From f9922d6a8a76a4a105298a98f7cac76f4cf7a359 Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Wed, 25 Jun 2014 00:00:00 -0500
Subject: [PATCH] postfix-2.12-20140625

---
 postfix/HISTORY                      | 104 ++++++++++
 postfix/INSTALL                      | 231 ++++++++++++++-------
 postfix/Makefile.in                  |  95 +++++----
 postfix/README_FILES/INSTALL         | 231 ++++++++++++++-------
 postfix/README_FILES/PACKAGE_README  |   6 +
 postfix/RELEASE_NOTES                |  85 +++++---
 postfix/conf/post-install            |  47 +++--
 postfix/conf/postfix-files           |  42 ++--
 postfix/conf/postfix-script          |  18 +-
 postfix/conf/postmulti-script        |  21 +-
 postfix/html/INSTALL.html            | 298 +++++++++++++++++++--------
 postfix/html/PACKAGE_README.html     |   7 +
 postfix/html/postconf.5.html         | 117 ++++++++---
 postfix/html/postfix.1.html          |  37 ++--
 postfix/html/postmulti.1.html        |  17 +-
 postfix/makedefs                     | 239 +++++++++++++--------
 postfix/man/man1/postfix.1           |  11 +-
 postfix/man/man1/postmulti.1         |  14 +-
 postfix/man/man5/postconf.5          |  94 +++++++--
 postfix/mantools/postlink            |   2 +-
 postfix/meta/.keep                   |   0
 postfix/postfix-env.sh               |   7 +-
 postfix/postfix-install              |  99 +++++----
 postfix/proto/INSTALL.html           | 298 +++++++++++++++++++--------
 postfix/proto/PACKAGE_README.html    |   7 +
 postfix/proto/postconf.proto         | 101 +++++++--
 postfix/src/global/Makefile.in       |   5 +-
 postfix/src/global/dynamicmaps.c     |  73 +++----
 postfix/src/global/dynamicmaps.h     |   2 +-
 postfix/src/global/mail_dict.c       |   4 +-
 postfix/src/global/mail_params.c     |  11 +-
 postfix/src/global/mail_params.h     |  15 +-
 postfix/src/global/mail_version.h    |   2 +-
 postfix/src/postfix/postfix.c        |  13 +-
 postfix/src/postmulti/postmulti.c    |  25 ++-
 postfix/src/qmqpd/qmqpd.c            |   3 +-
 postfix/src/smtpd/Makefile.in        |   9 +-
 postfix/src/smtpd/smtpd_check.c      | 103 ++++++---
 postfix/src/smtpd/smtpd_check_access |   2 +
 postfix/src/smtpd/smtpd_exp.in       |  32 ---
 postfix/src/smtpd/smtpd_exp.ref      |  62 ------
 postfix/src/smtpd/smtpd_server.in    |  59 ++++++
 postfix/src/smtpd/smtpd_server.ref   | 109 ++++++++++
 postfix/src/tls/tls_server.c         |   4 +-
 postfix/src/util/Makefile.in         |   5 +-
 postfix/src/util/dict_db.c           |  19 +-
 postfix/src/util/dict_db.h           |   6 +
 postfix/src/util/dict_lmdb.h         |   1 -
 postfix/src/util/dict_test.c         |   1 +
 49 files changed, 1942 insertions(+), 851 deletions(-)
 create mode 100644 postfix/meta/.keep
 create mode 100644 postfix/src/smtpd/smtpd_server.in
 create mode 100644 postfix/src/smtpd/smtpd_server.ref

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 14f0b5aae..5e88964fd 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -19919,3 +19919,107 @@ Apologies for any names omitted.
 	Cleanup: INFO action in access(5) tables, for consistency
 	with header/body_checks. Viktor Dukhovni.  Files:
 	smtpd/smtpd_check.c, proto/access.
+
+20140619
+
+	Cleanup: process LaMont Jones feedback for shared-library
+	and database-plugin builds. Changes: 1) move non-executable
+	files from $daemon_directory to the default $config_directory
+	(postfix-files*, dynamicmaps.cf*, main.cf.proto/master.cf.proto
+	for multi-instance support); 2) add foo.so -> foo.so.version
+	symlinks; 3) change $shlib_directory and $plugin_directory
+	defaults to /usr/lib/postfix to reduce sprawl.  Files:
+	conf/main.cf.proto, conf/master.cf.proto, conf/postfix-files.proto,
+	conf/post-install, conf/postmulti-script, makedefs,
+	postfix-install, proto/INSTALL.html, global/dynamicmaps.c,
+	global/dynamicmaps.h, global/mail_dict.c, global/mail_params.h,
+	postmulti/postmulti.c.
+
+	Bugfix (introduced: 2001): qmqpd null pointer bug when it
+	logs a lost connection while not in a mail transaction.
+	Reported by Michal Adamek. File: qmqpd/qmqpd.c.
+
+	Cleanup: filter non-printable characters in X509 subject
+	or issuer names. Viktor Dukhovni. File: tls/tls_server.c.
+
+20140620
+
+	Cleanup: for compliance with file system policies, some
+	files have been moved from $daemon-directory to the directory
+	specified with the new meta_directory parameter which has
+	the same default value as config_directory.  This change
+	affects non-executable files that are shared among multiple
+	Postfix instances, such as postfix-files, dynamicmaps.cf,
+	and multi-instance template files.
+
+	For backwards compatibility with Postfix 2.6..2.11, specify
+	"meta_directory = $daemon_directory" in main.cf before
+	installing Postfix, or specify "meta_directory = /path/name"
+	on the "make makefiles", "make install" or "make upgrade"
+	command line.
+
+	Files: Makefile.in, RELEASE_NOTES, conf/post-install,
+	conf/postfix-files.proto, conf/postmulti-script, makedefs,
+	mantools/postlink, postfix-install, proto/INSTALL.html,
+	proto/postconf.proto, global/mail_params.c, global/mail_params.h,
+	postfix/postfix.c, postmulti/postmulti.c.
+
+	Feature: check_xxx_a_access (for xxx in client, reverse_client,
+	helo, sender, recipient) implements access control on all
+	A and AAAA IP addresses for the client hostname, helo
+	parameter, sender domain or recipient domain. Some spam has
+	sender domains with the same IP address but different MX
+	hosts.  Files: global/mail_params.h, smtpd/smtpd_check.c,
+	proto/postconf.proto.
+
+20140622
+
+	Cleanup: eliminated plugin_directory to reduce configuration
+	parameter sprawl. Files: Makefile.in, RELEASE_NOTES,
+	conf/post-install, conf/postfix-files.proto, conf/postfix-script,
+	conf/postmulti-script, makedefs, mantools/postlink,
+	postfix-install, proto/INSTALL.html, proto/postconf.proto,
+	global/Makefile.in, global/mail_dict.c, global/mail_params.c,
+	global/mail_params.h, global/mail_version.h, postfix/postfix.c,
+	postmulti/postmulti.c, smtpd/smtpd_check.c, util/Makefile.in.
+
+20140623
+
+	Cleanup: eliminated the use of Postfix release versions as
+	file name suffixes for shared libraries, database plugins
+	and dynamicmaps.cf.  The shared-library version suffixes
+	were fighting against assumptions and conventions in run-time
+	linkers, including the assumption that ABIs are preserved
+	from one version to the next. The Postfix version can now
+	be embedded in the shlib_directory parameter. As this is
+	sufficient to permit upgrade of a running Postfix system
+	without risking that old binaries will link against newer
+	shared objects, we no longer need a version suffix for
+	dynamicmaps.cf.  Files: Makefile.in, RELEASE_NOTES,
+	conf/postfix-files.proto, makedefs, proto/INSTALL.html,
+	proto/postconf.proto, global/mail_params.h, global/mail_version.h,
+
+20140624
+
+	Cleanup: the commands "make (makefiles|install|upgrade|package)
+	parameter=value" now replace the string MAIL_VERSION in a
+	configuration parameter value with the Postfix release
+	version.  Unfortunately, the more obvious approach, a
+	parameter value with the unexpanded '$mail_version', produces
+	inconsistent results with different make implementations.
+	Files: makedefs, Makefile.in, postfix-install, proto/INSTALL.html,
+	proto/PACKAGE_README.html
+
+	Cleanup: postmulti now requires "postmulti -e init" before
+	accepting other multi-instance requests.  Viktor Dukhovni.
+	File: conf/postmulti-script.
+
+20140625
+
+	Kludge: moved dict_db_cache_size away from dict_db.c in
+	preparation for Berkeley DB database plugin support (a
+	similar kludge was implemented for LMDB).  Files:
+	util/dict_db.[hc], util/dict_test.c, global/mail_params.c.
+
+	Cleanup: don't leak build directory information via SHLIB_ENV
+	in makedefs.out.  Files: Makefile.in, conf/postfix-files.
diff --git a/postfix/INSTALL b/postfix/INSTALL
index 951721231..4a935cb59 100644
--- a/postfix/INSTALL
+++ b/postfix/INSTALL
@@ -155,55 +155,69 @@ Postfix shared-library and database plugin support exists for recent versions
 of Linux, FreeBSD and MacOS X. Shared-library builds may become the default at
 some point in the future.
 
+Overview of topics:
+
+  * 4.3.1 Turning on Postfix shared-library support
+  * 4.3.2 Turning on Postfix database-plugin support
+  * 4.3.3 Customizing Postfix shared libraries and database plugins
+  * 4.4.4 Tips for distribution maintainers
+
+Note: directories with Postfix shared libraries or database plugins should
+contain only postfix-related files. Postfix shared libraries and database
+plugins should not be installed in a "public" system directory such as /usr/lib
+or /usr/local/lib. Linking Postfix shared-library or database-plugin files into
+non-Postfix programs is not supported. Postfix shared libraries and database
+plugins implement a Postfix-internal API that changes without maintaining
+compatibility.
+
+4.3.1 Turning on Postfix shared-library support
+
 Postfix can be built with Postfix shared libraries (files typically named
-libpostfix-*.so.*). Postfix shared libraries add minor run-time overhead and
+libpostfix-*.so). Postfix shared libraries add minor run-time overhead and
 result in significantly-smaller Postfix executable files.
 
 Specify "shared=yes" on the "make makefiles" command line to build Postfix with
 shared-library support.
 
     $ make makefiles shared=yes ...other arguments...
-    $ make makefiles shared=no ...other arguments...
     $ make
 
-This defaults to installing shared libraries in /usr/local/lib, typically with
-names like libpostfix-name.so.version, where the name is a source-code
-directory name such as "util" or "global", and the version is the Postfix
-version: x.y.z for stable releases, x.y-date for snapshot (development)
-releases, or x.y-date-nonprod for non-production releases.
+(Specify "make makefiles shared=no" to explicitly disable Postfix shared-
+library support).
 
-To override the default location or shared-library version, specify, for
-example:
+This installs shared libraries in $shlib_directory, typically, /usr/lib/
+postfix/version or /usr/local/lib/postfix/version, with names like libpostfix-
+name.so, where the name is a source-code directory name such as "util" or
+"global", and the version is the Postfix release version: x.y.z for stable
+releases, x.y-date for snapshot (development) releases, or x.y-date-nonprod for
+non-production releases.
 
-    $ make makefiles shared=yes shlib_directory=/usr/lib \
-	SHLIB_VERSION=1 ...other arguments...
+See section 4.3.3 "Customizing Postfix shared libraries and database plugins"
+below for how to customize the Postfix shared-library location and version.
 
-You can change the shlib_directory setting after Postfix is built, with "make
-install" or "make upgrade". However, you may have to run ldconfig if you change
-shlib_directory after Postfix is built and install the libpostfix-*.so.* files
-in a non-system directory. No ldconfig is needed if you keep the libpostfix-
-*.so.* files in the compiled-in default $shlib_directory location.
+4.3.2 Turning on Postfix database-plugin support
 
 Additionally, Postfix can be built to support dynamic loading of Postfix
-database clients with the Debian-style dynamicmaps feature. Postfix 2.12
-supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:, pgsql:, sdbm:,
-and sqlite: database clients. Dynamic loading is useful when you distribute or
-install pre-compiled Postfix packages.
+database clients (database plugins) with the Debian-style dynamicmaps feature.
+Postfix 2.12 supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:,
+pgsql:, sdbm:, and sqlite: database clients. Dynamic loading is useful when you
+distribute or install pre-compiled Postfix packages.
 
 Specify "dynamicmaps=yes" on the "make makefiles" command line to build Postfix
-with support to dynamically load Postfix database clients (database plugins)
-with the Debian-style dynamicmaps feature.
+with support to dynamically load Postfix database clients with the Debian-style
+dynamicmaps feature.
 
     $ make makefiles dynamicmaps=yes ...other arguments...
-    $ make makefiles dynamicmaps=no ...other arguments...
     $ make
 
-This implicitly enables shared-library support, and defaults to installing
-dynamicmaps.cf and database plugins in /usr/libexec/postfix. Database plugins
-are typically named postfix-type.so.version where the type is a database type
-such as "cdb" or "ldap", and where the version is the same as for Postfix
-shared libraries. The installed dynamicmaps.cf configuration file is given a
-suffix with the same version.
+(Specify "make makefiles dynamicmaps=no" to explicitly disable Postfix
+database-plugin support).
+
+This implicitly enables shared-library support, installs the configuration file
+dynamicmaps.cf in $meta_directory (usually, /etc/postfix or /usr/local/etc/
+postfix), and installs database plugins in $shlib_directory (see above).
+Database plugins are named postfix-type.so where the type is a database type
+such as "cdb" or "ldap".
 
     NOTE: The Postfix 2.12 build procedure expects that you specify database
     library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc.
@@ -217,50 +231,115 @@ suffix with the same version.
     dependencies. And that was exactly what dynamic database client loading was
     meant to avoid.
 
-To override the default location or shared-library version, specify, for
+See the next section for how to customize the location and version of Postfix
+database plugins and the location of the file dynamicmaps.cf.
+
+4.3.3 Customizing Postfix shared libraries and database plugins
+
+Customizing the location of Postfix shared libraries and database plugins
+
+As a reminder, the directories with Postfix shared libraries or database
+plugins should contain only Postfix-related files. Linking these files into
+other programs is not supported.
+
+To override the default location of Postfix shared libraries and database
+plugins specify, for example:
+
+    $ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ...
+
+If you intend to upgrade Postfix without stopping the mail system, then you
+should append the Postfix release version to the shlib_directory pathname, to
+eliminate the possibility that programs from the old Postfix version will link
+with files from the new Postfix version. For example:
+
+    $ make makefiles shared=yes \
+	shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+
+The command "make makefiles name=value..." will replace the string MAIL_VERSION
+in a configuration parameter value with the Postfix release version. Do not try
+to specify something like $mail_version on this command line. This produces
+inconsistent results with different versions of the make(1) command.
+
+You can change the shlib_directory setting after Postfix is built, with "make
+install" or "make upgrade". However, you may have to run ldconfig if you change
+shlib_directory after Postfix is built (the symptom is that Postfix programs
+fail because the run-time linker cannot find the files libpostfix-*.so). No
+ldconfig command is needed if you keep the files libpostfix-*.so in the
+compiled-in default $shlib_directory location.
+
+    # make upgrade shlib_directory=/usr/local/lib/postfix ...
+    # make install shlib_directory=/usr/local/lib/postfix ...
+
+To append the Postfix release version to the pathname if you intend to upgrade
+Postfix without stopping the mail system:
+
+    # make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+    # make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+
+See also the comments above for appending MAIL_VERSION with the "make
+makefiles" command.
+
+Customizing the location of dynamicmaps.cf and other files
+
+The meta_directory parameter has the same default setting as the
+config_directory parameter, typically /etc/postfix or /usr/local/etc/postfix.
+
+You can override the default meta_directory location at compile time or after
+Postfix is built. To override the default location at compile time specify, for
 example:
 
-    % make makefiles dynamicmaps=yes plugin_directory=/usr/lib/postfix \
-	SHLIB_VERSION=1  ...
+    % make makefiles meta_directory=/usr/libexec/postfix ...
 
-You can also override the plugin_directory setting after Postfix is built, with
-"make install" or "make upgrade". In this case, there is no need to run the
-ldconfig command.
+Here is a tip if you want to make a pathname dependent on the Postfix release
+version: the command "make makefiles name=value..." will replace the string
+MAIL_VERSION in a configuration parameter value with the Postfix release
+version. Do not try to specify something like $mail_version on this command
+line. This produces inconsistent results with different versions of the make(1)
+command.
 
-Tips for distribution maintainers:
+You can override the meta_directory setting after Postfix is built, with "make
+install" or "make upgrade".
 
-  * The postfix-install procedure creates a compatibility symlink
-    dynamicmaps.cf -> dynamicmaps.cf.version (as well as a symlink
-    dynamicmaps.cf.d -> dynamicmaps.cf.version.d; more on that below). It is
-    therefore safe to use "unversioned" configuration file names when
-    installing or deinstalling a database plugin. However, Postfix itself will
-    use the "versioned" names, to allow minor upgrades to happen without having
-    to stop Postfix.
+    # make upgrade meta_directory=/usr/libexec/postfix ...
+    # make install meta_directory=/usr/libexec/postfix ...
 
-  * The configuration file dynamicmaps.cf.version will automatically include
-    files under the directory dynamicmaps.cf.d.version, just like the
-    configuration file postfix-files will automatically include files under the
-    directory postfix-files.d. Thanks to this, you don't have to edit postfix-
-    files or dynamicmaps.cf, when installing or deinstalling a database plugin
-    package. Instead, each plugin can have its own configuration file.
+As with the command "make makefiles, the command "make install/upgrade
+name=value..." will replace the string MAIL_VERSION in a configuration
+parameter value with the Postfix release version. Do not try to specify
+something like $mail_version on this command line. This produces inconsistent
+results with different versions of the make(1) command.
 
-  * The plugin_directory setting provides the default directory for shared-
-    library objects with a relative pathname in the file
-    dynamicmaps.cf.version.
+4.4.4 Tips for distribution maintainers
 
-  * Each configuration file under the directory dynamicmaps.cf.d.version must
-    have a name that ends in ".cf" and must have the same format as the file
-    dynamicmaps.cf.version.
+  * The shlib_directory parameter setting also provides the default directory
+    for database plugin files with a relative pathname in the file
+    dynamicmaps.cf.
 
-  * The directory dynamicmaps.cf.d.version is the default directory for shared-
-    library objects with a relative pathname in the files
-    dynamicmaps.cf.d.version/*.cf. Thus, the directory dynamicmaps.cf.d.version
-    may contain both configuration files and shared-library object files.
-    Hence, the requirement that configuration file names must end in ".cf".
+  * The meta_directory parameter specifies the location of the files
+    dynamicmaps.cf, postfix-files, and some multi-instance template files. The
+    meta_directory parameter has the same default value as the config_directory
+    parameter (typically, /etc/postfix or /usr/local/etc/postfix). For
+    backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory =
+    $daemon_directory" in main.cf before installing or upgrading Postfix, or
+    specify "meta_directory = /path/name" on the "make makefiles", "make
+    install" or "make upgrade" command line.
+
+  * The configuration file dynamicmaps.cf will automatically include files
+    under the directory dynamicmaps.cf.d, just like the configuration file
+    postfix-files will automatically include files under the directory postfix-
+    files.d. Thanks to this, you can install or deinstall a database plugin
+    package without having to edit postfix-files or dynamicmaps.cf. Instead,
+    you give that plugin its own configuration files dynamicmaps.cf.d and
+    postfix-files.d, and you add or remove those configuration files along with
+    the database plugin shared object.
+
+  * Each configuration file under the directory dynamicmaps.cf.d must have the
+    same format as the configuration file dynamicmaps.cf. There is no
+    requirement that these configuration file *names* have a specific format.
 
   * Each configuration file under the directory postfix-files.d must have the
     same format as the configuration file postfix-files. There is no
-    requirement that these configuration file names have a specific format.
+    requirement that these configuration file *names* have a specific format.
 
 4.4 - Building with optional features
 
@@ -306,6 +385,12 @@ directory other than /etc/postfix, use:
     $ make makefiles config_directory=/some/where ...other arguments...
     $ make
 
+The command "make makefiles name=value ..." will replace the string
+MAIL_VERSION in a configuration parameter value with the Postfix release
+version. Do not try to specify something like $mail_version on this command
+line. This produces inconsistent results with different versions of the make(1)
+command.
+
 Parameters whose defaults can be specified in this way are listed below. See
 the postconf(5) manpage for a description (command: "nroff -man man/man5/
 postconf.5 | less").
@@ -329,9 +414,9 @@ postconf.5 | less").
     |_____________________|____________________|
     |manpage_directory	  |/usr/local/man      |
     |_____________________|____________________|
-    |newaliases_path	  |/usr/bin/newaliases |
+    |meta_directory	  |/etc/postfix        |
     |_____________________|____________________|
-    |plugin_directory	  |/usr/libexec/postfix|
+    |newaliases_path	  |/usr/bin/newaliases |
     |_____________________|____________________|
     |queue_directory	  |/var/spool/postfix  |
     |_____________________|____________________|
@@ -339,7 +424,7 @@ postconf.5 | less").
     |_____________________|____________________|
     |sendmail_path	  |/usr/sbin/sendmail  |
     |_____________________|____________________|
-    |shlib_directory	  |/usr/local/lib      |
+    |shlib_directory	  |/usr/lib/postfix    |
     |_____________________|____________________|
 
 4.5.2 - All Postfix versions
@@ -402,7 +487,7 @@ The following is an extensive list of names and values.
 |Name/Value		       |Description				      |
 |______________________________|______________________________________________|
 |			       |Specifies one or more non-default object      |
-|			       |libraries. Postfix 2,12 and later specify some|
+|			       |libraries. Postfix 2.12 and later specify some|
 |			       |of their database library dependencies with   |
 |AUXLIBS="object_library..."   |AUXLIBS_CDB, AUXLIBS_LDAP, AUXLIBS_LMDB,      |
 |			       |AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL,   |
@@ -474,12 +559,6 @@ The following is an extensive list of names and values.
 |OPT=optimization_level        |The default is -O. Specify OPT= to turn off   |
 |			       |optimization.				      |
 |______________________________|______________________________________________|
-|			       |Specifies a non-default Postfix shared-library|
-|			       |version number. The default is to use the     |
-|SHLIB_VERSION=version	       |Postfix version: X.Y.Z for stable releases,   |
-|			       |X.Y-DATE for snapshot releases, X.Y-DATE-     |
-|			       |nonprod for non-production releases.	      |
-|______________________________|______________________________________________|
 |			       |Specifies non-default gcc compiler warning    |
 |WARN="warning_flags..."       |options for use when "make" is invoked in a   |
 |			       |source subdirectory only.		      |
@@ -627,6 +706,16 @@ following commands as the super-user:
     file from a previous installation. If the file does not exist, use
     interactive installation ("make install") instead.
 
+  * If you specify name=value arguments on the "make install" or "make upgrade"
+    command line, then these will take precedence over compiled-in default
+    settings or main.cf settings.
+
+    The command "make install/upgrade name=value ..." will replace the string
+    MAIL_VERSION in a configuration parameter value with the Postfix release
+    version. Do not try to specify something like $mail_version on this command
+    line. This produces inconsistent results with different versions of the
+    make(1) command.
+
 6.4 - Configure Postfix
 
 Proceed to the section on how you wish to run Postfix on your particular
diff --git a/postfix/Makefile.in b/postfix/Makefile.in
index 9ff608a98..ee0a68ee2 100644
--- a/postfix/Makefile.in
+++ b/postfix/Makefile.in
@@ -1,6 +1,6 @@
 SHELL	= /bin/sh
 WARN    = -Wmissing-prototypes -Wformat -Wno-comment
-OPTS	= 'CC=$(CC)'
+OPTS	= 'WARN=$(WARN)'
 DIRS	= src/util src/global src/dns src/tls src/xsasl src/milter src/master \
 	src/postfix src/fsstone src/smtpstone \
 	src/sendmail src/error src/pickup src/cleanup src/smtpd src/local \
@@ -12,20 +12,22 @@ DIRS	= src/util src/global src/dns src/tls src/xsasl src/milter src/master \
 	src/postmulti src/postscreen src/dnsblog src/tlsproxy \
 	src/posttls-finger
 MANDIRS	= proto man html
-LIBEXEC	= libexec/post-install libexec/postfix-files libexec/postfix-script \
-	libexec/postfix-wrapper libexec/main.cf libexec/master.cf \
-	libexec/postmulti-script
-PLUGINS	= plugins/dynamicmaps.cf.$(SHLIB_VERSION)
-EXPAND = sed -e "s;\$${LIB_PREFIX};$(LIB_PREFIX);" \
-	    -e "s;\$${LIB_SUFFIX};$(LIB_SUFFIX);" \
-	    -e "s;\$${SHLIB_VERSION};$(SHLIB_VERSION);"
+LIBEXEC	= libexec/post-install libexec/postfix-script libexec/postfix-wrapper \
+	libexec/postmulti-script libexec/post-install
+PLUGINS	= meta/dynamicmaps.cf
+META	= meta/main.cf.proto meta/master.cf.proto meta/postfix-files \
+	meta/makedefs.out $(PLUGINS)
+EXPAND	= sed -e "s;\$${LIB_PREFIX};$(LIB_PREFIX);" \
+	    -e "s;\$${LIB_SUFFIX};$(LIB_SUFFIX);"
+SHLIB_DIR_OVERRIDE = \
+	$${shlib_directory:-`$(SHLIB_ENV) bin/postconf -dhx shlib_directory`}
 
 default: update
 
-# While generating the top-level Makefile, we must get the PLUGIN_DIR
+# While generating the top-level Makefile, we must get the PLUGIN_LD
 # setting directly from the latest makedefs.out result.
 
