postfix-2.8-20101204

2025-08-22 09:57:34 +00:00 · 2010-12-04 00:00:00 -05:00 · 2010-12-04 00:00:00 -05:00 · e31ae1582b
commit e31ae1582b
parent 556b04bfed
28 changed files with 720 additions and 270 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -16205,3 +16205,30 @@ Apologies for any names omitted.
 	Workaround: BSD-ish mkdir() ignores the effective GID
 	and copies group ownership from the parent directory.
 	File: util/make_dirs.c.
 20101202
 	Feature: the LDAP client can now authenticate to LDAP servers
 	via SASL. This is tested with SASL GSSAPI and Kerberos 5.
 	Code by Victor Duchovni. Files: global/dict_ldap.c,
 	proto/LDAP_README.html, proto/ldap_table.
 	Cleanup: the cleanup server now reports a temporary delivery
 	error when it reaches the virtual_alias_expansion_limit or
 	virtual_alias_recursion_limit. Previously, it would silently
 	ignore the excess recipients and deliver the message.  File:
 	cleanup/cleanup_map1n.c.
 20101204
 	Cleanup: sache_clnt_create() had an unnecessary data
 	dependency on the non-library var_scache_service variable,
 	causing problems with shared library builds.  Instead, it
 	should use its service argument (which has the same value).
 	File: global/scache.c.
 	Cleanup: pipe_command.c had an unnecessary data dependency
 	on the non-library var_command_maxtime variable, causing
 	problems with shared library builds. The dependency was not
 	necessary because the callers already specify an explicit
 	time limit.  File: global/pipe_command.c.
--- a/postfix/README_FILES/LDAP_README
+++ b/postfix/README_FILES/LDAP_README
@ -81,6 +81,11 @@ AUXLIBS line to point to libldap10.so or libldapssl30.so or whatever you have,
 and you may need to use the appropriate linker option (e.g. '-R') so the
 executables can find it at runtime.
 If you are using OpenLDAP, and the libraries were built with SASL support, you
 can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support. For example:
         CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
 CCoonnffiigguurriinngg LLDDAAPP llooookkuuppss
 In order to use LDAP lookups, define an LDAP source as a table lookup in
@ -89,8 +94,8 @@ main.cf, for example:
    alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
 The file /etc/postfix/ldap-aliases.cf can specify a great number of parameters,
-including parameters that enable LDAP SSL and STARTTLS. For a complete
+including parameters that enable LDAP SSL or STARTTLS, and LDAP SASL. For a
-description, see the ldap_table(5) manual page.
+complete description, see the ldap_table(5) manual page.
 EExxaammppllee:: llooccaall((88)) aalliiaasseess
@ -440,6 +445,8 @@ CCrreeddiittss
  * Gunnar Wrobel provided a first implementation of a feature to limit LDAP
    search results to leaf nodes only. Victor generalized this into the Postfix
    2.4 "leaf_result_attribute" feature.
  * Quanah Gibson-Mount contributed support for advanced LDAP SASL mechanisms,
    beyond the password-based LDAP "simple" bind.
 And of course Wietse.
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@ -39,7 +39,9 @@ The main challenge for postscreen(8) is to make an is-it-a-zombie decision
 based on a single measurement. This is necessary because many zombies avoid
 spamming the same site repeatedly, in an attempt to fly under the radar. Once
 postscreen(8) decides that a client is not-a-zombie, it whitelists the client
-temporarily to avoid further delays for legitimate mail.
+temporarily to avoid further delays for legitimate mail. Clients that pass
 postscreen(8) are still subject to the checks that are built into Postfix smtpd
 (8), Postfix built-in content filters, and external content filters.
 Zombies have challenges too: they have only a limited amount of time to deliver
 spam before their IP address becomes blacklisted. To speed up spam deliveries,
@ -50,23 +52,22 @@ continue sending mail even when the server tells them to go away.
 postscreen(8) uses a variety of measurements to recognize zombies. First,
 postscreen(8) determines if the remote SMTP client IP address is blacklisted.
 Second, postscreen(8) looks for protocol compromises that are made to speed up
-delivery. The results of such measurements don't change with each delivery
+delivery. These are good indicators for making is-it-a-zombie decisions based
-attempt, and are therefore good for making an is-it-a-zombie decision based on
+on single measurements.
 a single measurement.
-postscreen(8) does not inspect message content. Message content can vary widely
+postscreen(8) does not inspect message content. Message content can vary from
-with each delivery attempt, especially with clients that (also) send legitimate
+one delivery to the next, especially with clients that (also) send legitimate
-email. Content is therefore not good for making an is-it-a-zombie decision
+email. Content is not a good indicator for making is-it-a-zombie decisions
-based on a single measurement, and that is the problem that postscreen(8) is
+based on single measurements, and that is the problem that postscreen(8) is
 focused on.
 GGeenneerraall ooppeerraattiioonn
 The postscreen(8) triage process involves a number of tests, in the order as
 described below. Some tests introduce a delay of a few seconds. Once a client
-passes all tests, its IP address is temporarily excluded from any tests,
+passes a test, its IP address is whitelisted from 24 hours for simple tests, to
-typically 24 hours for simple tests or 1 week for complex tests. This minimizes
+1 week for complex tests. Whitelisting minimizes the impact of postscreen(8)'s
-the impact of the tests on legitimate mail clients.
+tests on legitimate mail clients.
 After logging its findings, postscreen(8) by default hands off all connections
 to a Postfix SMTP server process. This mode is useful for non-destructive
@ -252,11 +253,12 @@ discussed next.
  * postscreen(8)'s built-in SMTP engine does not implement the AUTH, STARTTLS,
    XCLIENT, and XFORWARD features. STARTTLS and AUTH support may be added in a
-    future version.
+    future version. In the mean time, if you need to make these services
    available on port 25, then do not enable the tests after the 220 server
    greeting.
-End-user clients should connect directly to the submission service. Other
+End-user clients should connect directly to the submission service, so that
-systems that require the above features should directly connect to a Postfix
+they never have to deal with postscreen(8)'s tests.
 SMTP server, or they should be placed on the postscreen(8) whitelist.
  * Command pipelining test
  * Non-SMTP command test
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -33,6 +33,14 @@ This is supported only when the default value is stress-dependent
 postscreen parameters always evaluate as if the stress value is 
 equal to the empty string.
 Incompatibility with snapshot 20101202
 ======================================
 Postfix now reports a temporary delivery error when the result of
 virtual alias expansion would exceed the virtual_alias_recursion_limit
 or virtual_alias_expansion_limit. Previously, Postfix would silently
 drop the excess recipients and deliver the message.
 Incompatibility with snapshot 20101130
 ======================================
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@ -6,9 +6,10 @@ Wish list:
 	smtpd xclient option for sasl_username.
-	Use different ipc_timeout settings for email message
+	Use different ipc time limits for email message transactions
-	transactions (smtpd, pickup)->cleanup and for quick query/reply
+	(smtpd, pickup)->cleanup and for quick query/reply transactions
-	transactions such as address rewriting/resolution.
+	such as address rewriting/resolution. Beware of large time
 	limits for local or virtual alias expansion.
 	permit_tempfail_action (default: defer_if_reject) to be
 	used as the default value for dnswl_tempfail_action and
@ -22,9 +23,11 @@ Wish list:
 	Replace sscanf() numerical conversions by strto[dl]()
 	for better error reporting.
-	Consistency: in postconf.proto make <dt>..</dt> tags bold.
+	As postscreen implements more ESMTP keywords, need to copy
 	inter-operability features from smtpd to filter keywords
 	and command syntax.
-	Milter addrcpt - use Sendmail-compatible default DSN settings.
+	Consistency: in postconf.proto make <dt>..</dt> tags bold.
 	postscreen(8): listen on multiple IP addresses and enforce
 	that the client contacts the primary MX address first (i.e.
--- a/postfix/html/LDAP_README.html
+++ b/postfix/html/LDAP_README.html
@ -128,6 +128,16 @@ change the AUXLIBS line to point to libldap10.so or libldapssl30.so
 or whatever you have, and you may need to use the appropriate linker
 option (e.g. '-R') so the executables can find it at runtime. </p>
 <p> If you are using OpenLDAP, and the libraries were built with SASL
 support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
 For example: </p>
 <blockquote>
 <pre>
     CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
 </pre>
 </blockquote>
 <h2><a name="config">Configuring LDAP lookups</a></h2>
 <p> In order to use LDAP lookups, define an LDAP source
@ -140,9 +150,9 @@ as a table lookup in <a href="postconf.5.html">main.cf</a>, for example: </p>
 </blockquote>
 <p> The file /etc/postfix/ldap-aliases.cf can specify a great number
-of parameters, including parameters that enable LDAP SSL and
+of parameters, including parameters that enable LDAP SSL or STARTTLS,
-STARTTLS. For a complete description, see the <a href="ldap_table.5.html">ldap_table(5)</a> manual
+and LDAP SASL. For a complete description, see the <a href="ldap_table.5.html">ldap_table(5)</a>
-page. </p>
+manual page. </p>
 <h2><a name="example_alias">Example: local(8) aliases</a></h2>
@ -591,6 +601,9 @@ expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
 limit LDAP search results to leaf nodes only. Victor generalized
 this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
 <li>Quanah Gibson-Mount contributed support for advanced LDAP SASL
 mechanisms, beyond the password-based LDAP "simple" bind. </li>
 </ul>
 And of course Wietse.
