postfix-3.2-20160221

postfix/HISTORY

@@ -22178,3 +22178,11 @@ Apologies for any names omitted.
 20160214
 
 	More manpage cleanups. Viktor, Wietse.
+
+20160215
+
+	Cleanup: "match_list_match: permit_mynetworks: no match" after
+	a SUCCESSFUL permit_mynetworks match of a client IP address was
+	complicating troubleshooting.  The fix is to log additional
+	context to clarify that this "no match" condition is for
+	smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.

postfix/RELEASE_NOTES

@@ -1,169 +1,17 @@
-This is the Postfix 3.1 (experimental) release.
+This is the Postfix 3.2 (experimental) release.
 
-The stable Postfix release is called postfix-3.0.x where 3=major
+The stable Postfix release is called postfix-3.1.x where 3=major
-release number, 0=minor release number, x=patchlevel.  The stable
+release number, 1=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 
 New features are developed in snapshot releases. These are called
-postfix-3.1-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
-If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
+If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1
 before proceeding.
-
-
-Major changes with snaphot 20160207
-===================================
-
-A new "postfix tls" command to quickly enable opportunistic TLS in
-the Postfix SMTP client or server, and to manage SMTP server keys
-and certificates, including certificate signing requests and TLSA
-DNS records for DANE. See the postfix-tls(1) manpage for a detailed
-description.
-
-Major changes with snaphot 20151227
-===================================
-
-The new address_verify_pending_request_limit parameter introduces
-a safety limit for the number of address verification probes in the
-active queue.  The default limit is 1/4 of the active queue maximum
-size. The queue manager enforces the limit by tempfailing probe
-messages that exceed the limit. This design avoids dependencies on
-global counters that get out of sync after a process or system crash.
-
-Tempfailing verify requests is not as bad as one might think.  The
-Postfix verify cache proactively updates active addresses weeks
-before they expire. The address_verify_pending_request_limit affects
-only unknown addresses, and inactive addresses that have expired
-from the address verify cache (by default, after 31 days).
-
-Major changes with snaphot 20151129
-===================================
-
-Machine-readable, JSON-formatted queue listing with "postqueue -j"
-(no "mailq" equivalent).  The output is a stream of JSON objects,
-one per queue file.  To simplify parsing, each JSON object is
-formatted as one text line followed by one newline character. See
-the postqueue(1) manpage for a detailed description of the output
-format.
-
-Major changes with Postfix snapshot 20151031
-============================================
-
-New "smtpd_client_auth_rate_limit" feature, to enforce an optional
-rate limit on the number of AUTH commands per client IP address.
-Similar to other smtpd_client_*rate_limit features, this enforces
-a limit on the number of requests per $anvil_rate_time_unit.
-
-Major changes with Postfix snapshot 20150913
-============================================
-
-New SMTPD policy service attribute "policy_context", with a
-corresponding "smtpd_policy_service_policy_context" configuration
-parameter.  Originally, this was implemented to share the same SMTPD
-policy service endpoint among multiple check_policy_service clients.
-
-Incompatible change with Postfix snapshot 20150721
-==================================================
-
-As of the middle of 2015, all supported Postfix releases no longer
-enable "export" grade ciphers for opportunistic TLS, and no longer
-use the deprecated SSLv2 and SSLv3 protocols for mandatory or
-opportunistic TLS.
-
-These changes are very unlikely to cause problems with server-to-server
-communication over the Internet, but they may result in interoperability
-problems with ancient client or server implementations on internal
-networks.  To address this problem, you can revert the changes with:
-
-Postfix SMTP client settings:
-
-    lmtp_tls_ciphers = export
-    smtp_tls_ciphers = export
-    lmtp_tls_protocols = !SSLv2
-    smtp_tls_protocols = !SSLv2
-    lmtp_tls_mandatory_protocols = !SSLv2
-    smtp_tls_mandatory_protocols = !SSLv2
-
-Postfix SMTP server settings:
-
-    smtpd_tls_ciphers = export
-    smtpd_tls_protocols =
-    smtpd_tls_mandatory_protocols = !SSLv2
-
-These settings, if put in main.cf, affect all Postfix SMTP client
-or server communication, which may be undesirable. To be more
-selective, use "-o name=value" parameter overrides on specific
-services in master.cf. Execute the command "postfix reload" to make
-the changes effective.
-
-Major changes with snaphot 20150710
-===================================
-
-postscreen support for the TTL of DNSBL and DNSWL lookup results
-----------------------------------------------------------------
-
-Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
-that a "not found" result from a DNSBL server will be valid for one
-hour.  This may have been adequate five years ago when postscreen
-was first implemented, but nowadays, that one hour can result in
-missed opportunities to block new spambots.
-
-To address this, postscreen now respects the TTL of DNSBL "not
-found" replies, as well as the TTL of DNSWL replies (both "found"
-and "not found").  The TTL for a "not found" reply is determined
-according to RFC 2308 (the TTL of an SOA record in the reply).
-
-Support for DNSBL or DNSWL reply TTL values is controlled by two
-configuration parameters:
-
-postscreen_dnsbl_min_ttl (default: 60 seconds).
-
-    This parameter specifies a minimum for the amount of time that
-    a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
-    This prevents an excessive number of postscreen cache updates
-    when a DNSBL or DNSWL server specifies a very small reply TTL.
-
-postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
-
-    This parameter specifies a maximum for the amount of time that
-    a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
-    This prevents cache pollution when a DNSBL or DNSWL server
-    specifies a very large reply TTL.
-
-The postscreen_dnsbl_ttl parameter is now obsolete, and has become
-a default value for the new postscreen_dnsbl_max_ttl parameter.
-
-Destination-independent delivery rate delay
--------------------------------------------
-
-Support to enforce a destination-independent delay between email
-deliveries.  The following example inserts 20 seconds of delay
-between all deliveries with the SMTP transport, limiting the delivery
-rate to at most three messages per minute.
-
-/etc/postfix/main.cf:
-    smtp_transport_rate_delay = 20s
-
-For details, see the description of default_transport_rate_delay
-and transport_transport_rate_delay in the postconf(5) manpage.
-
-Major changes with snaphot 20150523
-===================================
-
-The milter_macro_defaults feature provides an optional list of macro
-name=value pairs. These specify default values for Milter macros
-when no value is available from the SMTP session context.
-
-For example, with "milter_macro_defaults = auth_type=TLS", the
-Postfix SMTP server will send an auth_type of "TLS" to a Milter,
-unless the remote client authenticates with SASL.
-
-This feature was originally implemented for a submission service
-that may authenticate clients with a TLS certificate, without having
-to make changes to the code that implements TLS support.

