postfix-3.10.2

postfix-3.10.1
postfix-3.10.0
2025-08-24 10:58:39 +00:00 · 2025-04-23 11:22:05 +10:00 · 2025-02-25 12:15:13 +11:00 · 2025-02-18 13:47:31 +11:00
234 changed files with 2159 additions and 8338 deletions
--- a/postfix/.indent.pro
+++ b/postfix/.indent.pro
@ -248,7 +248,6 @@
 -TNBBIO
 -TNVTABLE_INFO
 -TOPTIONS
 -TOSSL_DGST
 -TPCF_DBMS_INFO
 -TPCF_DEPR_PARAM_INFO
 -TPCF_EVAL_CTX
@ -261,10 +260,6 @@
 -TPCF_SERVICE_DEF
 -TPCF_SERVICE_PATTERN
 -TPCF_STRING_NV
 -TPEER_FROM_HAPROXY_CASE
 -TPEER_FROM_NON_SOCKET_CASE
 -TPEER_FROM_PASS_ATTR_CASE
 -TPEER_FROM_UNCONN_SOCKET_CASE
 -TPEER_NAME
 -TPGSQL_NAME
 -TPICKUP_INFO
@ -363,7 +358,6 @@
 -TSTRING_LIST
 -TSTRING_TABLE
 -TSYS_EXITS_DETAIL
 -TTEST_BASE
 -TTEST_CASE
 -TTLSMGR_SCACHE
 -TTLSP_STATE
@ -426,7 +420,6 @@
 -Td2i_X509_t
 -Tdane_digest
 -Tdane_mtype
 -Tdict_lookup_verify_data
 -Tfilter_ctx
 -Tgeneral_name_stack_t
 -Tiana_digest
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -29003,9 +29003,14 @@ Apologies for any names omitted.
 	unnecessary 'dnssec_probe' warnings, on systems that disable
 	DNSSEC lookups (the default). File: smtp/smtp_addr.c.
 20250223
 	Documentation: updated link to Dovecot documentation. File:
 	proto/SASL_README.
 20250227
-	Improve and correct warning messages when converting (host
+	Improved and corrected error messages when converting (host
 	or service) information to (symbolic text, numerical text,
 	or binary) form. File: util/myaddrinfo.c.
@ -29016,562 +29021,11 @@ Apologies for any names omitted.
 	after an I/O error on an existing connection. Reported by
 	Oleksandr Kozmenko. File: xsasl/xsasl_dovecot_server.c.
 20240315
 	Code health: two typos canceled each other's effect. Fix
 	by Michael Tokarev. No change in compiler output. File:
 	util/vstring_vstream.c.
 20250316
-	Bugfix (defect introduced: date 19991116): when appending a
+	Bugfix (defect introduced: date 19991116): when appending
-	setting to a main.cf or master.cf file that did not end in
+	a setting to a main.cf or master.cf file that did not end
-	a newline character, the "postconf -e" command did not add
+	in a newline character, the "postconf -e" command did not
-	an extra newline character before appending the new setting,
+	add an extra newline character before appending the new
-	causing information to become garbled. Fix by Michael
+	setting, causing information to become garbled. Fix by
-	Tokarev. File: postconf/postconf_edit.c.
+	Michael Tokarev. File: postconf/postconf_edit.c.
 20250317
 	Documentation: added text to clarify the difference between
 	SMTP connection reuse and TLS session resumption, and that
 	these can be combined together. File: proto/TLSRPT_README.html.
 20250321
 	Safety: the SQLite client now logs a warning when a query
 	uses double quotes instead of the Postfix-recommended single
 	quotes. Oscar Bataille reported that the non-recommended
 	form is not protected against SQL injection. Files:
 	global/dict_sqlite.c, global/dict_sqlite_test.c.
 20250326
 	Updated myaddrinfo tests to also cover service/port conversion.
 	Files: util/myaddrinfo4.ref, util/myaddrinfo4.ref2,
 	util/myaddrinfo.c, util/myaddrinfo.ref, util/myaddrinfo.ref2.
 20260402
 	Documentation: updated guidance for using DNS-based reputation
 	services. File: proto/postconf.proto.
 20250404
 	Code health: simplified the conversions from IPv4 mapped
 	IPv6 addresses (::ffff:d.d.d.d) to their IPv4 form (d.d.d.d),
 	for both the binary form and human-readable form. Added
 	unit tests to show that the conversions work as expected.
 	Files: util/normalize_v4mapped_addr.[hc],
 	util/normalize_v4mapped_addr_test.c.
 20260406
 	Code health: overhauled the haproxy adapter to simplify
 	code and to avoid unnecessary conversions between binary
 	and human-readable forms. Added more unit tests for the v1
 	and v2 proxy protocols. A separate update will overhaul
 	the smtpd 'peer' lookups. Files: global/haproxy_srvr.c,
 	global/haproxy_srvr_test.c.
 20250408
 	Code health: replace explicit code with normalize_v4mapped_xxx()
 	call. File: util/sane_sockaddr_to_hostaddr.c.
 	Bit rot: sane_sockaddr_to_hostaddr() may modify its inputs.
 	smtp/smtp_tlsrpt.c, postscreen/postscreen_endpt.c
 20250411
 	Code health: simplified the Postfix SMTP server code to
 	find out the client and server IP addresses for an SMTP
 	connection. This takes advantage of the improved support
 	for address normalization and for haproxy load balancers.
 	Files: smtpd/smtpd_peer.c, smtpd/smtpd_haproxy.c.
 	Documentation: XCLIENT attribute availability. File:
 	proto/XCLIENT.
 20250418
 	Code health: added 16 unit tests for connection address and
 	port information received through haproxy or postscreen,
 	and improved error handling. Files: smtpd/smtpd_peer.c,
 	smtpd/smtpd_haproxy.c, smtpd/smtpd_peer_test.c.
 	Unit tests for 'direct' connections are deferred pending
 	support to mock or intercept system library function calls.
 20250419
 	Documentation: Postfix LMDB locking protocol description.
 	File: proto/lmdb_table.
 20250504
 	Logging: the memcache client truncated a memcached server
 	error message too aggressively. File: global/dict_memcache.c.
 	Code health: the dict_cache module did not expose a database
 	error to the caller. Files: util/dict_cache.[hc].
 	Code health: the verify(8) daemon now replies with 'address
 	verification status unavailable' when cache lookup fails
 	due to a database error, instead of replying with 'address
 	verification in progress'. File: verify/verify.c.
 	Code health: the verify(8) daemon no longer schedules an
 	address verification probe after a cache lookup for that
 	address failed due to a database error. File: verify/verify.c.
 20250523
 	Documentation: load balancer workaround for Postfix <= 3.9.
 	Files: proto/mysql_table, proto/pgsql_table.
 20250425
 	Documentation: TLSRPT_README typofix by Paul Menzel. File:
 	proto/TLSRPT_README.html.
 20250509
 	Documentation: in "enable_idna2003_compatibility" descriptions,
 	confused zeta with final sigma. Geert Hendrickx. Files:
 	proto/SMTPUTF8_README, proto/postconf.proto.
 	Feature: specify "key_digest = name-of-openssl-digest" to
 	run memcache lookup keys through the named OpenSSL digest
 	and convert the result to lowercase hexadecimal characters,
 	after processing the key_format feature. This prevents a
 	database access error when keys may exceed the memcache
 	server's key length limit (usually, 250 bytes). Files:
 20250523
 	Workaround: tweaked the timeout setting in postconf.proto
 	javascript. File: proto/postconf.html.prolog
 20250525
 	Code health: don't allow the postmap or postalias "-i"
 	option together with one of the (-d, -q, or -s) options on
 	the command line. Files: postmap/postmap.c, postalias/postalias.c,
 	postmap/mode_conflict_test.*, postalias/mode_conflict_test.*.
 	Testing: some postalias and postmap tests depended on the
 	installed main.cf file. Files: postalias/Makefile.in,
 	postmap/Makefile.in.
 	Testing: 'nosleep' preload module to eliminate the delay
 	after logging a fatal error and before terminating a program.
 	Files: testing/Makefile.in, testing/nosleep.c,
 	postalias/Makefile.in, postmap/Makefile.in
 20250526
 	Bugfix (defect introduced: Postfix 0.7.0, date 19990118):
 	postmap and postalias supported "-i" incremental updates
 	only for databases that support "bulk" create. With other
 	databases, the "-i" option was rejected with a misleading
 	error message "no 'map create' support". File: util/mkmap_open.c.
 	Usability: improved error message when a CDB table refuses
 	a delete or incremental update request (it complained about
 	some obscure POSIX open() flags). File: util/dict_cdb.c.
 	Cleanup: remove unnecessary newline characters in debug
 	logging. File: util/dict_db.c.
 	Debugging: added debug logging to the myflock() function.
 	File: util/myflock.c.
 20250601
 	Changed the default smtp_tlsrpt_skip_reused_handshakes
 	setting from "yes" to "no". The new default is enabled with
 	compatibility level >= 3.11. Files: smtp/smtp_tlsrpt.c,
 	global/mail_params.[hc], proto/COMPATIBILITY_README.html.
 20250608
 	Feature: specify "relocated_prefix_enable = no" to disable
 	the hard-coded prefix "5.1.6 User has moved to " that is
 	by default prepended to all relocated_maps lookup results.
 	This setting requires that the table contains responses
 	with both custom enhanced status code (X.Y.Z) and text.
 	Files: proto/postconf.proto, mantools/postlink,
 	global/mail_params.h, trivial-rewrite/trivial-rewrite.c,
 	trivial-rewrite/resolve.c.
 	This was tested against an unprivileged Postfix instance.
 	Support to spin up a disposable unprivileged Postfix instance
 	for testing will be made available later.
 20250609
 	Deprecation: smtp_tls_enforce_peername and
 	lmtp_tls_enforce_peername are now officially deprecated.
 	Files: proto/DEPRECATION_README.html, postconf/postconf_unused.c,
 	postconf/Makefile.in, postconf/test78.ref.
 20250614
 	Bugfix (defect introduced: Postfix 3.0, date 20140923):
 	Lookup tables specified inside the {} were left open after
 	unionmap:{} or pipemap:{} syntax error. Richard Hansen.
 	Files: util/dict_pipe.c, util/dict_union.c.
 20250617
 	Proper unit tests for the pipemap and unionmap implementations.
 	Files: testing/dict_test_helper.[hc], util/dict.[hc],
 	util/dict_pipe_test.c, util/dict_union_test.c. This obsoletes
 	the ad-hoc test files dict_pipe_test.{in,ref} and
 	dict_union_test.{in,ref} and corresponding Makefile targets.
 	Proper sharing of identical dictionary instances opened
 	with dict_pipe_open() and dict_union_open(), reusing the
 	sharing policy that was already implemented with maps_create().
 	Files: util/dict.c, util/dict.h, util/dict_pipe.c,
 	util/dict_union.c, global/maps.c.
 20250619
 	Bugfix (defect introduced: Postfix-3.10, date 20250117): the
 	Postfix SMTP client attempted to look up TLSA records even
 	with "TLS-Required: no". This could result in unnecessary
 	failures. Fix by Viktor Dukhovni & Wietse. Files: smtp/smtp.h,
 	smtp/smtp_policy.c, smtp/smtp_connect.c.
 	Bugfix (defect introduced: Postfix-3.10, date 20250117):
 	include the current TLS security level in the SMTP connection
 	cache lookup key for lookups by next-hop destination. The
 	idea is that to deliver a message without "TLS-Required:
 	no" header, the Postfix SMTP client must not reuse a
 	connection that was created during a burst of deliveries
 	of messages with "TLS-Required: no" to the same destination.
 	Including the TLS security level in the SMTP connection
 	cache lookup key will also prevent false connection reuse
 	when any future feature is added that overrides the TLS
 	security level based on message content or envelope metadata.
 	Files: smtp/smtp.h.
 	Likewise, include the current TLS security level in the TLS
 	client serverid field. File: smtp/smtp_proto.c.
 20250622
 	Bugfix (defect introduced: 20250509): added missing ``#ifdef
 	USE_TLS'' guards around memcache key_digest support. File:
 	global/dict_memcache.c.
 20250623
 	Feature: change the Postfix SMTP client smtp_tls_security_level
 	default value to "may" if Postfix was built with TLS support,
 	and the compatibility_level is 3.11 or higher. At lower
 	compatibility levels, change the default to "empty" and log
 	a backwards compatibility reminder. Files: global/mail_params.h,
 	smtp/smtp.c, tlsproxy/tlsproxy.c, proto/postconf.proto,
 	proto/COMPATIBILITY_README.html.
 	There is no equivalent change for Postfix server TLS security
 	levels, because changing the level alone is not sufficient.
 	Server-side TLS requires that at least one private key and
 	corresponding public-key certificate chain are configured.
 20250624
 	Feature: a new debug: pseudo lookup table. Specify
 	debug:maptype:mapname to encapsulate a maptype:mapname
 	lookup table and log all access. This builds on existing
 	but unused code to log table access. Richard Hansen
 	(rhansen@rhansen.org). Files: proto/DATABASE_README.html,
 	postconf/Makefile.in, /postconf/postconf.c,
 	postconf/postconf_dbms.c, postconf/test77-main.cf,
 	postconf/test77.ref, util/Makefile.in, util/dict_debug.c,
 	util/dict_debug.h, util/dict_debug_test.ref,
 	util/dict_debug_test.sh, util/dict_open.c.
 	Cleanup: To keep the dict_debug: code clean, Wietse removed
 	support for the DICT_FLAG_DEBUG feature that had not been
 	used for decades. Files: util/dict_debug.c, util/dict.c,
 	util/dict.h, src/global/dict_ldap.c, global/dict_mongodb.c,
 	global/dict_mysql.c, global/dict_pgsql.c, global/dict_proxy.c,
 	global/dict_sqlite.c, util/dict_cdb.c, util/dict_cidr.c,
 	util/dict_db.c, util/dict_dbm.c, util/dict_env.c,
 	util/dict_fail.c, util/dict_inline.c, util/dict_lmdb.c,
 	util/dict_ni.c, util/dict_nis.c, util/dict_nisplus.c,
 	util/dict_pcre.c, util/dict_pipe.c, util/dict_random.c,
 	util/dict_regexp.c, util/dict_sdbm.c, util/dict_sockmap.c,
 	util/dict_static.c, util/dict_surrogate.c, util/dict_tcp.c,
 	util/dict_thash.c, util/dict_union.c, util/dict_unix.c.
 20250626
 	Cleanup: removed explicit dictionary life-cycle management
 	complexity from dict_xxx_open() and maps_create(), and
 	centralized it under the generic dict_open() API. Files:
 	global/maps.c, util/dict.c, util/dict.h, util/dict_alloc.c,
 	util/dict_debug.c, util/dict_inline.c, util/dict_open.c,
 	util/dict_pipe.c, util/dict_test.c, util/dict_thash.c,
 	util/dict_union.c.
 20250627
 	Temporary workaround to avoid a potential breaking change:
 	allow the proxymap server to continue registering a dictionary
 	under a legacy name, in addition to the preferred name that
 	it is registered under by dict_open(). Files: util/dict.[hc],
 	proxymap/proxymap.c.
 	Cleanup: some unused test binaries failed to build.  Files:
 	global/own_inet_addr.c, global/data_redirect.c,
 	global/mynetworks.c.
 20250608
 	Cosmetic changes with better identifier names. Files:
 	util/dict.[hc], util/dict_alloc.c, util/dict_pipe.c,
 	util/dict_union.c
 	Cleanup: simplified the match_list parser, and added a unit
 	test for !maptype:mapname. Files: util/match_list.c,
 	global/namaddr_list.in, global/namaddr_list.ref.
 	Cleanup: simplified the rule parser in global/server_acl.c.
 	Unbroke dict_debug Valgrind checks. File: util/dict_debug_test.sh.
 20250710
 	Bugfix (defect introduced: postfix-2.2, date 20050203):
 	after detecting a lookup table change, and after starting
 	a new postscreen process, the old postscreen process logged
 	an ENOTSOCK error while attempting to accept a connection
 	on a socket that it was no longer listening on. This error
 	was introduced first in the multi_server skeleton code, and
 	was five years later duplicated in the event_server skeleton
 	that was created for postscreen. Problem reported by Florian
 	Piekert. Files: master/multi_server.c, master/event_server.c.
 20250713
 	Cleanup: allow "postmap -s" and "postalias -s" with proxied
 	tables. The proxymap protocol already supported this. Files:
 	postmap/postmap.c, postalias/postalias.c.
 	Cleanup: simplified the proxymap protocol and the proxymap
 	table sharing strategy. Share only table instances that
 	have identical client-side dictionary flags when opening a
 	table (instead of sharing tables that have a common subset
 	of flags). With each client request, propagate all client-side
 	dictionary flags to the server, and upon request completion,
 	propagate all resulting server-side dictionary flags to the
 	client. Files: dict.h, dict_proxy.c, proxymap/proxymap.c,
 	global/mail_proto.h.
 	Cleanup; stop hard-coding "dict->flags = DICT_FLAG_FIXED"
 	in dict_alloc.c. All tables already overwrote that information.
 	Debugging: the default import_environment now also imports
 	XDG_RUNTIME_DIR to support GUI debugging a Postfix daemon
 	process on some platforms (it already imported XAUTHORITY
 	and DISPLAY for X-based debuggers). These environment
 	variables are set only when Postfix is started 'by hand'.
 	File: global/mail_params.h.
 	Graceful degradation: when a proxymap or proxywrite server
 	denies access to a table, do not terminate the program.
 	Instead, return a surrogate object that fails all requests
 	with an informative message. File: global/dict_proxy.c.
 	Workaround: added an example to the smtp_reply_filter
 	documentation that works around Microsoft SASL server
 	implementations that send a non-empty initial GSSAPI
 	challenge. File: proto/postconf.proto.
 	Typo in COMPATIBILITY_README.html. Emmanuel Fusté.
 20250714
 	Uploaded the wrong postfix-3.11-20250713 tarball. Files:
 	master/event_server.c, master/multi_server.c.
 	Deleted an <openssl/engine.h> dependency, because the feature is
 	being removed from OpenSSL, and Postfix no longer needs it. File:
 	posttls-finger/posttls-finger.c.
 	Updated the proxymap(8) manpage and some internal documentation.
 	File: proxymap/proxymap.c.
 20250715
 	Cleanup: the proxymap 'open' service always returns the
 	dict->flags from a newly-initialized instance. This avoids
 	cross-talk between different clients. File: proxymap/proxymap.c.
 20250716
 	Bugfix (defect introduced: Postfix 2.7, date 20121223):
 	segfault in the internal: table iterator when the table
 	contained exactly one element. File: util/htable.c.
 	Technical debt: allow an element to be deleted before the
 	internal: table's first/next iterator has visited it. File:
 	util/htable.c.
 20250716
 	Bugfix (defect introduced: Postfix 2.8, date 20101230):
 	after detecting a cache table change and before starting a
 	new postscreen process, the old postscreen process did not
 	close the postscreen_cache_map, and therefore kept an
 	exclusive lock that could prevent a new postscreen process
 	from starting. Problem reported by Florian Piekert. File:
 	postscreen/postscreen.c.
 20250717
 	Workaround: Postfix daemons no longer automatically restart
 	after a btree:, dbm:, hash:, lmdb:, or sdbm: table file
 	modification time change, when they opened that table for
 	writing. Files: util/dict.c, util/dict_db.c, util/dict_dbm.c,
 	util/dict_lmdb.c, util/dict_sdbm.c.
 20250728
 	Documentation: in the postmap(1) manual page, fix the caveat
 	for the '-h' option. Robert Hansen. File: postmap/postmap.c.
 	Documentation: make MULTI_INSTANCE_README terminology
 	(default and non-default instances) consistent with
 	postmulti(1) terminology (primary and secondary instances).
 	Robert Hansen. File: proto/MULTI_INSTANCE_README.html.
 	Documentation: clarify vstring(3) handling of functions
 	that expect null-terminated inputs. File: util/vstring.c.
 	Bugfix (defect introduced: Postfix 3.6, date 20200710):
 	Postfix TLS client code logged "Untrusted TLS connection"
 	(wrong) instead of "Trusted TLS connection" (right), when
 	a server offered a trusted (valid PKI trust chain) certificate
 	that did not match the expected server name pattern. Viktor
 	Dukhovni. Files: tls/tls_client.c, tls/tls_verify.c.
 	Cleanup: the TLS client stores no more than one session
 	ticket per TLS connection (a remote TLS 1.3 server can send
 	multiple tickets). Viktor Dukhovni. File: tls/tls_client.c.
 20250729
 	Cleanup: more precise handling of session tickets in the
 	Postfix TLS server. Viktor Dukhovni. File: tls/tls_server.c.
 	Cleanup: TLS_SESS_STATE.rpt_reported should be a public member.
 	File: tls/tls.h
 	Cleanup: document that TLS_SESS_STATE.ticketed is now a
 	dual-purpose field. File: tls/tls.h.
 	Support for the 'll' (long long, etc.) and 'j' (intmax_t,
 	etc.) format modifiers. These may appear in the expansion
 	of the C99 PRI?MAX macros. File: util/vbuf_print.c.
 	Y2038 compatibility for 32-bit computer systems: 'long'
 	will be too small for the YP_LAST_MODIFIED field in a NIS
 	or NISPLUS mail.aliases map. Jiaying Song, Wind River. File:
 	postalias/postalias.c. There is more time-handling code in
 	Postfix that would need to be converted to int64_t, or to
 	long long which just like time_t is a 64-bit type on many
 	ILP32 and LP64 systems.
 20250730
 	Bugfix (defect introduced: Postfix 3.6, date 20200710):
 	Postfix TLS client code logged "Untrusted TLS connection"
 	(wrong) instead of "Trusted TLS connection" (right) for a
 	resumed TLS session, when a server offered a trusted (valid
 	PKI trust chain) certificate that did not match the expected
 	server name pattern. Viktor Dukhovni. Files: tls/tls_client.c,
 	tls/tls_verify.c.
 	Cleanup: make the manpage extraction tooling smarter about
 	section headings, and remove the now unnecessary explicit
 	".SH" formatting requests. This produces zero visible change
 	in formatted Postfix manpages. Files: mantools/srctoman,
 	src/global/config_known_tcp_ports.c, postmulti/postmulti.c,
 	tls/tls_misc.c.
 	Regenerate all manpages, causing parameter summaries to be
 	updated with new descriptions from postconf(5). Files:
 	conf/postfix-tls-script, discard/discard.c, error/error.c,
 	oqmgr/qmgr.c, postmulti/postmulti.c, qmgr/qmgr.c,
 	virtual/virtual.c.
 20250801
 	Bugfix (defect introduced: Postfix 3.7): incorrect backwards
 	compatible support for the legacy configuration parameters
 	tlsproxy_client_level and tlsproxy_client_policy. This
 	disabled the tlsproxy TLS client role when a legacy parameter
 	was set. Reported by John Doe, diagnosed by Viktor Dukhovni.
 	File: global/mail_params.h.
 	Bugfix (defect introduced: Postfix 3.4): with the TLS client
 	role disabled by configuration, the tlsproxy daemon
 	dereferenced a null pointer while handling a tlsproxy client
 	request. Reported by John Doe. File: tlsproxy/tlsproxy.c.
 	Bugfix (defect introduced: 20250713): the import_environment
 	change did not have space between POSTLOG_HOSTNAME and
 	XDG_RUNTIME_DIR, breaking maillog_file support and graphical
 	debugging. File: global/mail_params.h.
 20250801
 	Feature: smtpd_reject_filter_maps can selectively replace a
 	reject response from the Postfix SMTP server, or from a
 	program that replies through the Postfix SMTP server. Files:
 	smtpd/smtpd.c, smtpd/smtpd_chat.c, global/mail_params.h,
 	proto/postconf.proto, mantools/postlink.
 20250803
 	Cleanup: when "tls_required_enable = yes" and a message
 	contains a "TLS-Required: no" header", the Postfix SMTP
 	client now also ignores the recipient-side TLSRPT policy,
 	in addition to the already ignored recipient-side MTA-STS
 	and DANE policies. This prevents TLSRPT notifications for
 	all SMTP deliveries that do not require TLS. File:
 	smtp/smtp_connect.c.
 20250806
 	Documentation: updated the smtpd_hide_client_session
 	description with specific reference to RFC 5321 section
 	4.4. File: proto/postconf.proto.
 20250807
 	Bugfix (defect introduced: 20250803): "TLS-Required: no"
 	was no longer in effect for deliveries over UNIX-domain
 	sockets (which are supported for LMTP only). Viktor Dukhovni.
 	File: smtp/smtp_connect.c.
 20250808
 	Cleanup: simplify the code to determine if "TLS-Required:
 	no" is in effect, and improve the tls_required_enable
 	documentation. This will be back-ported to Postfix 3.10.
 	Files: Makefile.in, smtp/smtp.h smtp/smtp_connect.c,
 	smtp/smtp_tls_policy.c, proto/postconf.proto.
 20250816
 	Bugfix (defect introduced: Postfix 3.0, date 20140731): the
 	smtpd 'disconnect' command counts did not count malformed
 	commands with "bad syntax" and "bad UTF-8 syntax" errors.
 	File: smtpd/smtpd.c.
--- a/postfix/Makefile.in
+++ b/postfix/Makefile.in
@ -12,7 +12,7 @@ DIRS	= src/util src/global src/dns src/tls src/xsasl src/master src/milter \
 	src/postsuper src/qmqpd src/spawn src/flush src/verify \
 	src/virtual src/proxymap src/anvil src/scache src/discard src/tlsmgr \
 	src/postmulti src/postscreen src/dnsblog src/tlsproxy \
-	src/posttls-finger src/postlogd src/testing
+	src/posttls-finger src/postlogd
 MANDIRS	= proto man html
 LIBEXEC	= libexec/post-install libexec/postfix-script libexec/postfix-wrapper \
 	libexec/postmulti-script libexec/postfix-tls-script
@ -115,8 +115,7 @@ manpages:
 	done </dev/null
 # Some checks require a bin/postconf executable.
-pre-release-checks: update typo-check double-check \
+pre-release-checks: typo-check double-check missing-proxy-read-maps-check \
 	missing-proxy-read-maps-check \
 	postlink-check postfix-files-check \
 	postconf-unimplemented-check postconf-undocumented-check \
 	check-table-proto check-see-postconf-d-output \
--- a/postfix/README_FILES/COMPATIBILITY_README
+++ b/postfix/README_FILES/COMPATIBILITY_README
@ -57,13 +57,6 @@ Logged with compatibility_level < 3.6:
  * Using backwards-compatible default setting respectful_logging=no
 Logged with compatibility_level < 3.11:
  * using backwards-compatible default setting
    smtp_tlsrpt_skip_reused_handshakes=yes
  * using backwards-compatible default setting xxx_security_level=(empty)
 If such a message is logged in the context of a legitimate request, the system
 administrator should make the backwards-compatible setting permanent in main.cf
 or master.cf, as detailed in the sections that follow.
@ -79,9 +72,9 @@ could result in unexpected non-delivery of email after Postfix is updated from
 an older version. The backwards-compatibility safety net is designed to prevent
 such surprises.
-As long as the append_dot_mydomain parameter is left unspecified at its
+As long as the append_dot_mydomain parameter is left at its implicit default
-implicit default value, and the compatibility_level setting is less than 1,
+value, and the compatibility_level setting is less than 1, Postfix may log one
-Postfix may log one of the following messages:
+of the following messages:
  * Messages about missing "localhost" in mydestination or other address class:
@ -117,9 +110,9 @@ the chroot feature enabled after updating Postfix from an older version. The
 backwards-compatibility safety net is designed allow the administrator to
 choose if they want to keep the old behavior.
-As long as a master.cf chroot field is left unspecified at its implicit default
+As long as a master.cf chroot field is left at its implicit default value, and
-value, and the compatibility_level setting is less than 1, Postfix may log the
+the compatibility_level setting is less than 1, Postfix may log the following
-following message while it reads the master.cf file:
+message while it reads the master.cf file:
    postfix/master[27664]: /etc/postfix/master.cf: line 72: using
        backwards-compatible default setting chroot=y
@ -144,8 +137,8 @@ denied' errors after Postfix is updated from an older Postfix version. The
 backwards-compatibility safety net is designed to prevent such surprises.
 When the compatibility_level less than 1, and the smtpd_relay_restrictions
-parameter is left unspecified at its implicit default setting, Postfix may log
+parameter is left at its implicit default setting, Postfix may log the
-the following message:
+following message:
    postfix/smtpd[38463]: using backwards-compatible default setting
        "smtpd_relay_restrictions = (empty)" to avoid "Relay access
@ -167,10 +160,10 @@ that don't request SMTPUTF8 support, after Postfix is updated from an older
 version. The backwards-compatibility safety net is designed to prevent such
 surprises.
-As long as the smtputf8_enable parameter is left unspecified at its implicit
+As long as the smtputf8_enable parameter is left at its implicit default value,
-default value, and the compatibility_level setting is less than 1, Postfix logs
+and the compatibility_level setting is less than 1, Postfix logs a warning each
-a warning each time an SMTP command uses a non-ASCII address localpart without
+time an SMTP command uses a non-ASCII address localpart without requesting
-requesting SMTPUTF8 support:
+SMTPUTF8 support:
    postfix/smtpd[27560]: using backwards-compatible default setting
        smtputf8_enable=no to accept non-ASCII sender address
@ -195,9 +188,9 @@ could cause unexpected 'access denied' errors after Postfix is updated from an
 older version. The backwards-compatibility safety net is designed to prevent
 such surprises.
-As long as the mynetworks and mynetworks_style parameters are left unspecified
+As long as the mynetworks and mynetworks_style parameters are left at their
-at their implicit default values, and the compatibility_level setting is less
+implicit default values, and the compatibility_level setting is less than 2,
-than 2, the Postfix SMTP server may log one of the following messages:
+the Postfix SMTP server may log one of the following messages:
    postfix/smtpd[17375]: using backwards-compatible default setting
        mynetworks_style=subnet to permit request from client
@ -221,9 +214,9 @@ value. This could result in unexpected 'Relay access denied' errors or ETRN
 errors after Postfix is updated from an older version. The backwards-
 compatibility safety net is designed to prevent such surprises.
-As long as the relay_domains parameter is left unspecified at its implicit
+As long as the relay_domains parameter is left at its implicit default value,
-default value, and the compatibility_level setting is less than 2, Postfix may
+and the compatibility_level setting is less than 2, Postfix may log one of the
-log one of the following messages.
+following messages.
  * Messages about accepting mail for a remote domain:
@ -270,10 +263,10 @@ deprecated) setting, you should consider switching to "sha256". This will
 require updating any associated lookup table keys with the "sha256" digests of
 the expected client certificate or public key.
-As long as the smtpd_tls_fingerprint_digest parameter is left unspecified at
+As long as the smtpd_tls_fingerprint_digest parameter is left at its implicit
-its implicit default value, and the compatibility_level setting is less than
+default value, and the compatibility_level setting is less than 3.6, Postfix
-3.6, Postfix logs a warning each time a client certificate or public key
+logs a warning each time a client certificate or public key fingerprint is
-fingerprint is (potentially) used for access control:
+(potentially) used for access control:
    postfix/smtpd[27560]: using backwards-compatible default setting
        smtpd_tls_fingerprint_digest=md5 to compute certificate fingerprints
@ -306,10 +299,10 @@ table to specify matching "sha256" digests of the expected server certificates
 or public keys.
 As long as the smtp_tls_fingerprint_digest (or LMTP equivalent) parameter is
-left unspecified at its implicit default value, and the compatibility_level
+left at its implicit default value, and the compatibility_level setting is less
-setting is less than 3.6, Postfix logs a warning each time the "fingerprint"
+than 3.6, Postfix logs a warning each time the "fingerprint" security level is
-security level is used to specify matching "md5" digests of trusted server
+used to specify matching "md5" digests of trusted server certificates or public
-certificates or public keys:
+keys:
    postfix/smtp[27560]: using backwards-compatible default setting
        smtp_tls_fingerprint_digest=md5 to compute certificate fingerprints
@ -339,8 +332,8 @@ behavior.
 To maintain compatibility with earlier versions, Postfix will keep evaluating
 smtpd_recipient_restrictions before smtpd_relay_restrictions, as long as the
 compatibility_level is less than 3.6, and the
-smtpd_relay_before_recipient_restrictions parameter is left unspecified at its
+smtpd_relay_before_recipient_restrictions parameter is left at its implicit
-implicit default setting. As a reminder, Postfix may log the following message:
+default setting. As a reminder, Postfix may log the following message:
    postfix/smtpd[54696]: using backwards-compatible default setting
        smtpd_relay_before_recipient_restrictions=no to reject recipient
@ -363,10 +356,10 @@ backwards-compatible default values, the changes in logging could affect
 logfile analysis tools.
 To avoid breaking existing logfile analysis tools, Postfix will keep logging
-the deprecated form, as long as the respectful_logging parameter is left
+the deprecated form, as long as the respectful_logging parameter is left at its
-unspecified at its implicit default value, and the compatibility_level setting
+implicit default value, and the compatibility_level setting is less than 3.6.
-is less than 3.6. As a reminder, Postfix may log the following when a remote
+As a reminder, Postfix may log the following when a remote SMTP client is
-SMTP client is allowlisted or denylisted:
+allowlisted or denylisted:
    postfix/postscreen[22642]: Using backwards-compatible default setting
        respectful_logging=no for client [address]:port
@ -378,59 +371,6 @@ administrator should make the backwards-compatible setting "respectful_logging
    # ppoossttccoonnff ""rreessppeeccttffuull__llooggggiinngg == nnoo""
    # ppoossttffiixx rreellooaadd
 UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg
 ssmmttpp__ttllssrrpptt__sskkiipp__rreeuusseedd__hhaannddsshhaakkeess==yyeess
 Postfix version 3.11 changes the default value for
 smtp_tlsrpt_skip_reused_handshakes from "yes" to "no". The backwards-
 compatibility safety net is designed to prevent an unexpected change in
 reporting behavior when Postfix is updated from an older version.
 As long as the smtp_tlsrpt_skip_reused_handshakes parameter is left unspecified
 at its implicit default value, and the compatibility_level setting is less than
 3.11, Postfix will log a reminder that it is using the backwards-compatible
 default:
    postfix/smtp[388157] using backwards-compatible default setting
        smtp_tlsrpt_skip_reused_handshakes=yes
 To keep the old default setting, the system administrator should make the
 backwards-compatible setting "smtp_tlsrpt_skip_reused_handshakes = yes"
 permanent in main.cf:
    # ppoossttccoonnff ssmmttpp__ttllssrrpptt__sskkiipp__rreeuusseedd__hhaannddsshhaakkeess==yyeess
    # ppoossttffiixx rreellooaadd
 UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg xxxxxx__sseeccuurriittyy__lleevveell==((eemmppttyy))
 Postfix version 3.11 changes the default value for client TLS security levels
 from "empty" to "may". The backwards-compatibility safety net is designed to
 prevent an unexpected change in mail sending behavior when Postfix is updated
 from an older version.
 There is no equivalent change for Postfix server TLS security levels, because
 changing the level alone is not sufficient. Server-side TLS requires that at
 least one private key and one public-key certificate chain are configured.
 As long as a TLS security level parameter is left unspecified at its implicit
 default value, and the compatibility_level setting is less than 3.11, Postfix
 will log one of the following reminders that it is using the backwards-
 compatible default:
    postfix/smtp[...] using backwards-compatible default setting
        smtp_tls_security_level=(empty)
    postfix/tlsproxy[...] using backwards-compatible default setting
        tlsproxy_client_security_level=(empty)
 To keep the old default setting, the system administrator should make the
 backwards-compatible empty setting permanent in main.cf:
    # ppoossttccoonnff xxxxxx__sseeccuurriittyy__lleevveell==
    # ppoossttffiixx rreellooaadd
 where xxx is taken from the above compatibility message.
 TTuurrnniinngg ooffff tthhee bbaacckkwwaarrddss--ccoommppaattiibbiilliittyy ssaaffeettyy nneett
 Backwards compatibility is turned off by updating the compatibility_level
--- a/postfix/README_FILES/DATABASE_README
+++ b/postfix/README_FILES/DATABASE_README
@ -200,15 +200,6 @@ To find out what database types your Postfix system supports, use the "ppooss
        databases are maintained by Postfix daemons. The lookup table name as
        used in "dbm:table" is the database file name without the ".dir" or
        ".pag" suffix.
    ddeebbuugg
        An adapter for another table that causes all accesses to be logged.
        Example usage: "debug:hash:/etc/postfix/example". The formats of the
        log messages are unspecified and subject to change. Warning: If a query
        or the underlying table contains sensitive information (such as a
        password), that information might be logged.
        This feature is available with Postfix 3.11 and later.
    eennvviirroonn
        The UNIX process environment array. The lookup key is the variable
        name. The lookup table name in "environ:table" is ignored.
--- a/postfix/README_FILES/DEPRECATION_README
+++ b/postfix/README_FILES/DEPRECATION_README
@ -58,8 +58,6 @@ the "obsolete feature" name for a more detailed description.
    |                           |ooff     |iinn vveerrssiioonn|                         |
    |                           |vveerrssiioonn|          |                         |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |xxx_tls_enforce_peername   |  3.11 |      -   |xxx_tls_security_level   |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |disable_dns_lookups        |   3.9 |      -   |smtp_dns_support_level   |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |xxx_use_tls                |   3.9 |      -   |xxx_tls_security_level   |
@ -85,33 +83,6 @@ the "obsolete feature" name for a more detailed description.
    |                           |       |          |permit_sasl_authenticated|
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 OObbssoolleettee TTLLSS ppeeeerr nnaammee mmaattcchh ccoonnffiigguurraattiioonn
 The postconf(1) command logs one of the following:
  * support for parameter "lmtp_tls_enforce_peername" will be removed; instead,
    specify "lmtp_tls_security_level"
  * support for parameter "smtp_tls_enforce_peername" will be removed; instead,
    specify "smtp_tls_security_level"
 There are similarly-named parameters and warnings for postscreen(8) and
 tlsproxy(8), but those parameters should rarely be specified by hand.
 Replace obsolete configuration with its replacement:
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
    |GGooaall                   |OObbssoolleettee ccoonnffiigguurraattiioonn|RReeppllaacceemmeenntt ccoonnffiigguurraattiioonn|
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |                       |                      |xxx_security_level =     |
    |Enforce peer name match|xxx_enforce_peername =|verify                   |
    |with server certificate|yes                   |xxx_security_level =     |
    |                       |                      |secure                   |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |Disable peer name match|xxx_enforce_peername =|xxx_security_level = may |
    |with server certificate|no                    |xxx_security_level =     |
    |                       |                      |encrypt                  |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 OObbssoolleettee DDNNSS oonn//ooffff ccoonnffiigguurraattiioonn
 The postconf(1) command logs the following:
--- a/postfix/README_FILES/MULTI_INSTANCE_README
+++ b/postfix/README_FILES/MULTI_INSTANCE_README
@ -16,7 +16,7 @@ Topics covered in this document:
  * Null-client instances versus service instances
  * Multi-instance walk-through
  * Components of a Postfix system
-  * The primary Postfix instance
+  * The default Postfix instance
  * Instance groups
  * Multi-instance configuration parameters
  * Using the postmulti(1) command
@ -64,7 +64,7 @@ that multiple instances will be easier to use than ever before.
 NNuullll--cclliieenntt iinnssttaanncceess vveerrssuuss sseerrvviiccee iinnssttaanncceess
 In the multi-instance approach to configuring Postfix, the first simplification
-is with the primary local-submission Postfix instance.
+is with the default local-submission Postfix instance.
 Most UNIX systems require support for email submission with the sendmail(1)
 command so that system processes such as cron jobs can send status reports, and
@ -103,7 +103,7 @@ scrutiny, locally submitted messages are typically limited to mail from cron
 jobs and other system services. In this regard the border MTA is not different
 from other Unix hosts in your environment. For this reason, it will submit
 locally-generated email to the internal mail hub. We start the construction of
-the border mail server with the primary instance, which will be a local-
+the border mail server with the default instance, which will be a local-
 submission null client:
    /etc/postfix/main.cf:
@ -213,7 +213,7 @@ before the input instance can be fully tested, and when the system boots, the
 and input instances into a single instance group named "mta".
 Just once, when adding the first secondary instance, enable multi-instance
-support in the primary (null-client) instance:
+support in the default (null-client) instance:
    # postmulti -e init
@ -223,7 +223,7 @@ Then create the output instance:
 The instance configuration directory defaults to /etc/postfix-out, more
 precisely, the "postfix-out" subdirectory of the parent directory of the
-primary-instance configuration directory. The new instance will be created in a
+default-instance configuration directory. The new instance will be created in a
 "disabled" state:
    /etc/postfix-out/main.cf
@ -240,7 +240,7 @@ primary-instance configuration directory. The new instance will be created in a
 This instance has a "stock" master.cf file, and its queue and data directories,
 also named "postfix-out", will be located in the same parent directories as the
-corresponding directories of the primary instance (e.g., /var/spool/postfix-out
+corresponding directories of the default instance (e.g., /var/spool/postfix-out
 and /var/lib/postfix-out).
 While this instance is immediately safe to start, it is not yet usefully
@ -367,7 +367,7 @@ instance group:
 The new instance configuration directory defaults to /etc/postfix-in, more
 precisely, the "postfix-in" subdirectory of the parent directory of the
-primary-instance configuration directory. The new instance will be created in a
+default-instance configuration directory. The new instance will be created in a
 "disabled" state:
    /etc/postfix-in/main.cf
@ -520,7 +520,7 @@ set in main.cf is $config_directory, as this defines the location of the
 main.cf file itself.
 Though config_directory cannot be set in main.cf, postfix(1) and most of the
-other command-line Postfix utilities allow you to specify a secondary
+other command-line Postfix utilities allow you to specify a non-default
 configuration directory via a command line option (typically --cc) or via the
 MAIL_CONFIG environment variable. In this way, it is possible to have multiple
 configuration directories on the same machine, and to have multiple running
@ -535,27 +535,27 @@ Each combination of configuration directory, together with the queue directory
 and data directory (specified in the corresponding main.cf file) make up a
 Postfix iinnssttaannccee.
-TThhee pprriimmaarryy PPoossttffiixx iinnssttaannccee
+TThhee ddeeffaauulltt PPoossttffiixx iinnssttaannccee
 One Postfix instance is special: this is the instance whose configuration
 directory is the default one compiled into the Postfix utilities. The location
 of the default configuration directory is typically /etc/postfix, and can be
 queried via the "postconf -d config_directory" command. We call the instance
-with this configuration directory the "primary instance".
+with this configuration directory the "default instance".
-The primary instance is responsible for local mail submission. The setgid
+The default instance is responsible for local mail submission. The setgid
 postdrop(1) utility is used by the sendmail(1) local submission program to
 spool messages into the mmaaiillddrroopp sub-directory of the queue directory of the
-primary instance.
+default instance.
 Even in the rare case when "sendmail -C" is used to submit local mail into a
-secondary Postfix instance, for security reasons, postdrop(1) will consult the
+non-default Postfix instance, for security reasons, postdrop(1) will consult
-primary main.cf file to check the validity of the requested non-default
+the default main.cf file to check the validity of the requested non-default
 configuration directory.