--- a/postfix/html/POSTSCREEN_README.html
+++ b/postfix/html/POSTSCREEN_README.html
@ -67,7 +67,10 @@ decision based on a single measurement. This is necessary because
 many zombies avoid spamming the same site repeatedly, in an attempt
 to fly under the radar.  Once <a href="postscreen.8.html">postscreen(8)</a> decides that a client
 is not-a-zombie, it whitelists the client temporarily to avoid
-further delays for legitimate mail.  </p>
+further delays for legitimate mail. Clients that pass <a href="postscreen.8.html">postscreen(8)</a>
 are still subject to the checks that are built into Postfix <a href="smtpd.8.html">smtpd(8)</a>,
 Postfix built-in content filters, and external content filters.
 </p>
 <p> Zombies have challenges too: they have only a limited amount
 of time to deliver spam before their IP address becomes blacklisted.
@ -79,25 +82,24 @@ mail even when the server tells them to go away. </p>
 <p> <a href="postscreen.8.html">postscreen(8)</a> uses a variety of measurements to recognize
 zombies.  First, <a href="postscreen.8.html">postscreen(8)</a> determines if the remote SMTP client
 IP address is blacklisted.  Second, <a href="postscreen.8.html">postscreen(8)</a> looks for protocol
-compromises that are made to speed up delivery.  The results of
+compromises that are made to speed up delivery.  These are good
-such measurements don't change with each delivery attempt, and are
+indicators for making is-it-a-zombie decisions based on single
-therefore good for making an is-it-a-zombie decision based on a
+measurements.  </p>
 single measurement.  </p>
 <p> <a href="postscreen.8.html">postscreen(8)</a> does not inspect message content. Message content
-can vary widely with each delivery attempt, especially with clients
+can vary from one delivery to the next, especially with clients
-that (also) send legitimate email. Content is therefore not good
+that (also) send legitimate email.  Content is not a good indicator
-for making an is-it-a-zombie decision based on a single measurement,
+for making is-it-a-zombie decisions based on single measurements,
 and that is the problem that <a href="postscreen.8.html">postscreen(8)</a> is focused on.  </p>
 <h2> <a name="general"> General operation </a> </h2>
 <p> The <a href="postscreen.8.html">postscreen(8)</a> triage process involves a number of tests,
 in the order as described below.  Some tests introduce a delay of
-a few seconds.  Once a client passes all tests, its IP address is
+a few seconds.  Once a client passes a test, its IP address is
-temporarily excluded from any tests, typically 24 hours for simple
+whitelisted from 24 hours for simple tests, to 1 week for complex
-tests or 1 week for complex tests.  This minimizes the impact of
+tests.  Whitelisting minimizes the impact of <a href="postscreen.8.html">postscreen(8)</a>'s tests
-the tests on legitimate mail clients. </p>
+on legitimate mail clients. </p>
 <p> After logging its findings, <a href="postscreen.8.html">postscreen(8)</a> by default hands off
 all connections to a Postfix SMTP server process. This mode is
@ -340,14 +342,15 @@ a relatively long expiration time. </p>
 <li> <p> <a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP engine does not implement
 the AUTH, STARTTLS, XCLIENT, and XFORWARD features.  STARTTLS and
-AUTH support may be added in a future version. </p>
+AUTH support may be added in a future version. In the mean time,
 if you need to make these services available on port 25, then do
 not enable the tests after the 220 server greeting. </p>
 </ul>
 <p> End-user clients should connect directly to the submission
-service. Other systems that require the above features
+service, so that they never have to deal with <a href="postscreen.8.html">postscreen(8)</a>'s tests.
-should directly connect to a Postfix SMTP server, or they
+</p>
 should be placed on the <a href="postscreen.8.html">postscreen(8)</a> whitelist. </p>
 <ul>
--- a/postfix/html/ldap_table.5.html
+++ b/postfix/html/ldap_table.5.html
@ -451,11 +451,26 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              and LDAP_SCOPE_ONELEVEL.
       <b>bind (default: yes)</b>
-              Whether or not to bind to the  LDAP  server.  Newer
+              Whether or how to bind to the  LDAP  server.  Newer
              LDAP implementations don't require clients to bind,
              which saves time. Example:
                  # Don't bind
                  bind = no
                  # Use SIMPLE bind
                  bind = yes
                  # Use SASL bind
                  bind = sasl
              Postfix versions prior to 2.8 only support "bind  =
              no"  which means don't bind, and "bind = yes" which
              means do a SIMPLE bind.  Postfix 2.8 and later also
              supports "bind = SASL" when compiled with LDAP SASL
              support as described in <a href="LDAP_README.html">LDAP_README</a>, it  also  adds
              the  synonyms "bind = none" and "bind = simple" for
              "bind = no" and "bind = yes" respectively. See  the
              SASL section below for additional parameters avail-
              able with "bind = sasl".
              If you do need to bind, you might consider  config-
              uring  Postfix to connect to the local machine on a
@ -470,6 +485,9 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              guished name. Example:
                  bind_dn = uid=postfix, dc=your, dc=com
              With "bind =  sasl"  (see  above)  the  DN  may  be
              optional  for some SASL mechanisms, don't specify a
              DN if not needed.
       <b>bind_pw (default: empty)</b>
              The password for the distinguished name  above.  If
@ -483,6 +501,9 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              mand. Example:
                  bind_pw = postfixpw
              With "bind = sasl" (see above) the password may  be
              optional  for some SASL mechanisms, don't specify a
              password if not needed.
       <b>cache (IGNORED with a warning)</b>
@ -553,12 +574,63 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              What  level  to  set  for debugging in the OpenLDAP
              libraries.
 <b>LDAP SASL PARAMETERS</b>
       If you're using the OpenLDAP libraries compiled with  SASL
       support,  Postfix  2.8 and later built with LDAP SASL sup-
       port as described in <a href="LDAP_README.html">LDAP_README</a> can authenticate to  LDAP
       servers via SASL.
       This  enables authentication to the LDAP server via mecha-
       nisms other than a simple password. The added  flexibility
       has  a  cost: it is no longer practical to set an explicit
       timeout on the duration of an LDAP bind  operation.  Under
       adverse  conditions,  whether a SASL bind times out, or if
       it does, the duration of the timeout is determined by  the
       LDAP and SASL libraries.
       It  is  best  to  use tables that use SASL binds via <a href="proxymap.8.html">prox-</a>
       <a href="proxymap.8.html">ymap(8)</a>, this way the requesting process can time-out  the
       proxymap  request.  This  also lets you tailer the process
       environment by overriding the <a href="proxymap.8.html">proxymap(8)</a>  import_environ-
       ment setting in <a href="master.5.html">master.cf</a>(5). Special environment settings
       may be needed to configure  GSSAPI  credential  caches  or
       other  SASL mechanism specific options. The GSSAPI creden-
       tials used for LDAP lookups may need to be different  than
       say those used for the Postfix SMTP client to authenticate
       to remote servers.
       Using SASL mechanisms requires LDAP  protocol  version  3,
       the  default  protocol version is 2 for backwards compati-
       bility. You must set "version = 3" in addition to "bind  =
       sasl".
       The  following  parameters are relevant to using LDAP with
       SASL
       <b>sasl (default: no)</b>
              Whether or not to use SASL  binds  to  the  server.
              Can be yes or no.
       <b>sasl_mechs (default: empty)</b>
              Space separated list of SASL mechanism(s) to try.
       <b>sasl_realm (default: empty)</b>
              SASL Realm to use, if applicable.
       <b>sasl_authz_id (default: empty)</b>
              The  SASL  authorization  identity  to  assert,  if
              applicable.
       <b>sasl_minssf (default: 0)</b>
              The minimum required sasl security factor  required
              to establish a connection.
 <b>LDAP SSL AND STARTTLS PARAMETERS</b>
-       If you're using the OpenLDAP libraries compiled  with  SSL
+       If  you're  using the OpenLDAP libraries compiled with SSL
-       support,  Postfix  can connect to LDAP SSL servers and can
+       support, Postfix can connect to LDAP SSL servers  and  can
       issue the STARTTLS command.
-       LDAP SSL service can be requested by using a LDAP SSL  URL
+       LDAP  SSL service can be requested by using a LDAP SSL URL
       in the server_host parameter:
           server_host = ldaps://ldap.example.com:636
@ -567,82 +639,82 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
           start_tls = yes
-       Both  forms  require LDAP protocol version 3, which has to
+       Both forms require LDAP protocol version 3, which  has  to
       be set explicitly with:
           version = 3
       If any of the Postfix programs querying the map is config-
-       ured  in  <a href="master.5.html">master.cf</a>  to run chrooted, all the certificates
+       ured in <a href="master.5.html">master.cf</a> to run chrooted,  all  the  certificates
       and keys involved have to be copied to the chroot jail. Of
-       course,  the  private  keys should only be readable by the
+       course, the private keys should only be  readable  by  the
       user "postfix".
-       The following parameters are  relevant  to  LDAP  SSL  and
+       The  following  parameters  are  relevant  to LDAP SSL and
       STARTTLS:
       <b>start_tls (default: no)</b>
              Whether or not to issue STARTTLS upon connection to
-              the server.  Don't set this with LDAP SSL (the  SSL
+              the  server.  Don't set this with LDAP SSL (the SSL
              session is setup automatically when the TCP connec-
              tion is opened).
