postfix-2.6-20080629

2025-08-29 13:18:12 +00:00 · 2008-06-29 00:00:00 -05:00 · 2008-06-29 00:00:00 -05:00 · ed03f0df0f
commit ed03f0df0f
parent d7f0393465
28 changed files with 337 additions and 206 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -14491,3 +14491,38 @@ Apologies for any names omitted.
 	Bitrot: "make test" was broken due to recent changes in
 	code and due to recent changes at mail-abuse.org.
 20080618
 	Add a note to SMTP session transcript email messages that
 	other details may be found in the maillog file.  Files:
 	smtpd/smtpd_chat.c, smtp/smtp_chat.c.
 20080620
 	Cleanup: with the "Before-queue content filter", RFC3848
 	information was not added to the headers. Carlos Velasco.
 	File smtpd/smtpd.c.
 20080621
 	Cleanup: include unread byte count in the SMTP server's "lost
 	connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.
 20080629
 	Bugfix (introduced Postfix 2.2): multiple inconsistencies
 	in SASL support after introduction of TLS.  The Postfix
 	SMTP server 1) complained about plain-text SASL configuration
 	details when SASL was forbidden for plain-text sessions,
 	and 2) ignored the smtpd_tls_auth_only parameter setting
 	when built without TLS support.  Files: smtpd/smtpd.c,
 	smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
 	smtpd/smtpd_state.c.
 	Some clarification about recipient address versus domain,
 	and recipients per message versus session. File:
 	proto/postconf.proto.
 	The description of SASL authentication attributes was
 	garbled.  File: pipe/pipe.c.
--- a/postfix/README_FILES/SMTPD_ACCESS_README
+++ b/postfix/README_FILES/SMTPD_ACCESS_README
@ -123,7 +123,7 @@ Examples of simple restriction lists are:
    # Don't accept mail from domains that don't exist.
    smtpd_sender_restrictions = reject_unknown_sender_domain
-    # Whitelisting: local clients may specify any destination. Others may not.
+    # Whitelisting: local clients may specify any destination domain.
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    # Block clients that speak too early.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -17,6 +17,23 @@ Incompatibility with Postfix 2.4 and earlier
 If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5
 before proceeding.
 Incompatibility with snapshot 20080629
 ======================================
 When TLS support is not compiled in, the Postfix SMTP server no
 longer ignores the "smtpd_tls_auth_only = yes" parameter setting.
 Earlier Postfix SMTP server versions would announce SASL support,
 and would accept SASL login or sender information.
 Major changes with snapshot 20080629
 ====================================
 The Postfix SMTP server's SASL authentication was re-structured.
 With "smtpd_tls_auth_only = yes", SASL support is now activated
 only after a successful TLS handshake. Earlier Postfix SMTP server
 versions could complain about unavailable SASL mechanisms during
 the plaintext phase of the SMTP protocol.
 Incompatibility with snapshot 20080510
 ======================================
--- a/postfix/html/SMTPD_ACCESS_README.html
+++ b/postfix/html/SMTPD_ACCESS_README.html
@ -136,7 +136,7 @@ no").  </p>
 <ul>
-<li> <p> Disallowing <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> address syntax (example: "MAIL FROM: the
+<li> <p> Disallowing <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> address syntax (example: "MAIL FROM: the
 dude &lt;dude@example.com&gt;"). </p>
 <li> <p> Disallowing addresses that are not enclosed with &lt;&gt;
@ -178,7 +178,7 @@ described in the <a href="postconf.5.html">postconf(5)</a> manual page. </p>
    # Don't accept mail from domains that don't exist.
    <a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> = <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>
-    # Whitelisting: local clients may specify any destination. Others may not.
+    # Whitelisting: local clients may specify any destination domain.
    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
    # Block clients that speak too early.
--- a/postfix/html/anvil.8.html
+++ b/postfix/html/anvil.8.html
@ -139,41 +139,41 @@ ANVIL(8)                                                              ANVIL(8)
       into connection count and/or rate limits falsely.
       In this preliminary implementation, a count (or rate) lim-
-       ited  server can have only one remote client at a time. If
+       ited  server  process can have only one remote client at a
-       a server reports multiple simultaneous clients,  state  is
+       time. If a server process  reports  multiple  simultaneous
-       kept only for the last reported client.
+       clients,  state is kept only for the last reported client.
-       The  <a href="anvil.8.html"><b>anvil</b>(8)</a> server automatically discards client request
+       The <a href="anvil.8.html"><b>anvil</b>(8)</a> server automatically discards client  request
-       information after it expires.   To  prevent  the  <a href="anvil.8.html"><b>anvil</b>(8)</a>
+       information  after  it  expires.   To prevent the <a href="anvil.8.html"><b>anvil</b>(8)</a>
       server from discarding client request rate information too
-       early or too late, a rate limited  service  should  always
+       early  or  too  late, a rate limited service should always
-       register  connect/disconnect  events even when it does not
+       register connect/disconnect events even when it  does  not
       explicitly limit them.
 <b>CONFIGURATION PARAMETERS</b>
       On low-traffic mail systems, changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked
       up automatically as <a href="anvil.8.html"><b>anvil</b>(8)</a> processes run for only a lim-
-       ited amount of time. On other mail systems, use  the  com-
+       ited  amount  of time. On other mail systems, use the com-
       mand "<b>postfix reload</b>" to speed up a change.
-       The  text  below  provides  only  a parameter summary. See
+       The text below provides  only  a  parameter  summary.  See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
       <b><a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> (60s)</b>
-              The time unit over which  client  connection  rates
+              The  time  unit  over which client connection rates
              and other rates are calculated.
       <b><a href="postconf.5.html#anvil_status_update_time">anvil_status_update_time</a> (600s)</b>
-              How  frequently  the  <a href="anvil.8.html"><b>anvil</b>(8)</a>  connection and rate
+              How frequently the  <a href="anvil.8.html"><b>anvil</b>(8)</a>  connection  and  rate
              limiting server logs peak usage information.
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
              <a href="master.5.html">master.cf</a> configuration files.
       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much time a Postfix daemon process may take to
+              How much time a Postfix daemon process may take  to
-              handle a request  before  it  is  terminated  by  a
+              handle  a  request  before  it  is  terminated by a
              built-in watchdog timer.
       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@ -181,29 +181,29 @@ ANVIL(8)                                                              ANVIL(8)
              over an internal communication channel.
       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The maximum amount of time  that  an  idle  Postfix
+              The  maximum  amount  of  time that an idle Postfix
-              daemon  process  waits  for  an incoming connection
+              daemon process waits  for  an  incoming  connection
              before terminating voluntarily.
       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of incoming connections  that  a
+              The  maximal  number of incoming connections that a
-              Postfix  daemon  process will service before termi-
+              Postfix daemon process will service  before  termi-
              nating voluntarily.
       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
              process.
       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
              process.
       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.
       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
+              The  mail  system  name  that  is  prepended to the
-              process  name  in  syslog  records, so that "smtpd"
+              process name in syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".
 <b>SEE ALSO</b>
@ -215,7 +215,7 @@ ANVIL(8)                                                              ANVIL(8)
       <a href="TUNING_README.html">TUNING_README</a>, performance tuning
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
       software.
 <b>HISTORY</b>
--- a/postfix/html/pipe.8.html
+++ b/postfix/html/pipe.8.html
@ -227,31 +227,31 @@ PIPE(8)                                                                PIPE(8)
                     This macro expands to the remote client net-
                     work address.
-                     This is available in Postfix 2.2 and  later.
+                     This feature is available as of Postfix 2.2.
              <b>${client_helo</b>}
                     This macro expands to the remote client HELO
                     command parameter.
-                     This is available in Postfix 2.2 and  later.
+                     This feature is available as of Postfix 2.2.
              <b>${client_hostname</b>}
                     This  macro  expands  to  the  remote client
                     hostname.
-                     This is available in Postfix 2.2 and  later.
+                     This feature is available as of Postfix 2.2.
