From ffe80bd40324df4845f3b0705c6abc10d2a59d4b Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <postfix-users@dukhovni.org>
Date: Sat, 25 Oct 2014 14:17:24 -0400
Subject: [PATCH] postfix-2.12-20141106

---
 postfix/HISTORY                            | 40 ++++++++++++++
 postfix/README_FILES/BUILTIN_FILTER_README | 51 +++++++++++++++++-
 postfix/WISHLIST                           | 24 ++-------
 postfix/html/BUILTIN_FILTER_README.html    | 61 +++++++++++++++++++++-
 postfix/html/postconf.5.html               | 10 ++--
 postfix/html/smtp-sink.1.html              |  2 +
 postfix/html/smtpd.8.html                  |  3 +-
 postfix/man/man1/smtp-sink.1               |  2 +
 postfix/man/man5/postconf.5                | 10 ++--
 postfix/man/man8/smtpd.8                   |  2 +-
 postfix/proto/BUILTIN_FILTER_README.html   | 61 +++++++++++++++++++++-
 postfix/proto/postconf.proto               | 10 ++--
 postfix/src/cleanup/cleanup_addr.c         |  5 ++
 postfix/src/global/mail_params.h           |  7 ++-
 postfix/src/global/mail_version.h          |  2 +-
 postfix/src/smtp/smtp_tls_policy.c         |  2 +
 postfix/src/smtpd/smtpd.c                  | 22 +++++++-
 postfix/src/smtpstone/smtp-sink.c          | 10 +++-
 postfix/src/tlsproxy/tlsproxy.c            |  5 ++
 19 files changed, 285 insertions(+), 44 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 8741a9f7a..f65554850 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -20696,3 +20696,43 @@ Apologies for any names omitted.
 	Cleanup: the last remaining remnants of the withdrawn
 	smtp_tls_fallback_level feature. Files: mantools/postlink,
 	global/mail_params.h.
+
+20141021
+
+	Per IETF TLS WG consensus, the tls_session_ticket_cipher
+	default setting was changed from aes-128-cbc to aes-256-cbc.
+	Take that, you quantum computer attackers! Viktor Dukhovni.
+	Files: proto/postconf.proto, global/mail_params.h.
+
+20141024
+
+	Cleanup: added $smtpd_mumble_restrictions to the proxy_read_maps
+	default setting. File: global/mail_params.h.
+
+	Documentation: different header/body checks for MX service
+	and SMTP submissions. File: proto/BUILTIN_FILTER_README.html.
+
+	Cleanup: don't send "bare" original recipient in SMTP DSN
+	attributes. File: cleanup/cleanup_addr.c.
+
+	Feature: smtp-sink -N option to suppress DSN announcement.
+	File: smtpstone/smtp-sink.c.
+
+20141025
+
+	Bugfix (introduced: Postfix 2,11): core dump when
+	smtp_policy_maps specifies an invalid TLS level. Viktor
+	Dukhovni. File: smtp/smtp_tls_policy.c.
+
+20141103
+
+	Logging: when a connection is closed, log the request counts
+	for unimplemented STARTTLS or AUTH commands separately,
+	instead of logging such commands as "unknown". File:
+	smtpd/smtpd.c.
+
+20141106
+
+	Cleanup: set errno to ETIMEDOUT after postscreen handshake
+	timeout event, so that warnings report the correct error.
+	File: tlsproxy/tlsproxy.c.
diff --git a/postfix/README_FILES/BUILTIN_FILTER_README b/postfix/README_FILES/BUILTIN_FILTER_README
index de8fa7dd8..36740fdc5 100644
--- a/postfix/README_FILES/BUILTIN_FILTER_README
+++ b/postfix/README_FILES/BUILTIN_FILTER_README
@@ -52,6 +52,8 @@ Topics covered by this document:
   * Limitations of Postfix header/body checks
   * Preventing daily mail status reports from being blocked
   * Configuring header/body checks for mail from outside users only
+  * Configuring different header/body checks for MX service and submission
+    service
   * Configuring header/body checks for mail to some domains only
 