-So, while in most other respects, all instances are equal, the primary instance
+So, while in most other respects, all instances are equal, the default instance
-is "more equal than others". You may choose to create secondary instances, but
+is "more equal than others". You may choose to create additional instances, but
-you must have at least the primary instance, with its configuration directory
+you must have at least the default instance, with its configuration directory
 in the default compiled-in location.
 IInnssttaannccee ggrroouuppss
@ -575,9 +575,9 @@ the related instances should be members of a single instance group (however,
 the content filter usually has its own start/stop procedure that is separate
 from any Postfix instance).
-The primary instance main.cf file's $multi_instance_directories configuration
+The default instance main.cf file's $multi_instance_directories configuration
 parameter lists the configuration directories of all secondary (non-default)
-instances. Together with the primary instance, these secondary instances are
+instances. Together with the default instance, these secondary instances are
 managed by the multi-instance manager. Instances are started in the order
 listed, and stopped in the opposite order. For instances that are members of a
 service "group", you should arrange to start the service back-to-front, with
@ -587,16 +587,16 @@ started.
 MMuullttii--iinnssttaannccee ccoonnffiigguurraattiioonn ppaarraammeetteerrss
 multi_instance_wrapper
-    This primary-instance configuration parameter must be set to a suitable
+    This default-instance configuration parameter must be set to a suitable
    multi-instance manager's "wrapper" program that controls the starting,
    stopping, etc. of a multi-instance Postfix system. To use the postmulti(1)
    manager described in this document, this parameter should be set with the
    "postmulti -e init" command.
 multi_instance_directories
-    This primary-instance configuration parameter specifies an optional list of
+    This default-instance configuration parameter specifies an optional list of
    the secondary instances controlled via the multi-instance manager.
-    Instances are listed in their "start" order, with the primary instance
+    Instances are listed in their "start" order, with the default instance
    always started first (if enabled). If $multi_instance_directories is left
    empty, the postfix(1) command runs with multi-instance support turned off,
    and none of the multi_instance_ configuration parameters will have any
@ -672,37 +672,37 @@ IInniittiiaalliizziinngg tthhee mmuullttii--iinnssttaa
 Before postmulti(1) is used for the first time, you must install it as the
 multi_instance_wrapper for your Postfix system and enable multi-instance
-operation of the primary Postfix instance. You can then proceed to add new or
+operation of the default Postfix instance. You can then proceed to add new or
 existing instances to the multi-instance configuration. This initial
 installation is accomplished as follows:
        # postmulti -e init
-This updates the primary instance main.cf file as follows:
+This updates the default instance main.cf file as follows:
        # Use postmulti(1) as a postfix-wrapper(5)
        #
        multi_instance_wrapper = ${command_directory}/postmulti -p --
-        # Configure the primary instance to start when in multi-instance mode
+        # Configure the default instance to start when in multi-instance mode
        #
        multi_instance_enable = yes
-If you prefer, you can make these changes by editing the primary main.cf
+If you prefer, you can make these changes by editing the default main.cf
 directly, or by using "postconf -e".
 LLiissttiinngg mmaannaaggeedd iinnssttaanncceess
-The list of managed instances consists of the primary instance and the
+The list of managed instances consists of the default instance and the
-secondary instances whose configuration directories are listed (in start order)
+additional instances whose configuration directories are listed (in start
-under the multi_instance_directories parameter of the primary main.cf
+order) under the multi_instance_directories parameter of the default main.cf
 configuration file.
 You can list selected instances, groups of instances or all instances by
 specifying only the instance matching options with the "-l" option. The "-a"
 option is assumed if no other instance selection options are specified (this
 behavior changes with the "-e" option). As a special case, even if it has an
-explicit name, the primary instance can always be selected via "-i -".
+explicit name, the default instance can always be selected via "-i -".
    # postmulti -l -a
    # postmulti -l -g a_group
@ -732,8 +732,8 @@ either the instance name or the instance group is not set, it is shown as a "-
 When selecting an existing instance via the "-i" option, you can always use the
 full pathname of its configuration directory instead of the instance (short)
-name. This is the only way to select a secondary nameless instance. The primary
+name. This is the only way to select a non-default nameless instance. The
-instance can be selected via "-i -", whether it has a name or not.
+default instance can be selected via "-i -", whether it has a name or not.
 To list instances in reverse start order, include the "-R" option together with
 the instance selection options.
@ -826,9 +826,9 @@ possibilities:
 CCrreeaattiinngg aa nneeww PPoossttffiixx iinnssttaannccee
-The postmulti(1) command can be used to create secondary Postfix instances. New
+The postmulti(1) command can be used to create additional Postfix instances.
-instances are created with local submission and all "inet" services disabled
+New instances are created with local submission and all "inet" services
-via the following non-default parameter settings in the main.cf file:
+disabled via the following non-default parameter settings in the main.cf file:
    authorized_submit_users =
    master_service_disable = inet
@ -839,8 +839,8 @@ will also not accept any mail until they are fully configured, at which point
 you can do away with one or both of the above safety measures.
 The postmulti(1) command encourages a preferred way of organizing the
-configuration directories, queue directories and data directories of secondary
+configuration directories, queue directories and data directories of non-
-instances. If the primary instance settings are:
+default instances. If the default instance settings are:
    config_directory = /conf-path/postfix
    queue_directory = /queue-path/postfix
@ -885,7 +885,7 @@ existing instances. By default, the configuration directories of newly managed
 instances are appended to the instance list. You can use the "-i" or "-g" or "-
 a" options to insert the new instance before the specified instance or group,
 or at the beginning of the instance list (multi_instance_directories parameter
-of the primary instance).
+of the default instance).
 If you do specify a name (use "-I" with a name that is not "-") for the new
 instance, you may omit any of the 3 instance installation parameters whose
--- a/postfix/README_FILES/SMTPUTF8_README
+++ b/postfix/README_FILES/SMTPUTF8_README
@ -278,8 +278,8 @@ current versions of the Firefox and Chrome web browsers. Specify
 "enable_idna2003_compatibility = yes" to get the historical behavior.
 This affects the conversion of domain names that contain for example the German
-sz (ß) and the Greek (final) sigma (ς). See https://unicode.org/cldr/utility/
+sz (ß) and the Greek zeta (ς). See https://unicode.org/cldr/utility/idna.jsp
-idna.jsp for more examples.
+for more examples.
 CCrreeddiittss
--- a/postfix/README_FILES/TLSRPT_README
+++ b/postfix/README_FILES/TLSRPT_README
@ -7,7 +7,6 @@ TTaabbllee ooff CCoonntteennttss
  * Introduction
  * Building Postfix with TLSRPT support
  * Turning on TLSRPT
  * Connection reuse versus session resumption
  * TLSRPT Status logging
  * Delivering TLSRPT summaries via email
  * MTA-STS Support via smtp_tls_policy_maps
@ -28,7 +27,7 @@ A policy for domain example.com could look like this:
 Instead of mailto:, a policy may specify an https: destination.
-The diagram below shows how successful or failed Postfix TLS handshake events
+The diagram below shows how Postfix TLS handshake success and failure events
 are collected and processed into daily summary reports.
     Postfix SMTP and      TLSRPT client     TLSRPT collector,    Email or HTTP
@ -50,8 +49,8 @@ TLSRPT information, are implemented and maintained by sys4 at https://
 github.com/sys4/libtlsrpt and https://github.com/sys4/tlsrpt-reporter,
 respectively.
-The Postfix implementation supports TLSRPT for domains with DANE (Postfix
+The Postfix implementation supports TLSRPT or domains with DANE (Postfix built-
-built-in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
+in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
 The Postfix smtp(8) client process implements the SMTP client engine. With
 "smtp_tls_connection_reuse = no", the smtp(8) client process also implements
@ -125,36 +124,6 @@ Notes:
 For details on how to run the TLSRPT collection and reporting infrastructure,
 see the documentation at https://github.com/sys4/tlsrpt-reporter.
 CCoonnnneeccttiioonn rreeuussee vveerrssuuss sseessssiioonn rreessuummppttiioonn
 The Postfix SMTP client implements two kinds of reuse:
  * SSMMTTPP CCoonnnneeccttiioonn rreeuussee:: a Postfix SMTP client creates a new SMTP connection,
    sends one email message, and saves the connection instead of closing it.
    Later, some SMTP client reuses that connection, sends an email message, and
    saves or closes the connection depending on whether it has reached some
    reuse limit. Each connection can be used by only one Postfix SMTP client at
    a time.
  * TTLLSS SSeessssiioonn rreessuummppttiioonn:: a Postfix SMTP client saves the result from a "new"
    TLS handshake. Later, one or more SMTP clients create a new SMTP connection
    and resume the saved TLS session on their new connection.
 Of course there is a third case:
  * CCoommbbiinneedd rreeuussee aanndd rreessuummppttiioonn:: a Postfix SMTP client creates a new SMTP
    connection, sends one email message, saves the result from a "new" TLS
    handshake, and also saves the connection instead of closing it. Later, one
    SMTP client reuses (and saves) that connection, one client at a time, and
    one or more clients create a new SMTP connection and resume the saved TLS
    session on their new connection.
 In all cases, there is no TLS handshake when a saved SMTP connection is reused,
 and there is no "new" TLS handshake when a saved TLS session is resumed.
 As described next, Postfix will by default log and generate only a TLSRPT event
 for a "new" TLS handshake.
 TTLLSSRRPPTT SSttaattuuss llooggggiinngg
 With TLSRPT support turned on, the Postfix TLSRPT client will not only report
@ -188,11 +157,11 @@ Notes:
    Untrusted TTLLSS ccoonnnneeccttiioonn rreeuusseedd to mail.example.com[ipaddr]:25:
        TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
-  * With TLSRPT enabled, the Postfix SMTP client reports the TLSRPT status for
+  * By default, Postfix does not report the TLSRPT status for a TLS handshake
-    all TLS handshakes (the default as of Postfix 3.11). Specify
+    that reuses a previously-negotiated TLS session (there would be no new
-    "smtp_tlsrpt_skip_reused_handshakes = yes" (the default with Postfix 3.10)
+    information to report). Specify "smtp_tlsrpt_skip_reused_handshakes = no"
-    to skip reporting TLS handshakes that reuse a previously-negotiated TLS
+    to report the TLSRPT status for all TLS handshakes. This may be useful for
-    session as there would be no new information to report.
+    troubleshooting.
  * Postfix logging for certificate verification failures may differ between
    new or reused TLS sessions.
@ -256,7 +225,7 @@ Options:
 MMTTAA--SSTTSS SSuuppppoorrtt vviiaa ssmmttpp__ttllss__ppoolliiccyy__mmaappss
-Postfix supports MTA-STS through an smtp_tls_policy_maps policy plugin, which
+Postfix supports MTA-STS though an smtp_tls_policy_maps policy plugin, which
 replies with a TLS security level and name=value attributes with certificate
 matching requirements. Postfix 3.10 and later extend the policy plugin response
 with additional name=value attributes that are needed for TLSRPT.
--- a/postfix/README_FILES/XCLIENT_README
+++ b/postfix/README_FILES/XCLIENT_README
@ -100,8 +100,8 @@ Note 3: Postfix implementations prior to version 2.3 do not xtext encode
 attribute values. Servers that wish to interoperate with these older
 implementations should be prepared to receive unencoded information.
-Note 4: The PORT attribute is implemented in Postfix 2.5 and later; the LOGIN
+Note 4: Some Postfix implementations do not implement the PORT or LOGIN
-attribute in Postfix 2.9 and later.
+attributes.
 XXCCLLIIEENNTT SSeerrvveerr rreessppoonnssee
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -1,4 +1,4 @@
-This is the Postfix 3.11 experimental release.
+This is the Postfix 3.10 stable release.
 The stable Postfix release is called postfix-3.10.x where 3=major
 release number, 10=minor release number, x=patchlevel. The stable
@ -13,7 +13,7 @@ instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
-If you upgrade from Postfix 3.9 or earlier, please read RELEASE_NOTES-3.10
+If you upgrade from Postfix 3.8 or earlier, please read RELEASE_NOTES-3.9
 before proceeding.
 Dual license
@ -25,3 +25,176 @@ now also distributed with the more recent Eclipse Public License
 (EPL) 2.0. Recipients can choose to take the software under the
 license of their choice. Those who are more comfortable with the
 IPL can continue with that license.
 Major changes - tls
 -------------------
 [Forward compatibility 20250212] Support for OpenSSL 3.5 post-quantum
 cryptography. To manage algorithm selection, OpenSSL introduces new
 TLS group syntax that Postfix will not attempt to imitate. Instead,
 Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
 parameter values to have an empty value. When both are set empty,
 the algorithm selection can be managed through OpenSSL configuration.
 For more, look for "Post-quantum" in the postconf(5) manpage.
 [Feature 20250117] Support for the RFC 8689 "TLS-Required: no"
 message header to request delivery of messages such as TLSRPT
 summaries even if the preferred TLS security policy cannot be
 enforced. This limits the Postfix SMTP client to "smtp_tls_security_level
 = may" which does not authenticate server certificates and which
 allows falling back to plaintext.
 Support for the REQUIRETLS SMTP service extension remains future work.
 [Feature 20240926] Support for the TLSRPT protocol (defined in RFC
 8460). With this, a domain can publish a policy in DNS, and request
 daily summary reports for successful and failed SMTP-over-TLS
 connections to that domain's MX hosts.
 Postfix supports TLSRPT summaries for DANE (built-in) and MTA-STS
 (via an smtp_tls_policy_maps plugin). For details, see TLSRPT_README.
 Major changes - privacy
 -----------------------
 [Feature 20250205] With "smtpd_hide_client_session = yes", the
 Postfix SMTP server generates a Received: header without client
 session info This setting may be used with the MUA submission
 services (port 465 and 587), but it must not be used with the MTA
 service (port 25).
 Depending on the number of recipients, a redacted Received: header
 has one of the following forms:
 Received: by mail.example.com (Postfix) id postfix-queue-id
        for <user@example.com>; Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
 Received: by mail.example.com (Postfix) id postfix-queue-id
        Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
 The redacted form hides that a message was received with SMTP, and
 therefore it does not need to provide the information required by
 RFC 5321. It only has to satisfy RFC 5322.
 Major changes - rfc2047
 -----------------------
 [Feature 20250105] Support for automatic RFC 2047 encoding of
 non-ASCII "full name" information in Postfix-generated From: message
 headers.  Encoding non-ASCII full names can avoid the need to use
 SMTPUTF8, and therefore can avoid incompatibility with sites that
 do not support SMTPUTF8.
 The encoded result looks like "=?charset?Q?gibberish?=: for
 quoted-printable encoding, or "=?charset?B?gibberish?=" for base64
 encoding. Postfix uses quoted-printable for a full name that is
 short or mostly ASCII, and uses base64 otherwise.
 Background: when a message without a From: header is submitted with
 the Postfix sendmail(1) command, Postfix may add a From: header and
 use the sender's full name specified with the Postfix sendmail(1)
 "-F" option, with the sendmail(1) "NAME" environment variable, or
 with the GECOS field in the UNIX password database.
 This introduces a new configuration parameter "full_name_encoding_charset"
 (default: utf8) which specifies the character set of the full name
 information in the Postfix sendmail(1) "-F" option or "NAME"
 environment variable, or in the GECOS field in the UNIX password
 database. The parameter value becomes part of the encoded full name,
 and informs a Mail User Agent how to display the decoded gibberish.
 Major changes - bugfix
 ----------------------
 [Incompat 20241130] The spawn(8) daemon failed to enforce the command
 time limit. It was sending the SIGKILL signal using the wrong
 effective UID and GID. The pipe(8) daemon has always done this
 right.
 Major changes - database
 ------------------------
 [Feature 20250207] When mysql: or pgsql: configuration specifies
 a single host, assume that it is a load balancer and reconnect
 immediately after a single failure, instead of failing all requests
 for 60s.
 [Feature 20250114] first/next iterator support for cdb: tables, and
 other cdb: table code cleanups by Michael Tokarev.
 [Feature 20241024] In a pgsql: client configuration, the setting
 "dbname" is required, but ignored when the setting "hosts" contains
 an URI with a database name.
 [Feature 20241025] The Postfix pgsql: client configuration now
 allows any well-formed URI prefix as a pgsql: client connection
 target (the PostgreSQL URI parser decides what is allowed). The
 dbname setting is now optional if the hosts setting specifies only
 URIs.
 Major changes - internal protocol
 ---------------------------------
 [Incompat 20250116] Postfix needs "postfix reload" after upgrade,
 because of a change in the delivery agent protocol. If this step
 is skipped, Postfix delivery agents will log a warning:
    unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
 where xxx is the delivery agent service name.
 Major changes - milter
 ----------------------
 [Incompat 20250106] The logging of the Milter 'quarantine' action
 has changed.  Instead of logging "milter triggers HOLD action", it
 logs the reason given by a Milter application, or "default_action"
 if a Milter application was unavailable and the milter_default_action
 parameter or per-Milter "default_action" property specifies
 "quarantine".
 [Feature 20250106] The Postfix Milter implementation now logs the
 reason for a 'quarantine' action, instead of "milter triggers HOLD
 action".
 - If the quarantine action was requested by a Milter application,
  Postfix will log the reason given by the application.
 - If the quarantine action was requested with the "milter_default_action"
  parameter setting or with a per-Milter "default_action" property,
  Postfix will log "default_action".
 Major changes - logging
 -----------------------
 [Feature 20250106] The Postfix Milter implementation now logs the
 reason for a 'quarantine' action, instead of "milter triggers HOLD
 action".
 - If the quarantine action was requested by a Milter application,
  Postfix will log the reason given by the application.
 - If the quarantine action was requested with the "milter_default_action"
  parameter setting or with a per-Milter "default_action" property,
  Postfix will log "default_action".
 [Incompat 20250105] The SMTP server now logs the queue ID (or
 "NOQUEUE") when a connection ends abnormally (timeout, lost connection,
 or too many errors).
 [Feature 20250105] The SMTP server now logs the queue ID (or
 "NOQUEUE") when a connection ends abnormally (timeout, lost connection,
 or too many errors).
 [Incompat 20241104] The cleanup server now logs "queueid: canceled"
 when a message transaction is started but not completed.
 [Feature 20241104] The cleanup server now logs "queueid: canceled"
 when a message transaction is started but not completed. This
 provides a clear signal to logfile collation tools.
 [Incompat 20241031] the Dovecot SASL client logging for "Invalid
 authentication mechanism" now includes the name of that mechanism.
 [Incompat 20241023] Postfix SMTP server 'reject' logging now shows
 the sasl_method, sasl_username, and sasl_sender if available.
--- a/postfix/RELEASE_NOTES-3.10
+++ b/postfix/RELEASE_NOTES-3.10
@ -1,200 +0,0 @@
 This is the Postfix 3.10 stable release.
 The stable Postfix release is called postfix-3.10.x where 3=major
 release number, 10=minor release number, x=patchlevel. The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
 postfix-3.11-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day). Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 3.8 or earlier, please read RELEASE_NOTES-3.9
 before proceeding.
 Dual license
 ------------
 As of Postfix 3.2.5 this software is distributed with a dual license:
 in addition to the historical IBM Public License (IPL) 1.0, it is
 now also distributed with the more recent Eclipse Public License
 (EPL) 2.0. Recipients can choose to take the software under the
 license of their choice. Those who are more comfortable with the
 IPL can continue with that license.
 Major changes - tls
 -------------------
 [Forward compatibility 20250212] Support for OpenSSL 3.5 post-quantum
 cryptography. To manage algorithm selection, OpenSSL introduces new
 TLS group syntax that Postfix will not attempt to imitate. Instead,
 Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
 parameter values to have an empty value. When both are set empty,
 the algorithm selection can be managed through OpenSSL configuration.
 For more, look for "Post-quantum" in the postconf(5) manpage.
 [Feature 20250117] Support for the RFC 8689 "TLS-Required: no"
 message header to request delivery of messages such as TLSRPT
 summaries even if the preferred TLS security policy cannot be
 enforced. This limits the Postfix SMTP client to "smtp_tls_security_level
 = may" which does not authenticate server certificates and which
 allows falling back to plaintext.
 Support for the REQUIRETLS SMTP service extension remains future work.
 [Feature 20240926] Support for the TLSRPT protocol (defined in RFC
 8460). With this, a domain can publish a policy in DNS, and request
 daily summary reports for successful and failed SMTP-over-TLS
 connections to that domain's MX hosts.
 Postfix supports TLSRPT summaries for DANE (built-in) and MTA-STS
 (via an smtp_tls_policy_maps plugin). For details, see TLSRPT_README.
 Major changes - privacy
 -----------------------
 [Feature 20250205] With "smtpd_hide_client_session = yes", the
 Postfix SMTP server generates a Received: header without client
 session info This setting may be used with the MUA submission
 services (port 465 and 587), but it must not be used with the MTA
 service (port 25).
 Depending on the number of recipients, a redacted Received: header
 has one of the following forms:
 Received: by mail.example.com (Postfix) id postfix-queue-id
        for <user@example.com>; Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
 Received: by mail.example.com (Postfix) id postfix-queue-id
        Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
 The redacted form hides that a message was received with SMTP, and
 therefore it does not need to provide the information required by
 RFC 5321. It only has to satisfy RFC 5322.
 Major changes - rfc2047
 -----------------------
 [Feature 20250105] Support for automatic RFC 2047 encoding of
 non-ASCII "full name" information in Postfix-generated From: message
 headers.  Encoding non-ASCII full names can avoid the need to use
 SMTPUTF8, and therefore can avoid incompatibility with sites that
 do not support SMTPUTF8.
 The encoded result looks like "=?charset?Q?gibberish?=: for
 quoted-printable encoding, or "=?charset?B?gibberish?=" for base64
 encoding. Postfix uses quoted-printable for a full name that is
 short or mostly ASCII, and uses base64 otherwise.
 Background: when a message without a From: header is submitted with
 the Postfix sendmail(1) command, Postfix may add a From: header and
 use the sender's full name specified with the Postfix sendmail(1)
 "-F" option, with the sendmail(1) "NAME" environment variable, or
 with the GECOS field in the UNIX password database.
 This introduces a new configuration parameter "full_name_encoding_charset"
 (default: utf8) which specifies the character set of the full name
 information in the Postfix sendmail(1) "-F" option or "NAME"
 environment variable, or in the GECOS field in the UNIX password
 database. The parameter value becomes part of the encoded full name,
 and informs a Mail User Agent how to display the decoded gibberish.
 Major changes - bugfix
 ----------------------
 [Incompat 20241130] The spawn(8) daemon failed to enforce the command
 time limit. It was sending the SIGKILL signal using the wrong
 effective UID and GID. The pipe(8) daemon has always done this
 right.
 Major changes - database
 ------------------------
 [Feature 20250207] When mysql: or pgsql: configuration specifies
 a single host, assume that it is a load balancer and reconnect
 immediately after a single failure, instead of failing all requests
 for 60s.
 [Feature 20250114] first/next iterator support for cdb: tables, and
 other cdb: table code cleanups by Michael Tokarev.
 [Feature 20241024] In a pgsql: client configuration, the setting
 "dbname" is required, but ignored when the setting "hosts" contains
 an URI with a database name.
 [Feature 20241025] The Postfix pgsql: client configuration now
 allows any well-formed URI prefix as a pgsql: client connection
 target (the PostgreSQL URI parser decides what is allowed). The
 dbname setting is now optional if the hosts setting specifies only
 URIs.
 Major changes - internal protocol
 ---------------------------------
 [Incompat 20250116] Postfix needs "postfix reload" after upgrade,
 because of a change in the delivery agent protocol. If this step
 is skipped, Postfix delivery agents will log a warning:
    unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
 where xxx is the delivery agent service name.
 Major changes - milter
 ----------------------
 [Incompat 20250106] The logging of the Milter 'quarantine' action
 has changed.  Instead of logging "milter triggers HOLD action", it
 logs the reason given by a Milter application, or "default_action"
 if a Milter application was unavailable and the milter_default_action
 parameter or per-Milter "default_action" property specifies
 "quarantine".
 [Feature 20250106] The Postfix Milter implementation now logs the
 reason for a 'quarantine' action, instead of "milter triggers HOLD
 action".
 - If the quarantine action was requested by a Milter application,
  Postfix will log the reason given by the application.
 - If the quarantine action was requested with the "milter_default_action"
  parameter setting or with a per-Milter "default_action" property,
  Postfix will log "default_action".
 Major changes - logging
 -----------------------
 [Feature 20250106] The Postfix Milter implementation now logs the
 reason for a 'quarantine' action, instead of "milter triggers HOLD
 action".
 - If the quarantine action was requested by a Milter application,
  Postfix will log the reason given by the application.
 - If the quarantine action was requested with the "milter_default_action"
  parameter setting or with a per-Milter "default_action" property,
  Postfix will log "default_action".
 [Incompat 20250105] The SMTP server now logs the queue ID (or
 "NOQUEUE") when a connection ends abnormally (timeout, lost connection,
 or too many errors).
 [Feature 20250105] The SMTP server now logs the queue ID (or
 "NOQUEUE") when a connection ends abnormally (timeout, lost connection,
 or too many errors).
 [Incompat 20241104] The cleanup server now logs "queueid: canceled"
 when a message transaction is started but not completed.
 [Feature 20241104] The cleanup server now logs "queueid: canceled"
 when a message transaction is started but not completed. This
 provides a clear signal to logfile collation tools.
 [Incompat 20241031] the Dovecot SASL client logging for "Invalid
 authentication mechanism" now includes the name of that mechanism.
 [Incompat 20241023] Postfix SMTP server 'reject' logging now shows
 the sasl_method, sasl_username, and sasl_sender if available.
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@ -31,7 +31,7 @@
 #
 # The level below is what should be used with new (not upgrade) installs.
 #
-compatibility_level = 3.11
+compatibility_level = 3.10
 # SOFT BOUNCE
 #
--- a/postfix/conf/postfix-tls-script
+++ b/postfix/conf/postfix-tls-script
@ -177,7 +177,7 @@
 #	The location of the OpenSSL command line program \fBopenssl\fR(1).
 # .IP "\fBsmtp_tls_loglevel (0)\fR"
 #	Enable additional Postfix SMTP client logging of TLS activity.
-# .IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
+# .IP "\fBsmtp_tls_security_level (empty)\fR"
 #	The default SMTP TLS security level for the Postfix SMTP client.
 # .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
 #	Name of the file containing the optional Postfix SMTP client
--- a/postfix/conf/relocated
+++ b/postfix/conf/relocated
@ -38,10 +38,9 @@
 #        lookup fields can match both upper and lower case.
 # 
 # TABLE FORMAT
-#        o      By default, Postfix will prepend a hard-coded  pre-
+#        The input format for the postmap(1) command is as follows:
-#               fix  "5.1.6  User  has moved to " to a table lookup
+# 
-#               result, and the format for a table entry is as fol-
+#        o      An entry has one of the following form:
 #               lows:
 # 
 #                    pattern      new_location
 # 
@ -49,15 +48,6 @@
 #               such as an  email  address,  or  perhaps  a  street
 #               address or telephone number.
 # 
 #        o      Postfix  3.11  and later can optionally disable the
 #               hard-coded prefix. Specify "relocated_prefix_enable
 #               =   no"  in  main.cf,  and  specify  relocated_maps
 #               entries with your own RFC  3463-compliant  enhanced
 #               status code and text, for example:
 # 
 #                    pattern      5.2.0 Mailbox is unavailable
 #                    pattern      5.2.1 Mailbox is disabled
 # 
 #        o      Empty  lines and whitespace-only lines are ignored,
 #               as are lines whose first  non-whitespace  character
 #               is a `#'.
@ -138,31 +128,25 @@
 #               Optional lookup tables with new contact information
 #               for users or domains that no longer exist.
 # 
 #        Available with Postfix version 3.11 and later:
 # 
 #        relocated_prefix_enable (yes)
 #               Prepend  the  prefix  "5.1.6 User has moved to " to
 #               all relocated_maps lookup results.
 # 
 #        Other parameters of interest:
 # 
 #        inet_interfaces (all)
-#               The local network  interface  addresses  that  this
+#               The  local  network  interface  addresses that this
 #               mail system receives mail on.
 # 
 #        mydestination  ($myhostname,  localhost.$mydomain,  local-
 #        host)
-#               The  list  of  domains  that  are delivered via the
+#               The list of domains  that  are  delivered  via  the
 #               $local_transport mail delivery transport.
 # 
 #        myorigin ($myhostname)
 #               The domain name that locally-posted mail appears to
-#               come  from,  and that locally posted mail is deliv-
+#               come from, and that locally posted mail  is  deliv-
 #               ered to.
 # 
 #        proxy_interfaces (empty)
-#               The remote network interface  addresses  that  this
+#               The  remote  network  interface addresses that this
-#               mail  system  receives mail on by way of a proxy or
+#               mail system receives mail on by way of a  proxy  or
 #               network address translation unit.
 # 
 # SEE ALSO
@ -171,13 +155,13 @@
 #        postconf(5), configuration parameters
 # 
 # README FILES
-#        Use "postconf readme_directory" or  "postconf  html_direc-
+#        Use  "postconf  readme_directory" or "postconf html_direc-
 #        tory" to locate this information.
 #        DATABASE_README, Postfix lookup table overview
 #        ADDRESS_REWRITING_README, address rewriting guide
 # 
 # LICENSE
-#        The  Secure  Mailer  license must be distributed with this
+#        The Secure Mailer license must be  distributed  with  this
 #        software.
 # 
 # AUTHOR(S)
--- a/postfix/html/COMPATIBILITY_README.html
+++ b/postfix/html/COMPATIBILITY_README.html
@ -102,20 +102,6 @@ default setting respectful_logging=no</a> </p>
 </ul>
 <p> Logged with <a href="postconf.5.html#compatibility_level">compatibility_level</a> &lt; 3.11: </p>
 <ul>
 <li> <p> <a href="#tlsrpt_reused"> using backwards-compatible default
 setting smtp_tlsrpt_skip_reused_handshakes=yes</a> </p>
 <li> <p> <a href="#xxx_tls_level"> using backwards-compatible default
 setting <i>xxx</i>_security_level=(empty)</a> </p>
 </ul>
 <p>
 <p> If such a message is logged in the context of a legitimate
 request, the system administrator should make the backwards-compatible
 setting permanent in <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a>, as detailed in the
@ -134,8 +120,7 @@ to "no". This could result in unexpected non-delivery of email after
 Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
-<p> As long as the <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> parameter is left unspecified
+<p> As long as the <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> parameter is left at
 at
 its implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is
 less than 1, Postfix may log one of the following messages:</p>
@ -193,7 +178,7 @@ after updating Postfix from an older version. The backwards-compatibility
 safety net is designed allow the administrator to choose if they
 want to keep the old behavior. </p>
-<p> As long as a <a href="master.5.html">master.cf</a> chroot field is left unspecified at its
+<p> As long as a <a href="master.5.html">master.cf</a> chroot field is left at its
 implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting
 is less than 1, Postfix may log the following message while it
 reads the <a href="master.5.html">master.cf</a> file: </p>
@ -233,8 +218,7 @@ from an older Postfix version. The backwards-compatibility safety
 net is designed to prevent such surprises. </p>
 <p> When the <a href="postconf.5.html#compatibility_level">compatibility_level</a> less than 1, and the
-<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> parameter is left unspecified at its
+<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> parameter is left at its implicit default
 implicit default
 setting, Postfix may log the following message: </p>
 <blockquote>
@ -266,8 +250,7 @@ addresses from clients that don't request SMTPUTF8 support, after
 Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
-<p> As long as the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> parameter is left unspecified
+<p> As long as the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> parameter is left at its implicit
 at its implicit
 default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is
 less than 1, Postfix logs a warning each time an SMTP command uses a
 non-ASCII address localpart without requesting SMTPUTF8 support: </p>
@ -310,8 +293,7 @@ Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
 <p> As long as the <a href="postconf.5.html#mynetworks">mynetworks</a> and <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> parameters are
-left unspecified at their implicit default values, and the
+left at their implicit default values, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a>
 <a href="postconf.5.html#compatibility_level">compatibility_level</a>
 setting is less than 2, the Postfix SMTP server may log one of the
 following messages: </p>
@ -351,8 +333,7 @@ denied' errors or ETRN errors after Postfix is updated from an older
 version. The backwards-compatibility safety net is designed to
 prevent such surprises. </p>
-<p> As long as the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter is left unspecified at
+<p> As long as the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter is left at its implicit
 its implicit
 default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is less than 2,
 Postfix may log one of the following messages.  </p>
@ -427,8 +408,7 @@ secure digest of the client certificate.  </p>
 with the "sha256" digests of the expected client certificate or public
 key.  </p>
-<p> As long as the <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter is left
+<p> As long as the <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter is left at its
 unspecified at its
 implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is less than
 3.6, Postfix logs a warning each time a client certificate or public key
 fingerprint is (potentially) used for access control: </p>
@ -475,8 +455,7 @@ policies in the TLS policy table to specify matching "sha256" digests of
 the expected server certificates or public keys.  </p>
 <p> As long as the <a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (or LMTP equivalent)
-parameter is left unspecified at its implicit default value, and
+parameter is left at its implicit default value, and the
 the
 <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is less than 3.6, Postfix logs a warning each
 time the "fingerprint" security level is used to specify matching "md5"
 digests of trusted server certificates or public keys: </p>
@ -520,8 +499,7 @@ command, and both support the same features. </p> </blockquote>
 keep evaluating <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> before
 <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>, as long as the <a href="postconf.5.html#compatibility_level">compatibility_level</a> is
 less than 3.6, and the <a href="postconf.5.html#smtpd_relay_before_recipient_restrictions">smtpd_relay_before_recipient_restrictions</a>
-parameter is left unspecified at its implicit default setting. As
+parameter is left at its implicit default setting. As a reminder,
 a reminder,
 Postfix may log the following message: </p>
 <blockquote>
@ -555,8 +533,7 @@ the changes in logging could affect logfile analysis tools. </p>
 <p> To avoid breaking existing logfile analysis tools, Postfix will keep
 logging the deprecated form, as long as the <a href="postconf.5.html#respectful_logging">respectful_logging</a> parameter
-is left unspecified at its implicit default value, and the
+is left at its implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a>
 <a href="postconf.5.html#compatibility_level">compatibility_level</a>
 setting is less than 3.6. As a reminder, Postfix may log the following
 when a remote SMTP client is allowlisted or denylisted: </p>
@ -578,83 +555,6 @@ system administrator should make the backwards-compatible setting
 </pre>
 </blockquote>
 <h2> <a name="tlsrpt_reused"> Using backwards-compatible
 default setting smtp_tlsrpt_skip_reused_handshakes=yes</a> </h2>
 <p> Postfix version 3.11 changes the default value for
 <a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> from "yes" to "no". The
 backwards-compatibility safety net is designed to prevent an
 unexpected change in reporting behavior when Postfix is updated
 from an older version. </p>
 <p> As long as the <a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> parameter is
 left unspecified at its implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a>
 setting is less than 3.11, Postfix will log a reminder that it is
 using the backwards-compatible default: </p>
 <blockquote>
 <pre>
 postfix/smtp[388157] using backwards-compatible default setting
    <a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>=yes
 </pre>
 </blockquote>
 <p> To keep the old default setting, the system administrator should
 make the backwards-compatible setting "<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>
 = yes" permanent in <a href="postconf.5.html">main.cf</a>:
 <blockquote>
 <pre>
 # <b>postconf <a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>=yes</b>
 # <b>postfix reload</b>
 </pre>
 </blockquote>
 <h2> <a name="xxx_tls_level"> Using backwards-compatible
 default setting <i>xxx</i>_security_level=(empty)</a> </h2>
 <p> Postfix version 3.11 changes the default value for client TLS
 security levels from "empty" to "may". The backwards-compatibility
 safety net is designed to prevent an unexpected change in mail
 sending behavior when Postfix is updated from an older version.
 </p>
 <p> There is no equivalent change for Postfix server TLS security
 levels, because changing the level alone is not sufficient. Server-side
 TLS requires that at least one private key and one public-key
 certificate chain are configured. </p>
 <p> As long as a TLS security level parameter is left unspecified
 at its implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting
 is less than 3.11, Postfix will log one of the following reminders
 that it is using the backwards-compatible default: </p>
 <blockquote>
 <pre>
 postfix/smtp[...] using backwards-compatible default setting
    <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>=(empty)
 </pre>
 </blockquote>
 <blockquote>
 <pre>
 postfix/tlsproxy[...] using backwards-compatible default setting
    <a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a>=(empty)
 </pre>
 </blockquote>
 <p> To keep the old default setting, the system administrator should
 make the backwards-compatible empty setting permanent in <a href="postconf.5.html">main.cf</a>: </p>
 <blockquote>
 <pre>
 # <b>postconf <i>xxx</i>_security_level=</b>
 # <b>postfix reload</b>
 </pre>
 </blockquote>
 <p> where <i>xxx</i> is taken from the above compatibility message. </p>
 <h2> <a name="turnoff">Turning off the backwards-compatibility safety net</a> </h2>
 <p> Backwards compatibility is turned off by updating the
--- a/postfix/html/DATABASE_README.html
+++ b/postfix/html/DATABASE_README.html
@ -293,19 +293,6 @@ databases are maintained by Postfix daemons. The lookup table name
 as used in "<a href="DATABASE_README.html#types">dbm</a>:table" is the database file name without the ".dir"
 or ".pag" suffix.  </dd>
 <dt> <b>debug</b> </dt>
 <dd>
 <p> An adapter for another table that causes all accesses to be
 logged.  Example usage: "debug:<a href="DATABASE_README.html#types">hash</a>:/etc/postfix/example".  The
 formats of the log messages are unspecified and subject to change.
 Warning: If a query or the underlying table contains sensitive
 information (such as a password), that information might be
 logged. </p>
 <p> This feature is available with Postfix 3.11 and later. </p>
 </dd>
 <dt> <b>environ</b> </dt>
 <dd> The UNIX process environment array. The lookup key is the
--- a/postfix/html/DEPRECATION_README.html
+++ b/postfix/html/DEPRECATION_README.html
@ -104,16 +104,11 @@ detailed description. </p>
 </th> <th> Removed <br> in version </th> <th> Replacement </th>
 </tr>
 <tr> <td> <a href="#xxx_tls_enforce_peername">
 <i>xxx</i>_tls_enforce_peername </a> </td> <td align="center"> 3.11
 </td> <td align="center"> - </td> <td> <i>xxx</i>_tls_security_level
 </td> </tr>
 <tr> <td> <a href="#disable_dns_lookups"> disable_dns_lookups </a>
 </td> <td align="center"> 3.9 </td> <td align="center"> - </td>
 <td> <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> </td> </tr>
-<tr> <td> <a href="#xxx_use_tls"> <i>xxx</i>_use_tls </a> </td>
+<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_use_tls </a> </td>
 <td align="center"> 3.9 </td> <td align="center"> - </td> <td>
 <i>xxx</i>_tls_security_level </td> </tr>
@ -154,45 +149,6 @@ smtpd_tls_dh1024_param_file </a> </td> <td align="center"> 3.9 </td>
 </blockquote>
 <h3> <a name="xxx_tls_enforce_peername"> Obsolete TLS peer name
 match configuration </a> </h3>
 <p> The <a href="postconf.1.html">postconf(1)</a> command logs one of the following: </p>
 <ul>
 <li> support for parameter "<a href="postconf.5.html#lmtp_tls_enforce_peername">lmtp_tls_enforce_peername</a>" will be
 removed; instead, specify "<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a>"
 <li> support for parameter "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>" will be
 removed; instead, specify "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>"
 </ul>
 <p> There are similarly-named parameters and warnings for <a href="postscreen.8.html">postscreen(8)</a>
 and <a href="tlsproxy.8.html">tlsproxy(8)</a>, but those parameters should rarely be specified
 by hand. </p>
 <p> Replace obsolete configuration with its replacement: </p>
 <blockquote>
 <table border="1">
 <tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr>
 <tr> <td> Enforce peer name match with server certificate </td>
 <td> <i>xxx</i>_enforce_peername = yes </td> <td> <i>xxx</i>_security_level
 = verify <br> <i>xxx</i>_security_level = secure </td> </tr>
 <tr> <td> Disable peer name match with server certificate </td>
 <td> <i>xxx</i>_enforce_peername = no </td> <td> <i>xxx</i>_security_level
 = may <br> <i>xxx</i>_security_level = encrypt </td> </tr>
 </table>
 </blockquote>
 <h3> <a name="disable_dns_lookups"> Obsolete DNS on/off configuration
 </a> </h3>
--- a/postfix/html/MULTI_INSTANCE_README.html
+++ b/postfix/html/MULTI_INSTANCE_README.html
@ -40,7 +40,7 @@ management framework, and on how to deploy a custom instance manager.
 <li><a href="#parts"> Components of a Postfix system </a> 
-<li><a href="#default"> The primary Postfix instance </a> 
+<li><a href="#default"> The default Postfix instance </a> 
 <li><a href="#group"> Instance groups </a>
@ -102,7 +102,7 @@ use than ever before. </p>
 <h2><a name="split"> Null-client instances versus service instances </a></h2>
 <p> In the multi-instance approach to configuring Postfix, the first
-simplification is with the primary local-submission Postfix instance.
+simplification is with the default local-submission Postfix instance.
 </p>
 <p> Most UNIX systems require support for email submission with the
@ -152,7 +152,7 @@ limited to mail from cron jobs and other system services. In this
 regard the border MTA is not different from other Unix hosts in
 your environment. For this reason, it will submit locally-generated
 email to the internal mail hub. We start the construction of the
-border mail server with the <a href="#default">primary</a>
+border mail server with the <a href="#default_instance">default</a>
 instance, which will be a local-submission <a
 href="STANDARD_CONFIGURATION_README.html#null_client">null client</a>:
 </p>
@ -283,7 +283,7 @@ must start before the input instance. We will put the output and
 input instances into a single instance group named "mta".  </p>
 <p> Just once, when adding the first secondary instance, enable
-multi-instance support in the primary (null-client) instance: </p>
+multi-instance support in the default (null-client) instance: </p>
 <blockquote>
 <pre>
@ -301,7 +301,7 @@ multi-instance support in the primary (null-client) instance: </p>
 <p> The instance configuration directory defaults to /etc/postfix-out,
 more precisely, the "postfix-out" subdirectory of the parent directory
-of the primary-instance configuration directory. The new instance will
+of the default-instance configuration directory. The new instance will
 be created in a "disabled" state: </p>
 <blockquote>
@ -323,7 +323,7 @@ be created in a "disabled" state: </p>
 <p> This instance has a "stock" <a href="master.5.html">master.cf</a> file, and its queue and
 data directories, also named "postfix-out", will be located in the
 same parent directories as the corresponding directories of the
-primary instance (e.g., /var/spool/postfix-out and /var/lib/postfix-out).
+default instance (e.g., /var/spool/postfix-out and /var/lib/postfix-out).