              <b>${client_port</b>}
                     This  macro expands to the remote client TCP
                     port number.
-                     This is available in Postfix 2.5 and  later.
+                     This feature is available as of Postfix 2.5.
              <b>${client_protocol</b>}
                     This macro expands to the remote client pro-
                     tocol.
-                     This is available in Postfix 2.2 and  later.
+                     This feature is available as of Postfix 2.2.
              <b>${domain</b>}
                     This  macro expands to the domain portion of
@ -262,7 +262,7 @@ PIPE(8)                                                                PIPE(8)
                     This information is modified by the  <b>h</b>  flag
                     for case folding.
-                     This  is available in Postfix 2.5 and later.
+                     This feature is available as of Postfix 2.5.
              <b>${extension</b>}
                     This macro expands to the extension part  of
@ -309,8 +309,7 @@ PIPE(8)                                                                PIPE(8)
                     This  information  is  modified  by  the <b>hqu</b>
                     flags for quoting and case folding.
-                     This feature is available in Postfix 2.5 and
+                     This feature is available as of Postfix 2.5.
                     later.
              <b>${recipient</b>}
                     This macro expands to the complete recipient
@ -324,29 +323,27 @@ PIPE(8)                                                                PIPE(8)
                     flags for quoting and case folding.
              <b>${sasl_method</b>}
-                     This  macro  expands to the SASL authentica-
+                     This  macro  expands to the name of the SASL
-                     tion mechanism used during the reception  of
+                     authentication mechanism in the AUTH command
-                     the  message.  An  empty string is passed if
+                     when  the  Postfix  SMTP server received the
-                     the message has been received  without  SASL
+                     message.
                     authentication.
-                     This  is available in Postfix 2.2 and later.
+                     This feature is available as of Postfix 2.2.
              <b>${sasl_sender</b>}
-                     This macro expands to the SASL  sender  name
+                     This  macro  expands to the SASL sender name
-                     (i.e.  the  original  submitter  as  per <a href="http://tools.ietf.org/html/rfc4954">RFC</a>
+                     (i.e. the  original  submitter  as  per  <a href="http://tools.ietf.org/html/rfc4954">RFC</a>
-                     <a href="http://tools.ietf.org/html/rfc4954">4954</a>) used during the reception of the  mes-
+                     <a href="http://tools.ietf.org/html/rfc4954">4954</a>)  in  the  MAIL  FROM  command when the
-                     sage.
+                     Postfix SMTP server received the message.
-                     This  is available in Postfix 2.2 and later.
+                     This feature is available as of Postfix 2.2.
              <b>${sasl_username</b>}
-                     This macro expands to  the  SASL  user  name
+                     This  macro expands to the SASL user name in
-                     used during the reception of the message. An
+                     the  AUTH  command  when  the  Postfix  SMTP
-                     empty string is passed if  the  message  has
+                     server received the message.
                     been received without SASL authentication.
-                     This  is available in Postfix 2.2 and later.
+                     This feature is available as of Postfix 2.2.
              <b>${sender</b>}
                     This macro expands to  the  envelope  sender
--- a/postfix/html/postconf.1.html
+++ b/postfix/html/postconf.1.html
@ -35,8 +35,9 @@ POSTCONF(1)                                                        POSTCONF(1)
                     fix is built with Cyrus SASL support.
              <b>dovecot</b>
-                     This server  plug-in  requires  the  Dovecot
+                     This server plug-in uses the Dovecot authen-
-                     authentication server.
+                     tication server, and is available when Post-
                     fix is built with any form of SASL  support.
              This  feature  is  available  with  Postfix 2.3 and
              later.
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -1147,6 +1147,11 @@ non-delivery notification. Specify a byte count. If you increase
 this limit, then you should increase the <a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> value
 proportionally.  </p>
 <p> Note: be careful when making changes.  Excessively large values
 will result in the loss of non-delivery notifications, when a bounce
 message size exceeds a local or remote MTA's message size limit.
 </p>
 </DD>
@ -3613,7 +3618,7 @@ field in the entry in the <a href="master.5.html">master.cf</a> file.  </p>
 <DT><b><a name="lmtp_destination_recipient_limit">lmtp_destination_recipient_limit</a>
 (default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
-<p> The maximal number of recipients per delivery via the lmtp
+<p> The maximal number of recipients per message for the lmtp
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the <a href="master.5.html">master.cf</a> file.  </p>
@ -5346,6 +5351,11 @@ content.  The usual C-like escape sequences are recognized: <tt>\a
 The maximal size in bytes of a message, including envelope information.
 </p>
 <p> Note: be careful when making changes.  Excessively small values
 will result in the loss of non-delivery notifications, when a bounce
 message size exceeds the local or remote MTA's message size limit.
 </p>
 </DD>
@ -6792,7 +6802,7 @@ first field in the entry in the <a href="master.5.html">master.cf</a> file.  </p
 <DT><b><a name="relay_destination_recipient_limit">relay_destination_recipient_limit</a>
 (default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
-<p> The maximal number of recipients per delivery via the relay
+<p> The maximal number of recipients per message for the relay
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the <a href="master.5.html">master.cf</a> file.  </p>
@ -7701,7 +7711,7 @@ field in the entry in the <a href="master.5.html">master.cf</a> file.  </p>
 <DT><b><a name="smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>
 (default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
-<p> The maximal number of recipients per delivery via the smtp
+<p> The maximal number of recipients per message for the smtp
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the <a href="master.5.html">master.cf</a> file.  </p>
@ -7799,7 +7809,7 @@ destinations, Postfix will try them in the specified order.  </p>
 <p> To prevent mailer loops between MX hosts and fall-back hosts,
 Postfix version 2.2 and later will not use the fallback relays for
-destinations that it is MX host for (and DSN lookup is turned on).
+destinations that it is MX host for (assuming DNS lookup is turned on).
 </p>
@ -10935,7 +10945,7 @@ corresponding action.  </dd>
 <dt><b><a name="check_recipient_mx_access">check_recipient_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 <dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for
-the RCPT TO address, and execute the corresponding action.  Note:
+the RCPT TO domain, and execute the corresponding action.  Note:
 a result of "OK" is not allowed for safety reasons. Instead, use
 DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later. </dd>
@ -10943,7 +10953,7 @@ feature is available in Postfix 2.1 and later. </dd>
 <dt><b><a name="check_recipient_ns_access">check_recipient_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 <dd>Search the specified <a href="access.5.html">access(5)</a> database for the DNS servers
-for the RCPT TO address, and execute the corresponding action.
+for the RCPT TO domain, and execute the corresponding action.
 Note: a result of "OK" is not allowed for safety reasons. Instead,
 use DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later.  </dd>
@ -10954,11 +10964,11 @@ feature is available in Postfix 2.1 and later.  </dd>
 <ul>
-<li> Postfix is mail forwarder: the resolved RCPT TO address matches
+<li> Postfix is mail forwarder: the resolved RCPT TO domain matches
 $<a href="postconf.5.html#relay_domains">relay_domains</a> or a subdomain thereof, and the address contains no
 sender-specified routing (user@elsewhere@domain),
-<li> Postfix is the final destination: the resolved RCPT TO address
+<li> Postfix is the final destination: the resolved RCPT TO domain
 matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>,
 $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and the address
 contains no sender-specified routing (user@elsewhere@domain).
@ -10968,7 +10978,7 @@ contains no sender-specified routing (user@elsewhere@domain).
 <dt><b><a name="permit_mx_backup">permit_mx_backup</a></b></dt>
 <dd>Permit the request when the local mail system is backup MX for
-the RCPT TO address, or when the address is an authorized destination
+the RCPT TO domain, or when the domain is an authorized destination
 (see <a href="postconf.5.html#permit_auth_destination">permit_auth_destination</a> for definition).