-makefiles Makefiles:
+makefiles Makefiles conf/makedefs.out:
 	(echo "# Do not edit -- this file documents how Postfix was built for your machine."; $(SHELL) makedefs) >makedefs.tmp
 	set +e; if cmp makedefs.tmp conf/makedefs.out; then rm makedefs.tmp; \
 	else mv makedefs.tmp conf/makedefs.out; fi >/dev/null 2>/dev/null
@@ -33,11 +35,11 @@ makefiles Makefiles:
 	 (set -e; echo "[$$i]"; cd $$i; rm -f Makefile; \
 	 $(MAKE) -f Makefile.in Makefile MAKELEVEL=) || exit 1; \
 	done
-	set -- `grep '^PLUGIN_DIR' conf/makedefs.out`; \
+	@set -- `grep '^PLUGIN_LD' conf/makedefs.out`; \
 	rm -f Makefile; (cat conf/makedefs.out; \
 	case  "$$3" in \
-	/*) cat Makefile.in;; \
-	 *) grep -v '^PLUGINS' Makefile.in;; \
+	""|":") grep -v '^PLUGINS' Makefile.in;; \
+	     *) cat Makefile.in;; \
 	esac) >Makefile
 
 update printfck tests root_tests:
@@ -45,31 +47,33 @@ update printfck tests root_tests:
 	 (set -e; echo "[$$i]"; cd $$i; $(MAKE) $(OPTS) $@ MAKELEVEL=) || exit 1; \
 	done
 
-update: $(LIBEXEC) $(PLUGINS)
-
-libexec/makedefs.out: conf/makedefs.out
-	rm -f $@ && ln -f $? $@
+update: $(META) $(LIBEXEC)
 
 libexec/post-install: conf/post-install
 	rm -f $@ && ln -f $? $@
 
-libexec/postfix-files: conf/postfix-files conf/makedefs.out Makefile
+# Censor out build directory information.
+
+meta/makedefs.out: conf/makedefs.out
+	grep -v SHLIB_ENV $? > $@
+
+meta/postfix-files: conf/postfix-files conf/makedefs.out Makefile
 	rm -f $@
-	(if [ "${SHLIB_DIR}" = "no" -o "${SHLIB_DIR}" = "" ]; then \
+	(if [ "${SHLIB_DIR_OVERRIDE}" = "no" -o "${SHLIB_DIR}" = "" ]; then \
 	    sed -e '/^\$$shlib_directory/d' \
-		-e '/^\$$plugin_directory/d' conf/postfix-files; \
-	elif [ "${PLUGIN_DIR}" = "no" -o "${PLUGIN_DIR}" = "" ]; then \
-	    sed -e '/^\$$plugin_directory/d' conf/postfix-files | $(EXPAND); \
+		-e '/dynamicmaps.cf/d' conf/postfix-files; \
+	elif [ "${PLUGIN_LD}" = "" ]; then \
+	    sed -e '/dynamicmaps.cf/d' \
+		-e '/^\$$shlib_directory\/\$${LIB_PREFIX}/d' \
+		conf/postfix-files | $(EXPAND); \
 	else \
 	    $(EXPAND) conf/postfix-files | awk -F: ' \
 		BEGIN { \
 		    count = split("'"$(DEFINED_MAP_TYPES)"'", names, " "); \
 		    for (n = 1; n <= count; n++) \
-			have["$$plugin_directory/$(LIB_PREFIX)" names[n] \
+			have["$$shlib_directory/$(LIB_PREFIX)" names[n] \
 			    "$(LIB_SUFFIX)"] = 1; } \
-		/^[$$]plugin_directory.dynamicmaps/ { \
-		    print; next } \
-		/^[$$]plugin_directory.$(LIB_PREFIX)/ { \
+		/^[$$]shlib_directory.$(LIB_PREFIX)/ { \
 		    if (have[$$1]) print; next } \
 		{ print } \
 	    '; \
@@ -83,16 +87,16 @@ libexec/postfix-script: conf/postfix-script
 libexec/postfix-wrapper: conf/postfix-wrapper
 	rm -f $@ && ln -f $? $@
 
-libexec/main.cf: conf/main.cf
+meta/main.cf.proto: conf/main.cf
 	rm -f $@ && ln -f $? $@
 
-libexec/master.cf: conf/master.cf
+meta/master.cf.proto: conf/master.cf
 	rm -f $@ && ln -f $? $@
 
 libexec/postmulti-script: conf/postmulti-script
 	rm -f $@ && ln -f $? $@
 
-plugins/dynamicmaps.cf.$(SHLIB_VERSION): conf/dynamicmaps.cf Makefile
+meta/dynamicmaps.cf: conf/dynamicmaps.cf Makefile
 	rm -f $@ && $(EXPAND) conf/dynamicmaps.cf | $(AWK) ' \
 		BEGIN { split("'"$(DEFINED_MAP_TYPES)"'", map_types); \
 			for (n in map_types) has_type[map_types[n]] = n } \
@@ -107,26 +111,27 @@ manpages:
 
 printfck: update
 
-# The build-time shlib_directory/plugin_directory settings must take
-# precedence over the installed main.cf settings, otherwise we can't
-# update an installed system from dynamicmaps=yes<->dynamicmaps=no
-# or from shared=yes<->shared=no.
+# The build-time shlib_directory setting must take precedence over
+# the installed main.cf settings, otherwise we can't update an
+# installed system from dynamicmaps=yes<->dynamicmaps=no or from
+# shared=yes<->shared=no.
 
 install: update
-	$(SHLIB_ENV) shlib_directory=${SHLIB_DIR} plugin_directory=$(PLUGIN_DIR) \
-		$(SHELL) postfix-install
+	$(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL) \
+		postfix-install
 
 package: update
-	$(SHLIB_ENV) shlib_directory=${SHLIB_DIR} plugin_directory=$(PLUGIN_DIR) \
-		$(SHELL) postfix-install -package
+	$(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL) \
+		postfix-install -package
 
 upgrade: update
-	$(SHLIB_ENV) shlib_directory=${SHLIB_DIR} plugin_directory=$(PLUGIN_DIR) \
-		$(SHELL) postfix-install -non-interactive
+	$(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL) \
+		postfix-install -non-interactive
+	
 
 non-interactive-package: update
-	$(SHLIB_ENV) shlib_directory=${SHLIB_DIR} plugin_directory=$(PLUGIN_DIR) \
-		$(SHELL) postfix-install -non-interactive -package
+	$(SHLIB_ENV) shlib_directory=$(SHLIB_DIR_OVERRIDE) $(SHELL) \
+		postfix-install -non-interactive -package
 
 depend clean:
 	set -e; for i in $(DIRS); do \
@@ -144,9 +149,9 @@ tidy:	clean
 	cp Makefile.init Makefile
 	rm -f README_FILES/RELEASE_NOTES
 	ln -s ../RELEASE_NOTES README_FILES
-	rm -f bin/[!CRS]* lib/[!CRS]* include/[!CRS]* libexec/[!CRS]* plugins/[!CRS]* \
-	    src/*/libpostfix-*.so.* src/*/libpostfix-*.dylib.* \
-	    src/*/postfix-*.so.* src/*/postfix-*.dylib.* \
+	rm -f bin/[!CRS]* lib/[!CRS]* include/[!CRS]* libexec/[!CRS]* \
+	    src/*/libpostfix-*.so src/*/libpostfix-*.dylib \
+	    src/*/postfix-*.so src/*/postfix-*.dylib \
 	    junk */junk */*/junk \
 	    *core */*core */*/*core \
 	    .nfs* */.nfs* */*/.nfs* \
@@ -160,7 +165,7 @@ tidy:	clean
 	    *.bak */*.bak */*/*.bak \
 	    make.err */make.err */*/make.err \
 	    *.gmon */*.gmon */*/*.gmon \
-	    conf/main.cf.default conf/bounce.cf.default
+	    conf/main.cf.default conf/bounce.cf.default meta/*
 	find . -type s -print | xargs rm -f
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
diff --git a/postfix/README_FILES/INSTALL b/postfix/README_FILES/INSTALL
index 18d60aa6f..d195d015f 100644
--- a/postfix/README_FILES/INSTALL
+++ b/postfix/README_FILES/INSTALL
@@ -155,55 +155,69 @@ Postfix shared-library and database plugin support exists for recent versions
 of Linux, FreeBSD and MacOS X. Shared-library builds may become the default at
 some point in the future.
 
+Overview of topics:
+
+  * 4.3.1 Turning on Postfix shared-library support
+  * 4.3.2 Turning on Postfix database-plugin support
+  * 4.3.3 Customizing Postfix shared libraries and database plugins
+  * 4.4.4 Tips for distribution maintainers
+
+Note: directories with Postfix shared libraries or database plugins should
+contain only postfix-related files. Postfix shared libraries and database
+plugins should not be installed in a "public" system directory such as /usr/lib
+or /usr/local/lib. Linking Postfix shared-library or database-plugin files into
+non-Postfix programs is not supported. Postfix shared libraries and database
+plugins implement a Postfix-internal API that changes without maintaining
+compatibility.
+
+44..33..11 TTuurrnniinngg oonn PPoossttffiixx sshhaarreedd--lliibbrraarryy ssuuppppoorrtt
+
 Postfix can be built with Postfix shared libraries (files typically named
-libpostfix-*.so.*). Postfix shared libraries add minor run-time overhead and
+libpostfix-*.so). Postfix shared libraries add minor run-time overhead and
 result in significantly-smaller Postfix executable files.
 
 Specify "shared=yes" on the "make makefiles" command line to build Postfix with
 shared-library support.
 
     $ make makefiles shared=yes ...other arguments...
-    $ make makefiles shared=no ...other arguments...
     $ make
 
-This defaults to installing shared libraries in /usr/local/lib, typically with
-names like libpostfix-name.so.version, where the name is a source-code
-directory name such as "util" or "global", and the version is the Postfix
-version: x.y.z for stable releases, x.y-date for snapshot (development)
-releases, or x.y-date-nonprod for non-production releases.
+(Specify "make makefiles shared=no" to explicitly disable Postfix shared-
+library support).
 
-To override the default location or shared-library version, specify, for
-example:
+This installs shared libraries in $shlib_directory, typically, /usr/lib/
+postfix/version or /usr/local/lib/postfix/version, with names like libpostfix-
+name.so, where the name is a source-code directory name such as "util" or
+"global", and the version is the Postfix release version: x.y.z for stable
+releases, x.y-date for snapshot (development) releases, or x.y-date-nonprod for
+non-production releases.
 
-    $ make makefiles shared=yes shlib_directory=/usr/lib \
-        SHLIB_VERSION=1 ...other arguments...
+See section 4.3.3 "Customizing Postfix shared libraries and database plugins"
+below for how to customize the Postfix shared-library location and version.
 
-You can change the shlib_directory setting after Postfix is built, with "make
-install" or "make upgrade". However, you may have to run ldconfig if you change
-shlib_directory after Postfix is built and install the libpostfix-*.so.* files
-in a non-system directory. No ldconfig is needed if you keep the libpostfix-
-*.so.* files in the compiled-in default $shlib_directory location.
+44..33..22 TTuurrnniinngg oonn PPoossttffiixx ddaattaabbaassee--pplluuggiinn ssuuppppoorrtt
 
 Additionally, Postfix can be built to support dynamic loading of Postfix
-database clients with the Debian-style dynamicmaps feature. Postfix 2.12
-supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:, pgsql:, sdbm:,
-and sqlite: database clients. Dynamic loading is useful when you distribute or
-install pre-compiled Postfix packages.
+database clients (database plugins) with the Debian-style dynamicmaps feature.
+Postfix 2.12 supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:,
+pgsql:, sdbm:, and sqlite: database clients. Dynamic loading is useful when you
+distribute or install pre-compiled Postfix packages.
 
 Specify "dynamicmaps=yes" on the "make makefiles" command line to build Postfix
-with support to dynamically load Postfix database clients (database plugins)
-with the Debian-style dynamicmaps feature.
+with support to dynamically load Postfix database clients with the Debian-style
+dynamicmaps feature.
 
     $ make makefiles dynamicmaps=yes ...other arguments...
-    $ make makefiles dynamicmaps=no ...other arguments...
     $ make
 
-This implicitly enables shared-library support, and defaults to installing
-dynamicmaps.cf and database plugins in /usr/libexec/postfix. Database plugins
-are typically named postfix-type.so.version where the type is a database type
-such as "cdb" or "ldap", and where the version is the same as for Postfix
-shared libraries. The installed dynamicmaps.cf configuration file is given a
-suffix with the same version.
+(Specify "make makefiles dynamicmaps=no" to explicitly disable Postfix
+database-plugin support).
+
+This implicitly enables shared-library support, installs the configuration file
+dynamicmaps.cf in $meta_directory (usually, /etc/postfix or /usr/local/etc/
+postfix), and installs database plugins in $shlib_directory (see above).
+Database plugins are named postfix-type.so where the type is a database type
+such as "cdb" or "ldap".
 
     NOTE: The Postfix 2.12 build procedure expects that you specify database
     library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc.
@@ -217,50 +231,115 @@ suffix with the same version.
     dependencies. And that was exactly what dynamic database client loading was
     meant to avoid.
 
-To override the default location or shared-library version, specify, for
+See the next section for how to customize the location and version of Postfix
+database plugins and the location of the file dynamicmaps.cf.
+
+44..33..33 CCuussttoommiizziinngg PPoossttffiixx sshhaarreedd lliibbrraarriieess aanndd ddaattaabbaassee pplluuggiinnss
+
+CCuussttoommiizziinngg tthhee llooccaattiioonn ooff PPoossttffiixx sshhaarreedd lliibbrraarriieess aanndd ddaattaabbaassee pplluuggiinnss
+
+As a reminder, the directories with Postfix shared libraries or database
+plugins should contain only Postfix-related files. Linking these files into
+other programs is not supported.
+
+To override the default location of Postfix shared libraries and database
+plugins specify, for example:
+
+    $ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ...
+
+If you intend to upgrade Postfix without stopping the mail system, then you
+should append the Postfix release version to the shlib_directory pathname, to
+eliminate the possibility that programs from the old Postfix version will link
+with files from the new Postfix version. For example:
+
+    $ make makefiles shared=yes \
+        shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+
+The command "make makefiles name=value..." will replace the string MAIL_VERSION
+in a configuration parameter value with the Postfix release version. Do not try
+to specify something like $mail_version on this command line. This produces
+inconsistent results with different versions of the make(1) command.
+
+You can change the shlib_directory setting after Postfix is built, with "make
+install" or "make upgrade". However, you may have to run ldconfig if you change
+shlib_directory after Postfix is built (the symptom is that Postfix programs
+fail because the run-time linker cannot find the files libpostfix-*.so). No
+ldconfig command is needed if you keep the files libpostfix-*.so in the
+compiled-in default $shlib_directory location.
+
+    # make upgrade shlib_directory=/usr/local/lib/postfix ...
+    # make install shlib_directory=/usr/local/lib/postfix ...
+
+To append the Postfix release version to the pathname if you intend to upgrade
+Postfix without stopping the mail system:
+
+    # make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+    # make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+
+See also the comments above for appending MAIL_VERSION with the "make
+makefiles" command.
+
+CCuussttoommiizziinngg tthhee llooccaattiioonn ooff ddyynnaammiiccmmaappss..ccff aanndd ootthheerr ffiilleess
+
+The meta_directory parameter has the same default setting as the
+config_directory parameter, typically /etc/postfix or /usr/local/etc/postfix.
+
+You can override the default meta_directory location at compile time or after
+Postfix is built. To override the default location at compile time specify, for
 example:
 
-    % make makefiles dynamicmaps=yes plugin_directory=/usr/lib/postfix \
-        SHLIB_VERSION=1  ...
+    % make makefiles meta_directory=/usr/libexec/postfix ...
 
-You can also override the plugin_directory setting after Postfix is built, with
-"make install" or "make upgrade". In this case, there is no need to run the
-ldconfig command.
+Here is a tip if you want to make a pathname dependent on the Postfix release
+version: the command "make makefiles name=value..." will replace the string
+MAIL_VERSION in a configuration parameter value with the Postfix release
+version. Do not try to specify something like $mail_version on this command
+line. This produces inconsistent results with different versions of the make(1)
+command.
 
-Tips for distribution maintainers:
+You can override the meta_directory setting after Postfix is built, with "make
+install" or "make upgrade".
 
-  * The postfix-install procedure creates a compatibility symlink
-    dynamicmaps.cf -> dynamicmaps.cf.version (as well as a symlink
-    dynamicmaps.cf.d -> dynamicmaps.cf.version.d; more on that below). It is
-    therefore safe to use "unversioned" configuration file names when
-    installing or deinstalling a database plugin. However, Postfix itself will
-    use the "versioned" names, to allow minor upgrades to happen without having
-    to stop Postfix.
+    # make upgrade meta_directory=/usr/libexec/postfix ...
+    # make install meta_directory=/usr/libexec/postfix ...
 
-  * The configuration file dynamicmaps.cf.version will automatically include
-    files under the directory dynamicmaps.cf.d.version, just like the
-    configuration file postfix-files will automatically include files under the
-    directory postfix-files.d. Thanks to this, you don't have to edit postfix-
-    files or dynamicmaps.cf, when installing or deinstalling a database plugin
-    package. Instead, each plugin can have its own configuration file.
+As with the command "make makefiles, the command "make install/upgrade
+name=value..." will replace the string MAIL_VERSION in a configuration
+parameter value with the Postfix release version. Do not try to specify
+something like $mail_version on this command line. This produces inconsistent
+results with different versions of the make(1) command.
 
-  * The plugin_directory setting provides the default directory for shared-
-    library objects with a relative pathname in the file
-    dynamicmaps.cf.version.
+44..44..44 TTiippss ffoorr ddiissttrriibbuuttiioonn mmaaiinnttaaiinneerrss
 
-  * Each configuration file under the directory dynamicmaps.cf.d.version must
-    have a name that ends in ".cf" and must have the same format as the file
-    dynamicmaps.cf.version.
+  * The shlib_directory parameter setting also provides the default directory
+    for database plugin files with a relative pathname in the file
+    dynamicmaps.cf.
 
-  * The directory dynamicmaps.cf.d.version is the default directory for shared-
-    library objects with a relative pathname in the files
-    dynamicmaps.cf.d.version/*.cf. Thus, the directory dynamicmaps.cf.d.version
-    may contain both configuration files and shared-library object files.
-    Hence, the requirement that configuration file names must end in ".cf".
+  * The meta_directory parameter specifies the location of the files
+    dynamicmaps.cf, postfix-files, and some multi-instance template files. The
+    meta_directory parameter has the same default value as the config_directory
+    parameter (typically, /etc/postfix or /usr/local/etc/postfix). For
+    backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory =
+    $daemon_directory" in main.cf before installing or upgrading Postfix, or
+    specify "meta_directory = /path/name" on the "make makefiles", "make
+    install" or "make upgrade" command line.
+
+  * The configuration file dynamicmaps.cf will automatically include files
+    under the directory dynamicmaps.cf.d, just like the configuration file
+    postfix-files will automatically include files under the directory postfix-
+    files.d. Thanks to this, you can install or deinstall a database plugin
+    package without having to edit postfix-files or dynamicmaps.cf. Instead,
+    you give that plugin its own configuration files dynamicmaps.cf.d and
+    postfix-files.d, and you add or remove those configuration files along with
+    the database plugin shared object.
+
+  * Each configuration file under the directory dynamicmaps.cf.d must have the
+    same format as the configuration file dynamicmaps.cf. There is no
+    requirement that these configuration file *names* have a specific format.
 
   * Each configuration file under the directory postfix-files.d must have the
     same format as the configuration file postfix-files. There is no
-    requirement that these configuration file names have a specific format.
+    requirement that these configuration file *names* have a specific format.
 
 44..44 -- BBuuiillddiinngg wwiitthh ooppttiioonnaall ffeeaattuurreess
 
@@ -306,6 +385,12 @@ directory other than /etc/postfix, use:
     $ make makefiles config_directory=/some/where ...other arguments...
     $ make
 
+The command "make makefiles name=value ..." will replace the string
+MAIL_VERSION in a configuration parameter value with the Postfix release
+version. Do not try to specify something like $mail_version on this command
+line. This produces inconsistent results with different versions of the make(1)
+command.
+
 Parameters whose defaults can be specified in this way are listed below. See
 the postconf(5) manpage for a description (command: "nroff -man man/man5/
 postconf.5 | less").
@@ -329,9 +414,9 @@ postconf.5 | less").
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
     |manpage_directory    |/usr/local/man      |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |newaliases_path      |/usr/bin/newaliases |
+    |meta_directory       |/etc/postfix        |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |plugin_directory     |/usr/libexec/postfix|
+    |newaliases_path      |/usr/bin/newaliases |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
     |queue_directory      |/var/spool/postfix  |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
@@ -339,7 +424,7 @@ postconf.5 | less").
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
     |sendmail_path        |/usr/sbin/sendmail  |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-    |shlib_directory      |/usr/local/lib      |
+    |shlib_directory      |/usr/lib/postfix    |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 
 44..55..22 -- AAllll PPoossttffiixx vveerrssiioonnss
@@ -402,7 +487,7 @@ The following is an extensive list of names and values.
 |NNaammee//VVaalluuee                    |DDeessccrriippttiioonn                                   |
 |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 |                              |Specifies one or more non-default object      |
-|                              |libraries. Postfix 2,12 and later specify some|
+|                              |libraries. Postfix 2.12 and later specify some|
 |                              |of their database library dependencies with   |
 |AUXLIBS="object_library..."   |AUXLIBS_CDB, AUXLIBS_LDAP, AUXLIBS_LMDB,      |
 |                              |AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL,   |
@@ -474,12 +559,6 @@ The following is an extensive list of names and values.
 |OPT=optimization_level        |The default is -O. Specify OPT= to turn off   |
 |                              |optimization.                                 |
 |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
-|                              |Specifies a non-default Postfix shared-library|
-|                              |version number. The default is to use the     |
-|SHLIB_VERSION=version         |Postfix version: X.Y.Z for stable releases,   |
-|                              |X.Y-DATE for snapshot releases, X.Y-DATE-     |
-|                              |nonprod for non-production releases.          |
-|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 |                              |Specifies non-default gcc compiler warning    |
 |WARN="warning_flags..."       |options for use when "make" is invoked in a   |
 |                              |source subdirectory only.                     |
@@ -627,6 +706,16 @@ following commands as the super-user:
     file from a previous installation. If the file does not exist, use
     interactive installation ("make install") instead.
 
+  * If you specify name=value arguments on the "make install" or "make upgrade"
+    command line, then these will take precedence over compiled-in default
+    settings or main.cf settings.
+
+    The command "make install/upgrade name=value ..." will replace the string
+    MAIL_VERSION in a configuration parameter value with the Postfix release
+    version. Do not try to specify something like $mail_version on this command
+    line. This produces inconsistent results with different versions of the
+    make(1) command.
+
 66..44 -- CCoonnffiigguurree PPoossttffiixx
 
 Proceed to the section on how you wish to run Postfix on your particular
diff --git a/postfix/README_FILES/PACKAGE_README b/postfix/README_FILES/PACKAGE_README
index d90078337..898ec95f0 100644
--- a/postfix/README_FILES/PACKAGE_README
+++ b/postfix/README_FILES/PACKAGE_README
@@ -57,6 +57,12 @@ installation parameters on the command line:
 With Postfix versions before 2.2 you must invoke the post-install script
 directly (% sshh ppoosstt--iinnssttaallll --nnoonn--iinntteerraaccttiivvee iinnssttaallll__rroooott......).
 
+With Postfix 2.12 and later, the command "make package name=value ..." will
+replace the string MAIL_VERSION in a configuration parameter value with the
+Postfix release version. Do not try to specify something like $mail_version on
+this command line. This produces inconsistent results with different versions
+of the make(1) command.
+
 BBeeggiinn SSeeccuurriittyy AAlleerrtt
 
 WWhheenn bbuuiillddiinngg aann aarrcchhiivvee ffoorr ddiissttrriibbuuttiioonn,, bbee ssuurree ttoo aarrcchhiivvee oonnllyy ffiilleess aanndd
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 7db5b309e..e50d7d3c9 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -16,10 +16,18 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.10 or earlier, read RELEASE_NOTES-2.11
 before proceeding.
 
-Notes for distribution maintainers (20140530)
----------------------------------------------
+Notes for distribution maintainers
+----------------------------------
 
-The Postfix build/install procedure has changed.
+The Postfix build/install procedure has changed to support Postfix
+shared libraries and database plugins.
+
+[Update 20140625: As a result of maintainer feedback, 1) the Postfix
+release version is no longer used as a filename suffix for Postfix
+shared libraries, database plugins or dynamicmaps.cf; 2) non-executable
+files have been moved away from $daemon_directory to $meta_directory
+(usually, /etc/postfix).  The release notes below for 20140530 have
+been updated accordingly.]
 
 To avoid massive frustration due to broken patches, PLEASE BUILD
 POSTFIX FIRST WITHOUT APPLYING ANY PATCHES.  Follow the INSTALL
@@ -33,6 +41,22 @@ Maintainers may also benefit from the makedefs documentation
 (mantools/srctoman - makedefs | nroff -man | less) with information
 about build options that are not described in the INSTALL instructions.
 
+Incompatible changes with snapshot 20140625
+===========================================
+
+For compliance with file system policies, some files have been moved
+from $daemon_directory to the directory specified with the new
+meta_directory configuration parameter which has the same default
+value as the config_directory parameter. This change affects
+non-executable files that are shared between multiple Postfix
+instances such as postfix-files, dynamicmaps.cf, and multi-instance
+template files.
+
+For backwards compatibility with Postfix 2.6 .. 2.11, specify
+"meta_directory = $daemon_directory" in main.cf before installing
+or upgrading Postfix, or specify "meta_directory = /path/name" on
+the "make makefiles", "make install" or "make upgrade" command line.
+
 Incompatible changes with snapshot 20140618
 ===========================================
 
@@ -139,11 +163,11 @@ of Linux, FreeBSD, MacOS X, and for the ancient Solaris 9.
 
 To support Postfix shared libraries and dynamically-loadable database
 clients, the Postfix build procedure had to be changed (specifically,
-the makedefs and Makefile.in files, and the scripts that install
-or update Postfix).  These changes are introduced early in the
-annual Postfix development cycle to give down-stream maintainers
-sufficient time to prepare their build systems for the next stable
-Postfix release.
+the files makedefs and Makefile.in, and the files postfix-install
+and post-install that install or update Postfix).  These changes
+are introduced early in the annual Postfix development cycle to
+give down-stream maintainers sufficient time to prepare their build
+systems for the next stable Postfix release in 2015.
 
 Building with Postfix shared libraries and database plugins
 -----------------------------------------------------------
@@ -151,18 +175,19 @@ Building with Postfix shared libraries and database plugins
 Please see the INSTALL section "Building with Postfix shared libraries
 and database plugins" for fine-tuning details. 
 
-To build with Postfix shared libraries (libpostfix-*.so.*), use:
+To build with Postfix shared libraries (files named libpostfix-*.so),
+use:
 
 % make makefiles shared=yes ...other arguments...
 
 To build with dynamicmaps.cf support and dynamically-loadable
-database clients (postfix-*.so.*), use:
+database clients (files named postfix-*.so), use:
 
 % make makefiles dynamicmaps=yes ...other arguments...
 
-This implicitly enables support for libpostfix-*.so.* shared
-libraries. Postfix 2.12 supports dynamic loading for CDB, LDAP,
-LMDB, MYSQL, PCRE, PGSQL, SDBM, and SQLITE database clients.
+This implicitly enables support for Postfix shared libraries. Postfix
+2.12 supports dynamic loading for CDB, LDAP, LMDB, MYSQL, PCRE,
+PGSQL, SDBM, and SQLITE database clients.
 
 NOTE: The Postfix 2.12 build procedure expects that you specify
 database library dependencies with variables named AUXLIBS_CDB,
@@ -184,22 +209,28 @@ Besides changes to the Postfix "build" system as described above,
 the user-visible changes with respect to Debian are:
 
 - The new shlib_directory parameter specifies the location of the
-  libpostfix-*.so.* shared-library files. You can change the location
-  of these files after Postfix is built. However, you may have to
-  run ldconfig if you move the libpostfix-*.so.* files to a non-system
-  directory.  No ldconfig is needed if you keep the libpostfix-*.so.*
-  files in the compiled-in default $shlib_directory location.
+  libpostfix-*.so shared-library files and the postfix-*.so database
+  plugins. You can change the location of these files after Postfix
+  is built. However, you may have to run ldconfig if you change the
+  libpostfix-*.so location.  No ldconfig is needed if you keep the
+  libpostfix-*.so files in the compiled-in default $shlib_directory
+  location.
 
-- The new plugin_directory parameter specifies the location of the
-  dynamicmaps.cf database plugin configuration file and of any
-  postfix-*.so.* plugins with a relative pathname.  The dynamicmaps.cf
-  location is not hard-coded to /etc, because the file is shared
-  among all Postfix instances just like postfix-files and other
-  files. Files in /etc are meant to be instance-specific.
+- The new meta_directory parameter specifies the location of the
+  file dynamicmaps.cf and some other non-executable files. The
+  meta_directory parameter has the same default value as the
+  config_directory parameter, so this is backwards compatible with
+  Debian (but the default setting may be changed at compile time).
 
-- Postfix supports the directory dynamicmaps.cf.d. in addition to
-  the file dynamicmaps.cf. Maintainers can one configuration file
-  per database plugin, which simplifies installation and removal.
+- Postfix supports the directory dynamicmaps.cf.d in addition to
+  the file dynamicmaps.cf. Maintainers can use one configuration
+  file per database plugin, which simplifies installation and
+  removal of individual plugins.
+
+- Likewise, Postfix supports the directory postfix-files.d in
+  addition to the file postfix-files, Again, maintainers can use
+  one configuration file per database plugin, which simplifies
+  installation and removal of individual plugins.
 