postfix/RELEASE_NOTES-3.1

@@ -0,0 +1,188 @@
+This is the Postfix 3.1 (stable) release.
+
+The stable Postfix release is called postfix-3.1.x where 3=major
+release number, 1=minor release number, x=patchlevel.  The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day).  Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
+
+Major changes - address verification safety
+-------------------------------------------
+
+[Feature 20151227] The new address_verify_pending_request_limit
+parameter introduces a safety limit for the number of address
+verification probes in the active queue.  The default limit is 1/4
+of the active queue maximum size. The queue manager enforces the
+limit by tempfailing probe messages that exceed the limit. This
+design avoids dependencies on global counters that get out of sync
+after a process or system crash.
+
+Tempfailing verify requests is not as bad as one might think.  The
+Postfix verify cache proactively updates active addresses weeks
+before they expire. The address_verify_pending_request_limit affects
+only unknown addresses, and inactive addresses that have expired
+from the address verify cache (by default, after 31 days).
+
+Major changes - json support
+----------------------------
+
+[Feature 20151129] Machine-readable, JSON-formatted queue listing
+with "postqueue -j" (no "mailq" equivalent).  The output is a stream
+of JSON objects, one per queue file.  To simplify parsing, each
+JSON object is formatted as one text line followed by one newline
+character. See the postqueue(1) manpage for a detailed description
+of the output format.
+
+Major changes - milter support
+------------------------------
+
+[Feature 20150523] The milter_macro_defaults feature provides an
+optional list of macro name=value pairs. These specify default
+values for Milter macros when no value is available from the SMTP
+session context.
+
+For example, with "milter_macro_defaults = auth_type=TLS", the
+Postfix SMTP server will send an auth_type of "TLS" to a Milter,
+unless the remote client authenticates with SASL.
+
+This feature was originally implemented for a submission service
+that may authenticate clients with a TLS certificate, without having
+to make changes to the code that implements TLS support.
+
+Major changes - output rate control
+-----------------------------------
+
+[Feature 20150710] Destination-independent delivery rate delay
+
+Support to enforce a destination-independent delay between email
+deliveries.  The following example inserts 20 seconds of delay
+between all deliveries with the SMTP transport, limiting the delivery
+rate to at most three messages per minute.
+
+/etc/postfix/main.cf:
+    smtp_transport_rate_delay = 20s
+
+For details, see the description of default_transport_rate_delay
+and transport_transport_rate_delay in the postconf(5) manpage.
+
+Major changes - postscreen dnsbl
+--------------------------------
+
+[Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL
+lookup results
+
+Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
+that a "not found" result from a DNSBL server will be valid for one
+hour.  This may have been adequate five years ago when postscreen
+was first implemented, but nowadays, that one hour can result in
+missed opportunities to block new spambots.
+
+To address this, postscreen now respects the TTL of DNSBL "not
+found" replies, as well as the TTL of DNSWL replies (both "found"
+and "not found").  The TTL for a "not found" reply is determined
+according to RFC 2308 (the TTL of an SOA record in the reply).
+
+Support for DNSBL or DNSWL reply TTL values is controlled by two
+configuration parameters:
+
+postscreen_dnsbl_min_ttl (default: 60 seconds).
+
+    This parameter specifies a minimum for the amount of time that
+    a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
