE,
    CONFIG_BOOL_YES,	DICT_LDAP_BIND_SIMPLE,
    "simple",		DICT_LDAP_BIND_SIMPLE,
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    "sasl", 		DICT_LDAP_BIND_SASL,
 #endif
 #endif
    0, -1,
 };
 typedef struct {
    LDAP   *conn_ld;
    int     conn_refcount;
@ -254,6 +292,13 @@ typedef struct {
    int     debuglevel;
    int     version;
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    int     sasl;
    char    *sasl_mechs;
    char    *sasl_realm;
    char    *sasl_authz;
    int     sasl_minssf;
 #endif
    int     ldap_ssl;
    int     start_tls;
    int     tls_require_cert;
@ -407,6 +452,49 @@ static int dict_ldap_set_errno(LDAP *ld, int rc)
    return rc;
 }
 #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
 /*
  * Context structure for SASL property callback.
  */
 typedef struct bind_props {
    char *authcid;
    char *passwd;
    char *realm;
    char *authzid;
 } bind_props;
 static int
 ldap_b2_interact(LDAP *ld, unsigned flags, void *props, void *inter)
 {
    sasl_interact_t *in;
    bind_props *ctx = (bind_props *)props;
    for (in = inter; in->id != SASL_CB_LIST_END; in++)
    {
 	in->result = NULL;
 	switch(in->id)
 	{
 	case SASL_CB_GETREALM:
 	    in->result = ctx->realm;
 	    break;
 	case SASL_CB_AUTHNAME:
 	    in->result = ctx->authcid;
 	    break;
 	case SASL_CB_USER:
 	    in->result = ctx->authzid;
 	    break;
 	case SASL_CB_PASS:
 	    in->result = ctx->passwd;
 	    break;
 	}
 	if (in->result)
 	    in->len = strlen(in->result);
    }
    return LDAP_SUCCESS;
 }
 #endif
 /* dict_ldap_result - Read and parse LDAP result */
 static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
@ -427,6 +515,40 @@ static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
    return LDAP_SUCCESS;
 }
 #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
 /* Asynchronous SASL auth if SASL is enabled */
 static int dict_ldap_bind_sasl(DICT_LDAP *dict_ldap)
 {
    int     rc;
    bind_props props;
    static VSTRING *minssf = 0;
    if (minssf == 0)
 	minssf = vstring_alloc(12);
    vstring_sprintf(minssf, "minssf=%d", dict_ldap->sasl_minssf);
    if ((rc = ldap_set_option(dict_ldap->ld, LDAP_OPT_X_SASL_SECPROPS,
 			       (char *) minssf)) != LDAP_OPT_SUCCESS)
 	return (rc);
    props.authcid = dict_ldap->bind_dn;
    props.passwd = dict_ldap->bind_pw;
    props.realm = dict_ldap->sasl_realm;
    props.authzid = dict_ldap->sasl_authz;
    if ((rc = ldap_sasl_interactive_bind_s(dict_ldap->ld, NULL,
 					    dict_ldap->sasl_mechs, NULL, NULL,
 					    LDAP_SASL_QUIET, ldap_b2_interact,
 					    &props)) != LDAP_SUCCESS)
 	return (rc);
    return (LDAP_SUCCESS);
 }
 #endif
 /* dict_ldap_bind_st - Synchronous simple auth with timeout */
 static int dict_ldap_bind_st(DICT_LDAP *dict_ldap)
@ -746,26 +868,36 @@ static int dict_ldap_connect(DICT_LDAP *dict_ldap)
    }
 #endif
 #define DN_LOG_VAL(dict_ldap) \
 	((dict_ldap)->bind_dn[0] ? (dict_ldap)->bind_dn : "empty or implicit")
    /*
     * If this server requires a bind, do so. Thanks to Sam Tardieu for
     * noticing that the original bind call was broken.