 Major changes with snapshot 20140321
 ====================================
diff --git a/postfix/conf/post-install b/postfix/conf/post-install
index 58ef79634..f81f6b91d 100644
--- a/postfix/conf/post-install
+++ b/postfix/conf/post-install
@@ -40,8 +40,8 @@
 #	Arguments
 # .IP create-missing
 #	Create missing queue directories with ownerships and permissions
-#	according to the contents of $daemon_directory/postfix-files
-#	and optionally in $daemon_directory/postfix-files.d/*, using
+#	according to the contents of $meta_directory/postfix-files
+#	and optionally in $meta_directory/postfix-files.d/*, using
 #	the mail_owner and setgid_group parameter settings from the
 #	command line, process environment or from the installed
 #	main.cf file.
@@ -49,8 +49,8 @@
 #	This is required at Postfix start-up time.
 # .IP set-permissions
 #	Set all file/directory ownerships and permissions according to the
-#	contents of $daemon_directory/postfix-files and optionally
-#	in $daemon_directory/postfix-files.d/*, using the mail_owner
+#	contents of $meta_directory/postfix-files and optionally
+#	in $meta_directory/postfix-files.d/*, using the mail_owner
 #	and setgid_group parameter settings from the command line,
 #	process environment or from the installed main.cf file.
 #	Implies create-missing.
@@ -60,8 +60,8 @@
 #	settings after Postfix is already installed.
 # .IP upgrade-permissions
 #	Update ownership and permission of existing files/directories as
-#	specified in $daemon_directory/postfix-files and optionally
-#	in $daemon_directory/postfix-files.d/*, using the mail_owner
+#	specified in $meta_directory/postfix-files and optionally
+#	in $meta_directory/postfix-files.d/*, using the mail_owner
 #	and setgid_group parameter settings from the command line,
 #	process environment or from the installed main.cf file.
 #	Implies create-missing.
@@ -176,16 +176,20 @@
 # .IP readme_directory
 #	The directory for the Postfix README files.
 # .IP shlib_directory
-#	The directory for the Postfix shared-library files.
-# .IP plugin_directory
-#	The directory for the Postfix dynamicmaps.cf database plugin
-#	configuration file, and files referenced by that file.
+#	The directory for the Postfix shared-library files, and for
+#	the Postfix dabatase plugin files with a relative pathname
+#	in the file dynamicmaps.cf.
+# .IP meta_directory
+#	The directory for non-executable files that are shared
+#	among multiple Postfix instances, such as postfix-files,
+#	dynamicmaps.cf, as well as the multi-instance template files
+#	main.cf.proto and master.cf.proto.
 # SEE ALSO
 #	postfix-install(1) Postfix primary installation script.
 # FILES
 #	$config_directory/main.cf, Postfix installation parameters.
-#	$daemon_directory/postfix-files, installation control file.
-#	$daemon_directory/postfix-files.d/*, optional control files.
+#	$meta_directory/postfix-files, installation control file.
+#	$meta_directory/postfix-files.d/*, optional control files.
 #	$config_directory/install.cf, obsolete configuration file.
 # LICENSE
 # .ad
@@ -210,7 +214,7 @@ debug=:
 MOST_PARAMETERS="command_directory daemon_directory data_directory
     html_directory mail_owner mailq_path manpage_directory
     newaliases_path queue_directory readme_directory sample_directory
-    sendmail_path setgid_group shlib_directory plugin_directory"
+    sendmail_path setgid_group shlib_directory meta_directory"
 NON_SHARED="config_directory queue_directory data_directory"
 
 USAGE="Usage: $0 [name=value] command
@@ -292,8 +296,8 @@ do
     esac
 done
 
-test -f $daemon_directory/postfix-files || {
-    echo $0: Error: $daemon_directory/postfix-files is not a file. 1>&2
+test -f $meta_directory/postfix-files || {
+    echo $0: Error: $meta_directory/postfix-files is not a file. 1>&2
     exit 1
 }
 
@@ -366,7 +370,8 @@ case $setgid_group in
 esac
 
 for path in "$daemon_directory" "$command_directory" "$queue_directory" \
-    "$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory"
+    "$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory" \
+    "$meta_directory"
 do
    case "$path" in
    /*) ;;
@@ -374,7 +379,7 @@ do
    esac
 done
 
-for path in "$html_directory" "$readme_directory" "$shlib_directory" "$plugin_directory"
+for path in "$html_directory" "$readme_directory" "$shlib_directory"
 do
    case "$path" in
    /*) ;;
@@ -444,15 +449,15 @@ test -n "$override" && {
 	"sample_directory = $sample_directory" \
 	"readme_directory = $readme_directory" \
 	"shlib_directory = $shlib_directory" \
-	"plugin_directory = $plugin_directory" \
+	"meta_directory = $meta_directory" \
     || exit 1
 }
 
-# Use file/directory status information in $daemon_directory/postfix-files.
+# Use file/directory status information in $meta_directory/postfix-files.
 
 test -n "$create" && {
-    postfix_files_d=$daemon_directory/postfix-files.d
-    for postfix_file in $daemon_directory/postfix-files \
+    postfix_files_d=$meta_directory/postfix-files.d
+    for postfix_file in $meta_directory/postfix-files \
 	`test -d $postfix_files_d && { find $postfix_files_d -type f | sort; }`
     do
 	exec <$postfix_file || exit 1
diff --git a/postfix/conf/postfix-files b/postfix/conf/postfix-files
index 2b333e006..b259bca8c 100644
--- a/postfix/conf/postfix-files
+++ b/postfix/conf/postfix-files
@@ -66,25 +66,27 @@ $queue_directory/public:d:$mail_owner:$setgid_group:710:uc
 $queue_directory/pid:d:root:-:755:uc
 $queue_directory/saved:d:$mail_owner:-:700:ucr
 $queue_directory/trace:d:$mail_owner:-:700:ucr
-# Update shared libraries before daemon or command-line programs.
+# Update shared libraries and plugins before daemon or command-line programs.
 $shlib_directory/lib${LIB_PREFIX}util${LIB_SUFFIX}:f:root:-:755
 $shlib_directory/lib${LIB_PREFIX}global${LIB_SUFFIX}:f:root:-:755
 $shlib_directory/lib${LIB_PREFIX}dns${LIB_SUFFIX}:f:root:-:755
 $shlib_directory/lib${LIB_PREFIX}tls${LIB_SUFFIX}:f:root:-:755
 $shlib_directory/lib${LIB_PREFIX}master${LIB_SUFFIX}:f:root:-:755
-# Update database plugins before daemon or command-line programs.
-$plugin_directory/${LIB_PREFIX}cdb${LIB_SUFFIX}:f:root:-:755
-$plugin_directory/${LIB_PREFIX}ldap${LIB_SUFFIX}:f:root:-:755
-$plugin_directory/${LIB_PREFIX}lmdb${LIB_SUFFIX}:f:root:-:755
-$plugin_directory/${LIB_PREFIX}mysql${LIB_SUFFIX}:f:root:-:755
-$plugin_directory/${LIB_PREFIX}pcre${LIB_SUFFIX}:f:root:-:755
-$plugin_directory/${LIB_PREFIX}pgsql${LIB_SUFFIX}:f:root:-:755
-$plugin_directory/${LIB_PREFIX}sdbm${LIB_SUFFIX}:f:root:-:755
-$plugin_directory/${LIB_PREFIX}sqlite${LIB_SUFFIX}:f:root:-:755
-$plugin_directory/dynamicmaps.cf.${SHLIB_VERSION}:f:root:-:644:
-$plugin_directory/dynamicmaps.cf.${SHLIB_VERSION}.d:d:root:-:755:
-$plugin_directory/dynamicmaps.cf:l:dynamicmaps.cf.${SHLIB_VERSION}:-::
-$plugin_directory/dynamicmaps.cf.d:l:dynamicmaps.cf.${SHLIB_VERSION}.d:-::
+$shlib_directory/${LIB_PREFIX}cdb${LIB_SUFFIX}:f:root:-:755
+$shlib_directory/${LIB_PREFIX}ldap${LIB_SUFFIX}:f:root:-:755
+$shlib_directory/${LIB_PREFIX}lmdb${LIB_SUFFIX}:f:root:-:755
+$shlib_directory/${LIB_PREFIX}mysql${LIB_SUFFIX}:f:root:-:755
+$shlib_directory/${LIB_PREFIX}pcre${LIB_SUFFIX}:f:root:-:755
+$shlib_directory/${LIB_PREFIX}pgsql${LIB_SUFFIX}:f:root:-:755
+$shlib_directory/${LIB_PREFIX}sdbm${LIB_SUFFIX}:f:root:-:755
+$shlib_directory/${LIB_PREFIX}sqlite${LIB_SUFFIX}:f:root:-:755
+$meta_directory/dynamicmaps.cf.d:d:root:-:755
+$meta_directory/dynamicmaps.cf:f:root:-:644
+$meta_directory/main.cf.proto:f:root:-:644
+$meta_directory/makedefs.out:f:root:-:644
+$meta_directory/master.cf.proto:f:root:-:644
+$meta_directory/postfix-files.d:d:root:-:755
+$meta_directory/postfix-files:f:root:-:644
 $daemon_directory/anvil:f:root:-:755
 $daemon_directory/bounce:f:root:-:755
 $daemon_directory/cleanup:f:root:-:755
@@ -92,17 +94,17 @@ $daemon_directory/discard:f:root:-:755
 $daemon_directory/dnsblog:f:root:-:755
 $daemon_directory/error:f:root:-:755
 $daemon_directory/flush:f:root:-:755
-#$daemon_directory/lmtp:f:root:-:755
 $daemon_directory/local:f:root:-:755
-$daemon_directory/main.cf:f:root:-:644
-$daemon_directory/master.cf:f:root:-:644
+$daemon_directory/main.cf:f:root:-:644:o
+$daemon_directory/master.cf:f:root:-:644:o
 $daemon_directory/master:f:root:-:755
 $daemon_directory/oqmgr:f:root:-:755
 $daemon_directory/pickup:f:root:-:755
 $daemon_directory/pipe:f:root:-:755
 $daemon_directory/post-install:f:root:-:755
-$daemon_directory/postfix-files:f:root:-:644
-$daemon_directory/postfix-files.d:d:root:-:755
+# In case meta_directory == daemon_directory.
+#$daemon_directory/postfix-files:f:root:-:644:o
+#$daemon_directory/postfix-files.d:d:root:-:755:o
 $daemon_directory/postfix-script:f:root:-:755
 $daemon_directory/postfix-wrapper:f:root:-:755
 $daemon_directory/postmulti-script:f:root:-:755
@@ -150,10 +152,8 @@ $config_directory/header_checks:f:root:-:644:p1
 $config_directory/install.cf:f:root:-:644:o
 $config_directory/main.cf.default:f:root:-:644:1
 $config_directory/main.cf:f:root:-:644:p
-$config_directory/makedefs.out:f:root:-:644:1
 $config_directory/master.cf:f:root:-:644:p
 $config_directory/pcre_table:f:root:-:644:o
-$config_directory/postfix-files:f:root:-:644:o
 $config_directory/regexp_table:f:root:-:644:o
 $config_directory/relocated:f:root:-:644:p1
 $config_directory/tcp_table:f:root:-:644:o
diff --git a/postfix/conf/postfix-script b/postfix/conf/postfix-script
index 790161fec..be2187691 100644
--- a/postfix/conf/postfix-script
+++ b/postfix/conf/postfix-script
@@ -71,13 +71,10 @@ no) ;;
         exit 1
     }
 esac
-case $plugin_directory in
-no) ;;
- *) cd $plugin_directory || {
-	$FATAL no Postfix plugin directory $plugin_directory!
-        exit 1
-    }
-esac
+cd $meta_directory || {
+	$FATAL no Postfix meta directory $meta_directory!
+	exit 1
+}
 cd $queue_directory || {
 	$FATAL no Postfix queue directory $queue_directory!
 	exit 1
@@ -259,10 +256,10 @@ check-warn)
 	test -n "$check_shared_files" && {
 		todo="$daemon_directory $todo"
 		test "$shlib_directory" = "no" || todo="$shlib_directory $todo"
-		test "$plugin_directory" = "no" || todo="$plugin_directory $todo"
+		todo="$meta_directory $todo"
 	}
 
-	for dir in $todo
+	for dir in `echo "$todo" | tr ' ' '\12' | sort -u`
 	do
 		ls -lLd $dir | (grep " root " >/dev/null ||
 		    $WARN not owned by root: $dir)
@@ -277,7 +274,6 @@ check-warn)
 		todo="$daemon_directory/* $todo"
 		test "$shlib_directory" = "no" || 
 		    todo="$shlib_directory/libpostfix* $todo"
-		# plugin_directory/* is checked by dynamicmaps routines.
 	}
 
 	find $todo ! -user root \
@@ -287,7 +283,7 @@ check-warn)
 	test -n "$check_shared_files" && todo="$daemon_directory/. $todo"
 	# FIXME don't scan non-Postfix files under /usr/local/lib.
 	test "$shlib_directory" = "no" || 
-	    todo="$shlib_directory/libpostfix* $todo"
+	    todo="$shlib_directory/libpostfix* $shlib_directory/postfix* $todo"
 
 	find $todo \
 		\( -perm -020 -o -perm -002 \) -type f \
diff --git a/postfix/conf/postmulti-script b/postfix/conf/postmulti-script
index 4d1a9feb4..349c8941d 100644
--- a/postfix/conf/postmulti-script
+++ b/postfix/conf/postmulti-script
@@ -14,6 +14,8 @@ umask 022
 #  MAIL_CONFIG			- config_directory of primary instance
 #  command_directory		- From primary instance
 #  daemon_directory		- From primary instance
+#  meta_directory		- From primary instance
+#  shlib_directory		- From primary instance
 #  config_directroy		- config_directory of target instance
 #  queue_directory		- queue_directory of target instance
 #  data_directory		- data_directory of target instance
@@ -30,6 +32,8 @@ umask 022
 : ${MAIL_CONFIG:?"do not invoke this command directly"}
 : ${command_directory:?"do not invoke this command directly"}
 : ${daemon_directory:?"do not invoke this command directly"}
+: ${meta_directory:?"do not invoke this command directly"}
+: ${shlib_directory:?"do not invoke this command directly"}
 
 USAGE="$0 -e create|destroy|import|deport|enable|disable|assign|init"
 usage() { echo "$0: Error: Usage: $USAGE" >&2; exit 1; }
@@ -109,6 +113,17 @@ init)
     exit $? ;;
 esac
 
+# Backport note: "-x" requires 2.10 or later, and is not essential here.
+#
+wrapper=`postconf -hx multi_instance_wrapper` || exit 1
+enable=`postconf -hx multi_instance_enable` || exit 1
+
+test -n "$wrapper" ||
+    fatal "multi_instance_wrapper is empty, run 'postmulti -e init' first."
+
+test "$enable" = "yes" ||
+    fatal "multi_instance_enable!=yes, run 'postmulti -e init' first."
+
 : ${config_directory:?"Invalid empty target instance config_directory"}
 
 case $action in
@@ -138,7 +153,7 @@ create|import)
 
 	tmpdir=$config_directory/.tmp
 	(umask 077; mkdir -p $tmpdir) || exit 1
-	cp -p $daemon_directory/main.cf $tmpdir/main.cf || exit 1
+	cp -p $meta_directory/main.cf.proto $tmpdir/main.cf || exit 1
 
 	# Shared install parameters are cloned from user-specified values in
 	# the default instance, but only if explicitly set there. Otherwise,
@@ -147,6 +162,7 @@ create|import)
 	SHARED_PARAMETERS="
 	    command_directory
 	    daemon_directory
+	    meta_directory
 	    mail_owner
 	    setgid_group
 	    sendmail_path
@@ -157,7 +173,6 @@ create|import)
 	    sample_directory
 	    readme_directory
 	    shlib_directory
-	    plugin_directory
 	"
 
 	shift $#	# Needed on SunOS where bare "set --" is NOP!
@@ -185,7 +200,7 @@ create|import)
 	    "$@" || exit 1
 
 
-	cp -p $daemon_directory/master.cf $tmpdir/master.cf || exit 1
+	cp -p $meta_directory/master.cf.proto $tmpdir/master.cf || exit 1
 	mv $tmpdir/main.cf $config_directory/main.cf || exit 1
 	mv $tmpdir/master.cf $config_directory/master.cf || exit 1
 	rmdir $tmpdir 2>/dev/null
diff --git a/postfix/html/INSTALL.html b/postfix/html/INSTALL.html
index 2072a22f1..5c35d0367 100644
--- a/postfix/html/INSTALL.html
+++ b/postfix/html/INSTALL.html
@@ -236,8 +236,37 @@ $ make
 recent versions of Linux, FreeBSD and MacOS X. Shared-library builds
 may become the default at some point in the future. </p>
 
+<p> Overview of topics: </p>
+
+<ul>
+
+<li><a href="#shared_enable">4.3.1 Turning on Postfix shared-library
+support</a>
+
+<li><a href="#dynamicmaps_enable">4.3.2 Turning on Postfix database-plugin
+support</a>
+
+<li><a href="#shared_custom">4.3.3 Customizing Postfix shared
+libraries and database plugins</a>
+
+<li><a href="#shared_tips">4.4.4 Tips for distribution maintainers</a>
+
+</ul>
+
+<p> Note: directories with Postfix shared libraries or database
+plugins should contain only postfix-related files.  Postfix shared
+libraries and database plugins should not be installed in a "public"
+system directory such as /usr/lib or /usr/local/lib.  Linking Postfix
+shared-library or database-plugin files into non-Postfix programs
+is not supported. Postfix shared libraries and database plugins
+implement a Postfix-internal API that changes without maintaining
+compatibility. </p>
+
+<h4><a name="shared_enable"> 4.3.1 Turning on Postfix shared-library
+support </a></h4>
+
 <p> Postfix can be built with Postfix shared libraries (files
-typically named <tt>libpostfix-*.so.*</tt>). Postfix shared libraries
+typically named <tt>libpostfix-*.so</tt>). Postfix shared libraries
 add minor run-time overhead and result in significantly-smaller
 Postfix executable files. </p>
 
@@ -247,63 +276,57 @@ build Postfix with shared-library support. </p>
 <blockquote>
 <pre>
 $ make makefiles shared=yes ...other arguments...
-$ make makefiles shared=no ...other arguments...
 $ make
 </pre>
 </blockquote>
 
-<p> This defaults to installing shared libraries in /usr/local/lib,
-typically with names like libpostfix-<i>name</i>.so.<i>version</i>,
-where the <i>name</i> is a source-code directory name such as "util"
-or "global", and the <i>version</i> is the Postfix version:
-<i>x.y.z</i> for stable releases, <i>x.y</i>-<i>date</i> for snapshot
-(development) releases, or <i>x.y</i>-<i>date</i>-nonprod for
-non-production releases.  </p>
+<p> (Specify "make makefiles shared=no" to explicitly disable Postfix
+shared-library support). </p>
 
-<p> To override the default location or shared-library version,
-specify, for example: </p>
+<p> This installs shared libraries in $<a href="postconf.5.html#shlib_directory">shlib_directory</a>, typically,
+/usr/lib/postfix/<i>version</i> or /usr/local/lib/postfix/<i>version</i>,
+with names like libpostfix-<i>name</i>.so, where the <i>name</i>
+is a source-code directory name such as "util" or "global", and the
+<i>version</i> is the Postfix release version: <i>x.y.z</i> for
+stable releases, <i>x.y</i>-<i>date</i> for snapshot (development)
+releases, or <i>x.y</i>-<i>date</i>-nonprod for non-production
+releases.  </p>
 
-<blockquote>
-<pre>
-$ make makefiles shared=yes <a href="postconf.5.html#shlib_directory">shlib_directory</a>=/usr/lib \
-    SHLIB_VERSION=1 ...other arguments...
-</pre>
-</blockquote>
+<p> See section 4.3.3 "Customizing Postfix shared libraries and
+database plugins" below for how to customize the Postfix shared-library
+location and version.
 
-<p> You can change the <a href="postconf.5.html#shlib_directory">shlib_directory</a> setting after Postfix is
-built, with "make install" or "make upgrade". However, you may have
-to run ldconfig if you change <a href="postconf.5.html#shlib_directory">shlib_directory</a> after Postfix is built
-and install the libpostfix-*.so.* files in a non-system directory.
-No ldconfig is needed if you keep the libpostfix-*.so.* files in
-the compiled-in default $<a href="postconf.5.html#shlib_directory">shlib_directory</a> location. </p>
+<h4><a name="dynamicmaps_enable"> 4.3.2 Turning on Postfix
+database-plugin support </a></h4>
 
 <p> Additionally, Postfix can be built to support dynamic loading
-of Postfix database clients with the Debian-style dynamicmaps
-feature. Postfix 2.12 supports dynamic loading of <a href="CDB_README.html">cdb</a>:, <a href="ldap_table.5.html">ldap</a>:,
-<a href="lmdb_table.5.html">lmdb</a>:, <a href="mysql_table.5.html">mysql</a>:, <a href="pcre_table.5.html">pcre</a>:, <a href="pgsql_table.5.html">pgsql</a>:, <a href="DATABASE_README.html#types">sdbm</a>:, and <a href="sqlite_table.5.html">sqlite</a>: database clients.
-Dynamic loading is useful when you distribute or install pre-compiled
-Postfix packages. </p>
+of Postfix database clients (database plugins) with the Debian-style
+dynamicmaps feature. Postfix 2.12 supports dynamic loading of <a href="CDB_README.html">cdb</a>:,
+<a href="ldap_table.5.html">ldap</a>:, <a href="lmdb_table.5.html">lmdb</a>:, <a href="mysql_table.5.html">mysql</a>:, <a href="pcre_table.5.html">pcre</a>:, <a href="pgsql_table.5.html">pgsql</a>:, <a href="DATABASE_README.html#types">sdbm</a>:, and <a href="sqlite_table.5.html">sqlite</a>: database
+clients.  Dynamic loading is useful when you distribute or install
+pre-compiled Postfix packages. </p>
 
 <p> Specify "dynamicmaps=yes" on the "make makefiles" command line
 to build Postfix with support to dynamically load Postfix database
-clients (database plugins) with the Debian-style dynamicmaps feature.
+clients with the Debian-style dynamicmaps feature.
 </p>
 
 <blockquote>
 <pre>
 $ make makefiles dynamicmaps=yes ...other arguments...
-$ make makefiles dynamicmaps=no ...other arguments...
 $ make
 </pre>
 </blockquote>
 
-<p> This implicitly enables shared-library support, and defaults
-to installing dynamicmaps.cf and database plugins in /usr/libexec/postfix.
-Database plugins are typically named postfix-<i>type</i>.so.<i>version</i>
-where the <i>type</i> is a database type such as "cdb" or "ldap",
-and where the <i>version</i> is the same as for Postfix shared
-libraries. The installed dynamicmaps.cf configuration file is given
-a suffix with the same version. </p>
+<p> (Specify "make makefiles dynamicmaps=no" to explicitly disable
+Postfix database-plugin support). </p>
+
+<p> This implicitly enables shared-library support, installs the
+configuration file dynamicmaps.cf in $<a href="postconf.5.html#meta_directory">meta_directory</a> (usually,
+/etc/postfix or /usr/local/etc/postfix), and installs database
+plugins in $<a href="postconf.5.html#shlib_directory">shlib_directory</a> (see above).  Database plugins are named
+postfix-<i>type</i>.so where the <i>type</i> is a database type
+such as "cdb" or "ldap". </p>
 
 <blockquote>
 
@@ -322,60 +345,155 @@ database client loading was meant to avoid. </p>
 
 </blockquote>
 
-<p> To override the default location or shared-library version,
-specify, for example: </p>
+<p> See the next section for how to customize the location and
+version of Postfix database plugins and the location of the file
+dynamicmaps.cf.  </p>
+
+<h4><a name="shared_custom"> 4.3.3 Customizing Postfix shared
+libraries and database plugins </a></h4>
+
+<h5> Customizing the location of Postfix shared libraries and
+database plugins </h5>
+
+<p> As a reminder, the directories with Postfix shared libraries
+or database plugins should contain only Postfix-related files.
+Linking these files into other programs is not supported. </p>
+
+<p> To override the default location of Postfix shared libraries
+and database plugins specify, for example: </p>
 
 <blockquote>
 <pre>
-% make makefiles dynamicmaps=yes <a href="postconf.5.html#plugin_directory">plugin_directory</a>=/usr/lib/postfix \
-    SHLIB_VERSION=1  ...
+$ make makefiles shared=yes <a href="postconf.5.html#shlib_directory">shlib_directory</a>=/usr/local/lib/postfix ...
 </pre>
 </blockquote>
 
-<p> You can also override the <a href="postconf.5.html#plugin_directory">plugin_directory</a> setting after Postfix
-is built, with "make install" or "make upgrade". In this case, there
-is no need to run the ldconfig command. </p>
+<p> If you intend to upgrade Postfix without stopping the mail
+system, then you should append the Postfix release version to the
+<a href="postconf.5.html#shlib_directory">shlib_directory</a> pathname, to eliminate the possibility that programs
+from the old Postfix version will link with files from the new
+Postfix version. For example: </p>
 
-<p> Tips for distribution maintainers: 
+<blockquote>
+<pre>
+$ make makefiles shared=yes \
+    <a href="postconf.5.html#shlib_directory">shlib_directory</a>=/usr/local/lib/postfix/MAIL_VERSION ...
+</pre>
+</blockquote>
+
+<p> The command "make makefiles name=value..." will replace the
+string MAIL_VERSION in a configuration parameter value with the
+Postfix release version. Do not try to specify something like
+$<a href="postconf.5.html#mail_version">mail_version</a> on this command line. This produces inconsistent
+results with different versions of the make(1) command.  </p>
+
+<p> You can change the <a href="postconf.5.html#shlib_directory">shlib_directory</a> setting after Postfix is
+built, with "make install" or "make upgrade". However, you may have
+to run ldconfig if you change <a href="postconf.5.html#shlib_directory">shlib_directory</a> after Postfix is built
+(the symptom is that Postfix programs fail because the run-time
+linker cannot find the files libpostfix-*.so).  No ldconfig command
+is needed if you keep the files libpostfix-*.so in the compiled-in
+default $<a href="postconf.5.html#shlib_directory">shlib_directory</a> location. </p>
+
+<blockquote>
+<pre>
+# make upgrade <a href="postconf.5.html#shlib_directory">shlib_directory</a>=/usr/local/lib/postfix ...
+# make install <a href="postconf.5.html#shlib_directory">shlib_directory</a>=/usr/local/lib/postfix ...
+</pre>
+</blockquote>
+
+<p> To append the Postfix release version to the pathname if you
+intend to upgrade Postfix without stopping the mail system:  </p>
+
+<blockquote>
+<pre>
+# make upgrade <a href="postconf.5.html#shlib_directory">shlib_directory</a>=/usr/local/lib/postfix/MAIL_VERSION ...
+# make install <a href="postconf.5.html#shlib_directory">shlib_directory</a>=/usr/local/lib/postfix/MAIL_VERSION ...
+</pre>
+</blockquote>
+
+<p> See also the comments above for appending MAIL_VERSION with
+the "make makefiles" command. </p>
+
+<h5> Customizing the location of dynamicmaps.cf and other files
+</h5>
+
+<p> The <a href="postconf.5.html#meta_directory">meta_directory</a> parameter has the same default setting as
+the <a href="postconf.5.html#config_directory">config_directory</a> parameter, typically /etc/postfix or
+/usr/local/etc/postfix. </p>
+
+<p> You can override the default <a href="postconf.5.html#meta_directory">meta_directory</a> location at compile
+time or after Postfix is built. To override the default location
+at compile time specify, for example: </p>
+
+<blockquote>
+<pre>
+% make makefiles <a href="postconf.5.html#meta_directory">meta_directory</a>=/usr/libexec/postfix ...
+</pre>
+</blockquote>
+
+<p> Here is a tip if you want to make a pathname dependent on the
+Postfix release version: the command "make makefiles name=value..."
+will replace the string MAIL_VERSION in a configuration parameter
+value with the Postfix release version. Do not try to specify
+something like $<a href="postconf.5.html#mail_version">mail_version</a> on this command line. This produces
+inconsistent results with different versions of the make(1) command.
+</p>
+
+<p> You can override the <a href="postconf.5.html#meta_directory">meta_directory</a> setting after Postfix is
+built, with "make install" or "make upgrade". </p>
+
+<blockquote>
+<pre>
+# make upgrade <a href="postconf.5.html#meta_directory">meta_directory</a>=/usr/libexec/postfix ...
+# make install <a href="postconf.5.html#meta_directory">meta_directory</a>=/usr/libexec/postfix ...
+</pre>
+</blockquote>
+
+<p> As with the command "make makefiles, the command "make
+install/upgrade name=value..." will replace the string MAIL_VERSION
+in a configuration parameter value with the Postfix release version.
+Do not try to specify something like $<a href="postconf.5.html#mail_version">mail_version</a> on this command
+line. This produces inconsistent results with different versions
+of the make(1) command.  </p>
+
+<h4><a name="shared_tips"> 4.4.4 Tips for distribution maintainers
+</a></h4>
 
