postfix-3.11-20250818

postfix/.indent.pro

@@ -248,6 +248,7 @@
 -TNBBIO
 -TNVTABLE_INFO
 -TOPTIONS
+-TOSSL_DGST
 -TPCF_DBMS_INFO
 -TPCF_DEPR_PARAM_INFO
 -TPCF_EVAL_CTX
@@ -260,6 +261,10 @@
 -TPCF_SERVICE_DEF
 -TPCF_SERVICE_PATTERN
 -TPCF_STRING_NV
+-TPEER_FROM_HAPROXY_CASE
+-TPEER_FROM_NON_SOCKET_CASE
+-TPEER_FROM_PASS_ATTR_CASE
+-TPEER_FROM_UNCONN_SOCKET_CASE
 -TPEER_NAME
 -TPGSQL_NAME
 -TPICKUP_INFO
@@ -358,6 +363,7 @@
 -TSTRING_LIST
 -TSTRING_TABLE
 -TSYS_EXITS_DETAIL
+-TTEST_BASE
 -TTEST_CASE
 -TTLSMGR_SCACHE
 -TTLSP_STATE
@@ -420,6 +426,7 @@
 -Td2i_X509_t
 -Tdane_digest
 -Tdane_mtype
+-Tdict_lookup_verify_data
 -Tfilter_ctx
 -Tgeneral_name_stack_t
 -Tiana_digest

postfix/HISTORY

@@ -28966,9 +28966,9 @@ Apologies for any names omitted.
 	tls/tls_misc.c.
 
 	Bugfix (defect introduced: Postfix 3.4, date 20181113): a
-	server with multiple TLS certificates could report for a
-	resumed TLS session, in logging and Received: message
-	headers, the wrong server-signature and server-digest names.
+	server with multiple TLS certificates could report, for a
+	resumed TLS session, the wrong server-signature and
+	server-digest names in logging and Received: message headers.
 	Viktor Dukhovni. File: tls/tls_misc.c.
 
 20250213
@@ -28982,4 +28982,596 @@ Apologies for any names omitted.
 	tls_config_file description. File: proto/postconf.proto.
 	The unused parameters will be deleted in Postfix 3.11.
 
-	Postfix 3.10 code freeze.
+20250215
+
+	Safety: added a TLSRPT library version check. Log a warning
+	when the run-time TLSRPT library API version is not compatible
+	with the build-time TLSRPT API version, where 'compatible'
+	is defined according to the rules of semantic versioning.
+	This completes the Postfix 3.10 stable release.
+
+20250216
+
+	Bugfix (defect introduced: Postfix 3.10): Postfix SMTP
+	client segfault while reporting a 'certificate expired'
+	event. Problem reported by Oemer Gueven. File: tls/tls_verify.c.
+
+20250221
+
+	Bugfix (defect introduced: 20250210): a recent 'fix' for the
+	default smtp_tls_dane_insecure_mx_policy setting resulted in
+	unnecessary 'dnssec_probe' warnings, on systems that disable
+	DNSSEC lookups (the default). File: smtp/smtp_addr.c.
+
+20250227
+
+	Improve and correct warning messages when converting (host
+	or service) information to (symbolic text, numerical text,
+	or binary) form. File: util/myaddrinfo.c.
+
+20250304
+
+	Bugfix (defect introduced: Postfix 2.3, date 20051222): the
+	Dovecot auth client did not attempt to create a new connection
+	after an I/O error on an existing connection. Reported by
+	Oleksandr Kozmenko. File: xsasl/xsasl_dovecot_server.c.
+
+20240315
+
+	Code health: two typos canceled each other's effect. Fix
+	by Michael Tokarev. No change in compiler output. File:
+	util/vstring_vstream.c.
+
+20250316
+
+	Bugfix (defect introduced: date 19991116): when appending a
+	setting to a main.cf or master.cf file that did not end in
+	a newline character, the "postconf -e" command did not add
+	an extra newline character before appending the new setting,
+	causing information to become garbled. Fix by Michael
+	Tokarev. File: postconf/postconf_edit.c.
+
+20250317
+
+	Documentation: added text to clarify the difference between
+	SMTP connection reuse and TLS session resumption, and that
+	these can be combined together. File: proto/TLSRPT_README.html.
+
+20250321
+
+	Safety: the SQLite client now logs a warning when a query
+	uses double quotes instead of the Postfix-recommended single
+	quotes. Oscar Bataille reported that the non-recommended
+	form is not protected against SQL injection. Files:
+	global/dict_sqlite.c, global/dict_sqlite_test.c.
+
+20250326
+
+	Updated myaddrinfo tests to also cover service/port conversion.
+	Files: util/myaddrinfo4.ref, util/myaddrinfo4.ref2,
+	util/myaddrinfo.c, util/myaddrinfo.ref, util/myaddrinfo.ref2.
+
+20260402
+
+	Documentation: updated guidance for using DNS-based reputation
+	services. File: proto/postconf.proto.
+
+20250404
+
+	Code health: simplified the conversions from IPv4 mapped
+	IPv6 addresses (::ffff:d.d.d.d) to their IPv4 form (d.d.d.d),
+	for both the binary form and human-readable form. Added
+	unit tests to show that the conversions work as expected.
+	Files: util/normalize_v4mapped_addr.[hc],
+	util/normalize_v4mapped_addr_test.c.
+
+20260406
+
+	Code health: overhauled the haproxy adapter to simplify
+	code and to avoid unnecessary conversions between binary
+	and human-readable forms. Added more unit tests for the v1
+	and v2 proxy protocols. A separate update will overhaul
+	the smtpd 'peer' lookups. Files: global/haproxy_srvr.c,
+	global/haproxy_srvr_test.c.
+
+20250408
+
+	Code health: replace explicit code with normalize_v4mapped_xxx()
+	call. File: util/sane_sockaddr_to_hostaddr.c.
+
+	Bit rot: sane_sockaddr_to_hostaddr() may modify its inputs.
+	smtp/smtp_tlsrpt.c, postscreen/postscreen_endpt.c
+
+20250411
+
+	Code health: simplified the Postfix SMTP server code to
+	find out the client and server IP addresses for an SMTP
+	connection. This takes advantage of the improved support
+	for address normalization and for haproxy load balancers.
+	Files: smtpd/smtpd_peer.c, smtpd/smtpd_haproxy.c.
+
+	Documentation: XCLIENT attribute availability. File:
+	proto/XCLIENT.
+
+20250418
+
+	Code health: added 16 unit tests for connection address and
+	port information received through haproxy or postscreen,
+	and improved error handling. Files: smtpd/smtpd_peer.c,
+	smtpd/smtpd_haproxy.c, smtpd/smtpd_peer_test.c.
+
+	Unit tests for 'direct' connections are deferred pending
+	support to mock or intercept system library function calls.
+
+20250419
+
+	Documentation: Postfix LMDB locking protocol description.
+	File: proto/lmdb_table.
+
+20250504
+
+	Logging: the memcache client truncated a memcached server
+	error message too aggressively. File: global/dict_memcache.c.
+
+	Code health: the dict_cache module did not expose a database
+	error to the caller. Files: util/dict_cache.[hc].
+
+	Code health: the verify(8) daemon now replies with 'address
+	verification status unavailable' when cache lookup fails
+	due to a database error, instead of replying with 'address
+	verification in progress'. File: verify/verify.c.
+
+	Code health: the verify(8) daemon no longer schedules an
+	address verification probe after a cache lookup for that
+	address failed due to a database error. File: verify/verify.c.
+
+20250523
+
+	Documentation: load balancer workaround for Postfix <= 3.9.
+	Files: proto/mysql_table, proto/pgsql_table.
+
+20250425
+
+	Documentation: TLSRPT_README typofix by Paul Menzel. File:
+	proto/TLSRPT_README.html.
+
+20250509
+
+	Documentation: in "enable_idna2003_compatibility" descriptions,
+	confused zeta with final sigma. Geert Hendrickx. Files:
+	proto/SMTPUTF8_README, proto/postconf.proto.
+
+	Feature: specify "key_digest = name-of-openssl-digest" to
+	run memcache lookup keys through the named OpenSSL digest
+	and convert the result to lowercase hexadecimal characters,
+	after processing the key_format feature. This prevents a
+	database access error when keys may exceed the memcache
+	server's key length limit (usually, 250 bytes). Files:
+
+20250523
+
+	Workaround: tweaked the timeout setting in postconf.proto
+	javascript. File: proto/postconf.html.prolog
+
+20250525
+
+	Code health: don't allow the postmap or postalias "-i"
+	option together with one of the (-d, -q, or -s) options on
+	the command line. Files: postmap/postmap.c, postalias/postalias.c,
+	postmap/mode_conflict_test.*, postalias/mode_conflict_test.*.
+
+	Testing: some postalias and postmap tests depended on the
+	installed main.cf file. Files: postalias/Makefile.in,
+	postmap/Makefile.in.
+
+	Testing: 'nosleep' preload module to eliminate the delay
+	after logging a fatal error and before terminating a program.
+	Files: testing/Makefile.in, testing/nosleep.c,
+	postalias/Makefile.in, postmap/Makefile.in
+
+20250526
+
+	Bugfix (defect introduced: Postfix 0.7.0, date 19990118):
+	postmap and postalias supported "-i" incremental updates
+	only for databases that support "bulk" create. With other
+	databases, the "-i" option was rejected with a misleading
+	error message "no 'map create' support". File: util/mkmap_open.c.
+
+	Usability: improved error message when a CDB table refuses
+	a delete or incremental update request (it complained about
+	some obscure POSIX open() flags). File: util/dict_cdb.c.
+
+	Cleanup: remove unnecessary newline characters in debug
+	logging. File: util/dict_db.c.
+
+	Debugging: added debug logging to the myflock() function.
+	File: util/myflock.c.
+
+20250601
+
+	Changed the default smtp_tlsrpt_skip_reused_handshakes
+	setting from "yes" to "no". The new default is enabled with
+	compatibility level >= 3.11. Files: smtp/smtp_tlsrpt.c,
+	global/mail_params.[hc], proto/COMPATIBILITY_README.html.
+
+20250608
+
+	Feature: specify "relocated_prefix_enable = no" to disable
+	the hard-coded prefix "5.1.6 User has moved to " that is
+	by default prepended to all relocated_maps lookup results.
+	This setting requires that the table contains responses
+	with both custom enhanced status code (X.Y.Z) and text.
+	Files: proto/postconf.proto, mantools/postlink,
+	global/mail_params.h, trivial-rewrite/trivial-rewrite.c,
+	trivial-rewrite/resolve.c.
+
+	This was tested against an unprivileged Postfix instance.
+	Support to spin up a disposable unprivileged Postfix instance
+	for testing will be made available later.
+
+20250609
+
+	Deprecation: smtp_tls_enforce_peername and
+	lmtp_tls_enforce_peername are now officially deprecated.
+	Files: proto/DEPRECATION_README.html, postconf/postconf_unused.c,
+	postconf/Makefile.in, postconf/test78.ref.
+
+20250614
+
+	Bugfix (defect introduced: Postfix 3.0, date 20140923):
+	Lookup tables specified inside the {} were left open after
+	unionmap:{} or pipemap:{} syntax error. Richard Hansen.
+	Files: util/dict_pipe.c, util/dict_union.c.
+
+20250617
+
+	Proper unit tests for the pipemap and unionmap implementations.
+	Files: testing/dict_test_helper.[hc], util/dict.[hc],
+	util/dict_pipe_test.c, util/dict_union_test.c. This obsoletes
+	the ad-hoc test files dict_pipe_test.{in,ref} and
+	dict_union_test.{in,ref} and corresponding Makefile targets.
+
+	Proper sharing of identical dictionary instances opened
+	with dict_pipe_open() and dict_union_open(), reusing the
+	sharing policy that was already implemented with maps_create().
+	Files: util/dict.c, util/dict.h, util/dict_pipe.c,
+	util/dict_union.c, global/maps.c.
+
+20250619
+
+	Bugfix (defect introduced: Postfix-3.10, date 20250117): the
+	Postfix SMTP client attempted to look up TLSA records even
+	with "TLS-Required: no". This could result in unnecessary
+	failures. Fix by Viktor Dukhovni & Wietse. Files: smtp/smtp.h,
+	smtp/smtp_policy.c, smtp/smtp_connect.c.
+
+	Bugfix (defect introduced: Postfix-3.10, date 20250117):
+	include the current TLS security level in the SMTP connection
+	cache lookup key for lookups by next-hop destination. The
+	idea is that to deliver a message without "TLS-Required:
+	no" header, the Postfix SMTP client must not reuse a
+	connection that was created during a burst of deliveries
+	of messages with "TLS-Required: no" to the same destination.
+	Including the TLS security level in the SMTP connection
+	cache lookup key will also prevent false connection reuse
+	when any future feature is added that overrides the TLS
+	security level based on message content or envelope metadata.
+	Files: smtp/smtp.h.
+
+	Likewise, include the current TLS security level in the TLS
+	client serverid field. File: smtp/smtp_proto.c.
+
+20250622
+
+	Bugfix (defect introduced: 20250509): added missing ``#ifdef
+	USE_TLS'' guards around memcache key_digest support. File:
+	global/dict_memcache.c.
+
+20250623
+
+	Feature: change the Postfix SMTP client smtp_tls_security_level
+	default value to "may" if Postfix was built with TLS support,
+	and the compatibility_level is 3.11 or higher. At lower
+	compatibility levels, change the default to "empty" and log
+	a backwards compatibility reminder. Files: global/mail_params.h,
+	smtp/smtp.c, tlsproxy/tlsproxy.c, proto/postconf.proto,
+	proto/COMPATIBILITY_README.html.
+
+	There is no equivalent change for Postfix server TLS security
+	levels, because changing the level alone is not sufficient.
+	Server-side TLS requires that at least one private key and
+	corresponding public-key certificate chain are configured.
+
+20250624
+
+	Feature: a new debug: pseudo lookup table. Specify
+	debug:maptype:mapname to encapsulate a maptype:mapname
+	lookup table and log all access. This builds on existing
+	but unused code to log table access. Richard Hansen
+	(rhansen@rhansen.org). Files: proto/DATABASE_README.html,
+	postconf/Makefile.in, /postconf/postconf.c,
+	postconf/postconf_dbms.c, postconf/test77-main.cf,
+	postconf/test77.ref, util/Makefile.in, util/dict_debug.c,
+	util/dict_debug.h, util/dict_debug_test.ref,
+	util/dict_debug_test.sh, util/dict_open.c.
+
+	Cleanup: To keep the dict_debug: code clean, Wietse removed
+	support for the DICT_FLAG_DEBUG feature that had not been
+	used for decades. Files: util/dict_debug.c, util/dict.c,
+	util/dict.h, src/global/dict_ldap.c, global/dict_mongodb.c,
+	global/dict_mysql.c, global/dict_pgsql.c, global/dict_proxy.c,
+	global/dict_sqlite.c, util/dict_cdb.c, util/dict_cidr.c,
+	util/dict_db.c, util/dict_dbm.c, util/dict_env.c,
+	util/dict_fail.c, util/dict_inline.c, util/dict_lmdb.c,
+	util/dict_ni.c, util/dict_nis.c, util/dict_nisplus.c,
+	util/dict_pcre.c, util/dict_pipe.c, util/dict_random.c,
+	util/dict_regexp.c, util/dict_sdbm.c, util/dict_sockmap.c,
+	util/dict_static.c, util/dict_surrogate.c, util/dict_tcp.c,
+	util/dict_thash.c, util/dict_union.c, util/dict_unix.c.
+
+20250626
+
+	Cleanup: removed explicit dictionary life-cycle management
+	complexity from dict_xxx_open() and maps_create(), and
+	centralized it under the generic dict_open() API. Files:
+	global/maps.c, util/dict.c, util/dict.h, util/dict_alloc.c,
+	util/dict_debug.c, util/dict_inline.c, util/dict_open.c,
+	util/dict_pipe.c, util/dict_test.c, util/dict_thash.c,
+	util/dict_union.c.
+
+20250627
+
+	Temporary workaround to avoid a potential breaking change:
+	allow the proxymap server to continue registering a dictionary
+	under a legacy name, in addition to the preferred name that
+	it is registered under by dict_open(). Files: util/dict.[hc],
+	proxymap/proxymap.c.
+
+	Cleanup: some unused test binaries failed to build.  Files:
+	global/own_inet_addr.c, global/data_redirect.c,
+	global/mynetworks.c.
+
+20250608
+
+	Cosmetic changes with better identifier names. Files:
+	util/dict.[hc], util/dict_alloc.c, util/dict_pipe.c,
+	util/dict_union.c
+
+	Cleanup: simplified the match_list parser, and added a unit
+	test for !maptype:mapname. Files: util/match_list.c,
+	global/namaddr_list.in, global/namaddr_list.ref.
+
+	Cleanup: simplified the rule parser in global/server_acl.c.
+
+	Unbroke dict_debug Valgrind checks. File: util/dict_debug_test.sh.
+
+20250710
+
+	Bugfix (defect introduced: postfix-2.2, date 20050203):
+	after detecting a lookup table change, and after starting
+	a new postscreen process, the old postscreen process logged
+	an ENOTSOCK error while attempting to accept a connection
+	on a socket that it was no longer listening on. This error
+	was introduced first in the multi_server skeleton code, and
+	was five years later duplicated in the event_server skeleton
+	that was created for postscreen. Problem reported by Florian
+	Piekert. Files: master/multi_server.c, master/event_server.c.
+
+20250713
+
+	Cleanup: allow "postmap -s" and "postalias -s" with proxied
+	tables. The proxymap protocol already supported this. Files:
+	postmap/postmap.c, postalias/postalias.c.
+
+	Cleanup: simplified the proxymap protocol and the proxymap
+	table sharing strategy. Share only table instances that
+	have identical client-side dictionary flags when opening a
+	table (instead of sharing tables that have a common subset
+	of flags). With each client request, propagate all client-side
+	dictionary flags to the server, and upon request completion,
+	propagate all resulting server-side dictionary flags to the
+	client. Files: dict.h, dict_proxy.c, proxymap/proxymap.c,
+	global/mail_proto.h.
+
+	Cleanup; stop hard-coding "dict->flags = DICT_FLAG_FIXED"
+	in dict_alloc.c. All tables already overwrote that information.
+
+	Debugging: the default import_environment now also imports
+	XDG_RUNTIME_DIR to support GUI debugging a Postfix daemon
+	process on some platforms (it already imported XAUTHORITY
+	and DISPLAY for X-based debuggers). These environment
+	variables are set only when Postfix is started 'by hand'.
+	File: global/mail_params.h.
+
+	Graceful degradation: when a proxymap or proxywrite server
+	denies access to a table, do not terminate the program.
+	Instead, return a surrogate object that fails all requests
+	with an informative message. File: global/dict_proxy.c.
+
+	Workaround: added an example to the smtp_reply_filter
+	documentation that works around Microsoft SASL server
+	implementations that send a non-empty initial GSSAPI
+	challenge. File: proto/postconf.proto.
+
+	Typo in COMPATIBILITY_README.html. Emmanuel Fusté.
+
+20250714
+
+	Uploaded the wrong postfix-3.11-20250713 tarball. Files:
+	master/event_server.c, master/multi_server.c.
+
+	Deleted an <openssl/engine.h> dependency, because the feature is
+	being removed from OpenSSL, and Postfix no longer needs it. File:
+	posttls-finger/posttls-finger.c.
+
+	Updated the proxymap(8) manpage and some internal documentation.
+	File: proxymap/proxymap.c.
+
+20250715
+
+	Cleanup: the proxymap 'open' service always returns the
+	dict->flags from a newly-initialized instance. This avoids
+	cross-talk between different clients. File: proxymap/proxymap.c.
+
+20250716
+
+	Bugfix (defect introduced: Postfix 2.7, date 20121223):
+	segfault in the internal: table iterator when the table
+	contained exactly one element. File: util/htable.c.
+
+	Technical debt: allow an element to be deleted before the
+	internal: table's first/next iterator has visited it. File:
+	util/htable.c.
+
+20250716
+
+	Bugfix (defect introduced: Postfix 2.8, date 20101230):
+	after detecting a cache table change and before starting a
+	new postscreen process, the old postscreen process did not
+	close the postscreen_cache_map, and therefore kept an
+	exclusive lock that could prevent a new postscreen process
+	from starting. Problem reported by Florian Piekert. File:
+	postscreen/postscreen.c.
+
+20250717
+
+	Workaround: Postfix daemons no longer automatically restart
+	after a btree:, dbm:, hash:, lmdb:, or sdbm: table file
+	modification time change, when they opened that table for
+	writing. Files: util/dict.c, util/dict_db.c, util/dict_dbm.c,
+	util/dict_lmdb.c, util/dict_sdbm.c.
+
+20250728
+
+	Documentation: in the postmap(1) manual page, fix the caveat
+	for the '-h' option. Robert Hansen. File: postmap/postmap.c.
+
+	Documentation: make MULTI_INSTANCE_README terminology
+	(default and non-default instances) consistent with
+	postmulti(1) terminology (primary and secondary instances).
+	Robert Hansen. File: proto/MULTI_INSTANCE_README.html.
+
+	Documentation: clarify vstring(3) handling of functions
+	that expect null-terminated inputs. File: util/vstring.c.
+
+	Bugfix (defect introduced: Postfix 3.6, date 20200710):
+	Postfix TLS client code logged "Untrusted TLS connection"
+	(wrong) instead of "Trusted TLS connection" (right), when
+	a server offered a trusted (valid PKI trust chain) certificate
+	that did not match the expected server name pattern. Viktor
+	Dukhovni. Files: tls/tls_client.c, tls/tls_verify.c.
+
+	Cleanup: the TLS client stores no more than one session
+	ticket per TLS connection (a remote TLS 1.3 server can send
+	multiple tickets). Viktor Dukhovni. File: tls/tls_client.c.
+
+20250729
+
+	Cleanup: more precise handling of session tickets in the
+	Postfix TLS server. Viktor Dukhovni. File: tls/tls_server.c.
+
+	Cleanup: TLS_SESS_STATE.rpt_reported should be a public member.
+	File: tls/tls.h
+
+	Cleanup: document that TLS_SESS_STATE.ticketed is now a
+	dual-purpose field. File: tls/tls.h.
+
+	Support for the 'll' (long long, etc.) and 'j' (intmax_t,
+	etc.) format modifiers. These may appear in the expansion
+	of the C99 PRI?MAX macros. File: util/vbuf_print.c.
+
+	Y2038 compatibility for 32-bit computer systems: 'long'
+	will be too small for the YP_LAST_MODIFIED field in a NIS
+	or NISPLUS mail.aliases map. Jiaying Song, Wind River. File:
+	postalias/postalias.c. There is more time-handling code in
+	Postfix that would need to be converted to int64_t, or to
+	long long which just like time_t is a 64-bit type on many
+	ILP32 and LP64 systems.
+
+20250730
+
+	Bugfix (defect introduced: Postfix 3.6, date 20200710):
+	Postfix TLS client code logged "Untrusted TLS connection"
+	(wrong) instead of "Trusted TLS connection" (right) for a
+	resumed TLS session, when a server offered a trusted (valid
+	PKI trust chain) certificate that did not match the expected
+	server name pattern. Viktor Dukhovni. Files: tls/tls_client.c,
+	tls/tls_verify.c.
+
+	Cleanup: make the manpage extraction tooling smarter about
+	section headings, and remove the now unnecessary explicit
+	".SH" formatting requests. This produces zero visible change
+	in formatted Postfix manpages. Files: mantools/srctoman,
+	src/global/config_known_tcp_ports.c, postmulti/postmulti.c,
+	tls/tls_misc.c.
+
+	Regenerate all manpages, causing parameter summaries to be
+	updated with new descriptions from postconf(5). Files:
+	conf/postfix-tls-script, discard/discard.c, error/error.c,
+	oqmgr/qmgr.c, postmulti/postmulti.c, qmgr/qmgr.c,
+	virtual/virtual.c.
+
+20250801
+
+	Bugfix (defect introduced: Postfix 3.7): incorrect backwards
+	compatible support for the legacy configuration parameters
+	tlsproxy_client_level and tlsproxy_client_policy. This
+	disabled the tlsproxy TLS client role when a legacy parameter
+	was set. Reported by John Doe, diagnosed by Viktor Dukhovni.
+	File: global/mail_params.h.
+
+	Bugfix (defect introduced: Postfix 3.4): with the TLS client
+	role disabled by configuration, the tlsproxy daemon
+	dereferenced a null pointer while handling a tlsproxy client
+	request. Reported by John Doe. File: tlsproxy/tlsproxy.c.
+
+	Bugfix (defect introduced: 20250713): the import_environment
+	change did not have space between POSTLOG_HOSTNAME and
+	XDG_RUNTIME_DIR, breaking maillog_file support and graphical
+	debugging. File: global/mail_params.h.
+
+20250801
+
+	Feature: smtpd_reject_filter_maps can selectively replace a
+	reject response from the Postfix SMTP server, or from a
+	program that replies through the Postfix SMTP server. Files:
+	smtpd/smtpd.c, smtpd/smtpd_chat.c, global/mail_params.h,
+	proto/postconf.proto, mantools/postlink.
+
+20250803
+
+	Cleanup: when "tls_required_enable = yes" and a message
+	contains a "TLS-Required: no" header", the Postfix SMTP
+	client now also ignores the recipient-side TLSRPT policy,
+	in addition to the already ignored recipient-side MTA-STS
+	and DANE policies. This prevents TLSRPT notifications for
+	all SMTP deliveries that do not require TLS. File:
+	smtp/smtp_connect.c.
+
+20250806
+
+	Documentation: updated the smtpd_hide_client_session
+	description with specific reference to RFC 5321 section
+	4.4. File: proto/postconf.proto.
+
+20250807
+
+	Bugfix (defect introduced: 20250803): "TLS-Required: no"
+	was no longer in effect for deliveries over UNIX-domain
+	sockets (which are supported for LMTP only). Viktor Dukhovni.
+	File: smtp/smtp_connect.c.
+
+20250808
+
+	Cleanup: simplify the code to determine if "TLS-Required:
+	no" is in effect, and improve the tls_required_enable
+	documentation. This will be back-ported to Postfix 3.10.
+	Files: Makefile.in, smtp/smtp.h smtp/smtp_connect.c,
+	smtp/smtp_tls_policy.c, proto/postconf.proto.
+
+20250816
+
+	Bugfix (defect introduced: Postfix 3.0, date 20140731): the
+	smtpd 'disconnect' command counts did not count malformed
+	commands with "bad syntax" and "bad UTF-8 syntax" errors.
+	File: smtpd/smtpd.c.