+    This prevents an excessive number of postscreen cache updates
+    when a DNSBL or DNSWL server specifies a very small reply TTL.
+
+postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
+
+    This parameter specifies a maximum for the amount of time that
+    a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
+    This prevents cache pollution when a DNSBL or DNSWL server
+    specifies a very large reply TTL.
+
+The postscreen_dnsbl_ttl parameter is now obsolete, and has become
+the default value for the new postscreen_dnsbl_max_ttl parameter.
+
+Major changes - sasl auth safety
+--------------------------------
+
+[Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to
+enforce an optional rate limit on AUTH commands per SMTP client IP
+address.  Similar to other smtpd_client_*_rate_limit features, this
+enforces a limit on the number of requests per $anvil_rate_time_unit.
+
+Major changes - smtpd policy
+----------------------------
+
+[Feature 20150913] New SMTPD policy service attribute "policy_context",
+with a corresponding "smtpd_policy_service_policy_context" configuration
+parameter.  Originally, this was implemented to share the same SMTPD
+policy service endpoint among multiple check_policy_service clients.
+
+Incompatible change with Postfix snapshot 20150721
+==================================================
+
+Major changes - tls
+-------------------
+
+[Feature 20160207] A new "postfix tls" command to quickly enable
+opportunistic TLS in the Postfix SMTP client or server, and to
+manage SMTP server keys and certificates, including certificate
+signing requests and TLSA DNS records for DANE. See the postfix-tls(1)
+manpage for a detailed description.
+
+[Feature 20160103] The Postfix SMTP client by default enables DANE
+policies when an MX host has a (DNSSEC) secure TLSA DNS record,
+even if the MX DNS record was obtained with insecure lookups.  The
+existence of a secure TLSA record implies that the host wants to
+talk TLS and not plaintext. For details see the
+smtp_tls_dane_insecure_mx_policy configuration parameter.
+
+[Incompat 20150719] The default Diffie-Hellman non-export prime was
+updated from 1024 to 2048 bits, because SMTP clients are starting
+to reject TLS handshakes with primes smaller than 2048 bits.
+
+Historically, this prime size is not negotiable, and each site needs
+to determine which prime size works best for the majority of its
+clients. See FORWARD_SECRECY_README for some hints in the quick-start
+section.
+
+[Incompat 20150721] As of the middle of 2015, all supported Postfix
+releases no longer enable "export" grade ciphers for opportunistic
+TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for
+mandatory or opportunistic TLS.
+
+These changes are very unlikely to cause problems with server-to-server
+communication over the Internet, but they may result in interoperability
+problems with ancient client or server implementations on internal
+networks.  To address this problem, you can revert the changes with:
+
+Postfix SMTP client settings:
+
+    lmtp_tls_ciphers = export
+    smtp_tls_ciphers = export
+    lmtp_tls_protocols = !SSLv2
+    smtp_tls_protocols = !SSLv2
+    lmtp_tls_mandatory_protocols = !SSLv2
+    smtp_tls_mandatory_protocols = !SSLv2
+
+Postfix SMTP server settings:
+
+    smtpd_tls_ciphers = export
+    smtpd_tls_protocols =
+    smtpd_tls_mandatory_protocols = !SSLv2
+
+These settings, if put in main.cf, affect all Postfix SMTP client
+or server communication, which may be undesirable. To be more
+selective, use "-o name=value" parameter overrides on specific
+services in master.cf. Execute the command "postfix reload" to make
+the changes effective.
+

postfix/WISHLIST

@@ -6,6 +6,8 @@ Wish list:
 
 	Disable -DSNAPSHOT and -DNONPROD in makedefs.
 
+	Fix "make test" bitrot.
+
 	Remove this file from the stable release.
 