 <ul>
 
-<li> <p> The postfix-install procedure creates a compatibility
-symlink dynamicmaps.cf -> dynamicmaps.cf.<i>version</i> (as well
-as a symlink dynamicmaps.cf.d -> dynamicmaps.cf.<i>version</i>.d;
-more on that below).  It is therefore safe to use "unversioned"
-configuration file names when installing or deinstalling a database
-plugin. However, Postfix itself will use the "versioned" names, to
-allow minor upgrades to happen without having to stop Postfix. </p>
+<li> <p> The <a href="postconf.5.html#shlib_directory">shlib_directory</a> parameter setting also provides the
+default directory for database plugin files with a relative pathname
+in the file dynamicmaps.cf. </p>
 
-<li> <p> The configuration file dynamicmaps.cf.<i>version</i> will
-automatically include files under the directory
-dynamicmaps.cf.d.<i>version</i>, just like the configuration file
-postfix-files will automatically include files under the directory
-postfix-files.d.  Thanks to this, you don't have to edit postfix-files
-or dynamicmaps.cf, when installing or deinstalling a database plugin
-package. Instead, each plugin can have its own configuration file.
-</p>
+<li> <p> The <a href="postconf.5.html#meta_directory">meta_directory</a> parameter specifies the location of the
+files dynamicmaps.cf, postfix-files, and some multi-instance template
+files. The <a href="postconf.5.html#meta_directory">meta_directory</a> parameter has the same default value as
+the <a href="postconf.5.html#config_directory">config_directory</a> parameter (typically, /etc/postfix or
+/usr/local/etc/postfix). For backwards compatibility with Postfix
+2.6 .. 2.11, specify "<a href="postconf.5.html#meta_directory">meta_directory</a> = $<a href="postconf.5.html#daemon_directory">daemon_directory</a>" in <a href="postconf.5.html">main.cf</a>
+before installing or upgrading Postfix, or specify "<a href="postconf.5.html#meta_directory">meta_directory</a>
+= /path/name" on the "make makefiles", "make install" or "make
+upgrade" command line.  </p>
 
-<li> <p> The <a href="postconf.5.html#plugin_directory">plugin_directory</a> setting provides the default directory
-for shared-library objects with a relative pathname in the file
-dynamicmaps.cf.<i>version</i>.
+<li> <p> The configuration file dynamicmaps.cf will automatically
+include files under the directory dynamicmaps.cf.d, just like the
+configuration file postfix-files will automatically include files
+under the directory postfix-files.d.  Thanks to this, you can install
+or deinstall a database plugin package without having to edit
+postfix-files or dynamicmaps.cf. Instead, you give that plugin its
+own configuration files dynamicmaps.cf.d and postfix-files.d, and
+you add or remove those configuration files along with the database
+plugin shared object.  </p>
 
-<li> <p> Each configuration file under the directory
-dynamicmaps.cf.d.<i>version</i> must have a name that ends in ".cf"
-and must have the same format as the file dynamicmaps.cf.<i>version</i>.
-</p>
-
-<li> <p> The directory dynamicmaps.cf.d.<i>version</i> is the default
-directory for shared-library objects with a relative pathname in
-the files dynamicmaps.cf.d.<i>version</i>/*.cf.  Thus, the directory
-dynamicmaps.cf.d.<i>version</i> may contain both configuration files
-and shared-library object files.  Hence, the requirement that
-configuration file names must end in ".cf".  </p>
+<li> <p> Each configuration file under the directory dynamicmaps.cf.d
+must have the same format as the configuration file dynamicmaps.cf.
+There is no requirement that these configuration file *names* have a
+specific format.  </p>
 
 <li> <p> Each configuration file under the directory postfix-files.d
 must have the same format as the configuration file postfix-files.
-There is no requirement that these configuration file names have a
+There is no requirement that these configuration file *names* have a
 specific format.  </p>
 
 </ul>
@@ -445,6 +563,12 @@ $ make
 </pre>
 </blockquote>
 
+<p> The command "make makefiles name=value ..." will replace the
+string MAIL_VERSION in a configuration parameter value with the
+Postfix release version. Do not try to specify something like
+$<a href="postconf.5.html#mail_version">mail_version</a> on this command line. This produces inconsistent
+results with different versions of the make(1) command.  </p>
+
 <p> Parameters whose defaults can be specified in this way are
 listed below. See the <a href="postconf.5.html">postconf(5)</a> manpage for a description
 (command: "<tt>nroff -man man/man5/postconf.5 | less</tt>").  </p>
@@ -471,9 +595,9 @@ listed below. See the <a href="postconf.5.html">postconf(5)</a> manpage for a de
 
 <tr> <td><a href="postconf.5.html#manpage_directory">manpage_directory</a></td> <td>/usr/local/man</td> </tr>
 
-<tr> <td><a href="postconf.5.html#newaliases_path">newaliases_path</a></td> <td>/usr/bin/newaliases</td> </tr>
+<tr> <td><a href="postconf.5.html#meta_directory">meta_directory</a></td> <td>/etc/postfix</td> </tr>
 
-<tr> <td><a href="postconf.5.html#plugin_directory">plugin_directory</a></td> <td>/usr/libexec/postfix</td> </tr>
+<tr> <td><a href="postconf.5.html#newaliases_path">newaliases_path</a></td> <td>/usr/bin/newaliases</td> </tr>
 
 <tr> <td><a href="postconf.5.html#queue_directory">queue_directory</a></td> <td>/var/spool/postfix</td> </tr>
 
@@ -481,7 +605,7 @@ listed below. See the <a href="postconf.5.html">postconf(5)</a> manpage for a de
 
 <tr> <td><a href="postconf.5.html#sendmail_path">sendmail_path</a></td> <td>/usr/sbin/sendmail</td> </tr>
 
-<tr> <td><a href="postconf.5.html#shlib_directory">shlib_directory</a></td> <td>/usr/local/lib</td> </tr>
+<tr> <td><a href="postconf.5.html#shlib_directory">shlib_directory</a></td> <td>/usr/lib/postfix</td> </tr>
 
 </table>
 
@@ -578,7 +702,7 @@ $ make
 <tr> <th colspan="2"> Name/Value </th> <th> Description </th> </tr>
 
 <tr> <td colspan="2"> AUXLIBS="object_library..."</td> <td> Specifies
-one or more non-default object libraries. Postfix 2,12 and later
+one or more non-default object libraries. Postfix 2.12 and later
 specify some of their database library dependencies with <a href="CDB_README.html">AUXLIBS_CDB</a>,
 <a href="LDAP_README.html">AUXLIBS_LDAP</a>, <a href="LMDB_README.html">AUXLIBS_LMDB</a>, <a href="MYSQL_README.html">AUXLIBS_MYSQL</a>, <a href="PCRE_README.html">AUXLIBS_PCRE</a>, <a href="PGSQL_README.html">AUXLIBS_PGSQL</a>,
 <a href="SDBM_README.html">AUXLIBS_SDBM</a>, and <a href="SQLITE_README.html">AUXLIBS_SQLITE</a>, respectively. </td> </tr>
@@ -647,12 +771,6 @@ Specify DEBUG= to turn off debugging. </td> </tr>
 a non-default optimization level. The default is -O.  Specify OPT=
 to turn off optimization. </td> </tr>
 
-<tr> <td colspan="2"> SHLIB_VERSION=version </td> <td> Specifies a
-non-default Postfix shared-library version number. The default is
-to use the Postfix version: X.Y.Z for stable releases, X.Y-DATE for
-snapshot releases, X.Y-DATE-nonprod for non-production releases.
-</td> </tr>
-
 <tr> <td colspan="2"> WARN="warning_flags..." </td> <td> Specifies
 non-default <tt>gcc</tt> compiler warning options for use when
 "<tt>make</tt>" is invoked in a source subdirectory only. </td>
@@ -857,6 +975,16 @@ pathnames that end in ".postfix"</b>. </p>
 does not exist, use interactive installation ("make install")
 instead. </p>
 
+<li> <p> If you specify name=value arguments on the "make install"
+or "make upgrade" command line, then these will take precedence
+over compiled-in default settings or <a href="postconf.5.html">main.cf</a> settings. </p>
+
+<p> The command "make install/upgrade name=value ..." will replace
+the string MAIL_VERSION in a configuration parameter value with the
+Postfix release version. Do not try to specify something like
+$<a href="postconf.5.html#mail_version">mail_version</a> on this command line. This produces inconsistent
+results with different versions of the make(1) command.  </p>
+
 </ul>
 
 <h3>6.4 - Configure Postfix</h3>
diff --git a/postfix/html/PACKAGE_README.html b/postfix/html/PACKAGE_README.html
index 5f651bc3e..30c738045 100644
--- a/postfix/html/PACKAGE_README.html
+++ b/postfix/html/PACKAGE_README.html
@@ -85,6 +85,13 @@ non-default installation parameters on the command line: </p>
 script directly (<tt>% <b>sh post-install -non-interactive
 install_root...</b></tt>). </p>
 
+<p> With Postfix 2.12 and later, the command "make package name=value
+..." will replace the string MAIL_VERSION in a configuration parameter
+value with the Postfix release version. Do not try to specify
+something like $<a href="postconf.5.html#mail_version">mail_version</a> on this command line. This produces
+inconsistent results with different versions of the make(1) command.
+</p>
+
 <h2>Begin Security Alert</h2>
 
 <p> <b> When building an archive for distribution, be sure to
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 9ebfa0ffa..5c3873c3c 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -6198,6 +6198,27 @@ and <a href="postconf.5.html#body_checks">body_checks</a>.  </p>
 <p> This feature is available in Postfix 2.3 and later.  </p>
 
 
+</DD>
+
+<DT><b><a name="meta_directory">meta_directory</a>
+(default: see 'postconf -d' output)</b></DT><DD>
+
+<p> The location of non-executable files that are shared among
+multiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+and the multi-instance template files <a href="postconf.5.html">main.cf</a>.proto and <a href="master.5.html">master.cf</a>.proto.
+This directory should contain only Postfix-related files.  Typically,
+the <a href="postconf.5.html#meta_directory">meta_directory</a> parameter has the same default as the <a href="postconf.5.html#config_directory">config_directory</a>
+parameter (/etc/postfix or /usr/local/etc/postfix).  </p>
+
+<p> For backwards compatibility with Postfix versions 2.6..2.11,
+specify "<a href="postconf.5.html#meta_directory">meta_directory</a> = $<a href="postconf.5.html#daemon_directory">daemon_directory</a>" in <a href="postconf.5.html">main.cf</a> before
+installing or upgrading Postfix, or specify "<a href="postconf.5.html#meta_directory">meta_directory</a> =
+/path/name" on the "make makefiles", "make install" or "make upgrade"
+command line.  </p>
+
+<p> This feature is available in Postfix 2.12 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="milter_command_timeout">milter_command_timeout</a>
@@ -7090,19 +7111,6 @@ is rejected by the <b><a href="postconf.5.html#reject_plaintext_session">reject_
 <p> This feature is available in Postfix 2.3 and later. </p>
 
 
-</DD>
-
-<DT><b><a name="plugin_directory">plugin_directory</a>
-(default: see 'postconf -d' output)</b></DT><DD>
-
-<p> The location of the Postfix dynamicmaps.cf database plugin
-configuration file, and of database plugins with a relative pathname.
-This is set to "no" when Postfix database plugin support is disabled
-at compile time. </p>
-
-<p> This feature is available in Postfix 2.12 and later. </p>
-
-
 </DD>
 
 <DT><b><a name="postmulti_control_commands">postmulti_control_commands</a>
@@ -9553,15 +9561,34 @@ earlier: "<b>/etc/postfix/post-install set-permissions</b>".
 <DT><b><a name="shlib_directory">shlib_directory</a>
 (default: see 'postconf -d' output)</b></DT><DD>
 
-<p> The location of Postfix shared libraries (libpostfix-*.so.*).
-This parameter defaults to "no" when Postfix shared libraries are
-disabled at compile time. </p>
+<p> The location of Postfix shared libraries (libpostfix-*.so),
+and the default location of Postfix database plugins (libpostfix-*.so)
+that have a relative pathname in the dynamicmaps.cf file.  The
+<a href="postconf.5.html#shlib_directory">shlib_directory</a> parameter defaults to "no" when Postfix shared
+libraries and database plugins are disabled at compile time, otherwise
+it typically defaults to /usr/lib/postfix or /usr/local/lib/postfix.
+</p>
 
-<p> NOTE: You can change the location of these files after Postfix
-is built. However, you may have to run ldconfig if you move the
-libpostfix-*.so.* files to a non-system directory.  No ldconfig is
-needed if you keep the libpostfix-*.so.* files in the compiled-in
-default $<a href="postconf.5.html#shlib_directory">shlib_directory</a> location. </p>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> The directory specified with <a href="postconf.5.html#shlib_directory">shlib_directory</a> should contain
+only Postfix-related files. Postfix shared libraries and database
+plugins should not be installed in a "public" system directory such
+as /usr/lib or /usr/local/lib. Linking Postfix shared-library files
+or database plugins into non-Postfix programs is not supported.
+Postfix shared libraries and database plugins implement a
+Postfix-internal API that changes without maintaining compatibility.
+</p>
+
+<li> <p> You can change the <a href="postconf.5.html#shlib_directory">shlib_directory</a> value after Postfix is
+built. However, you may have to run ldconfig or equivalent to prevent
+Postfix programs from failing because the libpostfix-*.so files are
+not found.  No ldconfig command is needed if you keep the libpostfix-*.so
+files in the compiled-in default $<a href="postconf.5.html#shlib_directory">shlib_directory</a> location. </p>
+
+</ul>
 
 <p> This feature is available in Postfix 2.12 and later. </p>
 
@@ -13002,6 +13029,14 @@ Postfix version 2.5).  This feature is available with Postfix version
 parent domains, client IP address, or networks obtained by stripping
 least significant octets. See the <a href="access.5.html">access(5)</a> manual page for details. </dd>
 
+<dt><b><a name="check_client_a_access">check_client_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for the
+client hostname, and execute the corresponding action.  Note: a result
+of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
+to exclude specific hosts from blacklists.  This feature is available
+in Postfix 2.12 and later.  </dd>
+
 <dt><b><a name="check_client_mx_access">check_client_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for the
@@ -13028,6 +13063,14 @@ safety reasons.  Instead, use DUNNO in order to exclude specific
 hosts from blacklists.  This feature is available in Postfix 2.6
 and later.</dd>
 
+<dt><b><a name="check_reverse_client_hostname_a_access">check_reverse_client_hostname_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for the
+unverified reverse client hostname, and execute the corresponding
+action.  Note: a result of "OK" is not allowed for safety reasons.
+Instead, use DUNNO in order to exclude specific hosts from blacklists.
+This feature is available in Postfix 2.12 and later.  </dd>
+
 <dt><b><a name="check_reverse_client_hostname_mx_access">check_reverse_client_hostname_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for the
@@ -13786,6 +13829,18 @@ Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required
 restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can
 simply skip <a href="postconf.5.html#check_helo_access">check_helo_access</a> by not sending HELO or EHLO).  </dd>
 
+<dt><b><a name="check_helo_a_access">check_helo_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for
+the HELO or EHLO hostname, and execute the corresponding action.
+Note 1: a result of "OK" is not allowed for safety reasons. Instead,
+use DUNNO in order to exclude specific hosts from blacklists.  Note
+2: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this
+restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can
+simply skip check_helo_a_access by not sending HELO or EHLO).  This
+feature is available in Postfix 2.12 and later.
+</dd>
+
 <dt><b><a name="check_helo_mx_access">check_helo_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for
@@ -14251,6 +14306,14 @@ that is received with the RCPT TO command.
 TO address, domain, parent domains, or localpart@, and execute the
 corresponding action.  </dd>
 
+<dt><b><a name="check_recipient_a_access">check_recipient_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for
+the RCPT TO domain, and execute the corresponding action.  Note:
+a result of "OK" is not allowed for safety reasons. Instead, use
+DUNNO in order to exclude specific hosts from blacklists.  This
+feature is available in Postfix 2.12 and later. </dd>
+
 <dt><b><a name="check_recipient_mx_access">check_recipient_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for
@@ -15027,10 +15090,18 @@ received with the MAIL FROM command.
 address, domain, parent domains, or localpart@, and execute the
 corresponding action. </dd>
 
+<dt><b><a name="check_sender_a_access">check_sender_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for
+the MAIL FROM domain, and execute the corresponding action.  Note:
+a result of "OK" is not allowed for safety reasons. Instead, use
+DUNNO in order to exclude specific hosts from blacklists.  This
+feature is available in Postfix 2.12 and later. </dd>
+
 <dt><b><a name="check_sender_mx_access">check_sender_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for
-the MAIL FROM address, and execute the corresponding action.  Note:
+the MAIL FROM domain, and execute the corresponding action.  Note:
 a result of "OK" is not allowed for safety reasons. Instead, use
 DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later. </dd>
@@ -15038,7 +15109,7 @@ feature is available in Postfix 2.1 and later. </dd>
 <dt><b><a name="check_sender_ns_access">check_sender_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified <a href="access.5.html">access(5)</a> database for the DNS servers
-for the MAIL FROM address, and execute the corresponding action.
+for the MAIL FROM domain, and execute the corresponding action.
 Note: a result of "OK" is not allowed for safety reasons. Instead,
 use DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later.  </dd>
diff --git a/postfix/html/postfix.1.html b/postfix/html/postfix.1.html
index 87ab7ceb0..2a850394f 100644
--- a/postfix/html/postfix.1.html
+++ b/postfix/html/postfix.1.html
@@ -179,40 +179,43 @@ POSTFIX(1)                                                          POSTFIX(1)
 
        Available in Postfix version 2.12 and later:
 
-       <b><a href="postconf.5.html#plugin_directory">plugin_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix dynamicmaps.cf database plugin  con-
-              figuration  file,  and of database plugins with a relative path-
-              name.
+       <b><a href="postconf.5.html#meta_directory">meta_directory</a> (see 'postconf -d' output)</b>
+              The location of non-executable files that are shared among  mul-
+              tiple  Postfix instances, such as postfix-files, dynamicmaps.cf,
+              and the multi-instance template  files  <a href="postconf.5.html">main.cf</a>.proto  and  <a href="master.5.html">mas-
+              ter.cf</a>.proto.
 
        <b><a href="postconf.5.html#shlib_directory">shlib_directory</a> (see 'postconf -d' output)</b>
-              The location of Postfix shared libraries (libpostfix-*.so.*).
+              The  location  of  Postfix shared libraries (libpostfix-*.so.*),
+              and of Postfix database plugins that have a relative pathname in
+              the dynamicmaps.cf file.
 
        Other configuration parameters:
 
        <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
-              The list of environment parameters that a Postfix  process  will
+              The  list  of environment parameters that a Postfix process will
               import from a non-Postfix parent process.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              The  mail  system  name that is prepended to the process name in
-              syslog records, so that "smtpd"  becomes,  for  example,  "post-
+              The mail system name that is prepended to the  process  name  in
+              syslog  records,  so  that  "smtpd" becomes, for example, "post-
               fix/smtpd".
 
        Available in Postfix version 2.6 and later:
 
        <b><a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> (empty)</b>
-              An  optional  list of non-default Postfix configuration directo-
-              ries; these directories belong to additional  Postfix  instances
-              that  share  the Postfix executable files and documentation with
-              the default Postfix instance, and  that  are  started,  stopped,
+              An optional list of non-default Postfix  configuration  directo-
+              ries;  these  directories belong to additional Postfix instances
+              that share the Postfix executable files and  documentation  with
+              the  default  Postfix  instance,  and that are started, stopped,
               etc., together with the default Postfix instance.
 
        <b><a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> (empty)</b>
-              The  pathname of a multi-instance manager command that the <a href="postfix.1.html"><b>post-</b></a>
-              <a href="postfix.1.html"><b>fix</b>(1)</a>  command  invokes  when  the   <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
+              The pathname of a multi-instance manager command that the  <a href="postfix.1.html"><b>post-</b></a>
+              <a href="postfix.1.html"><b>fix</b>(1)</a>   command  invokes  when  the  <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
               parameter value is non-empty.
 
        <b><a href="postconf.5.html#multi_instance_group">multi_instance_group</a> (empty)</b>
@@ -222,15 +225,15 @@ POSTFIX(1)                                                          POSTFIX(1)
               The optional instance name of this Postfix instance.
 
        <b><a href="postconf.5.html#multi_instance_enable">multi_instance_enable</a> (no)</b>
-              Allow  this  Postfix instance to be started, stopped, etc., by a
+              Allow this Postfix instance to be started, stopped, etc.,  by  a
               multi-instance manager.
 
 <b>FILES</b>
-       Prior to Postfix version 2.6, all of the following files were in  <b>$<a href="postconf.5.html#config_directory">con</a>-</b>
+       Prior  to Postfix version 2.6, all of the following files were in <b>$<a href="postconf.5.html#config_directory">con</a>-</b>
        <b><a href="postconf.5.html#config_directory">fig_directory</a></b>. Some files are now in <b>$<a href="postconf.5.html#daemon_directory">daemon_directory</a></b> so that they can
        be shared among multiple instances that run the same Postfix version.
 
-       Use the command "<b>postconf <a href="postconf.5.html#config_directory">config_directory</a></b>" or "<b>postconf  <a href="postconf.5.html#daemon_directory">daemon_direc</a>-</b>
+       Use  the command "<b>postconf <a href="postconf.5.html#config_directory">config_directory</a></b>" or "<b>postconf <a href="postconf.5.html#daemon_directory">daemon_direc</a>-</b>
        <b><a href="postconf.5.html#daemon_directory">tory</a></b>" to expand the names into their actual values.
 
        $<a href="postconf.5.html#config_directory">config_directory</a>/<a href="postconf.5.html">main.cf</a>, Postfix configuration parameters
diff --git a/postfix/html/postmulti.1.html b/postfix/html/postmulti.1.html
index a177f8f5a..cd84a79a2 100644
--- a/postfix/html/postmulti.1.html
+++ b/postfix/html/postmulti.1.html
@@ -356,9 +356,22 @@ POSTMULTI(1)                                                      POSTMULTI(1)
               syslog  records,  so  that  "smtpd" becomes, for example, "post-
               fix/smtpd".
 