 <ul>
@ -11016,11 +11026,11 @@ in Postfix version 2.0 and later.</dd>
 <ul>
-<li> Postfix is mail forwarder: the resolved RCPT TO address matches
+<li> Postfix is mail forwarder: the resolved RCPT TO domain matches
 $<a href="postconf.5.html#relay_domains">relay_domains</a> or a subdomain thereof, and contains no sender-specified
 routing (user@elsewhere@domain),
-<li> Postfix is the final destination: the resolved RCPT TO address
+<li> Postfix is the final destination: the resolved RCPT TO domain
 matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>,
 $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and contains
 no sender-specified routing (user@elsewhere@domain).
@ -11031,7 +11041,7 @@ code for rejected requests (default: 554). </dd>
 <dt><b><a name="reject_unknown_recipient_domain">reject_unknown_recipient_domain</a></b></dt>
 <dd>Reject the request when Postfix is not final destination for
-the recipient address, and the RCPT TO address has no DNS A or MX
+the recipient domain, and the RCPT TO domain has no DNS A or MX
 record, or when it has a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later). <br> The
 <a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter specifies the response code
@ -13458,7 +13468,7 @@ first field in the entry in the <a href="master.5.html">master.cf</a> file.  </p
 <DT><b><a name="virtual_destination_recipient_limit">virtual_destination_recipient_limit</a>
 (default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
-<p> The maximal number of recipients per delivery via the virtual
+<p> The maximal number of recipients per message for the virtual
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the <a href="master.5.html">master.cf</a> file.  </p>
--- a/postfix/man/man1/postconf.1
+++ b/postfix/man/man1/postconf.1
@ -37,8 +37,9 @@ listed below.
 This server plug-in is available when Postfix is built with
 Cyrus SASL support.
 .IP \fBdovecot\fR
-This server plug-in requires the Dovecot authentication
+This server plug-in uses the Dovecot authentication server,
-server.
+and is available when Postfix is built with any form of SASL
 support.
 .RE
 .IP
 This feature is available with Postfix 2.3 and later.
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -637,6 +637,10 @@ The maximal amount of original message text that is sent in a
 non-delivery notification. Specify a byte count. If you increase
 this limit, then you should increase the mime_nesting_limit value
 proportionally.
 .PP
 Note: be careful when making changes.  Excessively large values
 will result in the loss of non-delivery notifications, when a bounce
 message size exceeds a local or remote MTA's message size limit.
 .SH bounce_template_file (default: empty)
 Pathname of a configuration file with bounce message templates.
 These override the built-in templates of delivery status notification
@ -1997,7 +2001,7 @@ via the lmtp message delivery transport. This limit is enforced by
 the queue manager. The message delivery transport name is the first
 field in the entry in the master.cf file.
 .SH lmtp_destination_recipient_limit (default: $default_destination_recipient_limit)
-The maximal number of recipients per delivery via the lmtp
+The maximal number of recipients per message for the lmtp
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the master.cf file.
@ -2953,6 +2957,10 @@ message_reject_characters = \e0
 This feature is available in Postfix 2.3 and later.
 .SH message_size_limit (default: 10240000)
 The maximal size in bytes of a message, including envelope information.
 .PP
 Note: be careful when making changes.  Excessively small values
 will result in the loss of non-delivery notifications, when a bounce
 message size exceeds the local or remote MTA's message size limit.
 .SH message_strip_characters (default: empty)
 The set of characters that Postfix will remove from message
 content.  The usual C-like escape sequences are recognized: \ea
@ -3778,7 +3786,7 @@ first field in the entry in the master.cf file.
 .PP
 This feature is available in Postfix 2.0 and later.
 .SH relay_destination_recipient_limit (default: $default_destination_recipient_limit)
-The maximal number of recipients per delivery via the relay
+The maximal number of recipients per message for the relay
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the master.cf file.
@ -4340,7 +4348,7 @@ via the smtp message delivery transport. This limit is enforced by
 the queue manager. The message delivery transport name is the first
 field in the entry in the master.cf file.
 .SH smtp_destination_recipient_limit (default: $default_destination_recipient_limit)
-The maximal number of recipients per delivery via the smtp
+The maximal number of recipients per message for the smtp
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the master.cf file.
@ -4407,7 +4415,7 @@ destinations, Postfix will try them in the specified order.
 .PP
 To prevent mailer loops between MX hosts and fall-back hosts,
 Postfix version 2.2 and later will not use the fallback relays for
-destinations that it is MX host for (and DSN lookup is turned on).
+destinations that it is MX host for (assuming DNS lookup is turned on).
 .SH smtp_generic_maps (default: empty)
 Optional lookup tables that perform address rewriting in the
 SMTP client, typically to transform a locally valid address into
@ -6625,30 +6633,30 @@ TO address, domain, parent domains, or localpart@, and execute the
 corresponding action.
 .IP "\fBcheck_recipient_mx_access \fItype:table\fR\fR"
 Search the specified \fBaccess\fR(5) database for the MX hosts for
-the RCPT TO address, and execute the corresponding action.  Note:
+the RCPT TO domain, and execute the corresponding action.  Note:
 a result of "OK" is not allowed for safety reasons. Instead, use
 DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later.
 .IP "\fBcheck_recipient_ns_access \fItype:table\fR\fR"
 Search the specified \fBaccess\fR(5) database for the DNS servers
-for the RCPT TO address, and execute the corresponding action.
+for the RCPT TO domain, and execute the corresponding action.
 Note: a result of "OK" is not allowed for safety reasons. Instead,
 use DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later.
 .IP "\fBpermit_auth_destination\fR"
 Permit the request when one of the following is true:
 .IP \(bu
-Postfix is mail forwarder: the resolved RCPT TO address matches
+Postfix is mail forwarder: the resolved RCPT TO domain matches
 $relay_domains or a subdomain thereof, and the address contains no
 sender-specified routing (user@elsewhere@domain),
 .IP \(bu
-Postfix is the final destination: the resolved RCPT TO address
+Postfix is the final destination: the resolved RCPT TO domain
 matches $mydestination, $inet_interfaces, $proxy_interfaces,
 $virtual_alias_domains, or $virtual_mailbox_domains, and the address
 contains no sender-specified routing (user@elsewhere@domain).
 .IP "\fBpermit_mx_backup\fR"
 Permit the request when the local mail system is backup MX for
-the RCPT TO address, or when the address is an authorized destination
+the RCPT TO domain, or when the domain is an authorized destination
 (see permit_auth_destination for definition).
 .IP \(bu
 Safety: permit_mx_backup does not accept addresses that have
@ -6688,11 +6696,11 @@ in Postfix version 2.0 and later.
 .IP "\fBreject_unauth_destination\fR"
 Reject the request unless one of the following is true:
 .IP \(bu
-Postfix is mail forwarder: the resolved RCPT TO address matches
+Postfix is mail forwarder: the resolved RCPT TO domain matches
 $relay_domains or a subdomain thereof, and contains no sender-specified
 routing (user@elsewhere@domain),
 .IP \(bu
-Postfix is the final destination: the resolved RCPT TO address
+Postfix is the final destination: the resolved RCPT TO domain
 matches $mydestination, $inet_interfaces, $proxy_interfaces,
 $virtual_alias_domains, or $virtual_mailbox_domains, and contains
 no sender-specified routing (user@elsewhere@domain).
@ -6700,7 +6708,7 @@ no sender-specified routing (user@elsewhere@domain).
 code for rejected requests (default: 554).
 .IP "\fBreject_unknown_recipient_domain\fR"
 Reject the request when Postfix is not final destination for
-the recipient address, and the RCPT TO address has no DNS A or MX
+the recipient domain, and the RCPT TO domain has no DNS A or MX
 record, or when it has a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later).
 .br
@ -8268,7 +8276,7 @@ via the virtual message delivery transport. This limit is enforced
 by the queue manager. The message delivery transport name is the
 first field in the entry in the master.cf file.
 .SH virtual_destination_recipient_limit (default: $default_destination_recipient_limit)
-The maximal number of recipients per delivery via the virtual
+The maximal number of recipients per message for the virtual
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the master.cf file.