 WWhhaatt mmaaiill iiss ssuubbjjeecctteedd ttoo hheeaaddeerr//bbooddyy cchheecckkss
@@ -105,8 +107,9 @@ make the decision in the cleanup(8) server, as this program receives mail from
 so many different sources. Instead, header/body checks are requested by the
 source. Examples of how to turn off header/body checks for mail received with
 smtpd(8), qmqpd(8) or pickup(8) are given below under "Configuring header/body
-checks for mail from outside users only" and "Configuring header/body checks
-for mail to some domains only".
+checks for mail from outside users only", "Configuring different header/body
+checks for MX service and submission service", and "Configuring header/body
+checks for mail to some domains only".
 
 LLiimmiittaattiioonnss ooff PPoossttffiixx hheeaaddeerr//bbooddyy cchheecckkss
 
@@ -248,6 +251,50 @@ server IP addresses in master.cf:
         # =================================================================
         1.2.3.5:smtp  inet  n       -       n       -       -       smtpd
 
+CCoonnffiigguurriinngg ddiiffffeerreenntt hheeaaddeerr//bbooddyy cchheecckkss ffoorr MMXX sseerrvviiccee aanndd ssuubbmmiissssiioonn sseerrvviiccee
+
+If authorized user submissions require different header/body checks than mail
+from remote MTAs, then this is possible as long as you have separate mail
+streams for authorized users and for MX service.
+
+The example below assumes that authorized users connect to TCP port 587
+(submission) or 465 (smtps), and that remote MTAs connect to TCP port 25
+(smtp).
+
+First, we define a few "user-defined" parameters that will override settings
+for the submission and smtps services.
+
+    /etc/postfix/main.cf:
+        mua_cleanup_service_name = mua_cleanup
+        mua_header_checks = pcre:/etc/postfix/mua_header_checks
+        mua_body_checks = pcre:/etc/postfix/mua_body_checks
+
+Next, we define mua_cleanup as a dedicated cleanup service that will be used
+only by the submission and smtps services. This service uses the header_checks
+and body_checks overrides that were defined above.
+
+    /etc/postfix.master.cf:
+        # =================================================================
+        # service     type  private unpriv  chroot  wakeup  maxproc command
+        #                   (yes)   (yes)   (yes)   (never) (100)
+        # =================================================================
+        smtp          inet  n       -       n       -       -       smtpd
+        mua_cleanup   unix  n       -       n       -       0       cleanup
+            -o header_checks=$mua_header_checks
+            -o body_checks=$mua_body_checks
+        submission    inet  n       -       n       -       -       smtpd
+            -o cleanup_service_name=$mua_cleanup_service_name
+            -o syslog_name=postfix/submission
+            ...[see sample master.cf file for more]...
+        smtps         inet  n       -       n       -       -       smtpd
+            -o cleanup_service_name=$mua_cleanup_service_name
+            -o syslog_name=postfix/smtps
+            -o smtpd_tls_wrappermode=yes
+            ...[see sample master.cf file for more]...
+
+By keeping the "mua_xxx" parameter settings in main.cf, you keep your master.cf
+file simple, and you minimize the amount of duplication.
+
 CCoonnffiigguurriinngg hheeaaddeerr//bbooddyy cchheecckkss ffoorr mmaaiill ttoo ssoommee ddoommaaiinnss oonnllyy
 
 The following information applies to Postfix 2.1. Earlier Postfix versions do
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 48a65e460..d688042f7 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -10,6 +10,8 @@ Wish list:
 
 	Update smtputf8_enable in postconf(5)
 
+	Clobber ORCPT when sender is owner-mumble?
+
 	Add milter_mumble_macros to the list of per-macro features.
 
 	The pickup daemon logs warnings only when the cleanup daemon
@@ -36,11 +38,6 @@ Wish list:
 	lookups for the invidual addresses, converting back and
 	forth between external and internal forms.
 