+       Available in Postfix 2.12 and later:
+
+       <b><a href="postconf.5.html#meta_directory">meta_directory</a> (see 'postconf -d' output)</b>
+              The location of non-executable files that are shared among  mul-
+              tiple  Postfix instances, such as postfix-files, dynamicmaps.cf,
+              and the multi-instance template  files  <a href="postconf.5.html">main.cf</a>.proto  and  <a href="master.5.html">mas-
+              ter.cf</a>.proto.
+
+       <b><a href="postconf.5.html#shlib_directory">shlib_directory</a> (see 'postconf -d' output)</b>
+              The  location  of  Postfix shared libraries (libpostfix-*.so.*),
+              and of Postfix database plugins that have a relative pathname in
+              the dynamicmaps.cf file.
+
 <b>FILES</b>
-       $<a href="postconf.5.html#daemon_directory">daemon_directory</a>/<a href="postconf.5.html">main.cf</a>, stock configuration file
-       $<a href="postconf.5.html#daemon_directory">daemon_directory</a>/<a href="master.5.html">master.cf</a>, stock configuration file
+       $<a href="postconf.5.html#meta_directory">meta_directory</a>/<a href="postconf.5.html">main.cf</a>.proto, stock configuration file
+       $<a href="postconf.5.html#meta_directory">meta_directory</a>/<a href="master.5.html">master.cf</a>.proto, stock configuration file
        $<a href="postconf.5.html#daemon_directory">daemon_directory</a>/postmulti-script, life-cycle helper program
 
 <b>SEE ALSO</b>
diff --git a/postfix/makedefs b/postfix/makedefs
index 58bb9eca9..c93af8fb2 100644
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -18,6 +18,12 @@
 #	environment variables (or as name=value pairs on the "make"
 #	command line). Use quotes if variables contain whitespace
 #	or shell meta characters.
+#
+#	The "make makefiles name=value..." command will replace the
+#	string MAIL_VERSION in a parameter value with the Postfix
+#	release version. Do not try to specify something like
+#	$mail_version on this command line. This produces inconsistent
+#	results with different versions of the make(1) command.
 # .IP \fBAUXLIBS=\fIobject_library...\fR
 #	Specifies one or more non-default object libraries. Postfix
 #	2,12 and later specify some of their database library
@@ -85,7 +91,7 @@
 # .IP \fBdynamicmaps=yes\fR
 # .IP \fBdynamicmaps=no\fR
 #	Enable (disable) Postfix builds with the configuration file
-#	$plugin_directory/dynamicmaps.cf and dynamically-loadable
+#	$meta_directory/dynamicmaps.cf and dynamically-loadable
 #	database plugins typically named postfix-*.so.*.  The setting
 #	"dynamicmaps=yes" implicitly enables Postfix shared libraries.
 #
@@ -97,19 +103,13 @@
 #
 #	command_directory config_directory daemon_directory
 #	data_directory default_database_type html_directory
-#	mailq_path manpage_directory newaliases_path plugin_directory
+#	mailq_path manpage_directory meta_directory newaliases_path
 #	queue_directory readme_directory sendmail_path shlib_directory
 #
 #	See the postconf(5) manpage for a description of these
 #	parameters.
 #
 #	This feature was introduced with Postfix 2.12.
-# .IP \fBSHLIB_VERSION=\fIversion\fR
-#	Specifies a non-default shared-library version for Postfix
-#	libraries and database plugins.  By default, the version
-#	equals the default value for the $mail_version parameter.
-#
-#	This feature was introduced with Postfix 2.12.
 # .IP \fBWARN=\fIwarning_flags\fR
 #	Specifies non-default gcc compiler warning options for use when
 #	"make" is invoked in a source subdirectory only.
@@ -708,6 +708,91 @@ CCARGS="$CCARGS -DSNAPSHOT"
 # Workaround: prepend Postfix include files before other include files.
 CCARGS="-I. -I../../include $CCARGS"
 
+# Portability and usability considerations.
+#
+# In an ideal world we would be able to provide the option to say
+# "make makefiles shlib_directory=/some/where/'$mail_version'".  This
+# would allow a running system to be upggraded without worries about
+# tempororary program-library ABI incompatibilities (the Postfix
+# library API changes incompatibly from one version to the next).
+#
+# Unfortunately, gmake performs macro expansion on values in name=value
+# command-line arguments. In the specific example above, gmake would
+# eat up the "$" and "m" before it even invokes makedefs, and it
+# ould replace "'${mail_version}'" and "'$(mail_version)'" with
+# nothing. 
+#
+# We could work around this by documenting that $$ must be used (and
+# fix $$ in the case that people use traditional make).  But this
+# would be non-intuitive and bad from a usability point of view.
+#
+# We could work around this by documenting that people must pass
+# name=value via the environment instead of the command line, as in
+# "shlib_directory=/some/where/'$mail_version' make makefiles", or
+# that they issue "export" or "setenv" commands depending on their
+# interactive shell. That would be non-intuitive and bad usability.
+#
+# Even if we did any of the above, we would not want to pass the
+# unexpanded $mail_version via CCARGS, because that requires extra
+# quoting with `echo "$parm_val" | sed 's/[$]/\\\\$$/'` which is
+# just too ugly to be portable.
+#
+# The upshot of all this is that we will expand MAIL_VERSION in the
+# "make makefiles parameter=value" command line, and that we pass
+# the expanded text via CCARGS. This is clumsier but cleaner.
+
+# Helper function to determine DEF_MAIL_VERSION.
+
+def_mail_version()
+{
+    trap 'rm -f makedefs.test makedefs.test.[co]' 1 2 3 15
+    cat > makedefs.test.c <<'EOF'
+#include <stdlib.h>
+#include <stdio.h>
+EOF
+        # Avoid "nested comment" warnings. Top-of-file comments start in
+        # column 1 and have no code after "*/", not even in header files.
+        # If this is insufficient, kill the problem with #ifndef MAKEDEFS.
+        sed '/^\/\*/,/\*\//d' src/global/mail_version.h >>makedefs.test.c
+        cat >>makedefs.test.c <<EOF
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+int     main(void)
+{
+    printf("%s\n", DEF_MAIL_VERSION);
+    fflush(stdout);
+    exit(ferror(stdout) ? 1 : 0);
+}
+EOF
+    eval ${CC-gcc} ${CCARGS} -o makedefs.test makedefs.test.c || exit 1
+    ./makedefs.test || exit 1
+    rm -f makedefs.test makedefs.test.[co]
+}
+
+# Helper function to expand MAIL_VERSION in command-line value.
+
+expand_MAIL_VERSION()
+{
+    case "$mail_version" in
+    "") mail_version=`def_mail_version` || exit 1
+    esac
+    echo "$1" | sed "s/MAIL_VERSION/$mail_version/g"
+}
+
+
+# Helper function to expand $mail_version in parameter value.
+
+expand_mail_version()
+{
+    case "$mail_version" in
+    "") mail_version=`def_mail_version` || exit 1
+    esac
+    echo "$1" | sed "
+	s/\$[{(]mail_version[)}]/$mail_version/g
+	s/\$mail_version/$mail_version/g
+    "
+}
 # Optionally override installation-parameter default settings.
 
 command_directory_macro=DEF_COMMAND_DIR
@@ -715,25 +800,29 @@ config_directory_macro=DEF_CONFIG_DIR
 daemon_directory_macro=DEF_DAEMON_DIR
 data_directory_macro=DEF_DATA_DIR
 mailq_path_macro=DEF_MAILQ_PATH
+meta_directory_macro=DEF_META_DIR
 newaliases_path_macro=DEF_NEWALIAS_PATH
-plugin_directory_macro=DEF_PLUGIN_DIR
 queue_directory_macro=DEF_QUEUE_DIR
 sendmail_path_macro=DEF_SENDMAIL_PATH
 shlib_directory_macro=DEF_SHLIB_DIR
 
-# shlib_directory and plugin_directory are checked here because "no"
-# is not a good answer.  Instead, build with "dynamicmaps=no" or
-# "shared=no" as appropriate.
+# shlib_directory is checked here because "no" is not a good answer.
+# Instead, build with "dynamicmaps=no" and "shared=no" as appropriate.
 
 for parm_name in command_directory config_directory daemon_directory \
-	data_directory mailq_path newaliases_path plugin_directory \
+	data_directory mailq_path meta_directory newaliases_path \
 	queue_directory sendmail_path shlib_directory
 do
     eval parm_val=\"\$$parm_name\"
     eval parm_macro=\"\$${parm_name}_macro\"
     case "$parm_val" in
     "") ;;
-    /*) CCARGS="$CCARGS -D$parm_macro=\\\"$parm_val\\\"";;
+    /*) case "$parm_val" in
+	*MAIL_VERSION*)
+	    parm_val=`expand_MAIL_VERSION "$parm_val"` || exit 1
+	    eval ${parm_name}=\""\$parm_val"\";;
+	esac
+	CCARGS="$CCARGS -D$parm_macro=\\\"$parm_val\\\"";;
      *) error "$parm_name must specify an absolute path name";;
     esac
 done
@@ -748,7 +837,12 @@ do
     eval parm_macro=\"\$${parm_name}_macro\"
     case "$parm_val" in
     "") ;;
- /*|no) CCARGS="$CCARGS -D$parm_macro=\\\"$parm_val\\\"";;
+ /*|no) case "$parm_val" in
+	*MAIL_VERSION*)
+	    parm_val=`expand_MAIL_VERSION "$parm_val"` || exit 1
+	    eval ${parm_name}=\""\$parm_val"\";;
+	esac
+	CCARGS="$CCARGS -D$parm_macro=\\\"$parm_val\\\"";;
      *) error "$parm_name must specify \"no\" or an absolute path name";;
     esac
 done
@@ -761,7 +855,12 @@ do
     eval parm_macro=\"\$${parm_name}_macro\"
     case "$parm_val" in
     "") ;;
-     *) CCARGS="$CCARGS -D$parm_macro=\\\"$parm_val\\\"";;
+     *) case "$parm_val" in
+	*MAIL_VERSION*)
+	    parm_val=`expand_MAIL_VERSION "$parm_val"` || exit 1
+	    eval ${parm_name}=\""\$parm_val"\";;
+	esac
+	CCARGS="$CCARGS -D$parm_macro=\\\"$parm_val\\\"";;
     esac
 done
 
@@ -801,25 +900,27 @@ yes)
 	 PLUGIN_MAP_SO_MAKE=
 	 PLUGIN_MAP_SO_UPDATE=
 	 PLUGIN_LD=
-	 plugin_directory=no
-	 CCARGS="$CCARGS -UUSE_DYNAMIC_MAPS -DDEF_PLUGIN_DIR=\\\"no\\\""
+	 CCARGS="$CCARGS -UUSE_DYNAMIC_MAPS"
 	 ;;
     esac
 
     # Determine the shared-library and plugin installation directory.
-    for parm_name in shlib_directory plugin_directory
-    do
-	eval parm_val=\"\$$parm_name\"
-	eval parm_macro=\"\$${parm_name}_macro\"
-	case "$parm_val" in
-	/*|no) # CCARGS was already updated above.
-	    ;;
-	"") trap 'rm -f makedefs.test makedefs.test.[co]' 1 2 3 15
-	    sed -n '
-		/_SHLIB_DIR/,/^$/p
-		/_PLUGIN_DIR/,/^$/p
-	    ' src/global/mail_params.h >makedefs.test.c
-	    cat >>makedefs.test.c <<EOF
+    # The shlib_directory parameter is special. If the DEF_SHLIB_DIR
+    # C-language constant ends in "$mail_version" then the custom
+    # code below expands this by peeking at the DEF_MAIL_VERSION
+    # C-language constant.
+    #
+    parm_name=shlib_directory
+    eval parm_val=\"\$$parm_name\"
+    eval parm_macro=\"\$${parm_name}_macro\"
+    case "$parm_val" in
+    /*|no) # CCARGS was already updated above.
+	;;
+    "") trap 'rm -f makedefs.test makedefs.test.[co]' 1 2 3 15
+	sed -n '
+	    /_SHLIB_DIR/,/^$/p
+	' src/global/mail_params.h >makedefs.test.c
+	cat >>makedefs.test.c <<EOF
 #include <stdlib.h>
 #include <stdio.h>
 int     main(void)
@@ -829,56 +930,34 @@ int     main(void)
     exit(ferror(stdout) ? 1 : 0);
 }
 EOF
-	    eval ${CC-gcc} ${CCARGS} -o makedefs.test makedefs.test.c || exit 1
-	    eval $parm_name=`./makedefs.test` || exit 1
-	    rm -f makedefs.test makedefs.test.[co]
-	    ;;
-	 *) # this parameter was already checked above.
-	    error "Can't happen in $0 - $parm_val is not an absolute path"
-	    ;;
-	esac
-    done
-
-    # Determine the shared-library version.
-    test -z "$SHLIB_VERSION" && {
-	trap 'rm -f makedefs.test makedefs.test.[co]' 1 2 3 15
-	(cat <<'EOF'
-#include <stdlib.h>
-#include <stdio.h>
-EOF
-	# Avoid "nested comment" warnings. Top-of-file comments start in
-	# column 1 and have no code after "*/", not even in header files.
-	# If this is insufficient, kill the problem with #ifndef MAKEDEFS.
-	sed '/^\/\*/,/\*\//d' src/global/mail_version.h
-	cat <<'EOF'
-int     main(void)
-{
-    printf("%s\n", DEF_MAIL_VERSION);
-    fflush(stdout);
-    exit(ferror(stdout) ? 1 : 0);
-}
-EOF
-    ) >makedefs.test.c
-	eval ${CC-gcc} -DMAKEDEFS ${CCARGS} -o makedefs.test makedefs.test.c || exit 1
-	SHLIB_VERSION=`./makedefs.test` || exit 1
+	eval ${CC-gcc} ${CCARGS} -o makedefs.test makedefs.test.c || exit 1
+	parm_val=`./makedefs.test` || exit 1
 	rm -f makedefs.test makedefs.test.[co]
-    }
+	case $parm_val in
+	*'$'mail_version*|*'$'{mail_version}*|'$('mail_version')'*)
+	    parm_val=`expand_mail_version "$parm_val"` || exit 1
+	    eval ${parm_name}=\""\$parm_val"\"
+	esac
+	CCARGS="$CCARGS -D$parm_macro=\\\"$parm_val\\\""
+	;;
+     *) # this parameter was already checked above.
+	error "Can't happen in $0 - $parm_val is not an absolute path"
+	;;
+    esac
+
     LIB_PREFIX=postfix-
-    LIB_SUFFIX=${SHLIB_SUFFIX}.${SHLIB_VERSION}
-    CCARGS="$CCARGS -DSHLIB_VERSION=\\\"$SHLIB_VERSION\\\""
+    LIB_SUFFIX=${SHLIB_SUFFIX}
     ;;
 
 no|"")
     shlib_directory=no
-    plugin_directory=no
     CCARGS="$CCARGS -UUSE_DYNAMIC_LIBS -DDEF_SHLIB_DIR=\\\"no\\\""
-    CCARGS="$CCARGS -UUSE_DYNAMIC_MAPS -DDEF_PLUGIN_DIR=\\\"no\\\""
+    CCARGS="$CCARGS -UUSE_DYNAMIC_MAPS"
     SHLIB_CFLAGS=
     SHLIB_SUFFIX=
     SHLIB_LD=:
     SHLIB_RPATH=
     SHLIB_ENV=
-    SHLIB_VERSION=
     LIB_PREFIX=
     LIB_SUFFIX=.a
     NON_PLUGIN_MAP_OBJ='$(MAP_OBJ)'
@@ -922,17 +1001,17 @@ DEFINED_MAP_TYPES=`
 
 PLUGGABLE_MAPS="CDB LDAP LMDB MYSQL PCRE PGSQL SDBM SQLITE"
 
-case "$plugin_directory" in
-/*) for name in $PLUGGABLE_MAPS
-    do
-	eval test -n "\"\$AUXLIBS_$name\"" && 
-	    eval PLUGIN_AUXLIBS="\"\$PLUGIN_AUXLIBS
+case "$dynamicmaps" in
+yes) for name in $PLUGGABLE_MAPS
+     do
+	 eval test -n "\"\$AUXLIBS_$name\"" && 
+	     eval PLUGIN_AUXLIBS="\"\$PLUGIN_AUXLIBS
 AUXLIBS_$name = \$AUXLIBS_$name\""
-    done;;
- *) for name in $PLUGGABLE_MAPS
-    do
-	eval AUXLIBS="\"\$AUXLIBS \$AUXLIBS_$name\""
-    done;;
+     done;;
+  *) for name in $PLUGGABLE_MAPS
+     do
+	 eval AUXLIBS="\"\$AUXLIBS \$AUXLIBS_$name\""
+     done;;
 esac
 
 sed 's/   */ /g' <<EOF
@@ -961,9 +1040,7 @@ SHLIB_DIR = $shlib_directory
 SHLIB_ENV = $SHLIB_ENV
 SHLIB_LD = $SHLIB_LD
 SHLIB_RPATH = $SHLIB_RPATH
-SHLIB_VERSION = $SHLIB_VERSION
 # Switch between dynamicmaps.cf plugins and hard-linked databases.
-PLUGIN_DIR = $plugin_directory
 NON_PLUGIN_MAP_OBJ = $NON_PLUGIN_MAP_OBJ
 PLUGIN_MAP_OBJ = $PLUGIN_MAP_OBJ
 PLUGIN_MAP_OBJ_UPDATE = $PLUGIN_MAP_OBJ_UPDATE
diff --git a/postfix/man/man1/postfix.1 b/postfix/man/man1/postfix.1
index 6d7c3c0da..206c61380 100644
--- a/postfix/man/man1/postfix.1
+++ b/postfix/man/man1/postfix.1
@@ -165,11 +165,14 @@ The directory with Postfix-writable data files (for example:
 caches, pseudo-random numbers).
 .PP
 Available in Postfix version 2.12 and later:
-.IP "\fBplugin_directory (see 'postconf -d' output)\fR"
-The location of the Postfix dynamicmaps.cf database plugin
-configuration file, and of database plugins with a relative pathname.
+.IP "\fBmeta_directory (see 'postconf -d' output)\fR"
+The location of non-executable files that are shared among
+multiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+and the multi-instance template files main.cf.proto and master.cf.proto.
 .IP "\fBshlib_directory (see 'postconf -d' output)\fR"
-The location of Postfix shared libraries (libpostfix-*.so.*).
+The location of Postfix shared libraries (libpostfix-*.so.*),
+and of Postfix database plugins that have a relative pathname in
+the dynamicmaps.cf file.
 .PP
 Other configuration parameters:
 .IP "\fBimport_environment (see 'postconf -d' output)\fR"
diff --git a/postfix/man/man1/postmulti.1 b/postfix/man/man1/postmulti.1
index 593316571..f26b339c3 100644
--- a/postfix/man/man1/postmulti.1
+++ b/postfix/man/man1/postmulti.1
@@ -368,11 +368,21 @@ The syslog facility of Postfix logging.
 .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
 The mail system name that is prepended to the process name in syslog
 records, so that "smtpd" becomes, for example, "postfix/smtpd".
+.PP
+Available in Postfix 2.12 and later:
+.IP "\fBmeta_directory (see 'postconf -d' output)\fR"
+The location of non-executable files that are shared among
+multiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+and the multi-instance template files main.cf.proto and master.cf.proto.
+.IP "\fBshlib_directory (see 'postconf -d' output)\fR"
+The location of Postfix shared libraries (libpostfix-*.so.*),
+and of Postfix database plugins that have a relative pathname in
+the dynamicmaps.cf file.
 .SH "FILES"
 .na
 .nf
-$daemon_directory/main.cf, stock configuration file
-$daemon_directory/master.cf, stock configuration file
+$meta_directory/main.cf.proto, stock configuration file
+$meta_directory/master.cf.proto, stock configuration file
 $daemon_directory/postmulti-script, life-cycle helper program
 .SH "SEE ALSO"
 .na
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 7e0ae6db5..d74aab7e2 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -3674,6 +3674,21 @@ message_strip_characters = \e0
 .ft R
 .PP
 This feature is available in Postfix 2.3 and later.
+.SH meta_directory (default: see 'postconf -d' output)
+The location of non-executable files that are shared among
+multiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+and the multi-instance template files main.cf.proto and master.cf.proto.
+This directory should contain only Postfix-related files.  Typically,
+the meta_directory parameter has the same default as the config_directory
+parameter (/etc/postfix or /usr/local/etc/postfix).
+.PP
+For backwards compatibility with Postfix versions 2.6..2.11,
+specify "meta_directory = $daemon_directory" in main.cf before
+installing or upgrading Postfix, or specify "meta_directory =
+/path/name" on the "make makefiles", "make install" or "make upgrade"
+command line.
+.PP
+This feature is available in Postfix 2.12 and later.
 .SH milter_command_timeout (default: 30s)
 The time limit for sending an SMTP command to a Milter (mail
 filter) application, and for receiving the response.
@@ -4238,13 +4253,6 @@ The numerical Postfix SMTP server response code when a request
 is rejected by the \fBreject_plaintext_session\fR restriction.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH plugin_directory (default: see 'postconf -d' output)
-The location of the Postfix dynamicmaps.cf database plugin
-configuration file, and of database plugins with a relative pathname.
-This is set to "no" when Postfix database plugin support is disabled
-at compile time.
-.PP
-This feature is available in Postfix 2.12 and later.
 .SH postmulti_control_commands (default: reload flush)
 The \fBpostfix\fR(1) commands that the \fBpostmulti\fR(1) instance manager
 treats as "control" commands, that operate on running instances. For
@@ -5845,15 +5853,29 @@ Postfix directories. When this parameter value is changed you need
 to re-run "\fBpostfix set-permissions\fR" (with Postfix version 2.0 and
 earlier: "\fB/etc/postfix/post-install set-permissions\fR".
 .SH shlib_directory (default: see 'postconf -d' output)
-The location of Postfix shared libraries (libpostfix-*.so.*).
-This parameter defaults to "no" when Postfix shared libraries are
-disabled at compile time.
+The location of Postfix shared libraries (libpostfix-*.so),
+and the default location of Postfix database plugins (libpostfix-*.so)
+that have a relative pathname in the dynamicmaps.cf file.  The
+shlib_directory parameter defaults to "no" when Postfix shared
+libraries and database plugins are disabled at compile time, otherwise
+it typically defaults to /usr/lib/postfix or /usr/local/lib/postfix.
 .PP
-NOTE: You can change the location of these files after Postfix
-is built. However, you may have to run ldconfig if you move the
-libpostfix-*.so.* files to a non-system directory.  No ldconfig is
-needed if you keep the libpostfix-*.so.* files in the compiled-in
-default $shlib_directory location.
+Notes:
+.IP \(bu
+The directory specified with shlib_directory should contain
+only Postfix-related files. Postfix shared libraries and database
+plugins should not be installed in a "public" system directory such
+as /usr/lib or /usr/local/lib. Linking Postfix shared-library files
+or database plugins into non-Postfix programs is not supported.
+Postfix shared libraries and database plugins implement a
+Postfix-internal API that changes without maintaining compatibility.
+.IP \(bu
+You can change the shlib_directory value after Postfix is
+built. However, you may have to run ldconfig or equivalent to prevent
+Postfix programs from failing because the libpostfix-*.so files are
+not found.  No ldconfig command is needed if you keep the libpostfix-*.so
+files in the compiled-in default $shlib_directory location.
+.br
 .PP
 This feature is available in Postfix 2.12 and later.
 .SH show_user_unknown_table_name (default: yes)
@@ -8492,6 +8514,13 @@ Search the specified access database for the client hostname,
 parent domains, client IP address, or networks obtained by stripping
 least significant octets. See the \fBaccess\fR(5) manual page for details.
 .br
+.IP "\fBcheck_client_a_access \fItype:table\fR\fR"
+Search the specified \fBaccess\fR(5) database for the IP addresses for the
+client hostname, and execute the corresponding action.  Note: a result
+of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
+to exclude specific hosts from blacklists.  This feature is available
+in Postfix 2.12 and later.
+.br
 .IP "\fBcheck_client_mx_access \fItype:table\fR\fR"
 Search the specified \fBaccess\fR(5) database for the MX hosts for the
 client hostname, and execute the corresponding action.  Note: a result
@@ -8515,6 +8544,13 @@ safety reasons.  Instead, use DUNNO in order to exclude specific
 hosts from blacklists.  This feature is available in Postfix 2.6
 and later.
 .br
+.IP "\fBcheck_reverse_client_hostname_a_access \fItype:table\fR\fR"
+Search the specified \fBaccess\fR(5) database for the IP addresses for the
+unverified reverse client hostname, and execute the corresponding
+action.  Note: a result of "OK" is not allowed for safety reasons.
+Instead, use DUNNO in order to exclude specific hosts from blacklists.
+This feature is available in Postfix 2.12 and later.
+.br
 .IP "\fBcheck_reverse_client_hostname_mx_access \fItype:table\fR\fR"
 Search the specified \fBaccess\fR(5) database for the MX hosts for the
 unverified reverse client hostname, and execute the corresponding
@@ -9126,6 +9162,16 @@ Note: specify "smtpd_helo_required = yes" to fully enforce this
 restriction (without "smtpd_helo_required = yes", a client can
 simply skip check_helo_access by not sending HELO or EHLO).
 .br
+.IP "\fBcheck_helo_a_access \fItype:table\fR\fR"
+Search the specified \fBaccess\fR(5) database for the IP addresses for
+the HELO or EHLO hostname, and execute the corresponding action.
+Note 1: a result of "OK" is not allowed for safety reasons. Instead,
+use DUNNO in order to exclude specific hosts from blacklists.  Note
+2: specify "smtpd_helo_required = yes" to fully enforce this
+restriction (without "smtpd_helo_required = yes", a client can
+simply skip check_helo_a_access by not sending HELO or EHLO).  This
+feature is available in Postfix 2.12 and later.
+.br
 .IP "\fBcheck_helo_mx_access \fItype:table\fR\fR"
 Search the specified \fBaccess\fR(5) database for the MX hosts for
 the HELO or EHLO hostname, and execute the corresponding action.
@@ -9443,6 +9489,13 @@ Search the specified \fBaccess\fR(5) database for the resolved RCPT
 TO address, domain, parent domains, or localpart@, and execute the
 corresponding action.
 .br
+.IP "\fBcheck_recipient_a_access \fItype:table\fR\fR"
+Search the specified \fBaccess\fR(5) database for the IP addresses for
+the RCPT TO domain, and execute the corresponding action.  Note:
+a result of "OK" is not allowed for safety reasons. Instead, use
+DUNNO in order to exclude specific hosts from blacklists.  This
+feature is available in Postfix 2.12 and later.
+.br
 .IP "\fBcheck_recipient_mx_access \fItype:table\fR\fR"
 Search the specified \fBaccess\fR(5) database for the MX hosts for
 the RCPT TO domain, and execute the corresponding action.  Note:
@@ -10051,16 +10104,23 @@ Search the specified \fBaccess\fR(5) database for the MAIL FROM
 address, domain, parent domains, or localpart@, and execute the
 corresponding action.
 .br
+.IP "\fBcheck_sender_a_access \fItype:table\fR\fR"
+Search the specified \fBaccess\fR(5) database for the IP addresses for
+the MAIL FROM domain, and execute the corresponding action.  Note:
+a result of "OK" is not allowed for safety reasons. Instead, use
+DUNNO in order to exclude specific hosts from blacklists.  This
+feature is available in Postfix 2.12 and later.
+.br
 .IP "\fBcheck_sender_mx_access \fItype:table\fR\fR"
 Search the specified \fBaccess\fR(5) database for the MX hosts for
-the MAIL FROM address, and execute the corresponding action.  Note:
+the MAIL FROM domain, and execute the corresponding action.  Note:
 a result of "OK" is not allowed for safety reasons. Instead, use
 DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later.
 .br
 .IP "\fBcheck_sender_ns_access \fItype:table\fR\fR"
 Search the specified \fBaccess\fR(5) database for the DNS servers
-for the MAIL FROM address, and execute the corresponding action.
+for the MAIL FROM domain, and execute the corresponding action.
 Note: a result of "OK" is not allowed for safety reasons. Instead,
 use DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later.
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index 5622e5d9b..fdf078c48 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -390,7 +390,7 @@ while (<>) {
     s;\bdefault_desti[-</Bb>]*\n* *[<Bb>]*na[-</Bb>]*\n* *[<Bb>]*tion_con[-</Bb>]*\n* *[<Bb>]*currency_failed_cohort_limit\b;<a href="postconf.5.html#default_destination_concurrency_failed_cohort_limit">$&</a>;g;
     s;\bdestination_concurrency_feedback_debug\b;<a href="postconf.5.html#destination_concurrency_feedback_debug">$&</a>;g;
     s;\bdefault_destina[-</Bb>]*\n* *[<Bb>]*tion_rate_delay\b;<a href="postconf.5.html#default_destination_rate_delay">$&</a>;g;
-    s;\bplugin_directory\b;<a href="postconf.5.html#plugin_directory">$&</a>;g;
+    s;\bmeta_directory\b;<a href="postconf.5.html#meta_directory">$&</a>;g;
 
     s;\bqmqpd_client_port_logging\b;<a href="postconf.5.html#qmqpd_client_port_logging">$&</a>;g;
     s;\bqmqpd_error_delay\b;<a href="postconf.5.html#qmqpd_error_delay">$&</a>;g;
diff --git a/postfix/meta/.keep b/postfix/meta/.keep
new file mode 100644
index 000000000..e69de29bb
diff --git a/postfix/postfix-env.sh b/postfix/postfix-env.sh
index 2d1d63d58..9c0fe44cf 100644
--- a/postfix/postfix-env.sh
+++ b/postfix/postfix-env.sh
@@ -1,8 +1,5 @@
 #!/bin/sh
 
-# Run a program with the new libraries, not the installed ones.
+# Run a program with the new shared libraries instead of the installed ones.
 