-       <b>tls_ca_cert_dir  (No   default;   set   either   this   or</b>
+       <b>tls_ca_cert_dir   (No   default;   set   either   this  or</b>
       <b>tls_ca_cert_file)</b>
              Directory  containing  X509  Certificate  Authority
-              certificates  in  PEM format which are to be recog-
+              certificates in PEM format which are to  be  recog-
-              nized by the client  in  SSL/TLS  connections.  The
+              nized  by  the  client  in SSL/TLS connections. The
-              files  each  contain one CA certificate.  The files
+              files each contain one CA certificate.   The  files
-              are looked up by the CA subject  name  hash  value,
+              are  looked  up  by the CA subject name hash value,
-              which  must hence be available. If more than one CA
+              which must hence be available. If more than one  CA
-              certificate with the same name  hash  value  exist,
+              certificate  with  the  same name hash value exist,
-              the  extension  must be different (e.g. 9d66eef0.0,
+              the extension must be different  (e.g.  9d66eef0.0,
-              9d66eef0.1 etc). The search  is  performed  in  the
+              9d66eef0.1  etc).  The  search  is performed in the
-              ordering  of  the  extension  number, regardless of
+              ordering of the  extension  number,  regardless  of
              other  properties  of  the  certificates.  Use  the
              c_rehash utility (from the OpenSSL distribution) to
              create the necessary links.
-       <b>tls_ca_cert_file  (No  default;   set   either   this   or</b>
+       <b>tls_ca_cert_file   (No   default;   set   either  this  or</b>
       <b>tls_ca_cert_dir)</b>
              File containing the X509 Certificate Authority cer-
-              tificates  in PEM format which are to be recognized
+              tificates in PEM format which are to be  recognized
-              by the client in SSL/TLS connections. This  setting
+              by  the client in SSL/TLS connections. This setting
              takes precedence over tls_ca_cert_dir.
       <b>tls_cert (No default; you must set this)</b>
-              File  containing  client's  X509  certificate to be
+              File containing client's  X509  certificate  to  be
              used by the client in SSL/ TLS connections.
       <b>tls_key (No default; you must set this)</b>
-              File containing the private  key  corresponding  to
+              File  containing  the  private key corresponding to
              the above tls_cert.
       <b>tls_require_cert (default: no)</b>
              Whether or not to request server's X509 certificate
-              and check its validity  when  establishing  SSL/TLS
+              and  check  its  validity when establishing SSL/TLS
-              connections.   The supported values are <b>no</b> and <b>yes</b>.
+              connections.  The supported values are <b>no</b> and  <b>yes</b>.
-              With <b>no</b>, the server certificate trust chain is  not
+              With  <b>no</b>, the server certificate trust chain is not
-              checked,  but  with  OpenLDAP  prior to 2.1.13, the
+              checked, but with OpenLDAP  prior  to  2.1.13,  the
              name in the server certificate must still match the
              LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
-              server name is not necessarily what you  specified,
+              server  name is not necessarily what you specified,
-              rather  it  is  determined (by reverse lookup) from
+              rather it is determined (by  reverse  lookup)  from
-              the IP address of the LDAP server connection.  With
+              the  IP address of the LDAP server connection. With
-              OpenLDAP  prior  to  2.0.13, subjectAlternativeName
+              OpenLDAP prior  to  2.0.13,  subjectAlternativeName
              extensions  in  the  LDAP  server  certificate  are
-              ignored:  the  server  name  must match the subject
+              ignored: the server name  must  match  the  subject
              CommonName. The <b>no</b> setting corresponds to the <b>never</b>
-              value  of  <b>TLS_REQCERT</b> in LDAP client configuration
+              value of <b>TLS_REQCERT</b> in LDAP  client  configuration
              files.
-              Don't use TLS with OpenLDAP 2.0.x  (and  especially
+              Don't  use  TLS with OpenLDAP 2.0.x (and especially
              with x &lt;= 11) if you can avoid it.
-              With  <b>yes</b>, the server certificate must be issued by
+              With <b>yes</b>, the server certificate must be issued  by
-              a trusted CA, and not be expired. The  LDAP  server
+              a  trusted  CA, and not be expired. The LDAP server
-              name  must  match  one  of the name(s) found in the
+              name must match one of the  name(s)  found  in  the
              certificate (see above for OpenLDAP library version
              dependent behavior). The <b>yes</b> setting corresponds to
              the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client con-
@ -650,27 +722,27 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
              The "try" and "never" values of <b>TLS_REQCERT</b> have no
              equivalents  here.  They  are  not  available  with
-              OpenLDAP  2.0,  and  in  any case have questionable
+              OpenLDAP 2.0, and in  any  case  have  questionable
-              security properties. Either you want  TLS  verified
+              security  properties.  Either you want TLS verified
              LDAP connections, or you don't.
              The <b>yes</b> value only works correctly with Postfix 2.5
-              and later, or with OpenLDAP  2.0.  Earlier  Postfix
+              and  later,  or  with OpenLDAP 2.0. Earlier Postfix
-              releases  or  later  OpenLDAP  releases  don't work
+              releases or  later  OpenLDAP  releases  don't  work
-              together with this setting. Support for  LDAP  over
+              together  with  this setting. Support for LDAP over
-              TLS  was added to Postfix based on the OpenLDAP 2.0
+              TLS was added to Postfix based on the OpenLDAP  2.0
              API.
       <b>tls_random_file (No default)</b>
-              Path of a file to  obtain  random  bits  from  when
+              Path  of  a  file  to  obtain random bits from when
-              /dev/[u]random  is not available, to be used by the
+              /dev/[u]random is not available, to be used by  the
              client in SSL/TLS connections.
       <b>tls_cipher_suite (No default)</b>
              Cipher suite to use in SSL/TLS negotiations.
 <b>EXAMPLE</b>
-       Here's a basic example for using LDAP to look up  <a href="local.8.html">local(8)</a>
+       Here's  a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
       aliases.  Assume that in <a href="postconf.5.html">main.cf</a>, you have:
           <a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
@ -681,14 +753,14 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
           server_host = ldap.example.com
           search_base = dc=example, dc=com
-       Upon  receiving  mail  for a local address "ldapuser" that
+       Upon receiving mail for a local  address  "ldapuser"  that
-       isn't found in the  /etc/aliases  database,  Postfix  will
+       isn't  found  in  the  /etc/aliases database, Postfix will
       search the LDAP server listening at port 389 on ldap.exam-
-       ple.com.  It will bind anonymously, search for any  direc-
+       ple.com.   It will bind anonymously, search for any direc-
-       tory  entries  whose  mailacceptinggeneralid  attribute is
+       tory entries  whose  mailacceptinggeneralid  attribute  is
       "ldapuser", read the "maildrop" attributes of those found,
       and build a list of their maildrops, which will be treated
-       as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message  will  be  deliv-
+       as  <a href="http://tools.ietf.org/html/rfc822">RFC822</a>  addresses  to which the message will be deliv-
       ered.
 <b>SEE ALSO</b>
@ -702,13 +774,13 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
       <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
       software.
 <b>AUTHOR(S)</b>
-       Carsten  Hoeger,  Hery  Rakotoarisoa,  John Hensley, Keith
+       Carsten Hoeger, Hery  Rakotoarisoa,  John  Hensley,  Keith
-       Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon,  Mike
+       Stevenson,  LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
-       Mattice,  Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
+       Mattice, Prabhat K Singh, Sami Haahtinen, Samuel  Tardieu,
       Victor Duchovni, and many others.
                                                                 LDAP_TABLE(5)
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@ -55,75 +55,74 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
       Problems and transactions are logged to <b>syslogd</b>(8).
 <b>BUGS</b>
-       Some   of   the   non-default   protocol   tests   involve
+       The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine  does  not
-       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s  built-in SMTP protocol engine. When these
+       announce  support for STARTTLS, AUTH, XCLIENT or XFORWARD.
       Support for STARTTLS and AUTH may be added in the  future.
       In  the  mean  time,  if  you  need to make these services
       available on port 25, then  do  not  enable  the  optional
       "after 220 server greeting" tests.
       The  optional  "after  220  server greeting" tests involve
       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When  these
       tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo-
-       rary  whitelist but it cannot not hand off the "live" con-
+       rary whitelist but it cannot not hand off the "live"  con-
-       nection to a Postfix SMTP server process in the middle  of
+       nection  to a Postfix SMTP server process in the middle of
-       a  session.   Instead,  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  defers  attempts to
+       a session.   Instead,  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  defers  attempts  to
-       deliver mail with a 4XX status, and waits for  the  client
+       deliver  mail  with a 4XX status, and waits for the client
-       to  disconnect.   The next time a good client connects, it
+       to disconnect.  The next time a good client  connects,  it
-       will be allowed to talk to a Postfix SMTP  server  process
+       will  be  allowed to talk to a Postfix SMTP server process
-       to  deliver  mail.  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  mitigates the impact of
+       to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  mitigates  the  impact  of
-       this limitation by giving such  tests  a  long  expiration
+       this  limitation  by  giving  such tests a long expiration
       time.
       The  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  built-in SMTP protocol engine does not
       announce support for STARTTLS, AUTH, XCLIENT  or  XFORWARD
       (support  for  STARTTLS  and  AUTH  may  be  added  in the
       future).  End-user clients should connect directly to  the
       submission  service;  other systems that require the above
       features should directly connect to a Postfix SMTP server,
       or they should be placed on the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> whitelist.