--- a/postfix/man/man8/anvil.8
+++ b/postfix/man/man8/anvil.8
@ -181,7 +181,8 @@ appear to have the same client address and can run into connection
 count and/or rate limits falsely.
 In this preliminary implementation, a count (or rate) limited server
-can have only one remote client at a time. If a server reports
+process can have only one remote client at a time. If a
 server process reports
 multiple simultaneous clients, state is kept only for the last
 reported client.
--- a/postfix/man/man8/pipe.8
+++ b/postfix/man/man8/pipe.8
@ -210,23 +210,23 @@ $(\fIname\fR) are also recognized.  Specify \fB$$\fR where a single
 .IP \fB${\fBclient_address\fR}\fR
 This macro expands to the remote client network address.
 .sp
-This is available in Postfix 2.2 and later.
+This feature is available as of Postfix 2.2.
 .IP \fB${\fBclient_helo\fR}\fR
 This macro expands to the remote client HELO command parameter.
 .sp
-This is available in Postfix 2.2 and later.
+This feature is available as of Postfix 2.2.
 .IP \fB${\fBclient_hostname\fR}\fR
 This macro expands to the remote client hostname.
 .sp
-This is available in Postfix 2.2 and later.
+This feature is available as of Postfix 2.2.
 .IP \fB${\fBclient_port\fR}\fR
 This macro expands to the remote client TCP port number.
 .sp
-This is available in Postfix 2.5 and later.
+This feature is available as of Postfix 2.5.
 .IP \fB${\fBclient_protocol\fR}\fR
 This macro expands to the remote client protocol.
 .sp
-This is available in Postfix 2.2 and later.
+This feature is available as of Postfix 2.2.
 .IP \fB${\fBdomain\fR}\fR
 This macro expands to the domain portion of the recipient
 address.  For example, with an address \fIuser+foo@domain\fR
@ -234,7 +234,7 @@ the domain is \fIdomain\fR.
 .sp
 This information is modified by the \fBh\fR flag for case folding.
 .sp
-This is available in Postfix 2.5 and later.
+This feature is available as of Postfix 2.5.
 .IP \fB${\fBextension\fR}\fR
 This macro expands to the extension part of a recipient address.
 For example, with an address \fIuser+foo@domain\fR the extension is
@ -268,7 +268,7 @@ command-line arguments as there are recipients.
 This information is modified by the \fBhqu\fR flags for quoting
 and case folding.
 .sp
-This feature is available in Postfix 2.5 and later.
+This feature is available as of Postfix 2.5.
 .IP \fB${\fBrecipient\fR}\fR
 This macro expands to the complete recipient address.
 .sp
@ -278,22 +278,22 @@ expands to as many command-line arguments as there are recipients.
 This information is modified by the \fBhqu\fR flags for quoting
 and case folding.
 .IP \fB${\fBsasl_method\fR}\fR
-This macro expands to the SASL authentication mechanism used
+This macro expands to the name of the SASL authentication
-during the reception of the message. An empty string is passed
+mechanism in the AUTH command when the Postfix SMTP server
-if the message has been received without SASL authentication.
+received the message.
 .sp
-This is available in Postfix 2.2 and later.
+This feature is available as of Postfix 2.2.
 .IP \fB${\fBsasl_sender\fR}\fR
 This macro expands to the SASL sender name (i.e. the original
-submitter as per RFC 4954) used during the reception of the message.
+submitter as per RFC 4954) in the MAIL FROM command when
 the Postfix SMTP server received the message.
 .sp
-This is available in Postfix 2.2 and later.
+This feature is available as of Postfix 2.2.
 .IP \fB${\fBsasl_username\fR}\fR
-This macro expands to the SASL user name used during the reception
+This macro expands to the SASL user name in the AUTH command
-of the message. An empty string is passed if the message has been
+when the Postfix SMTP server received the message.
 received without SASL authentication.
 .sp
-This is available in Postfix 2.2 and later.
+This feature is available as of Postfix 2.2.
 .IP \fB${\fBsender\fR}\fR
 This macro expands to the envelope sender address. By default,
 the null sender address expands to MAILER-DAEMON; this can
--- a/postfix/proto/SMTPD_ACCESS_README.html
+++ b/postfix/proto/SMTPD_ACCESS_README.html
@ -178,7 +178,7 @@ described in the postconf(5) manual page. </p>
    # Don't accept mail from domains that don't exist.
    smtpd_sender_restrictions = reject_unknown_sender_domain
-    # Whitelisting: local clients may specify any destination. Others may not.
+    # Whitelisting: local clients may specify any destination domain.
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    # Block clients that speak too early.
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -713,6 +713,11 @@ non-delivery notification. Specify a byte count. If you increase
 this limit, then you should increase the mime_nesting_limit value
 proportionally.  </p>
 <p> Note: be careful when making changes.  Excessively large values
 will result in the loss of non-delivery notifications, when a bounce
 message size exceeds a local or remote MTA's message size limit.
 </p>
 %PARAM canonical_maps 
 <p>
@ -1353,7 +1358,7 @@ destinations, Postfix will try them in the specified order.  </p>
 <p> To prevent mailer loops between MX hosts and fall-back hosts,
 Postfix version 2.2 and later will not use the fallback relays for
-destinations that it is MX host for (and DSN lookup is turned on).
+destinations that it is MX host for (assuming DNS lookup is turned on).
 </p>
 %PARAM fallback_relay 
@ -2712,6 +2717,11 @@ Specify 0 when mail delivery should be tried only once.
 The maximal size in bytes of a message, including envelope information.
 </p>
 <p> Note: be careful when making changes.  Excessively small values
 will result in the loss of non-delivery notifications, when a bounce
 message size exceeds the local or remote MTA's message size limit.
 </p>
 %PARAM minimal_backoff_time 300s
 <p>
@ -3897,7 +3907,7 @@ field in the entry in the master.cf file.  </p>
 %PARAM lmtp_destination_recipient_limit $default_destination_recipient_limit
-<p> The maximal number of recipients per delivery via the lmtp
+<p> The maximal number of recipients per message for the lmtp
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the master.cf file.  </p>
@ -3917,7 +3927,7 @@ first field in the entry in the master.cf file.  </p>
 %PARAM relay_destination_recipient_limit $default_destination_recipient_limit
-<p> The maximal number of recipients per delivery via the relay
+<p> The maximal number of recipients per message for the relay
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the master.cf file.  </p>
@ -3937,7 +3947,7 @@ field in the entry in the master.cf file.  </p>
 %PARAM smtp_destination_recipient_limit $default_destination_recipient_limit
-<p> The maximal number of recipients per delivery via the smtp
+<p> The maximal number of recipients per message for the smtp
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the master.cf file.  </p>
@ -3955,7 +3965,7 @@ first field in the entry in the master.cf file.  </p>
 %PARAM virtual_destination_recipient_limit $default_destination_recipient_limit
-<p> The maximal number of recipients per delivery via the virtual
+<p> The maximal number of recipients per message for the virtual
 message delivery transport. This limit is enforced by the queue
 manager. The message delivery transport name is the first field in
 the entry in the master.cf file.  </p>
@ -5394,7 +5404,7 @@ corresponding action.  </dd>
 <dt><b><a name="check_recipient_mx_access">check_recipient_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 <dd>Search the specified access(5) database for the MX hosts for
-the RCPT TO address, and execute the corresponding action.  Note:
+the RCPT TO domain, and execute the corresponding action.  Note:
 a result of "OK" is not allowed for safety reasons. Instead, use
 DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later. </dd>
@ -5402,7 +5412,7 @@ feature is available in Postfix 2.1 and later. </dd>
 <dt><b><a name="check_recipient_ns_access">check_recipient_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 <dd>Search the specified access(5) database for the DNS servers
-for the RCPT TO address, and execute the corresponding action.
+for the RCPT TO domain, and execute the corresponding action.