postfix/Makefile.in

@@ -12,7 +12,7 @@ DIRS	= src/util src/global src/dns src/tls src/xsasl src/master src/milter \
 	src/postsuper src/qmqpd src/spawn src/flush src/verify \
 	src/virtual src/proxymap src/anvil src/scache src/discard src/tlsmgr \
 	src/postmulti src/postscreen src/dnsblog src/tlsproxy \
-	src/posttls-finger src/postlogd
+	src/posttls-finger src/postlogd src/testing
 MANDIRS	= proto man html
 LIBEXEC	= libexec/post-install libexec/postfix-script libexec/postfix-wrapper \
 	libexec/postmulti-script libexec/postfix-tls-script
@@ -115,7 +115,8 @@ manpages:
 	done </dev/null
 
 # Some checks require a bin/postconf executable.
-pre-release-checks: typo-check double-check missing-proxy-read-maps-check \
+pre-release-checks: update typo-check double-check \
+	missing-proxy-read-maps-check \
 	postlink-check postfix-files-check \
 	postconf-unimplemented-check postconf-undocumented-check \
 	check-table-proto check-see-postconf-d-output \

postfix/README_FILES/COMPATIBILITY_README

@@ -57,6 +57,13 @@ Logged with compatibility_level < 3.6:
 
   * Using backwards-compatible default setting respectful_logging=no
 
+Logged with compatibility_level < 3.11:
+
+  * using backwards-compatible default setting
+    smtp_tlsrpt_skip_reused_handshakes=yes
+
+  * using backwards-compatible default setting xxx_security_level=(empty)
+
 If such a message is logged in the context of a legitimate request, the system
 administrator should make the backwards-compatible setting permanent in main.cf
 or master.cf, as detailed in the sections that follow.
@@ -72,9 +79,9 @@ could result in unexpected non-delivery of email after Postfix is updated from
 an older version. The backwards-compatibility safety net is designed to prevent
 such surprises.
 
-As long as the append_dot_mydomain parameter is left at its implicit default
-value, and the compatibility_level setting is less than 1, Postfix may log one
-of the following messages:
+As long as the append_dot_mydomain parameter is left unspecified at its
+implicit default value, and the compatibility_level setting is less than 1,
+Postfix may log one of the following messages:
 
   * Messages about missing "localhost" in mydestination or other address class:
 
@@ -110,9 +117,9 @@ the chroot feature enabled after updating Postfix from an older version. The
 backwards-compatibility safety net is designed allow the administrator to
 choose if they want to keep the old behavior.
 
-As long as a master.cf chroot field is left at its implicit default value, and
-the compatibility_level setting is less than 1, Postfix may log the following
-message while it reads the master.cf file:
+As long as a master.cf chroot field is left unspecified at its implicit default
+value, and the compatibility_level setting is less than 1, Postfix may log the
+following message while it reads the master.cf file:
 
     postfix/master[27664]: /etc/postfix/master.cf: line 72: using
         backwards-compatible default setting chroot=y
@@ -137,8 +144,8 @@ denied' errors after Postfix is updated from an older Postfix version. The
 backwards-compatibility safety net is designed to prevent such surprises.
 
 When the compatibility_level less than 1, and the smtpd_relay_restrictions
-parameter is left at its implicit default setting, Postfix may log the
-following message:
+parameter is left unspecified at its implicit default setting, Postfix may log
+the following message:
 
     postfix/smtpd[38463]: using backwards-compatible default setting
         "smtpd_relay_restrictions = (empty)" to avoid "Relay access
@@ -160,10 +167,10 @@ that don't request SMTPUTF8 support, after Postfix is updated from an older
 version. The backwards-compatibility safety net is designed to prevent such
 surprises.
 
-As long as the smtputf8_enable parameter is left at its implicit default value,
-and the compatibility_level setting is less than 1, Postfix logs a warning each
-time an SMTP command uses a non-ASCII address localpart without requesting
-SMTPUTF8 support:
+As long as the smtputf8_enable parameter is left unspecified at its implicit
+default value, and the compatibility_level setting is less than 1, Postfix logs
+a warning each time an SMTP command uses a non-ASCII address localpart without
+requesting SMTPUTF8 support:
 
     postfix/smtpd[27560]: using backwards-compatible default setting
         smtputf8_enable=no to accept non-ASCII sender address
@@ -188,9 +195,9 @@ could cause unexpected 'access denied' errors after Postfix is updated from an
 older version. The backwards-compatibility safety net is designed to prevent
 such surprises.
 
-As long as the mynetworks and mynetworks_style parameters are left at their
-implicit default values, and the compatibility_level setting is less than 2,
-the Postfix SMTP server may log one of the following messages:
+As long as the mynetworks and mynetworks_style parameters are left unspecified
+at their implicit default values, and the compatibility_level setting is less
+than 2, the Postfix SMTP server may log one of the following messages:
 
     postfix/smtpd[17375]: using backwards-compatible default setting
         mynetworks_style=subnet to permit request from client
@@ -214,9 +221,9 @@ value. This could result in unexpected 'Relay access denied' errors or ETRN
 errors after Postfix is updated from an older version. The backwards-
 compatibility safety net is designed to prevent such surprises.
 
-As long as the relay_domains parameter is left at its implicit default value,
-and the compatibility_level setting is less than 2, Postfix may log one of the
-following messages.
+As long as the relay_domains parameter is left unspecified at its implicit
+default value, and the compatibility_level setting is less than 2, Postfix may
+log one of the following messages.
 