 </p>
 <p> While this instance is immediately safe to start, it is not yet
@ -472,7 +472,7 @@ also part of the "mta" instance group: </p>
 <p> The new instance configuration directory defaults to /etc/postfix-in,
 more precisely, the "postfix-in" subdirectory of the parent directory
-of the primary-instance configuration directory. The new instance will
+of the default-instance configuration directory. The new instance will
 be created in a "disabled" state: </p>
 <blockquote>
@ -658,7 +658,7 @@ all but one may be optionally set to a non-default value via the
 <p> Though <a href="postconf.5.html#config_directory">config_directory</a> cannot be set in <a href="postconf.5.html">main.cf</a>, <a href="postfix.1.html">postfix(1)</a> and
 most of the other command-line Postfix utilities allow you to specify a
-secondary configuration directory via a command line option (typically
+non-default configuration directory via a command line option (typically
 <b>-c</b>) or via the MAIL_CONFIG environment variable. In this way,
 it is possible to have multiple configuration directories on the same
 machine, and to have multiple running <a href="master.8.html">master(8)</a> daemons each with its
@ -672,28 +672,28 @@ directories, queue directories or data directories. </p>
 directory and data directory (specified in the corresponding <a href="postconf.5.html">main.cf</a> file)
 make up a Postfix <b>instance</b>. </p>
-<h2><a name="default"> The primary Postfix instance </a></h2>
+<h2><a name="default"> The default Postfix instance </a></h2>
 <p> One Postfix instance is special: this is the instance whose
 configuration directory is the default one compiled into the Postfix
 utilities. The location of the default configuration directory is
 typically /etc/postfix, and can be queried via the "postconf -d
 <a href="postconf.5.html#config_directory">config_directory</a>" command.  We call the instance with this configuration
-directory the "primary instance". </p>
+directory the "default instance". </p>
-<p> The primary instance is responsible for local mail submission. The
+<p> The default instance is responsible for local mail submission. The
 setgid <a href="postdrop.1.html">postdrop(1)</a> utility is used by the <a href="sendmail.1.html">sendmail(1)</a> local submission
 program to spool messages into the <b>maildrop</b> sub-directory of the
-queue directory of the primary instance. </p>
+queue directory of the default instance. </p>
 <p> Even in the rare case when "sendmail -C" is used to submit local mail
-into a secondary Postfix instance, for security reasons, <a href="postdrop.1.html">postdrop(1)</a>
+into a non-default Postfix instance, for security reasons, <a href="postdrop.1.html">postdrop(1)</a>
-will consult the primary <a href="postconf.5.html">main.cf</a> file to check the validity of the
+will consult the default <a href="postconf.5.html">main.cf</a> file to check the validity of the
 requested non-default configuration directory. </p>
 <p> So, while in most other respects, all instances are equal, the
-primary instance is "more equal than others". You may choose to create
+default instance is "more equal than others". You may choose to create
-secondary instances, but you must have at least the primary instance,
+additional instances, but you must have at least the default instance,
 with its configuration directory in the default compiled-in location. </p>
 <h2><a name="group"> Instance groups </a></h2>
@ -715,9 +715,9 @@ of a single instance group (however, the content filter usually has
 its own start/stop procedure that is separate from any Postfix
 instance).  </p>
-<p> The primary instance <a href="postconf.5.html">main.cf</a> file's $<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
+<p> The default instance <a href="postconf.5.html">main.cf</a> file's $<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
 configuration parameter lists the configuration directories of all
-secondary (non-default) instances. Together with the primary instance,
+secondary (non-default) instances. Together with the default instance,
 these secondary instances are managed by the multi-instance manager.
 Instances are started in the order listed, and stopped in the
 opposite order. For instances that are members of a service "group",
@ -731,7 +731,7 @@ stages are started. </p>
 <dt> <a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> </dt> 
-<dd> <p> This primary-instance configuration parameter must be set
+<dd> <p> This default-instance configuration parameter must be set
 to a suitable multi-instance manager's "wrapper" program that
 controls the starting, stopping, etc. of a multi-instance Postfix
 system. To use the <a href="postmulti.1.html">postmulti(1)</a> manager described in this document,
@ -740,10 +740,10 @@ this parameter should be set with the "<a href="#init">postmulti
 <dt> <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> </dt>
-<dd> <p> This primary-instance configuration parameter specifies
+<dd> <p> This default-instance configuration parameter specifies
 an optional list of the secondary instances controlled via the
 multi-instance manager. Instances are listed in their "start" order,
-with the primary instance always started first (if enabled). If
+with the default instance always started first (if enabled). If
 $<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> is left empty, the <a href="postfix.1.html">postfix(1)</a> command
 runs with multi-instance support turned off, and none of the
 multi_instance_ configuration parameters will have any effect. </p>
@ -842,7 +842,7 @@ automatically. See below. </p>
 <p> Before <a href="postmulti.1.html">postmulti(1)</a> is used for the first time, you must install
 it as the <a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> for your Postfix system and enable
-multi-instance operation of the primary Postfix instance. You can then
+multi-instance operation of the default Postfix instance. You can then
 proceed to add <a href="#create">new</a> or <a href="#import">existing</a>
 instances to the multi-instance configuration. This initial installation
 is accomplished as follows: </p>
@ -853,7 +853,7 @@ is accomplished as follows: </p>
 </pre>
 </blockquote>
-<p> This updates the primary instance <a href="postconf.5.html">main.cf</a> file as follows: </p>
+<p> This updates the default instance <a href="postconf.5.html">main.cf</a> file as follows: </p>
 <blockquote>
 <pre>
@ -861,28 +861,28 @@ is accomplished as follows: </p>
    #
    <a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> = ${<a href="postconf.5.html#command_directory">command_directory</a>}/postmulti -p --
-    # Configure the primary instance to start when in multi-instance mode
+    # Configure the default instance to start when in multi-instance mode
    #
    <a href="postconf.5.html#multi_instance_enable">multi_instance_enable</a> = yes
 </pre>
 </blockquote>
-<p> If you prefer, you can make these changes by editing the primary
+<p> If you prefer, you can make these changes by editing the default
 <a href="postconf.5.html">main.cf</a> directly, or by using "postconf -e". </p>
 <h3><a name="list"> Listing managed instances </a></h3>
-<p> The list of managed instances consists of the primary instance and
+<p> The list of managed instances consists of the default instance and
-the secondary instances whose configuration directories are listed
+the additional instances whose configuration directories are listed
 (in start order) under the <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> parameter of the
-primary <a href="postconf.5.html">main.cf</a> configuration file.  </p>
+default <a href="postconf.5.html">main.cf</a> configuration file.  </p>
 <p> You can list selected instances, groups of instances or all
 instances by specifying only the instance matching options with the
 "-l" option.  The "-a" option is assumed if no other instance
 selection options are specified (this behavior changes with the
 "-e" option).  As a special case, even if it has an explicit name,
-the primary instance can always be selected via "-i -". </p>
+the default instance can always be selected via "-i -". </p>
 <blockquote>
 <pre>
@ -926,7 +926,7 @@ set, it is shown as a "-". </p>
 <p> When selecting an existing instance via the "-i" option, you
 can always use the full pathname of its configuration directory
 instead of the instance (short) name. This is the only way to select
-a secondary nameless instance. The primary instance can be selected
+a non-default nameless instance. The default instance can be selected
 via "-i -", whether it has a name or not. </p>
 <p> To list instances in reverse start order, include the "-R"
@ -1052,7 +1052,7 @@ $ postmulti -x sh -c 'echo "-- $MAIL_CONFIG"; postconf -n'
 <h3><a name="create"> Creating a new Postfix instance </a></h3>
-<p> The <a href="postmulti.1.html">postmulti(1)</a> command can be used to create secondary Postfix
+<p> The <a href="postmulti.1.html">postmulti(1)</a> command can be used to create additional Postfix
 instances. New instances are created with local submission and all "inet"
 services disabled via the following non-default parameter settings in
 the <a href="postconf.5.html">main.cf</a> file: </p>
@ -1072,7 +1072,7 @@ the above safety measures. </p>
 <p> The <a href="postmulti.1.html">postmulti(1)</a> command encourages a preferred way of organizing
 the configuration directories, queue directories and data directories
-of secondary instances. If the primary instance settings are: </p>
+of non-default instances. If the default instance settings are: </p>
 <blockquote>
 <pre>
@ -1140,7 +1140,7 @@ the configuration directories of newly managed instances are appended
 to the instance list. You can use the "-i" or "-g" or "-a" options to
 insert the new instance before the specified instance or group, or at
 the beginning of the instance list (<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> parameter
-of the primary instance). </p>
+of the default instance). </p>
 <p> If you do specify a name (use "-I" with a name that is not "-")
 for the new instance, you may omit any of the 3 instance installation
--- a/postfix/html/SMTPUTF8_README.html
+++ b/postfix/html/SMTPUTF8_README.html
@ -375,7 +375,7 @@ Firefox and Chrome web browsers. Specify "<a href="postconf.5.html#enable_idna20
 = yes" to get the historical behavior. </p>
 <p> This affects the conversion of domain names that contain for
-example the German sz (ß) and the Greek (final) sigma (ς). See
+example the German sz (ß) and the Greek zeta (ς). See
 <a href="https://unicode.org/cldr/utility/idna.jsp">https://unicode.org/cldr/utility/idna.jsp</a> for more examples. </p>
 <h2> <a name="credits">Credits</a> </h2>
--- a/postfix/html/TLSRPT_README.html
+++ b/postfix/html/TLSRPT_README.html
@ -25,7 +25,6 @@
 <li> <a href="#intro"> Introduction </a> </li>
 <li> <a href="#building"> Building Postfix with TLSRPT support </a>
 <li> <a href="#using"> Turning on TLSRPT </a> </li>
 <li> <a href="#reusing"> Connection reuse versus session resumption </a> </li>
 <li> <a href="#logging"> TLSRPT Status logging </a> </li>
 <li> <a href="#delivering"> Delivering TLSRPT summaries via email</a> </li>
 <li> <a href="#mta-sts"> MTA-STS Support via smtp_tls_policy_maps </a> </li>
@ -53,8 +52,8 @@ _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:smtp-tls-report@example.c
 <p> Instead of <tt>mailto:</tt>, a policy may specify an <tt>https:</tt>
 destination. </p>
-<p> The diagram below shows how successful or failed Postfix TLS
+<p> The diagram below shows how Postfix TLS handshake success and
-handshake events are collected and processed into daily summary
+failure events are collected and processed into daily summary
 reports. </p>
 <blockquote>
@ -100,7 +99,7 @@ fetch, and report TLSRPT information, are implemented and maintained
 by sys4 at <a href="https://github.com/sys4/libtlsrpt">https://github.com/sys4/libtlsrpt</a> and
 <a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>, respectively. </p>
-<p> The Postfix implementation supports TLSRPT for domains with DANE
+<p> The Postfix implementation supports TLSRPT or domains with DANE
 (Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
 smtp_tls_policy_maps plug-in</a>). </p>
@ -204,49 +203,6 @@ programs should create sockets there. </p>
 infrastructure, see the documentation at
 <a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>.
 <h2> <a name="reusing"> Connection reuse versus session resumption
 </a> </h2>
 <p> The Postfix SMTP client implements two kinds of reuse: </p>
 <ul>
 <li> <p> <b> SMTP Connection reuse: </b> a Postfix SMTP client
 creates a new SMTP connection, sends one email message, and saves
 the connection instead of closing it. Later, some SMTP client reuses
 that connection, sends an email message, and saves or closes the
 connection depending on whether it has reached some reuse limit.
 Each connection can be used by only one Postfix SMTP client at a
 time. </p>
 <li> <p> <b> TLS Session resumption: </b> a Postfix SMTP client
 saves the result from a "new" TLS handshake. Later, one or more
 SMTP clients create a new SMTP connection and resume the saved TLS
 session on their new connection. <p>
 </ul>
 <p> Of course there is a third case: </p>
 <ul>
 <li> <p> <b> Combined reuse and resumption: </b> a Postfix SMTP
 client creates a new SMTP connection, sends one email message, saves
 the result from a "new" TLS handshake, and also saves the connection
 instead of closing it. Later, one SMTP client reuses (and saves)
 that connection, one client at a time, and one or more clients
 create a new SMTP connection and resume the saved TLS session on
 their new connection. <p>
 </ul>
 <p> In all cases, there is no TLS handshake when a saved SMTP connection
 is reused, and there is no "new" TLS handshake when a saved TLS session
 is resumed. </p>
 <p> As described next, Postfix will by default log and generate only a
 TLSRPT event for a "new" TLS handshake.  </p>
 <h2> <a name="logging"> TLSRPT Status logging </a> </h2>
 <p> With TLSRPT support turned on, the Postfix TLSRPT client will
@ -286,12 +242,12 @@ Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
    TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 </pre>
-<li> <p> With TLSRPT enabled, the Postfix SMTP client reports the
+<li> <p> By default, Postfix does not report the TLSRPT status for
-TLSRPT status for all TLS handshakes (the default as of Postfix
+a TLS handshake that reuses a previously-negotiated TLS session
-3.11).  Specify "<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = yes" (the
+(there would be no new information to report). Specify
-default with Postfix 3.10) to skip reporting TLS handshakes that
+"<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = no" to report the TLSRPT
-reuse a previously-negotiated TLS session as there would be no new
+status for all TLS handshakes. This may be useful for troubleshooting.
-information to report. </p>
+</p>
 <li> <p> Postfix logging for certificate verification failures may
 differ between new or reused TLS sessions. </p>
@ -373,7 +329,7 @@ generator's sender address): </p>
 <h2> <a name="mta-sts"> MTA-STS Support via smtp_tls_policy_maps
 </a></h2>
-<p> Postfix supports MTA-STS through an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
+<p> Postfix supports MTA-STS though an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
 plugin, which replies with a TLS security level and name=value
 attributes with certificate matching requirements. Postfix 3.10 and
 later extend the policy plugin response with additional name=value
--- a/postfix/html/XCLIENT_README.html
+++ b/postfix/html/XCLIENT_README.html
@ -145,8 +145,8 @@ xtext encode attribute values. Servers that wish to interoperate
 with these older implementations should be prepared to receive
 unencoded information. </p>
-<p> Note 4: The PORT attribute is implemented in Postfix 2.5 and
+<p> Note 4: Some Postfix implementations do not implement the PORT
-later; the LOGIN attribute in Postfix 2.9 and later. </p>
+or LOGIN attributes.  </p>
 <h2>XCLIENT Server response</h2>
--- a/postfix/html/discard.8.html
+++ b/postfix/html/discard.8.html
@ -60,7 +60,7 @@ DISCARD(8)                                                          DISCARD(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The maximal number of digits after the decimal point  when  log-
-              ging delay values.
+              ging sub-second delay values.
       <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
              The  sender  address of postmaster notifications that are gener-
--- a/postfix/html/error.8.html
+++ b/postfix/html/error.8.html
@ -70,7 +70,7 @@ ERROR(8)                                                              ERROR(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
-              ging delay values.
+              ging sub-second delay values.
       <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
              The sender address of postmaster notifications that  are  gener-
--- a/postfix/html/lmdb_table.5.html
+++ b/postfix/html/lmdb_table.5.html
@ -56,25 +56,24 @@ LMDB_TABLE(5)                                                    LMDB_TABLE(5)
 <b><a name="synchronization">SYNCHRONIZATION</a></b>
       The Postfix LMDB adapter does not use LMDB's built-in  locking  scheme,
-       because  that would require world-writable lockfiles and therefore vio-
+       because  that  would require world-writable lockfiles and would violate
-       late the Postfix security model.  Instead, Postfix uses fcntl(2)  locks
+       the Postfix security model.  Instead, Postfix uses fcntl(2) locks  with
-       with whole-file granularity.  Programs that use LMDB's built-in locking
+       whole-file granularity.  Programs that use LMDB's built-in locking pro-
-       protocol will corrupt a Postfix LMDB database or will read garbage.
+       tocol will corrupt a Postfix LMDB database or will read garbage.
       Every Postfix LMDB database read or write transaction must be protected
-       from  start  to end with a shared or exclusive fcntl(2) lock. A process
+       from  start  to end with a shared or exclusive fcntl(2) lock.  A writer
-       may atomically downgrade an exclusive lock  to  a  shared  lock  before
+       may atomically downgrade an exclusive lock to a  shared  lock,  but  it
-       opening a database read transaction, but it must hold an exclusive lock
+       must hold an exclusive lock while opening another write transaction.
       while opening a write transaction.
-       Note that fcntl(2) locks do not protect transactions  within  the  same
+       Note  that  fcntl(2)  locks do not protect transactions within the same
-       process  against each other.  If a program cannot avoid making simulta-
+       process against each other.  If a program cannot avoid making  simulta-
-       neous database requests, then it must  protect  its  transactions  with
+       neous  database  requests,  then  it must protect its transactions with
       in-process locks, in addition to the per-process fcntl(2) locks.
 <b><a name="configuration_parameters">CONFIGURATION PARAMETERS</a></b>
-       Short-lived  programs  automatically  pick up changes to <a href="postconf.5.html">main.cf</a>.  With
+       Short-lived programs automatically pick up changes  to  <a href="postconf.5.html">main.cf</a>.   With
-       long-running daemon programs, Use the command "<b>postfix reload</b>" after  a
+       long-running  daemon programs, Use the command "<b>postfix reload</b>" after a
       configuration change.
       <b><a href="postconf.5.html#lmdb_map_size">lmdb_map_size</a> (16777216)</b>
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@ -511,7 +511,7 @@ SMTP(8)                                                                SMTP(8)
       Detailed  information  about STARTTLS configuration may be found in the
       <a href="TLS_README.html">TLS_README</a> document.
-       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (Postfix</b> &gt;<b>= 3.11: may; Postfix</b> &lt; <b>3.11: empty)</b>
+       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
              The default SMTP TLS security level for the Postfix SMTP client.
       <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
@ -757,50 +757,50 @@ SMTP(8)                                                                SMTP(8)
              The pathname of a UNIX-domain datagram socket that is managed by
              a local TLSRPT reporting service.
-       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (Postfix</b> &gt;<b>= 3.11: no, Postfix  3.10:</b>
+       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
-       <b>yes)</b>
+              Do not report the TLSRPT status for TLS protocol handshakes that
-              When set to "yes", report the TLSRPT status only for  "new"  TLS
+              reuse  a  previously-negotiated  TLS  session  (there  is no new
-              sessions.
+              information to report).
       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
              Enable  support  for  the  "TLS-Required:  no"  message  header,
              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
 <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
-       The following configuration parameters  exist  for  compatibility  with
+       The  following  configuration  parameters  exist for compatibility with
-       Postfix  versions  before  2.3.  Support for these will be removed in a
+       Postfix versions before 2.3. Support for these will  be  removed  in  a
       future release.
       <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
-              Opportunistic mode: use TLS when a remote SMTP server  announces
+              Opportunistic  mode: use TLS when a remote SMTP server announces
              STARTTLS support, otherwise send the mail in the clear.
       <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
-              Enforcement  mode:  require  that  remote  SMTP  servers use TLS
+              Enforcement mode: require  that  remote  SMTP  servers  use  TLS
              encryption, and never send mail in the clear.
       <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              With mandatory TLS encryption,  require  that  the  remote  SMTP
+              With  mandatory  TLS  encryption,  require  that the remote SMTP
-              server  hostname  matches  the  information  in  the remote SMTP
+              server hostname matches  the  information  in  the  remote  SMTP
              server certificate.
       <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
-              Optional lookup tables with the Postfix SMTP  client  TLS  usage
+              Optional  lookup  tables  with the Postfix SMTP client TLS usage
-              policy  by  next-hop destination and by remote SMTP server host-
+              policy by next-hop destination and by remote SMTP  server  host-
              name.
       <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
-              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP  client  TLS
+              Obsolete  Postfix  &lt; 2.3 control for the Postfix SMTP client TLS
              cipher list.
 <b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
       <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The  Postfix SMTP client time limit for completing a TCP connec-
+              The Postfix SMTP client time limit for completing a TCP  connec-
              tion, or zero (use the operating system built-in time limit).
       <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The Postfix SMTP client time limit for sending the HELO or  EHLO
+              The  Postfix SMTP client time limit for sending the HELO or EHLO
-              command,  and  for  receiving  the  initial  remote  SMTP server
+              command, and  for  receiving  the  initial  remote  SMTP  server
              response.
       <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -812,19 +812,19 @@ SMTP(8)                                                                SMTP(8)
              mand, and for receiving the remote SMTP server response.
       <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The Postfix SMTP client time limit for  sending  the  MAIL  FROM
+              The  Postfix  SMTP  client  time limit for sending the MAIL FROM
              command, and for receiving the remote SMTP server response.
       <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The  Postfix SMTP client time limit for sending the SMTP RCPT TO
+              The Postfix SMTP client time limit for sending the SMTP RCPT  TO
              command, and for receiving the remote SMTP server response.
       <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The Postfix SMTP client time limit for  sending  the  SMTP  DATA
+              The  Postfix  SMTP  client  time limit for sending the SMTP DATA
              command, and for receiving the remote SMTP server response.
       <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The  Postfix SMTP client time limit for sending the SMTP message
+              The Postfix SMTP client time limit for sending the SMTP  message
              content.
       <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -838,13 +838,13 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 2.1 and later:
       <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
-              The maximal number of MX (mail exchanger) IP addresses that  can
+              The  maximal number of MX (mail exchanger) IP addresses that can
-              result  from Postfix SMTP client mail exchanger lookups, or zero
+              result from Postfix SMTP client mail exchanger lookups, or  zero
              (no limit).
       <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The maximal number of SMTP sessions per delivery request  before
+              The  maximal number of SMTP sessions per delivery request before
-              the  Postfix  SMTP  client  gives  up or delivers to a fall-back
+              the Postfix SMTP client gives up  or  delivers  to  a  fall-back
              <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
       <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -854,17 +854,17 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 2.2 and earlier:
       <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
-              Keep  Postfix  LMTP  client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
+              Keep Postfix LMTP client connections open for  up  to  $<a href="postconf.5.html#max_idle">max_idle</a>
              seconds.
       Available in Postfix version 2.2 and later:
       <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently enable SMTP connection  caching  for  the  specified
+              Permanently  enable  SMTP  connection  caching for the specified
              destinations.
       <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily  enable  SMTP connection caching while a destination
+              Temporarily enable SMTP connection caching while  a  destination
              has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
       <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -878,23 +878,23 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 2.3 and later:
       <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time limit for connection cache connect, send or receive  opera-
+              Time  limit for connection cache connect, send or receive opera-
              tions.
       Available in Postfix version 2.9 - 3.6:
       <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
-              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              Change the behavior of the smtp_*_timeout time  limits,  from  a
-              time limit per read or write system call, to  a  time  limit  to
+              time  limit  per  read  or write system call, to a time limit to
-              send  or  receive  a complete record (an SMTP command line, SMTP
+              send or receive a complete record (an SMTP  command  line,  SMTP
-              response line, SMTP message content line, or TLS  protocol  mes-
+              response  line,  SMTP message content line, or TLS protocol mes-
              sage).
       Available in Postfix version 2.11 and later:
       <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
-              When  SMTP  connection  caching  is enabled, the number of times
+              When SMTP connection caching is enabled,  the  number  of  times
-              that an SMTP session may be reused before it is closed, or  zero
+              that  an SMTP session may be reused before it is closed, or zero
              (no limit).
       Available in Postfix version 3.4 and later:
@ -905,13 +905,13 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 3.7 and later:
       <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
-              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              Change the behavior of the smtp_*_timeout time  limits,  from  a
-              time limit per plaintext or TLS read or write call,  to  a  com-
+              time  limit  per  plaintext or TLS read or write call, to a com-
-              bined  time  limit  for  sending a complete SMTP request and for
+              bined time limit for sending a complete  SMTP  request  and  for
              receiving a complete SMTP response.
       <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
-              The minimum plaintext data transfer  rate  in  bytes/second  for
+              The  minimum  plaintext  data  transfer rate in bytes/second for
              DATA    requests,    when    deadlines    are    enabled    with
              <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
@ -919,54 +919,54 @@ SMTP(8)                                                                SMTP(8)
       <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a>   ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
       <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
-              A transport-specific override for  the  <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+              A  transport-specific  override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
              <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
              name of the message delivery transport.
       <b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a>     ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
       <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
              A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
-              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>  parameter  value,  where  <i>transport</i> is the <a href="master.5.html">master.cf</a>
+              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where  <i>transport</i>  is  the  <a href="master.5.html">master.cf</a>
              name of the message delivery transport.
 <b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
       Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
       <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
-              Enable preliminary SMTPUTF8 support for the protocols  described
+              Enable  preliminary SMTPUTF8 support for the protocols described
              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
       <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
-              Detect  that  a message requires SMTPUTF8 support for the speci-
+              Detect that a message requires SMTPUTF8 support for  the  speci-
              fied mail origin classes.
       Available in Postfix version 3.2 and later:
       <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
-              Enable  'transitional'  compatibility   between   IDNA2003   and
+              Enable   'transitional'   compatibility   between  IDNA2003  and
-              IDNA2008,  when  converting UTF-8 domain names to/from the ASCII
+              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
              form that is used for DNS lookups.
 <b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
       <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The increment in verbose logging level when a  nexthop  destina-
+              The  increment  in verbose logging level when a nexthop destina-
-              tion,  remote client or server name or network address matches a
+              tion, remote client or server name or network address matches  a
              pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
       <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional list of nexthop destination, remote  client  or  server
+              Optional  list  of  nexthop destination, remote client or server
-              name  or  network  address  patterns that, if matched, cause the
+              name or network address patterns that,  if  matched,  cause  the
-              verbose logging level to increase by  the  amount  specified  in
+              verbose  logging  level  to  increase by the amount specified in
              $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
       <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The  recipient  of  postmaster notifications about mail delivery
+              The recipient of postmaster notifications  about  mail  delivery
              problems that are caused by policy, resource, software or proto-
              col errors.
       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What   categories  of  Postfix-generated  mail  are  subject  to
+              What  categories  of  Postfix-generated  mail  are  subject   to
-              before-queue   content    inspection    by    <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+              before-queue    content    inspection    by   <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
              <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@ -974,46 +974,46 @@ SMTP(8)                                                                SMTP(8)
 <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
       <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where  the  Postfix  SMTP  client  should  deliver  mail when it
+              Where the Postfix  SMTP  client  should  deliver  mail  when  it
              detects a "mail loops back to myself" error condition.
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
+              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
              figuration files.
       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much  time  a  Postfix  daemon process may take to handle a
+              How much time a Postfix daemon process  may  take  to  handle  a
              request before it is terminated by a built-in watchdog timer.
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The maximal number of digits after the decimal point  when  log-
+              The  maximal  number of digits after the decimal point when log-
              ging delay values.
       <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
              Disable DNS lookups in the Postfix SMTP and LMTP clients.
       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The  local  network  interface  addresses  that this mail system
+              The local network interface  addresses  that  this  mail  system
              receives mail on.
       <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
-              The Internet protocols Postfix will attempt to use  when  making
+              The  Internet  protocols Postfix will attempt to use when making
              or accepting connections.
       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
-              The  time  limit  for  sending  or receiving information over an
+              The time limit for sending  or  receiving  information  over  an
              internal communication channel.
       <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
-              When a remote LMTP server announces no DSN support, assume  that
+              When  a remote LMTP server announces no DSN support, assume that
-              the  server performs final delivery, and send "delivered" deliv-
+              the server performs final delivery, and send "delivered"  deliv-
              ery status notifications instead of "relayed".
       <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
              The default TCP port that the Postfix LMTP client connects to.
       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The maximum amount of time that an idle Postfix  daemon  process
+              The  maximum  amount of time that an idle Postfix daemon process
              waits for an incoming connection before terminating voluntarily.
       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1027,21 +1027,21 @@ SMTP(8)                                                                SMTP(8)
              The process name of a Postfix command or daemon process.
       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The  remote  network  interface  addresses that this mail system
+              The remote network interface addresses  that  this  mail  system
-              receives mail on by way of a proxy or network  address  transla-
+              receives  mail  on by way of a proxy or network address transla-
              tion unit.
       <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
              The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
-              client will try first, when a  destination  has  IPv6  and  IPv4
+              client  will  try  first,  when  a destination has IPv6 and IPv4
              addresses with equal MX preference.
       <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An  optional  numerical  network  address  that the Postfix SMTP
+              An optional numerical network  address  that  the  Postfix  SMTP
              client should bind to when making an IPv4 connection.
       <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An optional numerical network  address  that  the  Postfix  SMTP
+              An  optional  numerical  network  address  that the Postfix SMTP
              client should bind to when making an IPv6 connection.
       <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -1061,7 +1061,7 @@ SMTP(8)                                                                SMTP(8)
              The syslog facility of Postfix logging.
       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              A prefix that  is  prepended  to  the  process  name  in  syslog
+              A  prefix  that  is  prepended  to  the  process  name in syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".
       Available with Postfix 2.2 and earlier:
@ -1073,14 +1073,14 @@ SMTP(8)                                                                SMTP(8)
       Available with Postfix 2.3 and later:
       <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional list of relay destinations that will be  used  when  an
+              Optional  list  of  relay destinations that will be used when an
-              SMTP  destination  is not found, or when delivery fails due to a
+              SMTP destination is not found, or when delivery fails due  to  a
              non-permanent error.
       Available with Postfix 3.0 and later:
       <b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
-              In the context of email address verification, the SMTP  protocol
+              In  the context of email address verification, the SMTP protocol
              stage that determines whether an email address is deliverable.
       Available with Postfix 3.1 and later:
@ -1102,7 +1102,7 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix 3.7 and later:
       <b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
-              Defer delivery when the Postfix SMTP  client  cannot  apply  the
+              Defer  delivery  when  the  Postfix SMTP client cannot apply the
              <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
 <b><a name="see_also">SEE ALSO</a></b>
--- a/postfix/html/memcache_table.5.html
+++ b/postfix/html/memcache_table.5.html
@ -99,30 +99,18 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
              time. Smaller values are relative to the time of the update.
 <b><a name="memcache_key_parameters">MEMCACHE KEY PARAMETERS</a></b>
       <b>key_digest (default: empty)</b>
              After processing the <b>key_format</b> setting, and  before  sending  a
              request  to  the  memcache server, run the key through the named
              message digest algorithm and convert  the  result  to  lowercase
              hexadecimal  characters.  This  prevents a database access error
              when keys may exceed the  memcache  server's  key  length  limit
              (usually, 250 bytes). Specify the name of a message digest algo-
              rithm that is supported by OpenSSL, for example, <b>sha256</b>.
              This feature  is  available  in  Postfix  3.11  and  later,  and
              requires that Postfix is built with TLS support.
       <b>key_format (default: %s)</b>
-              Format  of  the lookup and update keys that the Postfix memcache
+              Format of the lookup and update keys that the  Postfix  memcache
-              client sends to the memcache server.  By default, these are  the
+              client  sends to the memcache server.  By default, these are the
-              same  as  the  lookup  and  update keys that the memcache client
+              same as the lookup and update  keys  that  the  memcache  client
              receives from Postfix applications.
-              NOTE 1: The <b>key_format</b> feature is not used for  <b>backup</b>  database
+              NOTE  1:  The <b>key_format</b> feature is not used for <b>backup</b> database
              requests.
-              NOTE  2:  When multiple tables share the same memcache database,
+              NOTE 2: When multiple tables share the same  memcache  database,
-              each table should prepend its own unique string  to  the  lookup
+              each  table  should  prepend its own unique string to the lookup
-              key.   Otherwise,  automatic  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  or  <a href="verify.8.html"><b>verify</b>(8)</a> cache
+              key.  Otherwise,  automatic  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  or  <a href="verify.8.html"><b>verify</b>(8)</a>  cache
              cleanup may not work.
              Examples:
@ -138,37 +126,37 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
              <b>%s</b>     This is replaced by the memcache client input key.
              <b>%u</b>     When the input key is an address of the form user@domain,
-                     <b>%u</b>  is  replaced  by  the  SQL  quoted  local part of the
+                     <b>%u</b> is replaced by  the  SQL  quoted  local  part  of  the
-                     address.  Otherwise, <b>%u</b> is replaced by the entire  search
+                     address.   Otherwise, <b>%u</b> is replaced by the entire search
-                     string.   If the localpart is empty, a lookup is silently
+                     string.  If the localpart is empty, a lookup is  silently
-                     suppressed and returns no results (an update  is  skipped
+                     suppressed  and  returns no results (an update is skipped
                     with a warning).
              <b>%d</b>     When the input key is an address of the form user@domain,
                     <b>%d</b> is replaced by the domain part of the address.  Other-
-                     wise,  a  lookup  is  silently  suppressed and returns no
+                     wise, a lookup is  silently  suppressed  and  returns  no
                     results (an update is skipped with a warning).
              <b>%[SUD]</b> The upper-case equivalents of the above expansions behave
-                     in   the   <b>key_format</b>   parameter  identically  to  their
+                     in  the  <b>key_format</b>  parameter   identically   to   their
                     lower-case counter-parts.
-              <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced  by  the  corre-
+              <b>%[1-9]</b> The  patterns  %1,  %2, ... %9 are replaced by the corre-
-                     sponding  most  significant  component of the input key's
+                     sponding most significant component of  the  input  key's
-                     domain. If the input key is  <i>user@mail.example.com</i>,  then
+                     domain.  If  the input key is <i>user@mail.example.com</i>, then
                     %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key
-                     is unqualified or does not have enough domain  components
+                     is  unqualified or does not have enough domain components
-                     to  satisfy  all  the  specified  patterns,  a  lookup is
+                     to satisfy  all  the  specified  patterns,  a  lookup  is
-                     silently suppressed and returns no results (an update  is
+                     silently  suppressed and returns no results (an update is
                     skipped with a warning).
       <b>domain (default: no domain list)</b>
-              This  feature  can  significantly  reduce  database server load.
+              This feature can  significantly  reduce  database  server  load.
-              Specify a list of domain names, paths to files, or  "<a href="DATABASE_README.html">type:table</a>"
+              Specify  a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>"
-              databases.   When  specified,  only  fully qualified search keys
+              databases.  When specified, only  fully  qualified  search  keys
-              with a *non-empty* localpart and a matching domain are  eligible
+              with  a *non-empty* localpart and a matching domain are eligible
-              for  lookup  or update: bare 'user' lookups, bare domain lookups
+              for lookup or update: bare 'user' lookups, bare  domain  lookups
-              and "@domain" lookups are silently skipped (updates are  skipped
+              and  "@domain" lookups are silently skipped (updates are skipped
              with a warning).  Example:
                  domain = example.com, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains
@ -181,30 +169,30 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
              The maximal memcache reply line length in bytes.
       <b>max_try (default: 2)</b>
-              The  number of times to try a memcache command before giving up.
+              The number of times to try a memcache command before giving  up.
-              The memcache client does not retry a command when  the  memcache
+              The  memcache  client does not retry a command when the memcache
              server accepts no connection.
       <b>retry_pause (default: 1)</b>
              The time in seconds before retrying a failed memcache command.
       <b>timeout (default: 2)</b>
-              The  time limit for sending a memcache command and for receiving
+              The time limit for sending a memcache command and for  receiving
              a memcache reply.
 <b><a name="bugs">BUGS</a></b>
-       The Postfix memcache  client  cannot  be  used  for  security-sensitive
+       The  Postfix  memcache  client  cannot  be  used for security-sensitive
       tables such as <b><a href="postconf.5.html#alias_maps">alias_maps</a></b> (these may contain "<i>|command</i> and "<i>/file/name</i>"
-       destinations), or <b><a href="postconf.5.html#virtual_uid_maps">virtual_uid_maps</a></b>, <b><a href="postconf.5.html#virtual_gid_maps">virtual_gid_maps</a></b> and  <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mail</a>-</b>
+       destinations),  or <b><a href="postconf.5.html#virtual_uid_maps">virtual_uid_maps</a></b>, <b><a href="postconf.5.html#virtual_gid_maps">virtual_gid_maps</a></b> and <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mail</a>-</b>
-       <b><a href="postconf.5.html#virtual_mailbox_maps">box_maps</a></b> (these specify UNIX process privileges for "<i>/file/name</i>" desti-
+       <b><a href="postconf.5.html#virtual_mailbox_maps">box_maps</a></b> (these specify UNIX process privileges or "<i>/file/name</i>"  desti-
-       nations).  In a typical deployment a memcache database is  writable  by
+       nations).   In  a typical deployment a memcache database is writable by
-       any  process  that  can talk to the memcache server; in contrast, secu-
+       any process that can talk to the memcache server;  in  contrast,  secu-
-       rity-sensitive tables must never be writable by the unprivileged  Post-
+       rity-sensitive  tables must never be writable by the unprivileged Post-
       fix user.
       The Postfix memcache client requires additional configuration when used
-       as <a href="postscreen.8.html"><b>postscreen</b>(8)</a> or <a href="verify.8.html"><b>verify</b>(8)</a> cache.  For details see  the  <b>backup</b>  and
+       as  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  or  <a href="verify.8.html"><b>verify</b>(8)</a> cache.  For details see the <b>backup</b> and
-       <b>ttl</b>  parameter  discussions  in  the  MEMCACHE  MAIN PARAMETERS section
+       <b>ttl</b> parameter discussions  in  the  MEMCACHE  MAIN  PARAMETERS  section
       above.
 <b><a name="see_also">SEE ALSO</a></b>
--- a/postfix/html/mysql_table.5.html
+++ b/postfix/html/mysql_table.5.html
@ -61,15 +61,16 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
              TCP you have to specify
                  hosts = 127.0.0.1
-              NOTE:  if  the  <b>hosts</b>  setting  specifies  only one server, this
+              NOTE:  if  the  <b>hosts</b>  setting specifies one server, this client
-              client assumes that the target  is  a  load  balancer  and  will
+              assumes that the target is a load balancer  and  will  reconnect
-              reconnect  immediately after a single failure. With Postfix ver-
+              immediately  after  a  single  failure,  instead  of failing all
-              sions 3.9 and earlier, specify the same server twice.
+              requests temporarily. With older versions of this client,  spec-
              ify the same server twice.
       <b>user</b>
       <b>password</b>
-              The user name and password to log into the mysql server.   Exam-
+              The  user name and password to log into the mysql server.  Exam-
              ple:
                  user = someone
                  password = some_password
@ -78,15 +79,15 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
                  dbname = customer_database
       <b>charset (default: utf8mb4)</b>
-              The  default  MySQL  client character set; this also implies the
+              The default MySQL client character set; this  also  implies  the
              collation order.
-              This parameter is available with Postfix 3.9  and  later.   With
+              This  parameter  is  available with Postfix 3.9 and later.  With
-              earlier  Postfix  versions,  the default was chosen by the MySQL
+              earlier Postfix versions, the default was chosen  by  the  MySQL
              implementation (<b>utf8mb4</b> as of MySQL 8.0, <b>latin1</b> historically).
       <b>idle_interval (default: 60)</b>
-              The number of seconds after which an  idle  database  connection
+              The  number  of  seconds after which an idle database connection
              will be closed.
              This feature is available in Postfix 3.9 and later.
@ -95,10 +96,11 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
              The number of seconds that a database connection will be skipped
              after an error.
-              NOTE: if the <b>hosts</b>  setting  specifies  only  one  server,  this
+              NOTE:  if  the  <b>hosts</b>  setting specifies one server, this client
-              client  assumes  that  the  target  is  a load balancer and will
+              assumes that the target is a load balancer  and  will  reconnect
-              reconnect immediately after a single failure. With Postfix  ver-
+              immediately  after  a  single  failure,  instead  of failing all
-              sions 3.9 and earlier, specify the same server twice.
+              requests temporarily. With older versions of this client,  spec-
              ify the same server twice.
              This feature is available in Postfix 3.9 and later.
--- a/postfix/html/oqmgr.8.html
+++ b/postfix/html/oqmgr.8.html
@ -348,7 +348,7 @@ OQMGR(8)                                                              OQMGR(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
-              ging delay values.
+              ging sub-second delay values.
       <b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
              Log warnings about problematic configuration settings, and  pro-
--- a/postfix/html/pgsql_table.5.html
+++ b/postfix/html/pgsql_table.5.html
@ -65,15 +65,16 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
              URI, the Postfix PostgreSQL client will ignore the <b>dbname</b>, <b>user</b>,
              and <b>password</b> settings for that connection.
-              NOTE: if the <b>hosts</b>  setting  specifies  only  one  server,  this
+              NOTE: if the <b>hosts</b> setting specifies  one  server,  this  client
-              client  assumes  that  the  target  is  a load balancer and will
+              assumes  that  the  target is a load balancer and will reconnect
-              reconnect immediately after a single failure. With Postfix  ver-
+              immediately after a  single  failure,  instead  of  failing  all
-              sions 3.9 and earlier, specify the same server twice.
+              requests  temporarily. With older versions of this client, spec-
              ify the same server twice.
       <b>user</b>
       <b>password</b>
-              The  user name and password to log into the pgsql server.  Exam-
+              The user name and password to log into the pgsql server.   Exam-
              ple:
                  user = someone
                  password = some_password
@ -84,25 +85,25 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
       <b>dbname</b> The database name on the servers. Example:
                  dbname = customer_database
-              The  <b>dbname</b>  setting  is  ignored for <b>hosts</b> connections that are
+              The <b>dbname</b> setting is ignored for  <b>hosts</b>  connections  that  are
              specified as an URI.
              The <b>dbname</b> setting is required with Postfix 3.10 and later, when
-              <b>hosts</b>  specifies  any  non-URI connection; it is always required
+              <b>hosts</b> specifies any non-URI connection; it  is  always  required
              with earlier Postfix versions.
       <b>encoding</b>
-              The encoding used by the database client.  The  default  setting
+              The  encoding  used  by the database client. The default setting
              is:
                  encoding = UTF8
-              Historically,  the  database client was hard coded to use LATIN1
+              Historically, the database client was hard coded to  use  LATIN1
              in an attempt to disable multibyte character support.
              This feature is available in Postfix 3.8 and later.
       <b>idle_interval (default: 60)</b>
-              The number of seconds after which an  idle  database  connection
+              The  number  of  seconds after which an idle database connection
              will be closed.
              This feature is available in Postfix 3.9 and later.
@ -111,10 +112,11 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
              The number of seconds that a database connection will be skipped
              after an error.
-              NOTE: if the <b>hosts</b>  setting  specifies  only  one  server,  this
+              NOTE:  if  the  <b>hosts</b>  setting specifies one server, this client
-              client  assumes  that  the  target  is  a load balancer and will
+              assumes that the target is a load balancer  and  will  reconnect
-              reconnect immediately after a single failure. With Postfix  ver-
+              immediately  after  a  single  failure,  instead  of failing all
-              sions 3.9 and earlier, specify the same server twice.
+              requests temporarily. With older versions of this client,  spec-
              ify the same server twice.
              This feature is available in Postfix 3.9 and later.
--- a/postfix/html/postconf.1.html
+++ b/postfix/html/postconf.1.html
@ -226,16 +226,6 @@ POSTCONF(1)                                                        POSTCONF(1)
              <b>dbm</b>    An indexed file type based on hashing.  Available on sys-
                     tems with support for DBM databases.
              <b>debug</b>  An  adapter for another table that causes all accesses to
                     be logged.  The table name syntax is <i>type</i><b>:</b><i>name</i>.   Example
                     usage:  <b>debug:<a href="DATABASE_README.html#types">hash</a>:/etc/postfix/example</b>.   The formats of
                     the log messages are unspecified and subject  to  change.
                     Warning: If a query or the underlying table contains sen-
                     sitive information (such as a password), that information
                     might be logged.
                     This feature is available with Postfix 3.11 and later.
              <b>environ</b>
                     The UNIX process environment array. The lookup key is the
                     environment variable name; the  table  name  is  ignored.