 <b>CONFIGURATION PARAMETERS</b>
-       Changes  to  <a href="postconf.5.html">main.cf</a>  are  not picked up automatically, as
+       Changes to <a href="postconf.5.html">main.cf</a> are not  picked  up  automatically,  as
-       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for  several  hours.   Use
+       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  processes  may  run for several hours.  Use
       the command "postfix reload" after a configuration change.
-       The text below provides  only  a  parameter  summary.  See
+       The  text  below  provides  only  a parameter summary. See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
-       NOTE:  Some  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>   parameters  implement stress-
+       NOTE: Some  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>   parameters  implement  stress-
-       dependent behavior.   This  is  supported  only  when  the
+       dependent  behavior.   This  is  supported  only  when the
-       default  value is stress-dependent (that is, it looks like
+       default value is stress-dependent (that is, it looks  like
       ${stress?X}${stress:Y}).  Other parameters always evaluate
       as if the stress value is the empty string.
 <b>TRIAGE PARAMETERS</b>
       <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
-              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes  when  an  SMTP
-              client sends a bare newline character, that  is,  a
+              client  sends  a bare newline character, that is, a
              newline not preceded by carriage return.
       <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
-              Enable  "bare  newline"  SMTP protocol tests in the
+              Enable "bare newline" SMTP protocol  tests  in  the
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
       <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
-              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes  when  an  SMTP
+              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
-              client   is   permanently   blacklisted   with  the
+              client  is   permanently   blacklisted   with   the
              <a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a> parameter.
       <b><a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a> (empty)</b>
              Network addresses that are permanently blacklisted;
-              see  the  <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> parameter for
+              see the <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a>  parameter  for
              possible actions.
       <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
-              Disable the SMTP VRFY command in the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+              Disable  the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
              daemon.
       <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
-              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes  when  an  SMTP
              client's  combined  DNSBL  score  is  equal  to  or
-              greater  than  a  threshold  (as  defined  with the
+              greater than  a  threshold  (as  defined  with  the
              <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_thresh</a>-
              <a href="postconf.5.html#postscreen_dnsbl_threshold">old</a> parameters).
       <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
-              A  mapping  from  actual  DNSBL  domain  name which
+              A mapping  from  actual  DNSBL  domain  name  which
-              includes a secret password,  to  the  DNSBL  domain
+              includes  a  secret  password,  to the DNSBL domain
              name  that  postscreen  will  reply  with  when  it
              rejects mail.
@ -132,16 +131,16 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
              weight factors.
       <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
-              The  inclusive  lower  bound  for  blocking an SMTP
+              The inclusive lower  bound  for  blocking  an  SMTP
              client,  based  on  its  combined  DNSBL  score  as
-              defined  with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
+              defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>  parameter.
       <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
              List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server con-
              siders in violation of the SMTP protocol.
       <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
-              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes  when  an  SMTP
              client speaks before its turn within the time spec-
              ified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.
@ -149,130 +148,130 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
              The  <i>text</i>  in  the  optional  "220-<i>text</i>..."  server
              response that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real
              Postfix SMTP server's "220 text..." response, in an
-              attempt to confuse bad SMTP clients  so  that  they
+              attempt  to  confuse  bad SMTP clients so that they
              speak before their turn (pre-greet).
       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (${stress?2}${stress:6}s)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for
-              an SMTP client to send a command before  its  turn,
+              an  SMTP  client to send a command before its turn,
-              and  for  DNS  blocklist  lookup  results to arrive
+              and for DNS  blocklist  lookup  results  to  arrive
-              (default: up to 2 seconds under  stress,  up  to  6
+              (default:  up  to  2  seconds under stress, up to 6
              seconds otherwise).
       <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
-              Require  that  a  remote  SMTP client sends HELO or
+              Require that a remote SMTP  client  sends  HELO  or
              EHLO before commencing a MAIL transaction.
       <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
-              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes  when  an  SMTP
+              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
-              client  sends  non-SMTP  commands as specified with
+              client sends non-SMTP commands  as  specified  with
              the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter.
       <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
-              Enable   "non-SMTP   command"    tests    in    the
+              Enable    "non-SMTP    command"    tests   in   the
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
       <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
-              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes  when  an  SMTP
-              client sends multiple commands instead  of  sending
+              client  sends  multiple commands instead of sending
-              one  command and waiting for the server to respond.
+              one command and waiting for the server to  respond.
       <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
-              Enable "pipelining"  SMTP  protocol  tests  in  the
+              Enable  "pipelining"  SMTP  protocol  tests  in the
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
       <b><a href="postconf.5.html#postscreen_whitelist_networks">postscreen_whitelist_networks</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
              Network addresses that are permanently whitelisted,
-              and that will not  be  subjected  to  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+              and  that  will  not  be subjected to <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
              checks.
       <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
-              The  internal  service  that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards
+              The internal service  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  forwards
              allowed connections to.
 <b>CACHE CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
-              The amount  of  time  between  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  cache
+              The  amount  of  time  between  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache
              cleanup runs.
       <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (btree:$<a href="postconf.5.html#data_directory">data_directory</a>/ps_cache)</b>
-              Persistent  storage  for  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server
+              Persistent storage  for  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  server
              decisions.
       <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an
-              expired  temporary  whitelist  entry  before  it is
+              expired temporary  whitelist  entry  before  it  is
              removed.
       <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
-              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
+              The  amount  of  time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
-              results  from a successful "bare newline" SMTP pro-
+              results from a successful "bare newline" SMTP  pro-
              tocol test.
       <b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
-              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
+              The  amount  of  time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
              results from a successful DNS blocklist test.
       <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
-              The  amount  of  time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
+              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
              results from a successful PREGREET test.
       <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
-              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
+              The  amount  of  time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
-              results  from  a successful "non_smtp_command" SMTP
+              results from a successful  "non_smtp_command"  SMTP
              protocol test.
       <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
-              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
+              The  amount  of  time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
-              results  from a successful "pipelining" SMTP proto-
+              results from a successful "pipelining" SMTP  proto-
              col test.
 <b>RESOURCE CONTROLS</b>
       <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
-              Upon input, long lines are chopped up  into  pieces
+              Upon  input,  long lines are chopped up into pieces
-              of  at  most this length; upon delivery, long lines
+              of at most this length; upon delivery,  long  lines
              are reconstructed.
       <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a></b>
       <b>($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b>
-              How many simultaneous  connections  any  client  is
+              How  many  simultaneous  connections  any client is
              allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
       <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
-              The  limit on the total number of commands per SMTP
+              The limit on the total number of commands per  SMTP
-              session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP  protocol
+              session  for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol
              engine.
       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b>
-              The  command  "read" time limit for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
+              The command "read" time limit  for  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
              built-in SMTP protocol engine.
       <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
-              The number of clients that can be waiting for  ser-
+              The  number of clients that can be waiting for ser-
              vice from a real SMTP server process.
       <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
-              The  number  of non-whitelisted clients that can be
+              The number of non-whitelisted clients that  can  be
-              waiting for a decision whether  they  will  receive
+              waiting  for  a  decision whether they will receive
              service from a real SMTP server process.
       <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
-              How  much  time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to
+              How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may  take  to
-              respond to an SMTP client command or to  perform  a
+              respond  to  an SMTP client command or to perform a
              cache operation before it is terminated by a built-
              in watchdog timer.
 <b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
              <a href="master.5.html">master.cf</a> configuration files.
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number  of  digits  after the decimal
+              The maximal number  of  digits  after  the  decimal
              point when logging sub-second delay values.
       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
-              The location of  all  postfix  administrative  com-
+              The  location  of  all  postfix administrative com-
              mands.
       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@ -280,24 +279,24 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
              over an internal communication channel.
       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The maximum amount of time  that  an  idle  Postfix
+              The  maximum  amount  of  time that an idle Postfix
-              daemon  process  waits  for  an incoming connection
+              daemon process waits  for  an  incoming  connection
              before terminating voluntarily.
       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
              process.
       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
              process.
       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.
       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              The mail system  name  that  is  prepended  to  the
+              The  mail  system  name  that  is  prepended to the
-              process  name  in  syslog  records, so that "smtpd"
+              process name in syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".
 <b>SEE ALSO</b>
@ -309,12 +308,12 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
       <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
       software.
 <b>HISTORY</b>
-       Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier  work
+       Many  ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work
-       by  Michael Tokarev, in OpenBSD spamd, and in MailChannels
+       by Michael Tokarev, in OpenBSD spamd, and in  MailChannels
       Traffic Control.
 <b>AUTHOR(S)</b>
--- a/postfix/man/man5/ldap_table.5
+++ b/postfix/man/man5/ldap_table.5
@ -422,14 +422,27 @@ The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
 These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
 and LDAP_SCOPE_ONELEVEL.
 .IP "\fBbind (default: yes)\fR"
-Whether or not to bind to the LDAP server. Newer LDAP
+Whether or how to bind to the LDAP server. Newer LDAP
 implementations don't require clients to bind, which saves
 time. Example:
 .nf
    # Don't bind
    bind = no
    # Use SIMPLE bind
    bind = yes
    # Use SASL bind
    bind = sasl
 .fi
 Postfix versions prior to 2.8 only support "bind = no" which
 means don't bind, and "bind = yes" which means do a SIMPLE bind.
 Postfix 2.8 and later also supports "bind = SASL" when compiled
 with LDAP SASL support as described in LDAP_README, it also adds
 the synonyms "bind = none" and "bind = simple" for "bind = no"
 and "bind = yes" respectively. See the SASL section below for
 additional parameters available with "bind = sasl".