   * Messages about accepting mail for a remote domain:
 
@@ -263,10 +270,10 @@ deprecated) setting, you should consider switching to "sha256". This will
 require updating any associated lookup table keys with the "sha256" digests of
 the expected client certificate or public key.
 
-As long as the smtpd_tls_fingerprint_digest parameter is left at its implicit
-default value, and the compatibility_level setting is less than 3.6, Postfix
-logs a warning each time a client certificate or public key fingerprint is
-(potentially) used for access control:
+As long as the smtpd_tls_fingerprint_digest parameter is left unspecified at
+its implicit default value, and the compatibility_level setting is less than
+3.6, Postfix logs a warning each time a client certificate or public key
+fingerprint is (potentially) used for access control:
 
     postfix/smtpd[27560]: using backwards-compatible default setting
         smtpd_tls_fingerprint_digest=md5 to compute certificate fingerprints
@@ -299,10 +306,10 @@ table to specify matching "sha256" digests of the expected server certificates
 or public keys.
 
 As long as the smtp_tls_fingerprint_digest (or LMTP equivalent) parameter is
-left at its implicit default value, and the compatibility_level setting is less
-than 3.6, Postfix logs a warning each time the "fingerprint" security level is
-used to specify matching "md5" digests of trusted server certificates or public
-keys:
+left unspecified at its implicit default value, and the compatibility_level
+setting is less than 3.6, Postfix logs a warning each time the "fingerprint"
+security level is used to specify matching "md5" digests of trusted server
+certificates or public keys:
 
     postfix/smtp[27560]: using backwards-compatible default setting
         smtp_tls_fingerprint_digest=md5 to compute certificate fingerprints
@@ -332,8 +339,8 @@ behavior.
 To maintain compatibility with earlier versions, Postfix will keep evaluating
 smtpd_recipient_restrictions before smtpd_relay_restrictions, as long as the
 compatibility_level is less than 3.6, and the
-smtpd_relay_before_recipient_restrictions parameter is left at its implicit
-default setting. As a reminder, Postfix may log the following message:
+smtpd_relay_before_recipient_restrictions parameter is left unspecified at its
+implicit default setting. As a reminder, Postfix may log the following message:
 
     postfix/smtpd[54696]: using backwards-compatible default setting
         smtpd_relay_before_recipient_restrictions=no to reject recipient
@@ -356,10 +363,10 @@ backwards-compatible default values, the changes in logging could affect
 logfile analysis tools.
 
 To avoid breaking existing logfile analysis tools, Postfix will keep logging
-the deprecated form, as long as the respectful_logging parameter is left at its
-implicit default value, and the compatibility_level setting is less than 3.6.
-As a reminder, Postfix may log the following when a remote SMTP client is
-allowlisted or denylisted:
+the deprecated form, as long as the respectful_logging parameter is left
+unspecified at its implicit default value, and the compatibility_level setting
+is less than 3.6. As a reminder, Postfix may log the following when a remote
+SMTP client is allowlisted or denylisted:
 
     postfix/postscreen[22642]: Using backwards-compatible default setting
         respectful_logging=no for client [address]:port
@@ -371,6 +378,59 @@ administrator should make the backwards-compatible setting "respectful_logging
     # ppoossttccoonnff ""rreessppeeccttffuull__llooggggiinngg == nnoo""
     # ppoossttffiixx rreellooaadd
 
+UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg
+ssmmttpp__ttllssrrpptt__sskkiipp__rreeuusseedd__hhaannddsshhaakkeess==yyeess
+
+Postfix version 3.11 changes the default value for
+smtp_tlsrpt_skip_reused_handshakes from "yes" to "no". The backwards-
+compatibility safety net is designed to prevent an unexpected change in
+reporting behavior when Postfix is updated from an older version.
+
+As long as the smtp_tlsrpt_skip_reused_handshakes parameter is left unspecified
+at its implicit default value, and the compatibility_level setting is less than
+3.11, Postfix will log a reminder that it is using the backwards-compatible
+default:
+
+    postfix/smtp[388157] using backwards-compatible default setting
+        smtp_tlsrpt_skip_reused_handshakes=yes
+
+To keep the old default setting, the system administrator should make the
+backwards-compatible setting "smtp_tlsrpt_skip_reused_handshakes = yes"
+permanent in main.cf:
+
+    # ppoossttccoonnff ssmmttpp__ttllssrrpptt__sskkiipp__rreeuusseedd__hhaannddsshhaakkeess==yyeess
+    # ppoossttffiixx rreellooaadd
+
+UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg xxxxxx__sseeccuurriittyy__lleevveell==((eemmppttyy))
+
+Postfix version 3.11 changes the default value for client TLS security levels
+from "empty" to "may". The backwards-compatibility safety net is designed to
+prevent an unexpected change in mail sending behavior when Postfix is updated
+from an older version.
+
+There is no equivalent change for Postfix server TLS security levels, because
+changing the level alone is not sufficient. Server-side TLS requires that at
+least one private key and one public-key certificate chain are configured.
+
+As long as a TLS security level parameter is left unspecified at its implicit
+default value, and the compatibility_level setting is less than 3.11, Postfix
+will log one of the following reminders that it is using the backwards-
+compatible default:
+
+    postfix/smtp[...] using backwards-compatible default setting
+        smtp_tls_security_level=(empty)
+
+    postfix/tlsproxy[...] using backwards-compatible default setting
+        tlsproxy_client_security_level=(empty)
+
+To keep the old default setting, the system administrator should make the
+backwards-compatible empty setting permanent in main.cf:
+
+    # ppoossttccoonnff xxxxxx__sseeccuurriittyy__lleevveell==
+    # ppoossttffiixx rreellooaadd
+
+where xxx is taken from the above compatibility message.
+
 TTuurrnniinngg ooffff tthhee bbaacckkwwaarrddss--ccoommppaattiibbiilliittyy ssaaffeettyy nneett
 
 Backwards compatibility is turned off by updating the compatibility_level

postfix/README_FILES/DATABASE_README

@@ -200,6 +200,15 @@ To find out what database types your Postfix system supports, use the "ppooss
         databases are maintained by Postfix daemons. The lookup table name as
         used in "dbm:table" is the database file name without the ".dir" or
         ".pag" suffix.
+    ddeebbuugg
+        An adapter for another table that causes all accesses to be logged.
+        Example usage: "debug:hash:/etc/postfix/example". The formats of the
+        log messages are unspecified and subject to change. Warning: If a query
+        or the underlying table contains sensitive information (such as a
+        password), that information might be logged.
+
+        This feature is available with Postfix 3.11 and later.
+
     eennvviirroonn
         The UNIX process environment array. The lookup key is the variable
         name. The lookup table name in "environ:table" is ignored.

postfix/README_FILES/DEPRECATION_README

@@ -58,6 +58,8 @@ the "obsolete feature" name for a more detailed description.
     |                           |ooff     |iinn vveerrssiioonn|                         |
     |                           |vveerrssiioonn|          |                         |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |xxx_tls_enforce_peername   |  3.11 |      -   |xxx_tls_security_level   |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
     |disable_dns_lookups        |   3.9 |      -   |smtp_dns_support_level   |
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
     |xxx_use_tls                |   3.9 |      -   |xxx_tls_security_level   |
@@ -83,6 +85,33 @@ the "obsolete feature" name for a more detailed description.
     |                           |       |          |permit_sasl_authenticated|
     |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 
+OObbssoolleettee TTLLSS ppeeeerr nnaammee mmaattcchh ccoonnffiigguurraattiioonn
+
+The postconf(1) command logs one of the following:
+
+  * support for parameter "lmtp_tls_enforce_peername" will be removed; instead,
+    specify "lmtp_tls_security_level"
+  * support for parameter "smtp_tls_enforce_peername" will be removed; instead,
+    specify "smtp_tls_security_level"
+
+There are similarly-named parameters and warnings for postscreen(8) and
+tlsproxy(8), but those parameters should rarely be specified by hand.
+
+Replace obsolete configuration with its replacement:
+
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |GGooaall                   |OObbssoolleettee ccoonnffiigguurraattiioonn|RReeppllaacceemmeenntt ccoonnffiigguurraattiioonn|
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |                       |                      |xxx_security_level =     |
+    |Enforce peer name match|xxx_enforce_peername =|verify                   |
+    |with server certificate|yes                   |xxx_security_level =     |
+    |                       |                      |secure                   |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |Disable peer name match|xxx_enforce_peername =|xxx_security_level = may |
+    |with server certificate|no                    |xxx_security_level =     |
+    |                       |                      |encrypt                  |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
 OObbssoolleettee DDNNSS oonn//ooffff ccoonnffiigguurraattiioonn
 
 The postconf(1) command logs the following:

postfix/README_FILES/MULTI_INSTANCE_README

@@ -16,7 +16,7 @@ Topics covered in this document:
   * Null-client instances versus service instances
   * Multi-instance walk-through
   * Components of a Postfix system
-  * The default Postfix instance
+  * The primary Postfix instance
   * Instance groups
   * Multi-instance configuration parameters
   * Using the postmulti(1) command
@@ -64,7 +64,7 @@ that multiple instances will be easier to use than ever before.
 NNuullll--cclliieenntt iinnssttaanncceess vveerrssuuss sseerrvviiccee iinnssttaanncceess
 
 In the multi-instance approach to configuring Postfix, the first simplification
-is with the default local-submission Postfix instance.
+is with the primary local-submission Postfix instance.
 
 Most UNIX systems require support for email submission with the sendmail(1)
 command so that system processes such as cron jobs can send status reports, and
@@ -103,7 +103,7 @@ scrutiny, locally submitted messages are typically limited to mail from cron
 jobs and other system services. In this regard the border MTA is not different
 from other Unix hosts in your environment. For this reason, it will submit
 locally-generated email to the internal mail hub. We start the construction of
-the border mail server with the default instance, which will be a local-
+the border mail server with the primary instance, which will be a local-
 submission null client:
 
     /etc/postfix/main.cf:
@@ -213,7 +213,7 @@ before the input instance can be fully tested, and when the system boots, the
 and input instances into a single instance group named "mta".
 
 Just once, when adding the first secondary instance, enable multi-instance
-support in the default (null-client) instance:
+support in the primary (null-client) instance:
 
     # postmulti -e init
 
@@ -223,7 +223,7 @@ Then create the output instance:
 
 The instance configuration directory defaults to /etc/postfix-out, more
 precisely, the "postfix-out" subdirectory of the parent directory of the
-default-instance configuration directory. The new instance will be created in a
+primary-instance configuration directory. The new instance will be created in a
 "disabled" state:
 
     /etc/postfix-out/main.cf
@@ -240,7 +240,7 @@ default-instance configuration directory. The new instance will be created in a
 
 This instance has a "stock" master.cf file, and its queue and data directories,
 also named "postfix-out", will be located in the same parent directories as the
-corresponding directories of the default instance (e.g., /var/spool/postfix-out
+corresponding directories of the primary instance (e.g., /var/spool/postfix-out
 and /var/lib/postfix-out).
 
 While this instance is immediately safe to start, it is not yet usefully
@@ -367,7 +367,7 @@ instance group:
 
 The new instance configuration directory defaults to /etc/postfix-in, more
 precisely, the "postfix-in" subdirectory of the parent directory of the
-default-instance configuration directory. The new instance will be created in a
+primary-instance configuration directory. The new instance will be created in a
 "disabled" state:
 
     /etc/postfix-in/main.cf
@@ -520,7 +520,7 @@ set in main.cf is $config_directory, as this defines the location of the
 main.cf file itself.
 
 Though config_directory cannot be set in main.cf, postfix(1) and most of the
-other command-line Postfix utilities allow you to specify a non-default
+other command-line Postfix utilities allow you to specify a secondary
 configuration directory via a command line option (typically --cc) or via the
 MAIL_CONFIG environment variable. In this way, it is possible to have multiple
 configuration directories on the same machine, and to have multiple running
@@ -535,27 +535,27 @@ Each combination of configuration directory, together with the queue directory
 and data directory (specified in the corresponding main.cf file) make up a
 Postfix iinnssttaannccee.
 
-TThhee ddeeffaauulltt PPoossttffiixx iinnssttaannccee
+TThhee pprriimmaarryy PPoossttffiixx iinnssttaannccee
 
 One Postfix instance is special: this is the instance whose configuration
 directory is the default one compiled into the Postfix utilities. The location
 of the default configuration directory is typically /etc/postfix, and can be
 queried via the "postconf -d config_directory" command. We call the instance
-with this configuration directory the "default instance".
+with this configuration directory the "primary instance".
 
-The default instance is responsible for local mail submission. The setgid
+The primary instance is responsible for local mail submission. The setgid
 postdrop(1) utility is used by the sendmail(1) local submission program to
 spool messages into the mmaaiillddrroopp sub-directory of the queue directory of the
-default instance.
+primary instance.
 
 Even in the rare case when "sendmail -C" is used to submit local mail into a
-non-default Postfix instance, for security reasons, postdrop(1) will consult
-the default main.cf file to check the validity of the requested non-default
+secondary Postfix instance, for security reasons, postdrop(1) will consult the
+primary main.cf file to check the validity of the requested non-default
 configuration directory.
 
-So, while in most other respects, all instances are equal, the default instance
-is "more equal than others". You may choose to create additional instances, but
-you must have at least the default instance, with its configuration directory
+So, while in most other respects, all instances are equal, the primary instance
+is "more equal than others". You may choose to create secondary instances, but
+you must have at least the primary instance, with its configuration directory
 in the default compiled-in location.
 
 IInnssttaannccee ggrroouuppss
@@ -575,9 +575,9 @@ the related instances should be members of a single instance group (however,
 the content filter usually has its own start/stop procedure that is separate
 from any Postfix instance).
 
-The default instance main.cf file's $multi_instance_directories configuration
+The primary instance main.cf file's $multi_instance_directories configuration
 parameter lists the configuration directories of all secondary (non-default)
-instances. Together with the default instance, these secondary instances are
+instances. Together with the primary instance, these secondary instances are
 managed by the multi-instance manager. Instances are started in the order
 listed, and stopped in the opposite order. For instances that are members of a
 service "group", you should arrange to start the service back-to-front, with
@@ -587,16 +587,16 @@ started.
 MMuullttii--iinnssttaannccee ccoonnffiigguurraattiioonn ppaarraammeetteerrss
 
 multi_instance_wrapper
-    This default-instance configuration parameter must be set to a suitable
+    This primary-instance configuration parameter must be set to a suitable
     multi-instance manager's "wrapper" program that controls the starting,
     stopping, etc. of a multi-instance Postfix system. To use the postmulti(1)
     manager described in this document, this parameter should be set with the
     "postmulti -e init" command.
 
 multi_instance_directories
-    This default-instance configuration parameter specifies an optional list of
+    This primary-instance configuration parameter specifies an optional list of
     the secondary instances controlled via the multi-instance manager.
-    Instances are listed in their "start" order, with the default instance
+    Instances are listed in their "start" order, with the primary instance
     always started first (if enabled). If $multi_instance_directories is left
     empty, the postfix(1) command runs with multi-instance support turned off,
     and none of the multi_instance_ configuration parameters will have any
@@ -672,37 +672,37 @@ IInniittiiaalliizziinngg tthhee mmuullttii--iinnssttaa
 
 Before postmulti(1) is used for the first time, you must install it as the
 multi_instance_wrapper for your Postfix system and enable multi-instance
-operation of the default Postfix instance. You can then proceed to add new or
+operation of the primary Postfix instance. You can then proceed to add new or
 existing instances to the multi-instance configuration. This initial
 installation is accomplished as follows:
 
         # postmulti -e init
 
-This updates the default instance main.cf file as follows:
+This updates the primary instance main.cf file as follows:
 
         # Use postmulti(1) as a postfix-wrapper(5)
         #
         multi_instance_wrapper = ${command_directory}/postmulti -p --
 
-        # Configure the default instance to start when in multi-instance mode
+        # Configure the primary instance to start when in multi-instance mode
         #
         multi_instance_enable = yes
 
-If you prefer, you can make these changes by editing the default main.cf
+If you prefer, you can make these changes by editing the primary main.cf
 directly, or by using "postconf -e".
 