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -20,7 +20,7 @@ if (hash && isChrome) {
    setTimeout(function() {
        window.location.hash = "";
        window.location.hash = hash;
-    }, 1500);
+    }, 1000);
 }
 </script>
@ -3349,7 +3349,7 @@ with older Postfix versions).  </p>
 when converting UTF-8 domain names to/from the ASCII form that is
 used for DNS lookups. Specify "yes" for compatibility with Postfix
 &le; 3.1 (not recommended). This affects the conversion of domain
-names that contain for example the German sz and the Greek sigma.
+names that contain for example the German sz and the Greek zeta.
 See <a href="https://unicode.org/cldr/utility/idna.jsp">https://unicode.org/cldr/utility/idna.jsp</a> for more examples.
 </p>
@ -4236,20 +4236,15 @@ environment.  Examples of relevant environment variables: </p>
 <dd>Needed to make "<b>postfix -c</b>" work. </dd>
 <dt><b>POSTLOG_HOSTNAME</b></dt>
 <dd>Needed to make "<b><a href="postconf.5.html#maillog_file">maillog_file</a></b>" work during daemon
 process initialization. </dd>
 <dt><b>POSTLOG_SERVICE</b></dt>
 <dd>Needed to make "<b><a href="postconf.5.html#maillog_file">maillog_file</a></b>" work during daemon
 process initialization. </dd>
-<dt><b>XDG_RUNTIME_DIR</b></dt>
+<dt><b>POSTLOG_HOSTNAME</b></dt>
-<dd>Needed for debugging Postfix daemons with an XDG-style debugger.
+<dd>Needed to make "<b><a href="postconf.5.html#maillog_file">maillog_file</a></b>" work during daemon
-</dd>
+process initialization. </dd>
 </dl>
@ -8883,10 +8878,6 @@ clients,
 and <a href="postscreen.8.html">postscreen(8)</a> will update an SMTP client's DNSBL score with
 each non-error reply as described below. </p>
 <p> NOTE: Always respect the usage policies of reputation services.
 Avoid public or ISP resolvers, unless the queries use your unique
 API key. </p>
 <p> Caution: when postscreen rejects mail, its SMTP response contains
 the DNSBL
 domain name. Use the <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> feature to hide
@ -10527,30 +10518,6 @@ Examples:
 </pre>
 </DD>
 <DT><b><a name="relocated_prefix_enable">relocated_prefix_enable</a>
 (default: yes)</b></DT><DD>
 <p> Prepend the prefix "<b>5.1.6 User has moved to </b>" to all
 <a href="postconf.5.html#relocated_maps">relocated_maps</a> lookup results. With "<a href="postconf.5.html#relocated_prefix_enable">relocated_prefix_enable</a> =
 no", all lookup results must contain a valid <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> compliant
 enhanced status code and text (format: "[45].number.number text...").
 <p>
 Example:
 </p>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#relocated_maps">relocated_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/relocated
    <a href="postconf.5.html#relocated_prefix_enable">relocated_prefix_enable</a> = no
 <br>
 <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/relocated:
    user@example.com 5.2.1 User account is disabled
 </pre>
 </DD>
 <DT><b><a name="remote_header_rewrite_domain">remote_header_rewrite_domain</a>
@ -12502,12 +12469,6 @@ line. </p>
 <pre>
 /etc/postfix/reply_filter:
    # Some Microsoft servers violate <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a> section 4, causing Postfix
    # to complain with "non-empty initial GSSAPI challenge from server"
    /^334\s+GSSAPI\s+supported/ 334
 </pre>
 <pre>
    # Transform garbage into "250-filler..." so that it looks like
    # one line from a multi-line reply. It does not matter what we
    # substitute here as long it has the right syntax.  The Postfix
@ -14464,16 +14425,14 @@ example.net     secure match=example.com:.example.com
 </DD>
 <DT><b><a name="smtp_tls_security_level">smtp_tls_security_level</a>
-(default: Postfix &ge; 3.11: may; Postfix &lt; 3.11: empty)</b></DT><DD>
+(default: empty)</b></DT><DD>
 <p> The default SMTP TLS security level for the Postfix SMTP client.
 When a non-empty value is specified, this overrides the obsolete
 parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>;
-when no value is specified for those obsolete parameters, the default
+when no value is specified for <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> or the obsolete
-SMTP TLS security level is <a href="TLS_README.html#client_tls_may">may</a>
+parameters, the default SMTP TLS security level is
-(<a href="postconf.5.html#compatibility_level">compatibility_level</a> &ge; 3.11) or <a
+<a href="TLS_README.html#client_tls_none">none</a>. </p>
 href="TLS_README.html#client_tls_none">none</a>
 (<a href="postconf.5.html#compatibility_level">compatibility_level</a> &lt; 3.11). </p>
 <p> Specify one of the following security levels: </p>
@ -14907,11 +14866,13 @@ requirements for MTA-STS <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls
 </DD>
 <DT><b><a name="smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>
-(default: Postfix &ge; 3.11: no, Postfix 3.10: yes)</b></DT><DD>
+(default: yes)</b></DT><DD>
-<p> When set to "yes", report the TLSRPT status only for "new" TLS
+<p> Do not report the TLSRPT status for TLS protocol handshakes
-sessions. When set to "no", also report the TLSRPT status for TLS
+that reuse a previously-negotiated TLS session (there is no new
-protocol handshakes that reuse a previously-negotiated TLS session.
+information to report). Report the TLSRPT status only for "new" TLS
 sessions. Set this to "no" to log the TLSRPT status of all TLS
 handshakes, for example to troubleshoot Postfix TLSRPT support.
 </p>
 <p> Note: if an SMTP over TLS connection is reused, there is no
@ -15592,12 +15553,7 @@ The <a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> para
 rejected requests (default:  554), the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a>  parameter
 specifies the default server reply, and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a>  parameter
 specifies tables with server replies indexed by <i>rbl_domain</i>.
-<br>
+This feature is available in Postfix 2.0 and later.  </dd>
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking the key in SMTP server
 responses). <br>
 This feature is available in Postfix 2.0 and later. </dd>
 <dt><b><a name="permit_dnswl_client">permit_dnswl_client <i>dnswl_domain=d.d.d.d</i></a></b></dt>
@ -15609,12 +15565,8 @@ If no "<i>=d.d.d.d</i>" is specified, accept the request when the
 reversed client network address is listed with any A record under
 <i>dnswl_domain</i>. <br> For safety, <a href="postconf.5.html#permit_dnswl_client">permit_dnswl_client</a> is silently
 ignored when it would override <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>.  The
-result is DEFER_IF_REJECT when allowlist lookup fails. <br>
+result is DEFER_IF_REJECT when allowlist lookup fails.  This feature
-NOTE: Always respect the usage policies of reputation services. Avoid
+is available in Postfix 2.8 and later.  </dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
 server responses). <br>
 This feature is available in Postfix 2.8 and later. </dd>
 <dt><b><a name="reject_rhsbl_client">reject_rhsbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
@ -15627,14 +15579,9 @@ number..number ranges (Postfix version 2.8 and later).  If no
 hostname is listed with
 any A record under <i>rbl_domain</i>. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>
 description above for additional RBL related configuration parameters.
 <br>
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
 server responses). <br>
 This feature is available in Postfix 2.0 and later; with Postfix
 version 2.8 and later, <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a> will usually
-produce better results. </dd>
+produce better results.  </dd>
 <dt><b><a name="permit_rhswl_client">permit_rhswl_client <i>rhswl_domain=d.d.d.d</i></a></b></dt>
@ -15650,12 +15597,8 @@ allowlisting should be used only to reduce false positives in e.g.
 DNS-based blocklists, and not for making access rule exceptions.
 <br> For safety, <a href="postconf.5.html#permit_rhswl_client">permit_rhswl_client</a> is silently ignored when it
 would override <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>.  The result is DEFER_IF_REJECT
-when allowlist lookup fails. <br>
+when allowlist lookup fails.  This feature is available in Postfix
-NOTE: Always respect the usage policies of reputation services. Avoid
+2.8 and later.  </dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
 server responses). <br>
 This feature is available in Postfix 2.8 and later.</dd>
 <dt><b><a name="reject_rhsbl_reverse_client">reject_rhsbl_reverse_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
@ -15666,12 +15609,8 @@ one or more ";"-separated numbers or number..number ranges.
 If no "<i>=d.d.d.d</i>" is specified, reject the request when the
 unverified reverse client hostname is listed with any A record under
 <i>rbl_domain</i>. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> description above for
-additional RBL related configuration parameters. <br>
+additional RBL related configuration parameters.  This feature is
-NOTE: Always respect the usage policies of reputation services. Avoid
+available in Postfix 2.8 and later.  </dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
 server responses). <br>
 This feature is available in Postfix 2.8 and later. </dd>
 <dt><b><a name="reject_unknown_client_hostname">reject_unknown_client_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_client)</dt>
@ -16573,12 +16512,8 @@ listed with any A record under <i>rbl_domain</i>. See the
 parameters.  Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully
 enforce this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a
 client can simply skip <a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> by not sending HELO or
-EHLO). <br>
+EHLO). This feature is available in Postfix 2.0
-NOTE: Always respect the usage policies of reputation services. Avoid
+and later.  </dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
 server responses). <br>
 This feature is available in Postfix 2.0 and later. </dd>
 <dt><b><a name="reject_unknown_helo_hostname">reject_unknown_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_hostname)</dt>
@ -16637,7 +16572,7 @@ SMTP server's Received: message header. </p>
 <li> <p> The default setting, "<a href="postconf.5.html#smtpd_hide_client_session">smtpd_hide_client_session</a> = no",
 must be used for the port 25 MTA service. It provides information
-that is required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> section 4.4. </p>
+that is required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. </p>
 <li> <p> The setting "<a href="postconf.5.html#smtpd_hide_client_session">smtpd_hide_client_session</a> = yes" may be used
 for the port 587 and 465 MUA services. This hides the SMTP client
@ -16660,9 +16595,8 @@ Received: by mail.example.com (Postfix) id postfix-queue-id
 </blockquote>
 <p> The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the FROM clause according
+and therefore it does not need to provide the information required by
-to <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> section 4.4. The redacted form still meets <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a>
+<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. The form does still meet <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> requirements. </p>
 requirements. </p>
 <p> This feature is available in Postfix &ge; 3.10. </p>
@ -17297,12 +17231,8 @@ any A record under <i>rbl_domain</i>. <br> The <a href="postconf.5.html#maps_rbl
 parameter specifies the response code for rejected requests (default:
 554); the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> parameter specifies the default server
 reply; and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> parameter specifies tables with server
-replies indexed by <i>rbl_domain</i>. <br>
+replies indexed by <i>rbl_domain</i>.  This feature is available
-NOTE: Always respect the usage policies of reputation services. Avoid
+in Postfix version 2.0 and later.</dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
 server responses). <br>
 This feature is available in Postfix version 2.0 and later.</dd>
 <dt><b><a name="reject_unauth_destination">reject_unauth_destination</a></b></dt>
@ -17394,58 +17324,6 @@ Example:
 </pre>
 </DD>
 <DT><b><a name="smtpd_reject_filter_maps">smtpd_reject_filter_maps</a>
 (default: empty)</b></DT><DD>
 <p> An optional filter that can replace a reject response from the
 Postfix SMTP server itself, or from a program that replies through
 the Postfix SMTP server. The filter is applied before the optional
 reject footers are appended. Typically, the filter will be a <a href="regexp_table.5.html">regexp</a>:
 or <a href="pcre_table.5.html">pcre</a>: table, where the left-hand side specifies a pattern, and
 the right-hand side specifies replacement text. </p>
 <p> The input is a server response that starts with a 4XX or 5XX
 reply code (see <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>), usually followed by an enhanced status
 code (see <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>) and text. The filter returns replacement text
 or indicates that there was no match. This feature cannot be used
 to change a reject reply into a non-reject one or vice versa. </p>
 <p> LIMITATION: <a href="postconf.5.html#smtpd_reject_filter_maps">smtpd_reject_filter_maps</a> will not replace text that
 was already logged before the Postfix SMTP server replies to the
 remote SMTP client. To help with logfile analysis, the Postfix SMTP
 server logs both the unmodified reply (logged below as "reject
 filter in") and the replacement reply (logged below as "reject
 filter out").
 <p> Example: </p>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#smtpd_reject_filter_maps">smtpd_reject_filter_maps</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/smtpd_reject_filter
 </pre>
 <pre>
 /etc/postfix/smtpd_reject_filter:
    # Replace soft reject with hard reject.
    /^451 4(\.6\.0 Alias expansion error)/ 550 5${1}
 </pre>
 <pre>
    # Silly rule for demo purposes.
    /^(4.+[^.])\.*$/ $1. See you later.
 </pre>
 <pre>
 /var/log/maillog:
    NOQUEUE: reject filter in: 451 4.6.0 Alias expansion error
    NOQUEUE: reject filter out: 550 5.6.0 Alias expansion error
 </pre>
 <p> This feature is available in Postfix &ge; 3.11. </p>
 </DD>
 <DT><b><a name="smtpd_reject_footer">smtpd_reject_footer</a>
@ -18204,11 +18082,6 @@ listed with any A record under <i>rbl_domain</i>. <br> The
 rejected requests (default:  554); the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> parameter
 specifies the default server reply; and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> parameter
 specifies tables with server replies indexed by <i>rbl_domain</i>.
 <br>
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
 server responses). <br>
 This feature is available in Postfix 2.0 and later.</dd>
 <dt><b><a name="reject_sender_login_mismatch">reject_sender_login_mismatch</a></b></dt>
@ -20846,8 +20719,7 @@ gives timeout errors.  </p>
 <p> Enable support for the "TLS-Required: no" message header, defined
 in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. By adding this header to a message, a sender requests
-no enforcement of TLS policy. This disables TLS policy lookup, and
+no enforcement of TLS policy. This limits the Postfix SMTP client
 limits the Postfix SMTP client
 TLS security level to "may", that is, do not verify remote SMTP
 server certificates, and fall back to plaintext if TLS is unavailable.
 If a message contains a "TLS-Required: no" header, then Postfix
--- a/postfix/html/postfix-tls.1.html
+++ b/postfix/html/postfix-tls.1.html
@ -182,7 +182,7 @@ POSTFIX-TLS(1)                                                  POSTFIX-TLS(1)
       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP client logging of TLS activity.
-       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (Postfix</b> &gt;<b>= 3.11: may; Postfix</b> &lt; <b>3.11: empty)</b>
+       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
              The default SMTP TLS security level for the Postfix SMTP client.
       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
--- a/postfix/html/postmap.1.html
+++ b/postfix/html/postmap.1.html
@ -120,7 +120,7 @@ POSTMAP(1)                                                          POSTMAP(1)
              also generates header-style  lookup  keys  for  attachment  MIME
              headers and for attached message/* headers.
-              NOTE:  with  "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>  = yes", the <b>-h</b> option option dis-
+              NOTE:  with  "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>  = yes", the <b>-b</b> option option dis-
              ables UTF-8 syntax checks on  query  keys  and  lookup  results.
              Specify the <b>-U</b> option to force UTF-8 syntax checks anyway.
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@ -222,7 +222,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
              text..." response, in an attempt to confuse bad SMTP clients  so
              that they speak before their turn (pre-greet).
-       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, <a href="STRESS_README.html">overload</a>: 2s)</b>
+       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, overload: 2s)</b>
              The  amount  of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
              client to send a command before its turn, and for DNS  blocklist
              lookup results to arrive (default: up to 2 seconds under stress,
@ -359,7 +359,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
              The  limit  on the total number of commands per SMTP session for
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
-       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, <a href="STRESS_README.html">overload</a>: 10s)</b>
+       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, overload: 10s)</b>
              The  time  limit  to  read   an   entire   command   line   with
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
@ -405,7 +405,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The maximal number of digits after the decimal point  when  log-
-              ging delay values.
+              ging sub-second delay values.
       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
              The location of all postfix administrative commands.
@ -468,8 +468,5 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
       111 8th Avenue
       New York, NY 10011, USA
       Wietse Venema
       porcupine.org
                                                                 POSTSCREEN(8)
 </pre> </body> </html>
--- a/postfix/html/proxymap.8.html
+++ b/postfix/html/proxymap.8.html
@ -45,60 +45,51 @@ PROXYMAP(8)                                                        PROXYMAP(8)
       The <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server implements the following requests:
-       <b>open</b> <i>maptype:mapname instance-flags</i>
+       <b>open</b> <i>maptype:mapname flags</i>
-              Open the table with type <i>maptype</i> and name <i>mapname</i>, with  initial
+              Open the table with type <i>maptype</i> and name <i>mapname</i>, as controlled
-              dictionary  flags  <i>instance-flags</i>. The reply contains the actual
+              by  <i>flags</i>.  The  reply  includes the <i>maptype</i> dependent flags (to
-              dictionary flags (for example, to distinguish a fixed-string ta-
+              distinguish a fixed string table from a regular  expression  ta-
-              ble from a regular-expression table).
+              ble).
-       <b>lookup</b> <i>maptype:mapname instance-flags request-flags key</i>
+       <b>lookup</b> <i>maptype:mapname flags key</i>
-              Look  up  the data stored under the requested key using the dic-
+              Look  up  the data stored under the requested key.  The reply is
-              tionary flags in <i>request-flags</i>.  The reply contains the  request
+              the request completion status code and the lookup result  value.
-              completion  status code, the resulting dictionary flags, and the
+              The  <i>maptype:mapname</i>  and  <i>flags</i>  are  the same as with the <b>open</b>
              lookup result value.  The <i>maptype:mapname</i> and <i>instance-flags</i> are
              the same as with the <b>open</b> request.
       <b>update</b> <i>maptype:mapname instance-flags request-flags key value</i>
              Update the data stored under the requested key using the dictio-
              nary flags in <i>request-flags</i>.  The  reply  contains  the  request
              completion  status code and the resulting dictionary flags.  The
              <i>maptype:mapname</i> and <i>instance-flags</i> are the same as with the <b>open</b>
              request.
-              To  implement  single-updater maps, specify a process limit of 1
+       <b>update</b> <i>maptype:mapname flags key value</i>
              Update the data stored under the requested key.   The  reply  is
              the  request  completion  status  code.  The <i>maptype:mapname</i> and
              <i>flags</i> are the same as with the <b>open</b> request.
              To implement single-updater maps, specify a process limit  of  1
              in the <a href="master.5.html">master.cf</a> file entry for the <b>proxywrite</b> service.
              This request is supported in Postfix 2.5 and later.
-       <b>delete</b> <i>maptype:mapname instance-flags request-flags key</i>
+       <b>delete</b> <i>maptype:mapname flags key</i>
-              Delete the data stored under the requested key, using  the  dic-
+              Delete  the  data  stored under the requested key.  The reply is
-              tionary  flags in <i>request-flags</i>.  The reply contains the request
+              the request completion status  code.   The  <i>maptype:mapname</i>  and
-              completion status code and the resulting dictionary flags.   The
+              <i>flags</i> are the same as with the <b>open</b> request.
              <i>maptype:mapname</i> and <i>instance-flags</i> are the same as with the <b>open</b>
              request.
              This request is supported in Postfix 2.5 and later.
-       <b>sequence</b> <i>maptype:mapname instance-flags request-flags function</i>
+       <b>sequence</b> <i>maptype:mapname flags function</i>
-              Iterate over the specified database, using the dictionary  flags
+              Iterate  over  the  specified  database.  The <i>function</i> is one of
-              in  <i>request-flags</i>.  The <i>function</i> is either DICT_SEQ_FUN_FIRST or
+              DICT_SEQ_FUN_FIRST  or  DICT_SEQ_FUN_NEXT.   The  reply  is  the
-              DICT_SEQ_FUN_NEXT.  The reply contains  the  request  completion
+              request  completion  status  code  and  a  lookup key and result
-              status  code,  the  resulting dictionary flags, and a lookup key
+              value, if found.
              and  result   value   if   found.    The   <i>maptype:mapname</i>   and
              <i>instance-flags</i> are the same as with the <b>open</b> request.
              This request is supported in Postfix 2.9 and later.
       Not implemented: close
              There is no <b>close</b> request, nor are tables implicitly closed when
              a client disconnects. The purpose is to share tables among  mul-
              tiple  client  processes.  Due  to the absence of an explicit or
              implicit <b>close</b>, updates are forced to be synchronous.
       The request completion status is one of OK, RETRY, NOKEY (lookup failed
       because  the  key  was not found), BAD (malformed request) or DENY (the
       table is not approved for proxy read or update access).
       There is no <b>close</b> command, nor are  tables  implicitly  closed  when  a
       client  disconnects.  The  purpose  is  to  share tables among multiple
       client processes.
 <b><a name="server_process_management">SERVER PROCESS MANAGEMENT</a></b>
       <a href="proxymap.8.html"><b>proxymap</b>(8)</a> servers run under control by the Postfix <a href="master.8.html"><b>master</b>(8)</a>  server.
       Each  server  can  handle  multiple simultaneous connections.  When all
@ -228,8 +219,5 @@ PROXYMAP(8)                                                        PROXYMAP(8)
       111 8th Avenue
       New York, NY 10011, USA
       Wietse Venema
       porcupine.org
                                                                   PROXYMAP(8)
 </pre> </body> </html>
--- a/postfix/html/qmgr.8.html
+++ b/postfix/html/qmgr.8.html
@ -426,7 +426,7 @@ QMGR(8)                                                                QMGR(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
-              ging delay values.
+              ging sub-second delay values.
       <b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
              Log warnings about problematic configuration settings, and  pro-
--- a/postfix/html/relocated.5.html
+++ b/postfix/html/relocated.5.html
@ -5,7 +5,7 @@
 <link rel='stylesheet' type='text/css' href='postfix-doc.css'>
 <title> Postfix manual - relocated(5) </title>
 </head> <body> <pre>
-<i>RELOCATED</i>(5)                  File Formats Manual                 <i>RELOCATED</i>(5)
+RELOCATED(5)                                                      RELOCATED(5)
 <b><a name="name">NAME</a></b>
       relocated - Postfix relocated table format
@ -19,44 +19,36 @@
       Normally, the <a href="relocated.5.html"><b>relocated</b>(5)</a> table is  specified  as  a  text  file  that
       serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command.  The result, an indexed file
-       in <b>dbm</b> or <b>db</b> format, is used for fast searching by the mail system. Ex-
+       in <b>dbm</b> or <b>db</b> format, is used for fast searching  by  the  mail  system.
-       ecute  the  command  "<b>postmap /etc/postfix/relocated</b>" to rebuild an in-
+       Execute  the  command  "<b>postmap  /etc/postfix/relocated</b>"  to rebuild an
-       dexed file after changing the corresponding relocated table.
+       indexed file after changing the corresponding relocated table.
       When the table is provided via other means such as NIS,  LDAP  or  SQL,
       the same lookups are done as for ordinary indexed files.
       Alternatively,  the  table  can be provided as a regular-expression map
-       where patterns are given as regular expressions, or lookups can be  di-
+       where patterns are given as regular  expressions,  or  lookups  can  be
-       rected  to a TCP-based server. In those case, the lookups are done in a
+       directed  to a TCP-based server. In those case, the lookups are done in
-       slightly different way as described below under "REGULAR EXPRESSION TA-
+       a slightly different way as described below under  "REGULAR  EXPRESSION
-       BLES" or "TCP-BASED TABLES".
+       TABLES" or "TCP-BASED TABLES".
       Table lookups are case insensitive.
 <b><a name="case_folding">CASE FOLDING</a></b>
-       The search string is folded to lowercase before database lookup. As  of
+       The  search string is folded to lowercase before database lookup. As of
-       Postfix  2.3,  the search string is not case folded with database types
+       Postfix 2.3, the search string is not case folded with  database  types
-       such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose lookup fields can match both  upper  and
+       such  as  <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose lookup fields can match both upper and
       lower case.
 <b><a name="table_format">TABLE FORMAT</a></b>
-       <b>o</b>      By default, Postfix will prepend a hard-coded prefix "5.1.6 User
+       The input format for the <a href="postmap.1.html"><b>postmap</b>(1)</a> command is as follows:
-              has  moved  to  " to a table lookup result, and the format for a
+
-              table entry is as follows:
+       <b>o</b>      An entry has one of the following form:
                   <i>pattern      new</i><b>_</b><i>location</i>
              Where <i>new</i><b>_</b><i>location</i> specifies  contact  information  such  as  an
-              email address, or perhaps a street address or telephone number.
+              email  address, or perhaps a street address or telephone number.
       <b>o</b>      Postfix  3.11  and  later  can optionally disable the hard-coded
              prefix. Specify "<a href="postconf.5.html#relocated_prefix_enable">relocated_prefix_enable</a> = no" in  <a href="postconf.5.html">main.cf</a>,  and
              specify  <a href="postconf.5.html#relocated_maps">relocated_maps</a> entries with your own <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>-compliant
              enhanced status code and text, for example:
                   <i>pattern</i>      5.2.0 Mailbox is unavailable
                   <i>pattern</i>      5.2.1 Mailbox is disabled
       <b>o</b>      Empty lines and whitespace-only lines are ignored, as are  lines
              whose first non-whitespace character is a `#'.
@ -74,11 +66,11 @@
              forms.
       <i>user</i>   Matches <i>user</i>@<i>site</i> when <i>site</i> is $<b><a href="postconf.5.html#myorigin">myorigin</a></b>, when <i>site</i> is listed in
-              $<b><a href="postconf.5.html#mydestination">mydestination</a></b>,  or  when  <i>site</i> is listed in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or
+              $<b><a href="postconf.5.html#mydestination">mydestination</a></b>, or when <i>site</i> is listed  in  $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>  or
              $<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>.
       @<i>domain</i>
-              Matches other addresses in <i>domain</i>.  This  form  has  the  lowest
+              Matches  other  addresses  in  <i>domain</i>.  This form has the lowest
              precedence.
 <b><a name="address_extension">ADDRESS EXTENSION</a></b>
@ -94,26 +86,26 @@
       of the TCP client/server table lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.  This
       feature is available in Postfix 2.5 and later.
-       Each pattern is a regular expression that is applied to the entire  ad-
+       Each  pattern  is  a  regular  expression that is applied to the entire
-       dress  being looked up. Thus, <i>user@domain</i> mail addresses are not broken
+       address being looked up. Thus, <i>user@domain</i> mail addresses are not  bro-
-       up into their <i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i>  bro-
+       ken  up  into their <i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i>
-       ken up into <i>user</i> and <i>foo</i>.
+       broken up into <i>user</i> and <i>foo</i>.
-       Patterns  are  applied  in the order as specified in the table, until a
+       Patterns are applied in the order as specified in the  table,  until  a
       pattern is found that matches the search string.
-       Results are the same as with indexed file lookups, with the  additional
+       Results  are the same as with indexed file lookups, with the additional
-       feature  that parenthesized substrings from the pattern can be interpo-
+       feature that parenthesized substrings from the pattern can be  interpo-
       lated as <b>$1</b>, <b>$2</b> and so on.
 <b><a name="tcp-based_tables">TCP-BASED TABLES</a></b>
-       This section describes how the table lookups change  when  lookups  are
+       This  section  describes  how the table lookups change when lookups are
-       directed   to  a  TCP-based  server.  For  a  description  of  the  TCP
+       directed  to  a  TCP-based  server.  For  a  description  of  the   TCP
-       client/server lookup  protocol,  see  <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.   This  feature  is
+       client/server  lookup  protocol,  see  <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.   This  feature is
       available in Postfix 2.5 and later.
-       Each  lookup operation uses the entire address once.  Thus, <i>user@domain</i>
+       Each lookup operation uses the entire address once.  Thus,  <i>user@domain</i>
-       mail addresses are not broken up  into  their  <i>user</i>  and  <i>@domain</i>  con-
+       mail  addresses  are  not  broken  up  into their <i>user</i> and <i>@domain</i> con-
       stituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
       Results are the same as with indexed file lookups.
@ -122,38 +114,32 @@
       The table format does not understand quoting conventions.
 <b><a name="configuration_parameters">CONFIGURATION PARAMETERS</a></b>
-       The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant.  The text be-
+       The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are  especially  relevant.   The  text
-       low provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details
+       below  provides  only  a  parameter  summary.  See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more
-       including examples.
+       details including examples.
       <b><a href="postconf.5.html#relocated_maps">relocated_maps</a> (empty)</b>
              Optional lookup tables with new contact information for users or
              domains that no longer exist.
       Available with Postfix version 3.11 and later:
       <b><a href="postconf.5.html#relocated_prefix_enable">relocated_prefix_enable</a> (yes)</b>
              Prepend  the  prefix  "<b>5.1.6  User  has  moved to</b> " to all relo-
              cated_maps lookup results.
       Other parameters of interest:
       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The local network interface addresses that this mail system  re-
+              The  local  network  interface  addresses  that this mail system
-              ceives mail on.
+              receives mail on.
       <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b>
-              The  list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a>
+              The list of domains that are delivered via the  $<a href="postconf.5.html#local_transport">local_transport</a>
              mail delivery transport.
       <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The domain name that locally-posted mail appears to  come  from,
+              The  domain  name that locally-posted mail appears to come from,
              and that locally posted mail is delivered to.
       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The remote network interface addresses that this mail system re-
+              The remote network interface addresses  that  this  mail  system
-              ceives  mail on by way of a proxy or network address translation
+              receives  mail  on by way of a proxy or network address transla-
-              unit.
+              tion unit.
 <b><a name="see_also">SEE ALSO</a></b>
       <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, address resolver
@ -178,5 +164,5 @@
       111 8th Avenue
       New York, NY 10011, USA
-                                                                  <i>RELOCATED</i>(5)
+                                                                  RELOCATED(5)
 </pre> </body> </html>
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@ -511,7 +511,7 @@ SMTP(8)                                                                SMTP(8)
       Detailed  information  about STARTTLS configuration may be found in the
       <a href="TLS_README.html">TLS_README</a> document.
-       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (Postfix</b> &gt;<b>= 3.11: may; Postfix</b> &lt; <b>3.11: empty)</b>
+       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
              The default SMTP TLS security level for the Postfix SMTP client.
       <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
@ -757,50 +757,50 @@ SMTP(8)                                                                SMTP(8)
              The pathname of a UNIX-domain datagram socket that is managed by
              a local TLSRPT reporting service.
-       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (Postfix</b> &gt;<b>= 3.11: no, Postfix  3.10:</b>
+       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
-       <b>yes)</b>
+              Do not report the TLSRPT status for TLS protocol handshakes that
-              When set to "yes", report the TLSRPT status only for  "new"  TLS
+              reuse  a  previously-negotiated  TLS  session  (there  is no new
-              sessions.
+              information to report).
       <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
              Enable  support  for  the  "TLS-Required:  no"  message  header,
              defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
 <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
-       The following configuration parameters  exist  for  compatibility  with
+       The  following  configuration  parameters  exist for compatibility with
-       Postfix  versions  before  2.3.  Support for these will be removed in a
+       Postfix versions before 2.3. Support for these will  be  removed  in  a
       future release.
       <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
-              Opportunistic mode: use TLS when a remote SMTP server  announces
+              Opportunistic  mode: use TLS when a remote SMTP server announces
              STARTTLS support, otherwise send the mail in the clear.
       <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
-              Enforcement  mode:  require  that  remote  SMTP  servers use TLS
+              Enforcement mode: require  that  remote  SMTP  servers  use  TLS
              encryption, and never send mail in the clear.
       <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              With mandatory TLS encryption,  require  that  the  remote  SMTP
+              With  mandatory  TLS  encryption,  require  that the remote SMTP
-              server  hostname  matches  the  information  in  the remote SMTP
+              server hostname matches  the  information  in  the  remote  SMTP
              server certificate.
       <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
-              Optional lookup tables with the Postfix SMTP  client  TLS  usage
+              Optional  lookup  tables  with the Postfix SMTP client TLS usage
-              policy  by  next-hop destination and by remote SMTP server host-
+              policy by next-hop destination and by remote SMTP  server  host-
              name.
       <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
-              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP  client  TLS
+              Obsolete  Postfix  &lt; 2.3 control for the Postfix SMTP client TLS
              cipher list.
 <b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
       <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The  Postfix SMTP client time limit for completing a TCP connec-
+              The Postfix SMTP client time limit for completing a TCP  connec-
              tion, or zero (use the operating system built-in time limit).
       <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The Postfix SMTP client time limit for sending the HELO or  EHLO
+              The  Postfix SMTP client time limit for sending the HELO or EHLO
-              command,  and  for  receiving  the  initial  remote  SMTP server
+              command, and  for  receiving  the  initial  remote  SMTP  server
              response.
       <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -812,19 +812,19 @@ SMTP(8)                                                                SMTP(8)
              mand, and for receiving the remote SMTP server response.
       <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The Postfix SMTP client time limit for  sending  the  MAIL  FROM
+              The  Postfix  SMTP  client  time limit for sending the MAIL FROM
              command, and for receiving the remote SMTP server response.
       <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The  Postfix SMTP client time limit for sending the SMTP RCPT TO
+              The Postfix SMTP client time limit for sending the SMTP RCPT  TO
              command, and for receiving the remote SMTP server response.
       <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The Postfix SMTP client time limit for  sending  the  SMTP  DATA
+              The  Postfix  SMTP  client  time limit for sending the SMTP DATA
              command, and for receiving the remote SMTP server response.
       <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The  Postfix SMTP client time limit for sending the SMTP message
+              The Postfix SMTP client time limit for sending the SMTP  message
              content.
       <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -838,13 +838,13 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 2.1 and later:
       <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
-              The maximal number of MX (mail exchanger) IP addresses that  can
+              The  maximal number of MX (mail exchanger) IP addresses that can
-              result  from Postfix SMTP client mail exchanger lookups, or zero
+              result from Postfix SMTP client mail exchanger lookups, or  zero
              (no limit).
       <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The maximal number of SMTP sessions per delivery request  before
+              The  maximal number of SMTP sessions per delivery request before
-              the  Postfix  SMTP  client  gives  up or delivers to a fall-back
+              the Postfix SMTP client gives up  or  delivers  to  a  fall-back
              <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
       <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -854,17 +854,17 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 2.2 and earlier:
       <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
-              Keep  Postfix  LMTP  client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
+              Keep Postfix LMTP client connections open for  up  to  $<a href="postconf.5.html#max_idle">max_idle</a>
              seconds.
       Available in Postfix version 2.2 and later:
       <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently enable SMTP connection  caching  for  the  specified
+              Permanently  enable  SMTP  connection  caching for the specified
              destinations.
       <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily  enable  SMTP connection caching while a destination
+              Temporarily enable SMTP connection caching while  a  destination
              has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
       <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -878,23 +878,23 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 2.3 and later:
       <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time limit for connection cache connect, send or receive  opera-
+              Time  limit for connection cache connect, send or receive opera-
              tions.
       Available in Postfix version 2.9 - 3.6:
       <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
-              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              Change the behavior of the smtp_*_timeout time  limits,  from  a
-              time limit per read or write system call, to  a  time  limit  to
+              time  limit  per  read  or write system call, to a time limit to
-              send  or  receive  a complete record (an SMTP command line, SMTP
+              send or receive a complete record (an SMTP  command  line,  SMTP
-              response line, SMTP message content line, or TLS  protocol  mes-
+              response  line,  SMTP message content line, or TLS protocol mes-
              sage).
       Available in Postfix version 2.11 and later:
       <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
-              When  SMTP  connection  caching  is enabled, the number of times
+              When SMTP connection caching is enabled,  the  number  of  times
-              that an SMTP session may be reused before it is closed, or  zero
+              that  an SMTP session may be reused before it is closed, or zero
              (no limit).
       Available in Postfix version 3.4 and later:
@ -905,13 +905,13 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix version 3.7 and later:
       <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
-              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              Change the behavior of the smtp_*_timeout time  limits,  from  a
-              time limit per plaintext or TLS read or write call,  to  a  com-
+              time  limit  per  plaintext or TLS read or write call, to a com-
-              bined  time  limit  for  sending a complete SMTP request and for
+              bined time limit for sending a complete  SMTP  request  and  for
              receiving a complete SMTP response.
       <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
-              The minimum plaintext data transfer  rate  in  bytes/second  for
+              The  minimum  plaintext  data  transfer rate in bytes/second for
              DATA    requests,    when    deadlines    are    enabled    with
              <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
@ -919,54 +919,54 @@ SMTP(8)                                                                SMTP(8)
       <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a>   ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
       <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
-              A transport-specific override for  the  <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+              A  transport-specific  override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
              <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
              name of the message delivery transport.
       <b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a>     ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
       <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
              A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
-              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>  parameter  value,  where  <i>transport</i> is the <a href="master.5.html">master.cf</a>
+              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where  <i>transport</i>  is  the  <a href="master.5.html">master.cf</a>
              name of the message delivery transport.
 <b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
       Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
       <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
-              Enable preliminary SMTPUTF8 support for the protocols  described
+              Enable  preliminary SMTPUTF8 support for the protocols described
              in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
       <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
-              Detect  that  a message requires SMTPUTF8 support for the speci-
+              Detect that a message requires SMTPUTF8 support for  the  speci-
              fied mail origin classes.
       Available in Postfix version 3.2 and later:
       <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
-              Enable  'transitional'  compatibility   between   IDNA2003   and
+              Enable   'transitional'   compatibility   between  IDNA2003  and
-              IDNA2008,  when  converting UTF-8 domain names to/from the ASCII
+              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
              form that is used for DNS lookups.
 <b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
       <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The increment in verbose logging level when a  nexthop  destina-
+              The  increment  in verbose logging level when a nexthop destina-
-              tion,  remote client or server name or network address matches a
+              tion, remote client or server name or network address matches  a
              pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
       <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional list of nexthop destination, remote  client  or  server
+              Optional  list  of  nexthop destination, remote client or server
-              name  or  network  address  patterns that, if matched, cause the
+              name or network address patterns that,  if  matched,  cause  the
-              verbose logging level to increase by  the  amount  specified  in
+              verbose  logging  level  to  increase by the amount specified in
              $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
       <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The  recipient  of  postmaster notifications about mail delivery
+              The recipient of postmaster notifications  about  mail  delivery
              problems that are caused by policy, resource, software or proto-
              col errors.
       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What   categories  of  Postfix-generated  mail  are  subject  to
+              What  categories  of  Postfix-generated  mail  are  subject   to
-              before-queue   content    inspection    by    <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+              before-queue    content    inspection    by   <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
              <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@ -974,46 +974,46 @@ SMTP(8)                                                                SMTP(8)
 <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
       <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where  the  Postfix  SMTP  client  should  deliver  mail when it
+              Where the Postfix  SMTP  client  should  deliver  mail  when  it
              detects a "mail loops back to myself" error condition.
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
+              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
              figuration files.
       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much  time  a  Postfix  daemon process may take to handle a
+              How much time a Postfix daemon process  may  take  to  handle  a
              request before it is terminated by a built-in watchdog timer.
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The maximal number of digits after the decimal point  when  log-
+              The  maximal  number of digits after the decimal point when log-
              ging delay values.
       <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
              Disable DNS lookups in the Postfix SMTP and LMTP clients.
       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The  local  network  interface  addresses  that this mail system
+              The local network interface  addresses  that  this  mail  system
              receives mail on.
       <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
-              The Internet protocols Postfix will attempt to use  when  making
+              The  Internet  protocols Postfix will attempt to use when making
              or accepting connections.
       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
-              The  time  limit  for  sending  or receiving information over an
+              The time limit for sending  or  receiving  information  over  an
              internal communication channel.
       <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
-              When a remote LMTP server announces no DSN support, assume  that
+              When  a remote LMTP server announces no DSN support, assume that
-              the  server performs final delivery, and send "delivered" deliv-
+              the server performs final delivery, and send "delivered"  deliv-
              ery status notifications instead of "relayed".
       <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
              The default TCP port that the Postfix LMTP client connects to.
       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The maximum amount of time that an idle Postfix  daemon  process
+              The  maximum  amount of time that an idle Postfix daemon process
              waits for an incoming connection before terminating voluntarily.
       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -1027,21 +1027,21 @@ SMTP(8)                                                                SMTP(8)
              The process name of a Postfix command or daemon process.
       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The  remote  network  interface  addresses that this mail system
+              The remote network interface addresses  that  this  mail  system
-              receives mail on by way of a proxy or network  address  transla-
+              receives  mail  on by way of a proxy or network address transla-
              tion unit.
       <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
              The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
-              client will try first, when a  destination  has  IPv6  and  IPv4
+              client  will  try  first,  when  a destination has IPv6 and IPv4
              addresses with equal MX preference.
       <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An  optional  numerical  network  address  that the Postfix SMTP
+              An optional numerical network  address  that  the  Postfix  SMTP
              client should bind to when making an IPv4 connection.
       <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An optional numerical network  address  that  the  Postfix  SMTP
+              An  optional  numerical  network  address  that the Postfix SMTP
              client should bind to when making an IPv6 connection.
       <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -1061,7 +1061,7 @@ SMTP(8)                                                                SMTP(8)
              The syslog facility of Postfix logging.
       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              A prefix that  is  prepended  to  the  process  name  in  syslog
+              A  prefix  that  is  prepended  to  the  process  name in syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".
       Available with Postfix 2.2 and earlier:
@ -1073,14 +1073,14 @@ SMTP(8)                                                                SMTP(8)
       Available with Postfix 2.3 and later:
       <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional list of relay destinations that will be  used  when  an
+              Optional  list  of  relay destinations that will be used when an
-              SMTP  destination  is not found, or when delivery fails due to a
+              SMTP destination is not found, or when delivery fails due  to  a
              non-permanent error.
       Available with Postfix 3.0 and later:
       <b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
-              In the context of email address verification, the SMTP  protocol
+              In  the context of email address verification, the SMTP protocol
              stage that determines whether an email address is deliverable.
       Available with Postfix 3.1 and later:
@ -1102,7 +1102,7 @@ SMTP(8)                                                                SMTP(8)
       Available in Postfix 3.7 and later:
       <b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
-              Defer delivery when the Postfix SMTP  client  cannot  apply  the
+              Defer  delivery  when  the  Postfix SMTP client cannot apply the
              <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
 <b><a name="see_also">SEE ALSO</a></b>
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@ -1437,13 +1437,6 @@ SMTPD(8)                                                              SMTPD(8)
              Do  not  include  SMTP client session information in the Postfix
              SMTP server's Received: message header.
       Available in Postfix version 3.11 and later:
       <b><a href="postconf.5.html#smtpd_reject_filter_maps">smtpd_reject_filter_maps</a> (empty)</b>
              An optional filter that can replace a reject response  from  the
              Postfix  SMTP  server  itself,  or  from  a program that replies
              through the Postfix SMTP server.
 <b><a name="see_also">SEE ALSO</a></b>
       <a href="anvil.8.html">anvil(8)</a>, connection/rate limiting
       <a href="cleanup.8.html">cleanup(8)</a>, message canonicalization
--- a/postfix/html/virtual.8.html
+++ b/postfix/html/virtual.8.html
@ -233,7 +233,7 @@ VIRTUAL(8)                                                          VIRTUAL(8)
       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
-              ging delay values.
+              ging sub-second delay values.