-	Include <3htPpS5B6bzbcpM@spike.porcupine.org> example with
-	filter policies for different mail streams. Correction:
-	filter should be content_filter. Posted Wed, 10 Sep 2014
-	09:53:52 -0400 (EDT).
-
 	Clarify that receive_override_options have no effect with
 	smtpd_proxy_filter.
 
@@ -51,17 +48,14 @@ Wish list:
 	comparison specifically for UTF-8. Use libicu functions
 	instead.
 
-	The postfix-mumble@postfix.org list manager sends list mail
-	with ORCPT=rfc822;postfix-mumble-outgoing.  The local
-	delivery agent drops the ORCPT when the alias has an
-	owner-alias, so what is going on here?
-
 	When downgrading message/global to 7bit, is quoted-printable
 	the appropriate encoding? Should it be base64?
 
 	Should we encode headers with RFC 2047, when that is the
 	only reason that Postfix cannot deliver to a non-UTF8SMTP
-	server?
+	server? Probably not in the general case. What about 
+	Postfix as a gateway server that converts UTF8SMTP
+	for delivery to non-UTF8SMTP environments?
 
 	Document and test restriction_classes example for 
 	smtpd_policy_service_default_action.
@@ -333,14 +327,6 @@ Wish list:
 	whitelisting database before the primary MX connection is
 	closed, because a client may still make a mistake.
 
-	Simplify postscreen logic. Individual "fail" flags help to
-	avoid repeated testing/logging the same mistake.  Individual
-	"pass" flags provide evidence that the client didn't skip
-	tests by hanging up early. The current global "noforward"
-	flag implements the wrong model: instead we need an indicator
-	that a client has passed all tests or that all mistakes
-	were forgiven.
-
 	In the SMTP server, check if the connection is closed before
 	replying to ".", and discard the message if the reply can't
 	be sent. This reduces the time window for RFC 1047 message
diff --git a/postfix/html/BUILTIN_FILTER_README.html b/postfix/html/BUILTIN_FILTER_README.html
index 0e75f9f71..35882242d 100644
--- a/postfix/html/BUILTIN_FILTER_README.html
+++ b/postfix/html/BUILTIN_FILTER_README.html
@@ -126,6 +126,8 @@ same message repeatedly. </p>
 
 <li><a href="#remote_only">Configuring header/body checks for mail from outside users only</a>
 
+<li><a href="#mx_submission">Configuring different header/body checks for MX service and submission service</a>
+
 <li><a href="#domain_except">Configuring header/body checks for mail to some domains only</a>
 
 </ul>
@@ -209,7 +211,9 @@ header/body checks are requested by the source.  Examples of how
 to turn off header/body checks for mail received with <a href="smtpd.8.html">smtpd(8)</a>,
 <a href="qmqpd.8.html">qmqpd(8)</a> or <a href="pickup.8.html">pickup(8)</a> are given below under "<a
 href="#remote_only">Configuring header/body checks for mail from
-outside users only</a>" and "<a href="#domain_except">Configuring
+outside users only</a>", "<a href="#mx_submission">Configuring
+different header/body checks for MX service and submission
+service</a>", and "<a href="#domain_except">Configuring
 header/body checks for mail to some domains only</a>".  </p>
 
 <h2><a name="limitations">Limitations of Postfix header/body checks </a></h2>
@@ -393,6 +397,61 @@ header/body filtering turned on via <a href="postconf.5.html">main.cf</a>. </p>
 