     */
-    if (dict_ldap->bind) {
+    if (DICT_LDAP_DO_BIND(dict_ldap)) {
 	if (msg_verbose)
-	    msg_info("%s: Binding to server %s as dn %s",
+	    msg_info("%s: Binding to server %s with dn %s",
-		     myname, dict_ldap->server_host, dict_ldap->bind_dn);
+		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
 #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
 	if (DICT_LDAP_DO_SASL(dict_ldap)) {
 	    rc = dict_ldap_bind_sasl(dict_ldap);
 	} else {
 	    rc = dict_ldap_bind_st(dict_ldap);
 	}
 #else
 	rc = dict_ldap_bind_st(dict_ldap);
 #endif
 	if (rc != LDAP_SUCCESS) {
-	    msg_warn("%s: Unable to bind to server %s as %s: %d (%s)",
+	    msg_warn("%s: Unable to bind to server %s with dn %s: %d (%s)",
-		     myname, dict_ldap->server_host, dict_ldap->bind_dn,
+		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap),
 		     rc, ldap_err2string(rc));
 	    DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
 	}
 	if (msg_verbose)
-	    msg_info("%s: Successful bind to server %s as %s ",
+	    msg_info("%s: Successful bind to server %s with dn %s",
-		     myname, dict_ldap->server_host, dict_ldap->bind_dn);
+		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
    }
    /* Save connection handle in shared container */
    DICT_LDAP_CONN(dict_ldap)->conn_ld = dict_ldap->ld;
@ -798,13 +930,19 @@ static void dict_ldap_conn_find(DICT_LDAP *dict_ldap)
    ADDSTR(keybuf, dict_ldap->server_host);
    ADDINT(keybuf, dict_ldap->server_port);
    ADDINT(keybuf, dict_ldap->bind);
-    ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_dn : "");
+    ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_dn : "");
-    ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_pw : "");
+    ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_pw : "");
    ADDINT(keybuf, dict_ldap->dereference);
    ADDINT(keybuf, dict_ldap->chase_referrals);
    ADDINT(keybuf, dict_ldap->debuglevel);
    ADDINT(keybuf, dict_ldap->version);
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_mechs : "");
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_realm : "");
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_authz : "");
    ADDINT(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_minssf : 0);
 #endif
    ADDINT(keybuf, dict_ldap->ldap_ssl);
    ADDINT(keybuf, dict_ldap->start_tls);
    ADDINT(keybuf, sslon ? dict_ldap->tls_require_cert : 0);
@ -1437,6 +1575,13 @@ static void dict_ldap_close(DICT *dict)
    if (dict_ldap->ctx)
 	db_common_free_ctx(dict_ldap->ctx);
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    if (DICT_LDAP_DO_SASL(dict_ldap)) {
 	myfree(dict_ldap->sasl_mechs);
 	myfree(dict_ldap->sasl_realm);
 	myfree(dict_ldap->sasl_authz);
    }
 #endif
    myfree(dict_ldap->tls_ca_cert_file);
    myfree(dict_ldap->tls_ca_cert_dir);
    myfree(dict_ldap->tls_cert);
@ -1461,6 +1606,7 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
    char   *server_host;
    char   *scope;
    char   *attr;
    char   *bindopt;
    int     tmp;
    int     vendor_version = dict_ldap_vendor_version();
@ -1666,9 +1812,14 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
    myfree(attr);
    /*
-     * get configured value of "bind"; default to true
+     * get configured value of "bind"; default to simple bind
     */
-    dict_ldap->bind = cfg_get_bool(dict_ldap->parser, "bind", 1);
+    bindopt = cfg_get_str(dict_ldap->parser, "bind", CONFIG_BOOL_YES, 1, 0);
    dict_ldap->bind = name_code(bindopt_table, NAME_CODE_FLAG_NONE, bindopt);
    if (dict_ldap->bind < 0)
 	msg_fatal("%s: unsupported parameter value: %s = %s",
 		  dict_ldap->parser->name, "bind", bindopt);
    myfree(bindopt);
    /*
     * get configured value of "bind_dn"; default to ""
@ -1723,6 +1874,25 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
 					      "chase_referrals", 0);
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    /*
     * SASL options
     */
    if (DICT_LDAP_DO_SASL(dict_ldap)) {
 	dict_ldap->sasl_mechs =
 	    cfg_get_str(dict_ldap->parser, "sasl_mechs", "", 0, 0);
 	dict_ldap->sasl_realm =
 	    cfg_get_str(dict_ldap->parser, "sasl_realm", "", 0, 0);
 	dict_ldap->sasl_authz =
 	    cfg_get_str(dict_ldap->parser, "sasl_authz_id", "", 0, 0);
 	dict_ldap->sasl_minssf =
 	    cfg_get_int(dict_ldap->parser, "sasl_minssf", 0, 0, 4096);
    } else {
 	dict_ldap->sasl_mechs = 0;
 	dict_ldap->sasl_realm = 0;
 	dict_ldap->sasl_authz = 0;
    }
 #endif
    /*
     * TLS options
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20101201"
+#define MAIL_RELEASE_DATE	"20101204"
 #define MAIL_VERSION_NUMBER	"2.8"
 #ifdef SNAPSHOT
--- a/postfix/src/global/mime_state.c
+++ b/postfix/src/global/mime_state.c
@ -49,7 +49,7 @@
 /*
 /*	In order to fend off denial of service attacks, message headers
 /*	are truncated at or above var_header_limit bytes, message boundary
-/*	strings are truncated at var_boundary_len bytes, and the multipart
+/*	strings are truncated at var_mime_bound_len bytes, and the multipart
 /*	nesting level is limited to var_mime_maxdepth levels.