       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
              The time limit for sending  or  receiving  information  over  an
--- a/postfix/makedefs
+++ b/postfix/makedefs
@ -975,7 +975,7 @@ case "$CC" in
 esac
 # Snapshot only.
-CCARGS="$CCARGS -DSNAPSHOT"
+#CCARGS="$CCARGS -DSNAPSHOT"
 # Non-production: needs thorough testing, or major changes are still
 # needed before the code stabilizes.
--- a/postfix/man/man1/postconf.1
+++ b/postfix/man/man1/postconf.1
@ -258,16 +258,6 @@ This feature is available with Postfix 2.2 and later.
 .IP \fBdbm\fR
 An indexed file type based on hashing.  Available on systems
 with support for DBM databases.
 .IP \fBdebug\fR
 An adapter for another table that causes all accesses to be
 logged.  The table name syntax is \fItype\fB:\fIname\fR.
 Example usage: \fBdebug:hash:/etc/postfix/example\fR.  The
 formats of the log messages are unspecified and subject to
 change.  Warning: If a query or the underlying table contains
 sensitive information (such as a password), that information
 might be logged.
 This feature is available with Postfix 3.11 and later.
 .IP \fBenviron\fR
 The UNIX process environment array. The lookup key is the
 environment variable name; the table name is ignored.  Originally
--- a/postfix/man/man1/postfix-tls.1
+++ b/postfix/man/man1/postfix-tls.1
@ -185,7 +185,7 @@ configuration files.
 The location of the OpenSSL command line program \fBopenssl\fR(1).
 .IP "\fBsmtp_tls_loglevel (0)\fR"
 Enable additional Postfix SMTP client logging of TLS activity.
-.IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
+.IP "\fBsmtp_tls_security_level (empty)\fR"
 The default SMTP TLS security level for the Postfix SMTP client.
 .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
 Name of the file containing the optional Postfix SMTP client
--- a/postfix/man/man1/postmap.1
+++ b/postfix/man/man1/postmap.1
@ -136,7 +136,7 @@ parsing with \fB\-m\fR. With this, the \fB\-h\fR option also
 generates header\-style lookup keys for attachment MIME
 headers and for attached message/* headers.
 .sp
-NOTE: with "smtputf8_enable = yes", the \fB\-h\fR option
+NOTE: with "smtputf8_enable = yes", the \fB\-b\fR option
 option disables UTF\-8 syntax checks on query keys and
 lookup results. Specify the \fB\-U\fR option to force UTF\-8
 syntax checks anyway.
--- a/postfix/man/man1/postmulti.1
+++ b/postfix/man/man1/postmulti.1
@ -95,10 +95,6 @@ command is performed just for the primary instance.
 .PP
 Iterator mode implements the following command options:
 .SH "Instance selection"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-a\fR
 Perform the operation on all instances. This is the default.
 .IP "\fB\-g \fIgroup\fR"
@ -115,18 +111,10 @@ are started before "source" instances.
 .sp
 This option cannot be used with \fB\-p\fR.
 .SH "List mode"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-l\fR
 List Postfix instances with their instance name, instance
 group name, enable/disable status and configuration directory.
-.SH "Postfix-wrapper mode"
+.SH "Postfix\-wrapper mode"
 .na
 .nf
 .ad
 .fi
 .IP "\fB\-p \fIpostfix\-command\fR"
 Invoke \fBpostfix(1)\fR to execute \fIpostfix\-command\fR.
 This option implements the \fBpostfix\-wrapper\fR(5) interface.
@ -158,10 +146,6 @@ invoke \fBpostmulti\fR(1) as follows:
 # postmulti \-g msa \-p start
 .RE
 .SH "Command mode"
 .na
 .nf
 .ad
 .fi
 .IP "\fB\-x \fIunix\-command\fR"
 Execute the specified \fIunix\-command\fR for all Postfix instances.
 The command runs with appropriate environment settings for
@ -170,10 +154,6 @@ config_directory, queue_directory, data_directory,
 multi_instance_name, multi_instance_group and
 multi_instance_enable.
 .SH "Other options"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-v\fR
 Enable verbose logging for debugging purposes. Multiple
 \fB\-v\fR options make the software increasingly verbose.
@ -188,10 +168,6 @@ multi\-instance status of an existing instance.
 .PP
 The following options are implemented:
 .SH "Existing instance selection"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-a\fR
 When creating or importing an instance, place the new
 instance at the front of the secondary instance list.
@ -207,10 +183,6 @@ With other life\-cycle operations, apply the operation to
 the named existing instance.  Specify "\-" to select the
 primary Postfix instance.
 .SH "New or existing instance name assignment"
 .na
 .nf
 .ad
 .fi
 .IP "\fB\-I \fIname\fR"
 Assign the specified instance \fIname\fR to an existing
 instance, newly\-created instance, or imported instance.
@ -222,10 +194,6 @@ likelihood of name collisions with system files.
 Assign the specified \fIgroup\fR name to an existing instance
 or to a newly created or imported instance.
 .SH "Instance creation/deletion/status change"
 .na
 .nf
 .ad
 .fi
 .IP "\fB\-e \fIaction\fR"
 "Edit" managed instances. The following actions are supported:
 .RS
@ -347,10 +315,6 @@ the instance will not be started etc. with "postfix start",
 "postmulti \-p start" and so on. The instance can still be
 started etc. with "postfix \-c config\-directory start".
 .SH "Other options"
 .na
 .nf
 .ad
 .fi
 .IP \fB\-v\fR
 Enable verbose logging for debugging purposes. Multiple
 \fB\-v\fR options make the software increasingly verbose.
--- a/postfix/man/man5/lmdb_table.5
+++ b/postfix/man/man5/lmdb_table.5
@ -72,17 +72,16 @@ postscreen(8) services.
 .fi
 The Postfix LMDB adapter does not use LMDB's built\-in locking
 scheme, because that would require world\-writable lockfiles
-and therefore violate the Postfix security model.  Instead,
+and would violate the Postfix security model.  Instead,
 Postfix uses fcntl(2) locks with whole\-file granularity.
 Programs that use LMDB's built\-in locking protocol will
 corrupt a Postfix LMDB database or will read garbage.
 Every Postfix LMDB database read or write transaction must
 be protected from start to end with a shared or exclusive
-fcntl(2) lock. A process may atomically downgrade an exclusive
+fcntl(2) lock.  A writer may atomically downgrade an exclusive
-lock to a shared lock before opening a database read transaction,
+lock to a shared lock, but it must hold an exclusive lock
-but it must hold an exclusive lock while opening a write
+while opening another write transaction.
 transaction.
 Note that fcntl(2) locks do not protect transactions within
 the same process against each other.  If a program cannot
--- a/postfix/man/man5/memcache_table.5
+++ b/postfix/man/man5/memcache_table.5
@ -112,17 +112,6 @@ time. Smaller values are relative to the time of the update.
 .nf
 .ad
 .fi
 .IP "\fBkey_digest (default: empty)\fB"
 After processing the \fBkey_format\fR setting, and before sending
 a request to the memcache server, run the key through the named
 message digest algorithm and convert the result to lowercase
 hexadecimal characters. This prevents a database access error
 when keys may exceed the memcache server's key length limit
 (usually, 250 bytes). Specify the name of a message digest
 algorithm that is supported by OpenSSL, for example, \fBsha256\fR.
 This feature is available in Postfix 3.11 and later, and requires
 that Postfix is built with TLS support.
 .IP "\fBkey_format (default: %s)\fB"
 Format of the lookup and update keys that the Postfix
 memcache client sends to the memcache server.
@ -218,7 +207,7 @@ tables such as \fBalias_maps\fR (these may contain
 "\fI|command\fR and "\fI/file/name\fR" destinations), or
 \fBvirtual_uid_maps\fR, \fBvirtual_gid_maps\fR and
 \fBvirtual_mailbox_maps\fR (these specify UNIX process
-privileges for "\fI/file/name\fR" destinations).  In a typical
+privileges or "\fI/file/name\fR" destinations).  In a typical
 deployment a memcache database is writable by any process
 that can talk to the memcache server; in contrast,
 security\-sensitive tables must never be writable by the
--- a/postfix/man/man5/mysql_table.5
+++ b/postfix/man/man5/mysql_table.5
@ -77,10 +77,11 @@ localhost over TCP you have to specify
    hosts = 127.0.0.1
 .fi
-NOTE: if the \fBhosts\fR setting specifies only one server,
+NOTE: if the \fBhosts\fR setting specifies one server, this client
-this client assumes that the target is a load balancer and
+assumes that the target is a load balancer and will reconnect
-will reconnect immediately after a single failure. With Postfix
+immediately after a single failure, instead of failing all
-versions 3.9 and earlier, specify the same server twice.
+requests temporarily. With older versions of this client,
 specify the same server twice.
 .IP "\fBuser\fR"
 .IP "\fBpassword\fR"
 The user name and password to log into the mysql server.
@ -111,10 +112,11 @@ This feature is available in Postfix 3.9 and later.
 The number of seconds that a database connection will be
 skipped after an error.
-NOTE: if the \fBhosts\fR setting specifies only one server,
+NOTE: if the \fBhosts\fR setting specifies one server, this client
-this client assumes that the target is a load balancer and
+assumes that the target is a load balancer and will reconnect
-will reconnect immediately after a single failure. With Postfix
+immediately after a single failure, instead of failing all
-versions 3.9 and earlier, specify the same server twice.
+requests temporarily. With older versions of this client,
 specify the same server twice.
 This feature is available in Postfix 3.9 and later.
 .IP "\fBquery\fR"
--- a/postfix/man/man5/pgsql_table.5
+++ b/postfix/man/man5/pgsql_table.5
@ -81,10 +81,11 @@ NOTE: if the \fBhosts\fR setting specifies a PostgreSQL connection
 URI, the Postfix PostgreSQL client will ignore the \fBdbname\fR,
 \fBuser\fR, and \fBpassword\fR settings for that connection.
-NOTE: if the \fBhosts\fR setting specifies only one server,
+NOTE: if the \fBhosts\fR setting specifies one server, this client
-this client assumes that the target is a load balancer and
+assumes that the target is a load balancer and will reconnect
-will reconnect immediately after a single failure. With Postfix
+immediately after a single failure, instead of failing all
-versions 3.9 and earlier, specify the same server twice.
+requests temporarily. With older versions of this client,
 specify the same server twice.
 .IP "\fBuser\fR"
 .IP "\fBpassword\fR"
 The user name and password to log into the pgsql server.
@ -128,10 +129,11 @@ This feature is available in Postfix 3.9 and later.
 The number of seconds that a database connection will be
 skipped after an error.
-NOTE: if the \fBhosts\fR setting specifies only one server,
+NOTE: if the \fBhosts\fR setting specifies one server, this client
-this client assumes that the target is a load balancer and
+assumes that the target is a load balancer and will reconnect
-will reconnect immediately after a single failure. With Postfix
+immediately after a single failure, instead of failing all
-versions 3.9 and earlier, specify the same server twice.
+requests temporarily. With older versions of this client,
 specify the same server twice.
 This feature is available in Postfix 3.9 and later.
 .IP "\fBquery\fR"
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -2079,7 +2079,7 @@ Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
 when converting UTF\-8 domain names to/from the ASCII form that is
 used for DNS lookups. Specify "yes" for compatibility with Postfix
 <= 3.1 (not recommended). This affects the conversion of domain
-names that contain for example the German sz and the Greek sigma.
+names that contain for example the German sz and the Greek zeta.
 See https://unicode.org/cldr/utility/idna.jsp for more examples.
 .PP
 This feature is available in Postfix 3.2 and later.
@ -2633,16 +2633,13 @@ Needed for debugging Postfix daemons with an X\-windows debugger.
 .IP "\fBMAIL_CONFIG\fR"
 Needed to make "\fBpostfix \-c\fR" work.
 .br
 .IP "\fBPOSTLOG_HOSTNAME\fR"
 Needed to make "\fBmaillog_file\fR" work during daemon
 process initialization.
 .br
 .IP "\fBPOSTLOG_SERVICE\fR"
 Needed to make "\fBmaillog_file\fR" work during daemon
 process initialization.
 .br
-.IP "\fBXDG_RUNTIME_DIR\fR"
+.IP "\fBPOSTLOG_HOSTNAME\fR"
-Needed for debugging Postfix daemons with an XDG\-style debugger.
+Needed to make "\fBmaillog_file\fR" work during daemon
 process initialization.
 .br
 .br
 .PP
@ -5508,10 +5505,6 @@ clients,
 and \fBpostscreen\fR(8) will update an SMTP client's DNSBL score with
 each non\-error reply as described below.
 .PP
 NOTE: Always respect the usage policies of reputation services.
 Avoid public or ISP resolvers, unless the queries use your unique
 API key.
 .PP
 Caution: when postscreen rejects mail, its SMTP response contains
 the DNSBL
 domain name. Use the postscreen_dnsbl_reply_map feature to hide
@ -6546,24 +6539,6 @@ relocated_maps = dbm:/etc/postfix/relocated
 relocated_maps = hash:/etc/postfix/relocated
 .fi
 .ad
 .SH relocated_prefix_enable (default: yes)
 Prepend the prefix "\fB5.1.6 User has moved to \fR" to all
 relocated_maps lookup results. With "relocated_prefix_enable =
 no", all lookup results must contain a valid RFC 3463 compliant
 enhanced status code and text (format: "[45].number.number text...").
 .PP
 Example:
 .PP
 .nf
 .na
 /etc/postfix/main.cf:
    relocated_maps = hash:/etc/postfix/relocated
    relocated_prefix_enable = no
 .br
 hash:/etc/postfix/relocated:
    user@example.com 5.2.1 User account is disabled
 .fi
 .ad
 .SH remote_header_rewrite_domain (default: empty)
 Rewrite or add message headers in mail from remote clients if
 the remote_header_rewrite_domain parameter value is non\-empty,
@ -7895,14 +7870,6 @@ Examples:
 .nf
 .na
 /etc/postfix/reply_filter:
    # Some Microsoft servers violate RFC 2554 section 4, causing Postfix
    # to complain with "non\-empty initial GSSAPI challenge from server"
    /^334\es+GSSAPI\es+supported/ 334
 .fi
 .ad
 .PP
 .nf
 .na
    # Transform garbage into "250\-filler..." so that it looks like
    # one line from a multi\-line reply. It does not matter what we
    # substitute here as long it has the right syntax.  The Postfix
@ -9552,14 +9519,13 @@ example.net     secure match=example.com:.example.com
 .in -4
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_security_level (default: Postfix >= 3.11: may; Postfix < 3.11: empty)
+.SH smtp_tls_security_level (default: empty)
 The default SMTP TLS security level for the Postfix SMTP client.
 When a non\-empty value is specified, this overrides the obsolete
 parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername;
-when no value is specified for those obsolete parameters, the default
+when no value is specified for smtp_tls_enforce_peername or the obsolete
-SMTP TLS security level is may
+parameters, the default SMTP TLS security level is
-(compatibility_level >= 3.11) or none
+none.
 (compatibility_level < 3.11).
 .PP
 Specify one of the following security levels:
 .IP "\fBnone\fR"
@ -9951,10 +9917,12 @@ See TLSRPT_README for configuration examples and additional
 requirements for MTA\-STS smtp_tls_policy_maps plugins.
 .PP
 This feature is available in Postfix >= 3.10.
-.SH smtp_tlsrpt_skip_reused_handshakes (default: Postfix >= 3.11: no, Postfix 3.10: yes)
+.SH smtp_tlsrpt_skip_reused_handshakes (default: yes)
-When set to "yes", report the TLSRPT status only for "new" TLS
+Do not report the TLSRPT status for TLS protocol handshakes
-sessions. When set to "no", also report the TLSRPT status for TLS
+that reuse a previously\-negotiated TLS session (there is no new
-protocol handshakes that reuse a previously\-negotiated TLS session.
+information to report). Report the TLSRPT status only for "new" TLS
 sessions. Set this to "no" to log the TLSRPT status of all TLS
 handshakes, for example to troubleshoot Postfix TLSRPT support.
 .PP
 Note: if an SMTP over TLS connection is reused, there is no
 second etc. TLS handshake to report.
@ -10413,12 +10381,6 @@ The maps_rbl_reject_code parameter specifies the response code for
 rejected requests (default:  554), the default_rbl_reply  parameter
 specifies the default server reply, and the rbl_reply_maps  parameter
 specifies tables with server replies indexed by \fIrbl_domain\fR.
 .br
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking the key in SMTP server
 responses).
 .br
 This feature is available in Postfix 2.0 and later.
 .br
 .IP "\fBpermit_dnswl_client \fIdnswl_domain=d.d.d.d\fR\fR"
@ -10432,14 +10394,8 @@ reversed client network address is listed with any A record under
 .br
 For safety, permit_dnswl_client is silently
 ignored when it would override reject_unauth_destination.  The
-result is DEFER_IF_REJECT when allowlist lookup fails.
+result is DEFER_IF_REJECT when allowlist lookup fails.  This feature
-.br
+is available in Postfix 2.8 and later.
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP
 server responses).
 .br
 This feature is available in Postfix 2.8 and later.
 .br
 .IP "\fBreject_rhsbl_client \fIrbl_domain=d.d.d.d\fR\fR"
 Reject the request when the client hostname is listed with the
@ -10451,12 +10407,6 @@ number..number ranges (Postfix version 2.8 and later).  If no
 hostname is listed with
 any A record under \fIrbl_domain\fR. See the reject_rbl_client
 description above for additional RBL related configuration parameters.
 .br
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP
 server responses).
 .br
 This feature is available in Postfix 2.0 and later; with Postfix
 version 2.8 and later, reject_rhsbl_reverse_client will usually
 produce better results.
@ -10476,14 +10426,8 @@ DNS\-based blocklists, and not for making access rule exceptions.
 .br
 For safety, permit_rhswl_client is silently ignored when it
 would override reject_unauth_destination.  The result is DEFER_IF_REJECT
-when allowlist lookup fails.
+when allowlist lookup fails.  This feature is available in Postfix
-.br
+2.8 and later.
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP
 server responses).
 .br
 This feature is available in Postfix 2.8 and later.
 .br
 .IP "\fBreject_rhsbl_reverse_client \fIrbl_domain=d.d.d.d\fR\fR"
 Reject the request when the unverified reverse client hostname
@ -10493,14 +10437,8 @@ one or more ";"\-separated numbers or number..number ranges.
 If no "\fI=d.d.d.d\fR" is specified, reject the request when the
 unverified reverse client hostname is listed with any A record under
 \fIrbl_domain\fR. See the reject_rbl_client description above for
-additional RBL related configuration parameters.
+additional RBL related configuration parameters.  This feature is
-.br
+available in Postfix 2.8 and later.
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP
 server responses).
 .br
 This feature is available in Postfix 2.8 and later.
 .br
 .IP "\fBreject_unknown_client_hostname\fR (with Postfix < 2.3: reject_unknown_client)"
 Reject the request when 1) the client IP address\->name mapping
@ -11217,14 +11155,8 @@ reject_rbl_client description for additional RBL related configuration
 parameters.  Note: specify "smtpd_helo_required = yes" to fully
 enforce this restriction (without "smtpd_helo_required = yes", a
 client can simply skip reject_rhsbl_helo by not sending HELO or
-EHLO).
+EHLO). This feature is available in Postfix 2.0
-.br
+and later.
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP
 server responses).
 .br
 This feature is available in Postfix 2.0 and later.
 .br
 .IP "\fBreject_unknown_helo_hostname\fR (with Postfix < 2.3: reject_unknown_hostname)"
 Reject the request when the HELO or EHLO hostname has no DNS A
@ -11272,7 +11204,7 @@ SMTP server's Received: message header.
 .IP \(bu
 The default setting, "smtpd_hide_client_session = no",
 must be used for the port 25 MTA service. It provides information
-that is required by RFC 5321 section 4.4.
+that is required by RFC 5321.
 .IP \(bu
 The setting "smtpd_hide_client_session = yes" may be used
 for the port 587 and 465 MUA services. This hides the SMTP client
@ -11296,9 +11228,8 @@ Received: by mail.example.com (Postfix) id postfix\-queue\-id
 .in -4
 .PP
 The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the FROM clause according
+and therefore it does not need to provide the information required by
-to RFC 5321 section 4.4. The redacted form still meets RFC 5322
+RFC 5321. The form does still meet RFC 5322 requirements.
 requirements.
 .PP
 This feature is available in Postfix >= 3.10.
 .SH smtpd_history_flush_threshold (default: 100)
@ -11722,14 +11653,8 @@ The maps_rbl_reject_code
 parameter specifies the response code for rejected requests (default:
 554); the default_rbl_reply parameter specifies the default server
 reply; and the rbl_reply_maps parameter specifies tables with server
-replies indexed by \fIrbl_domain\fR.
+replies indexed by \fIrbl_domain\fR.  This feature is available
-.br
+in Postfix version 2.0 and later.
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP
 server responses).
 .br
 This feature is available in Postfix version 2.0 and later.
 .br
 .IP "\fBreject_unauth_destination\fR"
 Reject the request unless one of the following is true:
@ -11816,60 +11741,6 @@ Example:
 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
 .fi
 .ad
 .SH smtpd_reject_filter_maps (default: empty)
 An optional filter that can replace a reject response from the
 Postfix SMTP server itself, or from a program that replies through
 the Postfix SMTP server. The filter is applied before the optional
 reject footers are appended. Typically, the filter will be a regexp:
 or pcre: table, where the left\-hand side specifies a pattern, and
 the right\-hand side specifies replacement text.
 .PP
 The input is a server response that starts with a 4XX or 5XX
 reply code (see RFC 5321), usually followed by an enhanced status
 code (see RFC 3463) and text. The filter returns replacement text
 or indicates that there was no match. This feature cannot be used
 to change a reject reply into a non\-reject one or vice versa.
 .PP
 LIMITATION: smtpd_reject_filter_maps will not replace text that
 was already logged before the Postfix SMTP server replies to the
 remote SMTP client. To help with logfile analysis, the Postfix SMTP
 server logs both the unmodified reply (logged below as "reject
 filter in") and the replacement reply (logged below as "reject
 filter out").
 .PP
 Example:
 .PP
 .nf
 .na
 /etc/postfix/main.cf:
    smtpd_reject_filter_maps = regexp:/etc/postfix/smtpd_reject_filter
 .fi
 .ad
 .PP
 .nf
 .na
 /etc/postfix/smtpd_reject_filter:
    # Replace soft reject with hard reject.
    /^451 4(\e.6\e.0 Alias expansion error)/ 550 5${1}
 .fi
 .ad
 .PP
 .nf
 .na
    # Silly rule for demo purposes.
    /^(4.+[^.])\e.*$/ $1. See you later.
 .fi
 .ad
 .PP
 .nf
 .na
 /var/log/maillog:
    NOQUEUE: reject filter in: 451 4.6.0 Alias expansion error
    NOQUEUE: reject filter out: 550 5.6.0 Alias expansion error
 .fi
 .ad
 .PP
 This feature is available in Postfix >= 3.11.
 .SH smtpd_reject_footer (default: empty)
 Optional information that is appended after each Postfix SMTP
 server
@ -12427,12 +12298,6 @@ maps_rbl_reject_code parameter specifies the response code for
 rejected requests (default:  554); the default_rbl_reply parameter
 specifies the default server reply; and the rbl_reply_maps parameter
 specifies tables with server replies indexed by \fIrbl_domain\fR.
 .br
 NOTE: Always respect the usage policies of reputation services. Avoid
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP
 server responses).
 .br
 This feature is available in Postfix 2.0 and later.
 .br
 .IP "\fBreject_sender_login_mismatch\fR"
@ -14581,8 +14446,7 @@ This feature is available in Postfix 2.2 and later.
 .SH tls_required_enable (default: yes)
 Enable support for the "TLS\-Required: no" message header, defined
 in RFC 8689. By adding this header to a message, a sender requests
-no enforcement of TLS policy. This disables TLS policy lookup, and
+no enforcement of TLS policy. This limits the Postfix SMTP client
 limits the Postfix SMTP client
 TLS security level to "may", that is, do not verify remote SMTP
 server certificates, and fall back to plaintext if TLS is unavailable.
 If a message contains a "TLS\-Required: no" header, then Postfix
--- a/postfix/man/man5/relocated.5
+++ b/postfix/man/man5/relocated.5
@ -46,10 +46,9 @@ lookup fields can match both upper and lower case.
 .nf
 .ad
 .fi
 The input format for the \fBpostmap\fR(1) command is as follows:
 .IP \(bu
-By default, Postfix will prepend a hard\-coded prefix "5.1.6 User
+An entry has one of the following form:
 has moved to " to a table lookup result, and the format for a
 table entry is as follows:
 .nf
     \fIpattern      new_location\fR
@ -58,16 +57,6 @@ table entry is as follows:
 Where \fInew_location\fR specifies contact information such as
 an email address, or perhaps a street address or telephone number.
 .IP \(bu
 Postfix 3.11 and later can optionally disable the hard\-coded
 prefix. Specify "relocated_prefix_enable = no" in main.cf, and
 specify relocated_maps entries with your own RFC 3463\-compliant
 enhanced status code and text, for example:
 .nf
     \fIpattern\fR      5.2.0 Mailbox is unavailable
     \fIpattern\fR      5.2.1 Mailbox is disabled
 .fi
 .IP \(bu
 Empty lines and whitespace\-only lines are ignored, as
 are lines whose first non\-whitespace character is a `#'.
 .IP \(bu
@ -156,11 +145,6 @@ The text below provides only a parameter summary. See
 Optional lookup tables with new contact information for users or
 domains that no longer exist.
 .PP
 Available with Postfix version 3.11 and later:
 .IP "\fBrelocated_prefix_enable (yes)\fR"
 Prepend the prefix "\fB5.1.6 User has moved to \fR" to all
 relocated_maps lookup results.
 .PP
 Other parameters of interest:
 .IP "\fBinet_interfaces (all)\fR"
 The local network interface addresses that this mail system
--- a/postfix/man/man8/discard.8
+++ b/postfix/man/man8/discard.8
@ -67,7 +67,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-delay values.
+sub\-second delay values.
 .IP "\fBdouble_bounce_sender (double\-bounce)\fR"
 The sender address of postmaster notifications that are generated
 by the mail system.
--- a/postfix/man/man8/error.8
+++ b/postfix/man/man8/error.8
@ -75,7 +75,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-delay values.
+sub\-second delay values.
 .IP "\fBdouble_bounce_sender (double\-bounce)\fR"
 The sender address of postmaster notifications that are generated
 by the mail system.
--- a/postfix/man/man8/oqmgr.8
+++ b/postfix/man/man8/oqmgr.8
@ -347,7 +347,7 @@ The names of message delivery transports that should not deliver mail
 unless someone issues "\fBsendmail \-q\fR" or equivalent.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-delay values.
+sub\-second delay values.
 .IP "\fBhelpful_warnings (yes)\fR"
 Log warnings about problematic configuration settings, and provide
 helpful suggestions.
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@ -410,7 +410,7 @@ The default location of the Postfix main.cf and master.cf
 configuration files.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-delay values.
+sub\-second delay values.
 .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
 The location of all postfix administrative commands.
 .IP "\fBmax_idle (100s)\fR"
@ -480,6 +480,3 @@ Wietse Venema
 Google, Inc.
 111 8th Avenue
 New York, NY 10011, USA
 Wietse Venema
 porcupine.org
--- a/postfix/man/man8/proxymap.8
+++ b/postfix/man/man8/proxymap.8
@ -46,24 +46,21 @@ that do not reliably support multiple writers (i.e. all
 file\-based tables that are not based on \fBlmdb\fR).
 .PP
 The \fBproxymap\fR(8) server implements the following requests:
-.IP "\fBopen\fR \fImaptype:mapname instance\-flags\fR"
+.IP "\fBopen\fR \fImaptype:mapname flags\fR"
 Open the table with type \fImaptype\fR and name \fImapname\fR,
-with initial dictionary flags \fIinstance\-flags\fR. The reply
+as controlled by \fIflags\fR. The reply includes the \fImaptype\fR
-contains the actual dictionary flags (for example, to distinguish
+dependent flags (to distinguish a fixed string table from a regular
-a fixed\-string table from a regular\-expression table).
+expression table).
-.IP "\fBlookup\fR \fImaptype:mapname instance\-flags request\-flags key\fR"
+.IP "\fBlookup\fR \fImaptype:mapname flags key\fR"
-Look up the data stored under the requested key using the
+Look up the data stored under the requested key.
-dictionary flags in \fIrequest\-flags\fR.
+The reply is the request completion status code and
-The reply contains the request completion status code, the
+the lookup result value.
-resulting dictionary flags, and the lookup result value.
+The \fImaptype:mapname\fR and \fIflags\fR are the same
 The \fImaptype:mapname\fR and \fIinstance\-flags\fR are the same
 as with the \fBopen\fR request.
-.IP "\fBupdate\fR \fImaptype:mapname instance\-flags request\-flags key value\fR"
+.IP "\fBupdate\fR \fImaptype:mapname flags key value\fR"
-Update the data stored under the requested key using the
+Update the data stored under the requested key.
-dictionary flags in \fIrequest\-flags\fR.
+The reply is the request completion status code.
-The reply contains the request completion status code and the
+The \fImaptype:mapname\fR and \fIflags\fR are the same
 resulting dictionary flags.
 The \fImaptype:mapname\fR and \fIinstance\-flags\fR are the same
 as with the \fBopen\fR request.
 .sp
 To implement single\-updater maps, specify a process limit
@ -71,36 +68,29 @@ of 1 in the master.cf file entry for the \fBproxywrite\fR
 service.
 .sp
 This request is supported in Postfix 2.5 and later.
-.IP "\fBdelete\fR \fImaptype:mapname instance\-flags request\-flags key\fR"
+.IP "\fBdelete\fR \fImaptype:mapname flags key\fR"
-Delete the data stored under the requested key, using the
+Delete the data stored under the requested key.
-dictionary flags in \fIrequest\-flags\fR.
+The reply is the request completion status code.
-The reply contains the request completion status code and the
+The \fImaptype:mapname\fR and \fIflags\fR are the same
 resulting dictionary flags.
 The \fImaptype:mapname\fR and \fIinstance\-flags\fR are the same
 as with the \fBopen\fR request.
 .sp
 This request is supported in Postfix 2.5 and later.
-.IP "\fBsequence\fR \fImaptype:mapname instance\-flags request\-flags function\fR"
+.IP "\fBsequence\fR \fImaptype:mapname flags function\fR"
-Iterate over the specified database, using the dictionary flags
+Iterate over the specified database. The \fIfunction\fR
-in \fIrequest\-flags\fR. The \fIfunction\fR is either
+is one of DICT_SEQ_FUN_FIRST or DICT_SEQ_FUN_NEXT.
-DICT_SEQ_FUN_FIRST or DICT_SEQ_FUN_NEXT.
+The reply is the request completion status code and
-The reply contains the request completion status code, the
+a lookup key and result value, if found.
 resulting dictionary flags, and a lookup key and result value
 if found.
 The \fImaptype:mapname\fR and \fIinstance\-flags\fR are the same
 as with the \fBopen\fR request.
 .sp
 This request is supported in Postfix 2.9 and later.
 .IP "Not implemented: close"
 There is no \fBclose\fR request, nor are tables implicitly closed
 when a client disconnects. The purpose is to share tables among
 multiple client processes. Due to the absence of an explicit or
 implicit \fBclose\fR, updates are forced to be synchronous.
 .PP
 The request completion status is one of OK, RETRY, NOKEY
 (lookup failed because the key was not found), BAD (malformed
 request) or DENY (the table is not approved for proxy read
 or update access).
 There is no \fBclose\fR command, nor are tables implicitly closed
 when a client disconnects. The purpose is to share tables among
 multiple client processes.
 .SH "SERVER PROCESS MANAGEMENT"
 .na
 .nf
@ -251,6 +241,3 @@ Wietse Venema
 Google, Inc.
 111 8th Avenue
 New York, NY 10011, USA
 Wietse Venema
 porcupine.org
--- a/postfix/man/man8/qmgr.8
+++ b/postfix/man/man8/qmgr.8
@ -411,7 +411,7 @@ The names of message delivery transports that should not deliver mail
 unless someone issues "\fBsendmail \-q\fR" or equivalent.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-delay values.
+sub\-second delay values.
 .IP "\fBhelpful_warnings (yes)\fR"
 Log warnings about problematic configuration settings, and provide
 helpful suggestions.
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@ -492,7 +492,7 @@ results.
 .fi
 Detailed information about STARTTLS configuration may be found
 in the TLS_README document.
-.IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
+.IP "\fBsmtp_tls_security_level (empty)\fR"
 The default SMTP TLS security level for the Postfix SMTP client.
 .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
 The SASL authentication security options that the Postfix SMTP
@ -681,9 +681,10 @@ Enable support for RFC 8460 TLSRPT notifications.
 .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
 The pathname of a UNIX\-domain datagram socket that is managed
 by a local TLSRPT reporting service.
-.IP "\fBsmtp_tlsrpt_skip_reused_handshakes (Postfix >= 3.11: no, Postfix 3.10: yes)\fR"
+.IP "\fBsmtp_tlsrpt_skip_reused_handshakes (yes)\fR"
-When set to "yes", report the TLSRPT status only for "new" TLS
+Do not report the TLSRPT status for TLS protocol handshakes
-sessions.
+that reuse a previously\-negotiated TLS session (there is no new
 information to report).
 .IP "\fBtls_required_enable (yes)\fR"
 Enable support for the "TLS\-Required: no" message header, defined
 in RFC 8689.
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@ -1237,12 +1237,6 @@ Available in Postfix 3.10 and later:
 .IP "\fBsmtpd_hide_client_session (no)\fR"
 Do not include SMTP client session information in the Postfix
 SMTP server's Received: message header.
 .PP
 Available in Postfix version 3.11 and later:
 .IP "\fBsmtpd_reject_filter_maps (empty)\fR"
 An optional filter that can replace a reject response from the
 Postfix SMTP server itself, or from a program that replies through
 the Postfix SMTP server.
 .SH "SEE ALSO"
 .na
 .nf
--- a/postfix/man/man8/virtual.8
+++ b/postfix/man/man8/virtual.8
@ -263,7 +263,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-delay values.
+sub\-second delay values.
 .IP "\fBipc_timeout (3600s)\fR"
 The time limit for sending or receiving information over an internal
 communication channel.
--- a/postfix/mantools/check-spell-proto-html
+++ b/postfix/mantools/check-spell-proto-html
@ -4,4 +4,4 @@
 LANG=C; export LANG
-mantools/dehtml proto/*html proto/*.proto | tr '+' ' ' | spell | grep -F -vxf proto/stop | grep -F -vxf proto/stop.spell-proto-html
+mantools/dehtml proto/*html proto/*.proto | spell | grep -F -vxf proto/stop | grep -F -vxf proto/stop.spell-proto-html
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -443,7 +443,6 @@ while (<>) {
    s;\brelay_transport\b;<a href="postconf.5.html#relay_transport">$&</a>;g;
    s;\brelay[-</bB>]*\n*[ <bB>]*host\b;<a href="postconf.5.html#relayhost">$&</a>;g;
    s;\brelocated_maps\b;<a href="postconf.5.html#relocated_maps">$&</a>;g;
    s;\brelocated_prefix_enable\b;<a href="postconf.5.html#relocated_prefix_enable">$&</a>;g;
    s;\brequire_home_directory\b;<a href="postconf.5.html#require_home_directory">$&</a>;g;
    s;\bresolve_dequoted_address\b;<a href="postconf.5.html#resolve_dequoted_address">$&</a>;g;
    s;\brewrite_service_name\b;<a href="postconf.5.html#rewrite_service_name">$&</a>;g;
@ -770,7 +769,6 @@ while (<>) {
    s;\bsmtpd_use_tls\b;<a href="postconf.5.html#smtpd_use_tls">$&</a>;g;
    s;\bsmtpd_reject_footer\b;<a href="postconf.5.html#smtpd_reject_footer">$&</a>;g;
    s;\bsmtpd_reject_footer_maps\b;<a href="postconf.5.html#smtpd_reject_footer_maps">$&</a>;g;
    s;\bsmtpd_reject_filter_maps\b;<a href="postconf.5.html#smtpd_reject_filter_maps">$&</a>;g;
    s;\bsmtpd_per_record_deadline\b;<a href="postconf.5.html#smtpd_per_record_deadline">$&</a>;g;
    s;\bsmtpd_per_request_deadline\b;<a href="postconf.5.html#smtpd_per_request_deadline">$&</a>;g;
    s;\bsmtpd_min_data_rate\b;<a href="postconf.5.html#smtpd_min_data_rate">$&</a>;g;
--- a/postfix/mantools/srctoman
+++ b/postfix/mantools/srctoman
@ -92,7 +92,7 @@ do
 	/^HISTORY/s//.SH &\
 .ad\
 .fi/
-	/^[A-Z][A-Za-z][A-Za-z].*$/s//.SH "&"\
+	/^[A-Z][A-Z][A-Z][^a-z]*$/s//.SH "&"\
 .na\
 .nf/
 	p
--- a/postfix/proto/COMPATIBILITY_README.html
+++ b/postfix/proto/COMPATIBILITY_README.html
@ -102,20 +102,6 @@ default setting respectful_logging=no</a> </p>
 </ul>
 <p> Logged with compatibility_level &lt; 3.11: </p>
 <ul>
 <li> <p> <a href="#tlsrpt_reused"> using backwards-compatible default
 setting smtp_tlsrpt_skip_reused_handshakes=yes</a> </p>
 <li> <p> <a href="#xxx_tls_level"> using backwards-compatible default
 setting <i>xxx</i>_security_level=(empty)</a> </p>
 </ul>
 <p>
 <p> If such a message is logged in the context of a legitimate
 request, the system administrator should make the backwards-compatible
 setting permanent in main.cf or master.cf, as detailed in the
@ -134,8 +120,7 @@ to "no". This could result in unexpected non-delivery of email after
 Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
-<p> As long as the append_dot_mydomain parameter is left unspecified
+<p> As long as the append_dot_mydomain parameter is left at
 at
 its implicit default value, and the compatibility_level setting is
 less than 1, Postfix may log one of the following messages:</p>
@ -193,7 +178,7 @@ after updating Postfix from an older version. The backwards-compatibility
 safety net is designed allow the administrator to choose if they
 want to keep the old behavior. </p>
-<p> As long as a master.cf chroot field is left unspecified at its
+<p> As long as a master.cf chroot field is left at its
 implicit default value, and the compatibility_level setting
 is less than 1, Postfix may log the following message while it
 reads the master.cf file: </p>
@ -233,8 +218,7 @@ from an older Postfix version. The backwards-compatibility safety
 net is designed to prevent such surprises. </p>
 <p> When the compatibility_level less than 1, and the
-smtpd_relay_restrictions parameter is left unspecified at its
+smtpd_relay_restrictions parameter is left at its implicit default
 implicit default
 setting, Postfix may log the following message: </p>
 <blockquote>
@ -266,8 +250,7 @@ addresses from clients that don't request SMTPUTF8 support, after
 Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
-<p> As long as the smtputf8_enable parameter is left unspecified
+<p> As long as the smtputf8_enable parameter is left at its implicit
 at its implicit
 default value, and the compatibility_level setting is
 less than 1, Postfix logs a warning each time an SMTP command uses a
 non-ASCII address localpart without requesting SMTPUTF8 support: </p>
@ -310,8 +293,7 @@ Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
 <p> As long as the mynetworks and mynetworks_style parameters are
-left unspecified at their implicit default values, and the
+left at their implicit default values, and the compatibility_level
 compatibility_level
 setting is less than 2, the Postfix SMTP server may log one of the
 following messages: </p>
@ -351,8 +333,7 @@ denied' errors or ETRN errors after Postfix is updated from an older
 version. The backwards-compatibility safety net is designed to
 prevent such surprises. </p>
-<p> As long as the relay_domains parameter is left unspecified at
+<p> As long as the relay_domains parameter is left at its implicit
 its implicit
 default value, and the compatibility_level setting is less than 2,
 Postfix may log one of the following messages.  </p>
@ -427,8 +408,7 @@ secure digest of the client certificate.  </p>
 with the "sha256" digests of the expected client certificate or public
 key.  </p>
-<p> As long as the smtpd_tls_fingerprint_digest parameter is left
+<p> As long as the smtpd_tls_fingerprint_digest parameter is left at its
 unspecified at its
 implicit default value, and the compatibility_level setting is less than
 3.6, Postfix logs a warning each time a client certificate or public key
 fingerprint is (potentially) used for access control: </p>
@ -475,8 +455,7 @@ policies in the TLS policy table to specify matching "sha256" digests of
 the expected server certificates or public keys.  </p>
 <p> As long as the smtp_tls_fingerprint_digest (or LMTP equivalent)
-parameter is left unspecified at its implicit default value, and
+parameter is left at its implicit default value, and the
 the
 compatibility_level setting is less than 3.6, Postfix logs a warning each
 time the "fingerprint" security level is used to specify matching "md5"
 digests of trusted server certificates or public keys: </p>
@ -520,8 +499,7 @@ command, and both support the same features. </p> </blockquote>
 keep evaluating smtpd_recipient_restrictions before
 smtpd_relay_restrictions, as long as the compatibility_level is
 less than 3.6, and the smtpd_relay_before_recipient_restrictions
-parameter is left unspecified at its implicit default setting. As
+parameter is left at its implicit default setting. As a reminder,
 a reminder,
 Postfix may log the following message: </p>
 <blockquote>
@ -555,8 +533,7 @@ the changes in logging could affect logfile analysis tools. </p>
 <p> To avoid breaking existing logfile analysis tools, Postfix will keep
 logging the deprecated form, as long as the respectful_logging parameter
-is left unspecified at its implicit default value, and the
+is left at its implicit default value, and the compatibility_level
 compatibility_level
 setting is less than 3.6. As a reminder, Postfix may log the following
 when a remote SMTP client is allowlisted or denylisted: </p>
@ -578,83 +555,6 @@ system administrator should make the backwards-compatible setting
 </pre>
 </blockquote>
 <h2> <a name="tlsrpt_reused"> Using backwards-compatible
 default setting smtp_tlsrpt_skip_reused_handshakes=yes</a> </h2>
 <p> Postfix version 3.11 changes the default value for
 smtp_tlsrpt_skip_reused_handshakes from "yes" to "no". The
 backwards-compatibility safety net is designed to prevent an
 unexpected change in reporting behavior when Postfix is updated
 from an older version. </p>
 <p> As long as the smtp_tlsrpt_skip_reused_handshakes parameter is
 left unspecified at its implicit default value, and the compatibility_level
 setting is less than 3.11, Postfix will log a reminder that it is
 using the backwards-compatible default: </p>
 <blockquote>
 <pre>
 postfix/smtp[388157] using backwards-compatible default setting
    smtp_tlsrpt_skip_reused_handshakes=yes
 </pre>
 </blockquote>
 <p> To keep the old default setting, the system administrator should
 make the backwards-compatible setting "smtp_tlsrpt_skip_reused_handshakes
 = yes" permanent in main.cf:
 <blockquote>
 <pre>
 # <b>postconf smtp_tlsrpt_skip_reused_handshakes=yes</b>
 # <b>postfix reload</b>
 </pre>
 </blockquote>
 <h2> <a name="xxx_tls_level"> Using backwards-compatible
 default setting <i>xxx</i>_security_level=(empty)</a> </h2>
 <p> Postfix version 3.11 changes the default value for client TLS
 security levels from "empty" to "may". The backwards-compatibility
 safety net is designed to prevent an unexpected change in mail
 sending behavior when Postfix is updated from an older version.