 </ul>
 
+<h2><a name="mx_submission">Configuring different header/body checks for MX service and submission service</a></h2>
+
+<p> If authorized user submissions require different header/body
+checks than mail from remote MTAs, then this is possible as long
+as you have separate mail streams for authorized users and for MX
+service. </p>
+
+<p> The example below assumes that authorized users connect to TCP
+port 587 (submission) or 465 (smtps), and that remote MTAs connect
+to TCP port 25 (smtp). </p>
+
+<p> First, we define a few "user-defined" parameters that will
+override settings for the submission and smtps services. </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    mua_cleanup_service_name = mua_cleanup
+    mua_header_checks = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/mua_header_checks
+    mua_body_checks = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/mua_body_checks
+</pre>
+</blockquote>
+
+<p> Next, we define mua_cleanup as a dedicated cleanup service that
+will be used only by the submission and smtps services.  This service
+uses the <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a> overrides that were defined
+above. </p>
+
+<blockquote>
+<pre>
+/etc/postfix.<a href="master.5.html">master.cf</a>:
+    # =================================================================
+    # service     type  private unpriv  chroot  wakeup  maxproc command
+    #                   (yes)   (yes)   (yes)   (never) (100)
+    # =================================================================
+    smtp          inet  n       -       n       -       -       smtpd
+    mua_cleanup   unix  n       -       n       -       0       cleanup
+        -o <a href="postconf.5.html#header_checks">header_checks</a>=$mua_header_checks
+        -o <a href="postconf.5.html#body_checks">body_checks</a>=$mua_body_checks
+    submission    inet  n       -       n       -       -       smtpd
+        -o <a href="postconf.5.html#cleanup_service_name">cleanup_service_name</a>=$mua_cleanup_service_name
+        -o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/submission
+        <i>...[see sample <a href="master.5.html">master.cf</a> file for more]...</i>
+    smtps         inet  n       -       n       -       -       smtpd
+        -o <a href="postconf.5.html#cleanup_service_name">cleanup_service_name</a>=$mua_cleanup_service_name
+        -o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/smtps
+        -o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes
+        <i>...[see sample <a href="master.5.html">master.cf</a> file for more]...</i>
+</pre>
+</blockquote>
+
+<p> By keeping the "mua_xxx" parameter settings in <a href="postconf.5.html">main.cf</a>, you
+keep your <a href="master.5.html">master.cf</a> file simple, and you minimize the amount
+of duplication. </p>
+
 <h2><a name="domain_except">Configuring header/body checks for mail to some domains only</a></h2>
 
 <p> The following information applies to Postfix 2.1. Earlier
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index e4e47d80d..839386b98 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -17486,13 +17486,13 @@ gives timeout errors.  </p>
 </DD>
 
 <DT><b><a name="tls_session_ticket_cipher">tls_session_ticket_cipher</a>
-(default: aes-128-cbc)</b></DT><DD>
+(default: Postfix &ge; 2.12: aes-256-cbc, postfix &lt 2.12: aes-128-cbc)</b></DT><DD>
 
 <p> Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.  This
-algorithm must use CBC mode, have a 128-bit initialization vector
-(IV), and must have a key length between 128 and 256 bits.  The
-default is aes-128-cbc.  Sensible alternatives include aes-192-cbc
-and aes-256-cbc.  </p>
+algorithm must use CBC mode, have a 128-bit block size, and must
+have a key length between 128 and 256 bits.  The default is
+aes-256-cbc.  Overriding the default to choose a different algorithm
+is discouraged.  </p>
 
 <p> Setting this parameter empty disables session ticket support
 in the Postfix SMTP server.  Another way to disable session ticket
diff --git a/postfix/html/smtp-sink.1.html b/postfix/html/smtp-sink.1.html
index 8c676de7c..e58394ec3 100644
--- a/postfix/html/smtp-sink.1.html
+++ b/postfix/html/smtp-sink.1.html
@@ -116,6 +116,8 @@ SMTP-SINK(1)                                                      SMTP-SINK(1)
        <b>-n</b> <i>count</i>
               Terminate after <i>count</i> sessions.
 
+       <b>-N</b>     Do not announce support for DSN.
+
        <b>-p</b>     Do not announce support for ESMTP command pipelining.
 