 Note: a result of "OK" is not allowed for safety reasons. Instead,
 use DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later.  </dd>
@ -5413,11 +5423,11 @@ feature is available in Postfix 2.1 and later.  </dd>
 <ul>
-<li> Postfix is mail forwarder: the resolved RCPT TO address matches
+<li> Postfix is mail forwarder: the resolved RCPT TO domain matches
 $relay_domains or a subdomain thereof, and the address contains no
 sender-specified routing (user@elsewhere@domain),
-<li> Postfix is the final destination: the resolved RCPT TO address
+<li> Postfix is the final destination: the resolved RCPT TO domain
 matches $mydestination, $inet_interfaces, $proxy_interfaces,
 $virtual_alias_domains, or $virtual_mailbox_domains, and the address
 contains no sender-specified routing (user@elsewhere@domain).
@ -5427,7 +5437,7 @@ contains no sender-specified routing (user@elsewhere@domain).
 <dt><b><a name="permit_mx_backup">permit_mx_backup</a></b></dt>
 <dd>Permit the request when the local mail system is backup MX for
-the RCPT TO address, or when the address is an authorized destination
+the RCPT TO domain, or when the domain is an authorized destination
 (see permit_auth_destination for definition).
 <ul>
@ -5475,11 +5485,11 @@ in Postfix version 2.0 and later.</dd>
 <ul>
-<li> Postfix is mail forwarder: the resolved RCPT TO address matches
+<li> Postfix is mail forwarder: the resolved RCPT TO domain matches
 $relay_domains or a subdomain thereof, and contains no sender-specified
 routing (user@elsewhere@domain),
-<li> Postfix is the final destination: the resolved RCPT TO address
+<li> Postfix is the final destination: the resolved RCPT TO domain
 matches $mydestination, $inet_interfaces, $proxy_interfaces,
 $virtual_alias_domains, or $virtual_mailbox_domains, and contains
 no sender-specified routing (user@elsewhere@domain).
@ -5490,7 +5500,7 @@ code for rejected requests (default: 554). </dd>
 <dt><b><a name="reject_unknown_recipient_domain">reject_unknown_recipient_domain</a></b></dt>
 <dd>Reject the request when Postfix is not final destination for
-the recipient address, and the RCPT TO address has no DNS A or MX
+the recipient domain, and the RCPT TO domain has no DNS A or MX
 record, or when it has a malformed MX record such as a record with
 a zero-length MX hostname (Postfix version 2.3 and later). <br> The
 unknown_address_reject_code parameter specifies the response code
--- a/postfix/src/anvil/anvil.c
+++ b/postfix/src/anvil/anvil.c
@ -161,7 +161,8 @@
 /*	count and/or rate limits falsely.
 /*
 /*	In this preliminary implementation, a count (or rate) limited server
-/*	can have only one remote client at a time. If a server reports
+/*	process can have only one remote client at a time. If a
 /*	server process reports
 /*	multiple simultaneous clients, state is kept only for the last
 /*	reported client.
 /*
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20080606"
+#define MAIL_RELEASE_DATE	"20080629"
 #define MAIL_VERSION_NUMBER	"2.6"
 #ifdef SNAPSHOT
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@ -200,23 +200,23 @@
 /* .IP \fB${\fBclient_address\fR}\fR
 /*	This macro expands to the remote client network address.
 /* .sp
-/*	This is available in Postfix 2.2 and later.
+/*	This feature is available as of Postfix 2.2.
 /* .IP \fB${\fBclient_helo\fR}\fR
 /*	This macro expands to the remote client HELO command parameter.
 /* .sp
-/*	This is available in Postfix 2.2 and later.
+/*	This feature is available as of Postfix 2.2.
 /* .IP \fB${\fBclient_hostname\fR}\fR
 /*	This macro expands to the remote client hostname.
 /* .sp
-/*	This is available in Postfix 2.2 and later.
+/*	This feature is available as of Postfix 2.2.
 /* .IP \fB${\fBclient_port\fR}\fR
 /*	This macro expands to the remote client TCP port number.
 /* .sp
-/*	This is available in Postfix 2.5 and later.
+/*	This feature is available as of Postfix 2.5.
 /* .IP \fB${\fBclient_protocol\fR}\fR
 /*	This macro expands to the remote client protocol.
 /* .sp
-/*	This is available in Postfix 2.2 and later.
+/*	This feature is available as of Postfix 2.2.
 /* .IP \fB${\fBdomain\fR}\fR
 /*	This macro expands to the domain portion of the recipient
 /*	address.  For example, with an address \fIuser+foo@domain\fR
@ -224,7 +224,7 @@
 /* .sp
 /*	This information is modified by the \fBh\fR flag for case folding.
 /* .sp
-/*	This is available in Postfix 2.5 and later.
+/*	This feature is available as of Postfix 2.5.
 /* .IP \fB${\fBextension\fR}\fR
 /*	This macro expands to the extension part of a recipient address.
 /*	For example, with an address \fIuser+foo@domain\fR the extension is
@ -258,7 +258,7 @@
 /*	This information is modified by the \fBhqu\fR flags for quoting
 /*	and case folding.
 /* .sp
-/*	This feature is available in Postfix 2.5 and later.
+/*	This feature is available as of Postfix 2.5.
 /* .IP \fB${\fBrecipient\fR}\fR
 /*	This macro expands to the complete recipient address.
 /* .sp
@ -268,22 +268,22 @@
 /*	This information is modified by the \fBhqu\fR flags for quoting
 /*	and case folding.
 /* .IP \fB${\fBsasl_method\fR}\fR
-/*	This macro expands to the SASL authentication mechanism used
+/*	This macro expands to the name of the SASL authentication
-/*	during the reception of the message. An empty string is passed
+/*	mechanism in the AUTH command when the Postfix SMTP server
-/*	if the message has been received without SASL authentication.
+/*	received the message.
 /* .sp
-/*	This is available in Postfix 2.2 and later.
+/*	This feature is available as of Postfix 2.2.
 /* .IP \fB${\fBsasl_sender\fR}\fR
 /*	This macro expands to the SASL sender name (i.e. the original
-/*	submitter as per RFC 4954) used during the reception of the message.
+/*	submitter as per RFC 4954) in the MAIL FROM command when
 /*	the Postfix SMTP server received the message.
 /* .sp
-/*	This is available in Postfix 2.2 and later.
+/*	This feature is available as of Postfix 2.2.
 /* .IP \fB${\fBsasl_username\fR}\fR
-/*	This macro expands to the SASL user name used during the reception
+/*	This macro expands to the SASL user name in the AUTH command
-/*	of the message. An empty string is passed if the message has been
+/*	when the Postfix SMTP server received the message.
 /*	received without SASL authentication.
 /* .sp
-/*	This is available in Postfix 2.2 and later.
+/*	This feature is available as of Postfix 2.2.
 /* .IP \fB${\fBsender\fR}\fR
 /*	This macro expands to the envelope sender address. By default,
 /*	the null sender address expands to MAILER-DAEMON; this can
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@ -31,8 +31,9 @@
 /*	This server plug-in is available when Postfix is built with
 /*	Cyrus SASL support.
 /* .IP \fBdovecot\fR
-/*	This server plug-in requires the Dovecot authentication
+/*	This server plug-in uses the Dovecot authentication server,
-/*	server.
+/*	and is available when Postfix is built with any form of SASL
 /*	support.
 /* .RE
 /* .IP
 /*	This feature is available with Postfix 2.3 and later.