-export LD_LIBRARY_PATH
-LD_LIBRARY_PATH=`pwd`/lib
-
-"$@"
+LD_LIBRARY_PATH=`pwd`/lib exec "$@"
diff --git a/postfix/postfix-install b/postfix/postfix-install
index a60cf2af4..076fbb22b 100644
--- a/postfix/postfix-install
+++ b/postfix/postfix-install
@@ -57,11 +57,16 @@
 #	parameter settings. These settings have the highest precedence.
 # .IP "command line"
 #	Parameter settings can be given as name=value arguments on
-#	the postfix-install command line.
+#	the postfix-install command line. This mode will replace
+#	the string MAIL_VERSION in a configuration parameter value
+#	with the Postfix release version (Postfix 2.12 and later).
 # .IP "process environment"
 #	Parameter settings can be given as name=value environment
-#	variables. Environment parameters can also be specified on the
-#	make(1) command line as "make install name=value ...".
+#	variables. Environment parameters can also be specified on
+#	the make(1) command line as "make install name=value ...".
+#	This mode will replace the string MAIL_VERSION in a
+#	configuration parameter value with the Postfix release
+#	version (Postfix 2.12 and later).
 # .IP "installed configuration files"
 #	If a parameter is not specified via the command line or via the
 #	process environment, postfix-install will attempt to extract its
@@ -144,25 +149,29 @@
 #	The final destination directory for the Postfix sample configuration
 #	files. This parameter is obsolete as of Postfix version 2.1.
 #	This parameter setting is recorded in the installed main.cf file.
-# .IP plugin_directory
-#	The final destination directory for the Postfix dynamicmaps.cf
-#	database plugin configuration file, and files referenced by
-#	that file.  This is "no" when dynamic linking is disabled
-#	at compile time.
+# .IP meta_directory
+#	The final destination directory for non-executable files
+#	that are shared among multiple Postfix instances, such
+#	as postfix-files, dynamicmaps.cf, as well as the multi-instance
+#	template files main.cf.proto and master.cf.proto. This
+#	directory should contain only Postfix-related files.
 # .IP readme_directory
 #	The final destination directory for the Postfix README files.
 #	This parameter setting is recorded in the installed main.cf file.
 # .IP shlib_directory
-#	The final destination directory for Postfix shared-library files.
-#	The built-in default value is specified at compile time.
-#	If you change this at installation time, then you should specify
-#	only "standard" system directories. Otherwise, additional
-#	configuration will be required with ldconfig(1) or equivalent.
+#	The final destination directory for Postfix shared-library
+#	files, and the default directory for Postfix database plugin
+#	files with a relative pathname in the file dynamicmaps.cf.
+#	This directory should contain only Postfix-related files.
+#	The shlib_directory parameter built-in default value is
+#	specified at compile time.  If you change this at installation
+#	time, then additional configuration will be required with
+#	ldconfig(1) or equivalent.
 # SEE ALSO
 #	post-install(1) post-installation procedure
 # FILES
 #	$config_directory/main.cf, Postfix installation configuration.
-#	$daemon_directory/postfix-files, installation control file.
+#	$meta_directory/postfix-files, installation control file.
 #	$config_directory/install.cf, obsolete configuration file.
 # LICENSE
 # .ad
@@ -221,6 +230,28 @@ test -x bin/postconf || {
     exit 1
 }
 
+CONFIG_PARAMS="command_directory daemon_directory data_directory \
+html_directory mail_owner mailq_path manpage_directory newaliases_path \
+queue_directory readme_directory sendmail_path setgid_group shlib_directory \
+meta_directory"
+
+# Expand the string MAIL_VERSION in "make install" etc. name=value
+# command-line arguments (and consequently, in environment settings),
+# for consistency with "make makefiles".
+
+for name in $CONFIG_PARAMS sample_directory install_root tempdir
+do
+    eval junk=\$$name
+    case "$junk" in
+    *MAIL_VERSION*) 
+	case "$mail_version" in
+	"") mail_version="`bin/postconf -dhx mail_version`" || exit 1
+	esac
+	eval ${name}=\"`echo "$junk" | sed "s/MAIL_VERSION/$mail_version/g"`\" ||
+	    exit 1;; 
+    esac
+done
+
 case `uname -s` in
 HP-UX*) FMT=cat;;
      *) FMT=fmt;;
@@ -387,9 +418,10 @@ HTML files. Specify \"no\" if you do not want to install these files."
 shlib_directory_prompt="the final destination directory for Postfix
 shared-library files."
 
-plugin_directory_prompt="the final destination directory for the
-Postfix dynamicmaps.cf configuration file and files referenced by
-that file."
+meta_directory_prompt="the final destination directory for
+non-executable files that are shared among multiple Postfix instances,
+such as postfix-files, dynamicmaps.cf, as well as the multi-instance
+template files main.cf.proto and master.cf.proto."
 
 # Default settings, just to get started.
 
@@ -452,11 +484,6 @@ grep setgid_group $CONFIG_DIRECTORY/main.cf >/dev/null 2>&1 || {
     }
 }
 
-CONFIG_PARAMS="command_directory daemon_directory data_directory \
-html_directory mail_owner mailq_path manpage_directory newaliases_path \
-queue_directory readme_directory sendmail_path setgid_group shlib_directory \
-plugin_directory"
-
 # Extract parameter settings from the installed main.cf file.
 
 test -f $CONFIG_DIRECTORY/main.cf && {
@@ -517,7 +544,7 @@ case "$manpage_directory" in
      exit 1;;
 esac
 
-for path in "$html_directory" "$readme_directory" "$shlib_directory" "$plugin_directory"
+for path in "$html_directory" "$readme_directory" "$shlib_directory"
 do
    case "$path" in
    /*) ;;
@@ -528,7 +555,8 @@ do
 done
 
 for path in "$daemon_directory" "$data_directory" "$command_directory" "$queue_directory" \
-    "$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory"
+    "$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory" \
+    "$meta_directory"
 do
    case "$path" in
    /*) ;;
@@ -545,8 +573,8 @@ do
 done
 
 for path in command_directory config_directory daemon_directory data_directory \
-    manpage_directory queue_directory shlib_directory plugin_directory html_directory \
-    readme_directory
+    manpage_directory queue_directory shlib_directory html_directory \
+    readme_directory meta_directory
 do
    case "$path" in
    no) ;;
@@ -602,21 +630,20 @@ HTML_DIRECTORY=$install_root$html_directory
 MANPAGE_DIRECTORY=$install_root$manpage_directory
 README_DIRECTORY=$install_root$readme_directory
 SHLIB_DIRECTORY=$install_root$shlib_directory
-PLUGIN_DIRECTORY=$install_root$plugin_directory
+META_DIRECTORY=$install_root$meta_directory
 
 # Avoid repeated tests for existence of these; default permissions suffice.
 
 test -d $DAEMON_DIRECTORY || mkdir -p $DAEMON_DIRECTORY || exit 1
 test -d $COMMAND_DIRECTORY || mkdir -p $COMMAND_DIRECTORY || exit 1
 test -d $QUEUE_DIRECTORY || mkdir -p $QUEUE_DIRECTORY || exit 1
-test "$plugin_directory" = "no" -o -d $PLUGIN_DIRECTORY ||
-	mkdir -p $PLUGIN_DIRECTORY || exit 1
 test "$shlib_directory" = "no" -o -d $SHLIB_DIRECTORY ||
 	mkdir -p $SHLIB_DIRECTORY || exit 1
 test "$html_directory" = "no" -o -d $HTML_DIRECTORY || 
 	mkdir -p $HTML_DIRECTORY || exit 1
 test "$readme_directory" = "no" -o -d $README_DIRECTORY || 
 	mkdir -p $README_DIRECTORY || exit 1
+test -d $META_DIRECTORY || mkdir -p $META_DIRECTORY || exit 1
 
 # Upgrade or first-time installation?
 
@@ -629,7 +656,7 @@ fi
 
 # Install files, using information from the postfix-files file.
 
-exec < libexec/postfix-files || exit 1
+exec < meta/postfix-files || exit 1
 while IFS=: read path type owner group mode flags junk
 do
     IFS="$BACKUP_IFS"
@@ -703,9 +730,9 @@ do
 	'$shlib_directory')
 	    compare_or_replace $mode "$owner" "$group" lib/$file \
 		    $SHLIB_DIRECTORY/$file || exit 1;;
-	'$plugin_directory')
-	    compare_or_replace $mode "$owner" "$group" plugins/$file \
-		$PLUGIN_DIRECTORY/$file || exit 1;;
+	'$meta_directory')
+	    compare_or_replace $mode "$owner" "$group" meta/$file \
+		$META_DIRECTORY/$file || exit 1;;
 	'$daemon_directory')
 	    compare_or_replace $mode "$owner" "$group" libexec/$file \
 		$DAEMON_DIRECTORY/$file || exit 1;;
@@ -731,7 +758,7 @@ do
 	    test "$readme_directory" = "no" ||
 		compare_or_replace $mode "$owner" "$group" README_FILES/$file \
 		    $README_DIRECTORY/$file || exit 1;;
-	 *) echo $0: Error: unknown entry $path in libexec/postfix-files 1>&2
+	 *) echo $0: Error: unknown entry $path in meta/postfix-files 1>&2
 	    exit 1;;
 	esac) || exit 1
 	continue;;
@@ -762,7 +789,7 @@ do
 	) || exit 1
 	continue;;
 
-     *) echo $0: Error: unknown type $type for $path in libexec/postfix-files 1>&2
+     *) echo $0: Error: unknown type $type for $path in meta/postfix-files 1>&2
 	exit 1;;
     esac
 
@@ -788,7 +815,7 @@ bin/postconf -c $CONFIG_DIRECTORY -e \
     "sample_directory = $sample_directory" \
     "readme_directory = $readme_directory" \
     "shlib_directory = $shlib_directory" \
-    "plugin_directory = $plugin_directory" \
+    "meta_directory = $meta_directory" \
 || exit 1
 
 # If Postfix is being installed locally from source code, do the
diff --git a/postfix/proto/INSTALL.html b/postfix/proto/INSTALL.html
index 47e958ed0..695bba4fd 100644
--- a/postfix/proto/INSTALL.html
+++ b/postfix/proto/INSTALL.html
@@ -236,8 +236,37 @@ $ make
 recent versions of Linux, FreeBSD and MacOS X. Shared-library builds
 may become the default at some point in the future. </p>
 
+<p> Overview of topics: </p>
+
+<ul>
+
+<li><a href="#shared_enable">4.3.1 Turning on Postfix shared-library
+support</a>
+
+<li><a href="#dynamicmaps_enable">4.3.2 Turning on Postfix database-plugin
+support</a>
+
+<li><a href="#shared_custom">4.3.3 Customizing Postfix shared
+libraries and database plugins</a>
+
+<li><a href="#shared_tips">4.4.4 Tips for distribution maintainers</a>
+
+</ul>
+
+<p> Note: directories with Postfix shared libraries or database
+plugins should contain only postfix-related files.  Postfix shared
+libraries and database plugins should not be installed in a "public"
+system directory such as /usr/lib or /usr/local/lib.  Linking Postfix
+shared-library or database-plugin files into non-Postfix programs
+is not supported. Postfix shared libraries and database plugins
+implement a Postfix-internal API that changes without maintaining
+compatibility. </p>
+
+<h4><a name="shared_enable"> 4.3.1 Turning on Postfix shared-library
+support </a></h4>
+
 <p> Postfix can be built with Postfix shared libraries (files
-typically named <tt>libpostfix-*.so.*</tt>). Postfix shared libraries
+typically named <tt>libpostfix-*.so</tt>). Postfix shared libraries
 add minor run-time overhead and result in significantly-smaller
 Postfix executable files. </p>
 
@@ -247,63 +276,57 @@ build Postfix with shared-library support. </p>
 <blockquote>
 <pre>
 $ make makefiles shared=yes ...other arguments...
-$ make makefiles shared=no ...other arguments...
 $ make
 </pre>
 </blockquote>
 
-<p> This defaults to installing shared libraries in /usr/local/lib,
-typically with names like libpostfix-<i>name</i>.so.<i>version</i>,
-where the <i>name</i> is a source-code directory name such as "util"
-or "global", and the <i>version</i> is the Postfix version:
-<i>x.y.z</i> for stable releases, <i>x.y</i>-<i>date</i> for snapshot
-(development) releases, or <i>x.y</i>-<i>date</i>-nonprod for
-non-production releases.  </p>
+<p> (Specify "make makefiles shared=no" to explicitly disable Postfix
+shared-library support). </p>
 
-<p> To override the default location or shared-library version,
-specify, for example: </p>
+<p> This installs shared libraries in $shlib_directory, typically,
+/usr/lib/postfix/<i>version</i> or /usr/local/lib/postfix/<i>version</i>,
+with names like libpostfix-<i>name</i>.so, where the <i>name</i>
+is a source-code directory name such as "util" or "global", and the
+<i>version</i> is the Postfix release version: <i>x.y.z</i> for
+stable releases, <i>x.y</i>-<i>date</i> for snapshot (development)
+releases, or <i>x.y</i>-<i>date</i>-nonprod for non-production
+releases.  </p>
 
-<blockquote>
-<pre>
-$ make makefiles shared=yes shlib_directory=/usr/lib \
-    SHLIB_VERSION=1 ...other arguments...
-</pre>
-</blockquote>
+<p> See section 4.3.3 "Customizing Postfix shared libraries and
+database plugins" below for how to customize the Postfix shared-library
+location and version.
 
-<p> You can change the shlib_directory setting after Postfix is
-built, with "make install" or "make upgrade". However, you may have
-to run ldconfig if you change shlib_directory after Postfix is built
-and install the libpostfix-*.so.* files in a non-system directory.
-No ldconfig is needed if you keep the libpostfix-*.so.* files in
-the compiled-in default $shlib_directory location. </p>
+<h4><a name="dynamicmaps_enable"> 4.3.2 Turning on Postfix
+database-plugin support </a></h4>
 
 <p> Additionally, Postfix can be built to support dynamic loading
-of Postfix database clients with the Debian-style dynamicmaps
-feature. Postfix 2.12 supports dynamic loading of cdb:, ldap:,
-lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients.
-Dynamic loading is useful when you distribute or install pre-compiled
-Postfix packages. </p>
+of Postfix database clients (database plugins) with the Debian-style
+dynamicmaps feature. Postfix 2.12 supports dynamic loading of cdb:,
+ldap:, lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database
+clients.  Dynamic loading is useful when you distribute or install
+pre-compiled Postfix packages. </p>
 
 <p> Specify "dynamicmaps=yes" on the "make makefiles" command line
 to build Postfix with support to dynamically load Postfix database
-clients (database plugins) with the Debian-style dynamicmaps feature.
+clients with the Debian-style dynamicmaps feature.
 </p>
 
 <blockquote>
 <pre>
 $ make makefiles dynamicmaps=yes ...other arguments...
-$ make makefiles dynamicmaps=no ...other arguments...
 $ make
 </pre>
 </blockquote>
 
-<p> This implicitly enables shared-library support, and defaults
-to installing dynamicmaps.cf and database plugins in /usr/libexec/postfix.
-Database plugins are typically named postfix-<i>type</i>.so.<i>version</i>
-where the <i>type</i> is a database type such as "cdb" or "ldap",
-and where the <i>version</i> is the same as for Postfix shared
-libraries. The installed dynamicmaps.cf configuration file is given
-a suffix with the same version. </p>
+<p> (Specify "make makefiles dynamicmaps=no" to explicitly disable
+Postfix database-plugin support). </p>
+
+<p> This implicitly enables shared-library support, installs the
+configuration file dynamicmaps.cf in $meta_directory (usually,
+/etc/postfix or /usr/local/etc/postfix), and installs database
+plugins in $shlib_directory (see above).  Database plugins are named
+postfix-<i>type</i>.so where the <i>type</i> is a database type
+such as "cdb" or "ldap". </p>
 
 <blockquote>
 
@@ -322,60 +345,155 @@ database client loading was meant to avoid. </p>
 
 </blockquote>
 
-<p> To override the default location or shared-library version,
-specify, for example: </p>
+<p> See the next section for how to customize the location and
+version of Postfix database plugins and the location of the file
+dynamicmaps.cf.  </p>
+
+<h4><a name="shared_custom"> 4.3.3 Customizing Postfix shared
+libraries and database plugins </a></h4>
+
+<h5> Customizing the location of Postfix shared libraries and
+database plugins </h5>
+
+<p> As a reminder, the directories with Postfix shared libraries
+or database plugins should contain only Postfix-related files.
+Linking these files into other programs is not supported. </p>
+
+<p> To override the default location of Postfix shared libraries
+and database plugins specify, for example: </p>
 
 <blockquote>
 <pre>
-% make makefiles dynamicmaps=yes plugin_directory=/usr/lib/postfix \
-    SHLIB_VERSION=1  ...
+$ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ...
 </pre>
 </blockquote>
 
-<p> You can also override the plugin_directory setting after Postfix
-is built, with "make install" or "make upgrade". In this case, there
-is no need to run the ldconfig command. </p>
+<p> If you intend to upgrade Postfix without stopping the mail
+system, then you should append the Postfix release version to the
+shlib_directory pathname, to eliminate the possibility that programs
+from the old Postfix version will link with files from the new
+Postfix version. For example: </p>
 
-<p> Tips for distribution maintainers: 
+<blockquote>
+<pre>
+$ make makefiles shared=yes \
+    shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+</pre>
+</blockquote>
+
+<p> The command "make makefiles name=value..." will replace the
+string MAIL_VERSION in a configuration parameter value with the
+Postfix release version. Do not try to specify something like
+$mail_version on this command line. This produces inconsistent
+results with different versions of the make(1) command.  </p>
+
+<p> You can change the shlib_directory setting after Postfix is
+built, with "make install" or "make upgrade". However, you may have
+to run ldconfig if you change shlib_directory after Postfix is built
+(the symptom is that Postfix programs fail because the run-time
+linker cannot find the files libpostfix-*.so).  No ldconfig command
+is needed if you keep the files libpostfix-*.so in the compiled-in
+default $shlib_directory location. </p>
+
+<blockquote>
+<pre>
+# make upgrade shlib_directory=/usr/local/lib/postfix ...
+# make install shlib_directory=/usr/local/lib/postfix ...
+</pre>
+</blockquote>
+
+<p> To append the Postfix release version to the pathname if you
+intend to upgrade Postfix without stopping the mail system:  </p>
+
+<blockquote>
+<pre>
+# make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+# make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ...
+</pre>
+</blockquote>
+
+<p> See also the comments above for appending MAIL_VERSION with
+the "make makefiles" command. </p>
+
+<h5> Customizing the location of dynamicmaps.cf and other files
+</h5>
+
+<p> The meta_directory parameter has the same default setting as
+the config_directory parameter, typically /etc/postfix or
+/usr/local/etc/postfix. </p>
+
+<p> You can override the default meta_directory location at compile
+time or after Postfix is built. To override the default location
+at compile time specify, for example: </p>
+
+<blockquote>
+<pre>
+% make makefiles meta_directory=/usr/libexec/postfix ...
+</pre>
+</blockquote>
+
+<p> Here is a tip if you want to make a pathname dependent on the
+Postfix release version: the command "make makefiles name=value..."
+will replace the string MAIL_VERSION in a configuration parameter
+value with the Postfix release version. Do not try to specify
+something like $mail_version on this command line. This produces
+inconsistent results with different versions of the make(1) command.
+</p>
+
+<p> You can override the meta_directory setting after Postfix is
+built, with "make install" or "make upgrade". </p>
+
+<blockquote>
+<pre>
+# make upgrade meta_directory=/usr/libexec/postfix ...
+# make install meta_directory=/usr/libexec/postfix ...
+</pre>
+</blockquote>
+
+<p> As with the command "make makefiles, the command "make
+install/upgrade name=value..." will replace the string MAIL_VERSION
+in a configuration parameter value with the Postfix release version.
+Do not try to specify something like $mail_version on this command
+line. This produces inconsistent results with different versions
+of the make(1) command.  </p>
+
+<h4><a name="shared_tips"> 4.4.4 Tips for distribution maintainers
+</a></h4>
 
 <ul>
 
-<li> <p> The postfix-install procedure creates a compatibility
-symlink dynamicmaps.cf -> dynamicmaps.cf.<i>version</i> (as well
-as a symlink dynamicmaps.cf.d -> dynamicmaps.cf.<i>version</i>.d;
-more on that below).  It is therefore safe to use "unversioned"
-configuration file names when installing or deinstalling a database
-plugin. However, Postfix itself will use the "versioned" names, to
-allow minor upgrades to happen without having to stop Postfix. </p>
+<li> <p> The shlib_directory parameter setting also provides the
+default directory for database plugin files with a relative pathname
+in the file dynamicmaps.cf. </p>
 
-<li> <p> The configuration file dynamicmaps.cf.<i>version</i> will
-automatically include files under the directory
-dynamicmaps.cf.d.<i>version</i>, just like the configuration file
-postfix-files will automatically include files under the directory
-postfix-files.d.  Thanks to this, you don't have to edit postfix-files
-or dynamicmaps.cf, when installing or deinstalling a database plugin
-package. Instead, each plugin can have its own configuration file.
-</p>
+<li> <p> The meta_directory parameter specifies the location of the
+files dynamicmaps.cf, postfix-files, and some multi-instance template
+files. The meta_directory parameter has the same default value as
+the config_directory parameter (typically, /etc/postfix or
+/usr/local/etc/postfix). For backwards compatibility with Postfix
+2.6 .. 2.11, specify "meta_directory = $daemon_directory" in main.cf
+before installing or upgrading Postfix, or specify "meta_directory
+= /path/name" on the "make makefiles", "make install" or "make
+upgrade" command line.  </p>
 
-<li> <p> The plugin_directory setting provides the default directory
-for shared-library objects with a relative pathname in the file
-dynamicmaps.cf.<i>version</i>.
+<li> <p> The configuration file dynamicmaps.cf will automatically
+include files under the directory dynamicmaps.cf.d, just like the
+configuration file postfix-files will automatically include files
+under the directory postfix-files.d.  Thanks to this, you can install
+or deinstall a database plugin package without having to edit
+postfix-files or dynamicmaps.cf. Instead, you give that plugin its
+own configuration files dynamicmaps.cf.d and postfix-files.d, and
+you add or remove those configuration files along with the database
+plugin shared object.  </p>
 
-<li> <p> Each configuration file under the directory
-dynamicmaps.cf.d.<i>version</i> must have a name that ends in ".cf"
-and must have the same format as the file dynamicmaps.cf.<i>version</i>.
-</p>
-
-<li> <p> The directory dynamicmaps.cf.d.<i>version</i> is the default
-directory for shared-library objects with a relative pathname in
-the files dynamicmaps.cf.d.<i>version</i>/*.cf.  Thus, the directory
-dynamicmaps.cf.d.<i>version</i> may contain both configuration files
-and shared-library object files.  Hence, the requirement that
-configuration file names must end in ".cf".  </p>
+<li> <p> Each configuration file under the directory dynamicmaps.cf.d
+must have the same format as the configuration file dynamicmaps.cf.
+There is no requirement that these configuration file *names* have a
+specific format.  </p>
 
 <li> <p> Each configuration file under the directory postfix-files.d
 must have the same format as the configuration file postfix-files.
-There is no requirement that these configuration file names have a
+There is no requirement that these configuration file *names* have a
 specific format.  </p>
 
 </ul>
@@ -445,6 +563,12 @@ $ make
 </pre>
 </blockquote>
 
+<p> The command "make makefiles name=value ..." will replace the
+string MAIL_VERSION in a configuration parameter value with the
+Postfix release version. Do not try to specify something like
+$mail_version on this command line. This produces inconsistent
+results with different versions of the make(1) command.  </p>
+
 <p> Parameters whose defaults can be specified in this way are
 listed below. See the postconf(5) manpage for a description
 (command: "<tt>nroff -man man/man5/postconf.5 | less</tt>").  </p>
@@ -471,9 +595,9 @@ listed below. See the postconf(5) manpage for a description
 
 <tr> <td>manpage_directory</td> <td>/usr/local/man</td> </tr>
 
-<tr> <td>newaliases_path</td> <td>/usr/bin/newaliases</td> </tr>
+<tr> <td>meta_directory</td> <td>/etc/postfix</td> </tr>
 
-<tr> <td>plugin_directory</td> <td>/usr/libexec/postfix</td> </tr>
+<tr> <td>newaliases_path</td> <td>/usr/bin/newaliases</td> </tr>
 
 <tr> <td>queue_directory</td> <td>/var/spool/postfix</td> </tr>
 
@@ -481,7 +605,7 @@ listed below. See the postconf(5) manpage for a description
 
 <tr> <td>sendmail_path</td> <td>/usr/sbin/sendmail</td> </tr>
 
-<tr> <td>shlib_directory</td> <td>/usr/local/lib</td> </tr>
+<tr> <td>shlib_directory</td> <td>/usr/lib/postfix</td> </tr>
 
 </table>
 
@@ -578,7 +702,7 @@ $ make
 <tr> <th colspan="2"> Name/Value </th> <th> Description </th> </tr>
 
 <tr> <td colspan="2"> AUXLIBS="object_library..."</td> <td> Specifies
-one or more non-default object libraries. Postfix 2,12 and later
+one or more non-default object libraries. Postfix 2.12 and later
 specify some of their database library dependencies with AUXLIBS_CDB,
 AUXLIBS_LDAP, AUXLIBS_LMDB, AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL,
 AUXLIBS_SDBM, and AUXLIBS_SQLITE, respectively. </td> </tr>
@@ -647,12 +771,6 @@ Specify DEBUG= to turn off debugging. </td> </tr>
 a non-default optimization level. The default is -O.  Specify OPT=
 to turn off optimization. </td> </tr>
 
-<tr> <td colspan="2"> SHLIB_VERSION=version </td> <td> Specifies a
-non-default Postfix shared-library version number. The default is
-to use the Postfix version: X.Y.Z for stable releases, X.Y-DATE for
-snapshot releases, X.Y-DATE-nonprod for non-production releases.
-</td> </tr>
-
 <tr> <td colspan="2"> WARN="warning_flags..." </td> <td> Specifies
 non-default <tt>gcc</tt> compiler warning options for use when
 "<tt>make</tt>" is invoked in a source subdirectory only. </td>
@@ -857,6 +975,16 @@ pathnames that end in ".postfix"</b>. </p>
 does not exist, use interactive installation ("make install")
 instead. </p>
 
+<li> <p> If you specify name=value arguments on the "make install"
+or "make upgrade" command line, then these will take precedence
+over compiled-in default settings or main.cf settings. </p>
+
+<p> The command "make install/upgrade name=value ..." will replace
+the string MAIL_VERSION in a configuration parameter value with the
+Postfix release version. Do not try to specify something like
+$mail_version on this command line. This produces inconsistent
+results with different versions of the make(1) command.  </p>
+
 </ul>
 
 <h3>6.4 - Configure Postfix</h3>
diff --git a/postfix/proto/PACKAGE_README.html b/postfix/proto/PACKAGE_README.html
index 1698f9a7a..c7916d1f2 100644
--- a/postfix/proto/PACKAGE_README.html
+++ b/postfix/proto/PACKAGE_README.html
@@ -85,6 +85,13 @@ non-default installation parameters on the command line: </p>
 script directly (<tt>% <b>sh post-install -non-interactive
 install_root...</b></tt>). </p>
 
+<p> With Postfix 2.12 and later, the command "make package name=value
+..." will replace the string MAIL_VERSION in a configuration parameter
+value with the Postfix release version. Do not try to specify
+something like $mail_version on this command line. This produces
+inconsistent results with different versions of the make(1) command.
+</p>
+
 <h2>Begin Security Alert</h2>
 
 <p> <b> When building an archive for distribution, be sure to
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 79e9581f0..2af63381b 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -4982,6 +4982,14 @@ Postfix version 2.5).  This feature is available with Postfix version
 parent domains, client IP address, or networks obtained by stripping
 least significant octets. See the access(5) manual page for details. </dd>
 
+<dt><b><a name="check_client_a_access">check_client_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified access(5) database for the IP addresses for the
+client hostname, and execute the corresponding action.  Note: a result
+of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
+to exclude specific hosts from blacklists.  This feature is available
+in Postfix 2.12 and later.  </dd>
+
 <dt><b><a name="check_client_mx_access">check_client_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified access(5) database for the MX hosts for the
@@ -5008,6 +5016,14 @@ safety reasons.  Instead, use DUNNO in order to exclude specific
 hosts from blacklists.  This feature is available in Postfix 2.6
 and later.</dd>
 
+<dt><b><a name="check_reverse_client_hostname_a_access">check_reverse_client_hostname_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified access(5) database for the IP addresses for the
+unverified reverse client hostname, and execute the corresponding
+action.  Note: a result of "OK" is not allowed for safety reasons.
+Instead, use DUNNO in order to exclude specific hosts from blacklists.
+This feature is available in Postfix 2.12 and later.  </dd>
+
 <dt><b><a name="check_reverse_client_hostname_mx_access">check_reverse_client_hostname_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified access(5) database for the MX hosts for the
@@ -5554,6 +5570,18 @@ Note: specify "smtpd_helo_required = yes" to fully enforce this
 restriction (without "smtpd_helo_required = yes", a client can
 simply skip check_helo_access by not sending HELO or EHLO).  </dd>
 