 	Things to do after the stable release:

postfix/conf/postfix-tls-script

@@ -317,10 +317,7 @@ openssl=`$postconf -c $default_config_directory -xh openssl_path`
 
 # ----- END OpenSSL-specific -----
 
-# Make this our *last* "cd", so all the key/cert generation runs in the
+test -n "$config_directory" -a -d "$config_directory" || {
-# configuration directory.
-#
-test -n "$config_directory" && cd $config_directory || {
     $FATAL no Postfix configuration directory $config_directory!
     exit 1
 }
@@ -566,7 +563,8 @@ info_enable_client() {
 
 info_client_deployed() {
 	cat <<-EOM
-	Enabled opportunistic TLS in the Postfix SMTP client, run:
+	Enabled opportunistic TLS in the Postfix SMTP client.
+	Run the command:
 	  # postfix reload
 	if you want the new settings to take effect immediately.
 	EOM
@@ -603,7 +601,8 @@ info_server_deployed() {
 	    echo "Enabled opportunistic TLS in the Postfix SMTP server"
 	fi
 	cat <<-EOM
-	New TLS private key and certificate deployed, run:
+	New TLS private key and certificate deployed.
+	Run the command:
 	  # postfix reload
 	if you want the new settings to take effect immediately.
 	EOM
@@ -616,9 +615,9 @@ info_csr() {
 	  # postfix tls output-server-csr -k $2 [<hostname> ...]
 	EOM
 	if [ -z "$3" ]; then
-	    echo "Save the signed certificate chain in ${config_directory}/$1, and deploy as above."
+	    echo "Save the signed certificate chain in $1, and deploy as above."
 	else
-	    echo "Save the signed certificate chain in ${config_directory}/$1."
+	    echo "Save the signed certificate chain in $1."
 	fi
 }
 
@@ -659,9 +658,24 @@ set_fqdn() {
 set_keyfile() {
     keyfile=$1
     case $keyfile in
-	"") : empty ok;;
+       rsa) if [ -n "${rsa}" ]; then
-      $rsa) keyfile=`$postconf -nxh smtpd_tls_key_file`;;
+		keyfile=`$postconf -nxh smtpd_tls_key_file`
-    $ecdsa) keyfile=`$postconf -nxh smtpd_tls_eckey_file`;;
+	    else
+		keyfile=
+	    fi
+	    ;;
+     ecdsa) if [ -n "${ecdsa}" ]; then
+		keyfile=`$postconf -nxh smtpd_tls_eckey_file`
+	    else
+		keyfile=
+	    fi
+	    ;;
+        "") : empty ok;;
+      none) : see below;;
+        /*) ;;
+         *) # User-specified key pathnames are relative to the configuration
+	    # directory
+	    keyfile="${config_directory}/${keyfile}";;
     esac
     if [ "${keyfile}" = "none" ]; then keyfile= ; fi
 }
@@ -681,8 +695,10 @@ ensure_key() {
 
     case $_algo in
 	"") $FATAL "Internal error: empty algorithm "; return 1;;
-      $rsa) keyfile="key-${stamp}.pem";   certfile="cert-${stamp}.pem";;
+      $rsa) keyfile="${config_directory}/key-${stamp}.pem"
-    $ecdsa) keyfile="eckey-${stamp}.pem"; certfile="eccert-${stamp}.pem";;
+	    certfile="${config_directory}/cert-${stamp}.pem";;
+    $ecdsa) keyfile="${config_directory}/eckey-${stamp}.pem"
+	    certfile="${config_directory}/eccert-${stamp}.pem";;
 	 *) $FATAL "Internal error: bad algorithm '${_algo}'"
 	    return 1;;
     esac
@@ -1003,8 +1019,21 @@ deploy-server-cert)
 	    exit 1
 	fi
 	shift
-	deploy_server_cert "$@" || exit 1
+
-	info_server_deployed "$1" "$2" "deploy" | $INFO
+	# User-specified key and cert pathnames are relative to the
+	# configuration directory
+	#
+	case "${1}" in
+	/*) certfile="${1}" ;;
+	 *) certfile="${config_directory}/${1}" ;;
+	esac
+	case "${2}" in
+	/*) certfile="${2}" ;;
+	 *) certfile="${config_directory}/${2}" ;;
+	esac
+
+	deploy_server_cert "${certfile}" "${keyfile}" || exit 1
+	info_server_deployed "${certfile}" "${keyfile}" "deploy" | $INFO
 	;;
 
 output-server-csr)

postfix/html/postconf.1.html

@@ -290,30 +290,31 @@ POSTCONF(1)                                                        POSTCONF(1)
                      ple:  "<b><a href="DATABASE_README.html#types">randmap</a>:{</b><i>result</i><b>_</b><i>1,  ...,  result</i><b>_</b><i>n</i><b>}</b>".  Each  table
                      query returns a random choice from the specified results.
                      The first and last characters  of  the  "<a href="DATABASE_README.html#types">randmap</a>:"  table
-                     name  must be "<b>{</b>" and "<b>}</b>".  Within these, individual maps
+                     name  must  be  "<b>{</b>"  and  "<b>}</b>".   Within these, individual
-                     are separated with comma or whitespace.
+                     results are separated with comma or whitespace. To give a
+                     specific result more weight, specify it multiple times.
 