 LLiissttiinngg mmaannaaggeedd iinnssttaanncceess
 
-The list of managed instances consists of the default instance and the
-additional instances whose configuration directories are listed (in start
-order) under the multi_instance_directories parameter of the default main.cf
+The list of managed instances consists of the primary instance and the
+secondary instances whose configuration directories are listed (in start order)
+under the multi_instance_directories parameter of the primary main.cf
 configuration file.
 
 You can list selected instances, groups of instances or all instances by
 specifying only the instance matching options with the "-l" option. The "-a"
 option is assumed if no other instance selection options are specified (this
 behavior changes with the "-e" option). As a special case, even if it has an
-explicit name, the default instance can always be selected via "-i -".
+explicit name, the primary instance can always be selected via "-i -".
 
     # postmulti -l -a
     # postmulti -l -g a_group
@@ -732,8 +732,8 @@ either the instance name or the instance group is not set, it is shown as a "-
 
 When selecting an existing instance via the "-i" option, you can always use the
 full pathname of its configuration directory instead of the instance (short)
-name. This is the only way to select a non-default nameless instance. The
-default instance can be selected via "-i -", whether it has a name or not.
+name. This is the only way to select a secondary nameless instance. The primary
+instance can be selected via "-i -", whether it has a name or not.
 
 To list instances in reverse start order, include the "-R" option together with
 the instance selection options.
@@ -826,9 +826,9 @@ possibilities:
 
 CCrreeaattiinngg aa nneeww PPoossttffiixx iinnssttaannccee
 
-The postmulti(1) command can be used to create additional Postfix instances.
-New instances are created with local submission and all "inet" services
-disabled via the following non-default parameter settings in the main.cf file:
+The postmulti(1) command can be used to create secondary Postfix instances. New
+instances are created with local submission and all "inet" services disabled
+via the following non-default parameter settings in the main.cf file:
 
     authorized_submit_users =
     master_service_disable = inet
@@ -839,8 +839,8 @@ will also not accept any mail until they are fully configured, at which point
 you can do away with one or both of the above safety measures.
 
 The postmulti(1) command encourages a preferred way of organizing the
-configuration directories, queue directories and data directories of non-
-default instances. If the default instance settings are:
+configuration directories, queue directories and data directories of secondary
+instances. If the primary instance settings are:
 
     config_directory = /conf-path/postfix
     queue_directory = /queue-path/postfix
@@ -885,7 +885,7 @@ existing instances. By default, the configuration directories of newly managed
 instances are appended to the instance list. You can use the "-i" or "-g" or "-
 a" options to insert the new instance before the specified instance or group,
 or at the beginning of the instance list (multi_instance_directories parameter
-of the default instance).
+of the primary instance).
 
 If you do specify a name (use "-I" with a name that is not "-") for the new
 instance, you may omit any of the 3 instance installation parameters whose

postfix/README_FILES/SMTPUTF8_README

@@ -278,8 +278,8 @@ current versions of the Firefox and Chrome web browsers. Specify
 "enable_idna2003_compatibility = yes" to get the historical behavior.
 
 This affects the conversion of domain names that contain for example the German
-sz (ß) and the Greek zeta (ς). See https://unicode.org/cldr/utility/idna.jsp
-for more examples.
+sz (ß) and the Greek (final) sigma (ς). See https://unicode.org/cldr/utility/
+idna.jsp for more examples.
 
 CCrreeddiittss
 

postfix/README_FILES/TLSRPT_README

@@ -7,6 +7,7 @@ TTaabbllee ooff CCoonntteennttss
   * Introduction
   * Building Postfix with TLSRPT support
   * Turning on TLSRPT
+  * Connection reuse versus session resumption
   * TLSRPT Status logging
   * Delivering TLSRPT summaries via email
   * MTA-STS Support via smtp_tls_policy_maps
@@ -27,7 +28,7 @@ A policy for domain example.com could look like this:
 
 Instead of mailto:, a policy may specify an https: destination.
 
-The diagram below shows how Postfix TLS handshake success and failure events
+The diagram below shows how successful or failed Postfix TLS handshake events
 are collected and processed into daily summary reports.
 
      Postfix SMTP and      TLSRPT client     TLSRPT collector,    Email or HTTP
@@ -49,8 +50,8 @@ TLSRPT information, are implemented and maintained by sys4 at https://
 github.com/sys4/libtlsrpt and https://github.com/sys4/tlsrpt-reporter,
 respectively.
 
-The Postfix implementation supports TLSRPT or domains with DANE (Postfix built-
-in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
+The Postfix implementation supports TLSRPT for domains with DANE (Postfix
+built-in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
 
 The Postfix smtp(8) client process implements the SMTP client engine. With
 "smtp_tls_connection_reuse = no", the smtp(8) client process also implements
@@ -124,6 +125,36 @@ Notes:
 For details on how to run the TLSRPT collection and reporting infrastructure,
 see the documentation at https://github.com/sys4/tlsrpt-reporter.
 
+CCoonnnneeccttiioonn rreeuussee vveerrssuuss sseessssiioonn rreessuummppttiioonn
+
+The Postfix SMTP client implements two kinds of reuse:
+
+  * SSMMTTPP CCoonnnneeccttiioonn rreeuussee:: a Postfix SMTP client creates a new SMTP connection,
+    sends one email message, and saves the connection instead of closing it.
+    Later, some SMTP client reuses that connection, sends an email message, and
+    saves or closes the connection depending on whether it has reached some
+    reuse limit. Each connection can be used by only one Postfix SMTP client at
+    a time.
+
+  * TTLLSS SSeessssiioonn rreessuummppttiioonn:: a Postfix SMTP client saves the result from a "new"
+    TLS handshake. Later, one or more SMTP clients create a new SMTP connection
+    and resume the saved TLS session on their new connection.
+
+Of course there is a third case:
+
+  * CCoommbbiinneedd rreeuussee aanndd rreessuummppttiioonn:: a Postfix SMTP client creates a new SMTP
+    connection, sends one email message, saves the result from a "new" TLS
+    handshake, and also saves the connection instead of closing it. Later, one
+    SMTP client reuses (and saves) that connection, one client at a time, and
+    one or more clients create a new SMTP connection and resume the saved TLS
+    session on their new connection.
+
+In all cases, there is no TLS handshake when a saved SMTP connection is reused,
+and there is no "new" TLS handshake when a saved TLS session is resumed.
+
+As described next, Postfix will by default log and generate only a TLSRPT event
+for a "new" TLS handshake.
+
 TTLLSSRRPPTT SSttaattuuss llooggggiinngg
 
 With TLSRPT support turned on, the Postfix TLSRPT client will not only report
@@ -157,11 +188,11 @@ Notes:
     Untrusted TTLLSS ccoonnnneeccttiioonn rreeuusseedd to mail.example.com[ipaddr]:25:
         TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 
-  * By default, Postfix does not report the TLSRPT status for a TLS handshake
-    that reuses a previously-negotiated TLS session (there would be no new
-    information to report). Specify "smtp_tlsrpt_skip_reused_handshakes = no"
-    to report the TLSRPT status for all TLS handshakes. This may be useful for
-    troubleshooting.
+  * With TLSRPT enabled, the Postfix SMTP client reports the TLSRPT status for
+    all TLS handshakes (the default as of Postfix 3.11). Specify
+    "smtp_tlsrpt_skip_reused_handshakes = yes" (the default with Postfix 3.10)
+    to skip reporting TLS handshakes that reuse a previously-negotiated TLS
+    session as there would be no new information to report.
 
   * Postfix logging for certificate verification failures may differ between
     new or reused TLS sessions.
@@ -225,7 +256,7 @@ Options:
 
 MMTTAA--SSTTSS SSuuppppoorrtt vviiaa ssmmttpp__ttllss__ppoolliiccyy__mmaappss
 
-Postfix supports MTA-STS though an smtp_tls_policy_maps policy plugin, which
+Postfix supports MTA-STS through an smtp_tls_policy_maps policy plugin, which
 replies with a TLS security level and name=value attributes with certificate
 matching requirements. Postfix 3.10 and later extend the policy plugin response
 with additional name=value attributes that are needed for TLSRPT.

postfix/README_FILES/XCLIENT_README

@@ -100,8 +100,8 @@ Note 3: Postfix implementations prior to version 2.3 do not xtext encode
 attribute values. Servers that wish to interoperate with these older
 implementations should be prepared to receive unencoded information.
 
-Note 4: Some Postfix implementations do not implement the PORT or LOGIN
-attributes.
+Note 4: The PORT attribute is implemented in Postfix 2.5 and later; the LOGIN
+attribute in Postfix 2.9 and later.
 
 XXCCLLIIEENNTT SSeerrvveerr rreessppoonnssee
 

postfix/RELEASE_NOTES

@@ -1,19 +1,19 @@
-This is the Postfix 3.10 experimental release.
+This is the Postfix 3.11 experimental release.
 
-The stable Postfix release is called postfix-3.9.x where 3=major
-release number, 9=minor release number, x=patchlevel. The stable
+The stable Postfix release is called postfix-3.10.x where 3=major
+release number, 10=minor release number, x=patchlevel. The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 
 New features are developed in snapshot releases. These are called
-postfix-3.10-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-3.11-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day). Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
-If you upgrade from Postfix 3.8 or earlier, please read RELEASE_NOTES-3.9
+If you upgrade from Postfix 3.9 or earlier, please read RELEASE_NOTES-3.10
 before proceeding.
 
 Dual license
@@ -25,95 +25,3 @@ now also distributed with the more recent Eclipse Public License
 (EPL) 2.0. Recipients can choose to take the software under the
 license of their choice. Those who are more comfortable with the
 IPL can continue with that license.
- 
-[Feature 20250117]
-
-Support for the RFC 8689 "TLS-Required: no" message header to request
-delivery of messages such as TLSRPT summaries even if the preferred
-TLS security policy cannot be enforced. This limits the Postfix
-SMTP client to "smtp_tls_security_level = may" which does not
-authenticate server certificates and which allows falling back to
-plaintext.
-
-Support for the REQUIRETLS SMTP service extension remains future work.
-
-[Incompat 20250116]
-
-Postfix needs "postfix reload" after upgrade, because of a change in
-the delivery agent protocol. If this step is skipped, Postfix delivery
-agents will log a warning:
-
-    unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
-
-where xxx is the delivery agent service name.
-
-[Incompat 20250106]
-
-The logging of the Milter 'quarantine' action has changed. Instead
-of logging "milter triggers HOLD action", it logs the reason given
-by a Milter application, or "default_action" if a Milter application
-was unavailable and the milter_default_action parameter or Milter
-"default_action" property specifies "quarantine".
-
-[Feature 20250106]
-
-The Postfix Milter implementation now logs the reason for a 
-'quarantine' action, instead of "milter triggers HOLD action".
-
-- If the quarantine action was requested by a Milter application,
-  Postfix will log the reason given by the application.
-
-- If the quarantine action was requested with the "milter_default_action"
-  parameter setting or with a Milter "default_action" property,
-  Postfix will log "default_action".
-
-[Feature 20250105]
-
-Support for automatic RFC 2047 encoding of non-ASCII "full name"
-information in Postfix-generated From: message headers. Encoding
-non-ASCII full names can avoid the need to use SMTPUTF8, and therefore
-can avoid incompatibility with sites that do not support SMTPUTF8.
-
-The encoded result looks like "=?charset?Q?gibberish?=: for
-quoted-printable encoding, or "=?charset?B?gibberish?=" for base64
-encoding. Postfix uses quoted-printable for a full name that is
-short or mostly ASCII, and uses base64 otherwise.
-
-Background: when a message without a From: header is submitted with the
-Postfix sendmail(1) command, Postfix will add a From: header and will
-try to use the sender's full name specified with the Postfix sendmail(1)
-"-F" option, with the sendmail(1) "NAME" environment variable, or
-with the GECOS field in the UNIX password database.
-
-This introduces a new configuration parameter "full_name_encoding_charset"
-(default: utf8) which specifies the character set of the full name
-information in the Postfix sendmail(1) "-F" option or "NAME"
-environment variable, or in the GECOS field in the UNIX password
-database. The parameter value is also part of the encoded full name,
-and informs a Mail User Agent how to display the decoded gibberish.
-
-[Incompat 20250105]
-
-The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
-ends abnormally (timeout, lost connection, or too many errors).
-
-[Feature 20250105]
-
-The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
-ends abnormally (timeout, lost connection, or too many errors).
-
-[Feature 20241104]
-
-The cleanup server now logs "queueid: canceled" when a message
-transaction is started but not completed. This provides a clear
-signal to logfile collation tools.
-
-[Feature 20240926]
-
-Support for the TLSRPT protocol (defined in RFC 8460). With this,
-an email receiving domain can publish a policy in DNS, and request
-daily summary reports for successful and failed SMTP-over-TLS
-connections to that domain's MX hosts.
-
-Postfix supports TLSRPT summaries for DANE (built-in) and MTA-STS
-(via an smtp_tls_policy_maps plugin). For details, see TLSRPT_README.