        <b>-P</b>     Change the server greeting so that it appears to come through  a
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 7e6a24269..61ac92c30 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -541,7 +541,8 @@ SMTPD(8)                                                              SMTPD(8)
 
        Available in Postfix version 2.12 and later:
 
-       <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (aes-128-cbc)</b>
+       <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix</b> &amp;<b>ge; 2.12: aes-256-cbc, postfix</b>  &amp;<b>lt</b>
+       <b>2.12: aes-128-cbc)</b>
               Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
diff --git a/postfix/man/man1/smtp-sink.1 b/postfix/man/man1/smtp-sink.1
index 7013c9299..da45ae7fd 100644
--- a/postfix/man/man1/smtp-sink.1
+++ b/postfix/man/man1/smtp-sink.1
@@ -112,6 +112,8 @@ connections will stay queued in the TCP/IP stack.
 Terminate after receiving \fIcount\fR messages.
 .IP "\fB-n \fIcount\fR"
 Terminate after \fIcount\fR sessions.
+.IP \fB-N\fR
+Do not announce support for DSN.
 .IP \fB-p\fR
 Do not announce support for ESMTP command pipelining.
 .IP \fB-P\fR
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index daeebcb9c..121cc5fbb 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -12024,12 +12024,12 @@ Note: on OpenBSD systems specify /dev/arandom when /dev/urandom
 gives timeout errors.
 .PP
 This feature is available in Postfix 2.2 and later.
-.SH tls_session_ticket_cipher (default: aes-128-cbc)
+.SH tls_session_ticket_cipher (default: Postfix >= 2.12: aes-256-cbc, postfix &lt 2.12: aes-128-cbc)
 Algorithm used to encrypt RFC5077 TLS session tickets.  This
-algorithm must use CBC mode, have a 128-bit initialization vector
-(IV), and must have a key length between 128 and 256 bits.  The
-default is aes-128-cbc.  Sensible alternatives include aes-192-cbc
-and aes-256-cbc.
+algorithm must use CBC mode, have a 128-bit block size, and must
+have a key length between 128 and 256 bits.  The default is
+aes-256-cbc.  Overriding the default to choose a different algorithm
+is discouraged.
 .PP
 Setting this parameter empty disables session ticket support
 in the Postfix SMTP server.  Another way to disable session ticket
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index 9ede39e7c..0a8d7c151 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -489,7 +489,7 @@ Available in Postfix version 2.11 and later:
 The name of the \fBtlsmgr\fR(8) service entry in master.cf.
 .PP
 Available in Postfix version 2.12 and later:
-.IP "\fBtls_session_ticket_cipher (aes-128-cbc)\fR"
+.IP "\fBtls_session_ticket_cipher (Postfix &ge; 2.12: aes-256-cbc, postfix &lt 2.12: aes-128-cbc)\fR"
 Algorithm used to encrypt RFC5077 TLS session tickets.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
diff --git a/postfix/proto/BUILTIN_FILTER_README.html b/postfix/proto/BUILTIN_FILTER_README.html
index af959d298..4cccb87e4 100644
--- a/postfix/proto/BUILTIN_FILTER_README.html
+++ b/postfix/proto/BUILTIN_FILTER_README.html
@@ -126,6 +126,8 @@ same message repeatedly. </p>
 
 <li><a href="#remote_only">Configuring header/body checks for mail from outside users only</a>
 
+<li><a href="#mx_submission">Configuring different header/body checks for MX service and submission service</a>
+
 <li><a href="#domain_except">Configuring header/body checks for mail to some domains only</a>
 
 </ul>
@@ -209,7 +211,9 @@ header/body checks are requested by the source.  Examples of how
 to turn off header/body checks for mail received with smtpd(8),
 qmqpd(8) or pickup(8) are given below under "<a
 href="#remote_only">Configuring header/body checks for mail from
-outside users only</a>" and "<a href="#domain_except">Configuring
+outside users only</a>", "<a href="#mx_submission">Configuring
+different header/body checks for MX service and submission
+service</a>", and "<a href="#domain_except">Configuring
 header/body checks for mail to some domains only</a>".  </p>
 
 <h2><a name="limitations">Limitations of Postfix header/body checks </a></h2>
@@ -393,6 +397,61 @@ header/body filtering turned on via main.cf. </p>
 