               <b>regexp</b> (read-only)
-                     A lookup table based on  regular  expressions.  The  file
+                     A  lookup  table  based  on regular expressions. The file
                      format is described in <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>.
 
               <b>sdbm</b>   An indexed file type based on hashing.  Available on sys-
                      tems with support for SDBM databases.
 
               <b>socketmap</b> (read-only)
-                     Sendmail-style  socketmap  client.  The  table  name   is
+                     Sendmail-style   socketmap  client.  The  table  name  is
-                     <b>inet</b>:<i>host</i>:<i>port</i>:<i>name</i>  for  a  TCP/IP server, or <b>unix</b>:<i>path-</i>
+                     <b>inet</b>:<i>host</i>:<i>port</i>:<i>name</i> for a TCP/IP  server,  or  <b>unix</b>:<i>path-</i>
-                     <i>name</i>:<i>name</i> for a UNIX-domain server. This is described  in
+                     <i>name</i>:<i>name</i>  for a UNIX-domain server. This is described in
                      <a href="socketmap_table.5.html"><b>socketmap_table</b>(5)</a>.
 
               <b>sqlite</b> (read-only)
                      SQLite database. This is described in <a href="sqlite_table.5.html"><b>sqlite_table</b>(5)</a>.
 
               <b>static</b> (read-only)
-                     A  table  that  always returns its name as lookup result.
+                     A table that always returns its name  as  lookup  result.
                      For example, <b><a href="DATABASE_README.html#types">static</a>:foobar</b> always returns the string <b>foo-</b>
-                     <b>bar</b>  as lookup result. Specify "<b><a href="DATABASE_README.html#types">static</a>:{</b> <i>text with white-</i>
+                     <b>bar</b> as lookup result. Specify "<b><a href="DATABASE_README.html#types">static</a>:{</b> <i>text with  white-</i>
-                     <i>space</i> <b>}</b>" when the result contains whitespace;  this  form
+                     <i>space</i>  <b>}</b>"  when the result contains whitespace; this form
                      ignores whitespace after "<b>{</b>" and before "<b>}</b>". See also the
                      <i><a href="DATABASE_README.html#types">inline</a>:</i> map.
 
@@ -321,53 +322,53 @@ POSTCONF(1)                                                        POSTCONF(1)
                      TCP/IP client. The protocol is described in <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.
 
               <b>texthash</b> (read-only)
-                     Produces  similar results as <a href="DATABASE_README.html#types">hash</a>: files, except that you
+                     Produces similar results as <a href="DATABASE_README.html#types">hash</a>: files, except that  you
-                     don't need to run the <a href="postmap.1.html"><b>postmap</b>(1)</a> command before  you  can
+                     don't  need  to run the <a href="postmap.1.html"><b>postmap</b>(1)</a> command before you can
-                     use  the  file, and that it does not detect changes after
+                     use the file, and that it does not detect  changes  after
                      the file is read.
 
               <b>unionmap</b> (read-only)
-                     A table that sends each query to multiple  lookup  tables
+                     A  table  that sends each query to multiple lookup tables
-                     and  that  concatenates  all  found results, separated by
+                     and that concatenates all  found  results,  separated  by
                      comma.  The table name syntax is the same as for <b>pipemap</b>.
 
               <b>unix</b> (read-only)
-                     A  limited  view of the UNIX authentication database. The
+                     A limited view of the UNIX authentication  database.  The
                      following tables are implemented:
 
                      <b>unix:passwd.byname</b>
-                            The table is the UNIX password database.  The  key
+                            The  table  is the UNIX password database. The key
-                            is  a  login  name.  The result is a password file
+                            is a login name.  The result is  a  password  file
                             entry in <b>passwd</b>(5) format.
 
                      <b>unix:group.byname</b>
                             The table is the UNIX group database. The key is a
-                            group  name.   The result is a group file entry in
+                            group name.  The result is a group file  entry  in
                             <b>group</b>(5) format.
 
-              Other table types may exist depending on how Postfix was  built.
+              Other  table types may exist depending on how Postfix was built.
 
-       <b>-M</b>     Show  <a href="master.5.html"><b>master.cf</b></a>  file contents instead of <a href="postconf.5.html"><b>main.cf</b></a> file contents.
+       <b>-M</b>     Show <a href="master.5.html"><b>master.cf</b></a> file contents instead of <a href="postconf.5.html"><b>main.cf</b></a>  file  contents.
               Specify <b>-Mf</b> to fold long lines for human readability.
 