postfix/RELEASE_NOTES-3.10

@@ -0,0 +1,200 @@
+This is the Postfix 3.10 stable release.
+
+The stable Postfix release is called postfix-3.10.x where 3=major
+release number, 10=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.11-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.8 or earlier, please read RELEASE_NOTES-3.9
+before proceeding.
+
+Dual license
+------------
+
+As of Postfix 3.2.5 this software is distributed with a dual license:
+in addition to the historical IBM Public License (IPL) 1.0, it is
+now also distributed with the more recent Eclipse Public License
+(EPL) 2.0. Recipients can choose to take the software under the
+license of their choice. Those who are more comfortable with the
+IPL can continue with that license.
+
+Major changes - tls
+-------------------
+
+[Forward compatibility 20250212] Support for OpenSSL 3.5 post-quantum
+cryptography. To manage algorithm selection, OpenSSL introduces new
+TLS group syntax that Postfix will not attempt to imitate. Instead,
+Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
+parameter values to have an empty value. When both are set empty,
+the algorithm selection can be managed through OpenSSL configuration.
+For more, look for "Post-quantum" in the postconf(5) manpage.
+
+[Feature 20250117] Support for the RFC 8689 "TLS-Required: no"
+message header to request delivery of messages such as TLSRPT
+summaries even if the preferred TLS security policy cannot be
+enforced. This limits the Postfix SMTP client to "smtp_tls_security_level
+= may" which does not authenticate server certificates and which
+allows falling back to plaintext.
+
+Support for the REQUIRETLS SMTP service extension remains future work.
+
+[Feature 20240926] Support for the TLSRPT protocol (defined in RFC
+8460). With this, a domain can publish a policy in DNS, and request
+daily summary reports for successful and failed SMTP-over-TLS
+connections to that domain's MX hosts.
+
+Postfix supports TLSRPT summaries for DANE (built-in) and MTA-STS
+(via an smtp_tls_policy_maps plugin). For details, see TLSRPT_README.
+
+Major changes - privacy
+-----------------------
+
+[Feature 20250205] With "smtpd_hide_client_session = yes", the
+Postfix SMTP server generates a Received: header without client
+session info This setting may be used with the MUA submission
+services (port 465 and 587), but it must not be used with the MTA
+service (port 25).
+
+Depending on the number of recipients, a redacted Received: header
+has one of the following forms:
+
+Received: by mail.example.com (Postfix) id postfix-queue-id
+        for <user@example.com>; Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
+
+Received: by mail.example.com (Postfix) id postfix-queue-id
+        Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
+
+The redacted form hides that a message was received with SMTP, and
+therefore it does not need to provide the information required by
+RFC 5321. It only has to satisfy RFC 5322.
+
+Major changes - rfc2047
+-----------------------
+
+[Feature 20250105] Support for automatic RFC 2047 encoding of
+non-ASCII "full name" information in Postfix-generated From: message
+headers.  Encoding non-ASCII full names can avoid the need to use
+SMTPUTF8, and therefore can avoid incompatibility with sites that
+do not support SMTPUTF8.
+
+The encoded result looks like "=?charset?Q?gibberish?=: for
+quoted-printable encoding, or "=?charset?B?gibberish?=" for base64
+encoding. Postfix uses quoted-printable for a full name that is
+short or mostly ASCII, and uses base64 otherwise.
+
+Background: when a message without a From: header is submitted with
+the Postfix sendmail(1) command, Postfix may add a From: header and
+use the sender's full name specified with the Postfix sendmail(1)
+"-F" option, with the sendmail(1) "NAME" environment variable, or
+with the GECOS field in the UNIX password database.
+
+This introduces a new configuration parameter "full_name_encoding_charset"
+(default: utf8) which specifies the character set of the full name
+information in the Postfix sendmail(1) "-F" option or "NAME"
+environment variable, or in the GECOS field in the UNIX password
+database. The parameter value becomes part of the encoded full name,
+and informs a Mail User Agent how to display the decoded gibberish.
+
+Major changes - bugfix
+----------------------
+
+[Incompat 20241130] The spawn(8) daemon failed to enforce the command
+time limit. It was sending the SIGKILL signal using the wrong
+effective UID and GID. The pipe(8) daemon has always done this
+right.
+
+Major changes - database
+------------------------
+
+[Feature 20250207] When mysql: or pgsql: configuration specifies
+a single host, assume that it is a load balancer and reconnect
+immediately after a single failure, instead of failing all requests
+for 60s.
+
+[Feature 20250114] first/next iterator support for cdb: tables, and
+other cdb: table code cleanups by Michael Tokarev.
+
+[Feature 20241024] In a pgsql: client configuration, the setting
+"dbname" is required, but ignored when the setting "hosts" contains
+an URI with a database name.
+
+[Feature 20241025] The Postfix pgsql: client configuration now
+allows any well-formed URI prefix as a pgsql: client connection
+target (the PostgreSQL URI parser decides what is allowed). The
+dbname setting is now optional if the hosts setting specifies only
+URIs.
+
+Major changes - internal protocol
+---------------------------------
+
+[Incompat 20250116] Postfix needs "postfix reload" after upgrade,
+because of a change in the delivery agent protocol. If this step
+is skipped, Postfix delivery agents will log a warning:
+
+    unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
+
+where xxx is the delivery agent service name.
+
+Major changes - milter
+----------------------
+
+[Incompat 20250106] The logging of the Milter 'quarantine' action
+has changed.  Instead of logging "milter triggers HOLD action", it
+logs the reason given by a Milter application, or "default_action"
+if a Milter application was unavailable and the milter_default_action
+parameter or per-Milter "default_action" property specifies
+"quarantine".
+
+[Feature 20250106] The Postfix Milter implementation now logs the
+reason for a 'quarantine' action, instead of "milter triggers HOLD
+action".
+
+- If the quarantine action was requested by a Milter application,
+  Postfix will log the reason given by the application.
+
+- If the quarantine action was requested with the "milter_default_action"
+  parameter setting or with a per-Milter "default_action" property,
+  Postfix will log "default_action".
+
+Major changes - logging
+-----------------------
+
+[Feature 20250106] The Postfix Milter implementation now logs the
+reason for a 'quarantine' action, instead of "milter triggers HOLD
+action".
+
+- If the quarantine action was requested by a Milter application,
+  Postfix will log the reason given by the application.
+
+- If the quarantine action was requested with the "milter_default_action"
+  parameter setting or with a per-Milter "default_action" property,
+  Postfix will log "default_action".
+
+[Incompat 20250105] The SMTP server now logs the queue ID (or
+"NOQUEUE") when a connection ends abnormally (timeout, lost connection,
+or too many errors).
+
+[Feature 20250105] The SMTP server now logs the queue ID (or
+"NOQUEUE") when a connection ends abnormally (timeout, lost connection,
+or too many errors).
+
+[Incompat 20241104] The cleanup server now logs "queueid: canceled"
+when a message transaction is started but not completed.
+
+[Feature 20241104] The cleanup server now logs "queueid: canceled"
+when a message transaction is started but not completed. This
+provides a clear signal to logfile collation tools.
+
+[Incompat 20241031] the Dovecot SASL client logging for "Invalid
+authentication mechanism" now includes the name of that mechanism.
+
+[Incompat 20241023] Postfix SMTP server 'reject' logging now shows
+the sasl_method, sasl_username, and sasl_sender if available.

postfix/conf/main.cf

@@ -31,7 +31,7 @@
 #
 # The level below is what should be used with new (not upgrade) installs.
 #
-compatibility_level = 3.10
+compatibility_level = 3.11
 
 # SOFT BOUNCE
 #

postfix/conf/postfix-tls-script

@@ -177,7 +177,7 @@
 #	The location of the OpenSSL command line program \fBopenssl\fR(1).
 # .IP "\fBsmtp_tls_loglevel (0)\fR"
 #	Enable additional Postfix SMTP client logging of TLS activity.
-# .IP "\fBsmtp_tls_security_level (empty)\fR"
+# .IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
 #	The default SMTP TLS security level for the Postfix SMTP client.
 # .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
 #	Name of the file containing the optional Postfix SMTP client

postfix/conf/relocated

@@ -38,9 +38,10 @@
 #        lookup fields can match both upper and lower case.
 # 
 # TABLE FORMAT
-#        The input format for the postmap(1) command is as follows:
-# 
-#        o      An entry has one of the following form:
+#        o      By default, Postfix will prepend a hard-coded  pre-
+#               fix  "5.1.6  User  has moved to " to a table lookup
+#               result, and the format for a table entry is as fol-
+#               lows:
 # 
 #                    pattern      new_location
 # 
@@ -48,6 +49,15 @@
 #               such as an  email  address,  or  perhaps  a  street
 #               address or telephone number.
 # 
+#        o      Postfix  3.11  and later can optionally disable the
+#               hard-coded prefix. Specify "relocated_prefix_enable
+#               =   no"  in  main.cf,  and  specify  relocated_maps
+#               entries with your own RFC  3463-compliant  enhanced
+#               status code and text, for example:
+# 
+#                    pattern      5.2.0 Mailbox is unavailable
+#                    pattern      5.2.1 Mailbox is disabled
+# 
 #        o      Empty  lines and whitespace-only lines are ignored,
 #               as are lines whose first  non-whitespace  character
 #               is a `#'.
@@ -128,25 +138,31 @@
 #               Optional lookup tables with new contact information
 #               for users or domains that no longer exist.
 # 
+#        Available with Postfix version 3.11 and later:
+# 
+#        relocated_prefix_enable (yes)
+#               Prepend  the  prefix  "5.1.6 User has moved to " to
+#               all relocated_maps lookup results.
+# 
 #        Other parameters of interest:
 # 
 #        inet_interfaces (all)
-#               The  local  network  interface  addresses that this
+#               The local network  interface  addresses  that  this
 #               mail system receives mail on.
 # 
 #        mydestination  ($myhostname,  localhost.$mydomain,  local-
 #        host)
-#               The list of domains  that  are  delivered  via  the
+#               The  list  of  domains  that  are delivered via the
 #               $local_transport mail delivery transport.
 # 
 #        myorigin ($myhostname)
 #               The domain name that locally-posted mail appears to
-#               come from, and that locally posted mail  is  deliv-
+#               come  from,  and that locally posted mail is deliv-
 #               ered to.
 # 
 #        proxy_interfaces (empty)
-#               The  remote  network  interface addresses that this
-#               mail system receives mail on by way of a  proxy  or
+#               The remote network interface  addresses  that  this
+#               mail  system  receives mail on by way of a proxy or
 #               network address translation unit.
 # 
 # SEE ALSO
@@ -155,13 +171,13 @@
 #        postconf(5), configuration parameters
 # 
 # README FILES
-#        Use  "postconf  readme_directory" or "postconf html_direc-
+#        Use "postconf readme_directory" or  "postconf  html_direc-
 #        tory" to locate this information.
 #        DATABASE_README, Postfix lookup table overview
 #        ADDRESS_REWRITING_README, address rewriting guide
 # 
 # LICENSE
-#        The Secure Mailer license must be  distributed  with  this
+#        The  Secure  Mailer  license must be distributed with this
 #        software.
 # 
 # AUTHOR(S)

postfix/html/COMPATIBILITY_README.html

@@ -102,6 +102,20 @@ default setting respectful_logging=no</a> </p>
 
 </ul>
 
+<p> Logged with <a href="postconf.5.html#compatibility_level">compatibility_level</a> &lt; 3.11: </p>
+
+<ul>
+
+<li> <p> <a href="#tlsrpt_reused"> using backwards-compatible default
+setting smtp_tlsrpt_skip_reused_handshakes=yes</a> </p>
+
+<li> <p> <a href="#xxx_tls_level"> using backwards-compatible default
+setting <i>xxx</i>_security_level=(empty)</a> </p>
+
+</ul>
+
+<p>
+
 <p> If such a message is logged in the context of a legitimate
 request, the system administrator should make the backwards-compatible
 setting permanent in <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a>, as detailed in the
@@ -120,7 +134,8 @@ to "no". This could result in unexpected non-delivery of email after
 Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
 
-<p> As long as the <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> parameter is left at
+<p> As long as the <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> parameter is left unspecified
+at
 its implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is
 less than 1, Postfix may log one of the following messages:</p>
 
@@ -178,7 +193,7 @@ after updating Postfix from an older version. The backwards-compatibility
 safety net is designed allow the administrator to choose if they
 want to keep the old behavior. </p>
 
-<p> As long as a <a href="master.5.html">master.cf</a> chroot field is left at its
+<p> As long as a <a href="master.5.html">master.cf</a> chroot field is left unspecified at its
 implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting
 is less than 1, Postfix may log the following message while it
 reads the <a href="master.5.html">master.cf</a> file: </p>
@@ -218,7 +233,8 @@ from an older Postfix version. The backwards-compatibility safety
 net is designed to prevent such surprises. </p>
 
 <p> When the <a href="postconf.5.html#compatibility_level">compatibility_level</a> less than 1, and the
-<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> parameter is left at its implicit default
+<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> parameter is left unspecified at its
+implicit default
 setting, Postfix may log the following message: </p>
 
 <blockquote>
@@ -250,7 +266,8 @@ addresses from clients that don't request SMTPUTF8 support, after
 Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
 
-<p> As long as the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> parameter is left at its implicit
+<p> As long as the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> parameter is left unspecified
+at its implicit
 default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is
 less than 1, Postfix logs a warning each time an SMTP command uses a
 non-ASCII address localpart without requesting SMTPUTF8 support: </p>
@@ -293,7 +310,8 @@ Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
 
 <p> As long as the <a href="postconf.5.html#mynetworks">mynetworks</a> and <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> parameters are
-left at their implicit default values, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a>
+left unspecified at their implicit default values, and the
+<a href="postconf.5.html#compatibility_level">compatibility_level</a>
 setting is less than 2, the Postfix SMTP server may log one of the
 following messages: </p>
 
@@ -333,7 +351,8 @@ denied' errors or ETRN errors after Postfix is updated from an older
 version. The backwards-compatibility safety net is designed to
 prevent such surprises. </p>
 
-<p> As long as the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter is left at its implicit
+<p> As long as the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter is left unspecified at
+its implicit
 default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is less than 2,
 Postfix may log one of the following messages.  </p>
 
@@ -408,7 +427,8 @@ secure digest of the client certificate.  </p>
 with the "sha256" digests of the expected client certificate or public
 key.  </p>
 
-<p> As long as the <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter is left at its
+<p> As long as the <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter is left
+unspecified at its
 implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is less than
 3.6, Postfix logs a warning each time a client certificate or public key
 fingerprint is (potentially) used for access control: </p>
@@ -455,7 +475,8 @@ policies in the TLS policy table to specify matching "sha256" digests of
 the expected server certificates or public keys.  </p>
 
 <p> As long as the <a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (or LMTP equivalent)
-parameter is left at its implicit default value, and the
+parameter is left unspecified at its implicit default value, and
+the
 <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is less than 3.6, Postfix logs a warning each
 time the "fingerprint" security level is used to specify matching "md5"
 digests of trusted server certificates or public keys: </p>
@@ -499,7 +520,8 @@ command, and both support the same features. </p> </blockquote>
 keep evaluating <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> before
 <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>, as long as the <a href="postconf.5.html#compatibility_level">compatibility_level</a> is
 less than 3.6, and the <a href="postconf.5.html#smtpd_relay_before_recipient_restrictions">smtpd_relay_before_recipient_restrictions</a>
-parameter is left at its implicit default setting. As a reminder,
+parameter is left unspecified at its implicit default setting. As
+a reminder,
 Postfix may log the following message: </p>
 
 <blockquote>
@@ -533,7 +555,8 @@ the changes in logging could affect logfile analysis tools. </p>
 
 <p> To avoid breaking existing logfile analysis tools, Postfix will keep
 logging the deprecated form, as long as the <a href="postconf.5.html#respectful_logging">respectful_logging</a> parameter
-is left at its implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a>
+is left unspecified at its implicit default value, and the
+<a href="postconf.5.html#compatibility_level">compatibility_level</a>
 setting is less than 3.6. As a reminder, Postfix may log the following
 when a remote SMTP client is allowlisted or denylisted: </p>
 
@@ -555,6 +578,83 @@ system administrator should make the backwards-compatible setting
 </pre>
 </blockquote>
 
+<h2> <a name="tlsrpt_reused"> Using backwards-compatible
+default setting smtp_tlsrpt_skip_reused_handshakes=yes</a> </h2>
+
+<p> Postfix version 3.11 changes the default value for
+<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> from "yes" to "no". The
+backwards-compatibility safety net is designed to prevent an
+unexpected change in reporting behavior when Postfix is updated
+from an older version. </p>
+
+<p> As long as the <a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> parameter is
+left unspecified at its implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a>
+setting is less than 3.11, Postfix will log a reminder that it is
+using the backwards-compatible default: </p>
+
+<blockquote>
+<pre>
+postfix/smtp[388157] using backwards-compatible default setting
+    <a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>=yes
+</pre>
+</blockquote>
+
+<p> To keep the old default setting, the system administrator should
+make the backwards-compatible setting "<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>
+= yes" permanent in <a href="postconf.5.html">main.cf</a>:
+
+<blockquote>
+<pre>
+# <b>postconf <a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>=yes</b>
+# <b>postfix reload</b>
+</pre>
+</blockquote>
+
+<h2> <a name="xxx_tls_level"> Using backwards-compatible
+default setting <i>xxx</i>_security_level=(empty)</a> </h2>
+
+<p> Postfix version 3.11 changes the default value for client TLS
+security levels from "empty" to "may". The backwards-compatibility
+safety net is designed to prevent an unexpected change in mail
+sending behavior when Postfix is updated from an older version.
+</p>
+
+<p> There is no equivalent change for Postfix server TLS security
+levels, because changing the level alone is not sufficient. Server-side
+TLS requires that at least one private key and one public-key
+certificate chain are configured. </p>
+
+<p> As long as a TLS security level parameter is left unspecified
+at its implicit default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting
+is less than 3.11, Postfix will log one of the following reminders
+that it is using the backwards-compatible default: </p>
+
+<blockquote>
+<pre>
+postfix/smtp[...] using backwards-compatible default setting
+    <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>=(empty)
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+postfix/tlsproxy[...] using backwards-compatible default setting
+    <a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a>=(empty)
+</pre>
+</blockquote>
+
+<p> To keep the old default setting, the system administrator should
+make the backwards-compatible empty setting permanent in <a href="postconf.5.html">main.cf</a>: </p>
+
+<blockquote>
+<pre>
+# <b>postconf <i>xxx</i>_security_level=</b>
+# <b>postfix reload</b>
+</pre>
+</blockquote>
+
+<p> where <i>xxx</i> is taken from the above compatibility message. </p>
+
 <h2> <a name="turnoff">Turning off the backwards-compatibility safety net</a> </h2>
 
 <p> Backwards compatibility is turned off by updating the

postfix/html/DATABASE_README.html

@@ -293,6 +293,19 @@ databases are maintained by Postfix daemons. The lookup table name
 as used in "<a href="DATABASE_README.html#types">dbm</a>:table" is the database file name without the ".dir"
 or ".pag" suffix.  </dd>
 