--- a/postfix/src/smtp/smtp_chat.c
+++ b/postfix/src/smtp/smtp_chat.c
@ -431,5 +431,7 @@ void    smtp_chat_notify(SMTP_SESSION *session)
    for (cpp = session->history->argv; *cpp; cpp++)
 	line_wrap(printable(*cpp, '?'), LENGTH, INDENT, print_line,
 		  (char *) notice);
    post_mail_fputs(notice, "");
    post_mail_fprintf(notice, "For other details, see the local mail logfile");
    (void) post_mail_fclose(notice);
 }
--- a/postfix/src/smtpd/Makefile.in
+++ b/postfix/src/smtpd/Makefile.in
@ -315,6 +315,7 @@ smtpd_milter.o: ../../include/vstring.h
 smtpd_milter.o: smtpd.h
 smtpd_milter.o: smtpd_milter.c
 smtpd_milter.o: smtpd_milter.h
 smtpd_milter.o: smtpd_sasl_glue.h
 smtpd_peer.o: ../../include/argv.h
 smtpd_peer.o: ../../include/attr.h
 smtpd_peer.o: ../../include/inet_proto.h
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@ -1115,6 +1115,7 @@ char   *var_smtpd_tls_level;
 bool    var_smtpd_use_tls;
 bool    var_smtpd_enforce_tls;
 bool    var_smtpd_tls_wrappermode;
 bool    var_smtpd_tls_auth_only;
 #ifdef USE_TLS
 char   *var_smtpd_relay_ccerts;
@ -1123,7 +1124,6 @@ int     var_smtpd_starttls_tmout;
 char   *var_smtpd_tls_CAfile;
 char   *var_smtpd_tls_CApath;
 bool    var_smtpd_tls_ask_ccert;
 bool    var_smtpd_tls_auth_only;
 int     var_smtpd_tls_ccert_vd;
 char   *var_smtpd_tls_cert_file;
 char   *var_smtpd_tls_mand_ciph;
@ -1555,11 +1555,7 @@ static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 #endif
 #ifdef USE_SASL_AUTH
    if ((discard_mask & EHLO_MASK_AUTH) == 0) {
-	if (var_smtpd_sasl_enable && !sasl_client_exception(state)
+	if (smtpd_sasl_is_active(state) && !sasl_client_exception(state)) {
 #ifdef USE_TLS
 	    && (!state->tls_auth_only || state->tls_context)
 #endif
 	    ) {
 	    ENQUEUE_FMT_REPLY(state, reply_buf, "AUTH %s",
 			      state->sasl_mechanism_list);
 	    if (var_broken_auth_clients)
@ -1709,7 +1705,7 @@ static int mail_open_stream(SMTPD_STATE *state)
 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
 			MAIL_ATTR_RWR_CONTEXT, FORWARD_DOMAIN(state));
 #ifdef USE_SASL_AUTH
-	    if (var_smtpd_sasl_enable) {
+	    if (smtpd_sasl_is_active(state)) {
 		if (state->sasl_method)
 		    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
 				MAIL_ATTR_SASL_METHOD, state->sasl_method);
@ -1810,7 +1806,7 @@ static int mail_open_stream(SMTPD_STATE *state)
     * Log the queue ID with the message origin.
     */
 #ifdef USE_SASL_AUTH
-    if (var_smtpd_sasl_enable)
+    if (smtpd_sasl_is_active(state))
 	smtpd_sasl_mail_log(state);
    else
 #endif
@ -2052,7 +2048,8 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 		return (-1);
 	    }
 #ifdef USE_SASL_AUTH
-	} else if (var_smtpd_sasl_enable && strncasecmp(arg, "AUTH=", 5) == 0) {
+	} else if (smtpd_sasl_is_active(state)
 		   && strncasecmp(arg, "AUTH=", 5) == 0) {
 	    if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) {
 		smtpd_chat_reply(state, "%s", err);
 		return (-1);
@ -2233,7 +2230,7 @@ static void mail_reset(SMTPD_STATE *state)
    state->saved_delay = 0;
 #endif
 #ifdef USE_SASL_AUTH
-    if (var_smtpd_sasl_enable)
+    if (smtpd_sasl_is_active(state))
 	smtpd_sasl_mail_reset(state);
 #endif
    state->discard = 0;
@ -2756,7 +2753,8 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 #endif
 	    rfc3848_sess = "";
 #ifdef USE_SASL_AUTH
-	if (var_smtpd_sasl_enable && var_smtpd_sasl_auth_hdr && state->sasl_username) {
+	if (smtpd_sasl_is_active(state) && var_smtpd_sasl_auth_hdr
 	    && state->sasl_username) {
 	    username = VSTRING_STRDUP(state->sasl_username);
 	    comment_sanitize(username);
 	    out_fprintf(out_stream, REC_TYPE_NORM,
@ -2764,7 +2762,7 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 	    vstring_free(username);
 	}
 	/* RFC 3848 is defined for ESMTP only. */
-	if (var_smtpd_sasl_enable && state->sasl_username
+	if (smtpd_sasl_is_active(state) && state->sasl_username
 	    && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
 	    rfc3848_auth = "A";
 	else
@ -2773,7 +2771,7 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 	if (state->rcpt_count == 1 && state->recipient) {
 	    out_fprintf(out_stream, REC_TYPE_NORM,
 			state->cleanup ? "\tby %s (%s) with %s%s%s id %s" :
-			"\tby %s (%s) with %s",
+			"\tby %s (%s) with %s%s%s",
 			var_myhostname, var_mail_name,
 			state->protocol, rfc3848_sess,
 			rfc3848_auth, state->queue_id);
@ -2784,7 +2782,7 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 	} else {
 	    out_fprintf(out_stream, REC_TYPE_NORM,
 			state->cleanup ? "\tby %s (%s) with %s%s%s id %s;" :
-			"\tby %s (%s) with %s;",
+			"\tby %s (%s) with %s%s%s;",
 			var_myhostname, var_mail_name,
 			state->protocol, rfc3848_sess,
 			rfc3848_auth, state->queue_id);
@ -3521,7 +3519,7 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	state->protocol = mystrdup(MAIL_PROTO_SMTP);
    }
 #ifdef USE_SASL_AUTH
-    if (var_smtpd_sasl_enable)
+    if (smtpd_sasl_is_active(state))
 	smtpd_sasl_auth_reset(state);
 #endif
    chat_reset(state, 0);
@ -3916,12 +3914,17 @@ static void smtpd_start_tls(SMTPD_STATE *state)
     * offered within a plain-text session.
     */
 #ifdef USE_SASL_AUTH
-    if (var_smtpd_sasl_enable
+    if (var_smtpd_sasl_enable) {
-	&& strcmp(var_smtpd_sasl_tls_opts, var_smtpd_sasl_opts) != 0) {
+	/* Non-wrappermode, presumably. */
-	smtpd_sasl_auth_reset(state);
+	if (smtpd_sasl_is_active(state)
-	smtpd_sasl_disconnect(state);
+	    && strcmp(var_smtpd_sasl_opts, var_smtpd_sasl_tls_opts) != 0) {
-	smtpd_sasl_connect(state, VAR_SMTPD_SASL_TLS_OPTS,
+	    smtpd_sasl_auth_reset(state);
-			   var_smtpd_sasl_tls_opts);
+	    smtpd_sasl_deactivate(state);
 	}
 	/* Wrappermode and non-wrappermode. */
 	if (smtpd_sasl_is_active(state) == 0)
 	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
 				var_smtpd_sasl_tls_opts);
    }
 #endif
 }
@ -4265,6 +4268,27 @@ static void smtpd_proto(SMTPD_STATE *state)
 	    ehlo_words = var_smtpd_ehlo_dis_words;
 	state->ehlo_discard_mask = ehlo_mask(ehlo_words);
 	/*
 	 * SASL initialization for plaintext mode.
 	 * 
 	 * XXX Backwards compatibility: allow AUTH commands when the AUTH
 	 * announcement is suppressed via smtpd_sasl_exceptions_networks.
 	 * 
 	 * XXX Safety: don't enable SASL with "smtpd_tls_auth_only = yes" and
 	 * non-TLS build.