+<dt><b><a name="check_helo_a_access">check_helo_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified access(5) database for the IP addresses for
+the HELO or EHLO hostname, and execute the corresponding action.
+Note 1: a result of "OK" is not allowed for safety reasons. Instead,
+use DUNNO in order to exclude specific hosts from blacklists.  Note
+2: specify "smtpd_helo_required = yes" to fully enforce this
+restriction (without "smtpd_helo_required = yes", a client can
+simply skip check_helo_a_access by not sending HELO or EHLO).  This
+feature is available in Postfix 2.12 and later.
+</dd>
+
 <dt><b><a name="check_helo_mx_access">check_helo_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified access(5) database for the MX hosts for
@@ -5833,6 +5861,14 @@ that is received with the RCPT TO command.
 TO address, domain, parent domains, or localpart@, and execute the
 corresponding action.  </dd>
 
+<dt><b><a name="check_recipient_a_access">check_recipient_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified access(5) database for the IP addresses for
+the RCPT TO domain, and execute the corresponding action.  Note:
+a result of "OK" is not allowed for safety reasons. Instead, use
+DUNNO in order to exclude specific hosts from blacklists.  This
+feature is available in Postfix 2.12 and later. </dd>
+
 <dt><b><a name="check_recipient_mx_access">check_recipient_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified access(5) database for the MX hosts for
@@ -6334,10 +6370,18 @@ received with the MAIL FROM command.
 address, domain, parent domains, or localpart@, and execute the
 corresponding action. </dd>
 
+<dt><b><a name="check_sender_a_access">check_sender_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>Search the specified access(5) database for the IP addresses for
+the MAIL FROM domain, and execute the corresponding action.  Note:
+a result of "OK" is not allowed for safety reasons. Instead, use
+DUNNO in order to exclude specific hosts from blacklists.  This
+feature is available in Postfix 2.12 and later. </dd>
+
 <dt><b><a name="check_sender_mx_access">check_sender_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified access(5) database for the MX hosts for
-the MAIL FROM address, and execute the corresponding action.  Note:
+the MAIL FROM domain, and execute the corresponding action.  Note:
 a result of "OK" is not allowed for safety reasons. Instead, use
 DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later. </dd>
@@ -6345,7 +6389,7 @@ feature is available in Postfix 2.1 and later. </dd>
 <dt><b><a name="check_sender_ns_access">check_sender_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
 
 <dd>Search the specified access(5) database for the DNS servers
-for the MAIL FROM address, and execute the corresponding action.
+for the MAIL FROM domain, and execute the corresponding action.
 Note: a result of "OK" is not allowed for safety reasons. Instead,
 use DUNNO in order to exclude specific hosts from blacklists.  This
 feature is available in Postfix 2.1 and later.  </dd>
@@ -15900,23 +15944,50 @@ deliveries.  See default_delivery_status_filter for details.  </p>
 
 %PARAM shlib_directory see 'postconf -d' output
 
-<p> The location of Postfix shared libraries (libpostfix-*.so.*).
-This parameter defaults to "no" when Postfix shared libraries are
-disabled at compile time. </p>
+<p> The location of Postfix shared libraries (libpostfix-*.so),
+and the default location of Postfix database plugins (libpostfix-*.so)
+that have a relative pathname in the dynamicmaps.cf file.  The
+shlib_directory parameter defaults to "no" when Postfix shared
+libraries and database plugins are disabled at compile time, otherwise
+it typically defaults to /usr/lib/postfix or /usr/local/lib/postfix.
+</p>
 
-<p> NOTE: You can change the location of these files after Postfix
-is built. However, you may have to run ldconfig if you move the
-libpostfix-*.so.* files to a non-system directory.  No ldconfig is
-needed if you keep the libpostfix-*.so.* files in the compiled-in
-default $shlib_directory location. </p>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> The directory specified with shlib_directory should contain
+only Postfix-related files. Postfix shared libraries and database
+plugins should not be installed in a "public" system directory such
+as /usr/lib or /usr/local/lib. Linking Postfix shared-library files
+or database plugins into non-Postfix programs is not supported.
+Postfix shared libraries and database plugins implement a
+Postfix-internal API that changes without maintaining compatibility.
+</p>
+
+<li> <p> You can change the shlib_directory value after Postfix is
+built. However, you may have to run ldconfig or equivalent to prevent
+Postfix programs from failing because the libpostfix-*.so files are
+not found.  No ldconfig command is needed if you keep the libpostfix-*.so
+files in the compiled-in default $shlib_directory location. </p>
+
+</ul>
 
 <p> This feature is available in Postfix 2.12 and later. </p>
 
-%PARAM plugin_directory see 'postconf -d' output
+%PARAM meta_directory see 'postconf -d' output
 
-<p> The location of the Postfix dynamicmaps.cf database plugin
-configuration file, and of database plugins with a relative pathname.
-This is set to "no" when Postfix database plugin support is disabled
-at compile time. </p>
+<p> The location of non-executable files that are shared among
+multiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+and the multi-instance template files main.cf.proto and master.cf.proto.
+This directory should contain only Postfix-related files.  Typically,
+the meta_directory parameter has the same default as the config_directory
+parameter (/etc/postfix or /usr/local/etc/postfix).  </p>
+
+<p> For backwards compatibility with Postfix versions 2.6..2.11,
+specify "meta_directory = $daemon_directory" in main.cf before
+installing or upgrading Postfix, or specify "meta_directory =
+/path/name" on the "make makefiles", "make install" or "make upgrade"
+command line.  </p>
 
 <p> This feature is available in Postfix 2.12 and later. </p>
diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in
index 16e62a6a5..9bbbdb514 100644
--- a/postfix/src/global/Makefile.in
+++ b/postfix/src/global/Makefile.in
@@ -118,7 +118,6 @@ TESTPROG= domain_list dot_lockfile mail_addr_crunch mail_addr_find \
 LIBS	= ../../lib/lib$(LIB_PREFIX)util$(LIB_SUFFIX)
 LIB_DIR	= ../../lib
 INC_DIR	= ../../include
-PLG_DIR= ../../plugins
 PLUGIN_MAP_SO = $(LIB_PREFIX)ldap$(LIB_SUFFIX) $(LIB_PREFIX)mysql$(LIB_SUFFIX) \
 	$(LIB_PREFIX)pgsql$(LIB_SUFFIX) $(LIB_PREFIX)sqlite$(LIB_SUFFIX) \
 	$(LIB_PREFIX)lmdb$(LIB_SUFFIX) $(LIB_PREFIX)cdb$(LIB_SUFFIX) \
@@ -182,11 +181,11 @@ plugin_map_so_update: $(PLUGIN_MAP_SO)
 	do \
 	  for type in $(DEFINED_MAP_TYPES); do \
 	      case $$i in $(LIB_PREFIX)$$type$(LIB_SUFFIX)) \
-		  cmp -s $$i $(PLG_DIR)/$$i 2>/dev/null || cp $$i $(PLG_DIR); \
+		  cmp -s $$i $(LIB_DIR)/$$i 2>/dev/null || cp $$i $(LIB_DIR); \
 		  continue 2;; \
 	      esac; \
 	  done; \
-	  rm -f $(PLG_DIR)/$$i; \
+	  rm -f $(LIB_DIR)/$$i; \
 	done
 
 dot_lockfile: $(LIB) $(LIBS)
diff --git a/postfix/src/global/dynamicmaps.c b/postfix/src/global/dynamicmaps.c
index 544661620..358aa6077 100644
--- a/postfix/src/global/dynamicmaps.c
+++ b/postfix/src/global/dynamicmaps.c
@@ -6,7 +6,7 @@
 /* SYNOPSIS
 /*	#include <dynamicmaps.h>
 /*
-/*	void dymap_init(const char *path)
+/*	void dymap_init(const char *conf_path, const char *plugin_dir)
 /* DESCRIPTION
 /*	This module reads the dynamicmaps.cf file and performs
 /*	run-time loading of Postfix dictionaries. Each dynamicmaps.cf
@@ -14,19 +14,13 @@
 /*	of a shared-library object, the name of a "dict_open"
 /*	function for access to individual dictionary entries, and
 /*	optionally the name of a "mkmap_open" function for bulk-mode
-/*	dictionary creation. The configuration file's parent directory
-/*	is the default directory for shared-library objects with a
-/*	relative pathname.
+/*	dictionary creation. Plugins may be specified with a relative
+/*	pathname.
 /*
 /*	A dictionary may be installed without editing the file
 /*	dynamicmaps.cf, by placing a configuration file under the
 /*	directory dynamicmaps.cf.d, with the same format as
-/*	dynamicmaps.cf.  These configuration file names must end in
-/*	".cf".  As before, a configuration file's parent directory
-/*	is the default directory for shared-library objects with a
-/*	relative pathname. Thus, the directory dynamicmaps.cf.d may
-/*	contain both configuration files and shared-library object
-/*	files.
+/*	dynamicmaps.cf.
 /*
 /*	dymap_init() reads the specified configuration file which
 /*	is in dynamicmaps.cf format, and hooks itself into the
@@ -37,6 +31,12 @@
 /*	already been linked into the process address space, nor
 /*	will it hide their dictionaries types from later "open"
 /*	requests.
+/*
+/*	Arguments:
+/* .IP conf_path
+/*	Pathname for the dynamicmaps configuration file.
+/* .IP plugin_dir
+/*	Default directory for plugins with a relative pathname.
 /* SEE ALSO
 /*	load_lib(3) low-level run-time linker adapter
 /* DIAGNOSTICS
@@ -106,11 +106,6 @@ static DICT_OPEN_EXTEND_FN saved_dict_open_hook = 0;
 static MKMAP_OPEN_EXTEND_FN saved_mkmap_open_hook = 0;
 static DICT_MAPNAMES_EXTEND_FN saved_dict_mapnames_hook = 0;
 
- /*
-  * Mandatory dynamicmaps.cf.d/ configuration file suffix.
-  */
-#define DYMAP_CF_SUFFIX	".cf"
-
 #define STREQ(x, y) (strcmp((x), (y)) == 0)
 
 /* dymap_dict_lookup - look up "dict_foo_open" function */
@@ -143,7 +138,7 @@ static DICT_OPEN_FN dymap_dict_lookup(const char *dict_type)
     }
     if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
 	msg_warn("unsupported dictionary type: %s "
-		 "(%s: file is writable by non-root users)",
+		 "(%s: file is owned or writable by non-root users)",
 		 dict_type, dp->soname);
 	return (0);
     }
@@ -187,7 +182,7 @@ static MKMAP_OPEN_FN dymap_mkmap_lookup(const char *dict_type)
 		  dict_type, dp->soname, dict_type);
     if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
 	msg_fatal("unsupported dictionary type: %s "
-		  "(%s: file is writable by non-root users)",
+		  "(%s: file is owned or writable by non-root users)",
 		  dict_type, dp->soname);
     fn[0].name = dp->mkmap_name;
     fn[1].name = 0;
@@ -257,7 +252,7 @@ static void dymap_read_conf(const char *path, const char *path_base)
 	if (fstat(vstream_fileno(fp), &st) < 0)
 	    msg_fatal("%s: fstat failed; %m", path);
 	if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
-	    msg_warn("%s: file is writable by non-root users"
+	    msg_warn("%s: file is owned or writable by non-root users"
 		     " -- skipping this file", path);
 	} else {
 	    buf = vstring_alloc(100);
@@ -307,15 +302,13 @@ static void dymap_read_conf(const char *path, const char *path_base)
 
 /* dymap_init - initialize dictionary type to soname etc. mapping */
 
-void    dymap_init(const char *path)
+void    dymap_init(const char *conf_path, const char *plugin_dir)
 {
     const char myname[] = "dymap_init";
     SCAN_DIR *dir;
-    char   *path_base;
-    char   *path_d;
+    char   *conf_path_d;
     const char *conf_name;
-    char   *path_d_conf;
-    char   *suffix;
+    VSTRING *sub_conf_path;
 
     /*
      * Reload dynamicsmaps.cf, but don't reload already-loaded plugins.
@@ -327,35 +320,29 @@ void    dymap_init(const char *path)
     /*
      * Read dynamicmaps.cf.
      */
-    path_base = mystrdup(path);
-    (void) split_at_right(path_base, '/');
-    dymap_read_conf(path, path_base);
-    myfree(path_base);
+    dymap_read_conf(conf_path, plugin_dir);
 
     /*
-     * Read dynamicmaps.cf.d/filename entries. We allow shared-object files
-     * in dynamicmaps.cf.d. Therefore, configuration file names must have a
-     * distinct suffix.
+     * Read dynamicmaps.cf.d/filename entries.
      */
-    path_d = concatenate(path, ".d", (char *) 0);
-    if ((dir = scan_dir_open(path_d)) != 0) {
+    conf_path_d = concatenate(conf_path, ".d", (char *) 0);
+    if (access(conf_path_d, R_OK | X_OK) == 0
+	&& (dir = scan_dir_open(conf_path_d)) != 0) {
+	sub_conf_path = vstring_alloc(100);
 	while ((conf_name = scan_dir_next(dir)) != 0) {
-	    if ((suffix = strrchr(conf_name, '.')) != 0
-		&& strcmp(suffix, DYMAP_CF_SUFFIX) == 0) {
-		path_d_conf = concatenate(path_d, "/", conf_name, (char *) 0);
-		dymap_read_conf(path_d_conf, path_d);
-		myfree(path_d_conf);
-	    } else if (errno != 0) {
-		/* Don't crash all programs - degrade gracefully. */
-		msg_warn("%s: directory read error: %m", path_d);
-	    }
+	    vstring_sprintf(sub_conf_path, "%s/%s", conf_path_d, conf_name);
+	    dymap_read_conf(vstring_str(sub_conf_path), plugin_dir);
 	}
+	if (errno != 0)
+	    /* Don't crash all programs - degrade gracefully. */
+	    msg_warn("%s: directory read error: %m", conf_path_d);
 	scan_dir_close(dir);
+	vstring_free(sub_conf_path);
     } else if (errno != ENOENT) {
 	/* Don't crash all programs - degrade gracefully. */
-	msg_warn("%s: directory open failed: %m", path_d);
+	msg_warn("%s: directory open failed: %m", conf_path_d);
     }
-    myfree(path_d);
+    myfree(conf_path_d);
 
     /*
      * Future proofing, in case someone "improves" the code. We can't hook
diff --git a/postfix/src/global/dynamicmaps.h b/postfix/src/global/dynamicmaps.h
index d1613d4fe..1ac1f414d 100644
--- a/postfix/src/global/dynamicmaps.h
+++ b/postfix/src/global/dynamicmaps.h
@@ -16,7 +16,7 @@
   */
 #ifdef USE_DYNAMIC_LIBS
 
-extern void dymap_init(const char *);
+extern void dymap_init(const char *, const char *);
 
 #endif
 /* LICENSE
diff --git a/postfix/src/global/mail_dict.c b/postfix/src/global/mail_dict.c
index 8716c300a..6d6d729f2 100644
--- a/postfix/src/global/mail_dict.c
+++ b/postfix/src/global/mail_dict.c
@@ -85,12 +85,12 @@ void    mail_dict_init(void)
 #ifdef USE_DYNAMIC_MAPS
     char   *path;
 
-    path = concatenate(var_plugin_dir, "/", "dynamicmaps.cf",
+    path = concatenate(var_meta_dir, "/", "dynamicmaps.cf",
 #ifdef SHLIB_VERSION
 		       ".", SHLIB_VERSION,
 #endif
 		       (char *) 0);
-    dymap_init(path);
+    dymap_init(path, var_shlib_dir);
     myfree(path);
 #endif
 
diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c
index 0708ffd58..ba77e91cf 100644
--- a/postfix/src/global/mail_params.c
+++ b/postfix/src/global/mail_params.c
@@ -28,7 +28,7 @@
 /*	char	*var_daemon_dir;
 /*	char	*var_data_dir;
 /*	char	*var_command_dir;
-/*	char	*var_plugin_dir;
+/*	char	*var_meta_dir;
 /*	char	*var_queue_dir;
 /*	char	*var_shlib_dir;
 /*	int	var_use_limit;
@@ -179,9 +179,7 @@
 #include <safe_open.h>
 #include <mymalloc.h>
 #include <dict.h>
-#ifdef HAS_DB
 #include <dict_db.h>
-#endif
 #include <dict_lmdb.h>
 #include <inet_proto.h>
 #include <vstring_vstream.h>
@@ -222,7 +220,7 @@ char   *var_config_dir;
 char   *var_daemon_dir;
 char   *var_data_dir;
 char   *var_command_dir;
-char   *var_plugin_dir;
+char   *var_meta_dir;
 char   *var_queue_dir;
 char   *var_shlib_dir;
 int     var_use_limit;
@@ -322,6 +320,7 @@ char   *var_dsn_filter;
 const char null_format_string[1] = "";
 
 DEFINE_DICT_LMDB_MAP_SIZE;
+DEFINE_DICT_DB_CACHE_SIZE;
 
 /* check_myhostname - lookup hostname and validate */
 
@@ -557,7 +556,7 @@ void    mail_params_init()
 	VAR_DAEMON_DIR, DEF_DAEMON_DIR, &var_daemon_dir, 1, 0,
 	VAR_DATA_DIR, DEF_DATA_DIR, &var_data_dir, 1, 0,
 	VAR_COMMAND_DIR, DEF_COMMAND_DIR, &var_command_dir, 1, 0,
-	VAR_PLUGIN_DIR, DEF_PLUGIN_DIR, &var_plugin_dir, 1, 0,
+	VAR_META_DIR, DEF_META_DIR, &var_meta_dir, 1, 0,
 	VAR_QUEUE_DIR, DEF_QUEUE_DIR, &var_queue_dir, 1, 0,
 	VAR_SHLIB_DIR, DEF_SHLIB_DIR, &var_shlib_dir, 1, 0,
 	VAR_PID_DIR, DEF_PID_DIR, &var_pid_dir, 1, 0,
@@ -731,9 +730,7 @@ void    mail_params_init()
     check_mail_owner();
     check_sgid_group();
     check_overlap();
-#ifdef HAS_DB
     dict_db_cache_size = var_db_read_buf;
-#endif
     dict_lmdb_map_size = var_lmdb_map_size;
     inet_windowsize = var_inet_windowsize;
 
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index c268b6ec8..8eddb1cab 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -2204,6 +2204,11 @@ extern int var_map_defer_code;
 #define CHECK_HELO_NS_ACL	"check_helo_ns_access"
 #define CHECK_SENDER_NS_ACL	"check_sender_ns_access"
 #define CHECK_RECIP_NS_ACL	"check_recipient_ns_access"
+#define CHECK_CLIENT_A_ACL	"check_client_a_access"
+#define CHECK_REVERSE_CLIENT_A_ACL "check_reverse_client_hostname_a_access"
+#define CHECK_HELO_A_ACL	"check_helo_a_access"
+#define CHECK_SENDER_A_ACL	"check_sender_a_access"
+#define CHECK_RECIP_A_ACL	"check_recipient_a_access"
 
 #define WARN_IF_REJECT		"warn_if_reject"
 
@@ -3789,15 +3794,15 @@ extern char *var_local_dsn_filter;
   */
 #define VAR_SHLIB_DIR	"shlib_directory"
 #ifndef DEF_SHLIB_DIR
-#define DEF_SHLIB_DIR	"/usr/local/lib"
+#define DEF_SHLIB_DIR	"/usr/lib/postfix/$mail_version"
 #endif
 extern char *var_shlib_dir;
 
-#define VAR_PLUGIN_DIR	"plugin_directory"
-#ifndef DEF_PLUGIN_DIR
-#define DEF_PLUGIN_DIR	"/usr/libexec/postfix"
+#define VAR_META_DIR	"meta_directory"
+#ifndef DEF_META_DIR
+#define DEF_META_DIR	DEF_CONFIG_DIR
 #endif
-extern char *var_plugin_dir;
+extern char *var_meta_dir;
 
 /* LICENSE
 /* .ad
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index bd2583373..977bb88e7 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20140618"
+#define MAIL_RELEASE_DATE	"20140625"
 #define MAIL_VERSION_NUMBER	"2.12"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/postfix/postfix.c b/postfix/src/postfix/postfix.c
index c8f08a307..a1ec5ff4f 100644
--- a/postfix/src/postfix/postfix.c
+++ b/postfix/src/postfix/postfix.c
@@ -155,11 +155,14 @@
 /*	caches, pseudo-random numbers).
 /* .PP
 /*	Available in Postfix version 2.12 and later:
-/* .IP "\fBplugin_directory (see 'postconf -d' output)\fR"
-/*	The location of the Postfix dynamicmaps.cf database plugin
-/*	configuration file, and of database plugins with a relative pathname.
+/* .IP "\fBmeta_directory (see 'postconf -d' output)\fR"
+/*	The location of non-executable files that are shared among
+/*	multiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+/*	and the multi-instance template files main.cf.proto and master.cf.proto.
 /* .IP "\fBshlib_directory (see 'postconf -d' output)\fR"
-/*	The location of Postfix shared libraries (libpostfix-*.so.*).
+/*	The location of Postfix shared libraries (libpostfix-*.so.*),
+/*	and of Postfix database plugins that have a relative pathname in
+/*	the dynamicmaps.cf file.
 /* .PP
 /*	Other configuration parameters:
 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
@@ -508,7 +511,7 @@ int     main(int argc, char **argv)
     check_setenv(VAR_COMMAND_DIR, var_command_dir);	/* main.cf */
     check_setenv(VAR_DAEMON_DIR, var_daemon_dir);	/* main.cf */
     check_setenv(VAR_DATA_DIR, var_data_dir);	/* main.cf */
-    check_setenv(VAR_PLUGIN_DIR, var_plugin_dir);	/* main.cf */
+    check_setenv(VAR_META_DIR, var_meta_dir);	/* main.cf */
     check_setenv(VAR_QUEUE_DIR, var_queue_dir);	/* main.cf */
     check_setenv(VAR_CONFIG_DIR, var_config_dir);	/* main.cf */
     check_setenv(VAR_SHLIB_DIR, var_shlib_dir);	/* main.cf */
diff --git a/postfix/src/postmulti/postmulti.c b/postfix/src/postmulti/postmulti.c
index 14cd1933f..00c57010a 100644
--- a/postfix/src/postmulti/postmulti.c
+++ b/postfix/src/postmulti/postmulti.c
@@ -352,9 +352,19 @@
 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
 /*	The mail system name that is prepended to the process name in syslog
 /*	records, so that "smtpd" becomes, for example, "postfix/smtpd".
+/* .PP
+/*	Available in Postfix 2.12 and later:
+/* .IP "\fBmeta_directory (see 'postconf -d' output)\fR"
+/*	The location of non-executable files that are shared among
+/*	multiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+/*	and the multi-instance template files main.cf.proto and master.cf.proto.
+/* .IP "\fBshlib_directory (see 'postconf -d' output)\fR"
+/*	The location of Postfix shared libraries (libpostfix-*.so.*),
+/*	and of Postfix database plugins that have a relative pathname in
+/*	the dynamicmaps.cf file.
 /* FILES
-/*	$daemon_directory/main.cf, stock configuration file
-/*	$daemon_directory/master.cf, stock configuration file
+/*	$meta_directory/main.cf.proto, stock configuration file
+/*	$meta_directory/master.cf.proto, stock configuration file
 /*	$daemon_directory/postmulti-script, life-cycle helper program
 /* SEE ALSO
 /*	postfix(1), Postfix control program
@@ -447,6 +457,8 @@ typedef struct {
 static SHARED_PATH shared_dir_table[] = {
     VAR_COMMAND_DIR, &var_command_dir,
     VAR_DAEMON_DIR, &var_daemon_dir,
+    VAR_META_DIR, &var_meta_dir,
+    VAR_SHLIB_DIR, &var_shlib_dir,
     0,
 };
 
@@ -942,13 +954,22 @@ static void check_shared_dir_status(void)
     struct stat st;
     const SHARED_PATH *sp;
 
+    /*
+     * XXX Avoid false conflicts with meta_directory. This usually overlaps
+     * with other directories, typcally config_directory, shlib_directory or
+     * daemon_directory.
+     */
     for (sp = shared_dir_table; sp->param_name; ++sp) {
+	if (sp->param_value[0][0] != '/')	/* "no" or other special */
+	    continue;
 	if (stat(sp->param_value[0], &st) < 0)
 	    msg_fatal("%s = '%s': directory not found: %m",
 		      sp->param_name, sp->param_value[0]);
 	if (!S_ISDIR(st.st_mode))
 	    msg_fatal("%s = '%s' is not a directory",
 		      sp->param_name, sp->param_value[0]);
+	if (strcmp(sp->param_name, VAR_META_DIR) == 0)
+	    continue;
 	register_claim(var_config_dir, sp->param_name, sp->param_value[0]);
     }
 }
diff --git a/postfix/src/qmqpd/qmqpd.c b/postfix/src/qmqpd/qmqpd.c
index c720704f2..6b8f4f610 100644
--- a/postfix/src/qmqpd/qmqpd.c
+++ b/postfix/src/qmqpd/qmqpd.c
@@ -706,7 +706,8 @@ static void qmqpd_proto(QMQPD_STATE *state)
      */
     if (state->reason && state->where)
 	msg_info("%s: %s: %s while %s",
-	      state->queue_id, state->namaddr, state->reason, state->where);
+		 state->queue_id ? state->queue_id : "NOQUEUE",
+		 state->namaddr, state->reason, state->where);
 }
 
 /* qmqpd_service - service one client */
diff --git a/postfix/src/smtpd/Makefile.in b/postfix/src/smtpd/Makefile.in
index b0c375ef9..4e3397d0e 100644
--- a/postfix/src/smtpd/Makefile.in
+++ b/postfix/src/smtpd/Makefile.in
@@ -74,7 +74,8 @@ tidy:	clean
 
 tests: smtpd_check_test smtpd_check_test2 smtpd_acl_test smtpd_exp_test \
 	smtpd_token_test smtpd_check_test4 smtpd_check_dsn_test \
-	smtpd_check_backup_test smtpd_dnswl_test smtpd_error_test
+	smtpd_check_backup_test smtpd_dnswl_test smtpd_error_test \
+	smtpd_server_test
 
 root_tests:
 
@@ -114,6 +115,12 @@ smtpd_exp_test: smtpd_check smtpd_exp.in smtpd_exp.ref
 	diff smtpd_exp.ref smtpd_exp.tmp
 	rm -f smtpd_exp.tmp smtpd_check_access.*
 
+smtpd_server_test: smtpd_check smtpd_server.in smtpd_server.ref
+	$(SHLIB_ENV) ../postmap/postmap hash:smtpd_check_access
+	$(SHLIB_ENV) ./smtpd_check <smtpd_server.in >smtpd_server.tmp 2>&1
+	diff smtpd_server.ref smtpd_server.tmp
+	rm -f smtpd_server.tmp smtpd_check_access.*
+
 smtpd_check_dsn_test: smtpd_check smtpd_check_dsn.in smtpd_check_dsn.ref smtpd_check_access
 	$(SHLIB_ENV) ../postmap/postmap hash:smtpd_check_access
 	$(SHLIB_ENV) ./smtpd_check <smtpd_check_dsn.in >smtpd_check.tmp 2>&1
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 930f47567..8ba92cbc3 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -2668,7 +2668,11 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
     /*
      * Sanity check.
      */
-    if (type != T_MX && type != T_NS)
+    if (type != T_MX && type != T_NS && type != T_A
+#ifdef HAS_IPV6
+	&& type != T_AAAA
+#endif
+	)
 	msg_panic("%s: unexpected resource type \"%s\" in request",
 		  myname, dns_strtype(type));
 