+<dt> <b>debug</b> </dt>
+
+<dd>
+<p> An adapter for another table that causes all accesses to be
+logged.  Example usage: "debug:<a href="DATABASE_README.html#types">hash</a>:/etc/postfix/example".  The
+formats of the log messages are unspecified and subject to change.
+Warning: If a query or the underlying table contains sensitive
+information (such as a password), that information might be
+logged. </p>
+
+<p> This feature is available with Postfix 3.11 and later. </p>
+</dd>
+
 <dt> <b>environ</b> </dt>
 
 <dd> The UNIX process environment array. The lookup key is the

postfix/html/DEPRECATION_README.html

@@ -104,11 +104,16 @@ detailed description. </p>
 </th> <th> Removed <br> in version </th> <th> Replacement </th>
 </tr>
 
+<tr> <td> <a href="#xxx_tls_enforce_peername">
+<i>xxx</i>_tls_enforce_peername </a> </td> <td align="center"> 3.11
+</td> <td align="center"> - </td> <td> <i>xxx</i>_tls_security_level
+</td> </tr>
+
 <tr> <td> <a href="#disable_dns_lookups"> disable_dns_lookups </a>
 </td> <td align="center"> 3.9 </td> <td align="center"> - </td>
 <td> <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> </td> </tr>
 
-<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_use_tls </a> </td>
+<tr> <td> <a href="#xxx_use_tls"> <i>xxx</i>_use_tls </a> </td>
 <td align="center"> 3.9 </td> <td align="center"> - </td> <td>
 <i>xxx</i>_tls_security_level </td> </tr>
 
@@ -149,6 +154,45 @@ smtpd_tls_dh1024_param_file </a> </td> <td align="center"> 3.9 </td>
 
 </blockquote>
 
+<h3> <a name="xxx_tls_enforce_peername"> Obsolete TLS peer name
+match configuration </a> </h3>
+
+<p> The <a href="postconf.1.html">postconf(1)</a> command logs one of the following: </p>
+
+<ul>
+
+<li> support for parameter "<a href="postconf.5.html#lmtp_tls_enforce_peername">lmtp_tls_enforce_peername</a>" will be
+removed; instead, specify "<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a>"
+
+<li> support for parameter "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>" will be
+removed; instead, specify "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>"
+
+</ul>
+
+<p> There are similarly-named parameters and warnings for <a href="postscreen.8.html">postscreen(8)</a>
+and <a href="tlsproxy.8.html">tlsproxy(8)</a>, but those parameters should rarely be specified
+by hand. </p>
+
+<p> Replace obsolete configuration with its replacement: </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr>
+
+<tr> <td> Enforce peer name match with server certificate </td>
+<td> <i>xxx</i>_enforce_peername = yes </td> <td> <i>xxx</i>_security_level
+= verify <br> <i>xxx</i>_security_level = secure </td> </tr>
+
+<tr> <td> Disable peer name match with server certificate </td>
+<td> <i>xxx</i>_enforce_peername = no </td> <td> <i>xxx</i>_security_level
+= may <br> <i>xxx</i>_security_level = encrypt </td> </tr>
+
+</table>
+
+</blockquote>
+
 <h3> <a name="disable_dns_lookups"> Obsolete DNS on/off configuration
 </a> </h3>
 

postfix/html/MULTI_INSTANCE_README.html

@@ -40,7 +40,7 @@ management framework, and on how to deploy a custom instance manager.
 
 <li><a href="#parts"> Components of a Postfix system </a> 
 
-<li><a href="#default"> The default Postfix instance </a> 
+<li><a href="#default"> The primary Postfix instance </a> 
 
 <li><a href="#group"> Instance groups </a>
 
@@ -102,7 +102,7 @@ use than ever before. </p>
 <h2><a name="split"> Null-client instances versus service instances </a></h2>
 
 <p> In the multi-instance approach to configuring Postfix, the first
-simplification is with the default local-submission Postfix instance.
+simplification is with the primary local-submission Postfix instance.
 </p>
 
 <p> Most UNIX systems require support for email submission with the
@@ -152,7 +152,7 @@ limited to mail from cron jobs and other system services. In this
 regard the border MTA is not different from other Unix hosts in
 your environment. For this reason, it will submit locally-generated
 email to the internal mail hub. We start the construction of the
-border mail server with the <a href="#default_instance">default</a>
+border mail server with the <a href="#default">primary</a>
 instance, which will be a local-submission <a
 href="STANDARD_CONFIGURATION_README.html#null_client">null client</a>:
 </p>
@@ -283,7 +283,7 @@ must start before the input instance. We will put the output and
 input instances into a single instance group named "mta".  </p>
 
 <p> Just once, when adding the first secondary instance, enable
-multi-instance support in the default (null-client) instance: </p>
+multi-instance support in the primary (null-client) instance: </p>
 
 <blockquote>
 <pre>
@@ -301,7 +301,7 @@ multi-instance support in the default (null-client) instance: </p>
 
 <p> The instance configuration directory defaults to /etc/postfix-out,
 more precisely, the "postfix-out" subdirectory of the parent directory
-of the default-instance configuration directory. The new instance will
+of the primary-instance configuration directory. The new instance will
 be created in a "disabled" state: </p>
 
 <blockquote>
@@ -323,7 +323,7 @@ be created in a "disabled" state: </p>
 <p> This instance has a "stock" <a href="master.5.html">master.cf</a> file, and its queue and
 data directories, also named "postfix-out", will be located in the
 same parent directories as the corresponding directories of the
-default instance (e.g., /var/spool/postfix-out and /var/lib/postfix-out).
+primary instance (e.g., /var/spool/postfix-out and /var/lib/postfix-out).
 </p>
 
 <p> While this instance is immediately safe to start, it is not yet
@@ -472,7 +472,7 @@ also part of the "mta" instance group: </p>
 
 <p> The new instance configuration directory defaults to /etc/postfix-in,
 more precisely, the "postfix-in" subdirectory of the parent directory
-of the default-instance configuration directory. The new instance will
+of the primary-instance configuration directory. The new instance will
 be created in a "disabled" state: </p>
 
 <blockquote>
@@ -658,7 +658,7 @@ all but one may be optionally set to a non-default value via the
 
 <p> Though <a href="postconf.5.html#config_directory">config_directory</a> cannot be set in <a href="postconf.5.html">main.cf</a>, <a href="postfix.1.html">postfix(1)</a> and
 most of the other command-line Postfix utilities allow you to specify a
-non-default configuration directory via a command line option (typically
+secondary configuration directory via a command line option (typically
 <b>-c</b>) or via the MAIL_CONFIG environment variable. In this way,
 it is possible to have multiple configuration directories on the same
 machine, and to have multiple running <a href="master.8.html">master(8)</a> daemons each with its
@@ -672,28 +672,28 @@ directories, queue directories or data directories. </p>
 directory and data directory (specified in the corresponding <a href="postconf.5.html">main.cf</a> file)
 make up a Postfix <b>instance</b>. </p>
 
-<h2><a name="default"> The default Postfix instance </a></h2>
+<h2><a name="default"> The primary Postfix instance </a></h2>
 
 <p> One Postfix instance is special: this is the instance whose
 configuration directory is the default one compiled into the Postfix
 utilities. The location of the default configuration directory is
 typically /etc/postfix, and can be queried via the "postconf -d
 <a href="postconf.5.html#config_directory">config_directory</a>" command.  We call the instance with this configuration
-directory the "default instance". </p>
+directory the "primary instance". </p>
 
-<p> The default instance is responsible for local mail submission. The
+<p> The primary instance is responsible for local mail submission. The
 setgid <a href="postdrop.1.html">postdrop(1)</a> utility is used by the <a href="sendmail.1.html">sendmail(1)</a> local submission
 program to spool messages into the <b>maildrop</b> sub-directory of the
-queue directory of the default instance. </p>
+queue directory of the primary instance. </p>
 
 <p> Even in the rare case when "sendmail -C" is used to submit local mail
-into a non-default Postfix instance, for security reasons, <a href="postdrop.1.html">postdrop(1)</a>
-will consult the default <a href="postconf.5.html">main.cf</a> file to check the validity of the
+into a secondary Postfix instance, for security reasons, <a href="postdrop.1.html">postdrop(1)</a>
+will consult the primary <a href="postconf.5.html">main.cf</a> file to check the validity of the
 requested non-default configuration directory. </p>
 
 <p> So, while in most other respects, all instances are equal, the
-default instance is "more equal than others". You may choose to create
-additional instances, but you must have at least the default instance,
+primary instance is "more equal than others". You may choose to create
+secondary instances, but you must have at least the primary instance,
 with its configuration directory in the default compiled-in location. </p>
 
 <h2><a name="group"> Instance groups </a></h2>
@@ -715,9 +715,9 @@ of a single instance group (however, the content filter usually has
 its own start/stop procedure that is separate from any Postfix
 instance).  </p>
 
-<p> The default instance <a href="postconf.5.html">main.cf</a> file's $<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
+<p> The primary instance <a href="postconf.5.html">main.cf</a> file's $<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
 configuration parameter lists the configuration directories of all
-secondary (non-default) instances. Together with the default instance,
+secondary (non-default) instances. Together with the primary instance,
 these secondary instances are managed by the multi-instance manager.
 Instances are started in the order listed, and stopped in the
 opposite order. For instances that are members of a service "group",
@@ -731,7 +731,7 @@ stages are started. </p>
 
 <dt> <a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> </dt> 
 
-<dd> <p> This default-instance configuration parameter must be set
+<dd> <p> This primary-instance configuration parameter must be set
 to a suitable multi-instance manager's "wrapper" program that
 controls the starting, stopping, etc. of a multi-instance Postfix
 system. To use the <a href="postmulti.1.html">postmulti(1)</a> manager described in this document,
@@ -740,10 +740,10 @@ this parameter should be set with the "<a href="#init">postmulti
 
 <dt> <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> </dt>
 
-<dd> <p> This default-instance configuration parameter specifies
+<dd> <p> This primary-instance configuration parameter specifies
 an optional list of the secondary instances controlled via the
 multi-instance manager. Instances are listed in their "start" order,
-with the default instance always started first (if enabled). If
+with the primary instance always started first (if enabled). If
 $<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> is left empty, the <a href="postfix.1.html">postfix(1)</a> command
 runs with multi-instance support turned off, and none of the
 multi_instance_ configuration parameters will have any effect. </p>
@@ -842,7 +842,7 @@ automatically. See below. </p>
 
 <p> Before <a href="postmulti.1.html">postmulti(1)</a> is used for the first time, you must install
 it as the <a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> for your Postfix system and enable
-multi-instance operation of the default Postfix instance. You can then
+multi-instance operation of the primary Postfix instance. You can then
 proceed to add <a href="#create">new</a> or <a href="#import">existing</a>
 instances to the multi-instance configuration. This initial installation
 is accomplished as follows: </p>
@@ -853,7 +853,7 @@ is accomplished as follows: </p>
 </pre>
 </blockquote>
 
-<p> This updates the default instance <a href="postconf.5.html">main.cf</a> file as follows: </p>
+<p> This updates the primary instance <a href="postconf.5.html">main.cf</a> file as follows: </p>
 
 <blockquote>
 <pre>
@@ -861,28 +861,28 @@ is accomplished as follows: </p>
     #
     <a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> = ${<a href="postconf.5.html#command_directory">command_directory</a>}/postmulti -p --
 
-    # Configure the default instance to start when in multi-instance mode
+    # Configure the primary instance to start when in multi-instance mode
     #
     <a href="postconf.5.html#multi_instance_enable">multi_instance_enable</a> = yes
 </pre>
 </blockquote>
 
-<p> If you prefer, you can make these changes by editing the default
+<p> If you prefer, you can make these changes by editing the primary
 <a href="postconf.5.html">main.cf</a> directly, or by using "postconf -e". </p>
 
 <h3><a name="list"> Listing managed instances </a></h3>
 
-<p> The list of managed instances consists of the default instance and
-the additional instances whose configuration directories are listed
+<p> The list of managed instances consists of the primary instance and
+the secondary instances whose configuration directories are listed
 (in start order) under the <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> parameter of the
-default <a href="postconf.5.html">main.cf</a> configuration file.  </p>
+primary <a href="postconf.5.html">main.cf</a> configuration file.  </p>
 
 <p> You can list selected instances, groups of instances or all
 instances by specifying only the instance matching options with the
 "-l" option.  The "-a" option is assumed if no other instance
 selection options are specified (this behavior changes with the
 "-e" option).  As a special case, even if it has an explicit name,
-the default instance can always be selected via "-i -". </p>
+the primary instance can always be selected via "-i -". </p>
 
 <blockquote>
 <pre>
@@ -926,7 +926,7 @@ set, it is shown as a "-". </p>
 <p> When selecting an existing instance via the "-i" option, you
 can always use the full pathname of its configuration directory
 instead of the instance (short) name. This is the only way to select
-a non-default nameless instance. The default instance can be selected
+a secondary nameless instance. The primary instance can be selected
 via "-i -", whether it has a name or not. </p>
 
 <p> To list instances in reverse start order, include the "-R"
@@ -1052,7 +1052,7 @@ $ postmulti -x sh -c 'echo "-- $MAIL_CONFIG"; postconf -n'
 
 <h3><a name="create"> Creating a new Postfix instance </a></h3>
 
-<p> The <a href="postmulti.1.html">postmulti(1)</a> command can be used to create additional Postfix
+<p> The <a href="postmulti.1.html">postmulti(1)</a> command can be used to create secondary Postfix
 instances. New instances are created with local submission and all "inet"
 services disabled via the following non-default parameter settings in
 the <a href="postconf.5.html">main.cf</a> file: </p>
@@ -1072,7 +1072,7 @@ the above safety measures. </p>
 
 <p> The <a href="postmulti.1.html">postmulti(1)</a> command encourages a preferred way of organizing
 the configuration directories, queue directories and data directories
-of non-default instances. If the default instance settings are: </p>
+of secondary instances. If the primary instance settings are: </p>
 
 <blockquote>
 <pre>
@@ -1140,7 +1140,7 @@ the configuration directories of newly managed instances are appended
 to the instance list. You can use the "-i" or "-g" or "-a" options to
 insert the new instance before the specified instance or group, or at
 the beginning of the instance list (<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> parameter
-of the default instance). </p>
+of the primary instance). </p>
 
 <p> If you do specify a name (use "-I" with a name that is not "-")
 for the new instance, you may omit any of the 3 instance installation

postfix/html/SASL_README.html

@@ -178,7 +178,7 @@ later. </p>
 <p> Dovecot is a POP/IMAP server that has its own configuration to
 authenticate POP/IMAP clients. When the Postfix SMTP server uses
 Dovecot SASL, it reuses parts of this configuration.  Consult the
-<a href="https://wiki.dovecot.org">Dovecot documentation</a> for how
+<a href="https://doc.dovecot.org">Dovecot documentation</a> for how
 to configure and operate the Dovecot authentication server.  </p>
 
 <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>

postfix/html/SMTPUTF8_README.html

@@ -375,7 +375,7 @@ Firefox and Chrome web browsers. Specify "<a href="postconf.5.html#enable_idna20
 = yes" to get the historical behavior. </p>
 
 <p> This affects the conversion of domain names that contain for
-example the German sz (ß) and the Greek zeta (ς). See
+example the German sz (ß) and the Greek (final) sigma (ς). See
 <a href="https://unicode.org/cldr/utility/idna.jsp">https://unicode.org/cldr/utility/idna.jsp</a> for more examples. </p>
 
 <h2> <a name="credits">Credits</a> </h2>

postfix/html/TLSRPT_README.html

@@ -25,6 +25,7 @@
 <li> <a href="#intro"> Introduction </a> </li>
 <li> <a href="#building"> Building Postfix with TLSRPT support </a>
 <li> <a href="#using"> Turning on TLSRPT </a> </li>
+<li> <a href="#reusing"> Connection reuse versus session resumption </a> </li>
 <li> <a href="#logging"> TLSRPT Status logging </a> </li>
 <li> <a href="#delivering"> Delivering TLSRPT summaries via email</a> </li>
 <li> <a href="#mta-sts"> MTA-STS Support via smtp_tls_policy_maps </a> </li>
@@ -52,8 +53,8 @@ _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:smtp-tls-report@example.c
 <p> Instead of <tt>mailto:</tt>, a policy may specify an <tt>https:</tt>
 destination. </p>
 
-<p> The diagram below shows how Postfix TLS handshake success and
-failure events are collected and processed into daily summary
+<p> The diagram below shows how successful or failed Postfix TLS
+handshake events are collected and processed into daily summary
 reports. </p>
 
 <blockquote>
@@ -99,7 +100,7 @@ fetch, and report TLSRPT information, are implemented and maintained
 by sys4 at <a href="https://github.com/sys4/libtlsrpt">https://github.com/sys4/libtlsrpt</a> and
 <a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>, respectively. </p>
 
-<p> The Postfix implementation supports TLSRPT or domains with DANE
+<p> The Postfix implementation supports TLSRPT for domains with DANE
 (Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
 smtp_tls_policy_maps plug-in</a>). </p>
 
@@ -203,6 +204,49 @@ programs should create sockets there. </p>
 infrastructure, see the documentation at
 <a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>.
 