 </p>
 <p> There is no equivalent change for Postfix server TLS security
 levels, because changing the level alone is not sufficient. Server-side
 TLS requires that at least one private key and one public-key
 certificate chain are configured. </p>
 <p> As long as a TLS security level parameter is left unspecified
 at its implicit default value, and the compatibility_level setting
 is less than 3.11, Postfix will log one of the following reminders
 that it is using the backwards-compatible default: </p>
 <blockquote>
 <pre>
 postfix/smtp[...] using backwards-compatible default setting
    smtp_tls_security_level=(empty)
 </pre>
 </blockquote>
 <blockquote>
 <pre>
 postfix/tlsproxy[...] using backwards-compatible default setting
    tlsproxy_client_security_level=(empty)
 </pre>
 </blockquote>
 <p> To keep the old default setting, the system administrator should
 make the backwards-compatible empty setting permanent in main.cf: </p>
 <blockquote>
 <pre>
 # <b>postconf <i>xxx</i>_security_level=</b>
 # <b>postfix reload</b>
 </pre>
 </blockquote>
 <p> where <i>xxx</i> is taken from the above compatibility message. </p>
 <h2> <a name="turnoff">Turning off the backwards-compatibility safety net</a> </h2>
 <p> Backwards compatibility is turned off by updating the
--- a/postfix/proto/DATABASE_README.html
+++ b/postfix/proto/DATABASE_README.html
@ -293,19 +293,6 @@ databases are maintained by Postfix daemons. The lookup table name
 as used in "dbm:table" is the database file name without the ".dir"
 or ".pag" suffix.  </dd>
 <dt> <b>debug</b> </dt>
 <dd>
 <p> An adapter for another table that causes all accesses to be
 logged.  Example usage: "debug:hash:/etc/postfix/example".  The
 formats of the log messages are unspecified and subject to change.
 Warning: If a query or the underlying table contains sensitive
 information (such as a password), that information might be
 logged. </p>
 <p> This feature is available with Postfix 3.11 and later. </p>
 </dd>
 <dt> <b>environ</b> </dt>
 <dd> The UNIX process environment array. The lookup key is the
--- a/postfix/proto/DEPRECATION_README.html
+++ b/postfix/proto/DEPRECATION_README.html
@ -104,16 +104,11 @@ detailed description. </p>
 </th> <th> Removed <br> in version </th> <th> Replacement </th>
 </tr>
 <tr> <td> <a href="#xxx_tls_enforce_peername">
 <i>xxx</i>_tls_enforce_peername </a> </td> <td align="center"> 3.11
 </td> <td align="center"> - </td> <td> <i>xxx</i>_tls_security_level
 </td> </tr>
 <tr> <td> <a href="#disable_dns_lookups"> disable_dns_lookups </a>
 </td> <td align="center"> 3.9 </td> <td align="center"> - </td>
 <td> smtp_dns_support_level </td> </tr>
-<tr> <td> <a href="#xxx_use_tls"> <i>xxx</i>_use_tls </a> </td>
+<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_use_tls </a> </td>
 <td align="center"> 3.9 </td> <td align="center"> - </td> <td>
 <i>xxx</i>_tls_security_level </td> </tr>
@ -154,45 +149,6 @@ reject_rbl_client </td> </tr>
 </blockquote>
 <h3> <a name="xxx_tls_enforce_peername"> Obsolete TLS peer name
 match configuration </a> </h3>
 <p> The postconf(1) command logs one of the following: </p>
 <ul>
 <li> support for parameter "lmtp_tls_enforce_peername" will be
 removed; instead, specify "lmtp_tls_security_level"
 <li> support for parameter "smtp_tls_enforce_peername" will be
 removed; instead, specify "smtp_tls_security_level"
 </ul>
 <p> There are similarly-named parameters and warnings for postscreen(8)
 and tlsproxy(8), but those parameters should rarely be specified
 by hand. </p>
 <p> Replace obsolete configuration with its replacement: </p>
 <blockquote>
 <table border="1">
 <tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr>
 <tr> <td> Enforce peer name match with server certificate </td>
 <td> <i>xxx</i>_enforce_peername = yes </td> <td> <i>xxx</i>_security_level
 = verify <br> <i>xxx</i>_security_level = secure </td> </tr>
 <tr> <td> Disable peer name match with server certificate </td>
 <td> <i>xxx</i>_enforce_peername = no </td> <td> <i>xxx</i>_security_level
 = may <br> <i>xxx</i>_security_level = encrypt </td> </tr>
 </table>
 </blockquote>
 <h3> <a name="disable_dns_lookups"> Obsolete DNS on/off configuration
 </a> </h3>
--- a/postfix/proto/MULTI_INSTANCE_README.html
+++ b/postfix/proto/MULTI_INSTANCE_README.html
@ -40,7 +40,7 @@ management framework, and on how to deploy a custom instance manager.
 <li><a href="#parts"> Components of a Postfix system </a> 
-<li><a href="#default"> The primary Postfix instance </a> 
+<li><a href="#default"> The default Postfix instance </a> 
 <li><a href="#group"> Instance groups </a>
@ -102,7 +102,7 @@ use than ever before. </p>
 <h2><a name="split"> Null-client instances versus service instances </a></h2>
 <p> In the multi-instance approach to configuring Postfix, the first
-simplification is with the primary local-submission Postfix instance.
+simplification is with the default local-submission Postfix instance.
 </p>
 <p> Most UNIX systems require support for email submission with the
@ -152,7 +152,7 @@ limited to mail from cron jobs and other system services. In this
 regard the border MTA is not different from other Unix hosts in
 your environment. For this reason, it will submit locally-generated
 email to the internal mail hub. We start the construction of the
-border mail server with the <a href="#default">primary</a>
+border mail server with the <a href="#default_instance">default</a>
 instance, which will be a local-submission <a
 href="STANDARD_CONFIGURATION_README.html#null_client">null client</a>:
 </p>
@ -283,7 +283,7 @@ must start before the input instance. We will put the output and
 input instances into a single instance group named "mta".  </p>
 <p> Just once, when adding the first secondary instance, enable
-multi-instance support in the primary (null-client) instance: </p>
+multi-instance support in the default (null-client) instance: </p>
 <blockquote>
 <pre>
@ -301,7 +301,7 @@ multi-instance support in the primary (null-client) instance: </p>
 <p> The instance configuration directory defaults to /etc/postfix-out,
 more precisely, the "postfix-out" subdirectory of the parent directory
-of the primary-instance configuration directory. The new instance will
+of the default-instance configuration directory. The new instance will
 be created in a "disabled" state: </p>
 <blockquote>
@ -323,7 +323,7 @@ be created in a "disabled" state: </p>
 <p> This instance has a "stock" master.cf file, and its queue and
 data directories, also named "postfix-out", will be located in the
 same parent directories as the corresponding directories of the
-primary instance (e.g., /var/spool/postfix-out and /var/lib/postfix-out).
+default instance (e.g., /var/spool/postfix-out and /var/lib/postfix-out).
 </p>
 <p> While this instance is immediately safe to start, it is not yet
@ -472,7 +472,7 @@ also part of the "mta" instance group: </p>
 <p> The new instance configuration directory defaults to /etc/postfix-in,
 more precisely, the "postfix-in" subdirectory of the parent directory
-of the primary-instance configuration directory. The new instance will
+of the default-instance configuration directory. The new instance will
 be created in a "disabled" state: </p>
 <blockquote>
@ -658,7 +658,7 @@ main.cf file itself. </p>
 <p> Though config_directory cannot be set in main.cf, postfix(1) and
 most of the other command-line Postfix utilities allow you to specify a
-secondary configuration directory via a command line option (typically
+non-default configuration directory via a command line option (typically
 <b>-c</b>) or via the MAIL_CONFIG environment variable. In this way,
 it is possible to have multiple configuration directories on the same
 machine, and to have multiple running master(8) daemons each with its
@ -672,28 +672,28 @@ directories, queue directories or data directories. </p>
 directory and data directory (specified in the corresponding main.cf file)
 make up a Postfix <b>instance</b>. </p>
-<h2><a name="default"> The primary Postfix instance </a></h2>
+<h2><a name="default"> The default Postfix instance </a></h2>
 <p> One Postfix instance is special: this is the instance whose
 configuration directory is the default one compiled into the Postfix
 utilities. The location of the default configuration directory is
 typically /etc/postfix, and can be queried via the "postconf -d
 config_directory" command.  We call the instance with this configuration
-directory the "primary instance". </p>
+directory the "default instance". </p>
-<p> The primary instance is responsible for local mail submission. The
+<p> The default instance is responsible for local mail submission. The
 setgid postdrop(1) utility is used by the sendmail(1) local submission
 program to spool messages into the <b>maildrop</b> sub-directory of the
-queue directory of the primary instance. </p>
+queue directory of the default instance. </p>
 <p> Even in the rare case when "sendmail -C" is used to submit local mail
-into a secondary Postfix instance, for security reasons, postdrop(1)
+into a non-default Postfix instance, for security reasons, postdrop(1)
-will consult the primary main.cf file to check the validity of the
+will consult the default main.cf file to check the validity of the
 requested non-default configuration directory. </p>
 <p> So, while in most other respects, all instances are equal, the
-primary instance is "more equal than others". You may choose to create
+default instance is "more equal than others". You may choose to create
-secondary instances, but you must have at least the primary instance,
+additional instances, but you must have at least the default instance,
 with its configuration directory in the default compiled-in location. </p>
 <h2><a name="group"> Instance groups </a></h2>
@ -715,9 +715,9 @@ of a single instance group (however, the content filter usually has
 its own start/stop procedure that is separate from any Postfix
 instance).  </p>
-<p> The primary instance main.cf file's $multi_instance_directories
+<p> The default instance main.cf file's $multi_instance_directories
 configuration parameter lists the configuration directories of all
-secondary (non-default) instances. Together with the primary instance,
+secondary (non-default) instances. Together with the default instance,
 these secondary instances are managed by the multi-instance manager.
 Instances are started in the order listed, and stopped in the
 opposite order. For instances that are members of a service "group",
@ -731,7 +731,7 @@ stages are started. </p>
 <dt> multi_instance_wrapper </dt> 
-<dd> <p> This primary-instance configuration parameter must be set
+<dd> <p> This default-instance configuration parameter must be set
 to a suitable multi-instance manager's "wrapper" program that
 controls the starting, stopping, etc. of a multi-instance Postfix
 system. To use the postmulti(1) manager described in this document,
@ -740,10 +740,10 @@ this parameter should be set with the "<a href="#init">postmulti
 <dt> multi_instance_directories </dt>
-<dd> <p> This primary-instance configuration parameter specifies
+<dd> <p> This default-instance configuration parameter specifies
 an optional list of the secondary instances controlled via the
 multi-instance manager. Instances are listed in their "start" order,
-with the primary instance always started first (if enabled). If
+with the default instance always started first (if enabled). If
 $multi_instance_directories is left empty, the postfix(1) command
 runs with multi-instance support turned off, and none of the
 multi_instance_ configuration parameters will have any effect. </p>
@ -842,7 +842,7 @@ automatically. See below. </p>
 <p> Before postmulti(1) is used for the first time, you must install
 it as the multi_instance_wrapper for your Postfix system and enable
-multi-instance operation of the primary Postfix instance. You can then
+multi-instance operation of the default Postfix instance. You can then
 proceed to add <a href="#create">new</a> or <a href="#import">existing</a>
 instances to the multi-instance configuration. This initial installation
 is accomplished as follows: </p>
@ -853,7 +853,7 @@ is accomplished as follows: </p>
 </pre>
 </blockquote>
-<p> This updates the primary instance main.cf file as follows: </p>
+<p> This updates the default instance main.cf file as follows: </p>
 <blockquote>
 <pre>
@ -861,28 +861,28 @@ is accomplished as follows: </p>
    #
    multi_instance_wrapper = ${command_directory}/postmulti -p --
-    # Configure the primary instance to start when in multi-instance mode
+    # Configure the default instance to start when in multi-instance mode
    #
    multi_instance_enable = yes
 </pre>
 </blockquote>
-<p> If you prefer, you can make these changes by editing the primary
+<p> If you prefer, you can make these changes by editing the default
 main.cf directly, or by using "postconf -e". </p>
 <h3><a name="list"> Listing managed instances </a></h3>
-<p> The list of managed instances consists of the primary instance and
+<p> The list of managed instances consists of the default instance and
-the secondary instances whose configuration directories are listed
+the additional instances whose configuration directories are listed
 (in start order) under the multi_instance_directories parameter of the
-primary main.cf configuration file.  </p>
+default main.cf configuration file.  </p>
 <p> You can list selected instances, groups of instances or all
 instances by specifying only the instance matching options with the
 "-l" option.  The "-a" option is assumed if no other instance
 selection options are specified (this behavior changes with the
 "-e" option).  As a special case, even if it has an explicit name,
-the primary instance can always be selected via "-i -". </p>
+the default instance can always be selected via "-i -". </p>
 <blockquote>
 <pre>
@ -926,7 +926,7 @@ set, it is shown as a "-". </p>
 <p> When selecting an existing instance via the "-i" option, you
 can always use the full pathname of its configuration directory
 instead of the instance (short) name. This is the only way to select
-a secondary nameless instance. The primary instance can be selected
+a non-default nameless instance. The default instance can be selected
 via "-i -", whether it has a name or not. </p>
 <p> To list instances in reverse start order, include the "-R"
@ -1052,7 +1052,7 @@ $ postmulti -x sh -c 'echo "-- $MAIL_CONFIG"; postconf -n'
 <h3><a name="create"> Creating a new Postfix instance </a></h3>
-<p> The postmulti(1) command can be used to create secondary Postfix
+<p> The postmulti(1) command can be used to create additional Postfix
 instances. New instances are created with local submission and all "inet"
 services disabled via the following non-default parameter settings in
 the main.cf file: </p>
@ -1072,7 +1072,7 @@ the above safety measures. </p>
 <p> The postmulti(1) command encourages a preferred way of organizing
 the configuration directories, queue directories and data directories
-of secondary instances. If the primary instance settings are: </p>
+of non-default instances. If the default instance settings are: </p>
 <blockquote>
 <pre>
@ -1140,7 +1140,7 @@ the configuration directories of newly managed instances are appended
 to the instance list. You can use the "-i" or "-g" or "-a" options to
 insert the new instance before the specified instance or group, or at
 the beginning of the instance list (multi_instance_directories parameter
-of the primary instance). </p>
+of the default instance). </p>
 <p> If you do specify a name (use "-I" with a name that is not "-")
 for the new instance, you may omit any of the 3 instance installation
--- a/postfix/proto/SMTPUTF8_README.html
+++ b/postfix/proto/SMTPUTF8_README.html
@ -375,7 +375,7 @@ Firefox and Chrome web browsers. Specify "enable_idna2003_compatibility
 = yes" to get the historical behavior. </p>
 <p> This affects the conversion of domain names that contain for
-example the German sz (ß) and the Greek (final) sigma (ς). See
+example the German sz (ß) and the Greek zeta (ς). See
 https://unicode.org/cldr/utility/idna.jsp for more examples. </p>
 <h2> <a name="credits">Credits</a> </h2>
--- a/postfix/proto/TLSRPT_README.html
+++ b/postfix/proto/TLSRPT_README.html
@ -25,7 +25,6 @@
 <li> <a href="#intro"> Introduction </a> </li>
 <li> <a href="#building"> Building Postfix with TLSRPT support </a>
 <li> <a href="#using"> Turning on TLSRPT </a> </li>
 <li> <a href="#reusing"> Connection reuse versus session resumption </a> </li>
 <li> <a href="#logging"> TLSRPT Status logging </a> </li>
 <li> <a href="#delivering"> Delivering TLSRPT summaries via email</a> </li>
 <li> <a href="#mta-sts"> MTA-STS Support via smtp_tls_policy_maps </a> </li>
@ -53,8 +52,8 @@ _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:smtp-tls-report@example.c
 <p> Instead of <tt>mailto:</tt>, a policy may specify an <tt>https:</tt>
 destination. </p>
-<p> The diagram below shows how successful or failed Postfix TLS
+<p> The diagram below shows how Postfix TLS handshake success and
-handshake events are collected and processed into daily summary
+failure events are collected and processed into daily summary
 reports. </p>
 <blockquote>
@ -100,7 +99,7 @@ fetch, and report TLSRPT information, are implemented and maintained
 by sys4 at https://github.com/sys4/libtlsrpt and
 https://github.com/sys4/tlsrpt-reporter, respectively. </p>
-<p> The Postfix implementation supports TLSRPT for domains with DANE
+<p> The Postfix implementation supports TLSRPT or domains with DANE
 (Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
 smtp_tls_policy_maps plug-in</a>). </p>
@ -204,49 +203,6 @@ programs should create sockets there. </p>
 infrastructure, see the documentation at
 https://github.com/sys4/tlsrpt-reporter.
 <h2> <a name="reusing"> Connection reuse versus session resumption
 </a> </h2>
 <p> The Postfix SMTP client implements two kinds of reuse: </p>
 <ul>
 <li> <p> <b> SMTP Connection reuse: </b> a Postfix SMTP client
 creates a new SMTP connection, sends one email message, and saves
 the connection instead of closing it. Later, some SMTP client reuses
 that connection, sends an email message, and saves or closes the
 connection depending on whether it has reached some reuse limit.
 Each connection can be used by only one Postfix SMTP client at a
 time. </p>
 <li> <p> <b> TLS Session resumption: </b> a Postfix SMTP client
 saves the result from a "new" TLS handshake. Later, one or more
 SMTP clients create a new SMTP connection and resume the saved TLS
 session on their new connection. <p>
 </ul>
 <p> Of course there is a third case: </p>
 <ul>
 <li> <p> <b> Combined reuse and resumption: </b> a Postfix SMTP
 client creates a new SMTP connection, sends one email message, saves
 the result from a "new" TLS handshake, and also saves the connection
 instead of closing it. Later, one SMTP client reuses (and saves)
 that connection, one client at a time, and one or more clients
 create a new SMTP connection and resume the saved TLS session on
 their new connection. <p>
 </ul>
 <p> In all cases, there is no TLS handshake when a saved SMTP connection
 is reused, and there is no "new" TLS handshake when a saved TLS session
 is resumed. </p>
 <p> As described next, Postfix will by default log and generate only a
 TLSRPT event for a "new" TLS handshake.  </p>
 <h2> <a name="logging"> TLSRPT Status logging </a> </h2>
 <p> With TLSRPT support turned on, the Postfix TLSRPT client will
@ -286,12 +242,12 @@ Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
    TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 </pre>
-<li> <p> With TLSRPT enabled, the Postfix SMTP client reports the
+<li> <p> By default, Postfix does not report the TLSRPT status for
-TLSRPT status for all TLS handshakes (the default as of Postfix
+a TLS handshake that reuses a previously-negotiated TLS session
-3.11).  Specify "smtp_tlsrpt_skip_reused_handshakes = yes" (the
+(there would be no new information to report). Specify
-default with Postfix 3.10) to skip reporting TLS handshakes that
+"smtp_tlsrpt_skip_reused_handshakes = no" to report the TLSRPT
-reuse a previously-negotiated TLS session as there would be no new
+status for all TLS handshakes. This may be useful for troubleshooting.
-information to report. </p>
+</p>
 <li> <p> Postfix logging for certificate verification failures may
 differ between new or reused TLS sessions. </p>
@ -373,7 +329,7 @@ generator's sender address): </p>
 <h2> <a name="mta-sts"> MTA-STS Support via smtp_tls_policy_maps
 </a></h2>
-<p> Postfix supports MTA-STS through an smtp_tls_policy_maps policy
+<p> Postfix supports MTA-STS though an smtp_tls_policy_maps policy
 plugin, which replies with a TLS security level and name=value
 attributes with certificate matching requirements. Postfix 3.10 and
 later extend the policy plugin response with additional name=value
--- a/postfix/proto/XCLIENT_README.html
+++ b/postfix/proto/XCLIENT_README.html
@ -145,8 +145,8 @@ xtext encode attribute values. Servers that wish to interoperate
 with these older implementations should be prepared to receive
 unencoded information. </p>
-<p> Note 4: The PORT attribute is implemented in Postfix 2.5 and
+<p> Note 4: Some Postfix implementations do not implement the PORT
-later; the LOGIN attribute in Postfix 2.9 and later. </p>
+or LOGIN attributes.  </p>
 <h2>XCLIENT Server response</h2>
--- a/postfix/proto/lmdb_table
+++ b/postfix/proto/lmdb_table
@ -60,17 +60,16 @@
 # .fi
 #	The Postfix LMDB adapter does not use LMDB's built-in locking
 #	scheme, because that would require world-writable lockfiles
-#	and therefore violate the Postfix security model.  Instead,
+#	and would violate the Postfix security model.  Instead,
 #	Postfix uses fcntl(2) locks with whole-file granularity.
 #	Programs that use LMDB's built-in locking protocol will
 #	corrupt a Postfix LMDB database or will read garbage.
 #
 #	Every Postfix LMDB database read or write transaction must
 #	be protected from start to end with a shared or exclusive
-#	fcntl(2) lock. A process may atomically downgrade an exclusive
+#	fcntl(2) lock.  A writer may atomically downgrade an exclusive
-#	lock to a shared lock before opening a database read transaction,
+#	lock to a shared lock, but it must hold an exclusive lock
-#	but it must hold an exclusive lock while opening a write
+#	while opening another write transaction.
 #	transaction.
 #
 #	Note that fcntl(2) locks do not protect transactions within
 #	the same process against each other.  If a program cannot
--- a/postfix/proto/memcache_table
+++ b/postfix/proto/memcache_table
@ -102,17 +102,6 @@
 # MEMCACHE KEY PARAMETERS
 # .ad
 # .fi
 # .IP "\fBkey_digest (default: empty)\fB"
 #	After processing the \fBkey_format\fR setting, and before sending
 #	a request to the memcache server, run the key through the named
 #	message digest algorithm and convert the result to lowercase
 #	hexadecimal characters. This prevents a database access error
 #	when keys may exceed the memcache server's key length limit
 #	(usually, 250 bytes). Specify the name of a message digest
 #	algorithm that is supported by OpenSSL, for example, \fBsha256\fR.
 #
 #	This feature is available in Postfix 3.11 and later, and requires
 #	that Postfix is built with TLS support.
 # .IP "\fBkey_format (default: %s)\fB"
 #	Format of the lookup and update keys that the Postfix
 #	memcache client sends to the memcache server.
@ -204,7 +193,7 @@
 #	"\fI|command\fR and "\fI/file/name\fR" destinations), or
 #	\fBvirtual_uid_maps\fR, \fBvirtual_gid_maps\fR and
 #	\fBvirtual_mailbox_maps\fR (these specify UNIX process
-#	privileges for "\fI/file/name\fR" destinations).  In a typical
+#	privileges or "\fI/file/name\fR" destinations).  In a typical
 #	deployment a memcache database is writable by any process
 #	that can talk to the memcache server; in contrast,
 #	security-sensitive tables must never be writable by the
--- a/postfix/proto/mysql_table
+++ b/postfix/proto/mysql_table
@ -67,10 +67,11 @@
 #	    hosts = 127.0.0.1
 # .fi
 #
-#	NOTE: if the \fBhosts\fR setting specifies only one server,
+#	NOTE: if the \fBhosts\fR setting specifies one server, this client
-#	this client assumes that the target is a load balancer and
+#	assumes that the target is a load balancer and will reconnect
-#	will reconnect immediately after a single failure. With Postfix
+#	immediately after a single failure, instead of failing all
-#	versions 3.9 and earlier, specify the same server twice.
+#	requests temporarily. With older versions of this client,
 #	specify the same server twice.
 # .IP "\fBuser\fR"
 # .IP "\fBpassword\fR"
 #	The user name and password to log into the mysql server.
@ -101,10 +102,11 @@
 #	The number of seconds that a database connection will be
 #	skipped after an error.
 #
-#	NOTE: if the \fBhosts\fR setting specifies only one server,
+#	NOTE: if the \fBhosts\fR setting specifies one server, this client
-#	this client assumes that the target is a load balancer and
+#	assumes that the target is a load balancer and will reconnect
-#	will reconnect immediately after a single failure. With Postfix
+#	immediately after a single failure, instead of failing all
-#	versions 3.9 and earlier, specify the same server twice.
+#	requests temporarily. With older versions of this client,
 #	specify the same server twice.
 #
 #	This feature is available in Postfix 3.9 and later.
 # .IP "\fBquery\fR"
--- a/postfix/proto/pgsql_table
+++ b/postfix/proto/pgsql_table
@ -71,10 +71,11 @@
 #	URI, the Postfix PostgreSQL client will ignore the \fBdbname\fR,
 #	\fBuser\fR, and \fBpassword\fR settings for that connection.
 #
-#	NOTE: if the \fBhosts\fR setting specifies only one server,
+#	NOTE: if the \fBhosts\fR setting specifies one server, this client
-#	this client assumes that the target is a load balancer and
+#	assumes that the target is a load balancer and will reconnect
-#	will reconnect immediately after a single failure. With Postfix
+#	immediately after a single failure, instead of failing all
-#	versions 3.9 and earlier, specify the same server twice.
+#	requests temporarily. With older versions of this client,
 #	specify the same server twice.
 # .IP "\fBuser\fR"
 # .IP "\fBpassword\fR"
 #	The user name and password to log into the pgsql server.
@ -118,10 +119,11 @@
 #	The number of seconds that a database connection will be
 #	skipped after an error.
 #
-#	NOTE: if the \fBhosts\fR setting specifies only one server,
+#	NOTE: if the \fBhosts\fR setting specifies one server, this client
-#	this client assumes that the target is a load balancer and
+#	assumes that the target is a load balancer and will reconnect
-#	will reconnect immediately after a single failure. With Postfix
+#	immediately after a single failure, instead of failing all
-#	versions 3.9 and earlier, specify the same server twice.
+#	requests temporarily. With older versions of this client,
 #	specify the same server twice.
 #
 #	This feature is available in Postfix 3.9 and later.
 # .IP "\fBquery\fR"
--- a/postfix/proto/postconf.html.prolog
+++ b/postfix/proto/postconf.html.prolog
@ -20,7 +20,7 @@ if (hash && isChrome) {
    setTimeout(function() {
        window.location.hash = "";
        window.location.hash = hash;
-    }, 1500);
+    }, 1000);
 }
 </script>
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -1984,20 +1984,15 @@ environment.  Examples of relevant environment variables: </p>
 <dd>Needed to make "<b>postfix -c</b>" work. </dd>
 <dt><b>POSTLOG_HOSTNAME</b></dt>
 <dd>Needed to make "<b>maillog_file</b>" work during daemon  
 process initialization. </dd>
 <dt><b>POSTLOG_SERVICE</b></dt>
 <dd>Needed to make "<b>maillog_file</b>" work during daemon 
 process initialization. </dd>
-<dt><b>XDG_RUNTIME_DIR</b></dt>
+<dt><b>POSTLOG_HOSTNAME</b></dt>
-<dd>Needed for debugging Postfix daemons with an XDG-style debugger.
+<dd>Needed to make "<b>maillog_file</b>" work during daemon  
-</dd>
+process initialization. </dd>
 </dl>
@ -4017,26 +4012,6 @@ relocated_maps = dbm:/etc/postfix/relocated
 relocated_maps = hash:/etc/postfix/relocated
 </pre>
 %PARAM relocated_prefix_enable  yes
 <p> Prepend the prefix "<b>5.1.6 User has moved to </b>" to all
 relocated_maps lookup results. With "relocated_prefix_enable =
 no", all lookup results must contain a valid RFC 3463 compliant
 enhanced status code and text (format: "[45].number.number text...").
 <p>
 Example:
 </p>
 <pre>
 /etc/postfix/main.cf:
    relocated_maps = hash:/etc/postfix/relocated
    relocated_prefix_enable = no
 <br>
 hash:/etc/postfix/relocated:
    user@example.com 5.2.1 User account is disabled
 </pre>
 %PARAM require_home_directory no
 <p>
@ -5496,12 +5471,7 @@ The maps_rbl_reject_code parameter specifies the response code for
 rejected requests (default:  554), the default_rbl_reply  parameter
 specifies the default server reply, and the rbl_reply_maps  parameter
 specifies tables with server replies indexed by <i>rbl_domain</i>.
-<br>
+This feature is available in Postfix 2.0 and later.  </dd>
 NOTE: Always respect the usage policies of reputation services. Avoid 
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking the key in SMTP server
 responses). <br>
 This feature is available in Postfix 2.0 and later. </dd>
 <dt><b><a name="permit_dnswl_client">permit_dnswl_client <i>dnswl_domain=d.d.d.d</i></a></b></dt>
@ -5513,12 +5483,8 @@ If no "<i>=d.d.d.d</i>" is specified, accept the request when the
 reversed client network address is listed with any A record under
 <i>dnswl_domain</i>. <br> For safety, permit_dnswl_client is silently
 ignored when it would override reject_unauth_destination.  The
-result is DEFER_IF_REJECT when allowlist lookup fails. <br>
+result is DEFER_IF_REJECT when allowlist lookup fails.  This feature
-NOTE: Always respect the usage policies of reputation services. Avoid
+is available in Postfix 2.8 and later.  </dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP 
 server responses). <br>
 This feature is available in Postfix 2.8 and later. </dd>
 <dt><b><a name="reject_rhsbl_client">reject_rhsbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
@ -5531,14 +5497,9 @@ number..number ranges (Postfix version 2.8 and later).  If no
 hostname is listed with
 any A record under <i>rbl_domain</i>. See the reject_rbl_client
 description above for additional RBL related configuration parameters.
 <br>
 NOTE: Always respect the usage policies of reputation services. Avoid 
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP 
 server responses). <br>
 This feature is available in Postfix 2.0 and later; with Postfix
 version 2.8 and later, reject_rhsbl_reverse_client will usually
-produce better results. </dd>
+produce better results.  </dd>
 <dt><b><a name="permit_rhswl_client">permit_rhswl_client <i>rhswl_domain=d.d.d.d</i></a></b></dt>
@ -5554,12 +5515,8 @@ allowlisting should be used only to reduce false positives in e.g.
 DNS-based blocklists, and not for making access rule exceptions.
 <br> For safety, permit_rhswl_client is silently ignored when it
 would override reject_unauth_destination.  The result is DEFER_IF_REJECT
-when allowlist lookup fails. <br>
+when allowlist lookup fails.  This feature is available in Postfix
-NOTE: Always respect the usage policies of reputation services. Avoid 
+2.8 and later.  </dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP 
 server responses). <br>
 This feature is available in Postfix 2.8 and later.</dd>
 <dt><b><a name="reject_rhsbl_reverse_client">reject_rhsbl_reverse_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
@ -5570,12 +5527,8 @@ one or more ";"-separated numbers or number..number ranges.
 If no "<i>=d.d.d.d</i>" is specified, reject the request when the
 unverified reverse client hostname is listed with any A record under
 <i>rbl_domain</i>. See the reject_rbl_client description above for
-additional RBL related configuration parameters. <br>
+additional RBL related configuration parameters.  This feature is
-NOTE: Always respect the usage policies of reputation services. Avoid 
+available in Postfix 2.8 and later.  </dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP 
 server responses). <br>
 This feature is available in Postfix 2.8 and later. </dd>
 <dt><b><a name="reject_unknown_client_hostname">reject_unknown_client_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_client)</dt>
@ -6081,12 +6034,8 @@ reject_rbl_client description for additional RBL related configuration
 parameters.  Note: specify "smtpd_helo_required = yes" to fully
 enforce this restriction (without "smtpd_helo_required = yes", a
 client can simply skip reject_rhsbl_helo by not sending HELO or
-EHLO). <br>
+EHLO). This feature is available in Postfix 2.0
-NOTE: Always respect the usage policies of reputation services. Avoid 
+and later.  </dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP 
 server responses). <br>
 This feature is available in Postfix 2.0 and later. </dd>
 <dt><b><a name="reject_unknown_helo_hostname">reject_unknown_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_hostname)</dt>
@ -6394,12 +6343,8 @@ any A record under <i>rbl_domain</i>. <br> The maps_rbl_reject_code
 parameter specifies the response code for rejected requests (default:
 554); the default_rbl_reply parameter specifies the default server
 reply; and the rbl_reply_maps parameter specifies tables with server
-replies indexed by <i>rbl_domain</i>. <br>
+replies indexed by <i>rbl_domain</i>.  This feature is available
-NOTE: Always respect the usage policies of reputation services. Avoid 
+in Postfix version 2.0 and later.</dd>
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP 
 server responses). <br>
 This feature is available in Postfix version 2.0 and later.</dd>
 <dt><b><a name="reject_unauth_destination">reject_unauth_destination</a></b></dt>
@ -6916,11 +6861,6 @@ maps_rbl_reject_code parameter specifies the response code for
 rejected requests (default:  554); the default_rbl_reply parameter
 specifies the default server reply; and the rbl_reply_maps parameter
 specifies tables with server replies indexed by <i>rbl_domain</i>.
 <br>
 NOTE: Always respect the usage policies of reputation services. Avoid 
 public or ISP resolvers, unless the queries use your unique API key
 (see rbl_reply_maps for how to avoid leaking an API key in SMTP 
 server responses). <br>
 This feature is available in Postfix 2.0 and later.</dd>
 <dt><b><a name="reject_sender_login_mismatch">reject_sender_login_mismatch</a></b></dt>
@ -12119,16 +12059,14 @@ smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 <p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM smtp_tls_security_level Postfix &ge; 3.11: may; Postfix &lt; 3.11: empty
+%PARAM smtp_tls_security_level
 <p> The default SMTP TLS security level for the Postfix SMTP client.
 When a non-empty value is specified, this overrides the obsolete
 parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername;
-when no value is specified for those obsolete parameters, the default
+when no value is specified for smtp_tls_enforce_peername or the obsolete
-SMTP TLS security level is <a href="TLS_README.html#client_tls_may">may</a>
+parameters, the default SMTP TLS security level is
-(compatibility_level &ge; 3.11) or <a
+<a href="TLS_README.html#client_tls_none">none</a>. </p>
 href="TLS_README.html#client_tls_none">none</a> 
 (compatibility_level &lt; 3.11). </p>
 <p> Specify one of the following security levels: </p>
@ -14761,10 +14699,6 @@ clients,
 and postscreen(8) will update an SMTP client's DNSBL score with
 each non-error reply as described below. </p>
 <p> NOTE: Always respect the usage policies of reputation services.
 Avoid public or ISP resolvers, unless the queries use your unique
 API key. </p>
 <p> Caution: when postscreen rejects mail, its SMTP response contains
 the DNSBL
 domain name. Use the postscreen_dnsbl_reply_map feature to hide
@ -15103,12 +15037,6 @@ line. </p>
 <pre>
 /etc/postfix/reply_filter:
    # Some Microsoft servers violate RFC 2554 section 4, causing Postfix
    # to complain with "non-empty initial GSSAPI challenge from server"
    /^334\s+GSSAPI\s+supported/ 334
 </pre>
 <pre>
    # Transform garbage into "250-filler..." so that it looks like
    # one line from a multi-line reply. It does not matter what we
    # substitute here as long it has the right syntax.  The Postfix
@ -17798,7 +17726,7 @@ Milter support should be disabled. </p>
 when converting UTF-8 domain names to/from the ASCII form that is
 used for DNS lookups. Specify "yes" for compatibility with Postfix
 &le; 3.1 (not recommended). This affects the conversion of domain
-names that contain for example the German sz and the Greek sigma.
+names that contain for example the German sz and the Greek zeta.
 See https://unicode.org/cldr/utility/idna.jsp for more examples.
 </p>
@ -19554,11 +19482,13 @@ requirements for MTA-STS smtp_tls_policy_maps plugins. </p>
 <p> This feature is available in Postfix &ge; 3.10. </p>
-%PARAM smtp_tlsrpt_skip_reused_handshakes Postfix &ge; 3.11: no, Postfix 3.10: yes
+%PARAM smtp_tlsrpt_skip_reused_handshakes yes
-<p> When set to "yes", report the TLSRPT status only for "new" TLS
+<p> Do not report the TLSRPT status for TLS protocol handshakes
-sessions. When set to "no", also report the TLSRPT status for TLS
+that reuse a previously-negotiated TLS session (there is no new
-protocol handshakes that reuse a previously-negotiated TLS session.
+information to report). Report the TLSRPT status only for "new" TLS
 sessions. Set this to "no" to log the TLSRPT status of all TLS
 handshakes, for example to troubleshoot Postfix TLSRPT support.
 </p>
 <p> Note: if an SMTP over TLS connection is reused, there is no
@ -19616,8 +19546,7 @@ including the netstring encapsulation. </p>
 <p> Enable support for the "TLS-Required: no" message header, defined
 in RFC 8689. By adding this header to a message, a sender requests
-no enforcement of TLS policy. This disables TLS policy lookup, and
+no enforcement of TLS policy. This limits the Postfix SMTP client
 limits the Postfix SMTP client
 TLS security level to "may", that is, do not verify remote SMTP
 server certificates, and fall back to plaintext if TLS is unavailable.
 If a message contains a "TLS-Required: no" header, then Postfix
@ -19635,7 +19564,7 @@ SMTP server's Received: message header. </p>
 <li> <p> The default setting, "smtpd_hide_client_session = no",
 must be used for the port 25 MTA service. It provides information
-that is required by RFC 5321 section 4.4. </p>
+that is required by RFC 5321. </p>
 <li> <p> The setting "smtpd_hide_client_session = yes" may be used
 for the port 587 and 465 MUA services. This hides the SMTP client
@ -19658,56 +19587,7 @@ Received: by mail.example.com (Postfix) id postfix-queue-id
 </blockquote>
 <p> The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the FROM clause according
+and therefore it does not need to provide the information required by
-to RFC 5321 section 4.4. The redacted form still meets RFC 5322
+RFC 5321. The form does still meet RFC 5322 requirements. </p>
 requirements. </p>
 <p> This feature is available in Postfix &ge; 3.10. </p>
 %PARAM smtpd_reject_filter_maps
 <p> An optional filter that can replace a reject response from the
 Postfix SMTP server itself, or from a program that replies through
 the Postfix SMTP server. The filter is applied before the optional
 reject footers are appended. Typically, the filter will be a regexp:
 or pcre: table, where the left-hand side specifies a pattern, and
 the right-hand side specifies replacement text. </p>
 <p> The input is a server response that starts with a 4XX or 5XX
 reply code (see RFC 5321), usually followed by an enhanced status
 code (see RFC 3463) and text. The filter returns replacement text
 or indicates that there was no match. This feature cannot be used
 to change a reject reply into a non-reject one or vice versa. </p>
 <p> LIMITATION: smtpd_reject_filter_maps will not replace text that
 was already logged before the Postfix SMTP server replies to the
 remote SMTP client. To help with logfile analysis, the Postfix SMTP
 server logs both the unmodified reply (logged below as "reject
 filter in") and the replacement reply (logged below as "reject
 filter out").
 <p> Example: </p>
 <pre>
 /etc/postfix/main.cf:
    smtpd_reject_filter_maps = regexp:/etc/postfix/smtpd_reject_filter
 </pre>
 <pre>
 /etc/postfix/smtpd_reject_filter:
    # Replace soft reject with hard reject.
    /^451 4(\.6\.0 Alias expansion error)/ 550 5${1}
 </pre>
 <pre>
    # Silly rule for demo purposes.
    /^(4.+[^.])\.*$/ $1. See you later.
 </pre>
 <pre>
 /var/log/maillog:
    NOQUEUE: reject filter in: 451 4.6.0 Alias expansion error
    NOQUEUE: reject filter out: 550 5.6.0 Alias expansion error
 </pre>
 <p> This feature is available in Postfix &ge; 3.11. </p>
--- a/postfix/proto/relocated
+++ b/postfix/proto/relocated
@ -36,10 +36,9 @@
 # TABLE FORMAT
 # .ad
 # .fi
 #	The input format for the \fBpostmap\fR(1) command is as follows:
 # .IP \(bu
-#	By default, Postfix will prepend a hard-coded prefix "5.1.6 User
+#	An entry has one of the following form:
 #	has moved to " to a table lookup result, and the format for a
 #	table entry is as follows:
 #
 # .nf
 #	     \fIpattern      new_location\fR
@ -48,16 +47,6 @@
 #	Where \fInew_location\fR specifies contact information such as
 #	an email address, or perhaps a street address or telephone number.
 # .IP \(bu
 #	Postfix 3.11 and later can optionally disable the hard-coded
 #	prefix. Specify "relocated_prefix_enable = no" in main.cf, and
 #	specify relocated_maps entries with your own RFC 3463-compliant
 #	enhanced status code and text, for example:
 #
 # .nf
 #	     \fIpattern\fR      5.2.0 Mailbox is unavailable
 #	     \fIpattern\fR      5.2.1 Mailbox is disabled
 # .fi
 # .IP \(bu
 #	Empty lines and whitespace-only lines are ignored, as
 #	are lines whose first non-whitespace character is a `#'.
 # .IP \(bu
@ -134,11 +123,6 @@
 #	Optional lookup tables with new contact information for users or
 #	domains that no longer exist.
 # .PP
 #	Available with Postfix version 3.11 and later:
 # .IP "\fBrelocated_prefix_enable (yes)\fR"
 #	Prepend the prefix "\fB5.1.6 User has moved to \fR" to all
 #	relocated_maps lookup results.
 # .PP
 #	Other parameters of interest:
 # .IP "\fBinet_interfaces (all)\fR"
 #	The local network interface addresses that this mail system
--- a/postfix/proto/stop
+++ b/postfix/proto/stop
@ -1672,16 +1672,3 @@ URIs
 bugfix
 MLKEM
 cleartext
 redacted
 subclassed
 nosleep
 preload
 memcached
 Geert
 Hendrickx
 typofix
 LD
 PRELOAD
 rhansen
 XDG
 crosstalk
--- a/postfix/proto/stop.double-cc
+++ b/postfix/proto/stop.double-cc
@ -343,6 +343,3 @@ additional_info  additional_info
 ignored  ignored 
 USE_TLSRPT  USE_TLSRPT 
 encoded  encoded text can contain only alpha digit 
 ossl_digest_new  ossl_digest_new returns NULL after error ossl_digest_data 
 Richard Hansen rhansen rhansen org 
 long long or long integer 
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@ -166,32 +166,3 @@ proto  proto socketmap_table
 global mail_params h smtpd smtpd c 
 global mail_params h proto postconf proto smtp smtp c 
 proto postconf proto proto TLS_README html 
 the command line Files postmap postmap c postalias postalias c 
 verification in progress File verify verify c 
 + address failed File verify verify c 
 address failed File verify verify c 
 address failed due to a database error File verify verify c 
 failures Fix by Viktor Dukhovni Wietse Files smtp smtp h 
 Files smtp smtp h 
 proto  proto COMPATIBILITY_README html 
 smtp smtp c tlsproxy tlsproxy c proto postconf proto 
 rhansen rhansen org Files proto DATABASE_README html 
 postconf Makefile in postconf postconf c 
 dict_open Files util dict hc proxymap proxymap c 
 proxymap proxymap c 
 postmap postmap c postalias postalias c 
 client Files dict h dict_proxy c proxymap proxymap c 
 cross talk between different clients File proxymap proxymap c 
 postscreen postscreen c 
 for the h option Robert Hansen File postmap postmap c 
 Support for the ll long long etc and j intmax_t 
 postalias postalias c There is more time handling code in
 long long which just like time_t is a 64 bit type on many
 File tls tls h
 dual purpose field File tls tls h 
 conf postfix tls script discard discard c error error c 
 oqmgr qmgr c postmulti postmulti c qmgr qmgr c 
 src global config_known_tcp_ports c postmulti postmulti c 
 virtual virtual c 
 request Reported by John Doe File tlsproxy tlsproxy c 
 smtpd smtpd c smtpd smtpd_chat c global mail_params h 
--- a/postfix/proto/stop.double-install-proto-text
+++ b/postfix/proto/stop.double-install-proto-text
@ -43,7 +43,3 @@ virtual  virtual alias domain anything right hand content does not matter
 Inbound SMTP smuggling strip extra CR in CR LF CR CR LF 
 Inbound SMTP smuggling don t strip extra CR in CR LF CR CR LF 
 CR LF CR CR LF to silence false alarms from test tools
 Prepend the prefix 5 1 6 User has moved to to all
 pattern number number number text 
 to  to the lookup result With Postfix 3 11 and later specify
 has moved to to a table lookup result and the format for a
--- a/postfix/proto/stop.double-proto-html
+++ b/postfix/proto/stop.double-proto-html
@ -364,4 +364,3 @@ Postfix  Postfix legacy TLS Support
 with cipher ECDHE RSA AES256 GCM SHA384 256 256 bits 
 TLSv1 2 with cipher ECDHE RSA AES256 GCM SHA384 256 256 bits 
 The recommended socket location is still to be determined A good socket location would be under the Postfix queue directory for example smtp_tlsrpt_socket_name run tlsrpt tlsrpt sock The advantage of using a relative name is that it
 enhanced status code and text format 45 number number text 
--- a/postfix/proto/stop.spell-cc
+++ b/postfix/proto/stop.spell-cc
@ -1858,13 +1858,3 @@ TINYCDB
 getdata
 XXXSENDOPTS
 xtra
 HAPROXY
 SRVR
 DGST
 DIGEST
 OSSL
 ossl
 deduplicates
 intmax
 lflag
 REPLYCODE
--- a/postfix/proto/stop.spell-history
+++ b/postfix/proto/stop.spell-history
@ -102,14 +102,3 @@ Schulze
 tlspol
 Gueven
 Oemer
 Kozmenko
 Oleksandr
 Bataille
 balancers
 Unbroke
 XDG
 ENOTSOCK
 FustÃ
 Jiaying
 PRI
 YP
--- a/postfix/src/discard/discard.c
+++ b/postfix/src/discard/discard.c
@ -53,7 +53,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	delay values.