 If you do need to bind, you might consider configuring
 Postfix to connect to the local machine on a port that's
 an SSL tunnel to your LDAP server. If your LDAP server
@ -443,6 +456,8 @@ If you do have to bind, do it with this distinguished name. Example:
 .nf
    bind_dn = uid=postfix, dc=your, dc=com
 .fi
 With "bind = sasl" (see above) the DN may be optional for some SASL
 mechanisms, don't specify a DN if not needed.
 .IP "\fBbind_pw (default: empty)\fR"
 The password for the distinguished name above. If you have
 to use this, you probably want to make the map configuration
@ -456,6 +471,8 @@ command. Example:
 .nf
    bind_pw = postfixpw
 .fi
 With "bind = sasl" (see above) the password may be optional
 for some SASL mechanisms, don't specify a password if not needed.
 .IP "\fBcache (IGNORED with a warning)\fR"
 .IP "\fBcache_expiry (IGNORED with a warning)\fR"
 .IP "\fBcache_size (IGNORED with a warning)\fR"
@ -512,6 +529,49 @@ Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
 Specifies the LDAP protocol version to use.
 .IP "\fBdebuglevel (default: 0)\fR"
 What level to set for debugging in the OpenLDAP libraries.
 .SH "LDAP SASL PARAMETERS"
 .na
 .nf
 .ad
 .fi
 If you're using the OpenLDAP libraries compiled with SASL
 support, Postfix 2.8 and later built with LDAP SASL support
 as described in LDAP_README can authenticate to LDAP servers
 via SASL.
 This enables authentication to the LDAP server via mechanisms
 other than a simple password. The added flexibility has a cost:
 it is no longer practical to set an explicit timeout on the duration
 of an LDAP bind operation. Under adverse conditions, whether a SASL
 bind times out, or if it does, the duration of the timeout is
 determined by the LDAP and SASL libraries.
 It is best to use tables that use SASL binds via proxymap(8), this
 way the requesting process can time-out the proxymap request. This
 also lets you tailer the process environment by overriding the
 proxymap(8) import_environment setting in master.cf(5). Special
 environment settings may be needed to configure GSSAPI credential
 caches or other SASL mechanism specific options. The GSSAPI
 credentials used for LDAP lookups may need to be different than
 say those used for the Postfix SMTP client to authenticate to remote
 servers.
 Using SASL mechanisms requires LDAP protocol version 3, the default
 protocol version is 2 for backwards compatibility. You must set
 "version = 3" in addition to "bind = sasl".
 The following parameters are relevant to using LDAP with SASL
 .IP "\fBsasl (default: no)\fR"
 Whether or not to use SASL binds to the server.  Can be yes or no.
 .IP "\fBsasl_mechs (default: empty)\fR"
 Space separated list of SASL mechanism(s) to try.
 .IP "\fBsasl_realm (default: empty)\fR"
 SASL Realm to use, if applicable.
 .IP "\fBsasl_authz_id (default: empty)\fR"
 The SASL authorization identity to assert, if applicable.
 .IP "\fBsasl_minssf (default: 0)\fR"
 The minimum required sasl security factor required to establish a
 connection.
 .SH "LDAP SSL AND STARTTLS PARAMETERS"
 .na
 .nf
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@ -60,7 +60,14 @@ Problems and transactions are logged to \fBsyslogd\fR(8).
 .SH BUGS
 .ad
 .fi
-Some of the non-default protocol tests involve
+The \fBpostscreen\fR(8) built-in SMTP protocol engine does
 not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
 Support for STARTTLS and AUTH may be added in the future.
 In the mean time, if you need to make these services available
 on port 25, then do not enable the optional "after 220
 server greeting" tests.
 The optional "after 220 server greeting" tests involve
 \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
 these tests succeed, \fBpostscreen\fR(8) adds the client
 to the temporary whitelist but it cannot not hand off the
@ -72,14 +79,6 @@ connects, it will be allowed to talk to a Postfix SMTP
 server process to deliver mail. \fBpostscreen\fR(8) mitigates
 the impact of this limitation by giving such tests a long
 expiration time.
 The \fBpostscreen\fR(8) built-in SMTP protocol engine does
 not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
 (support for STARTTLS and AUTH may be added in the future).
 End-user clients should connect directly to the submission
 service; other systems that require the above features
 should directly connect to a Postfix SMTP server, or they
 should be placed on the \fBpostscreen\fR(8) whitelist.
 .SH "CONFIGURATION PARAMETERS"
 .na
 .nf
--- a/postfix/proto/LDAP_README.html
+++ b/postfix/proto/LDAP_README.html
@ -128,6 +128,16 @@ change the AUXLIBS line to point to libldap10.so or libldapssl30.so
 or whatever you have, and you may need to use the appropriate linker
 option (e.g. '-R') so the executables can find it at runtime. </p>
 <p> If you are using OpenLDAP, and the libraries were built with SASL
 support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
 For example: </p>
 <blockquote>
 <pre>
     CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
 </pre>
 </blockquote>
 <h2><a name="config">Configuring LDAP lookups</a></h2>
 <p> In order to use LDAP lookups, define an LDAP source
@ -140,9 +150,9 @@ alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
 </blockquote>
 <p> The file /etc/postfix/ldap-aliases.cf can specify a great number
-of parameters, including parameters that enable LDAP SSL and
+of parameters, including parameters that enable LDAP SSL or STARTTLS,
-STARTTLS. For a complete description, see the ldap_table(5) manual
+and LDAP SASL. For a complete description, see the ldap_table(5)
-page. </p>
+manual page. </p>
 <h2><a name="example_alias">Example: local(8) aliases</a></h2>
@ -591,6 +601,9 @@ expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
 limit LDAP search results to leaf nodes only. Victor generalized
 this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
 <li>Quanah Gibson-Mount contributed support for advanced LDAP SASL
 mechanisms, beyond the password-based LDAP "simple" bind. </li>
 </ul>
 And of course Wietse.
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@ -67,7 +67,10 @@ decision based on a single measurement. This is necessary because
 many zombies avoid spamming the same site repeatedly, in an attempt
 to fly under the radar.  Once postscreen(8) decides that a client
 is not-a-zombie, it whitelists the client temporarily to avoid
-further delays for legitimate mail.  </p>
+further delays for legitimate mail. Clients that pass postscreen(8)
 are still subject to the checks that are built into Postfix smtpd(8),
 Postfix built-in content filters, and external content filters.
 </p>
 <p> Zombies have challenges too: they have only a limited amount
 of time to deliver spam before their IP address becomes blacklisted.
@ -79,25 +82,24 @@ mail even when the server tells them to go away. </p>
 <p> postscreen(8) uses a variety of measurements to recognize
 zombies.  First, postscreen(8) determines if the remote SMTP client
 IP address is blacklisted.  Second, postscreen(8) looks for protocol
-compromises that are made to speed up delivery.  The results of
+compromises that are made to speed up delivery.  These are good
-such measurements don't change with each delivery attempt, and are
+indicators for making is-it-a-zombie decisions based on single
-therefore good for making an is-it-a-zombie decision based on a
+measurements.  </p>
 single measurement.  </p>
 <p> postscreen(8) does not inspect message content. Message content
-can vary widely with each delivery attempt, especially with clients
+can vary from one delivery to the next, especially with clients
-that (also) send legitimate email. Content is therefore not good
+that (also) send legitimate email.  Content is not a good indicator
-for making an is-it-a-zombie decision based on a single measurement,
+for making is-it-a-zombie decisions based on single measurements,
 and that is the problem that postscreen(8) is focused on.  </p>
 <h2> <a name="general"> General operation </a> </h2>
 <p> The postscreen(8) triage process involves a number of tests,
 in the order as described below.  Some tests introduce a delay of
-a few seconds.  Once a client passes all tests, its IP address is
+a few seconds.  Once a client passes a test, its IP address is
-temporarily excluded from any tests, typically 24 hours for simple
+whitelisted from 24 hours for simple tests, to 1 week for complex
-tests or 1 week for complex tests.  This minimizes the impact of
+tests.  Whitelisting minimizes the impact of postscreen(8)'s tests
-the tests on legitimate mail clients. </p>
+on legitimate mail clients. </p>
 <p> After logging its findings, postscreen(8) by default hands off
 all connections to a Postfix SMTP server process. This mode is
@ -340,14 +342,15 @@ a relatively long expiration time. </p>
 <li> <p> postscreen(8)'s built-in SMTP engine does not implement
 the AUTH, STARTTLS, XCLIENT, and XFORWARD features.  STARTTLS and
-AUTH support may be added in a future version. </p>
+AUTH support may be added in a future version. In the mean time,
 if you need to make these services available on port 25, then do
 not enable the tests after the 220 server greeting. </p>
 </ul>
 <p> End-user clients should connect directly to the submission
-service. Other systems that require the above features
+service, so that they never have to deal with postscreen(8)'s tests.