 </ul>
 
+<h2><a name="mx_submission">Configuring different header/body checks for MX service and submission service</a></h2>
+
+<p> If authorized user submissions require different header/body
+checks than mail from remote MTAs, then this is possible as long
+as you have separate mail streams for authorized users and for MX
+service. </p>
+
+<p> The example below assumes that authorized users connect to TCP
+port 587 (submission) or 465 (smtps), and that remote MTAs connect
+to TCP port 25 (smtp). </p>
+
+<p> First, we define a few "user-defined" parameters that will
+override settings for the submission and smtps services. </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+    mua_cleanup_service_name = mua_cleanup
+    mua_header_checks = pcre:/etc/postfix/mua_header_checks
+    mua_body_checks = pcre:/etc/postfix/mua_body_checks
+</pre>
+</blockquote>
+
+<p> Next, we define mua_cleanup as a dedicated cleanup service that
+will be used only by the submission and smtps services.  This service
+uses the header_checks and body_checks overrides that were defined
+above. </p>
+
+<blockquote>
+<pre>
+/etc/postfix.master.cf:
+    # =================================================================
+    # service     type  private unpriv  chroot  wakeup  maxproc command
+    #                   (yes)   (yes)   (yes)   (never) (100)
+    # =================================================================
+    smtp          inet  n       -       n       -       -       smtpd
+    mua_cleanup   unix  n       -       n       -       0       cleanup
+        -o header_checks=$mua_header_checks
+        -o body_checks=$mua_body_checks
+    submission    inet  n       -       n       -       -       smtpd
+        -o cleanup_service_name=$mua_cleanup_service_name
+        -o syslog_name=postfix/submission
+        <i>...[see sample master.cf file for more]...</i>
+    smtps         inet  n       -       n       -       -       smtpd
+        -o cleanup_service_name=$mua_cleanup_service_name
+        -o syslog_name=postfix/smtps
+        -o smtpd_tls_wrappermode=yes
+        <i>...[see sample master.cf file for more]...</i>
+</pre>
+</blockquote>
+
+<p> By keeping the "mua_xxx" parameter settings in main.cf, you
+keep your master.cf file simple, and you minimize the amount
+of duplication. </p>
+
 <h2><a name="domain_except">Configuring header/body checks for mail to some domains only</a></h2>
 
 <p> The following information applies to Postfix 2.1. Earlier
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index d48128065..8624f3c67 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -15899,13 +15899,13 @@ anchor assertion) TLSA records. </p>
 
 <p> This feature is available in Postfix 2.11 and later. </p>
 
-%PARAM tls_session_ticket_cipher aes-128-cbc
+%PARAM tls_session_ticket_cipher Postfix &ge; 2.12: aes-256-cbc, postfix &lt 2.12: aes-128-cbc
 
 <p> Algorithm used to encrypt RFC5077 TLS session tickets.  This
-algorithm must use CBC mode, have a 128-bit initialization vector
-(IV), and must have a key length between 128 and 256 bits.  The
-default is aes-128-cbc.  Sensible alternatives include aes-192-cbc
-and aes-256-cbc.  </p>
+algorithm must use CBC mode, have a 128-bit block size, and must
+have a key length between 128 and 256 bits.  The default is
+aes-256-cbc.  Overriding the default to choose a different algorithm
+is discouraged.  </p>
 