+/*	sub-second delay values.
 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
 /*	The sender address of postmaster notifications that are generated
 /*	by the mail system.
--- a/postfix/src/error/error.c
+++ b/postfix/src/error/error.c
@ -61,7 +61,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	delay values.
+/*	sub-second delay values.
 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
 /*	The sender address of postmaster notifications that are generated
 /*	by the mail system.
--- a/postfix/src/global/Makefile.in
+++ b/postfix/src/global/Makefile.in
@ -129,9 +129,9 @@ TESTPROG= domain_list dot_lockfile mail_addr_crunch mail_addr_find \
 	data_redirect addr_match_list safe_ultostr verify_sender_addr \
 	mail_version mail_dict server_acl uxtext mail_parm_split \
 	fold_addr smtp_reply_footer mail_addr_map normalize_mailhost_addr \
-	haproxy_srvr_test map_search delivered_hdr login_sender_match \
+	haproxy_srvr map_search delivered_hdr login_sender_match \
 	compat_level config_known_tcp_ports hfrom_format rfc2047_code \
-	ascii_header_text sendopts_test dict_sqlite_test
+	ascii_header_text sendopts_test
 LIBS	= ../../lib/lib$(LIB_PREFIX)util$(LIB_SUFFIX)
 LIB_DIR	= ../../lib
@ -381,7 +381,7 @@ smtp_reply_footer: smtp_reply_footer.c $(LIB) $(LIBS)
 normalize_mailhost_addr: normalize_mailhost_addr.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
-haproxy_srvr_test: haproxy_srvr_test.c $(LIB) $(LIBS)
+haproxy_srvr: haproxy_srvr.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
 map_search: map_search.c $(LIB) $(LIBS)
@ -408,10 +408,6 @@ ascii_header_text: ascii_header_text.c $(LIB) $(LIBS)
 sendopts_test: sendopts_test.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
 dict_sqlite_test: dict_sqlite_test.c dict_sqlite.o $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c dict_sqlite.o $(LIB) $(LIBS) \
 	    $(SYSLIBS) $(AUXLIBS_SQLITE)
 config_known_tcp_ports: config_known_tcp_ports.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
@ -422,10 +418,10 @@ tests: tok822_test mime_tests strip_addr_test tok822_limit_test \
 	safe_ultostr_test mail_parm_split_test fold_addr_test \
 	smtp_reply_footer_test off_cvt_test mail_addr_crunch_test \
 	mail_addr_find_test mail_addr_map_test quote_822_local_test \
-	normalize_mailhost_addr_test test_haproxy_srvr map_search_test \
+	normalize_mailhost_addr_test haproxy_srvr_test map_search_test \
 	delivered_hdr_test login_sender_match_test compat_level_test \
 	config_known_tcp_ports_test hfrom_format_test rfc2047_code_test \
-	ascii_header_text_test test_sendopts test_dict_sqlite
+	ascii_header_text_test test_sendopts
 mime_tests: mime_test mime_nest mime_8bit mime_dom mime_trunc mime_cvt \
 	mime_cvt2 mime_cvt3 mime_garb1 mime_garb2 mime_garb3 mime_garb4
@ -743,8 +739,10 @@ normalize_mailhost_addr_test: update normalize_mailhost_addr
 	diff /dev/null normalize_mailhost_addr.tmp
 	rm -f normalize_mailhost_addr.tmp
-test_haproxy_srvr: update haproxy_srvr_test
+haproxy_srvr_test: update haproxy_srvr
-	$(SHLIB_ENV) $(VALGRIND) ./haproxy_srvr_test
+	-$(SHLIB_ENV) $(VALGRIND) ./haproxy_srvr >haproxy_srvr.tmp 2>&1
 	diff /dev/null haproxy_srvr.tmp
 	rm -f haproxy_srvr.tmp
 map_search_test: update map_search map_search.ref
 	-$(SHLIB_ENV) $(VALGRIND) ./map_search >map_search.tmp 2>&1
@ -796,10 +794,7 @@ ascii_header_text_test: update ascii_header_text
 	$(SHLIB_ENV) $(VALGRIND) ./ascii_header_text
 test_sendopts: update sendopts_test
-	$(SHLIB_ENV) $(VALGRIND) ./sendopts_test
+	-$(SHLIB_ENV) $(VALGRIND) ./sendopts_test
 test_dict_sqlite: update dict_sqlite_test
 	$(SHLIB_ENV) $(VALGRIND) ./dict_sqlite_test
 clean:
 	rm -f *.o $(LIB) *core $(TESTPROG) junk $(MAPS)
@ -1223,12 +1218,10 @@ dict_memcache.o: ../../include/argv.h
 dict_memcache.o: ../../include/auto_clnt.h
 dict_memcache.o: ../../include/check_arg.h
 dict_memcache.o: ../../include/dict.h
 dict_memcache.o: ../../include/hex_code.h
 dict_memcache.o: ../../include/match_list.h
 dict_memcache.o: ../../include/msg.h
 dict_memcache.o: ../../include/myflock.h
 dict_memcache.o: ../../include/mymalloc.h
 dict_memcache.o: ../../include/ossl_digest.h
 dict_memcache.o: ../../include/stringops.h
 dict_memcache.o: ../../include/sys_defs.h
 dict_memcache.o: ../../include/vbuf.h
@ -1338,19 +1331,6 @@ dict_sqlite.o: db_common.h
 dict_sqlite.o: dict_sqlite.c
 dict_sqlite.o: dict_sqlite.h
 dict_sqlite.o: string_list.h
 dict_sqlite_test.o: ../../include/argv.h
 dict_sqlite_test.o: ../../include/check_arg.h
 dict_sqlite_test.o: ../../include/dict.h
 dict_sqlite_test.o: ../../include/msg.h
 dict_sqlite_test.o: ../../include/msg_vstream.h
 dict_sqlite_test.o: ../../include/myflock.h
 dict_sqlite_test.o: ../../include/stringops.h
 dict_sqlite_test.o: ../../include/sys_defs.h
 dict_sqlite_test.o: ../../include/vbuf.h
 dict_sqlite_test.o: ../../include/vstream.h
 dict_sqlite_test.o: ../../include/vstring.h
 dict_sqlite_test.o: dict_sqlite.h
 dict_sqlite_test.o: dict_sqlite_test.c
 domain_list.o: ../../include/argv.h
 domain_list.o: ../../include/check_arg.h
 domain_list.o: ../../include/match_list.h
@ -1532,7 +1512,6 @@ haproxy_srvr.o: ../../include/inet_proto.h
 haproxy_srvr.o: ../../include/msg.h
 haproxy_srvr.o: ../../include/myaddrinfo.h
 haproxy_srvr.o: ../../include/mymalloc.h
 haproxy_srvr.o: ../../include/normalize_v4mapped_addr.h
 haproxy_srvr.o: ../../include/sock_addr.h
 haproxy_srvr.o: ../../include/split_at.h
 haproxy_srvr.o: ../../include/stringops.h
@ -1542,18 +1521,6 @@ haproxy_srvr.o: ../../include/vbuf.h
 haproxy_srvr.o: ../../include/vstring.h
 haproxy_srvr.o: haproxy_srvr.c
 haproxy_srvr.o: haproxy_srvr.h
 haproxy_srvr_test.o: ../../include/check_arg.h
 haproxy_srvr_test.o: ../../include/msg.h
 haproxy_srvr_test.o: ../../include/msg_vstream.h
 haproxy_srvr_test.o: ../../include/myaddrinfo.h
 haproxy_srvr_test.o: ../../include/sock_addr.h
 haproxy_srvr_test.o: ../../include/stringops.h
 haproxy_srvr_test.o: ../../include/sys_defs.h
 haproxy_srvr_test.o: ../../include/vbuf.h
 haproxy_srvr_test.o: ../../include/vstream.h
 haproxy_srvr_test.o: ../../include/vstring.h
 haproxy_srvr_test.o: haproxy_srvr.h
 haproxy_srvr_test.o: haproxy_srvr_test.c
 header_body_checks.o: ../../include/argv.h
 header_body_checks.o: ../../include/check_arg.h
 header_body_checks.o: ../../include/dict.h
--- a/postfix/src/global/config_known_tcp_ports.c
+++ b/postfix/src/global/config_known_tcp_ports.c
@ -14,10 +14,10 @@
 /*	in the settings argument, and reports any warnings to the standard
 /*	error stream. The source argument is used to provide warning
 /*	context. It typically is a configuration parameter name.
-/* EXPECTED SYNTAX (ABNF)
+/* .SH EXPECTED SYNTAX (ABNF)
 /*	configuration = empty | name-to-port *("," name-to-port)
 /*	name-to-port = 1*(name "=") port
-/* EXAMPLES
+/* SH EXAMPLES
 /*	In the example below, the whitespace is optional.
 /*	smtp = 25, smtps = submissions = 465, submission = 587
 /* LICENSE
--- a/postfix/src/global/data_redirect.c
+++ b/postfix/src/global/data_redirect.c
@ -227,7 +227,7 @@ int     main(int argc, char **argv)
 	    vstream_fflush(VSTREAM_OUT);
 	    continue;
 	}
-	target = mystrtokq(&bufp, " \t", CHARS_BRACE);
+	target = mystrtokq(&bufp, " \t");
 	junk = mystrtok(&bufp, " \t");
 	if (strcmp(cmd, "file") == 0 && target && !junk) {
 	    data_redirect_file(result, target);
--- a/postfix/src/global/dict_ldap.c
+++ b/postfix/src/global/dict_ldap.c
@ -1876,7 +1876,7 @@ DICT   *dict_ldap_open(const char *ldapsource, int open_flags, int dict_flags)
     * Return the new dict_ldap structure.
     */
    dict_ldap->dict.owner = cfg_get_owner(dict_ldap->parser);
-    return (&dict_ldap->dict);
+    return (DICT_DEBUG (&dict_ldap->dict));
 }
 #endif
--- a/postfix/src/global/dict_memcache.c
+++ b/postfix/src/global/dict_memcache.c
@ -50,11 +50,9 @@
 /* Utility library. */
 #include <hex_code.h>
 #include <msg.h>
 #include <mymalloc.h>
 #include <dict.h>
 #include <ossl_digest.h>
 #include <vstring.h>
 #include <stringops.h>
 #include <auto_clnt.h>
@ -77,11 +75,6 @@ typedef struct {
    DICT    dict;			/* parent class */
    CFG_PARSER *parser;			/* common parameter parser */
    void   *dbc_ctxt;			/* db_common context */
    char   *key_digest;			/* digest the query key */
 #ifdef USE_TLS
    OSSL_DGST *key_dgst_eng;		/* digest engine */
    VSTRING *key_dgst_out;		/* digest result */
 #endif
    char   *key_format;			/* query key translation */
    int     timeout;			/* client timeout */
    int     mc_ttl;			/* memcache update expiration */
@ -106,7 +99,6 @@ typedef struct {
 #define DICT_MC_DEF_PORT	"11211"
 #define DICT_MC_DEF_MEMCACHE	"inet:" DICT_MC_DEF_HOST ":" DICT_MC_DEF_PORT
 #define DICT_MC_DEF_KEY_FMT	"%s"
 #define DICT_MC_DEF_KEY_DGST	""
 #define DICT_MC_DEF_MC_TTL	3600
 #define DICT_MC_DEF_MC_TIMEOUT	2
 #define DICT_MC_DEF_MC_FLAGS	0
@ -117,7 +109,6 @@ typedef struct {
 #define DICT_MC_NAME_MEMCACHE	"memcache"
 #define DICT_MC_NAME_BACKUP	"backup"
 #define DICT_MC_NAME_KEY_DGST	"key_digest"
 #define DICT_MC_NAME_KEY_FMT	"key_format"
 #define DICT_MC_NAME_MC_TTL	"ttl"
 #define DICT_MC_NAME_MC_TIMEOUT	"timeout"
@ -172,7 +163,7 @@ static int dict_memcache_set(DICT_MC *dict_mc, const char *value, int ttl)
 			 DICT_TYPE_MEMCACHE, dict_mc->dict.name);
 	} else if (strcmp(STR(dict_mc->clnt_buf), "STORED") != 0) {
 	    if (count > 0)
-		msg_warn("database %s:%s: update failed: %.100s",
+		msg_warn("database %s:%s: update failed: %.30s",
 			 DICT_TYPE_MEMCACHE, dict_mc->dict.name,
 			 STR(dict_mc->clnt_buf));
 	} else {
@ -294,20 +285,6 @@ static ssize_t dict_memcache_prepare_key(DICT_MC *dict_mc, const char *name)
    } else {
 	vstring_strcpy(dict_mc->key_buf, name);
    }
 #ifdef USE_TLS
    if (dict_mc->key_dgst_eng) {
 	if (ossl_digest_data(dict_mc->key_dgst_eng, STR(dict_mc->key_buf),
 			LEN(dict_mc->key_buf), dict_mc->key_dgst_out) < 0) {
 	    ossl_digest_log_errors(msg_warn);
 	    msg_warn("%s:%s: %s message digest failed",
 		     DICT_TYPE_MEMCACHE, dict_mc->dict.name,
 		     dict_mc->key_digest);
 	    return (-1);
 	}
 	hex_encode_opt(dict_mc->key_buf, STR(dict_mc->key_dgst_out),
 		     LEN(dict_mc->key_dgst_out), HEX_ENCODE_FLAG_LOWERCASE);
    }
 #endif
    /*
     * The length indicates whether the expansion is empty or not.
@ -338,10 +315,8 @@ static int dict_memcache_valid_key(DICT_MC *dict_mc,
 	DICT_MC_SKIP("domain mismatch");
    if (rc < 0)
 	DICT_ERR_VAL_RETURN(dict_mc, rc, 0);
-    if ((rc = dict_memcache_prepare_key(dict_mc, name)) == 0)
+    if (dict_memcache_prepare_key(dict_mc, name) == 0)
 	DICT_MC_SKIP("empty lookup key expansion");
    if (rc < 0)
 	DICT_ERR_VAL_RETURN(dict_mc, rc, 0);
    for (cp = (unsigned char *) STR(dict_mc->key_buf); *cp; cp++)
 	if (isascii(*cp) && isspace(*cp))
 	    DICT_MC_SKIP("name contains space");
@ -505,14 +480,6 @@ static void dict_memcache_close(DICT *dict)
    cfg_parser_free(dict_mc->parser);
    db_common_free_ctx(dict_mc->dbc_ctxt);
    if (dict_mc->key_digest)
 	myfree(dict_mc->key_digest);
 #ifdef USE_TLS
    if (dict_mc->key_dgst_eng)
 	ossl_digest_free(dict_mc->key_dgst_eng);
    if (dict_mc->key_dgst_out)
 	vstring_free(dict_mc->key_dgst_out);
 #endif
    if (dict_mc->key_format)
 	myfree(dict_mc->key_format);
    myfree(dict_mc->memcache);
@ -575,19 +542,6 @@ DICT   *dict_memcache_open(const char *name, int open_flags, int dict_flags)
     * Parse the configuration file.
     */
    dict_mc->parser = parser;
    dict_mc->key_digest = cfg_get_str(dict_mc->parser, DICT_MC_NAME_KEY_DGST,
 				      DICT_MC_DEF_KEY_DGST, 0, 0);
 #ifdef USE_TLS
    if (*dict_mc->key_digest) {
 	if ((dict_mc->key_dgst_eng = ossl_digest_new(dict_mc->key_digest)) == 0)
 	    /* See below for dict_surrogate() error propagation. */
 	    ossl_digest_log_errors(msg_warn);
 	dict_mc->key_dgst_out = vstring_alloc(1);
    } else {
 	dict_mc->key_dgst_eng = 0;
 	dict_mc->key_dgst_out = 0;
    }
 #endif
    dict_mc->key_format = cfg_get_str(dict_mc->parser, DICT_MC_NAME_KEY_FMT,
 				      DICT_MC_DEF_KEY_FMT, 0, 0);
    dict_mc->timeout = cfg_get_int(dict_mc->parser, DICT_MC_NAME_MC_TIMEOUT,
@ -640,27 +594,5 @@ DICT   *dict_memcache_open(const char *name, int open_flags, int dict_flags)
    dict_mc->dict.flags |= DICT_FLAG_MULTI_WRITER;
 #ifdef USE_TLS
    if (*dict_mc->key_digest && dict_mc->key_dgst_eng == 0) {
 	/* See above for ossl_digest_new() error detection. */
 	DICT   *d = dict_surrogate(DICT_TYPE_MEMCACHE, name,
 				   open_flags, dict_flags,
 				   "open %s: key digest %s is not available",
 				   name, dict_mc->key_digest);
 	dict_memcache_close(&dict_mc->dict);
 	return (d);
    }
 #else
    if (*dict_mc->key_digest) {
 	DICT   *d = dict_surrogate(DICT_TYPE_MEMCACHE, name,
 				   open_flags, dict_flags, "%s support "
 				   "requires build with -DUSE_TLS",
 				   DICT_MC_NAME_KEY_DGST);
 	dict_memcache_close(&dict_mc->dict);
 	return (d);
    }
 #endif
    return (&dict_mc->dict);
 }
--- a/postfix/src/global/dict_mongodb.c
+++ b/postfix/src/global/dict_mongodb.c
@ -564,7 +564,7 @@ DICT   *dict_mongodb_open(const char *name, int open_flags, int dict_flags)
    mongoc_uri_destroy(uri);
    mongoc_client_set_error_api(dict_mongodb->client, MONGOC_ERROR_API_VERSION_2);
-    return (&dict_mongodb->dict);
+    return (DICT_DEBUG (&dict_mongodb->dict));
 }
 #endif
--- a/postfix/src/global/dict_mysql.c
+++ b/postfix/src/global/dict_mysql.c
@ -759,7 +759,7 @@ static void mysql_parse_config(DICT_MYSQL *dict_mysql, const char *mysqlcf)
    }
    /* Don't blacklist the load balancer! */
    if (dict_mysql->hosts->argc == 1)
-	argv_add(dict_mysql->hosts, dict_mysql->hosts->argv[0], (char *) 0);
+        argv_add(dict_mysql->hosts, dict_mysql->hosts->argv[0], (char *) 0);
    myfree(hosts);
 }
@ -797,7 +797,7 @@ DICT   *dict_mysql_open(const char *name, int open_flags, int dict_flags)
    if (dict_mysql->pldb == NULL)
 	msg_fatal("couldn't initialize pldb!\n");
    dict_mysql->dict.owner = cfg_get_owner(dict_mysql->parser);
-    return (&dict_mysql->dict);
+    return (DICT_DEBUG (&dict_mysql->dict));
 }
 /*
--- a/postfix/src/global/dict_pgsql.c
+++ b/postfix/src/global/dict_pgsql.c
@ -744,7 +744,7 @@ DICT   *dict_pgsql_open(const char *name, int open_flags, int dict_flags)
 	return (ret);
    }
    dict_pgsql->dict.owner = cfg_get_owner(dict_pgsql->parser);
-    return (&dict_pgsql->dict);
+    return (DICT_DEBUG (&dict_pgsql->dict));
 }
 /* plpgsql_init - initialize a PGSQL database */
--- a/postfix/src/global/dict_proxy.c
+++ b/postfix/src/global/dict_proxy.c
@ -113,7 +113,6 @@ static int dict_proxy_sequence(DICT *dict, int function,
    VSTREAM *stream;
    int     status;
    int     count = 0;
    int     inst_flags;
    int     request_flags;
    /*
@ -127,8 +126,8 @@ static int dict_proxy_sequence(DICT *dict, int function,
    VSTRING_TERMINATE(dict_proxy->reskey);
    VSTRING_RESET(dict_proxy->result);
    VSTRING_TERMINATE(dict_proxy->result);
-    inst_flags = dict_proxy->inst_flags;
+    request_flags = dict_proxy->inst_flags
-    request_flags = dict->flags;
+	| (dict->flags & DICT_FLAG_RQST_MASK);
    for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
 	errno = 0;
@ -137,17 +136,15 @@ static int dict_proxy_sequence(DICT *dict, int function,
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_SEQUENCE),
 			  SEND_ATTR_STR(MAIL_ATTR_TABLE, dict->name),
 			  SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, inst_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, request_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FUNC, function),
 			  ATTR_TYPE_END) != 0
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
 			 RECV_ATTR_INT(MAIL_ATTR_STATUS, &status),
 			 RECV_ATTR_INT(MAIL_ATTR_FLAGS, &dict->flags),
 			 RECV_ATTR_STR(MAIL_ATTR_KEY, dict_proxy->reskey),
 			 RECV_ATTR_STR(MAIL_ATTR_VALUE, dict_proxy->result),
-			 ATTR_TYPE_END) != 4) {
+			 ATTR_TYPE_END) != 3) {
 	    if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno != ENOENT))
 		msg_warn("%s: service %s: %m", myname, dict_proxy->service);
 	} else {
@ -197,7 +194,6 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
    VSTREAM *stream;
    int     status;
    int     count = 0;
    int     inst_flags;
    int     request_flags;
    /*
@ -209,8 +205,8 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
     */
    VSTRING_RESET(dict_proxy->result);
    VSTRING_TERMINATE(dict_proxy->result);
-    inst_flags = dict_proxy->inst_flags;
+    request_flags = dict_proxy->inst_flags
-    request_flags = dict->flags;
+	| (dict->flags & DICT_FLAG_RQST_MASK);
    for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
 	errno = 0;
@ -219,16 +215,14 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_LOOKUP),
 			  SEND_ATTR_STR(MAIL_ATTR_TABLE, dict->name),
 			  SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, inst_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, request_flags),
 			  SEND_ATTR_STR(MAIL_ATTR_KEY, key),
 			  ATTR_TYPE_END) != 0
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
 			 RECV_ATTR_INT(MAIL_ATTR_STATUS, &status),
 			 RECV_ATTR_INT(MAIL_ATTR_FLAGS, &dict->flags),
 			 RECV_ATTR_STR(MAIL_ATTR_VALUE, dict_proxy->result),
-			 ATTR_TYPE_END) != 3) {
+			 ATTR_TYPE_END) != 2) {
 	    if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno != ENOENT))
 		msg_warn("%s: service %s: %m", myname, dict_proxy->service);
 	} else {
@ -273,7 +267,6 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
    VSTREAM *stream;
    int     status;
    int     count = 0;
    int     inst_flags;
    int     request_flags;
    /*
@ -283,8 +276,8 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
     * associated with a specific connection. Each lookup needs to specify
     * the table and the flags that were specified to dict_proxy_open().
     */
-    inst_flags = dict_proxy->inst_flags;
+    request_flags = dict_proxy->inst_flags
-    request_flags = dict->flags;
+	| (dict->flags & DICT_FLAG_RQST_MASK);
    for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
 	errno = 0;
@ -293,7 +286,6 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_UPDATE),
 			  SEND_ATTR_STR(MAIL_ATTR_TABLE, dict->name),
 			  SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, inst_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, request_flags),
 			  SEND_ATTR_STR(MAIL_ATTR_KEY, key),
 			  SEND_ATTR_STR(MAIL_ATTR_VALUE, value),
@ -301,8 +293,7 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
 			 RECV_ATTR_INT(MAIL_ATTR_STATUS, &status),
-			 RECV_ATTR_INT(MAIL_ATTR_FLAGS, &dict->flags),
+			 ATTR_TYPE_END) != 1) {
 			 ATTR_TYPE_END) != 2) {
 	    if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno != ENOENT))
 		msg_warn("%s: service %s: %m", myname, dict_proxy->service);
 	} else {
@ -346,7 +337,6 @@ static int dict_proxy_delete(DICT *dict, const char *key)
    VSTREAM *stream;
    int     status;
    int     count = 0;
    int     inst_flags;
    int     request_flags;
    /*
@ -356,8 +346,8 @@ static int dict_proxy_delete(DICT *dict, const char *key)
     * associated with a specific connection. Each lookup needs to specify
     * the table and the flags that were specified to dict_proxy_open().
     */
-    inst_flags = dict_proxy->inst_flags;
+    request_flags = dict_proxy->inst_flags
-    request_flags = dict->flags;
+	| (dict->flags & DICT_FLAG_RQST_MASK);
    for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
 	errno = 0;
@ -366,15 +356,13 @@ static int dict_proxy_delete(DICT *dict, const char *key)
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_DELETE),
 			  SEND_ATTR_STR(MAIL_ATTR_TABLE, dict->name),
 			  SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, inst_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, request_flags),
 			  SEND_ATTR_STR(MAIL_ATTR_KEY, key),
 			  ATTR_TYPE_END) != 0
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
 			 RECV_ATTR_INT(MAIL_ATTR_STATUS, &status),
-			 RECV_ATTR_INT(MAIL_ATTR_FLAGS, &dict->flags),
+			 ATTR_TYPE_END) != 1) {
 			 ATTR_TYPE_END) != 2) {
 	    if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno !=
 					     ENOENT))
 		msg_warn("%s: service %s: %m", myname, dict_proxy->service);
@ -490,20 +478,16 @@ DICT   *dict_proxy_open(const char *map, int open_flags, int dict_flags)
    dict_proxy->dict.delete = dict_proxy_delete;
    dict_proxy->dict.sequence = dict_proxy_sequence;
    dict_proxy->dict.close = dict_proxy_close;
-    dict_proxy->inst_flags = dict_flags;
+    dict_proxy->inst_flags = (dict_flags & DICT_FLAG_INST_MASK);
    dict_proxy->reskey = vstring_alloc(10);
    dict_proxy->result = vstring_alloc(10);
    dict_proxy->clnt = *pstream;
    dict_proxy->service = service;
 #define DICT_PROXY_ERR_RETURN(d) do { \
 	DICT *_d = (d); \
 	dict_proxy_close(&dict_proxy->dict); \
 	return (_d); \
    } while (0)
    /*
     * Establish initial contact and get the map type specific flags.
     * 
     * XXX Should retrieve flags from local instance.
     */
    for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
@ -512,7 +496,7 @@ DICT   *dict_proxy_open(const char *map, int open_flags, int dict_flags)
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_OPEN),
 		      SEND_ATTR_STR(MAIL_ATTR_TABLE, dict_proxy->dict.name),
-		 SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, dict_proxy->inst_flags),
+		     SEND_ATTR_INT(MAIL_ATTR_FLAGS, dict_proxy->inst_flags),
 			  ATTR_TYPE_END) != 0
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
@ -528,18 +512,15 @@ DICT   *dict_proxy_open(const char *map, int open_flags, int dict_flags)
 			 dict_flags_str(server_flags));
 	    switch (status) {
 	    case PROXY_STAT_BAD:
-		DICT_PROXY_ERR_RETURN(dict_surrogate(DICT_TYPE_PROXY,
+		msg_fatal("%s open failed for table \"%s\": invalid request",
-			      dict_proxy->dict.name, open_flags, dict_flags,
+			  dict_proxy->service, dict_proxy->dict.name);
 			 "%s open failed for table \"%s\": invalid request",
 			       dict_proxy->service, dict_proxy->dict.name));
 	    case PROXY_STAT_DENY:
-		DICT_PROXY_ERR_RETURN(dict_surrogate(DICT_TYPE_PROXY,
+		msg_fatal("%s service is not configured for table \"%s\"",
-			      dict_proxy->dict.name, open_flags, dict_flags,
+			  dict_proxy->service, dict_proxy->dict.name);
 			    "%s service is not configured for table \"%s\"",
 			       dict_proxy->service, dict_proxy->dict.name));
 	    case PROXY_STAT_OK:
-		dict_proxy->dict.flags = server_flags;
+		dict_proxy->dict.flags = (dict_flags & ~DICT_FLAG_IMPL_MASK)
-		return (&dict_proxy->dict);
+		    | (server_flags & DICT_FLAG_IMPL_MASK);
 		return (DICT_DEBUG (&dict_proxy->dict));
 	    default:
 		msg_warn("%s open failed for table \"%s\": unexpected status %d",
 			 dict_proxy->service, dict_proxy->dict.name, status);
--- a/postfix/src/global/dict_sqlite.c
+++ b/postfix/src/global/dict_sqlite.c
@ -34,13 +34,9 @@
 /*	Must be O_RDONLY.
 /* .IP dict_flags
 /*	See dict_open(3).
 /* DIAGNOSTICS
 /*	dict_sqlite_open() logs a warning when the query parameter value
 /*	does not use the recommended '' quotes to protect against SQL
 /*	injection (bad examples; no quotes or "" quotes).
 /* SEE ALSO
 /*	dict(3) generic dictionary manager
-/*	sqlite_table(5) Postfix sqlite client configuration
+/*	sqlite_table(5) sqlite client configuration
 /* AUTHOR(S)
 /*	Axel Steiner
 /*	ast@treibsand.com
@ -50,16 +46,12 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
 /*
 /*	Wietse Venema
 /*	porcupine.org
 /*--*/
 /* System library. */
 #include <sys_defs.h>
 #include <string.h>
 #include <ctype.h>
 #ifdef HAS_SQLITE
 #include <sqlite3.h>
@ -258,38 +250,6 @@ static const char *dict_sqlite_lookup(DICT *dict, const char *name)
 	    retval : 0);
 }
 /* flag_non_recommended_query - as the name says. */
 static void flag_non_recommended_query(const char *query,
 				               const char *sqlitecf)
 {
    const char *cp;
    int     in_quote;
    const int squote = '\'';
    const int dquote = '"';
    for (in_quote = 0, cp = query; *cp != 0; cp++) {
 	if (in_quote == 0) {
 	    if (*cp == squote || *cp == dquote)
 		in_quote = *cp;
 	} else if (*cp == in_quote) {
 	    in_quote = 0;
 	}
 	if (in_quote == squote)
 	    continue;
 	if (*cp == '%') {
 	    if (cp[1] == '%') {
 		cp += 1;
 	    } else if (ISALNUM(cp[1])) {
 		msg_warn("%s:%s: query >%s< contains >%.2s< without the "
 			 "recommended '' quotes", DICT_TYPE_SQLITE, sqlitecf,
 			 query, cp);
 		cp += 1;
 	    }
 	}
    }
 }
 /* sqlite_parse_config - parse sqlite configuration file */
 static void sqlite_parse_config(DICT_SQLITE *dict_sqlite, const char *sqlitecf)
@ -308,8 +268,6 @@ static void sqlite_parse_config(DICT_SQLITE *dict_sqlite, const char *sqlitecf)
 	db_common_sql_build_query(buf, dict_sqlite->parser);
 	dict_sqlite->query = vstring_export(buf);
    }
    /* Flag %[a-zA-Z0-9] if not protected with ''. */
    flag_non_recommended_query(dict_sqlite->query, sqlitecf);
    dict_sqlite->result_format =
 	cfg_get_str(dict_sqlite->parser, "result_format", "%s", 1, 0);
    dict_sqlite->expansion_limit =
@ -377,7 +335,7 @@ DICT   *dict_sqlite_open(const char *name, int open_flags, int dict_flags)
    }
    dict_sqlite->dict.owner = cfg_get_owner(dict_sqlite->parser);
-    return (&dict_sqlite->dict);
+    return (DICT_DEBUG (&dict_sqlite->dict));
 }
 #endif
--- a/postfix/src/global/dict_sqlite.h
+++ b/postfix/src/global/dict_sqlite.h
@ -23,6 +23,7 @@
 extern DICT *dict_sqlite_open(const char *, int, int);
 /* AUTHOR(S)
 /*	Axel Steiner
 /*	ast@treibsand.com
--- a/postfix/src/global/dict_sqlite_test.c
+++ b/postfix/src/global/dict_sqlite_test.c
@ -1,247 +0,0 @@
 /*++
 /* NAME
 /*	dict_sqlite_test 1t
 /* SUMMARY
 /*	dict_sqlite unit test
 /* SYNOPSIS
 /*	./dict_sqlite_test
 /* DESCRIPTION
 /*	dict_sqlite_test runs and logs each configured test, reports if
 /*	a test is a PASS or FAIL, and returns an exit status of zero if
 /*	all tests are a PASS.
 /*
 /*	Each test creates a temporary test database and a corresponding
 /*	Postfix sqlite client configuration file, both having unique
 /*	names. Otherwise, each test is hermetic.
 /* LICENSE
 /* .ad
 /* .fi
 /*	The Secure Mailer license must be distributed with this software.
 /* AUTHOR(S)
 /*	Wietse Venema porcupine.org
 /*--*/
 /*	
 /*
  * System library.
  */
 #include <sys_defs.h>
 #include <stdlib.h>
 #include <string.h>
 /*
  * Utility library.
  */
 #include <msg.h>
 #include <msg_vstream.h>
 #include <stringops.h>
 /*
  * Global library.
  */
 #include <dict_sqlite.h>
 /*
  * TODO(wietse) make this a proper VSTREAM interface or test helper API.
  */
 /* vstream_swap - capture output for testing */
 static void vstream_swap(VSTREAM *one, VSTREAM *two)
 {
    VSTREAM save;
    save = *one;
    *one = *two;
    *two = save;
 }
 /*
  * Override the printable.c module because it may break some tests.
  * 
  * TODO(wietse) move this to a fake_printable.c module that can override all
  * printable.c global symbols.
  */
 int     util_utf8_enable;
 char   *printable_except(char *string, int replacement, const char *except)
 {
    return (string);
 }
 /*
  * Scaffolding for dict_sqlite(3) tests.
  */
 /* create_and_populate_db - create an empty database and optionally populate */
 static void create_and_populate_db(char *dbpath, const char *commands)
 {
    int     fd;
    /*
     * Create an empty database file with a unique name. Assume that an
     * adversary cannot rename or remove the file.
     */
    if ((fd = mkstemp(dbpath)) < 0)
 	msg_fatal("mkstemp(\"%s\"): %m", dbpath);
    if (close(fd) < 0)
 	msg_fatal("close %s: %m", dbpath);
    /*
     * TODO(wietse) Open the database file, prepare and execute commands
     * to populate the database, and close the database.
     */
    if (commands) {
 	msg_fatal("commands are not yet supported");
    }
 }
 /* create_and_populate_cf - create sqlite_table(5) configuration file */
 static void create_and_populate_cf(char *cfpath, const char *dbpath,
 				          const char *cftext)
 {
    int     fd;
    VSTREAM *fp;
    /*
     * Create an empty sqlite_table(5) configuration file with a unique name.
     * Assume that an adversary cannot rename or remove the file.
     */
    if ((fd = mkstemp(cfpath)) < 0)
 	msg_fatal("mkstemp(\"%s\"): %m", cfpath);
    if ((fp = vstream_fdopen(fd, O_WRONLY)) == 0)
 	msg_fatal("vstream_fdopen: %m");
    (void) vstream_fprintf(fp, "%s\ndbpath = %s\n", cftext, dbpath);
    if (vstream_fclose(fp) != 0)
 	msg_fatal("vstream_fdclose: %m");
 }
 /*
  * Test structure. Some tests may come their own.
  */
 typedef struct TEST_CASE {
    const char *label;
    int     (*action) (const struct TEST_CASE *);
    const char *commands;		/* commands or null */
    const char *settings;		/* sqlite_table(5) */
    const char *exp_warning;		/* substring match or null */
 } TEST_CASE;
 #define PASS    (0)
 #define FAIL    (1)
 #define PATH_TEMPLATE	"/tmp/test-XXXXXXX"
 /* test_flag_non_recommended_query - flag non-recommended query payloads */
 static int test_flag_non_recommended_query(const TEST_CASE *tp)
 {
    static VSTRING *msg_buf;
    VSTREAM *memory_stream;
    const char template[] = PATH_TEMPLATE;
    char    dbpath[sizeof(template)];
    char    cfpath[sizeof(template)];
    DICT   *dict;
    if (msg_buf == 0)
 	msg_buf = vstring_alloc(100);
    /* Prepare scaffolding database and configuration files. */
    memcpy(dbpath, template, sizeof(dbpath));
    create_and_populate_db(dbpath, tp->commands);
    memcpy(cfpath, template, sizeof(cfpath));
    create_and_populate_cf(cfpath, dbpath, tp->settings);
    /* Run the test with custom STDERR stream. */
    VSTRING_RESET(msg_buf);
    VSTRING_TERMINATE(msg_buf);
    if ((memory_stream = vstream_memopen(msg_buf, O_WRONLY)) == 0)
 	msg_fatal("open memory stream: %m");
    vstream_swap(VSTREAM_ERR, memory_stream);
    if ((dict = dict_sqlite_open(cfpath, O_RDONLY, DICT_FLAG_UTF8_REQUEST)) != 0)
 	dict_close(dict);
    vstream_swap(memory_stream, VSTREAM_ERR);
    if (vstream_fclose(memory_stream))
 	msg_fatal("close memory stream: %m");
    /* Cleanup scaffolding database and configuration files. */
    if (unlink(dbpath) < 0)
 	msg_fatal("unlink %s: %m", dbpath);
    if (unlink(cfpath) < 0)
 	msg_fatal("unlink %s: %m", cfpath);
    /* Verify the results. */
    if (tp->exp_warning == 0 && VSTRING_LEN(msg_buf) > 0) {
 	msg_warn("got warning ``%s'', want ``null''", vstring_str(msg_buf));
 	return (FAIL);
    }
    if (tp->exp_warning != 0
 	&& strstr(vstring_str(msg_buf), tp->exp_warning) == 0) {
 	msg_warn("got warning ``%s'', want ``%s''",
 		 vstring_str(msg_buf), tp->exp_warning);
 	return (FAIL);
    }
    return (PASS);
 }
 /*
  * The list of test cases.
  */
 static const TEST_CASE test_cases[] = {
    /*
     * Tests to flag non-recommended query forms. These create an empty test
     * database, and open it with the dict_sqlite client without querying it.
     */
    {.label = "no_dynamic_payload",
 	.action = test_flag_non_recommended_query,
 	.settings = "query = select a from b where c = 5",
    },
    {.label = "dynamic_payload_inside_recommended_quotes",
 	.action = test_flag_non_recommended_query,
 	.settings = "query = select a from b where c = 'xx%syy'",
    },
    {.label = "dynamic_payload_without_quotes",
 	.action = test_flag_non_recommended_query,
 	.settings = "query = select s from b where c = xx%syy",
 	.exp_warning = "contains >%s< without the recommended '' quotes",
    },
    {.label = "payload_inside_double_quotes",
 	.action = test_flag_non_recommended_query,
 	.settings = "query = select s from b where c = \"xx%syy\"",
 	.exp_warning = "contains >%s< without the recommended '' quotes",
    },
    /*
     * TODO: Tests that actually populate a test database, and that query it
     * with the dict_sqlite client.
     */
    {0},
 };
 int     main(int argc, char **argv)
 {
    const TEST_CASE *tp;
    int     pass = 0;
    int     fail = 0;
    msg_vstream_init(sane_basename((VSTRING *) 0, argv[0]), VSTREAM_ERR);
    for (tp = test_cases; tp->label != 0; tp++) {
 	int     test_failed;
 	msg_info("RUN  %s", tp->label);
 	test_failed = tp->action(tp);
 	if (test_failed) {
 	    msg_info("FAIL %s", tp->label);
 	    fail++;
 	} else {
 	    msg_info("PASS %s", tp->label);
 	    pass++;
 	}
    }
    msg_info("PASS=%d FAIL=%d", pass, fail);
    exit(fail != 0);
 }
--- a/postfix/src/global/haproxy_srvr.c
+++ b/postfix/src/global/haproxy_srvr.c
@ -6,31 +6,6 @@
 /* SYNOPSIS
 /*	#include <haproxy_srvr.h>
 /*
 /*	const char *haproxy_srvr_parse_sa(
 /*	const char *str,
 /*	ssize_t	*str_len,
 /*	int	*non_proxy,
 /*	MAI_HOSTADDR_STR *smtp_client_addr,
 /*	MAI_SERVPORT_STR *smtp_client_port,
 /*	MAI_HOSTADDR_STR *smtp_server_addr,
 /*	MAI_SERVPORT_STR *smtp_server_port,
 /*	struct sockaddr *client_sa,
 /*	SOCKADDR_SIZE *client_sa_len,
 /*	struct sockaddr *server_sa,
 /*	SOCKADDR_SIZE *server_sa_len)
 /*
 /*	const char *haproxy_srvr_receive_sa(
 /*	int	fd,
 /*	int	*non_proxy,
 /*	MAI_HOSTADDR_STR *smtp_client_addr,
 /*	MAI_SERVPORT_STR *smtp_client_port,
 /*	MAI_HOSTADDR_STR *smtp_server_addr,
 /*	MAI_SERVPORT_STR *smtp_server_port,
 /*	struct sockaddr *client_sa,
 /*	SOCKADDR_SIZE *client_sa_len,
 /*	struct sockaddr *server_sa,
 /*	SOCKADDR_SIZE *server_sa_len)
 /* ABI COMPATIBILITY
 /*	const char *haproxy_srvr_parse(str, str_len, non_proxy,
 /*			smtp_client_addr, smtp_client_port,
 /*			smtp_server_addr, smtp_server_port)
@ -52,7 +27,7 @@
 /*	MAI_HOSTADDR_STR *smtp_server_addr,
 /*	MAI_SERVPORT_STR *smtp_server_port;
 /* DESCRIPTION
-/*	haproxy_srvr_parse_sa() parses a haproxy v1 or v2 protocol
+/*	haproxy_srvr_parse() parses a haproxy v1 or v2 protocol
 /*	message. The result is null in case of success, a pointer
 /*	to text (with the error type) in case of error. If both
 /*	IPv6 and IPv4 support are enabled, IPV4_IN_IPV6 address
@ -61,7 +36,7 @@
 /*	of bytes parsed, and the non_proxy argument is true or false
 /*	if the haproxy message specifies a non-proxied connection.