-should directly connect to a Postfix SMTP server, or they
+</p>
 should be placed on the postscreen(8) whitelist. </p>
 <ul>
--- a/postfix/proto/ldap_table
+++ b/postfix/proto/ldap_table
@ -410,14 +410,27 @@
 #	These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
 #	and LDAP_SCOPE_ONELEVEL.
 # .IP "\fBbind (default: yes)\fR"
-#	Whether or not to bind to the LDAP server. Newer LDAP
+#	Whether or how to bind to the LDAP server. Newer LDAP
 #	implementations don't require clients to bind, which saves
 #	time. Example:
 #
 # .nf
 #	    # Don't bind
 #	    bind = no
 #	    # Use SIMPLE bind
 #	    bind = yes
 #	    # Use SASL bind
 #	    bind = sasl
 # .fi
 #
 #	Postfix versions prior to 2.8 only support "bind = no" which
 #	means don't bind, and "bind = yes" which means do a SIMPLE bind.
 #	Postfix 2.8 and later also supports "bind = SASL" when compiled
 #	with LDAP SASL support as described in LDAP_README, it also adds
 #	the synonyms "bind = none" and "bind = simple" for "bind = no"
 #	and "bind = yes" respectively. See the SASL section below for
 #	additional parameters available with "bind = sasl".
 #
 #	If you do need to bind, you might consider configuring
 #	Postfix to connect to the local machine on a port that's
 #	an SSL tunnel to your LDAP server. If your LDAP server
@ -431,6 +444,8 @@
 # .nf
 #	    bind_dn = uid=postfix, dc=your, dc=com
 # .fi
 #	With "bind = sasl" (see above) the DN may be optional for some SASL
 #	mechanisms, don't specify a DN if not needed.
 # .IP "\fBbind_pw (default: empty)\fR"
 #	The password for the distinguished name above. If you have
 #	to use this, you probably want to make the map configuration
@ -444,6 +459,8 @@
 # .nf
 #	    bind_pw = postfixpw
 # .fi
 #	With "bind = sasl" (see above) the password may be optional
 #	for some SASL mechanisms, don't specify a password if not needed.
 # .IP "\fBcache (IGNORED with a warning)\fR"
 # .IP "\fBcache_expiry (IGNORED with a warning)\fR"
 # .IP "\fBcache_size (IGNORED with a warning)\fR"
@ -500,6 +517,47 @@
 #	Specifies the LDAP protocol version to use.
 # .IP "\fBdebuglevel (default: 0)\fR"
 #	What level to set for debugging in the OpenLDAP libraries.
 # LDAP SASL PARAMETERS
 # .ad
 # .fi
 #	If you're using the OpenLDAP libraries compiled with SASL
 #	support, Postfix 2.8 and later built with LDAP SASL support
 #	as described in LDAP_README can authenticate to LDAP servers
 #	via SASL.
 #
 #	This enables authentication to the LDAP server via mechanisms
 #	other than a simple password. The added flexibility has a cost:
 #	it is no longer practical to set an explicit timeout on the duration
 #	of an LDAP bind operation. Under adverse conditions, whether a SASL
 #	bind times out, or if it does, the duration of the timeout is
 #	determined by the LDAP and SASL libraries.
 #
 # 	It is best to use tables that use SASL binds via proxymap(8), this
 #	way the requesting process can time-out the proxymap request. This
 #	also lets you tailer the process environment by overriding the
 #	proxymap(8) import_environment setting in master.cf(5). Special
 #	environment settings may be needed to configure GSSAPI credential
 #	caches or other SASL mechanism specific options. The GSSAPI
 #	credentials used for LDAP lookups may need to be different than
 #	say those used for the Postfix SMTP client to authenticate to remote
 #	servers.
 #
 #	Using SASL mechanisms requires LDAP protocol version 3, the default
 #	protocol version is 2 for backwards compatibility. You must set
 #	"version = 3" in addition to "bind = sasl".
 #
 #	The following parameters are relevant to using LDAP with SASL
 # .IP "\fBsasl (default: no)\fR"
 #	Whether or not to use SASL binds to the server.  Can be yes or no.
 # .IP "\fBsasl_mechs (default: empty)\fR"
 #	Space separated list of SASL mechanism(s) to try. 
 # .IP "\fBsasl_realm (default: empty)\fR"
 #	SASL Realm to use, if applicable.
 # .IP "\fBsasl_authz_id (default: empty)\fR"
 #	The SASL authorization identity to assert, if applicable.
 # .IP "\fBsasl_minssf (default: 0)\fR"
 #	The minimum required sasl security factor required to establish a
 #	connection.
 # LDAP SSL AND STARTTLS PARAMETERS
 # .ad
 # .fi
--- a/postfix/src/cleanup/cleanup_map1n.c
+++ b/postfix/src/cleanup/cleanup_map1n.c
@ -15,13 +15,18 @@
 /*	This module implements one-to-many table mapping via table lookup.
 /*	Table lookups are done with quoted (externalized) address forms.
 /*	The process is recursive. The recursion terminates when the
-/*	left-hand side appears in its own expansion, or when a maximal
+/*	left-hand side appears in its own expansion.
 /*	nesting level is reached.
 /*
 /*	cleanup_map1n_internal() is the interface for addresses in
 /*	internal (unquoted) form.
 /* DIAGNOSTICS
-/*	Recoverable errors: the global \fIcleanup_errs\fR flag is updated.
+/*	When the maximal expansion or recursion limit is reached,
 /*	the alias is not expanded and the CLEANUP_STAT_DEFER error
 /*	is raised with reason "4.6.0 Alias expansion error".
 /*
 /*	When table lookup fails, the alias is not expanded and the
 /*	CLEANUP_STAT_WRITE error is raised with reason "4.6.0 Alias
 /*	expansion error".
 /* SEE ALSO
 /*	mail_addr_map(3) address mappings
 /*	mail_addr_find(3) address lookups
@ -93,15 +98,26 @@ ARGV   *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
     * must index the array explicitly, instead of running along it with a
     * pointer.
     */
-#define UPDATE(ptr,new)	{ myfree(ptr); ptr = mystrdup(new); }
+#define UPDATE(ptr,new)	do { \
 	if (ptr) myfree(ptr); ptr = mystrdup(new); \
    } while (0)
 #define STR	vstring_str
-#define RETURN(x) { been_here_free(been_here); return (x); }
+#define RETURN(x) do { \
 	been_here_free(been_here); return (x); \
    } while (0)
 #define UNEXPAND(argv, addr) do { \
 	argv_truncate((argv), 0); argv_add((argv), (addr), (char *) 0); \
    } while (0)
    for (arg = 0; arg < argv->argc; arg++) {
 	if (argv->argc > var_virt_expan_limit) {
-	    msg_warn("%s: unreasonable %s map expansion size for %s",
+	    msg_warn("%s: unreasonable %s map expansion size for %s -- "
 		     "deferring delivery",
 		     state->queue_id, maps->title, addr);
-	    break;
+	    state->errs |= CLEANUP_STAT_DEFER;
 	    UPDATE(state->reason, "4.6.0 Alias expansion error");
 	    UNEXPAND(argv, addr);
 	    RETURN(argv);
 	}
 	for (count = 0; /* void */ ; count++) {
@ -111,9 +127,13 @@ ARGV   *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
 	    if (been_here_check_fixed(been_here, argv->argv[arg]) != 0)
 		break;
 	    if (count >= var_virt_recur_limit) {
-		msg_warn("%s: unreasonable %s map nesting for %s",
+		msg_warn("%s: unreasonable %s map nesting for %s -- "
 			 "deferring delivery",
 			 state->queue_id, maps->title, addr);
-		break;
+		state->errs |= CLEANUP_STAT_DEFER;
 		UPDATE(state->reason, "4.6.0 Alias expansion error");
 		UNEXPAND(argv, addr);
 		RETURN(argv);
 	    }
 	    quote_822_local(state->temp1, argv->argv[arg]);
 	    if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) {
@ -136,9 +156,12 @@ ARGV   *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
 		myfree(saved_lhs);
 		argv_free(lookup);
 	    } else if (dict_errno != 0) {
-		msg_warn("%s: %s map lookup problem for %s",
+		msg_warn("%s: %s map lookup problem for %s -- "
 			 "deferring delivery",
 			 state->queue_id, maps->title, addr);
 		state->errs |= CLEANUP_STAT_WRITE;
 		UPDATE(state->reason, "4.6.0 Alias expansion error");
 		UNEXPAND(argv, addr);
 		RETURN(argv);
 	    } else {
 		break;
--- a/postfix/src/global/dict_ldap.c
+++ b/postfix/src/global/dict_ldap.c
@ -103,6 +103,16 @@
 /* .IP version
 /*	Specifies the LDAP protocol version to use.  Default is version
 /*	\fI2\fR.
 /* .IP "\fBsasl (no)\fR"
 /*	Whether or not to use SASL binds with the server.
 /* .IP "\fBsasl_mechs (empty)\fR"
 /*	Specifies a space-separated list of LDAP SASL Mechanisms.
 /* .IP "\fBsasl_realm (empty)\fR"
 /*	The realm to use for SASL binds.
 /* .IP "\fBsasl_authz_id (empty)\fR"
 /*	The SASL Authorization Identity to assert.
 /* .IP "\fBsasl_minssf (0)\fR"
 /*	The minimum SASL SSF to allow.
 /* .IP start_tls
 /*	Whether or not to issue STARTTLS upon connection to the server.
 /*	At this time, STARTTLS and LDAP SSL are only available if the
@ -208,16 +218,44 @@
 #include <dict.h>
 #include <stringops.h>
 #include <binhash.h>
 #include <name_code.h>
 /* Global library. */
 #include "cfg_parser.h"
 #include "db_common.h"
 #include "mail_conf.h"
 #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
 /*
  * SASL headers, for sasl_interact_t. Either SASL v1 or v2 should be fine.