 <p> Setting this parameter empty disables session ticket support
 in the Postfix SMTP server.  Another way to disable session ticket
diff --git a/postfix/src/cleanup/cleanup_addr.c b/postfix/src/cleanup/cleanup_addr.c
index f869f0357..c2fce82e9 100644
--- a/postfix/src/cleanup/cleanup_addr.c
+++ b/postfix/src/cleanup/cleanup_addr.c
@@ -204,6 +204,11 @@ void    cleanup_addr_recipient(CLEANUP_STATE *state, const char *buf)
 	if (state->flags & CLEANUP_FLAG_AUTOUTF8)
 	    state->smtputf8 |= SMTPUTF8_FLAG_REQUESTED;
     }
+    /* Fix 20141024: Don't fake up a "bare" DSN original rcpt in smtp(8). */
+    if (state->dsn_orcpt == 0 && *STR(clean_addr) != 0)
+	state->dsn_orcpt = concatenate((!allascii(STR(clean_addr))
+			   && (state->smtputf8 & SMTPUTF8_FLAG_REQUESTED)) ?
+		      "utf-8" : "rfc822", ";", STR(clean_addr), (char *) 0);
     cleanup_out_recipient(state, state->dsn_orcpt, state->dsn_notify,
 			  state->orig_rcpt, STR(clean_addr));
     if (state->recip)				/* This can happen */
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 383873e9f..a7b0fdb56 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -2329,7 +2329,12 @@ extern int var_local_rcpt_code;
 				" $" VAR_RCPT_BCC_MAPS \
 				" $" VAR_SMTP_GENERIC_MAPS \
 				" $" VAR_LMTP_GENERIC_MAPS \
-				" $" VAR_ALIAS_MAPS
+				" $" VAR_ALIAS_MAPS \
+				" $" VAR_CLIENT_CHECKS \
+				" $" VAR_HELO_CHECKS \
+				" $" VAR_MAIL_CHECKS \
+				" $" VAR_RELAY_CHECKS \
+				" $" VAR_RCPT_CHECKS
 extern char *var_proxy_read_maps;
 
 #define VAR_PROXY_WRITE_MAPS	"proxy_write_maps"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index d51041b05..b0576b604 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20141020"
+#define MAIL_RELEASE_DATE	"20141106"
 #define MAIL_VERSION_NUMBER	"2.12"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c
index 6ae7ade9e..618ce577a 100644
--- a/postfix/src/smtp/smtp_tls_policy.c
+++ b/postfix/src/smtp/smtp_tls_policy.c
@@ -518,9 +518,11 @@ static void *policy_create(const char *unused_key, void *context)
     switch (site_level) {
     default:
 	tls->level = site_level;
+	/* FALLTHROUGH */
     case TLS_LEV_NOTFOUND:
 	break;
     case TLS_LEV_INVALID:
+	tls->level = site_level;
 	return ((void *) tls);
     }
 
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 924340b20..c4b34aedc 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -455,7 +455,7 @@
 /*	The name of the \fBtlsmgr\fR(8) service entry in master.cf.
 /* .PP
 /*	Available in Postfix version 2.12 and later:
-/* .IP "\fBtls_session_ticket_cipher (aes-128-cbc)\fR"
+/* .IP "\fBtls_session_ticket_cipher (Postfix &ge; 2.12: aes-256-cbc, postfix &lt 2.12: aes-128-cbc)\fR"
 /*	Algorithm used to encrypt RFC5077 TLS session tickets.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
@@ -4614,6 +4614,22 @@ static void tls_reset(SMTPD_STATE *state)
 