 /*
 /*	mime_state_alloc() creates a MIME state machine. The machine
--- a/postfix/src/global/pipe_command.c
+++ b/postfix/src/global/pipe_command.c
@ -85,8 +85,7 @@
 /*	configuration parameter. The group ID must be non-zero.
 /* .IP "PIPE_CMD_TIME_LIMIT (int)"
 /*	The amount of time the command is allowed to run before it
-/*	is terminated with SIGKILL. The default is the limit given
+/*	is terminated with SIGKILL. The default is DEF_COMMAND_MAXTIME.
 /*	with the \fIcommand_time_limit\fR configuration parameter.
 /* .IP "PIPE_CMD_SHELL (char *)"
 /*	The shell to use when executing the command specified with
 /*	PIPE_CMD_COMMAND. This shell is invoked regardless of the
@ -211,7 +210,7 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
    args->cwd = 0;
    args->chroot = 0;
-    pipe_command_maxtime = var_command_maxtime;
+    pipe_command_maxtime = DEF_COMMAND_MAXTIME;
    /*
     * Then, override the defaults with user-supplied inputs.
--- a/postfix/src/global/scache_clnt.c
+++ b/postfix/src/global/scache_clnt.c
@ -414,7 +414,7 @@ SCACHE *scache_clnt_create(const char *server, int timeout,
    sp->scache->size = scache_clnt_size;
    sp->scache->free = scache_clnt_free;
-    service = concatenate("local:private/", var_scache_service, (char *) 0);
+    service = concatenate("local:private/", server, (char *) 0);
    sp->auto_clnt = auto_clnt_create(service, timeout, idle_limit, ttl_limit);
    myfree(service);
--- a/postfix/src/local/local.c
+++ b/postfix/src/local/local.c
@ -626,7 +626,7 @@ char   *var_allow_commands;
 char   *var_allow_files;
 char   *var_alias_maps;
 int     var_dup_filter_limit;
-int     var_command_maxtime;
+int     var_command_maxtime;		/* You can now leave this here. */
 char   *var_home_mailbox;
 char   *var_mailbox_command;
 char   *var_mailbox_cmd_maps;
--- a/postfix/src/pickup/pickup.c
+++ b/postfix/src/pickup/pickup.c
@ -196,8 +196,9 @@ static int cleanup_service_error_reason(PICKUP_INFO *info, int status,
     * -r" when a message is already delivered (or bounced). The Postfix
     * sendmail command rejects submissions without recipients.
     */
-    if (reason == 0)
+    if (reason == 0 || *reason == 0)
-	msg_warn("%s: %s", info->path, cleanup_strerror(status));
+	msg_warn("%s: error writing %s: %s",
 		  info->path, info->id, cleanup_strerror(status));
    return ((status & (CLEANUP_STAT_BAD | CLEANUP_STAT_RCPT)) ?
 	    REMOVE_MESSAGE_FILE : KEEP_MESSAGE_FILE);
 }
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@ -530,7 +530,7 @@
  * Tunable parameters. Values are taken from the config file, after
  * prepending the service name to _name, and so on.
  */
-int     var_command_maxtime;		/* system-wide */
+int     var_command_maxtime;		/* You can now leave this here. */
 /*
  * For convenience. Instead of passing around lists of parameters, bundle
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@ -46,7 +46,14 @@
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8).
 /* BUGS
-/*	Some of the non-default protocol tests involve
+/*	The \fBpostscreen\fR(8) built-in SMTP protocol engine does
 /*	not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
 /*	Support for STARTTLS and AUTH may be added in the future.
 /*	In the mean time, if you need to make these services available
 /*	on port 25, then do not enable the optional "after 220
 /*	server greeting" tests.
 /*
 /*	The optional "after 220 server greeting" tests involve
 /*	\fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
 /*	these tests succeed, \fBpostscreen\fR(8) adds the client
 /*	to the temporary whitelist but it cannot not hand off the
@ -58,14 +65,6 @@
 /*	server process to deliver mail. \fBpostscreen\fR(8) mitigates
 /*	the impact of this limitation by giving such tests a long
 /*	expiration time.