  */
 #include <sasl.h>
 #endif
 /* Application-specific. */
 #include "dict_ldap.h"
 #define DICT_LDAP_BIND_NONE	0
 #define DICT_LDAP_BIND_SIMPLE	1
 #define DICT_LDAP_BIND_SASL	2
 #define DICT_LDAP_DO_BIND(d)	((d)->bind != DICT_LDAP_BIND_NONE)
 #define DICT_LDAP_DO_SASL(d)	((d)->bind == DICT_LDAP_BIND_SASL)
 static const NAME_CODE bindopt_table[] = {
    CONFIG_BOOL_NO,	DICT_LDAP_BIND_NONE,
    "none",		DICT_LDAP_BIND_NONE,
    CONFIG_BOOL_YES,	DICT_LDAP_BIND_SIMPLE,
    "simple",		DICT_LDAP_BIND_SIMPLE,
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    "sasl", 		DICT_LDAP_BIND_SASL,
 #endif
 #endif
    0, -1,
 };
 typedef struct {
    LDAP   *conn_ld;
    int     conn_refcount;
@ -254,6 +292,13 @@ typedef struct {
    int     debuglevel;
    int     version;
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    int     sasl;
    char    *sasl_mechs;
    char    *sasl_realm;
    char    *sasl_authz;
    int     sasl_minssf;
 #endif
    int     ldap_ssl;
    int     start_tls;
    int     tls_require_cert;
@ -407,6 +452,49 @@ static int dict_ldap_set_errno(LDAP *ld, int rc)
    return rc;
 }
 #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
 /*
  * Context structure for SASL property callback.
  */
 typedef struct bind_props {
    char *authcid;
    char *passwd;
    char *realm;
    char *authzid;
 } bind_props;
 static int
 ldap_b2_interact(LDAP *ld, unsigned flags, void *props, void *inter)
 {
    sasl_interact_t *in;
    bind_props *ctx = (bind_props *)props;
    for (in = inter; in->id != SASL_CB_LIST_END; in++)
    {
 	in->result = NULL;
 	switch(in->id)
 	{
 	case SASL_CB_GETREALM:
 	    in->result = ctx->realm;
 	    break;
 	case SASL_CB_AUTHNAME:
 	    in->result = ctx->authcid;
 	    break;
 	case SASL_CB_USER:
 	    in->result = ctx->authzid;
 	    break;
 	case SASL_CB_PASS:
 	    in->result = ctx->passwd;
 	    break;
 	}
 	if (in->result)
 	    in->len = strlen(in->result);
    }
    return LDAP_SUCCESS;
 }
 #endif
 /* dict_ldap_result - Read and parse LDAP result */
 static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
@ -427,6 +515,40 @@ static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
    return LDAP_SUCCESS;
 }
 #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
 /* Asynchronous SASL auth if SASL is enabled */
 static int dict_ldap_bind_sasl(DICT_LDAP *dict_ldap)
 {
    int     rc;
    bind_props props;
    static VSTRING *minssf = 0;
    if (minssf == 0)
 	minssf = vstring_alloc(12);
    vstring_sprintf(minssf, "minssf=%d", dict_ldap->sasl_minssf);
    if ((rc = ldap_set_option(dict_ldap->ld, LDAP_OPT_X_SASL_SECPROPS,
 			       (char *) minssf)) != LDAP_OPT_SUCCESS)
 	return (rc);
    props.authcid = dict_ldap->bind_dn;
    props.passwd = dict_ldap->bind_pw;
    props.realm = dict_ldap->sasl_realm;
    props.authzid = dict_ldap->sasl_authz;
    if ((rc = ldap_sasl_interactive_bind_s(dict_ldap->ld, NULL,
 					    dict_ldap->sasl_mechs, NULL, NULL,
 					    LDAP_SASL_QUIET, ldap_b2_interact,
 					    &props)) != LDAP_SUCCESS)
 	return (rc);
    return (LDAP_SUCCESS);
 }
 #endif
 /* dict_ldap_bind_st - Synchronous simple auth with timeout */
 static int dict_ldap_bind_st(DICT_LDAP *dict_ldap)
@ -746,26 +868,36 @@ static int dict_ldap_connect(DICT_LDAP *dict_ldap)
    }
 #endif
 #define DN_LOG_VAL(dict_ldap) \
 	((dict_ldap)->bind_dn[0] ? (dict_ldap)->bind_dn : "empty or implicit")
    /*
     * If this server requires a bind, do so. Thanks to Sam Tardieu for
     * noticing that the original bind call was broken.
     */
-    if (dict_ldap->bind) {
+    if (DICT_LDAP_DO_BIND(dict_ldap)) {
 	if (msg_verbose)
-	    msg_info("%s: Binding to server %s as dn %s",
+	    msg_info("%s: Binding to server %s with dn %s",
-		     myname, dict_ldap->server_host, dict_ldap->bind_dn);
+		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
 #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
 	if (DICT_LDAP_DO_SASL(dict_ldap)) {
 	    rc = dict_ldap_bind_sasl(dict_ldap);
 	} else {
 	    rc = dict_ldap_bind_st(dict_ldap);
 	}
 #else
 	rc = dict_ldap_bind_st(dict_ldap);
 #endif
 	if (rc != LDAP_SUCCESS) {
-	    msg_warn("%s: Unable to bind to server %s as %s: %d (%s)",
+	    msg_warn("%s: Unable to bind to server %s with dn %s: %d (%s)",
-		     myname, dict_ldap->server_host, dict_ldap->bind_dn,
+		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap),
 		     rc, ldap_err2string(rc));
 	    DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
 	}
 	if (msg_verbose)
-	    msg_info("%s: Successful bind to server %s as %s ",
+	    msg_info("%s: Successful bind to server %s with dn %s",
-		     myname, dict_ldap->server_host, dict_ldap->bind_dn);
+		     myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
    }
    /* Save connection handle in shared container */
    DICT_LDAP_CONN(dict_ldap)->conn_ld = dict_ldap->ld;
@ -798,13 +930,19 @@ static void dict_ldap_conn_find(DICT_LDAP *dict_ldap)
    ADDSTR(keybuf, dict_ldap->server_host);
    ADDINT(keybuf, dict_ldap->server_port);
    ADDINT(keybuf, dict_ldap->bind);
-    ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_dn : "");
+    ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_dn : "");
-    ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_pw : "");
+    ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_pw : "");
    ADDINT(keybuf, dict_ldap->dereference);
    ADDINT(keybuf, dict_ldap->chase_referrals);
    ADDINT(keybuf, dict_ldap->debuglevel);
    ADDINT(keybuf, dict_ldap->version);
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_mechs : "");
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_realm : "");
    ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_authz : "");
    ADDINT(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_minssf : 0);
 #endif
    ADDINT(keybuf, dict_ldap->ldap_ssl);
    ADDINT(keybuf, dict_ldap->start_tls);
    ADDINT(keybuf, sslon ? dict_ldap->tls_require_cert : 0);
@ -1437,6 +1575,13 @@ static void dict_ldap_close(DICT *dict)
    if (dict_ldap->ctx)
 	db_common_free_ctx(dict_ldap->ctx);
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    if (DICT_LDAP_DO_SASL(dict_ldap)) {
 	myfree(dict_ldap->sasl_mechs);
 	myfree(dict_ldap->sasl_realm);
 	myfree(dict_ldap->sasl_authz);
    }
 #endif
    myfree(dict_ldap->tls_ca_cert_file);
    myfree(dict_ldap->tls_ca_cert_dir);
    myfree(dict_ldap->tls_cert);
@ -1461,6 +1606,7 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
    char   *server_host;
    char   *scope;
    char   *attr;
    char   *bindopt;
    int     tmp;
    int     vendor_version = dict_ldap_vendor_version();
@ -1666,9 +1812,14 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
    myfree(attr);
    /*
-     * get configured value of "bind"; default to true
+     * get configured value of "bind"; default to simple bind
     */
-    dict_ldap->bind = cfg_get_bool(dict_ldap->parser, "bind", 1);
+    bindopt = cfg_get_str(dict_ldap->parser, "bind", CONFIG_BOOL_YES, 1, 0);
    dict_ldap->bind = name_code(bindopt_table, NAME_CODE_FLAG_NONE, bindopt);
    if (dict_ldap->bind < 0)
 	msg_fatal("%s: unsupported parameter value: %s = %s",
 		  dict_ldap->parser->name, "bind", bindopt);
    myfree(bindopt);
    /*
     * get configured value of "bind_dn"; default to ""
@ -1723,6 +1874,25 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
 					      "chase_referrals", 0);
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 #if defined(USE_LDAP_SASL)
    /*
     * SASL options
     */
    if (DICT_LDAP_DO_SASL(dict_ldap)) {
 	dict_ldap->sasl_mechs =
 	    cfg_get_str(dict_ldap->parser, "sasl_mechs", "", 0, 0);
 	dict_ldap->sasl_realm =
 	    cfg_get_str(dict_ldap->parser, "sasl_realm", "", 0, 0);
 	dict_ldap->sasl_authz =
 	    cfg_get_str(dict_ldap->parser, "sasl_authz_id", "", 0, 0);
 	dict_ldap->sasl_minssf =
 	    cfg_get_int(dict_ldap->parser, "sasl_minssf", 0, 0, 4096);
    } else {
 	dict_ldap->sasl_mechs = 0;
 	dict_ldap->sasl_realm = 0;
 	dict_ldap->sasl_authz = 0;
    }
 #endif
    /*
     * TLS options
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20101201"
+#define MAIL_RELEASE_DATE	"20101204"
 #define MAIL_VERSION_NUMBER	"2.8"
 #ifdef SNAPSHOT
--- a/postfix/src/global/mime_state.c
+++ b/postfix/src/global/mime_state.c
@ -49,7 +49,7 @@
 /*
 /*	In order to fend off denial of service attacks, message headers
 /*	are truncated at or above var_header_limit bytes, message boundary
-/*	strings are truncated at var_boundary_len bytes, and the multipart
+/*	strings are truncated at var_mime_bound_len bytes, and the multipart
 /*	nesting level is limited to var_mime_maxdepth levels.