+<h2> <a name="reusing"> Connection reuse versus session resumption
+</a> </h2>
+
+<p> The Postfix SMTP client implements two kinds of reuse: </p>
+
+<ul>
+
+<li> <p> <b> SMTP Connection reuse: </b> a Postfix SMTP client
+creates a new SMTP connection, sends one email message, and saves
+the connection instead of closing it. Later, some SMTP client reuses
+that connection, sends an email message, and saves or closes the
+connection depending on whether it has reached some reuse limit.
+Each connection can be used by only one Postfix SMTP client at a
+time. </p>
+
+<li> <p> <b> TLS Session resumption: </b> a Postfix SMTP client
+saves the result from a "new" TLS handshake. Later, one or more
+SMTP clients create a new SMTP connection and resume the saved TLS
+session on their new connection. <p>
+
+</ul>
+
+<p> Of course there is a third case: </p>
+
+<ul>
+
+<li> <p> <b> Combined reuse and resumption: </b> a Postfix SMTP
+client creates a new SMTP connection, sends one email message, saves
+the result from a "new" TLS handshake, and also saves the connection
+instead of closing it. Later, one SMTP client reuses (and saves)
+that connection, one client at a time, and one or more clients
+create a new SMTP connection and resume the saved TLS session on
+their new connection. <p>
+
+</ul>
+
+<p> In all cases, there is no TLS handshake when a saved SMTP connection
+is reused, and there is no "new" TLS handshake when a saved TLS session
+is resumed. </p>
+
+<p> As described next, Postfix will by default log and generate only a
+TLSRPT event for a "new" TLS handshake.  </p>
+
 <h2> <a name="logging"> TLSRPT Status logging </a> </h2>
 
 <p> With TLSRPT support turned on, the Postfix TLSRPT client will
@@ -242,12 +286,12 @@ Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
     TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 </pre>
 
-<li> <p> By default, Postfix does not report the TLSRPT status for
-a TLS handshake that reuses a previously-negotiated TLS session
-(there would be no new information to report). Specify
-"<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = no" to report the TLSRPT
-status for all TLS handshakes. This may be useful for troubleshooting.
-</p>
+<li> <p> With TLSRPT enabled, the Postfix SMTP client reports the
+TLSRPT status for all TLS handshakes (the default as of Postfix
+3.11).  Specify "<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = yes" (the
+default with Postfix 3.10) to skip reporting TLS handshakes that
+reuse a previously-negotiated TLS session as there would be no new
+information to report. </p>
 
 <li> <p> Postfix logging for certificate verification failures may
 differ between new or reused TLS sessions. </p>
@@ -329,7 +373,7 @@ generator's sender address): </p>
 <h2> <a name="mta-sts"> MTA-STS Support via smtp_tls_policy_maps
 </a></h2>
 
-<p> Postfix supports MTA-STS though an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
+<p> Postfix supports MTA-STS through an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
 plugin, which replies with a TLS security level and name=value
 attributes with certificate matching requirements. Postfix 3.10 and
 later extend the policy plugin response with additional name=value

postfix/html/XCLIENT_README.html

@@ -145,8 +145,8 @@ xtext encode attribute values. Servers that wish to interoperate
 with these older implementations should be prepared to receive
 unencoded information. </p>
 
-<p> Note 4: Some Postfix implementations do not implement the PORT
-or LOGIN attributes.  </p>
+<p> Note 4: The PORT attribute is implemented in Postfix 2.5 and
+later; the LOGIN attribute in Postfix 2.9 and later. </p>
 
 <h2>XCLIENT Server response</h2>
 

postfix/html/discard.8.html

@@ -60,7 +60,7 @@ DISCARD(8)                                                          DISCARD(8)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The maximal number of digits after the decimal point  when  log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
               The  sender  address of postmaster notifications that are gener-

postfix/html/error.8.html

@@ -70,7 +70,7 @@ ERROR(8)                                                              ERROR(8)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
               The sender address of postmaster notifications that  are  gener-

postfix/html/lmdb_table.5.html

@@ -56,24 +56,25 @@ LMDB_TABLE(5)                                                    LMDB_TABLE(5)
 
 <b><a name="synchronization">SYNCHRONIZATION</a></b>
        The Postfix LMDB adapter does not use LMDB's built-in  locking  scheme,
-       because  that  would require world-writable lockfiles and would violate
-       the Postfix security model.  Instead, Postfix uses fcntl(2) locks  with
-       whole-file granularity.  Programs that use LMDB's built-in locking pro-
-       tocol will corrupt a Postfix LMDB database or will read garbage.
+       because  that would require world-writable lockfiles and therefore vio-
+       late the Postfix security model.  Instead, Postfix uses fcntl(2)  locks
+       with whole-file granularity.  Programs that use LMDB's built-in locking
+       protocol will corrupt a Postfix LMDB database or will read garbage.
 
        Every Postfix LMDB database read or write transaction must be protected
-       from  start  to end with a shared or exclusive fcntl(2) lock.  A writer
-       may atomically downgrade an exclusive lock to a  shared  lock,  but  it
-       must hold an exclusive lock while opening another write transaction.
+       from  start  to end with a shared or exclusive fcntl(2) lock. A process
+       may atomically downgrade an exclusive lock  to  a  shared  lock  before
+       opening a database read transaction, but it must hold an exclusive lock
+       while opening a write transaction.
 
-       Note  that  fcntl(2)  locks do not protect transactions within the same
-       process against each other.  If a program cannot avoid making  simulta-
-       neous  database  requests,  then  it must protect its transactions with
+       Note that fcntl(2) locks do not protect transactions  within  the  same
+       process  against each other.  If a program cannot avoid making simulta-
+       neous database requests, then it must  protect  its  transactions  with
        in-process locks, in addition to the per-process fcntl(2) locks.
 
 <b><a name="configuration_parameters">CONFIGURATION PARAMETERS</a></b>
-       Short-lived programs automatically pick up changes  to  <a href="postconf.5.html">main.cf</a>.   With
-       long-running  daemon programs, Use the command "<b>postfix reload</b>" after a
+       Short-lived  programs  automatically  pick up changes to <a href="postconf.5.html">main.cf</a>.  With
+       long-running daemon programs, Use the command "<b>postfix reload</b>" after  a
        configuration change.
 
        <b><a href="postconf.5.html#lmdb_map_size">lmdb_map_size</a> (16777216)</b>

postfix/html/lmtp.8.html

@@ -511,7 +511,7 @@ SMTP(8)                                                                SMTP(8)
        Detailed  information  about STARTTLS configuration may be found in the
        <a href="TLS_README.html">TLS_README</a> document.
 
-       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
+       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (Postfix</b> &gt;<b>= 3.11: may; Postfix</b> &lt; <b>3.11: empty)</b>
               The default SMTP TLS security level for the Postfix SMTP client.
 
        <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
@@ -757,50 +757,50 @@ SMTP(8)                                                                SMTP(8)
               The pathname of a UNIX-domain datagram socket that is managed by
               a local TLSRPT reporting service.
 
-       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
-              Do not report the TLSRPT status for TLS protocol handshakes that
-              reuse  a  previously-negotiated  TLS  session  (there  is no new
-              information to report).
+       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (Postfix</b> &gt;<b>= 3.11: no, Postfix  3.10:</b>
+       <b>yes)</b>
+              When set to "yes", report the TLSRPT status only for  "new"  TLS
+              sessions.
 
        <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
               Enable  support  for  the  "TLS-Required:  no"  message  header,
               defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
 
 <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
-       The  following  configuration  parameters  exist for compatibility with
-       Postfix versions before 2.3. Support for these will  be  removed  in  a
+       The following configuration parameters  exist  for  compatibility  with
+       Postfix  versions  before  2.3.  Support for these will be removed in a
        future release.
 
        <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
-              Opportunistic  mode: use TLS when a remote SMTP server announces
+              Opportunistic mode: use TLS when a remote SMTP server  announces
               STARTTLS support, otherwise send the mail in the clear.
 
        <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
-              Enforcement mode: require  that  remote  SMTP  servers  use  TLS
+              Enforcement  mode:  require  that  remote  SMTP  servers use TLS
               encryption, and never send mail in the clear.
 
        <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              With  mandatory  TLS  encryption,  require  that the remote SMTP
-              server hostname matches  the  information  in  the  remote  SMTP
+              With mandatory TLS encryption,  require  that  the  remote  SMTP
+              server  hostname  matches  the  information  in  the remote SMTP
               server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
-              Optional  lookup  tables  with the Postfix SMTP client TLS usage
-              policy by next-hop destination and by remote SMTP  server  host-
+              Optional lookup tables with the Postfix SMTP  client  TLS  usage
+              policy  by  next-hop destination and by remote SMTP server host-
               name.
 
        <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
-              Obsolete  Postfix  &lt; 2.3 control for the Postfix SMTP client TLS
+              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP  client  TLS
               cipher list.
 
 <b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
        <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The Postfix SMTP client time limit for completing a TCP  connec-
+              The  Postfix SMTP client time limit for completing a TCP connec-
               tion, or zero (use the operating system built-in time limit).
 
        <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The  Postfix SMTP client time limit for sending the HELO or EHLO
-              command, and  for  receiving  the  initial  remote  SMTP  server
+              The Postfix SMTP client time limit for sending the HELO or  EHLO
+              command,  and  for  receiving  the  initial  remote  SMTP server
               response.
 
        <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@@ -812,19 +812,19 @@ SMTP(8)                                                                SMTP(8)
               mand, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The  Postfix  SMTP  client  time limit for sending the MAIL FROM
+              The Postfix SMTP client time limit for  sending  the  MAIL  FROM
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The Postfix SMTP client time limit for sending the SMTP RCPT  TO
+              The  Postfix SMTP client time limit for sending the SMTP RCPT TO
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The  Postfix  SMTP  client  time limit for sending the SMTP DATA
+              The Postfix SMTP client time limit for  sending  the  SMTP  DATA
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The Postfix SMTP client time limit for sending the SMTP  message
+              The  Postfix SMTP client time limit for sending the SMTP message
               content.
 
        <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@@ -838,13 +838,13 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
-              The  maximal number of MX (mail exchanger) IP addresses that can
-              result from Postfix SMTP client mail exchanger lookups, or  zero
+              The maximal number of MX (mail exchanger) IP addresses that  can
+              result  from Postfix SMTP client mail exchanger lookups, or zero
               (no limit).
 
        <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The  maximal number of SMTP sessions per delivery request before
-              the Postfix SMTP client gives up  or  delivers  to  a  fall-back
+              The maximal number of SMTP sessions per delivery request  before
+              the  Postfix  SMTP  client  gives  up or delivers to a fall-back
               <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@@ -854,17 +854,17 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2 and earlier:
 
        <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
-              Keep Postfix LMTP client connections open for  up  to  $<a href="postconf.5.html#max_idle">max_idle</a>
+              Keep  Postfix  LMTP  client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
               seconds.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently  enable  SMTP  connection  caching for the specified
+              Permanently enable SMTP connection  caching  for  the  specified
               destinations.
 
        <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily enable SMTP connection caching while  a  destination
+              Temporarily  enable  SMTP connection caching while a destination
               has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
 
        <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@@ -878,23 +878,23 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time  limit for connection cache connect, send or receive opera-
+              Time limit for connection cache connect, send or receive  opera-
               tions.
 
        Available in Postfix version 2.9 - 3.6:
 
        <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
-              Change the behavior of the smtp_*_timeout time  limits,  from  a
-              time  limit  per  read  or write system call, to a time limit to
-              send or receive a complete record (an SMTP  command  line,  SMTP
-              response  line,  SMTP message content line, or TLS protocol mes-
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              time limit per read or write system call, to  a  time  limit  to
+              send  or  receive  a complete record (an SMTP command line, SMTP
+              response line, SMTP message content line, or TLS  protocol  mes-
               sage).
 
        Available in Postfix version 2.11 and later:
 
        <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
-              When SMTP connection caching is enabled,  the  number  of  times
-              that  an SMTP session may be reused before it is closed, or zero
+              When  SMTP  connection  caching  is enabled, the number of times
+              that an SMTP session may be reused before it is closed, or  zero
               (no limit).
 
        Available in Postfix version 3.4 and later:
@@ -905,13 +905,13 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 3.7 and later:
 
        <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
-              Change the behavior of the smtp_*_timeout time  limits,  from  a
-              time  limit  per  plaintext or TLS read or write call, to a com-
-              bined time limit for sending a complete  SMTP  request  and  for
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              time limit per plaintext or TLS read or write call,  to  a  com-
+              bined  time  limit  for  sending a complete SMTP request and for
               receiving a complete SMTP response.
 
        <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
-              The  minimum  plaintext  data  transfer rate in bytes/second for
+              The minimum plaintext data transfer  rate  in  bytes/second  for
               DATA    requests,    when    deadlines    are    enabled    with
               <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
 
@@ -919,54 +919,54 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a>   ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
        <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
-              A  transport-specific  override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+              A transport-specific override for  the  <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
               <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
               name of the message delivery transport.
 
        <b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a>     ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
        <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
               A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
-              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where  <i>transport</i>  is  the  <a href="master.5.html">master.cf</a>
+              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>  parameter  value,  where  <i>transport</i> is the <a href="master.5.html">master.cf</a>
               name of the message delivery transport.
 
 <b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
        Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
-              Enable  preliminary SMTPUTF8 support for the protocols described
+              Enable preliminary SMTPUTF8 support for the protocols  described
               in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
 
        <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
-              Detect that a message requires SMTPUTF8 support for  the  speci-
+              Detect  that  a message requires SMTPUTF8 support for the speci-
               fied mail origin classes.
 
        Available in Postfix version 3.2 and later:
 
        <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
-              Enable   'transitional'   compatibility   between  IDNA2003  and
-              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
+              Enable  'transitional'  compatibility   between   IDNA2003   and
+              IDNA2008,  when  converting UTF-8 domain names to/from the ASCII
               form that is used for DNS lookups.
 
 <b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The  increment  in verbose logging level when a nexthop destina-
-              tion, remote client or server name or network address matches  a
+              The increment in verbose logging level when a  nexthop  destina-
+              tion,  remote client or server name or network address matches a
               pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional  list  of  nexthop destination, remote client or server
-              name or network address patterns that,  if  matched,  cause  the
-              verbose  logging  level  to  increase by the amount specified in
+              Optional list of nexthop destination, remote  client  or  server
+              name  or  network  address  patterns that, if matched, cause the
+              verbose logging level to increase by  the  amount  specified  in
               $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The recipient of postmaster notifications  about  mail  delivery
+              The  recipient  of  postmaster notifications about mail delivery
               problems that are caused by policy, resource, software or proto-
               col errors.
 