               Specify zero or more arguments, each with a <i>service-name</i> or <i>ser-</i>
-              <i>vice-name/service-type</i>  pair,  where  <i>service-name</i>  is the first
+              <i>vice-name/service-type</i> pair, where  <i>service-name</i>  is  the  first
-              field of a <a href="master.5.html">master.cf</a> entry and <i>service-type</i>  is  one  of  (<b>inet</b>,
+              field  of  a  <a href="master.5.html">master.cf</a>  entry and <i>service-type</i> is one of (<b>inet</b>,
               <b>unix</b>, <b>fifo</b>, or <b>pass</b>).
 
-              If  <i>service-name</i> or <i>service-name/service-type</i> is specified, only
+              If <i>service-name</i> or <i>service-name/service-type</i> is specified,  only
-              the matching <a href="master.5.html">master.cf</a> entries  will  be  output.  For  example,
+              the  matching  <a href="master.5.html">master.cf</a>  entries  will  be output. For example,
-              "<b>postconf  -Mf  smtp</b>" will output all services named "smtp", and
+              "<b>postconf -Mf smtp</b>" will output all services named  "smtp",  and
-              "<b>postconf -Mf smtp/inet</b>" will output only the smtp service  that
+              "<b>postconf  -Mf smtp/inet</b>" will output only the smtp service that
-              listens  on  the network.  Trailing service type fields that are
+              listens on the network.  Trailing service type fields  that  are
               omitted will be handled as "*" wildcard fields.
 
               This feature is available with Postfix 2.9 and later. The syntax
-              was  changed  from  "<i>name.type</i>" to "<i>name/type</i>", and "*" wildcard
+              was changed from "<i>name.type</i>" to "<i>name/type</i>",  and  "*"  wildcard
               support was added with Postfix 2.11.
 
        <b>-n</b>     Show only configuration parameters that have explicit <i>name=value</i>
-              settings  in  <a href="postconf.5.html"><b>main.cf</b></a>.  Specify <b>-nf</b> to fold long lines for human
+              settings in <a href="postconf.5.html"><b>main.cf</b></a>.  Specify <b>-nf</b> to fold long lines  for  human
               readability (Postfix 2.9 and later).
 
        <b>-o</b> <i>name=value</i>
@@ -379,41 +380,41 @@ POSTCONF(1)                                                        POSTCONF(1)
 
               This feature is available with Postfix 2.11 and later.
 
-       <b>-P</b>     Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default  all  ser-
+       <b>-P</b>     Show  <a href="master.5.html"><b>master.cf</b></a>  service parameter settings (by default all ser-
-              vices  and  all  parameters), formatted as "<i>service/type/parame-</i>
+              vices and all parameters),  formatted  as  "<i>service/type/parame-</i>
               <i>ter=value</i>", one per line.  Specify <b>-Pf</b> to fold long lines.
 
-              Specify one or more "<i>service/type/parameter</i>"  instances  on  the
+              Specify  one  or  more "<i>service/type/parameter</i>" instances on the
-              <a href="postconf.1.html"><b>postconf</b>(1)</a>  command  line  to limit the output to parameters of
+              <a href="postconf.1.html"><b>postconf</b>(1)</a> command line to limit the output  to  parameters  of
-              interest.  Trailing parameter name or service type  fields  that
+              interest.   Trailing  parameter name or service type fields that
               are omitted will be handled as "*" wildcard fields.
 
               This feature is available with Postfix 2.11 and later.
 
        <b>-t</b> [<i>template</i><b>_</b><i>file</i>]
-              Display  the templates for text that appears at the beginning of
+              Display the templates for text that appears at the beginning  of
-              delivery status notification (DSN) messages,  without  expanding
+              delivery  status  notification (DSN) messages, without expanding
               $<b>name</b> expressions.
 
               To override the built-in templates, specify a template file name
-              at the end of the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line, or  specify  a  file
+              at  the  end  of the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line, or specify a file
               name in <a href="postconf.5.html"><b>main.cf</b></a> with the <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a></b> parameter.
 
-              To  force  selection of the built-in templates, specify an empty
+              To force selection of the built-in templates, specify  an  empty
-              template file name on the <a href="postconf.1.html"><b>postconf</b>(1)</a>  command  line  (in  shell
+              template  file  name  on  the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line (in shell
               language: "").
 
               This feature is available with Postfix 2.3 and later.
 