 /*
 /*	The \fBpostscreen\fR(8) built-in SMTP protocol engine does
 /*	not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
 /*	(support for STARTTLS and AUTH may be added in the future).
 /*	End-user clients should connect directly to the submission
 /*	service; other systems that require the above features
 /*	should directly connect to a Postfix SMTP server, or they
 /*	should be placed on the \fBpostscreen\fR(8) whitelist.
 /* CONFIGURATION PARAMETERS
 /* .ad
 /* .fi
--- a/postfix/src/postscreen/postscreen_early.c
+++ b/postfix/src/postscreen/postscreen_early.c
@ -258,9 +258,7 @@ void    ps_early_tests(PS_STATE *state)
     */
    if ((state->flags & PS_STATE_FLAG_PREGR_TODO) != 0
 	&& ps_teaser_greeting != 0
-	&& ps_send_reply(vstream_fileno(state->smtp_client_stream),
+	&& PS_SEND_REPLY(state, ps_teaser_greeting) != 0) {
 			 state->smtp_client_addr, state->smtp_client_port,
 			 ps_teaser_greeting) != 0) {
 	ps_hangup_event(state);
 	return;
    }
--- a/postfix/src/postscreen/postscreen_misc.c
+++ b/postfix/src/postscreen/postscreen_misc.c
@ -125,9 +125,7 @@ void    ps_conclude(PS_STATE *state)
 	ps_send_socket(state);
    } else {
 	if ((state->flags & PS_STATE_FLAG_HANGUP) == 0)
-	    (void) ps_send_reply(vstream_fileno(state->smtp_client_stream),
+	    (void) PS_SEND_REPLY(state, state->final_reply);
 			   state->smtp_client_addr, state->smtp_client_port,
 				 state->final_reply);
 	msg_info("DISCONNECT [%s]:%s", PS_CLIENT_ADDR_PORT(state));
 	ps_free_session_state(state);
    }
--- a/postfix/src/postscreen/postscreen_send.c
+++ b/postfix/src/postscreen/postscreen_send.c
@ -85,9 +85,8 @@ int     ps_send_reply(int smtp_client_fd, const char *smtp_client_addr,
     * XXX Need to make sure that the TCP send buffer is large enough for any
     * response, so that a nasty client can't cause this process to block.
     */
-    ret = (write_buf(smtp_client_fd, text, strlen(text),
+    ret = write_buf(smtp_client_fd, text, strlen(text), PS_SEND_TEXT_TIMEOUT);
-		     PS_SEND_TEXT_TIMEOUT) < 0);
+    if (ret < 0 && errno != EPIPE)
    if (ret != 0 && errno != EPIPE)
 	msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port);
    return (ret);
 }
@ -164,9 +163,7 @@ void    ps_send_socket(PS_STATE *state)
 	 LOCAL_CONNECT(ps_smtpd_service_name, NON_BLOCKING,
 		       PS_SEND_SOCK_CONNECT_TIMEOUT)) < 0) {
 	msg_warn("cannot connect to service %s: %m", ps_smtpd_service_name);
-	ps_send_reply(vstream_fileno(state->smtp_client_stream),
+	PS_SEND_REPLY(state, "421 4.3.2 All server ports are busy\r\n");
 		      state->smtp_client_addr, state->smtp_client_port,
 		      "421 4.3.2 All server ports are busy\r\n");
 	ps_free_session_state(state);
 	return;
    }
@ -175,9 +172,7 @@ void    ps_send_socket(PS_STATE *state)
 		      vstream_fileno(state->smtp_client_stream)) < 0) {
 	msg_warn("cannot pass connection to service %s: %m",
 		 ps_smtpd_service_name);
-	ps_send_reply(vstream_fileno(state->smtp_client_stream),
+	PS_SEND_REPLY(state, "421 4.3.2 No system resources\r\n");
 		      state->smtp_client_addr, state->smtp_client_port,
 		      "421 4.3.2 No system resources\r\n");
 	ps_free_session_state(state);
 	return;
    } else {
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@ -753,7 +753,7 @@ int     var_smtp_mxsess_limit;
 int     var_smtp_cache_conn;
 int     var_smtp_reuse_time;
 char   *var_smtp_cache_dest;
-char   *var_scache_service;
+char   *var_scache_service;		/* You can now leave this here. */
 bool    var_smtp_cache_demand;
 char   *var_smtp_ehlo_dis_words;
 char   *var_smtp_ehlo_dis_maps;