 #endif
 
+/* unimpl_cmd - dummy for functionality that is not compiled in */
+
+static int unimpl_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
+{
+
+    /*
+     * When a connection is closed we want to log the request counts for
+     * unimplemented STARTTLS or AUTH commands separately, instead of logging
+     * those commands as "unknown". By handling unimplemented commands with
+     * this dummy function, we avoid messing up the command processing loop.
+     */
+    state->error_mask |= MAIL_ERROR_PROTOCOL;
+    smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented");
+    return (-1);
+}
+
  /*
   * The table of all SMTP commands that we know. Set the junk limit flag on
   * any command that can be repeated an arbitrary number of times without
@@ -4638,9 +4654,13 @@ static SMTPD_CMD smtpd_cmd_table[] = {
     {SMTPD_CMD_XFORWARD, xforward_cmd,},
 #ifdef USE_TLS
     {SMTPD_CMD_STARTTLS, starttls_cmd, SMTPD_CMD_FLAG_PRE_TLS,},
+#else
+    {SMTPD_CMD_STARTTLS, unimpl_cmd, SMTPD_CMD_FLAG_PRE_TLS,},
 #endif
 #ifdef USE_SASL_AUTH
     {SMTPD_CMD_AUTH, smtpd_sasl_auth_cmd,},
+#else
+    {SMTPD_CMD_AUTH, unimpl_cmd,},
 #endif
     {SMTPD_CMD_MAIL, mail_cmd,},
     {SMTPD_CMD_RCPT, rcpt_cmd,},
diff --git a/postfix/src/smtpstone/smtp-sink.c b/postfix/src/smtpstone/smtp-sink.c
index 68dd84039..8fd987c83 100644
--- a/postfix/src/smtpstone/smtp-sink.c
+++ b/postfix/src/smtpstone/smtp-sink.c
@@ -106,6 +106,8 @@
 /*	Terminate after receiving \fIcount\fR messages.
 /* .IP "\fB-n \fIcount\fR"
 /*	Terminate after \fIcount\fR sessions.
+/* .IP \fB-N\fR
+/*	Do not announce support for DSN.
 /* .IP \fB-p\fR
 /*	Do not announce support for ESMTP command pipelining.
 /* .IP \fB-P\fR
@@ -369,6 +371,7 @@ static int disable_saslauth;
 static int disable_xclient;
 static int disable_xforward;
 static int disable_enh_status;
+static int disable_dsn;
 static int max_client_count = DEF_MAX_CLIENT_COUNT;
 static int client_count;
 static int sock;
@@ -628,6 +631,8 @@ static void ehlo_response(SINK_STATE *state, const char *args)
 	smtp_printf(state->stream, "250-XFORWARD NAME ADDR PROTO HELO");
     if (!disable_enh_status)
 	smtp_printf(state->stream, "250-ENHANCEDSTATUSCODES");
+    if (!disable_dsn)
+	smtp_printf(state->stream, "250-DSN");
     /* RFC 821/2821/5321: Format is replycode<SPACE>optional-text<CRLF> */
     smtp_printf(state->stream, "250 ");
     SMTP_FLUSH(state->stream);
@@ -1422,7 +1427,7 @@ int     main(int argc, char **argv)
     /*
      * Parse JCL.
      */
-    while ((ch = GETOPT(argc, argv, "468aA:b:B:cCd:D:eEf:Fh:Ln:m:M:pPq:Q:r:R:s:S:t:T:u:vw:W:")) > 0) {
+    while ((ch = GETOPT(argc, argv, "468aA:b:B:cCd:D:eEf:Fh:Ln:m:M:NpPq:Q:r:R:s:S:t:T:u:vw:W:")) > 0) {
 	switch (ch) {
 	case '4':
 	    protocols = INET_PROTO_NAME_IPV4;
@@ -1499,6 +1504,9 @@ int     main(int argc, char **argv)
 	    if ((max_quit_count = atoi(optarg)) <= 0)
 		msg_fatal("bad quit count: %s", optarg);
 	    break;
+	case 'N':
+	    disable_dsn = 1;
+	    break;
 	case 'p':
 	    disable_pipelining = 1;
 	    break;
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 1338d72fe..98f78b658 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -192,6 +192,7 @@
   * System library.
   */
 #include <sys_defs.h>
+#include <errno.h>
 
  /*
   * Utility library.
@@ -732,6 +733,8 @@ static void tlsp_get_fd_event(int event, char *context)
     event_disable_readwrite(plaintext_fd);
     if (event != EVENT_TIME)
 	event_cancel_timer(tlsp_get_fd_event, (char *) state);
+    else
+	errno = ETIMEDOUT;
 
     /*
      * Initialize plaintext-related session state.  Once we have this behind
@@ -796,6 +799,8 @@ static void tlsp_get_request_event(int event, char *context)
      */
     if (event != EVENT_TIME)
 	event_cancel_timer(tlsp_get_request_event, (char *) state);
+    else
+	errno = ETIMEDOUT;
 
     /*
      * We must send some data, after receiving the request attributes and