 /*
-/*	haproxy_srvr_receive_sa() receives and parses a haproxy protocol
+/*	haproxy_srvr_receive() receives and parses a haproxy protocol
 /*	handshake. This must be called before any I/O is done on
 /*	the specified file descriptor. The result is 0 in case of
 /*	success, -1 in case of error. All errors are logged.
@ -70,13 +45,6 @@
 /*	TCP over IPv6, and non-proxied connections. In the latter
 /*	case, the caller is responsible for any local or remote
 /*	address/port lookup.
 /*
 /*	The client or server sockaddr and length storage are updated
 /*	when their pointers are non-null.
 /*
 /*	haproxy_srvr_parse() and haproxy_srvr_receive() provide ABI
 /*	backwards compatibility, passing null pointers for the sockaddr
 /*	and length storage arguments.
 /* LICENSE
 /* .ad
 /* .fi
@ -91,9 +59,6 @@
 /*	Google, Inc.
 /*	111 8th Avenue
 /*	New York, NY 10011, USA
 /*
 /*	Wietse Venema
 /*	porcupine.org
 /*--*/
 /* System library. */
@ -117,13 +82,89 @@
 #include <inet_proto.h>
 #include <split_at.h>
 #include <sock_addr.h>
 #include <normalize_v4mapped_addr.h>
 /* Global library. */
 #define _HAPROXY_SRVR_INTERNAL_
 #include <haproxy_srvr.h>
 /* Application-specific. */
 /*
  * The haproxy protocol assumes that a haproxy header will normally not
  * exceed the default IPv4 TCP MSS, i.e. 576-40=536 bytes (the IPv6 default
  * is larger: 1280-60=1220). With a proxy header that contains IPv6
  * addresses, that leaves room for 536-52=484 bytes of TLVs. The Postfix
  * implementation does not support headers with UNIX-domain addresses.
  */
 #define HAPROXY_HEADER_MAX_LEN		536
 /*
  * Begin protocol v2 definitions from haproxy/include/types/connection.h.
  */
 #define PP2_SIGNATURE		"\r\n\r\n\0\r\nQUIT\n"
 #define PP2_SIGNATURE_LEN	12
 #define PP2_HEADER_LEN		16
 /* ver_cmd byte */
 #define PP2_CMD_LOCAL		0x00
 #define PP2_CMD_PROXY		0x01
 #define PP2_CMD_MASK		0x0F
 #define PP2_VERSION		0x20
 #define PP2_VERSION_MASK	0xF0
 /* fam byte */
 #define PP2_TRANS_UNSPEC	0x00
 #define PP2_TRANS_STREAM	0x01
 #define PP2_TRANS_DGRAM		0x02
 #define PP2_TRANS_MASK		0x0F
 #define PP2_FAM_UNSPEC		0x00
 #define PP2_FAM_INET		0x10
 #define PP2_FAM_INET6		0x20
 #define PP2_FAM_UNIX		0x30
 #define PP2_FAM_MASK		0xF0
 /* len field (2 bytes) */
 #define PP2_ADDR_LEN_UNSPEC	(0)
 #define PP2_ADDR_LEN_INET	(4 + 4 + 2 + 2)
 #define PP2_ADDR_LEN_INET6	(16 + 16 + 2 + 2)
 #define PP2_ADDR_LEN_UNIX	(108 + 108)
 #define PP2_HDR_LEN_UNSPEC	(PP2_HEADER_LEN + PP2_ADDR_LEN_UNSPEC)
 #define PP2_HDR_LEN_INET	(PP2_HEADER_LEN + PP2_ADDR_LEN_INET)
 #define PP2_HDR_LEN_INET6	(PP2_HEADER_LEN + PP2_ADDR_LEN_INET6)
 #define PP2_HDR_LEN_UNIX	(PP2_HEADER_LEN + PP2_ADDR_LEN_UNIX)
 struct proxy_hdr_v2 {
    uint8_t sig[PP2_SIGNATURE_LEN];	/* PP2_SIGNATURE */
    uint8_t ver_cmd;			/* protocol version | command */
    uint8_t fam;			/* protocol family and transport */
    uint16_t len;			/* length of remainder */
    union {
 	struct {			/* for TCP/UDP over IPv4, len = 12 */
 	    uint32_t src_addr;
 	    uint32_t dst_addr;
 	    uint16_t src_port;
 	    uint16_t dst_port;
 	}       ip4;
 	struct {			/* for TCP/UDP over IPv6, len = 36 */
 	    uint8_t src_addr[16];
 	    uint8_t dst_addr[16];
 	    uint16_t src_port;
 	    uint16_t dst_port;
 	}       ip6;
 	struct {			/* for AF_UNIX sockets, len = 216 */
 	    uint8_t src_addr[108];
 	    uint8_t dst_addr[108];
 	}       unx;
    }       addr;
 };
 /*
  * End protocol v2 definitions from haproxy/include/types/connection.h.
  */
 static const INET_PROTO_INFO *proto_info;
 #define STR_OR_NULL(str) ((str) ? (str) : "(null)")
@ -182,14 +223,10 @@ static int haproxy_srvr_parse_proto(const char *str, int *addr_family)
 /* haproxy_srvr_parse_addr - extract and validate IP address */
 static int haproxy_srvr_parse_addr(const char *str, MAI_HOSTADDR_STR *addr,
-				           int addr_family,
+				           int addr_family)
 				           struct sockaddr *sa,
 				           SOCKADDR_SIZE *sa_len)
 {
-    struct addrinfo *res;
+    struct addrinfo *res = 0;
    int     err;
    struct sockaddr_storage ss;
    SOCKADDR_SIZE ss_len;
    if (msg_verbose)
 	msg_info("haproxy_srvr_parse: addr=%s proto=%d",
@ -201,60 +238,30 @@ static int haproxy_srvr_parse_addr(const char *str, MAI_HOSTADDR_STR *addr,
    switch (addr_family) {
 #ifdef AF_INET6
    case AF_INET6:
-	if (!valid_ipv6_hostaddr(str, DONT_GRIPE))
+	err = !valid_ipv6_hostaddr(str, DONT_GRIPE);
 	    return (-1);
 	break;
 #endif
    case AF_INET:
-	if (!valid_ipv4_hostaddr(str, DONT_GRIPE))
+	err = !valid_ipv4_hostaddr(str, DONT_GRIPE);
 	    return (-1);
 	break;
    default:
 	msg_panic("haproxy_srvr_parse: unexpected address family: %d",
 		  addr_family);
    }
-
+    if (err == 0)
-    /*
+	err = (hostaddr_to_sockaddr(str, (char *) 0, 0, &res)
-     * Convert the printable address to canonical form. Don't rely on the
+	       || sane_sockaddr_to_hostaddr(res->ai_addr, res->ai_addrlen,
-     * proxy. This requires a conversion to binary form and back, even if a
+					  addr, (MAI_SERVPORT_STR *) 0, 0));
-     * caller such as postscreen does not need the binary form.
+    if (res)
-     */
+	freeaddrinfo(res);
-    if ((err = hostaddr_to_sockaddr(str, (char *) 0, 0, &res)) != 0) {
+    if (err)
 	msg_warn("haproxy_srvr_parse: hostaddr_to_sockaddr(\"%s\") failed: %s",
 		 str, MAI_STRERROR(err));
 	return (-1);
    }
    if (sa == 0) {
 	sa = (struct sockaddr *) &ss;
 	ss_len = sizeof(ss);
 	sa_len = &ss_len;
    } else {
 	if (sa_len == 0) 
 	    msg_panic("haproxy_srvr_parse: sockaddr length not specified");
    }
    if (*sa_len < res->ai_addrlen)
 	msg_panic("haproxy_srvr_parse: sockaddr size %d too small",
 		  (int) *sa_len);
    *sa_len = res->ai_addrlen;
    memcpy((void *) sa, res->ai_addr, res->ai_addrlen);
    freeaddrinfo(res);
 #ifdef AF_INET6
    if (sa->sa_family == AF_INET6)
 	normalize_v4mapped_sockaddr(sa, sa_len);
 #endif
    if ((err = sockaddr_to_hostaddr(sa, *sa_len,
 				    addr, (MAI_SERVPORT_STR *) 0, 0)) != 0) {
 	msg_warn("haproxy_srvr_parse: sockaddr_to_hostaddr() failed: %s",
 		 MAI_STRERROR(err));
 	return (-1);
    }
    return (0);
 }
 /* haproxy_srvr_parse_port - extract and validate TCP port */
-static int haproxy_srvr_parse_port(const char *str, MAI_SERVPORT_STR *port,
+static int haproxy_srvr_parse_port(const char *str, MAI_SERVPORT_STR *port)
 				           struct sockaddr *sa)
 {
    if (msg_verbose)
 	msg_info("haproxy_srvr_parse: port=%s", STR_OR_NULL(str));
@ -263,21 +270,6 @@ static int haproxy_srvr_parse_port(const char *str, MAI_SERVPORT_STR *port,
 	return (-1);
    } else {
 	memcpy(port->buf, str, strlen(str) + 1);
 	if (sa != 0) {
 	    switch (sa->sa_family) {
 #ifdef AF_INET6
 	    case AF_INET6:
 		SOCK_ADDR_IN6_PORT(sa) = htons(atoi(str));
 		break;
 #endif
 	    case AF_INET:
 		SOCK_ADDR_IN_PORT(sa) = htons(atoi(str));
 		break;
 	    default:
 		msg_panic("haproxy_srvr_parse: unexpected address family: %d",
 			  sa->sa_family);
 	    }
 	}
 	return (0);
    }
 }
@ -287,33 +279,16 @@ static int haproxy_srvr_parse_port(const char *str, MAI_SERVPORT_STR *port,
 static int haproxy_srvr_parse_v2_addr_v4(uint32_t sin_addr,
 					         unsigned sin_port,
 					         MAI_HOSTADDR_STR *addr,
-					         MAI_SERVPORT_STR *port,
+					         MAI_SERVPORT_STR *port)
 					         struct sockaddr *sa,
 					         SOCKADDR_SIZE *sa_len)
 {
    struct sockaddr_in sin;
    SOCKADDR_SIZE sin_len;
-    /*
+    memset((void *) &sin, 0, sizeof(sin));
-     * Convert the binary address and port to printable form.
+    sin.sin_family = AF_INET;
-     */
+    sin.sin_addr.s_addr = sin_addr;
-    if (sa == 0) {
+    sin.sin_port = sin_port;
-	sa = (struct sockaddr *) &sin;
+    if (sockaddr_to_hostaddr((struct sockaddr *) &sin, sizeof(sin),
-	sin_len = sizeof(sin);
+			     addr, port, 0) < 0)
 	sa_len = &sin_len;
    } else {
 	if (sa_len == 0) 
 	    msg_panic("haproxy_srvr_parse: sockaddr length not specified");
 	if (*sa_len < sizeof(sin))
 	    msg_panic("haproxy_srvr_parse: sockaddr size %d too small",
 		      (int) *sa_len);
 	*sa_len = sizeof(sin);
    }
    memset((void *) sa, 0, *sa_len);
    SOCK_ADDR_IN_FAMILY(sa) = AF_INET;
    SOCK_ADDR_IN_ADDR(sa).s_addr = sin_addr;
    SOCK_ADDR_IN_PORT(sa) = sin_port;
    if (sockaddr_to_hostaddr(sa, *sa_len, addr, port, 0) < 0)
 	return (-1);
    return (0);
 }
@ -325,35 +300,22 @@ static int haproxy_srvr_parse_v2_addr_v4(uint32_t sin_addr,
 static int haproxy_srvr_parse_v2_addr_v6(uint8_t *sin6_addr,
 					         unsigned sin6_port,
 					         MAI_HOSTADDR_STR *addr,
-					         MAI_SERVPORT_STR *port,
+					         MAI_SERVPORT_STR *port)
 					         struct sockaddr *sa,
 					         SOCKADDR_SIZE *sa_len)
 {
    struct sockaddr_in6 sin6;
    SOCKADDR_SIZE sin6_len;
-    /*
+    memset((void *) &sin6, 0, sizeof(sin6));
-     * Convert the binary address and port to printable form.
+    sin6.sin6_family = AF_INET6;
-     */
+    memcpy(&sin6.sin6_addr, sin6_addr, 16);
-    if (sa == 0) {
+    sin6.sin6_port = sin6_port;
-	sa = (struct sockaddr *) &sin6;
+    if (sockaddr_to_hostaddr((struct sockaddr *) &sin6,
-	sin6_len = sizeof(sin6);
+			     sizeof(sin6), addr, port, 0) < 0)
 	sa_len = &sin6_len;
    } else {
 	if (sa_len == 0)
 	    msg_panic("haproxy_srvr_parse: sockaddr length not specified");
 	if (*sa_len < sizeof(sin6))
 	    msg_panic("haproxy_srvr_parse: sockaddr size %d too small",
 		      (int) *sa_len);
 	*sa_len = sizeof(sin6);
    }
    memset((void *) sa, 0, *sa_len);
    SOCK_ADDR_IN6_FAMILY(sa) = AF_INET6;
    memcpy(&SOCK_ADDR_IN6_ADDR(sa), sin6_addr, sizeof(SOCK_ADDR_IN6_ADDR(sa)));
    SOCK_ADDR_IN6_PORT(sa) = sin6_port;
    normalize_v4mapped_sockaddr(sa, sa_len);
    if (sockaddr_to_hostaddr(sa, *sa_len, addr, port, 0) < 0)
 	return (-1);
    if (addr->buf[0] == ':'
 	&& strncasecmp("::ffff:", addr->buf, 7) == 0
 	&& strchr((char *) proto_info->sa_family_list, AF_INET) != 0)
 	memmove(addr->buf, addr->buf + 7,
 		strlen(addr->buf) + 1 - 7);
    return (0);
 }
@ -366,11 +328,7 @@ static const char *haproxy_srvr_parse_v2_hdr(const char *str, ssize_t *str_len,
 				         MAI_HOSTADDR_STR *smtp_client_addr,
 				         MAI_SERVPORT_STR *smtp_client_port,
 				         MAI_HOSTADDR_STR *smtp_server_addr,
-				         MAI_SERVPORT_STR *smtp_server_port,
+				         MAI_SERVPORT_STR *smtp_server_port)
 					         struct sockaddr *client_sa,
 				               SOCKADDR_SIZE *client_sa_len,
 					         struct sockaddr *server_sa,
 				               SOCKADDR_SIZE *server_sa_len)
 {
    const char myname[] = "haproxy_srvr_parse_v2_hdr";
    struct proxy_hdr_v2 *hdr_v2;
@ -399,18 +357,14 @@ static const char *haproxy_srvr_parse_v2_hdr(const char *str, ssize_t *str_len,
 		    return ("short address field");
 		if (haproxy_srvr_parse_v2_addr_v4(hdr_v2->addr.ip4.src_addr,
 						  hdr_v2->addr.ip4.src_port,
-					 smtp_client_addr, smtp_client_port,
+				    smtp_client_addr, smtp_client_port) < 0)
 					      client_sa, client_sa_len) < 0)
 		    return ("client network address conversion error");
 		if (msg_verbose)
 		    msg_info("%s: smtp_client_addr=%s smtp_client_port=%s",
 		      myname, smtp_client_addr->buf, smtp_client_port->buf);
 		if (haproxy_srvr_parse_v2_addr_v4(hdr_v2->addr.ip4.dst_addr,
 						  hdr_v2->addr.ip4.dst_port,
-						  smtp_server_addr,
+				    smtp_server_addr, smtp_server_port) < 0)
 						  smtp_server_port,
 						  server_sa,
 						  server_sa_len) < 0)
 		    return ("server network address conversion error");
 		if (msg_verbose)
 		    msg_info("%s: smtp_server_addr=%s smtp_server_port=%s",
@ -426,9 +380,7 @@ static const char *haproxy_srvr_parse_v2_hdr(const char *str, ssize_t *str_len,
 		if (haproxy_srvr_parse_v2_addr_v6(hdr_v2->addr.ip6.src_addr,
 						  hdr_v2->addr.ip6.src_port,
 						  smtp_client_addr,
-						  smtp_client_port,
+						  smtp_client_port) < 0)
 						  client_sa,
 						  client_sa_len) < 0)
 		    return ("client network address conversion error");
 		if (msg_verbose)
 		    msg_info("%s: smtp_client_addr=%s smtp_client_port=%s",
@ -436,9 +388,7 @@ static const char *haproxy_srvr_parse_v2_hdr(const char *str, ssize_t *str_len,
 		if (haproxy_srvr_parse_v2_addr_v6(hdr_v2->addr.ip6.dst_addr,
 						  hdr_v2->addr.ip6.dst_port,
 						  smtp_server_addr,
-						  smtp_server_port,
+						  smtp_server_port) < 0)
 						  server_sa,
 						  server_sa_len) < 0)
 		    return ("server network address conversion error");
 		if (msg_verbose)
 		    msg_info("%s: smtp_server_addr=%s smtp_server_port=%s",
@ -468,18 +418,14 @@ static const char *haproxy_srvr_parse_v2_hdr(const char *str, ssize_t *str_len,
    }
 }
-/* haproxy_srvr_parse_sa - parse haproxy line */
+/* haproxy_srvr_parse - parse haproxy line */
-const char *haproxy_srvr_parse_sa(const char *str, ssize_t *str_len,
+const char *haproxy_srvr_parse(const char *str, ssize_t *str_len,
-				          int *non_proxy,
+			               int *non_proxy,
-				          MAI_HOSTADDR_STR *smtp_client_addr,
+			               MAI_HOSTADDR_STR *smtp_client_addr,
-				          MAI_SERVPORT_STR *smtp_client_port,
+			               MAI_SERVPORT_STR *smtp_client_port,
-				          MAI_HOSTADDR_STR *smtp_server_addr,
+			               MAI_HOSTADDR_STR *smtp_server_addr,
-				          MAI_SERVPORT_STR *smtp_server_port,
+			               MAI_SERVPORT_STR *smtp_server_port)
 				          struct sockaddr *client_sa,
 				          SOCKADDR_SIZE *client_sa_len,
 				          struct sockaddr *server_sa,
 				          SOCKADDR_SIZE *server_sa_len)
 {
    const char *err;
@ -510,18 +456,14 @@ const char *haproxy_srvr_parse_sa(const char *str, ssize_t *str_len,
 	else if (haproxy_srvr_parse_proto(NEXT_TOKEN, &addr_family) < 0)
 	    err = "bad or missing protocol type";
 	else if (haproxy_srvr_parse_addr(NEXT_TOKEN, smtp_client_addr,
-					 addr_family, client_sa,
+					 addr_family) < 0)
 					 client_sa_len) < 0)
 	    err = "bad or missing client address";
 	else if (haproxy_srvr_parse_addr(NEXT_TOKEN, smtp_server_addr,
-					 addr_family, server_sa,
+					 addr_family) < 0)
 					 server_sa_len) < 0)
 	    err = "bad or missing server address";
-	else if (haproxy_srvr_parse_port(NEXT_TOKEN, smtp_client_port,
+	else if (haproxy_srvr_parse_port(NEXT_TOKEN, smtp_client_port) < 0)
 					 client_sa) < 0)
 	    err = "bad or missing client port";
-	else if (haproxy_srvr_parse_port(NEXT_TOKEN, smtp_server_port,
+	else if (haproxy_srvr_parse_port(NEXT_TOKEN, smtp_server_port) < 0)
 					 server_sa) < 0)
 	    err = "bad or missing server port";
 	else {
 	    err = 0;
@ -538,48 +480,17 @@ const char *haproxy_srvr_parse_sa(const char *str, ssize_t *str_len,
    else {
 	return (haproxy_srvr_parse_v2_hdr(str, str_len, non_proxy,
 					  smtp_client_addr, smtp_client_port,
-					  smtp_server_addr, smtp_server_port,
+				       smtp_server_addr, smtp_server_port));
 					  client_sa, client_sa_len,
 					  server_sa, server_sa_len));
    }
 }
-/* haproxy_srvr_parse - ABI compatibility */
+/* haproxy_srvr_receive - receive and parse haproxy protocol handshake */
-#undef haproxy_srvr_parse
+int     haproxy_srvr_receive(int fd, int *non_proxy,
-
+			             MAI_HOSTADDR_STR *smtp_client_addr,
-const char *haproxy_srvr_parse(const char *str, ssize_t *str_len,
+			             MAI_SERVPORT_STR *smtp_client_port,
-			               int *non_proxy,
+			             MAI_HOSTADDR_STR *smtp_server_addr,
-			               MAI_HOSTADDR_STR *smtp_client_addr,
+			             MAI_SERVPORT_STR *smtp_server_port)
 			               MAI_SERVPORT_STR *smtp_client_port,
 			               MAI_HOSTADDR_STR *smtp_server_addr,
 			               MAI_SERVPORT_STR *smtp_server_port);
 const char *haproxy_srvr_parse(const char *str, ssize_t *str_len,
 			               int *non_proxy,
 			               MAI_HOSTADDR_STR *smtp_client_addr,
 			               MAI_SERVPORT_STR *smtp_client_port,
 			               MAI_HOSTADDR_STR *smtp_server_addr,
 			               MAI_SERVPORT_STR *smtp_server_port)
 {
    return (haproxy_srvr_parse_sa(str, str_len, non_proxy,
 				  smtp_client_addr, smtp_client_port,
 				  smtp_server_addr, smtp_server_port,
 				  (struct sockaddr *) 0, (SOCKADDR_SIZE *) 0,
 			       (struct sockaddr *) 0, (SOCKADDR_SIZE *) 0));
 }
 /* haproxy_srvr_receive_sa - receive and parse haproxy protocol handshake */
 int     haproxy_srvr_receive_sa(int fd, int *non_proxy,
 				        MAI_HOSTADDR_STR *smtp_client_addr,
 				        MAI_SERVPORT_STR *smtp_client_port,
 				        MAI_HOSTADDR_STR *smtp_server_addr,
 				        MAI_SERVPORT_STR *smtp_server_port,
 				        struct sockaddr *client_sa,
 				        SOCKADDR_SIZE *client_sa_len,
 				        struct sockaddr *server_sa,
 				        SOCKADDR_SIZE *server_sa_len)
 {
    const char *err;
    VSTRING *escape_buf;
@ -602,11 +513,9 @@ int     haproxy_srvr_receive_sa(int fd, int *non_proxy,
     */
    read_buf[read_len] = 0;
-    if ((err = haproxy_srvr_parse_sa(read_buf, &read_len, non_proxy,
+    if ((err = haproxy_srvr_parse(read_buf, &read_len, non_proxy,
-				     smtp_client_addr, smtp_client_port,
+				  smtp_client_addr, smtp_client_port,
-				     smtp_server_addr, smtp_server_port,
+				smtp_server_addr, smtp_server_port)) != 0) {
 				     client_sa, client_sa_len,
 				     server_sa, server_sa_len)) != 0) {
 	escape_buf = vstring_alloc(read_len * 2);
 	escape(escape_buf, read_buf, read_len);
 	msg_warn("haproxy read: %s: %s", err, vstring_str(escape_buf));
@ -624,27 +533,356 @@ int     haproxy_srvr_receive_sa(int fd, int *non_proxy,
    return (0);
 }
-/* haproxy_srvr_receive - ABI compatibility */
+ /*
  * Test program.
  */
 #ifdef TEST
-#undef haproxy_srvr_receive
+ /*
  * Test cases with inputs and expected outputs. A request may contain
  * trailing garbage, and it may be too short. A v1 request may also contain
  * malformed address or port information.
  */
 typedef struct TEST_CASE {
    const char *haproxy_request;	/* v1 or v2 request including thrash */
    ssize_t haproxy_req_len;		/* request length including thrash */
    ssize_t exp_req_len;		/* parsed request length */
    int     exp_non_proxy;		/* request is not proxied */
    const char *exp_return;		/* expected error string */
    const char *exp_client_addr;	/* expected client address string */
    const char *exp_server_addr;	/* expected client port string */
    const char *exp_client_port;	/* expected client address string */
    const char *exp_server_port;	/* expected server port string */
 } TEST_CASE;
 static TEST_CASE v1_test_cases[] = {
    /* IPv6. */
    {"PROXY TCP6 fc:00:00:00:1:2:3:4 fc:00:00:00:4:3:2:1 123 321\n", 0, 0, 0, 0, "fc::1:2:3:4", "fc::4:3:2:1", "123", "321"},
    {"PROXY TCP6 FC:00:00:00:1:2:3:4 FC:00:00:00:4:3:2:1 123 321\n", 0, 0, 0, 0, "fc::1:2:3:4", "fc::4:3:2:1", "123", "321"},
    {"PROXY TCP6 1.2.3.4 4.3.2.1 123 321\n", 0, 0, 0, "bad or missing client address"},
    {"PROXY TCP6 fc:00:00:00:1:2:3:4 4.3.2.1 123 321\n", 0, 0, 0, "bad or missing server address"},
    /* IPv4 in IPv6. */
    {"PROXY TCP6 ::ffff:1.2.3.4 ::ffff:4.3.2.1 123 321\n", 0, 0, 0, 0, "1.2.3.4", "4.3.2.1", "123", "321"},
    {"PROXY TCP6 ::FFFF:1.2.3.4 ::FFFF:4.3.2.1 123 321\n", 0, 0, 0, 0, "1.2.3.4", "4.3.2.1", "123", "321"},
    {"PROXY TCP4 ::ffff:1.2.3.4 ::ffff:4.3.2.1 123 321\n", 0, 0, 0, "bad or missing client address"},
    {"PROXY TCP4 1.2.3.4 ::ffff:4.3.2.1 123 321\n", 0, 0, 0, "bad or missing server address"},
    /* IPv4. */
    {"PROXY TCP4 1.2.3.4 4.3.2.1 123 321\n", 0, 0, 0, 0, "1.2.3.4", "4.3.2.1", "123", "321"},
    {"PROXY TCP4 01.02.03.04 04.03.02.01 123 321\n", 0, 0, 0, 0, "1.2.3.4", "4.3.2.1", "123", "321"},
    {"PROXY TCP4 1.2.3.4 4.3.2.1 123456 321\n", 0, 0, 0, "bad or missing client port"},
    {"PROXY TCP4 1.2.3.4 4.3.2.1 123 654321\n", 0, 0, 0, "bad or missing server port"},
    {"PROXY TCP4 1.2.3.4 4.3.2.1 0123 321\n", 0, 0, 0, "bad or missing client port"},
    {"PROXY TCP4 1.2.3.4 4.3.2.1 123 0321\n", 0, 0, 0, "bad or missing server port"},
    /* Missing fields. */
    {"PROXY TCP6 fc:00:00:00:1:2:3:4 fc:00:00:00:4:3:2:1 123\n", 0, 0, 0, "bad or missing server port"},
    {"PROXY TCP6 fc:00:00:00:1:2:3:4 fc:00:00:00:4:3:2:1\n", 0, 0, 0, "bad or missing client port"},
    {"PROXY TCP6 fc:00:00:00:1:2:3:4\n", 0, 0, 0, "bad or missing server address"},
    {"PROXY TCP6\n", 0, 0, 0, "bad or missing client address"},
    {"PROXY TCP4 1.2.3.4 4.3.2.1 123\n", 0, 0, 0, "bad or missing server port"},
    {"PROXY TCP4 1.2.3.4 4.3.2.1\n", 0, 0, 0, "bad or missing client port"},
    {"PROXY TCP4 1.2.3.4\n", 0, 0, 0, "bad or missing server address"},
    {"PROXY TCP4\n", 0, 0, 0, "bad or missing client address"},
    /* Other. */
    {"PROXY BLAH\n", 0, 0, 0, "bad or missing protocol type"},
    {"PROXY\n", 0, 0, 0, "short protocol header"},
    {"BLAH\n", 0, 0, 0, "short protocol header"},
    {"\n", 0, 0, 0, "short protocol header"},
    {"", 0, 0, 0, "short protocol header"},
    0,
 };
-int     haproxy_srvr_receive(int fd, int *non_proxy,
+static struct proxy_hdr_v2 v2_local_request = {
-			             MAI_HOSTADDR_STR *smtp_client_addr,
+    PP2_SIGNATURE, PP2_VERSION | PP2_CMD_LOCAL,
-			             MAI_SERVPORT_STR *smtp_client_port,
+};
-			             MAI_HOSTADDR_STR *smtp_server_addr,
+static TEST_CASE v2_non_proxy_test = {
-			             MAI_SERVPORT_STR *smtp_server_port);
+    (char *) &v2_local_request, PP2_HEADER_LEN, PP2_HEADER_LEN, 1,
 };
-int     haproxy_srvr_receive(int fd, int *non_proxy,
+#define STR(x)	vstring_str(x)
-			             MAI_HOSTADDR_STR *smtp_client_addr,
+#define LEN(x)	VSTRING_LEN(x)
-			             MAI_SERVPORT_STR *smtp_client_port,
+
-			             MAI_HOSTADDR_STR *smtp_server_addr,
+/* evaluate_test_case - evaluate one test case */
-			             MAI_SERVPORT_STR *smtp_server_port)
+
 static int evaluate_test_case(const char *test_label,
 			              const TEST_CASE *test_case)
 {
-    return (haproxy_srvr_receive_sa(fd, non_proxy,
+    /* Actual results. */
-				    smtp_client_addr, smtp_client_port,
+    const char *act_return;
-				    smtp_server_addr, smtp_server_port,
+    ssize_t act_req_len;
-				    (struct sockaddr *) 0,
+    int     act_non_proxy;
-				    (SOCKADDR_SIZE *) 0,
+    MAI_HOSTADDR_STR act_smtp_client_addr;
-				    (struct sockaddr *) 0,
+    MAI_HOSTADDR_STR act_smtp_server_addr;
-				    (SOCKADDR_SIZE *) 0));
+    MAI_SERVPORT_STR act_smtp_client_port;
    MAI_SERVPORT_STR act_smtp_server_port;
    int     test_failed;
    if (msg_verbose)
 	msg_info("test case=%s exp_client_addr=%s exp_server_addr=%s "
 		 "exp_client_port=%s exp_server_port=%s",
 		 test_label, STR_OR_NULL(test_case->exp_client_addr),
 		 STR_OR_NULL(test_case->exp_server_addr),
 		 STR_OR_NULL(test_case->exp_client_port),
 		 STR_OR_NULL(test_case->exp_server_port));
    /*
     * Start the test.
     */
    test_failed = 0;
    act_req_len = test_case->haproxy_req_len;
    act_return =
 	haproxy_srvr_parse(test_case->haproxy_request, &act_req_len,
 			   &act_non_proxy,
 			   &act_smtp_client_addr, &act_smtp_client_port,
 			   &act_smtp_server_addr, &act_smtp_server_port);
    if (act_return != test_case->exp_return) {
 	msg_warn("test case %s return expected=%s actual=%s",
 		 test_label, STR_OR_NULL(test_case->exp_return),
 		 STR_OR_NULL(act_return));
 	test_failed = 1;
 	return (test_failed);
    }
    if (act_req_len != test_case->exp_req_len) {
 	msg_warn("test case %s str_len expected=%ld actual=%ld",
 		 test_label,
 		 (long) test_case->exp_req_len, (long) act_req_len);
 	test_failed = 1;
 	return (test_failed);
    }
    if (act_non_proxy != test_case->exp_non_proxy) {
 	msg_warn("test case %s non_proxy expected=%d actual=%d",
 		 test_label,
 		 test_case->exp_non_proxy, act_non_proxy);
 	test_failed = 1;
 	return (test_failed);
    }
    if (test_case->exp_non_proxy || test_case->exp_return != 0)
 	/* No expected address/port results. */
 	return (test_failed);
    /*
     * Compare address/port results against expected results.
     */
    if (strcmp(test_case->exp_client_addr, act_smtp_client_addr.buf)) {
 	msg_warn("test case %s client_addr  expected=%s actual=%s",
 		 test_label,
 		 test_case->exp_client_addr, act_smtp_client_addr.buf);
 	test_failed = 1;
    }
    if (strcmp(test_case->exp_server_addr, act_smtp_server_addr.buf)) {
 	msg_warn("test case %s server_addr  expected=%s actual=%s",
 		 test_label,
 		 test_case->exp_server_addr, act_smtp_server_addr.buf);
 	test_failed = 1;
    }
    if (strcmp(test_case->exp_client_port, act_smtp_client_port.buf)) {
 	msg_warn("test case %s client_port  expected=%s actual=%s",
 		 test_label,
 		 test_case->exp_client_port, act_smtp_client_port.buf);
 	test_failed = 1;
    }
    if (strcmp(test_case->exp_server_port, act_smtp_server_port.buf)) {
 	msg_warn("test case %s server_port  expected=%s actual=%s",
 		 test_label,
 		 test_case->exp_server_port, act_smtp_server_port.buf);
 	test_failed = 1;
    }
    return (test_failed);
 }
 /* convert_v1_proxy_req_to_v2 - convert well-formed v1 proxy request to v2 */
 static void convert_v1_proxy_req_to_v2(VSTRING *buf, const char *req,
 				               ssize_t req_len)
 {
    const char myname[] = "convert_v1_proxy_req_to_v2";
    const char *err;
    int     non_proxy;
    MAI_HOSTADDR_STR smtp_client_addr;
    MAI_SERVPORT_STR smtp_client_port;
    MAI_HOSTADDR_STR smtp_server_addr;
    MAI_SERVPORT_STR smtp_server_port;
    struct proxy_hdr_v2 *hdr_v2;
    struct addrinfo *src_res;
    struct addrinfo *dst_res;
    /*
     * Allocate buffer space for the largest possible protocol header, so we
     * don't have to worry about hidden realloc() calls.
     */
    VSTRING_RESET(buf);
    VSTRING_SPACE(buf, sizeof(struct proxy_hdr_v2));
    hdr_v2 = (struct proxy_hdr_v2 *) STR(buf);
    /*
     * Fill in the header,
     */
    memcpy(hdr_v2->sig, PP2_SIGNATURE, PP2_SIGNATURE_LEN);
    hdr_v2->ver_cmd = PP2_VERSION | PP2_CMD_PROXY;
    if ((err = haproxy_srvr_parse(req, &req_len, &non_proxy, &smtp_client_addr,
 				  &smtp_client_port, &smtp_server_addr,
 				  &smtp_server_port)) != 0 || non_proxy)
 	msg_fatal("%s: malformed or non-proxy request: %s",
 		  myname, req);
    if (hostaddr_to_sockaddr(smtp_client_addr.buf, smtp_client_port.buf, 0,
 			     &src_res) != 0)
 	msg_fatal("%s: unable to convert source address %s port %s",
 		  myname, smtp_client_addr.buf, smtp_client_port.buf);
    if (hostaddr_to_sockaddr(smtp_server_addr.buf, smtp_server_port.buf, 0,
 			     &dst_res) != 0)
 	msg_fatal("%s: unable to convert destination address %s port %s",
 		  myname, smtp_server_addr.buf, smtp_server_port.buf);
    if (src_res->ai_family != dst_res->ai_family)
 	msg_fatal("%s: mixed source/destination address families", myname);
 #ifdef AF_INET6
    if (src_res->ai_family == PF_INET6) {
 	hdr_v2->fam = PP2_FAM_INET6 | PP2_TRANS_STREAM;
 	hdr_v2->len = htons(PP2_ADDR_LEN_INET6);
 	memcpy(hdr_v2->addr.ip6.src_addr,
 	       &SOCK_ADDR_IN6_ADDR(src_res->ai_addr),
 	       sizeof(hdr_v2->addr.ip6.src_addr));
 	hdr_v2->addr.ip6.src_port = SOCK_ADDR_IN6_PORT(src_res->ai_addr);
 	memcpy(hdr_v2->addr.ip6.dst_addr,
 	       &SOCK_ADDR_IN6_ADDR(dst_res->ai_addr),
 	       sizeof(hdr_v2->addr.ip6.dst_addr));
 	hdr_v2->addr.ip6.dst_port = SOCK_ADDR_IN6_PORT(dst_res->ai_addr);
    } else
 #endif
    if (src_res->ai_family == PF_INET) {
 	hdr_v2->fam = PP2_FAM_INET | PP2_TRANS_STREAM;
 	hdr_v2->len = htons(PP2_ADDR_LEN_INET);
 	hdr_v2->addr.ip4.src_addr = SOCK_ADDR_IN_ADDR(src_res->ai_addr).s_addr;
 	hdr_v2->addr.ip4.src_port = SOCK_ADDR_IN_PORT(src_res->ai_addr);
 	hdr_v2->addr.ip4.dst_addr = SOCK_ADDR_IN_ADDR(dst_res->ai_addr).s_addr;
 	hdr_v2->addr.ip4.dst_port = SOCK_ADDR_IN_PORT(dst_res->ai_addr);
    } else {
 	msg_panic("unknown address family 0x%x", src_res->ai_family);
    }
    vstring_set_payload_size(buf, PP2_SIGNATURE_LEN + ntohs(hdr_v2->len));
    freeaddrinfo(src_res);
    freeaddrinfo(dst_res);
 }
 int     main(int argc, char **argv)
 {
    VSTRING *test_label;
    TEST_CASE *v1_test_case;
    TEST_CASE v2_test_case;
    TEST_CASE mutated_test_case;
    VSTRING *v2_request_buf;
    VSTRING *mutated_request_buf;
    /* Findings. */
    int     tests_failed = 0;
    int     test_failed;
    test_label = vstring_alloc(100);
    v2_request_buf = vstring_alloc(100);
    mutated_request_buf = vstring_alloc(100);
    for (tests_failed = 0, v1_test_case = v1_test_cases;
 	 v1_test_case->haproxy_request != 0;
 	 tests_failed += test_failed, v1_test_case++) {
 	/*
 	 * Fill in missing string length info in v1 test data.
 	 */
 	if (v1_test_case->haproxy_req_len == 0)
 	    v1_test_case->haproxy_req_len =
 		strlen(v1_test_case->haproxy_request);
 	if (v1_test_case->exp_req_len == 0)
 	    v1_test_case->exp_req_len = v1_test_case->haproxy_req_len;
 	/*
 	 * Evaluate each v1 test case.
 	 */
 	vstring_sprintf(test_label, "%d", (int) (v1_test_case - v1_test_cases));
 	test_failed = evaluate_test_case(STR(test_label), v1_test_case);
 	/*
 	 * If the v1 test input is malformed, skip the mutation tests.
 	 */
 	if (v1_test_case->exp_return != 0)
 	    continue;
 	/*
 	 * Mutation test: a well-formed v1 test case should still pass after
 	 * appending a byte, and should return the actual parsed header
 	 * length. The test uses the implicit VSTRING null safety byte.
 	 */
 	vstring_sprintf(test_label, "%d (one byte appended)",
 			(int) (v1_test_case - v1_test_cases));
 	mutated_test_case = *v1_test_case;
 	mutated_test_case.haproxy_req_len += 1;
 	/* reuse v1_test_case->exp_req_len */
 	test_failed += evaluate_test_case(STR(test_label), &mutated_test_case);
 	/*
 	 * Mutation test: a well-formed v1 test case should fail after
 	 * stripping the terminator.
 	 */
 	vstring_sprintf(test_label, "%d (last byte stripped)",
 			(int) (v1_test_case - v1_test_cases));
 	mutated_test_case = *v1_test_case;
 	mutated_test_case.exp_return = "missing protocol header terminator";
 	mutated_test_case.haproxy_req_len -= 1;
 	mutated_test_case.exp_req_len = mutated_test_case.haproxy_req_len;
 	test_failed += evaluate_test_case(STR(test_label), &mutated_test_case);
 	/*
 	 * A 'well-formed' v1 test case should pass after conversion to v2.
 	 */
 	vstring_sprintf(test_label, "%d (converted to v2)",
 			(int) (v1_test_case - v1_test_cases));
 	v2_test_case = *v1_test_case;
 	convert_v1_proxy_req_to_v2(v2_request_buf,
 				   v1_test_case->haproxy_request,
 				   v1_test_case->haproxy_req_len);
 	v2_test_case.haproxy_request = STR(v2_request_buf);
 	v2_test_case.haproxy_req_len = PP2_HEADER_LEN
 	    + ntohs(((struct proxy_hdr_v2 *) STR(v2_request_buf))->len);
 	v2_test_case.exp_req_len = v2_test_case.haproxy_req_len;
 	test_failed += evaluate_test_case(STR(test_label), &v2_test_case);
 	/*
 	 * Mutation test: a well-formed v2 test case should still pass after
 	 * appending a byte, and should return the actual parsed header
 	 * length. The test uses the implicit VSTRING null safety byte.
 	 */
 	vstring_sprintf(test_label, "%d (converted to v2, one byte appended)",
 			(int) (v1_test_case - v1_test_cases));
 	mutated_test_case = v2_test_case;
 	mutated_test_case.haproxy_req_len += 1;
 	/* reuse v2_test_case->exp_req_len */
 	test_failed += evaluate_test_case(STR(test_label), &mutated_test_case);
 	/*
 	 * Mutation test: a well-formed v2 test case should fail after
 	 * stripping one byte
 	 */
 	vstring_sprintf(test_label, "%d (converted to v2, last byte stripped)",
 			(int) (v1_test_case - v1_test_cases));
 	mutated_test_case = v2_test_case;
 	mutated_test_case.haproxy_req_len -= 1;
 	mutated_test_case.exp_req_len = mutated_test_case.haproxy_req_len;
 	mutated_test_case.exp_return = "short version 2 protocol header";
 	test_failed += evaluate_test_case(STR(test_label), &mutated_test_case);
    }
    /*
     * Additional V2-only tests.
     */
    test_failed +=
 	evaluate_test_case("v2 non-proxy request", &v2_non_proxy_test);
    /*
     * Clean up.
     */
    vstring_free(v2_request_buf);
    vstring_free(mutated_request_buf);
    vstring_free(test_label);
    if (tests_failed)
 	msg_info("tests failed: %d", tests_failed);
    exit(tests_failed != 0);
 }
 #endif
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Wietse Z Venema	ef01d8ffa9	postfix-3.10.2	2025-04-23 11:22:05 +10:00
Wietse Z Venema	186a72901f	postfix-3.10.1	2025-02-25 12:15:13 +11:00
Wietse Z Venema	8599da0f46	postfix-3.10.0	2025-02-18 13:47:31 +11:00
`@ -4,4 +4,4 @@`

	`LANG=C; export LANG`	`LANG=C; export LANG`

	`mantools/dehtml proto/html proto/.proto \| tr '+' ' ' \| spell \| grep -F -vxf proto/stop \| grep -F -vxf proto/stop.spell-proto-html`	`mantools/dehtml proto/html proto/.proto \| spell \| grep -F -vxf proto/stop \| grep -F -vxf proto/stop.spell-proto-html`