        <b>-T</b> <i>mode</i>
-              If  Postfix  is compiled without TLS support, the <b>-T</b> option pro-
+              If Postfix is compiled without TLS support, the <b>-T</b>  option  pro-
-              duces no output.  Otherwise, if an invalid  <i>mode</i>  is  specified,
+              duces  no  output.   Otherwise, if an invalid <i>mode</i> is specified,
-              the  <b>-T</b> option reports an error and exits with a non-zero status
+              the <b>-T</b> option reports an error and exits with a non-zero  status
               code. The valid modes are:
 
               <b>compile-version</b>
                      Output the OpenSSL version that Postfix was compiled with
-                     (i.e.  the  OpenSSL version in a header file). The output
+                     (i.e. the OpenSSL version in a header file).  The  output
                      format is the same as with the command "<b>openssl version</b>".
 
               <b>run-version</b>
@@ -421,28 +422,28 @@ POSTCONF(1)                                                        POSTCONF(1)
                      runtime (i.e. the OpenSSL version in a shared library).
 
               <b>public-key-algorithms</b>
-                     Output the lower-case names of the  supported  public-key
+                     Output  the  lower-case names of the supported public-key
                      algorithms, one per-line.
 
               This feature is available with Postfix 3.1 and later.
 
-       <b>-v</b>     Enable  verbose  logging  for  debugging  purposes.  Multiple <b>-v</b>
+       <b>-v</b>     Enable verbose  logging  for  debugging  purposes.  Multiple  <b>-v</b>
               options make the software increasingly verbose.
 
-       <b>-x</b>     Expand <i>$name</i> in  <a href="postconf.5.html"><b>main.cf</b></a>  or  <a href="master.5.html"><b>master.cf</b></a>  parameter  values.  The
+       <b>-x</b>     Expand  <i>$name</i>  in  <a href="postconf.5.html"><b>main.cf</b></a>  or  <a href="master.5.html"><b>master.cf</b></a>  parameter values. The
               expansion is recursive.
 
               This feature is available with Postfix 2.10 and later.
 
-       <b>-X</b>     Edit  the  <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and remove the parameters
+       <b>-X</b>     Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and remove  the  parameters
               named on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line.  Specify a list of param-
               eter names, not "<i>name=value</i>" pairs.
 
-              With  <b>-M</b>,  edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one
+              With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and  remove  one
-              or more service entries as specified with "<i>service/type</i>" on  the
+              or  more service entries as specified with "<i>service/type</i>" on the
               <a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
 
-              With  <b>-P</b>,  edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one
+              With <b>-P</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and  remove  one
               or more service parameter settings (-o parameter=value settings)
               as specied with "<i>service/type/parameter</i>" on the <a href="postconf.1.html"><b>postconf</b>(1)</a> com-
               mand line.
@@ -451,10 +452,10 @@ POSTCONF(1)                                                        POSTCONF(1)
               into place.  Specify quotes to protect special characters on the
               <a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
 
-              There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform  the  reverse  opera-
+              There  is  no  <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera-
               tion.
 
-              This  feature is available with Postfix 2.10 and later.  Support
+              This feature is available with Postfix 2.10 and later.   Support
               for -M and -P was added with Postfix 2.11.
 
        <b>-#</b>     Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and comment out the parame-
@@ -462,18 +463,18 @@ POSTCONF(1)                                                        POSTCONF(1)
               eters revert to their default values.  Specify a list of parame-
               ter names, not "<i>name=value</i>" pairs.
 
-              With  <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and comment out
+              With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and comment  out
-              one or more service entries as specified with "<i>service/type</i>"  on
+              one  or more service entries as specified with "<i>service/type</i>" on
               the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
 
               In all cases the file is copied to a temporary file then renamed
               into place.  Specify quotes to protect special characters on the
               <a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
 
-              There  is  no  <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera-
+              There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform  the  reverse  opera-
               tion.
 
-              This feature is available with Postfix 2.6  and  later.  Support
+              This  feature  is  available with Postfix 2.6 and later. Support
               for -M was added with Postfix 2.11.
 
 <b>DIAGNOSTICS</b>
@@ -484,18 +485,18 @@ POSTCONF(1)                                                        POSTCONF(1)
               Directory with Postfix configuration files.
 
 <b>CONFIGURATION PARAMETERS</b>
-       The  following  <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant to this pro-
+       The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant to  this  pro-
        gram.
 
-       The text below provides only a parameter summary. See  <a href="postconf.5.html"><b>postconf</b>(5)</a>  for
+       The  text  below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
        more details including examples.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
               figuration files.
 
        <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a> (empty)</b>
-              Pathname of a configuration file with bounce message  templates.
+              Pathname  of a configuration file with bounce message templates.
 
