diff --git a/postfix/HISTORY b/postfix/HISTORY index 8482b6195..da3b242d2 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -19528,3 +19528,23 @@ Apologies for any names omitted. 20140110-15 Miscellaneous documentation cleanups. + +20140116 + + Workaround: prepend "-I. -I../../include" to CCARGS, to + avoid name clashes with non-Postfix header files. File: + makedefs. + +20140125 + + Cleanup: assorted documentation glitches. + +20140209 + + Workaround: the Postfix SMTP client now also falls back to + plaintext when TLS fails after the TLS protocol handshake. + Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_trouble.c. + + Testbed: unsupported HANGUP access map action that drops + the connection without responding to the remote SMTP client. + File: smtpd/smtpd_check.c. diff --git a/postfix/README_FILES/FORWARD_SECRECY_README b/postfix/README_FILES/FORWARD_SECRECY_README index b81bfcbea..8d6fa3dac 100644 --- a/postfix/README_FILES/FORWARD_SECRECY_README +++ b/postfix/README_FILES/FORWARD_SECRECY_README 
@@ -181,12 +181,13 @@ main.cf. FFoorrwwaarrdd SSeeccrreeccyy iinn tthhee PPoossttffiixx SSMMTTPP CClliieenntt The Postfix >= 2.2 SMTP client supports forward secrecy in its default -configuration. No configuration changes are needed besides turning on elliptic- -curve support with Postfix 2.6 and 2.7 (see the quick-start section). If the -remote SMTP server supports cipher suites with forward secrecy (and does not -override the SMTP client's cipher preference), then the traffic between the -server and client will resist decryption even if the server's long-term -authentication keys are later compromised. +configuration. All supported OpenSSL releases support EDH key exchange. OpenSSL +releases >= 1.0.0 also support EECDH key exchange (provided elliptic-curve +support has not been disabled by the vendor as in some versions of RedHat +Linux). If the remote SMTP server supports cipher suites with forward secrecy +(and does not override the SMTP client's cipher preference), then the traffic +between the server and client will resist decryption even if the server's long- +term authentication keys are later compromised. The default Postfix SMTP client cipher lists are correctly ordered to prefer EECDH and EDH cipher suites ahead of similar cipher suites that don't implement 
@@ -200,12 +201,16 @@ a case-by-case basis via the TLS policy table. GGeettttiinngg ssttaarrtteedd,, qquuiicckk aanndd ddiirrttyy -EEEECCDDHH CClliieenntt aanndd sseerrvveerr ssuuppppoorrtt ((PPoossttffiixx >>== 22..66 wwiitthh OOppeennSSSSLL >>== 11..00..00)) +EEEECCDDHH CClliieenntt ssuuppppoorrtt ((PPoossttffiixx >>== 22..22 wwiitthh OOppeennSSSSLL >>== 11..00..00)) + +This works "out of the box" without additional configuration. + +EEEECCDDHH SSeerrvveerr ssuuppppoorrtt ((PPoossttffiixx >>== 22..66 wwiitthh OOppeennSSSSLL >>== 11..00..00)) With Postfix 2.6 and 2.7, enable elliptic-curve support in the Postfix SMTP -client and server. This is the default with Postfix >= 2.8. Note, however, that -elliptic-curve support may be disabled by the vendor, as in some versions of -RedHat Linux. +server. This is the default with Postfix >= 2.8. Note, however, that elliptic- +curve support may be disabled by the vendor, as in some versions of RedHat +Linux. /etc/postfix/main.cf: # Postfix 2.6 or 2.7 only. This is default with Postfix 2.8 and later. diff --git a/postfix/html/FORWARD_SECRECY_README.html b/postfix/html/FORWARD_SECRECY_README.html index af0f53d15..1e0adc0e1 100644 --- a/postfix/html/FORWARD_SECRECY_README.html +++ b/postfix/html/FORWARD_SECRECY_README.html @@ -253,9 +253,10 @@ more curves at the desired security level without any changes to

Forward Secrecy in the Postfix SMTP Client

The Postfix ≥ 2.2 SMTP client supports forward secrecy in -its default configuration. No configuration changes are needed -besides turning on elliptic-curve support with Postfix 2.6 and 2.7 -(see the quick-start section). If the +its default configuration. All supported OpenSSL releases support +EDH key exchange. OpenSSL releases ≥ 1.0.0 also support EECDH +key exchange (provided elliptic-curve support has not been disabled +by the vendor as in some versions of RedHat Linux). If the remote SMTP server supports cipher suites with forward secrecy (and does not override the SMTP client's cipher preference), then the traffic between the server and client will resist decryption even @@ -277,11 +278,14 @@ href="TLS_README.html#client_tls_policy">TLS policy table.

Getting started, quick and dirty

-

EECDH Client and server support (Postfix ≥ 2.6 with OpenSSL -≥ 1.0.0)

+

EECDH Client support (Postfix ≥ 2.2 with OpenSSL ≥ 1.0.0)

+ +

This works "out of the box" without additional configuration.

+ +

EECDH Server support (Postfix ≥ 2.6 with OpenSSL ≥ 1.0.0)

With Postfix 2.6 and 2.7, enable elliptic-curve support in the -Postfix SMTP client and server. This is the default with Postfix +Postfix SMTP server. This is the default with Postfix ≥ 2.8. Note, however, that elliptic-curve support may be disabled by the vendor, as in some versions of RedHat Linux.

diff --git a/postfix/html/postconf.1.html b/postfix/html/postconf.1.html index ecaed1a25..aa16a13a4 100644 --- a/postfix/html/postconf.1.html +++ b/postfix/html/postconf.1.html @@ -123,6 +123,8 @@ POSTCONF(1) POSTCONF(1) The default is as if "-C all" is specified. + This feature is available with Postfix 2.9 and later. + -d Print main.cf default parameter settings instead of actual set- tings. Specify -df to fold long lines for human readability (Postfix 2.9 and later). @@ -330,6 +332,8 @@ POSTCONF(1) POSTCONF(1) -p Show main.cf parameter settings. This is the default. + This feature is available with Postfix 2.11 and later. + -P Show master.cf service parameter settings (by default all ser- vices and all parameters). formatted as one "ser- vice/type/parameter=value" per line. Specify -Pf to fold long @@ -444,8 +448,10 @@ POSTCONF(1) POSTCONF(1) The Secure Mailer license must be distributed with this software. AUTHOR(S) - Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown - Heights, NY 10598, USA + Wietse Venema + IBM T.J. Watson Research + P.O. Box 704 + Yorktown Heights, NY 10598, USA POSTCONF(1) diff --git a/postfix/makedefs b/postfix/makedefs index 7ea559081..5f3bcc747 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -638,6 +638,9 @@ CCARGS="$CCARGS -DSNAPSHOT" # needed before the code stabilizes. #CCARGS="$CCARGS -DNONPROD" +# Workaround: prepend Postfix include files before other include files. +CCARGS="-I. -I../../include $CCARGS" + sed 's/ / /g' <

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 9c60fe76e..459a55f99 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20140115" +#define MAIL_RELEASE_DATE "20140209" #define MAIL_VERSION_NUMBER "2.12" #ifdef SNAPSHOT diff --git a/postfix/src/global/rcpt_print.c b/postfix/src/global/rcpt_print.c index 1c8b0cfa7..c98809cc4 100644 --- a/postfix/src/global/rcpt_print.c +++ b/postfix/src/global/rcpt_print.c @@ -26,8 +26,10 @@ /* The Secure Mailer license must be distributed with this /* software. /* AUTHOR(S) -/* Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown -/* Heights, NY 10598, USA +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA /*--*/ /* System library. */ diff --git a/postfix/src/milter/milter_macros.c b/postfix/src/milter/milter_macros.c index b62f32be7..c54eed941 100644 --- a/postfix/src/milter/milter_macros.c +++ b/postfix/src/milter/milter_macros.c @@ -94,8 +94,10 @@ /* The Secure Mailer license must be distributed with this /* software. /* AUTHOR(S) -/* Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown -/* Heights, NY 10598, USA +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA /*--*/ /* System library. */ diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c index df8ab4d45..23bcbb082 100644 --- a/postfix/src/postconf/postconf.c +++ b/postfix/src/postconf/postconf.c @@ -137,6 +137,8 @@ /* .IP /* The default is as if "\fB-C all\fR" is /* specified. +/* +/* This feature is available with Postfix 2.9 and later. /* .IP \fB-d\fR /* Print \fBmain.cf\fR default parameter settings instead of /* actual settings. 
@@ -341,6 +343,8 @@ /* This feature is available with Postfix 2.10 and later. /* .IP \fB-p\fR /* Show \fBmain.cf\fR parameter settings. This is the default. +/* +/* This feature is available with Postfix 2.11 and later. /* .IP \fB-P\fR /* Show \fBmaster.cf\fR service parameter settings (by default /* all services and all parameters). formatted as one @@ -464,8 +468,10 @@ /* The Secure Mailer license must be distributed with this /* software. /* AUTHOR(S) -/* Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown -/* Heights, NY 10598, USA +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA /*--*/ /* System library. */ diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in index 6be38f833..e5013e4a2 100644 --- a/postfix/src/smtp/Makefile.in +++ b/postfix/src/smtp/Makefile.in @@ -728,6 +728,7 @@ smtp_trouble.o: ../../include/vbuf.h smtp_trouble.o: ../../include/vstream.h smtp_trouble.o: ../../include/vstring.h smtp_trouble.o: smtp.h +smtp_trouble.o: smtp_sasl.h smtp_trouble.o: smtp_trouble.c smtp_unalias.o: ../../include/argv.h smtp_unalias.o: ../../include/attr.h diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h index 336a4f47f..99ab7391f 100644 --- a/postfix/src/smtp/smtp.h +++ b/postfix/src/smtp/smtp.h 
@@ -453,6 +453,29 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[]; * Encapsulate the following so that we don't expose details of of * connection management and error handling to the SMTP protocol engine. */ +#ifdef USE_SASL_AUTH +#define HAVE_SASL_CREDENTIALS \ + (var_smtp_sasl_enable \ + && *var_smtp_sasl_passwd \ + && smtp_sasl_passwd_lookup(session)) +#else +#define HAVE_SASL_CREDENTIALS (0) +#endif + +#define PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE \ + (session->tls_context == 0 \ + && session->tls->level == TLS_LEV_MAY \ + && !HAVE_SASL_CREDENTIALS) + +#define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \ + (session->tls_context != 0 \ + && session->tls->level == TLS_LEV_MAY \ + && !HAVE_SASL_CREDENTIALS) + + /* + * XXX The following will not retry recipients that were deferred while the + * SMTP_MISC_FLAG_FINAL_SERVER flag was already set. + */ #define RETRY_AS_PLAINTEXT do { \ session->tls_retry_plain = 1; \ state->misc_flags &= ~SMTP_MISC_FLAG_FINAL_SERVER; \ diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index ff278c1ff..3f7aeea07 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -1015,6 +1015,19 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop, && next == 0) state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; smtp_xfer(state); +#ifdef USE_TLS + + /* + * When opportunistic TLS fails after the STARTTLS + * handshake, try the same address again, with TLS + * disabled. See also the RETRY_AS_PLAINTEXT macro. + */ + if ((retry_plain = session->tls_retry_plain) != 0) { + --sess_count; + --addr_count; + next = addr; + } +#endif } smtp_cleanup_session(state); } else { diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index 1f9759d38..fbae51f2d 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c 
@@ -838,13 +838,7 @@ static int smtp_start_tls(SMTP_STATE *state) * plaintext connections, then we don't want delivery to fail with * "relay access denied". */ - if (session->tls->level == TLS_LEV_MAY -#ifdef USE_SASL_AUTH - && !(var_smtp_sasl_enable - && *var_smtp_sasl_passwd - && smtp_sasl_passwd_lookup(session)) -#endif - ) + if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE) RETRY_AS_PLAINTEXT; return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, SMTP_RESP_FAKE(&fake, "4.7.5"), diff --git a/postfix/src/smtp/smtp_trouble.c b/postfix/src/smtp/smtp_trouble.c index 4a0c30627..c5ed83f29 100644 --- a/postfix/src/smtp/smtp_trouble.c +++ b/postfix/src/smtp/smtp_trouble.c @@ -156,6 +156,7 @@ /* Application-specific. */ #include "smtp.h" +#include "smtp_sasl.h" #define SMTP_THROTTLE 1 #define SMTP_NOTHROTTLE 0 @@ -433,10 +434,18 @@ int smtp_stream_except(SMTP_STATE *state, int code, const char *description) case SMTP_ERR_EOF: dsb_simple(why, "4.4.2", "lost connection with %s while %s", session->namaddr, description); +#ifdef USE_TLS + if (PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE) + RETRY_AS_PLAINTEXT; +#endif break; case SMTP_ERR_TIME: dsb_simple(why, "4.4.2", "conversation with %s timed out while %s", session->namaddr, description); +#ifdef USE_TLS + if (PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE) + RETRY_AS_PLAINTEXT; +#endif break; case SMTP_ERR_DATA: session->error_mask |= MAIL_ERROR_DATA; diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 8d2bd2d63..8fdcb62fd 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -236,6 +236,7 @@ #include #include #include +#include /* Application-specific. */ 
@@ -1068,7 +1069,7 @@ static int permit_inet_interfaces(SMTPD_STATE *state) if (msg_verbose) msg_info("%s: %s %s", myname, state->name, state->addr); - if (own_inet_addr((struct sockaddr *) & (state->sockaddr))) + if (own_inet_addr((struct sockaddr *) &(state->sockaddr))) /* Permit logging in generic_checks() only. */ return (SMTPD_CHECK_OK); return (SMTPD_CHECK_DUNNO); @@ -2110,6 +2111,22 @@ static int check_table_result(SMTPD_STATE *state, const char *table, reply_name, reply_class, *dp.text ? dp.text : "Access denied")); } +#ifndef SHUT_RDWR +#define SHUT_RDWR 2 +#endif + + /* + * HANGUP. Text is optional. Drop the connection without sending any + * reply. + * + * Note: this is an unsupported test feature. No attempt is made to maintain + * compatibility between successive versions. + */ + if (STREQUAL(value, "HANGUP", cmd_len)) { + shutdown(vstream_fileno(state->client), SHUT_RDWR); + log_whatsup(state, "hangup", cmd_text); + vstream_longjmp(state->client, SMTP_ERR_QUIET); + } /* * WARN. Text is optional.
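Review bot: the makedefs hunk's new comment says what the line does but not why; the HISTORY entry for 20140116 gives the reason (name clashes with non-Postfix header files), and that reason belongs in the makedefs comment too, because makedefs, not HISTORY, is what a porter reads when include ordering breaks a build. Since the prepend puts "-I. -I../../include" ahead of any vendor "-I" that was already in CCARGS, the comment should also say that Postfix's own headers are now meant to shadow same-named system headers.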
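Review bot: in the smtp.h hunk, HAVE_SASL_CREDENTIALS and the two PLAINTEXT_FALLBACK_OK_* macros dereference `session`, and RETRY_AS_PLAINTEXT also writes `state->misc_flags`, without taking either as a parameter, so they compile only where both locals exist under exactly those names; either give the macros session/state arguments or extend the "Encapsulate the following" comment to state that requirement. The XXX note about recipients deferred while SMTP_MISC_FLAG_FINAL_SERVER was already set describes a user-visible limitation (those recipients are not included in the plaintext retry and wait for the next queue run); suggest one sentence about it next to the 20140209 workaround entry in HISTORY.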
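Review bot: in the smtp_connect_inet() hunk, `retry_plain` is assigned from session->tls_retry_plain but its declaration, and the place where it suppresses STARTTLS on the retried connection, are outside the hunk; please confirm it is reset before each address, and that the rewind
`--sess_count; --addr_count; next = addr;`
can fire at most once per address. PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE requires tls_context != 0, so the retried plaintext session cannot re-arm it, but PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE (tls_context == 0) could, unless retry_plain prevents a second STARTTLS attempt on the same address.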
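Review bot: the smtp_proto.c hunk replaces the inline test in smtp_start_tls() with PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE, which adds a `session->tls_context == 0` condition that the removed code did not have. If this path can be reached with a non-null tls_context after a failed handshake, the fallback silently stops applying; please confirm the context is null here, otherwise the refactor is not behaviour-preserving and deserves its own HISTORY line.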
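Review bot: in the smtp_stream_except() hunk of smtp_trouble.c, the plaintext retry is armed on every SMTP_ERR_EOF and SMTP_ERR_TIME that occurs over a TLS session, not only on TLS-level failures, so a server that drops or stalls an opportunistic-TLS session at any stage now gets a second, unencrypted delivery attempt. That matches the stated intent (TLS_LEV_MAY only, and never when SASL credentials would be sent), but the dsb_simple() text still reads only "lost connection" or "conversation ... timed out" with no sign that a downgrade was scheduled; suggest a msg_info() beside each RETRY_AS_PLAINTEXT so the plaintext retry is visible in the mail log, and a HISTORY sentence saying that EOFs and timeouts after the handshake now count as TLS failures for fallback purposes.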
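Review bot: in the check_table_result() HANGUP hunk of smtpd_check.c, the
`#ifndef SHUT_RDWR`
`#define SHUT_RDWR 2`
fallback sits inside the function body between two access-map actions; move it to the top of the file beside the new #include, whose header name is missing in the hunk as rendered and should be the one that declares shutdown() and SHUT_RDWR. The return value of shutdown() is ignored, which is acceptable for a test-only action, but since the comment marks HANGUP as unsupported with no compatibility promise, a msg_warn() when the action is matched would help anyone who later finds it in a production access map.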