 	 */
 #ifdef USE_SASL_AUTH
 	if (var_smtpd_sasl_enable && smtpd_sasl_is_active(state) == 0
 #ifdef USE_TLS
 	    && state->tls_context == 0 && !state->tls_auth_only
 #else
 	    && var_smtpd_tls_auth_only == 0
 #endif
 	    )
 	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
 				var_smtpd_sasl_opts);
 #endif
 	for (;;) {
 	    if (state->flags & SMTPD_FLAG_HANGUP)
 		break;
@ -4373,8 +4397,9 @@ static void smtpd_proto(SMTPD_STATE *state)
     */
    if (state->reason && state->where) {
 	if (strcmp(state->where, SMTPD_CMD_DATA) == 0) {
-	    msg_info("%s after %s (%lu bytes) from %s",
+	    msg_info("%s after %s (approximately %lu bytes) from %s",
-		     state->reason, state->where, (long) state->act_size,
+		     state->reason, state->where,
 		     (long) (state->act_size + vstream_peek(state->client)),
 		     state->namaddr);
 	} else if (strcmp(state->where, SMTPD_AFTER_DOT)
 		   || strcmp(state->reason, REASON_LOST_CONNECTION)) {
@ -4394,8 +4419,10 @@ static void smtpd_proto(SMTPD_STATE *state)
 #endif
    helo_reset(state);
 #ifdef USE_SASL_AUTH
-    if (var_smtpd_sasl_enable)
+    if (smtpd_sasl_is_active(state)) {
 	smtpd_sasl_auth_reset(state);
 	smtpd_sasl_deactivate(state);
    }
 #endif
    chat_reset(state, 0);
    mail_reset(state);
@ -4800,8 +4827,8 @@ int     main(int argc, char **argv)
 	VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
 	VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
 	VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
 #ifdef USE_TLS
 	VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
 #ifdef USE_TLS
 	VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
 	VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
 	VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
--- a/postfix/src/smtpd/smtpd_chat.c
+++ b/postfix/src/smtpd/smtpd_chat.c
@ -266,5 +266,7 @@ void    smtpd_chat_notify(SMTPD_STATE *state)
    post_mail_fputs(notice, "");
    if (state->reason)
 	post_mail_fprintf(notice, "Session aborted, reason: %s", state->reason);
    post_mail_fputs(notice, "");
    post_mail_fprintf(notice, "For other details, see the local mail logfile");
    (void) post_mail_fclose(notice);
 }
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@ -3247,7 +3247,7 @@ static int reject_auth_sender_login_mismatch(SMTPD_STATE *state, const char *sen
    /*
     * Reject if the client is logged in and does not own the sender address.
     */
-    if (var_smtpd_sasl_enable && state->sasl_username != 0) {
+    if (smtpd_sasl_is_active(state) && state->sasl_username != 0) {
 	reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache, sender);
 	if (reply->flags & RESOLVE_FLAG_FAIL)
 	    reject_dict_retry(state, sender);
@ -3280,7 +3280,7 @@ static int reject_unauth_sender_login_mismatch(SMTPD_STATE *state, const char *s
     * Reject if the client is not logged in and the sender address has an
     * owner.
     */
-    if (var_smtpd_sasl_enable && state->sasl_username == 0) {
+    if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
 	reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache, sender);
 	if (reply->flags & RESOLVE_FLAG_FAIL)
 	    reject_dict_retry(state, sender);
@ -3373,13 +3373,13 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
 			  ATTR_TYPE_STR, MAIL_ATTR_STRESS, var_stress,
 #ifdef USE_SASL_AUTH
 			  ATTR_TYPE_STR, MAIL_ATTR_SASL_METHOD,
-			  var_smtpd_sasl_enable && state->sasl_method ?
+			  smtpd_sasl_is_active(state) && state->sasl_method ?
 			  state->sasl_method : "",
 			  ATTR_TYPE_STR, MAIL_ATTR_SASL_USERNAME,
-			  var_smtpd_sasl_enable && state->sasl_username ?
+		       smtpd_sasl_is_active(state) && state->sasl_username ?
 			  state->sasl_username : "",
 			  ATTR_TYPE_STR, MAIL_ATTR_SASL_SENDER,
-			  var_smtpd_sasl_enable && state->sasl_sender ?
+			  smtpd_sasl_is_active(state) && state->sasl_sender ?
 			  state->sasl_sender : "",
 #endif
 #ifdef USE_TLS
@ -3731,7 +3731,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					  state->sender, SMTPD_NAME_SENDER);
 	} else if (strcasecmp(name, REJECT_AUTH_SENDER_LOGIN_MISMATCH) == 0) {
 #ifdef USE_SASL_AUTH
-	    if (var_smtpd_sasl_enable) {
+	    if (smtpd_sasl_is_active(state)) {
 		if (state->sender && *state->sender)
 		    status = reject_auth_sender_login_mismatch(state, state->sender);
 	    } else
@ -3739,7 +3739,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 		msg_warn("restriction `%s' ignored: no SASL support", name);
 	} else if (strcasecmp(name, REJECT_UNAUTH_SENDER_LOGIN_MISMATCH) == 0) {
 #ifdef USE_SASL_AUTH
-	    if (var_smtpd_sasl_enable) {
+	    if (smtpd_sasl_is_active(state)) {
 		if (state->sender && *state->sender)
 		    status = reject_unauth_sender_login_mismatch(state, state->sender);
 	    } else
@ -3800,7 +3800,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 			 cpp[1], CHECK_RELAY_DOMAINS);
 	} else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) {
 #ifdef USE_SASL_AUTH
-	    if (var_smtpd_sasl_enable)
+	    if (smtpd_sasl_is_active(state))
 		status = permit_sasl_auth(state,
 					  SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO);
 #endif
@ -3963,7 +3963,7 @@ void    smtpd_check_rewrite(SMTPD_STATE *state)
 		status = SMTPD_CHECK_OK;
 	} else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) {
 #ifdef USE_SASL_AUTH
-	    if (var_smtpd_sasl_enable)
+	    if (smtpd_sasl_is_active(state))
 		status = permit_sasl_auth(state, SMTPD_CHECK_OK,
 					  SMTPD_CHECK_DUNNO);
 #endif
@ -4970,19 +4970,19 @@ bool    var_smtpd_sasl_enable = 0;
 #ifdef USE_SASL_AUTH
-/* smtpd_sasl_connect - stub */
+/* smtpd_sasl_activate - stub */
-void    smtpd_sasl_connect(SMTPD_STATE *state, const char *opts_name,
+void    smtpd_sasl_activate(SMTPD_STATE *state, const char *opts_name,
-			           const char *opts_var)
+			            const char *opts_var)
 {
-    msg_panic("smtpd_sasl_connect was called");
+    msg_panic("smtpd_sasl_activate was called");
 }
-/* smtpd_sasl_disconnect - stub */
+/* smtpd_sasl_deactivate - stub */
-void    smtpd_sasl_disconnect(SMTPD_STATE *state)
+void    smtpd_sasl_deactivate(SMTPD_STATE *state)
 {
-    msg_panic("smtpd_sasl_disconnect was called");
+    msg_panic("smtpd_sasl_deactivate was called");
 }
 /* permit_sasl_auth - stub */
--- a/postfix/src/smtpd/smtpd_milter.c
+++ b/postfix/src/smtpd/smtpd_milter.c
@ -45,6 +45,7 @@
 /* Application-specific. */
 #include <smtpd.h>
 #include <smtpd_sasl_glue.h>
 #include <smtpd_milter.h>
 /*
@ -138,7 +139,7 @@ const char *smtpd_milter_eval(const char *name, void *ptr)
    /*
     * MAIL FROM macros.