 /*
 /*	mime_state_alloc() creates a MIME state machine. The machine
--- a/postfix/src/global/pipe_command.c
+++ b/postfix/src/global/pipe_command.c
@ -85,8 +85,7 @@
 /*	configuration parameter. The group ID must be non-zero.
 /* .IP "PIPE_CMD_TIME_LIMIT (int)"
 /*	The amount of time the command is allowed to run before it
-/*	is terminated with SIGKILL. The default is the limit given
+/*	is terminated with SIGKILL. The default is DEF_COMMAND_MAXTIME.
 /*	with the \fIcommand_time_limit\fR configuration parameter.
 /* .IP "PIPE_CMD_SHELL (char *)"
 /*	The shell to use when executing the command specified with
 /*	PIPE_CMD_COMMAND. This shell is invoked regardless of the
@ -211,7 +210,7 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
    args->cwd = 0;
    args->chroot = 0;
-    pipe_command_maxtime = var_command_maxtime;
+    pipe_command_maxtime = DEF_COMMAND_MAXTIME;
    /*
     * Then, override the defaults with user-supplied inputs.
--- a/postfix/src/global/scache_clnt.c
+++ b/postfix/src/global/scache_clnt.c
@ -414,7 +414,7 @@ SCACHE *scache_clnt_create(const char *server, int timeout,
    sp->scache->size = scache_clnt_size;
    sp->scache->free = scache_clnt_free;
-    service = concatenate("local:private/", var_scache_service, (char *) 0);
+    service = concatenate("local:private/", server, (char *) 0);
    sp->auto_clnt = auto_clnt_create(service, timeout, idle_limit, ttl_limit);
    myfree(service);
--- a/postfix/src/local/local.c
+++ b/postfix/src/local/local.c
@ -626,7 +626,7 @@ char   *var_allow_commands;
 char   *var_allow_files;
 char   *var_alias_maps;
 int     var_dup_filter_limit;
-int     var_command_maxtime;
+int     var_command_maxtime;		/* You can now leave this here. */
 char   *var_home_mailbox;
 char   *var_mailbox_command;
 char   *var_mailbox_cmd_maps;
--- a/postfix/src/pickup/pickup.c
+++ b/postfix/src/pickup/pickup.c
@ -196,8 +196,9 @@ static int cleanup_service_error_reason(PICKUP_INFO *info, int status,
     * -r" when a message is already delivered (or bounced). The Postfix
     * sendmail command rejects submissions without recipients.
     */
-    if (reason == 0)
+    if (reason == 0 || *reason == 0)
-	msg_warn("%s: %s", info->path, cleanup_strerror(status));
+	msg_warn("%s: error writing %s: %s",
 		  info->path, info->id, cleanup_strerror(status));
    return ((status & (CLEANUP_STAT_BAD | CLEANUP_STAT_RCPT)) ?
 	    REMOVE_MESSAGE_FILE : KEEP_MESSAGE_FILE);
 }
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@ -530,7 +530,7 @@
  * Tunable parameters. Values are taken from the config file, after
  * prepending the service name to _name, and so on.
  */
-int     var_command_maxtime;		/* system-wide */
+int     var_command_maxtime;		/* You can now leave this here. */
 /*
  * For convenience. Instead of passing around lists of parameters, bundle
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@ -46,7 +46,14 @@
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8).
 /* BUGS
-/*	Some of the non-default protocol tests involve
+/*	The \fBpostscreen\fR(8) built-in SMTP protocol engine does
 /*	not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
 /*	Support for STARTTLS and AUTH may be added in the future.
 /*	In the mean time, if you need to make these services available
 /*	on port 25, then do not enable the optional "after 220
 /*	server greeting" tests.
 /*
 /*	The optional "after 220 server greeting" tests involve
 /*	\fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
 /*	these tests succeed, \fBpostscreen\fR(8) adds the client
 /*	to the temporary whitelist but it cannot not hand off the
@ -58,14 +65,6 @@
 /*	server process to deliver mail. \fBpostscreen\fR(8) mitigates
 /*	the impact of this limitation by giving such tests a long
 /*	expiration time.
 /*
 /*	The \fBpostscreen\fR(8) built-in SMTP protocol engine does
 /*	not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
 /*	(support for STARTTLS and AUTH may be added in the future).
 /*	End-user clients should connect directly to the submission
 /*	service; other systems that require the above features
 /*	should directly connect to a Postfix SMTP server, or they
 /*	should be placed on the \fBpostscreen\fR(8) whitelist.
 /* CONFIGURATION PARAMETERS
 /* .ad
 /* .fi
@ -525,7 +524,7 @@ static void ps_service(VSTREAM *smtp_client_stream,
     * Reply with 421 when the client has too many open connections.
     */
    if (var_ps_cconn_limit > 0
-	&& state->client_concurrency  > var_ps_cconn_limit) {
+	&& state->client_concurrency > var_ps_cconn_limit) {
 	msg_info("NOQUEUE: reject: CONNECT from [%s]:%s: too many connections",
 		 state->smtp_client_addr, state->smtp_client_port);
 	PS_DROP_SESSION_STATE(state,
--- a/postfix/src/postscreen/postscreen_early.c
+++ b/postfix/src/postscreen/postscreen_early.c
@ -258,9 +258,7 @@ void    ps_early_tests(PS_STATE *state)
     */
    if ((state->flags & PS_STATE_FLAG_PREGR_TODO) != 0
 	&& ps_teaser_greeting != 0
-	&& ps_send_reply(vstream_fileno(state->smtp_client_stream),
+	&& PS_SEND_REPLY(state, ps_teaser_greeting) != 0) {
 			 state->smtp_client_addr, state->smtp_client_port,
 			 ps_teaser_greeting) != 0) {
 	ps_hangup_event(state);
 	return;
    }
--- a/postfix/src/postscreen/postscreen_misc.c
+++ b/postfix/src/postscreen/postscreen_misc.c
@ -125,9 +125,7 @@ void    ps_conclude(PS_STATE *state)
 	ps_send_socket(state);
    } else {
 	if ((state->flags & PS_STATE_FLAG_HANGUP) == 0)
-	    (void) ps_send_reply(vstream_fileno(state->smtp_client_stream),
+	    (void) PS_SEND_REPLY(state, state->final_reply);
 			   state->smtp_client_addr, state->smtp_client_port,
 				 state->final_reply);
 	msg_info("DISCONNECT [%s]:%s", PS_CLIENT_ADDR_PORT(state));
 	ps_free_session_state(state);
    }
--- a/postfix/src/postscreen/postscreen_send.c
+++ b/postfix/src/postscreen/postscreen_send.c
@ -85,9 +85,8 @@ int     ps_send_reply(int smtp_client_fd, const char *smtp_client_addr,
     * XXX Need to make sure that the TCP send buffer is large enough for any
     * response, so that a nasty client can't cause this process to block.
     */
-    ret = (write_buf(smtp_client_fd, text, strlen(text),
+    ret = write_buf(smtp_client_fd, text, strlen(text), PS_SEND_TEXT_TIMEOUT);
-		     PS_SEND_TEXT_TIMEOUT) < 0);
+    if (ret < 0 && errno != EPIPE)
    if (ret != 0 && errno != EPIPE)
 	msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port);
    return (ret);
 }
@ -164,9 +163,7 @@ void    ps_send_socket(PS_STATE *state)
 	 LOCAL_CONNECT(ps_smtpd_service_name, NON_BLOCKING,
 		       PS_SEND_SOCK_CONNECT_TIMEOUT)) < 0) {
 	msg_warn("cannot connect to service %s: %m", ps_smtpd_service_name);
-	ps_send_reply(vstream_fileno(state->smtp_client_stream),
+	PS_SEND_REPLY(state, "421 4.3.2 All server ports are busy\r\n");
 		      state->smtp_client_addr, state->smtp_client_port,
 		      "421 4.3.2 All server ports are busy\r\n");
 	ps_free_session_state(state);
 	return;
    }
@ -175,9 +172,7 @@ void    ps_send_socket(PS_STATE *state)
 		      vstream_fileno(state->smtp_client_stream)) < 0) {
 	msg_warn("cannot pass connection to service %s: %m",
 		 ps_smtpd_service_name);
-	ps_send_reply(vstream_fileno(state->smtp_client_stream),
+	PS_SEND_REPLY(state, "421 4.3.2 No system resources\r\n");
 		      state->smtp_client_addr, state->smtp_client_port,
 		      "421 4.3.2 No system resources\r\n");
 	ps_free_session_state(state);
 	return;
    } else {
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@ -753,7 +753,7 @@ int     var_smtp_mxsess_limit;
 int     var_smtp_cache_conn;
 int     var_smtp_reuse_time;
 char   *var_smtp_cache_dest;
-char   *var_scache_service;
+char   *var_scache_service;		/* You can now leave this here. */
 bool    var_smtp_cache_demand;
 char   *var_smtp_ehlo_dis_words;
 char   *var_smtp_ehlo_dis_maps;