@@ -2711,6 +2715,9 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
     }
 
     /*
+     * If the request is type A or AAAA, fabricate an MX record that points
+     * to the domain name itself, and skip name-based access control.
+     * 
      * If the domain name does not exist then we apply no restriction.
      * 
      * If the domain name exists but no MX record exists, fabricate an MX record
@@ -2719,27 +2726,36 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
      * If the domain name exists but no NS record exists, look up parent domain
      * NS records.
      */
-    dns_status = dns_lookup(domain, type, 0, &server_list,
-			    (VSTRING *) 0, (VSTRING *) 0);
-    if (dns_status == DNS_NOTFOUND /* Not: h_errno == NO_DATA */ ) {
-	if (type == T_MX) {
-	    server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0,
-					domain, strlen(domain) + 1);
-	    dns_status = DNS_OK;
-	} else if (type == T_NS && h_errno == NO_DATA) {
-	    while ((domain = strchr(domain, '.')) != 0 && domain[1]) {
-		domain += 1;
-		dns_status = dns_lookup(domain, type, 0, &server_list,
-					(VSTRING *) 0, (VSTRING *) 0);
-		if (dns_status != DNS_NOTFOUND || h_errno != NO_DATA)
-		    break;
+    if (type == T_A
+#ifdef HAS_IPV6
+	|| type == T_AAAA
+#endif
+	) {
+	server_list = dns_rr_create(domain, domain, T_MX, C_IN, 0, 0,
+				    domain, strlen(domain) + 1);
+    } else {
+	dns_status = dns_lookup(domain, type, 0, &server_list,
+				(VSTRING *) 0, (VSTRING *) 0);
+	if (dns_status == DNS_NOTFOUND /* Not: h_errno == NO_DATA */ ) {
+	    if (type == T_MX) {
+		server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0,
+					    domain, strlen(domain) + 1);
+		dns_status = DNS_OK;
+	    } else if (type == T_NS && h_errno == NO_DATA) {
+		while ((domain = strchr(domain, '.')) != 0 && domain[1]) {
+		    domain += 1;
+		    dns_status = dns_lookup(domain, type, 0, &server_list,
+					    (VSTRING *) 0, (VSTRING *) 0);
+		    if (dns_status != DNS_NOTFOUND || h_errno != NO_DATA)
+			break;
+		}
 	    }
 	}
-    }
-    if (dns_status != DNS_OK) {
-	msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type),
-		 domain && domain[1] ? domain : name, dns_strerror(h_errno));
-	return (SMTPD_CHECK_DUNNO);
+	if (dns_status != DNS_OK) {
+	    msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type),
+		domain && domain[1] ? domain : name, dns_strerror(h_errno));
+	    return (SMTPD_CHECK_DUNNO);
+	}
     }
 
     /*
@@ -2762,15 +2778,17 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 		CHECK_SERVER_RETURN(status);
 	    continue;
 	}
-	if ((status = check_domain_access(state, table, (char *) server->data,
+	if (type != T_A && type != T_AAAA
+	    && ((status = check_domain_access(state, table, (char *) server->data,
 				      FULL, &found, reply_name, reply_class,
-					  def_acl)) != 0 || found)
+					      def_acl)) != 0 || found))
 	    CHECK_SERVER_RETURN(status);
 	if ((aierr = hostname_to_sockaddr((char *) server->data,
 					  (char *) 0, 0, &res0)) != 0) {
-	    msg_warn("Unable to look up %s host %s for %s %s: %s",
-		     dns_strtype(type), (char *) server->data,
-		     reply_class, reply_name, MAI_STRERROR(aierr));
+	    if (type != T_A && type != T_AAAA)
+		msg_warn("Unable to look up %s host %s for %s %s: %s",
+			 dns_strtype(type), (char *) server->data,
+			 reply_class, reply_name, MAI_STRERROR(aierr));
 	    continue;
 	}
 	/* Now we must also free the addrinfo result. */
@@ -3950,6 +3968,13 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					     SMTPD_NAME_CLIENT, def_acl);
 		forbid_whitelist(state, name, status, state->name);
 	    }
+	} else if (is_map_command(state, name, CHECK_CLIENT_A_ACL, &cpp)) {
+	    if (strcasecmp(state->name, "unknown") != 0) {
+		status = check_server_access(state, *cpp, state->name,
+					     T_A, state->namaddr,
+					     SMTPD_NAME_CLIENT, def_acl);
+		forbid_whitelist(state, name, status, state->name);
+	    }
 	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) {
 	    if (strcasecmp(state->reverse_name, "unknown") != 0) {
 		status = check_server_access(state, *cpp, state->reverse_name,
@@ -3964,6 +3989,13 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					     SMTPD_NAME_REV_CLIENT, def_acl);
 		forbid_whitelist(state, name, status, state->reverse_name);
 	    }
+	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_A_ACL, &cpp)) {
+	    if (strcasecmp(state->reverse_name, "unknown") != 0) {
+		status = check_server_access(state, *cpp, state->reverse_name,
+					     T_A, state->namaddr,
+					     SMTPD_NAME_REV_CLIENT, def_acl);
+		forbid_whitelist(state, name, status, state->reverse_name);
+	    }
 	}
 
 	/*
@@ -4018,6 +4050,13 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					     SMTPD_NAME_HELO, def_acl);
 		forbid_whitelist(state, name, status, state->helo_name);
 	    }
+	} else if (is_map_command(state, name, CHECK_HELO_A_ACL, &cpp)) {
+	    if (state->helo_name) {
+		status = check_server_access(state, *cpp, state->helo_name,
+					     T_A, state->helo_name,
+					     SMTPD_NAME_HELO, def_acl);
+		forbid_whitelist(state, name, status, state->helo_name);
+	    }
 	} else if (strcasecmp(name, REJECT_NON_FQDN_HELO_HOSTNAME) == 0
 		   || strcasecmp(name, REJECT_NON_FQDN_HOSTNAME) == 0) {
 	    if (state->helo_name) {
@@ -4115,6 +4154,13 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					     SMTPD_NAME_SENDER, def_acl);
 		forbid_whitelist(state, name, status, state->sender);
 	    }
+	} else if (is_map_command(state, name, CHECK_SENDER_A_ACL, &cpp)) {
+	    if (state->sender && *state->sender) {
+		status = check_server_access(state, *cpp, state->sender,
+					     T_A, state->sender,
+					     SMTPD_NAME_SENDER, def_acl);
+		forbid_whitelist(state, name, status, state->sender);
+	    }
 	} else if (strcasecmp(name, REJECT_RHSBL_SENDER) == 0) {
 	    if (cpp[1] == 0)
 		msg_warn("restriction %s requires domain name argument", name);
@@ -4212,6 +4258,13 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					     SMTPD_NAME_RECIPIENT, def_acl);
 		forbid_whitelist(state, name, status, state->recipient);
 	    }
+	} else if (is_map_command(state, name, CHECK_RECIP_A_ACL, &cpp)) {
+	    if (state->recipient && *state->recipient) {
+		status = check_server_access(state, *cpp, state->recipient,
+					     T_A, state->recipient,
+					     SMTPD_NAME_RECIPIENT, def_acl);
+		forbid_whitelist(state, name, status, state->recipient);
+	    }
 	} else if (strcasecmp(name, REJECT_RHSBL_RECIPIENT) == 0) {
 	    if (cpp[1] == 0)
 		msg_warn("restriction %s requires domain name argument", name);
diff --git a/postfix/src/smtpd/smtpd_check_access b/postfix/src/smtpd/smtpd_check_access
index 97761bd9b..663f18090 100644
--- a/postfix/src/smtpd/smtpd_check_access
+++ b/postfix/src/smtpd/smtpd_check_access
@@ -31,6 +31,8 @@ ok@ok.domain		OK
 ok.domain		OK
 <>			550 Go away postmaster
 
+54.187.136.235		reject bizsat.net, gypsysoul.org spam
+
 blackholes.mail-abuse.org	$rbl_code client=$client
  client_address=$client_address
  client_name=$client_name helo_name=$helo_name 
diff --git a/postfix/src/smtpd/smtpd_exp.in b/postfix/src/smtpd/smtpd_exp.in
index e60ed878a..a8baf7656 100644
--- a/postfix/src/smtpd/smtpd_exp.in
+++ b/postfix/src/smtpd/smtpd_exp.in
@@ -60,35 +60,3 @@ recipient_restrictions reject_rhsbl_helo,abuse.rfc-ignorant.org
 helo example.tld
 mail sname@sdomain
 rcpt rname@rdomain
-#
-# Check MX access
-#
-helo_restrictions check_helo_mx_access,hash:smtpd_check_access
-#helo verisign-wildcard.com
-helo verisign.com
-helo example.tld
-sender_restrictions check_sender_mx_access,hash:smtpd_check_access
-mail foo@pls.net.au
-#mail foo@verisign-wildcard.com
-mail foo@verisign.com
-recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
-#rcpt foo@verisign-wildcard.com
-rcpt foo@verisign.com
-rcpt foo@1.2.3.porcupine.org
-#
-# Check NS access
-#
-helo_restrictions check_helo_ns_access,hash:smtpd_check_access
-helo email-publisher.com
-helo ns1.topica.com
-#helo verisign-wildcard.com
-helo example.tld
-sender_restrictions check_sender_ns_access,hash:smtpd_check_access
-mail foo@email-publisher.com
-mail foo@ns1.topica.com
-#mail foo@verisign-wildcard.com
-recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
-rcpt foo@email-publisher.com
-rcpt foo@ns1.topica.com
-#rcpt foo@verisign-wildcard.com
-rcpt foo@1.2.3.porcupine.org
diff --git a/postfix/src/smtpd/smtpd_exp.ref b/postfix/src/smtpd/smtpd_exp.ref
index 7a41e21bd..5e4264d62 100644
--- a/postfix/src/smtpd/smtpd_exp.ref
+++ b/postfix/src/smtpd/smtpd_exp.ref
@@ -109,65 +109,3 @@ OK
 >>> rcpt rname@rdomain
 ./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<example.tld>
 554 5.7.1 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain
->>> #
->>> # Check MX access
->>> #
->>> helo_restrictions check_helo_mx_access,hash:smtpd_check_access
-OK
->>> #helo verisign-wildcard.com
->>> helo verisign.com
-OK
->>> helo example.tld
-./smtpd_check: warning: Unable to look up MX host example.tld for Helo command example.tld: hostname nor servname provided, or not known
-OK
->>> sender_restrictions check_sender_mx_access,hash:smtpd_check_access
-OK
->>> mail foo@pls.net.au
-OK
->>> #mail foo@verisign-wildcard.com
->>> mail foo@verisign.com
-OK
->>> recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
-OK
->>> #rcpt foo@verisign-wildcard.com
->>> rcpt foo@verisign.com
-OK
->>> rcpt foo@1.2.3.porcupine.org
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10; from=<foo@verisign.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
-554 5.7.1 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10
->>> #
->>> # Check NS access
->>> #
->>> helo_restrictions check_helo_ns_access,hash:smtpd_check_access
-OK
->>> helo email-publisher.com
-./smtpd_check: <queue id>: reject: HELO from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <email-publisher.com>: Helo command rejected: Access denied; from=<foo@verisign.com> proto=SMTP helo=<email-publisher.com>
-554 5.7.1 <email-publisher.com>: Helo command rejected: Access denied
->>> helo ns1.topica.com
-./smtpd_check: <queue id>: reject: HELO from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <ns1.topica.com>: Helo command rejected: Access denied; from=<foo@verisign.com> proto=SMTP helo=<ns1.topica.com>
-554 5.7.1 <ns1.topica.com>: Helo command rejected: Access denied
->>> #helo verisign-wildcard.com
->>> helo example.tld
-./smtpd_check: warning: Unable to look up NS host for example.tld: Host not found
-OK
->>> sender_restrictions check_sender_ns_access,hash:smtpd_check_access
-OK
->>> mail foo@email-publisher.com
-./smtpd_check: <queue id>: reject: MAIL from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@email-publisher.com>: Sender address rejected: Access denied; from=<foo@email-publisher.com> proto=SMTP helo=<example.tld>
-554 5.7.1 <foo@email-publisher.com>: Sender address rejected: Access denied
->>> mail foo@ns1.topica.com
-./smtpd_check: <queue id>: reject: MAIL from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@ns1.topica.com>: Sender address rejected: Access denied; from=<foo@ns1.topica.com> proto=SMTP helo=<example.tld>
-554 5.7.1 <foo@ns1.topica.com>: Sender address rejected: Access denied
->>> #mail foo@verisign-wildcard.com
->>> recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
-OK
->>> rcpt foo@email-publisher.com
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@email-publisher.com>: Recipient address rejected: Access denied; from=<foo@ns1.topica.com> to=<foo@email-publisher.com> proto=SMTP helo=<example.tld>
-554 5.7.1 <foo@email-publisher.com>: Recipient address rejected: Access denied
->>> rcpt foo@ns1.topica.com
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@ns1.topica.com>: Recipient address rejected: Access denied; from=<foo@ns1.topica.com> to=<foo@ns1.topica.com> proto=SMTP helo=<example.tld>
-554 5.7.1 <foo@ns1.topica.com>: Recipient address rejected: Access denied
->>> #rcpt foo@verisign-wildcard.com
->>> rcpt foo@1.2.3.porcupine.org
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org; from=<foo@ns1.topica.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
-554 5.7.1 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org
diff --git a/postfix/src/smtpd/smtpd_server.in b/postfix/src/smtpd/smtpd_server.in
new file mode 100644
index 000000000..8bd78bceb
--- /dev/null
+++ b/postfix/src/smtpd/smtpd_server.in
@@ -0,0 +1,59 @@
+#
+# Initialize.
+#
+#! ../bin/postmap smtpd_check_access
+#msg_verbose 1
+smtpd_delay_reject 0
+mynetworks 127.0.0.0/8,168.100.189.0/28
+relay_domains porcupine.org
+maps_rbl_domains dnsbltest.porcupine.org
+rbl_reply_maps hash:smtpd_check_access
+client spike.porcupine.org 168.100.189.2
+#
+# Check MX access
+#
+helo_restrictions check_helo_mx_access,hash:smtpd_check_access
+#helo verisign-wildcard.com
+helo verisign.com
+helo example.tld
+sender_restrictions check_sender_mx_access,hash:smtpd_check_access
+mail foo@pls.net.au
+#mail foo@verisign-wildcard.com
+mail foo@verisign.com
+recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
+#rcpt foo@verisign-wildcard.com
+rcpt foo@verisign.com
+rcpt foo@1.2.3.porcupine.org
+#
+# Check NS access
+#
+helo_restrictions check_helo_ns_access,hash:smtpd_check_access
+helo email-publisher.com
+helo ns1.topica.com
+#helo verisign-wildcard.com
+helo example.tld
+sender_restrictions check_sender_ns_access,hash:smtpd_check_access
+mail foo@email-publisher.com
+mail foo@ns1.topica.com
+#mail foo@verisign-wildcard.com
+recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
+rcpt foo@email-publisher.com
+rcpt foo@ns1.topica.com
+#rcpt foo@verisign-wildcard.com
+rcpt foo@1.2.3.porcupine.org
+#
+# Check A access
+#
+helo_restrictions check_helo_a_access,hash:smtpd_check_access
+helo help.gypsysoul.org
+helo gypsysoul.org
+client_restrictions check_client_a_access,hash:smtpd_check_access
+client help.gypsysoul.org 1.2.3.4
+client gypsysoul.org 1.2.3.4
+#reverse_client_restrictions check_reverse_client_a_access,hash:smtpd_check_access
+#client help.gypsysoul.org 1.2.3.4
+#client gypsysoul.org 1.2.3.4
+sender_restrictions check_sender_a_access,hash:smtpd_check_access
+mail foo@gypsysoul.org
+recipient_restrictions check_recipient_a_access,hash:smtpd_check_access
+mail foo@gypsysoul.org
diff --git a/postfix/src/smtpd/smtpd_server.ref b/postfix/src/smtpd/smtpd_server.ref
new file mode 100644
index 000000000..fee9ad29e
--- /dev/null
+++ b/postfix/src/smtpd/smtpd_server.ref
@@ -0,0 +1,109 @@
+>>> #
+>>> # Initialize.
+>>> #
+>>> #! ../bin/postmap smtpd_check_access
+>>> #msg_verbose 1
+>>> smtpd_delay_reject 0
+OK
+>>> mynetworks 127.0.0.0/8,168.100.189.0/28
+OK
+>>> relay_domains porcupine.org
+OK
+>>> maps_rbl_domains dnsbltest.porcupine.org
+OK
+>>> rbl_reply_maps hash:smtpd_check_access
+OK
+>>> client spike.porcupine.org 168.100.189.2
+OK
+>>> #
+>>> # Check MX access
+>>> #
+>>> helo_restrictions check_helo_mx_access,hash:smtpd_check_access
+OK
+>>> #helo verisign-wildcard.com
+>>> helo verisign.com
+OK
+>>> helo example.tld
+./smtpd_check: warning: Unable to look up MX host example.tld for Helo command example.tld: hostname nor servname provided, or not known
+OK
+>>> sender_restrictions check_sender_mx_access,hash:smtpd_check_access
+OK
+>>> mail foo@pls.net.au
+OK
+>>> #mail foo@verisign-wildcard.com
+>>> mail foo@verisign.com
+OK
+>>> recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
+OK
+>>> #rcpt foo@verisign-wildcard.com
+>>> rcpt foo@verisign.com
+OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10; from=<foo@verisign.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+554 5.7.1 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10
+>>> #
+>>> # Check NS access
+>>> #
+>>> helo_restrictions check_helo_ns_access,hash:smtpd_check_access
+OK
+>>> helo email-publisher.com
+./smtpd_check: <queue id>: reject: HELO from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <email-publisher.com>: Helo command rejected: Access denied; from=<foo@verisign.com> proto=SMTP helo=<email-publisher.com>
+554 5.7.1 <email-publisher.com>: Helo command rejected: Access denied
+>>> helo ns1.topica.com
+./smtpd_check: <queue id>: reject: HELO from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <ns1.topica.com>: Helo command rejected: Access denied; from=<foo@verisign.com> proto=SMTP helo=<ns1.topica.com>
+554 5.7.1 <ns1.topica.com>: Helo command rejected: Access denied
+>>> #helo verisign-wildcard.com
+>>> helo example.tld
+./smtpd_check: warning: Unable to look up NS host for example.tld: Host not found
+OK
+>>> sender_restrictions check_sender_ns_access,hash:smtpd_check_access
+OK
+>>> mail foo@email-publisher.com
+./smtpd_check: <queue id>: reject: MAIL from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@email-publisher.com>: Sender address rejected: Access denied; from=<foo@email-publisher.com> proto=SMTP helo=<example.tld>
+554 5.7.1 <foo@email-publisher.com>: Sender address rejected: Access denied
+>>> mail foo@ns1.topica.com
+./smtpd_check: <queue id>: reject: MAIL from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@ns1.topica.com>: Sender address rejected: Access denied; from=<foo@ns1.topica.com> proto=SMTP helo=<example.tld>
+554 5.7.1 <foo@ns1.topica.com>: Sender address rejected: Access denied
+>>> #mail foo@verisign-wildcard.com
+>>> recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
+OK
+>>> rcpt foo@email-publisher.com
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@email-publisher.com>: Recipient address rejected: Access denied; from=<foo@ns1.topica.com> to=<foo@email-publisher.com> proto=SMTP helo=<example.tld>
+554 5.7.1 <foo@email-publisher.com>: Recipient address rejected: Access denied
+>>> rcpt foo@ns1.topica.com
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@ns1.topica.com>: Recipient address rejected: Access denied; from=<foo@ns1.topica.com> to=<foo@ns1.topica.com> proto=SMTP helo=<example.tld>
+554 5.7.1 <foo@ns1.topica.com>: Recipient address rejected: Access denied
+>>> #rcpt foo@verisign-wildcard.com
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org; from=<foo@ns1.topica.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+554 5.7.1 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org
+>>> #
+>>> # Check A access
+>>> #
+>>> helo_restrictions check_helo_a_access,hash:smtpd_check_access
+OK
+>>> helo help.gypsysoul.org
+OK
+>>> helo gypsysoul.org
+./smtpd_check: <queue id>: reject: HELO from spike.porcupine.org[168.100.189.2]: 554 5.7.1 <gypsysoul.org>: Helo command rejected: bizsat.net, gypsysoul.org spam; from=<foo@ns1.topica.com> proto=SMTP helo=<gypsysoul.org>
+554 5.7.1 <gypsysoul.org>: Helo command rejected: bizsat.net, gypsysoul.org spam
+>>> client_restrictions check_client_a_access,hash:smtpd_check_access
+OK
+>>> client help.gypsysoul.org 1.2.3.4
+OK
+>>> client gypsysoul.org 1.2.3.4
+./smtpd_check: <queue id>: reject: CONNECT from gypsysoul.org[1.2.3.4]: 554 5.7.1 <gypsysoul.org[1.2.3.4]>: Client host rejected: bizsat.net, gypsysoul.org spam; from=<foo@ns1.topica.com> proto=SMTP helo=<gypsysoul.org>
+554 5.7.1 <gypsysoul.org[1.2.3.4]>: Client host rejected: bizsat.net, gypsysoul.org spam
+>>> #reverse_client_restrictions check_reverse_client_a_access,hash:smtpd_check_access
+>>> #client help.gypsysoul.org 1.2.3.4
+>>> #client gypsysoul.org 1.2.3.4
+>>> sender_restrictions check_sender_a_access,hash:smtpd_check_access
+OK
+>>> mail foo@gypsysoul.org
+./smtpd_check: <queue id>: reject: MAIL from gypsysoul.org[1.2.3.4]: 554 5.7.1 <foo@gypsysoul.org>: Sender address rejected: bizsat.net, gypsysoul.org spam; from=<foo@gypsysoul.org> proto=SMTP helo=<gypsysoul.org>
+554 5.7.1 <foo@gypsysoul.org>: Sender address rejected: bizsat.net, gypsysoul.org spam
+>>> recipient_restrictions check_recipient_a_access,hash:smtpd_check_access
+OK
+>>> mail foo@gypsysoul.org
+./smtpd_check: <queue id>: reject: MAIL from gypsysoul.org[1.2.3.4]: 554 5.7.1 <foo@gypsysoul.org>: Sender address rejected: bizsat.net, gypsysoul.org spam; from=<foo@gypsysoul.org> proto=SMTP helo=<gypsysoul.org>
+554 5.7.1 <foo@gypsysoul.org>: Sender address rejected: bizsat.net, gypsysoul.org spam
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index f6b283549..8b3dcd572 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -854,10 +854,10 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
 	if (TLScontext->log_mask & TLS_LOG_VERBOSE) {
 	    X509_NAME_oneline(X509_get_subject_name(peer),
 			      buf, sizeof(buf));
-	    msg_info("subject=%s", buf);
+	    msg_info("subject=%s", printable(buf, '?'));
 	    X509_NAME_oneline(X509_get_issuer_name(peer),
 			      buf, sizeof(buf));
-	    msg_info("issuer=%s", buf);
+	    msg_info("issuer=%s", printable(buf, '?'));
 	}
 	TLScontext->peer_CN = tls_peer_CN(peer, TLScontext);
 	TLScontext->issuer_CN = tls_issuer_CN(peer, TLScontext);
diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in
index f32f8f07e..c7ef0a5ec 100644
--- a/postfix/src/util/Makefile.in
+++ b/postfix/src/util/Makefile.in
@@ -128,7 +128,6 @@ PLUGIN_MAP_SO = $(LIB_PREFIX)pcre$(LIB_SUFFIX)
 
 LIB_DIR	= ../../lib
 INC_DIR	= ../../include
-PLG_DIR = ../../plugins
 
 .c.o:;	$(CC) $(SHLIB_CFLAGS) $(CFLAGS) -c $*.c
 
@@ -168,11 +167,11 @@ plugin_map_so_update: $(PLUGIN_MAP_SO)
 	do \
 	  for type in $(DEFINED_MAP_TYPES); do \
 	      case $$i in $(LIB_PREFIX)$$type$(LIB_SUFFIX)) \
-		  cmp -s $$i $(PLG_DIR)/$$i 2>/dev/null || cp $$i $(PLG_DIR); \
+		  cmp -s $$i $(LIB_DIR)/$$i 2>/dev/null || cp $$i $(LIB_DIR); \
 		  continue 2;; \
 	      esac; \
 	  done; \
-	  rm -f $(PLG_DIR)/$$i; \
+	  rm -f $(LIB_DIR)/$$i; \
 	done
 
 plugin_map_obj_update: $(LIB_MAP_OBJ)
diff --git a/postfix/src/util/dict_db.c b/postfix/src/util/dict_db.c
index ba0a54c8b..abc3ae780 100644
--- a/postfix/src/util/dict_db.c
+++ b/postfix/src/util/dict_db.c
@@ -6,7 +6,9 @@
 /* SYNOPSIS
 /*	#include <dict_db.h>
 /*
-/*	int	dict_db_cache_size;
+/*	extern int dict_db_cache_size;
+/*
+/*	DEFINE_DICT_DB_CACHE_SIZE;
 /*
 /*	DICT	*dict_hash_open(path, open_flags, dict_flags)
 /*	const char *path;
@@ -27,6 +29,10 @@
 /*	For better performance while creating a large table, specify a large
 /*	buffer size before opening the file.
 /*
+/*	This variable cannot be exported via the dict(3) API and
+/*	must therefore be defined in the calling program by invoking
+/*	the DEFINE_DICT_DB_CACHE_SIZE macro at the global level.
+/*
 /*	Arguments:
 /* .IP path
 /*	The database pathname, not including the ".db" suffix.
@@ -126,17 +132,6 @@ typedef struct {
 #define SCOPY(buf, data, size) \
     vstring_str(vstring_strncpy(buf ? buf : (buf = vstring_alloc(10)), data, size))
 
- /*
-  * You can override the default dict_db_cache_size setting before calling
-  * dict_hash_open() or dict_btree_open(). This is done in mkmap_db_open() to
-  * set a larger memory pool for database (re)builds.
-  * 
-  * XXX This should be specified via the DICT interface so that it becomes an
-  * object property, instead of being specified by poking a global variable
-  * so that it becomes a class property.
-  */
-int     dict_db_cache_size = (128 * 1024);	/* 128K default memory pool */
-
 #define DICT_DB_NELM		4096
 
 #if DB_VERSION_MAJOR > 1
diff --git a/postfix/src/util/dict_db.h b/postfix/src/util/dict_db.h
index 59120fa08..9b5f6cada 100644
--- a/postfix/src/util/dict_db.h
+++ b/postfix/src/util/dict_db.h
@@ -27,9 +27,15 @@ extern DICT *dict_btree_open(const char *, int, int);
 
  /*
   * XXX Should be part of the DICT interface.
+  * 
+  * You can override the default dict_db_cache_size setting before calling
+  * dict_hash_open() or dict_btree_open(). This is done in mkmap_db_open() to
+  * set a larger memory pool for database (re)builds.
   */
 extern int dict_db_cache_size;
 
+#define DEFINE_DICT_DB_CACHE_SIZE int dict_db_cache_size = (128 * 1024)
+
 /* LICENSE
 /* .ad
 /* .fi
diff --git a/postfix/src/util/dict_lmdb.h b/postfix/src/util/dict_lmdb.h
index a9cad8610..ccc165ac0 100644
--- a/postfix/src/util/dict_lmdb.h
+++ b/postfix/src/util/dict_lmdb.h
@@ -27,7 +27,6 @@ extern DICT *dict_lmdb_open(const char *, int, int);
   * XXX Should be part of the DICT interface.
   */
 extern size_t dict_lmdb_map_size;
-extern unsigned int dict_lmdb_max_readers;
 
  /* Minimum size without SIGSEGV. */
 #define DEFINE_DICT_LMDB_MAP_SIZE size_t dict_lmdb_map_size = 8192
diff --git a/postfix/src/util/dict_test.c b/postfix/src/util/dict_test.c
index a00c650a0..4b4529847 100644
--- a/postfix/src/util/dict_test.c
+++ b/postfix/src/util/dict_test.c
@@ -24,6 +24,7 @@
 #include <dict_lmdb.h>
 
 DEFINE_DICT_LMDB_MAP_SIZE;
+DEFINE_DICT_DB_CACHE_SIZE;
 
 static NORETURN usage(char *myname)
 {