     */
-#define IF_SASL_ENABLED(s) (var_smtpd_sasl_enable && (s) ? (s) : 0)
+#define IF_SASL_ENABLED(s) (smtpd_sasl_is_active(state) && (s) ? (s) : 0)
    if (strcmp(name, S8_MAC_I) == 0)
 	return (state->queue_id);
--- a/postfix/src/smtpd/smtpd_sasl_glue.c
+++ b/postfix/src/smtpd/smtpd_sasl_glue.c
@ -8,7 +8,7 @@
 /*
 /*	void    smtpd_sasl_initialize()
 /*
-/*	void	smtpd_sasl_connect(state, sasl_opts_name, sasl_opts_val)
+/*	void	smtpd_sasl_activate(state, sasl_opts_name, sasl_opts_val)
 /*	SMTPD_STATE *state;
 /*	const char *sasl_opts_name;
 /*	const char *sasl_opts_val;
@ -21,7 +21,13 @@
 /*	void	smtpd_sasl_logout(state)
 /*	SMTPD_STATE *state;
 /*
-/*	void	smtpd_sasl_disconnect(state)
+/*	void	smtpd_sasl_deactivate(state)
 /*	SMTPD_STATE *state;
 /*
 /*	int	smtpd_sasl_is_active(state)
 /*	SMTPD_STATE *state;
 /*
 /*	int	smtpd_sasl_set_inactive(state)
 /*	SMTPD_STATE *state;
 /* DESCRIPTION
 /*	This module encapsulates most of the detail specific to SASL
@ -32,7 +38,7 @@
 /*	need access to the file system for run-time loading of
 /*	plug-in modules. There is no corresponding cleanup routine.
 /*
-/*	smtpd_sasl_connect() performs per-connection initialization.
+/*	smtpd_sasl_activate() performs per-connection initialization.
 /*	This routine should be called once at the start of every
 /*	connection. The sasl_opts_name and sasl_opts_val parameters
 /*	are the postfix configuration parameters setting the security
@ -54,9 +60,16 @@
 /*	smtpd_sasl_logout() cleans up after smtpd_sasl_authenticate().
 /*	This routine exists for the sake of symmetry.
 /*
-/*	smtpd_sasl_disconnect() performs per-connection cleanup.
+/*	smtpd_sasl_deactivate() performs per-connection cleanup.
 /*	This routine should be called at the end of every connection.
 /*
 /*	smtpd_sasl_is_active() is a predicate that returns true
 /*	if the SMTP server session state is between smtpd_sasl_activate()
 /*	and smtpd_sasl_deactivate().
 /*
 /*	smtpd_sasl_set_inactive() initializes the SMTP session
 /*	state before the first smtpd_sasl_activate() call.
 /*
 /*	Arguments:
 /* .IP state
 /*	SMTP session context.
@ -145,13 +158,19 @@ void    smtpd_sasl_initialize(void)
 }
-/* smtpd_sasl_connect - per-connection initialization */
+/* smtpd_sasl_activate - per-connection initialization */
-void    smtpd_sasl_connect(SMTPD_STATE *state, const char *sasl_opts_name,
+void    smtpd_sasl_activate(SMTPD_STATE *state, const char *sasl_opts_name,
-			           const char *sasl_opts_val)
+			            const char *sasl_opts_val)
 {
    const char *mechanism_list;
    /*
     * Sanity check.
     */
    if (smtpd_sasl_is_active(state))
 	msg_panic("smtpd_sasl_activate: already active");
    /*
     * Initialize SASL-specific state variables. Use long-lived storage for
     * base 64 conversion results, rather than local variables, to avoid
@ -185,9 +204,9 @@ void    smtpd_sasl_connect(SMTPD_STATE *state, const char *sasl_opts_name,
    state->sasl_mechanism_list = mystrdup(mechanism_list);
 }
-/* smtpd_sasl_disconnect - per-connection cleanup */
+/* smtpd_sasl_deactivate - per-connection cleanup */
-void    smtpd_sasl_disconnect(SMTPD_STATE *state)
+void    smtpd_sasl_deactivate(SMTPD_STATE *state)
 {
    if (state->sasl_reply) {
 	vstring_free(state->sasl_reply);
--- a/postfix/src/smtpd/smtpd_sasl_glue.h
+++ b/postfix/src/smtpd/smtpd_sasl_glue.h
@ -12,12 +12,15 @@
  * SASL protocol interface
  */
 extern void smtpd_sasl_initialize(void);
-extern void smtpd_sasl_connect(SMTPD_STATE *, const char *, const char *);
+extern void smtpd_sasl_activate(SMTPD_STATE *, const char *, const char *);
-extern void smtpd_sasl_disconnect(SMTPD_STATE *);
+extern void smtpd_sasl_deactivate(SMTPD_STATE *);
 extern int smtpd_sasl_authenticate(SMTPD_STATE *, const char *, const char *);
 extern void smtpd_sasl_logout(SMTPD_STATE *);
 extern int permit_sasl_auth(SMTPD_STATE *, int, int);
 #define smtpd_sasl_is_active(s)		((s)->sasl_server != 0)
 #define smtpd_sasl_set_inactive(s)	((void) ((s)->sasl_server = 0))
 /* LICENSE
 /* .ad
 /* .fi
--- a/postfix/src/smtpd/smtpd_sasl_proto.c
+++ b/postfix/src/smtpd/smtpd_sasl_proto.c
@ -146,24 +146,24 @@ int     smtpd_sasl_auth_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	smtpd_chat_reply(state, "503 5.5.1 Error: send HELO/EHLO first");
 	return (-1);
    }
-    if (SMTPD_STAND_ALONE(state) || !var_smtpd_sasl_enable
+    if (SMTPD_STAND_ALONE(state) || !smtpd_sasl_is_active(state)
 	|| (state->ehlo_discard_mask & EHLO_MASK_AUTH)) {
 	state->error_mask |= MAIL_ERROR_PROTOCOL;
 	smtpd_chat_reply(state, "503 5.5.1 Error: authentication not enabled");
 	return (-1);
    }
    if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0) {
-        if (err[0] == '5') {
+	if (err[0] == '5') {
-            state->error_mask |= MAIL_ERROR_POLICY;
+	    state->error_mask |= MAIL_ERROR_POLICY;
-            smtpd_chat_reply(state, "%s", err);
+	    smtpd_chat_reply(state, "%s", err);
-            return (-1);
+	    return (-1);
-        }
+	}
-        /* Sendmail compatibility: map 4xx into 454. */
+	/* Sendmail compatibility: map 4xx into 454. */
-        else if (err[0] == '4') {
+	else if (err[0] == '4') {
-            state->error_mask |= MAIL_ERROR_POLICY;
+	    state->error_mask |= MAIL_ERROR_POLICY;
-            smtpd_chat_reply(state, "454 4.3.0 Try again later");
+	    smtpd_chat_reply(state, "454 4.3.0 Try again later");
-            return (-1);
+	    return (-1);
-        }
+	}
    }
 #ifdef USE_TLS
    if (state->tls_auth_only && !state->tls_context) {
@ -209,7 +209,7 @@ char   *smtpd_sasl_mail_opt(SMTPD_STATE *state, const char *addr)
    /*
     * Do not store raw RFC2554 protocol data.
     */
-    if (!var_smtpd_sasl_enable) {
+    if (!smtpd_sasl_is_active(state)) {
 	state->error_mask |= MAIL_ERROR_PROTOCOL;
 	return ("503 5.5.4 Error: authentication disabled");
    }
--- a/postfix/src/smtpd/smtpd_state.c
+++ b/postfix/src/smtpd/smtpd_state.c
@ -149,8 +149,7 @@ void    smtpd_state_init(SMTPD_STATE *state, VSTREAM *stream,
 #ifdef USE_SASL_AUTH
    if (SMTPD_STAND_ALONE(state))
 	var_smtpd_sasl_enable = 0;
-    if (var_smtpd_sasl_enable)
+    smtpd_sasl_set_inactive(state);
 	smtpd_sasl_connect(state, VAR_SMTPD_SASL_OPTS, var_smtpd_sasl_opts);
 #endif
    state->milter_argv = 0;
@ -216,9 +215,4 @@ void    smtpd_state_reset(SMTPD_STATE *state)
 	vstring_free(state->dsn_buf);
    if (state->dsn_orcpt_buf)
 	vstring_free(state->dsn_orcpt_buf);
 #ifdef USE_SASL_AUTH
    if (var_smtpd_sasl_enable)
 	smtpd_sasl_disconnect(state);
 #endif
 }