 <b>FILES</b>
        /etc/postfix/<a href="postconf.5.html">main.cf</a>, Postfix configuration parameters

postfix/man/man1/postconf.1

@@ -316,8 +316,9 @@ An in\-memory table that performs random selection. Example:
 "\fBrandmap:{\fIresult_1, ..., result_n\fB}\fR". Each table query
 returns a random choice from the specified results. The first
 and last characters of the "randmap:" table name must be
-"\fB{\fR" and "\fB}\fR".  Within these, individual maps are
+"\fB{\fR" and "\fB}\fR".  Within these, individual results
-separated with comma or whitespace.
+are separated with comma or whitespace. To give a specific
+result more weight, specify it multiple times.
 .IP "\fBregexp\fR (read\-only)"
 A lookup table based on regular expressions. The file format
 is described in \fBregexp_table\fR(5).

postfix/src/dns/Makefile.in

@@ -381,6 +381,7 @@ dns_strtype.o: dns.h
 dns_strtype.o: dns_strtype.c
 test_dns_lookup.o: ../../include/argv.h
 test_dns_lookup.o: ../../include/check_arg.h
+test_dns_lookup.o: ../../include/mail_params.h
 test_dns_lookup.o: ../../include/msg.h
 test_dns_lookup.o: ../../include/msg_vstream.h
 test_dns_lookup.o: ../../include/myaddrinfo.h

postfix/src/dns/dns.h

@@ -225,7 +225,6 @@ extern int dns_lookup_rl(const char *, unsigned, DNS_RR **, VSTRING *,
 			         VSTRING *, int *, int,...);
 extern int dns_lookup_rv(const char *, unsigned, DNS_RR **, VSTRING *,
 			         VSTRING *, int *, int, unsigned *);
-extern int dns_ncache_ttl_fix_enable;
 
 #define dns_lookup(name, type, rflags, list, fqdn, why) \
     dns_lookup_x((name), (type), (rflags), (list), (fqdn), (why), (int *) 0, \

postfix/src/dns/test_dns_lookup.c

@@ -41,6 +41,10 @@
 #include <mymalloc.h>
 #include <argv.h>
 
+/* Global library. */
+
+#include <mail_params.h>
+
 /* Application-specific. */
 
 #include "dns.h"
@@ -86,7 +90,7 @@ int     main(int argc, char **argv)
 	    lflags |= DNS_REQ_FLAG_NCACHE_TTL;
 	    break;
 	case 'p':
-	    dns_ncache_ttl_fix_enable = 1;
+	    var_dns_ncache_ttl_fix = 1;
 	    break;
 	default:
 	    usage(argv);

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20160214"
+#define MAIL_RELEASE_DATE	"20160221"
-#define MAIL_VERSION_NUMBER	"3.1"
+#define MAIL_VERSION_NUMBER	"3.2"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/postconf/postconf.c

@@ -310,8 +310,9 @@
 /*	"\fBrandmap:{\fIresult_1, ..., result_n\fB}\fR". Each table query
 /*	returns a random choice from the specified results. The first
 /*	and last characters of the "randmap:" table name must be
-/*	"\fB{\fR" and "\fB}\fR".  Within these, individual maps are
+/*	"\fB{\fR" and "\fB}\fR".  Within these, individual results
-/*	separated with comma or whitespace.
+/*	are separated with comma or whitespace. To give a specific
+/*	result more weight, specify it multiple times.
 /* .IP "\fBregexp\fR (read-only)"
 /*	A lookup table based on regular expressions. The file format
 /*	is described in \fBregexp_table\fR(5).

postfix/src/smtpd/smtpd_check.c

@@ -934,6 +934,7 @@ static int PRINTFLIKE(5, 6) smtpd_acl_permit(SMTPD_STATE *state,
 					             const char *reply_name,
 					             const char *format,...)
 {
+    const char myname[] = "smtpd_acl_permit";
     va_list ap;
     const char *whatsup;
 
@@ -946,6 +947,9 @@ static int PRINTFLIKE(5, 6) smtpd_acl_permit(SMTPD_STATE *state,
     /*
      * First, find out if (and how) this permit action should be logged.
      */
+    if (msg_verbose)
+	msg_info("%s: checking %s settings", myname, VAR_SMTPD_ACL_PERM_LOG);
+
     if (state->defer_if_permit.active) {
 	/* This action is overruled. Do not log. */
 	whatsup = 0;
@@ -966,6 +970,9 @@ static int PRINTFLIKE(5, 6) smtpd_acl_permit(SMTPD_STATE *state,
 	    va_end(ap);
 	}
 	log_whatsup(state, whatsup, STR(error_text));
+    } else {
+	if (msg_verbose)
+	    msg_info("%s: %s: no match", myname, VAR_SMTPD_ACL_PERM_LOG);
     }
     return (SMTPD_CHECK_OK);
 }