        <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What  categories  of  Postfix-generated  mail  are  subject   to
-              before-queue    content    inspection    by   <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+              What   categories  of  Postfix-generated  mail  are  subject  to
+              before-queue   content    inspection    by    <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
               <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@@ -974,46 +974,46 @@ SMTP(8)                                                                SMTP(8)
 
 <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
        <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where the Postfix  SMTP  client  should  deliver  mail  when  it
+              Where  the  Postfix  SMTP  client  should  deliver  mail when it
               detects a "mail loops back to myself" error condition.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
               figuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How much time a Postfix daemon process  may  take  to  handle  a
+              How  much  time  a  Postfix  daemon process may take to handle a
               request before it is terminated by a built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number of digits after the decimal point when log-
+              The maximal number of digits after the decimal point  when  log-
               ging delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
               Disable DNS lookups in the Postfix SMTP and LMTP clients.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The local network interface  addresses  that  this  mail  system
+              The  local  network  interface  addresses  that this mail system
               receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
-              The  Internet  protocols Postfix will attempt to use when making
+              The Internet protocols Postfix will attempt to use  when  making
               or accepting connections.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
-              The time limit for sending  or  receiving  information  over  an
+              The  time  limit  for  sending  or receiving information over an
               internal communication channel.
 
        <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
-              When  a remote LMTP server announces no DSN support, assume that
-              the server performs final delivery, and send "delivered"  deliv-
+              When a remote LMTP server announces no DSN support, assume  that
+              the  server performs final delivery, and send "delivered" deliv-
               ery status notifications instead of "relayed".
 
        <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
               The default TCP port that the Postfix LMTP client connects to.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount of time that an idle Postfix daemon process
+              The maximum amount of time that an idle Postfix  daemon  process
               waits for an incoming connection before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@@ -1027,21 +1027,21 @@ SMTP(8)                                                                SMTP(8)
               The process name of a Postfix command or daemon process.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The remote network interface addresses  that  this  mail  system
-              receives  mail  on by way of a proxy or network address transla-
+              The  remote  network  interface  addresses that this mail system
+              receives mail on by way of a proxy or network  address  transla-
               tion unit.
 
        <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
               The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
-              client  will  try  first,  when  a destination has IPv6 and IPv4
+              client will try first, when a  destination  has  IPv6  and  IPv4
               addresses with equal MX preference.
 
        <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An optional numerical network  address  that  the  Postfix  SMTP
+              An  optional  numerical  network  address  that the Postfix SMTP
               client should bind to when making an IPv4 connection.
 
        <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An  optional  numerical  network  address  that the Postfix SMTP
+              An optional numerical network  address  that  the  Postfix  SMTP
               client should bind to when making an IPv6 connection.
 
        <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@@ -1061,7 +1061,7 @@ SMTP(8)                                                                SMTP(8)
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              A  prefix  that  is  prepended  to  the  process  name in syslog
+              A prefix that  is  prepended  to  the  process  name  in  syslog
               records, so that, for example, "smtpd" becomes "prefix/smtpd".
 
        Available with Postfix 2.2 and earlier:
@@ -1073,14 +1073,14 @@ SMTP(8)                                                                SMTP(8)
        Available with Postfix 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional  list  of  relay destinations that will be used when an
-              SMTP destination is not found, or when delivery fails due  to  a
+              Optional list of relay destinations that will be  used  when  an
+              SMTP  destination  is not found, or when delivery fails due to a
               non-permanent error.
 
        Available with Postfix 3.0 and later:
 
        <b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
-              In  the context of email address verification, the SMTP protocol
+              In the context of email address verification, the SMTP  protocol
               stage that determines whether an email address is deliverable.
 
        Available with Postfix 3.1 and later:
@@ -1102,7 +1102,7 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix 3.7 and later:
 
        <b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
-              Defer  delivery  when  the  Postfix SMTP client cannot apply the
+              Defer delivery when the Postfix SMTP  client  cannot  apply  the
               <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
 
 <b><a name="see_also">SEE ALSO</a></b>

postfix/html/memcache_table.5.html

@@ -99,18 +99,30 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
               time. Smaller values are relative to the time of the update.
 
 <b><a name="memcache_key_parameters">MEMCACHE KEY PARAMETERS</a></b>
+       <b>key_digest (default: empty)</b>
+              After processing the <b>key_format</b> setting, and  before  sending  a
+              request  to  the  memcache server, run the key through the named
+              message digest algorithm and convert  the  result  to  lowercase
+              hexadecimal  characters.  This  prevents a database access error
+              when keys may exceed the  memcache  server's  key  length  limit
+              (usually, 250 bytes). Specify the name of a message digest algo-
+              rithm that is supported by OpenSSL, for example, <b>sha256</b>.
+
+              This feature  is  available  in  Postfix  3.11  and  later,  and
+              requires that Postfix is built with TLS support.
+
        <b>key_format (default: %s)</b>
-              Format of the lookup and update keys that the  Postfix  memcache
-              client  sends to the memcache server.  By default, these are the
-              same as the lookup and update  keys  that  the  memcache  client
+              Format  of  the lookup and update keys that the Postfix memcache
+              client sends to the memcache server.  By default, these are  the
+              same  as  the  lookup  and  update keys that the memcache client
               receives from Postfix applications.
 
-              NOTE  1:  The <b>key_format</b> feature is not used for <b>backup</b> database
+              NOTE 1: The <b>key_format</b> feature is not used for  <b>backup</b>  database
               requests.
 
-              NOTE 2: When multiple tables share the same  memcache  database,
-              each  table  should  prepend its own unique string to the lookup
-              key.  Otherwise,  automatic  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  or  <a href="verify.8.html"><b>verify</b>(8)</a>  cache
+              NOTE  2:  When multiple tables share the same memcache database,
+              each table should prepend its own unique string  to  the  lookup
+              key.   Otherwise,  automatic  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  or  <a href="verify.8.html"><b>verify</b>(8)</a> cache
               cleanup may not work.
 
               Examples:
@@ -126,37 +138,37 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
               <b>%s</b>     This is replaced by the memcache client input key.
 
               <b>%u</b>     When the input key is an address of the form user@domain,
-                     <b>%u</b> is replaced by  the  SQL  quoted  local  part  of  the
-                     address.   Otherwise, <b>%u</b> is replaced by the entire search
-                     string.  If the localpart is empty, a lookup is  silently
-                     suppressed  and  returns no results (an update is skipped
+                     <b>%u</b>  is  replaced  by  the  SQL  quoted  local part of the
+                     address.  Otherwise, <b>%u</b> is replaced by the entire  search
+                     string.   If the localpart is empty, a lookup is silently
+                     suppressed and returns no results (an update  is  skipped
                      with a warning).
 
               <b>%d</b>     When the input key is an address of the form user@domain,
                      <b>%d</b> is replaced by the domain part of the address.  Other-
-                     wise, a lookup is  silently  suppressed  and  returns  no
+                     wise,  a  lookup  is  silently  suppressed and returns no
                      results (an update is skipped with a warning).
 
               <b>%[SUD]</b> The upper-case equivalents of the above expansions behave
-                     in  the  <b>key_format</b>  parameter   identically   to   their
+                     in   the   <b>key_format</b>   parameter  identically  to  their
                      lower-case counter-parts.
 
-              <b>%[1-9]</b> The  patterns  %1,  %2, ... %9 are replaced by the corre-
-                     sponding most significant component of  the  input  key's
-                     domain.  If  the input key is <i>user@mail.example.com</i>, then
+              <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced  by  the  corre-
+                     sponding  most  significant  component of the input key's
+                     domain. If the input key is  <i>user@mail.example.com</i>,  then
                      %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key
-                     is  unqualified or does not have enough domain components
-                     to satisfy  all  the  specified  patterns,  a  lookup  is
-                     silently  suppressed and returns no results (an update is
+                     is unqualified or does not have enough domain  components
+                     to  satisfy  all  the  specified  patterns,  a  lookup is
+                     silently suppressed and returns no results (an update  is
                      skipped with a warning).
 
        <b>domain (default: no domain list)</b>
-              This feature can  significantly  reduce  database  server  load.
-              Specify  a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>"
-              databases.  When specified, only  fully  qualified  search  keys
-              with  a *non-empty* localpart and a matching domain are eligible
-              for lookup or update: bare 'user' lookups, bare  domain  lookups
-              and  "@domain" lookups are silently skipped (updates are skipped
+              This  feature  can  significantly  reduce  database server load.
+              Specify a list of domain names, paths to files, or  "<a href="DATABASE_README.html">type:table</a>"
+              databases.   When  specified,  only  fully qualified search keys
+              with a *non-empty* localpart and a matching domain are  eligible
+              for  lookup  or update: bare 'user' lookups, bare domain lookups
+              and "@domain" lookups are silently skipped (updates are  skipped
               with a warning).  Example:
 
                   domain = example.com, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains
@@ -169,30 +181,30 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
               The maximal memcache reply line length in bytes.
 
        <b>max_try (default: 2)</b>
-              The number of times to try a memcache command before giving  up.
-              The  memcache  client does not retry a command when the memcache
+              The  number of times to try a memcache command before giving up.
+              The memcache client does not retry a command when  the  memcache
               server accepts no connection.
 
        <b>retry_pause (default: 1)</b>
               The time in seconds before retrying a failed memcache command.
 
        <b>timeout (default: 2)</b>
-              The time limit for sending a memcache command and for  receiving
+              The  time limit for sending a memcache command and for receiving
               a memcache reply.
 
 <b><a name="bugs">BUGS</a></b>
-       The  Postfix  memcache  client  cannot  be  used for security-sensitive
+       The Postfix memcache  client  cannot  be  used  for  security-sensitive
        tables such as <b><a href="postconf.5.html#alias_maps">alias_maps</a></b> (these may contain "<i>|command</i> and "<i>/file/name</i>"
-       destinations),  or <b><a href="postconf.5.html#virtual_uid_maps">virtual_uid_maps</a></b>, <b><a href="postconf.5.html#virtual_gid_maps">virtual_gid_maps</a></b> and <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mail</a>-</b>
-       <b><a href="postconf.5.html#virtual_mailbox_maps">box_maps</a></b> (these specify UNIX process privileges or "<i>/file/name</i>"  desti-
-       nations).   In  a typical deployment a memcache database is writable by
-       any process that can talk to the memcache server;  in  contrast,  secu-
-       rity-sensitive  tables must never be writable by the unprivileged Post-
+       destinations), or <b><a href="postconf.5.html#virtual_uid_maps">virtual_uid_maps</a></b>, <b><a href="postconf.5.html#virtual_gid_maps">virtual_gid_maps</a></b> and  <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mail</a>-</b>
+       <b><a href="postconf.5.html#virtual_mailbox_maps">box_maps</a></b> (these specify UNIX process privileges for "<i>/file/name</i>" desti-
+       nations).  In a typical deployment a memcache database is  writable  by
+       any  process  that  can talk to the memcache server; in contrast, secu-
+       rity-sensitive tables must never be writable by the unprivileged  Post-
        fix user.
 
        The Postfix memcache client requires additional configuration when used
-       as  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  or  <a href="verify.8.html"><b>verify</b>(8)</a> cache.  For details see the <b>backup</b> and
-       <b>ttl</b> parameter discussions  in  the  MEMCACHE  MAIN  PARAMETERS  section
+       as <a href="postscreen.8.html"><b>postscreen</b>(8)</a> or <a href="verify.8.html"><b>verify</b>(8)</a> cache.  For details see  the  <b>backup</b>  and
+       <b>ttl</b>  parameter  discussions  in  the  MEMCACHE  MAIN PARAMETERS section
        above.
 
 <b><a name="see_also">SEE ALSO</a></b>

postfix/html/mysql_table.5.html

@@ -61,16 +61,15 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
               TCP you have to specify
                   hosts = 127.0.0.1
 
-              NOTE:  if  the  <b>hosts</b>  setting specifies one server, this client
-              assumes that the target is a load balancer  and  will  reconnect
-              immediately  after  a  single  failure,  instead  of failing all
-              requests temporarily. With older versions of this client,  spec-
-              ify the same server twice.
+              NOTE:  if  the  <b>hosts</b>  setting  specifies  only one server, this
+              client assumes that the target  is  a  load  balancer  and  will
+              reconnect  immediately after a single failure. With Postfix ver-
+              sions 3.9 and earlier, specify the same server twice.
 
        <b>user</b>
 
        <b>password</b>
-              The  user name and password to log into the mysql server.  Exam-
+              The user name and password to log into the mysql server.   Exam-
               ple:
                   user = someone
                   password = some_password
@@ -79,15 +78,15 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
                   dbname = customer_database
 
        <b>charset (default: utf8mb4)</b>
-              The default MySQL client character set; this  also  implies  the
+              The  default  MySQL  client character set; this also implies the
               collation order.
 
-              This  parameter  is  available with Postfix 3.9 and later.  With
-              earlier Postfix versions, the default was chosen  by  the  MySQL
+              This parameter is available with Postfix 3.9  and  later.   With
+              earlier  Postfix  versions,  the default was chosen by the MySQL
               implementation (<b>utf8mb4</b> as of MySQL 8.0, <b>latin1</b> historically).
 
        <b>idle_interval (default: 60)</b>
-              The  number  of  seconds after which an idle database connection
+              The number of seconds after which an  idle  database  connection
               will be closed.
 
               This feature is available in Postfix 3.9 and later.
@@ -96,11 +95,10 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
               The number of seconds that a database connection will be skipped
               after an error.
 
-              NOTE:  if  the  <b>hosts</b>  setting specifies one server, this client
-              assumes that the target is a load balancer  and  will  reconnect
-              immediately  after  a  single  failure,  instead  of failing all
-              requests temporarily. With older versions of this client,  spec-
-              ify the same server twice.
+              NOTE: if the <b>hosts</b>  setting  specifies  only  one  server,  this
+              client  assumes  that  the  target  is  a load balancer and will
+              reconnect immediately after a single failure. With Postfix  ver-
+              sions 3.9 and earlier, specify the same server twice.
 
               This feature is available in Postfix 3.9 and later.
 

postfix/html/oqmgr.8.html

@@ -348,7 +348,7 @@ OQMGR(8)                                                              OQMGR(8)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
               Log warnings about problematic configuration settings, and  pro-

postfix/html/pgsql_table.5.html

@@ -65,16 +65,15 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
               URI, the Postfix PostgreSQL client will ignore the <b>dbname</b>, <b>user</b>,
               and <b>password</b> settings for that connection.
 
-              NOTE: if the <b>hosts</b> setting specifies  one  server,  this  client
-              assumes  that  the  target is a load balancer and will reconnect
-              immediately after a  single  failure,  instead  of  failing  all
-              requests  temporarily. With older versions of this client, spec-
-              ify the same server twice.
+              NOTE: if the <b>hosts</b>  setting  specifies  only  one  server,  this
+              client  assumes  that  the  target  is  a load balancer and will
+              reconnect immediately after a single failure. With Postfix  ver-
+              sions 3.9 and earlier, specify the same server twice.
 
        <b>user</b>
 
        <b>password</b>
-              The user name and password to log into the pgsql server.   Exam-
+              The  user name and password to log into the pgsql server.  Exam-
               ple:
                   user = someone
                   password = some_password
@@ -85,25 +84,25 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
        <b>dbname</b> The database name on the servers. Example:
                   dbname = customer_database
 
-              The <b>dbname</b> setting is ignored for  <b>hosts</b>  connections  that  are
+              The  <b>dbname</b>  setting  is  ignored for <b>hosts</b> connections that are
               specified as an URI.
 
               The <b>dbname</b> setting is required with Postfix 3.10 and later, when
-              <b>hosts</b> specifies any non-URI connection; it  is  always  required
+              <b>hosts</b>  specifies  any  non-URI connection; it is always required
               with earlier Postfix versions.
 
        <b>encoding</b>
-              The  encoding  used  by the database client. The default setting
+              The encoding used by the database client.  The  default  setting
               is:
                   encoding = UTF8
 
-              Historically, the database client was hard coded to  use  LATIN1
+              Historically,  the  database client was hard coded to use LATIN1
               in an attempt to disable multibyte character support.
 
               This feature is available in Postfix 3.8 and later.
 
        <b>idle_interval (default: 60)</b>
-              The  number  of  seconds after which an idle database connection
+              The number of seconds after which an  idle  database  connection
               will be closed.
 
               This feature is available in Postfix 3.9 and later.
@@ -112,11 +111,10 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
               The number of seconds that a database connection will be skipped
               after an error.
 
-              NOTE:  if  the  <b>hosts</b>  setting specifies one server, this client
-              assumes that the target is a load balancer  and  will  reconnect
-              immediately  after  a  single  failure,  instead  of failing all
-              requests temporarily. With older versions of this client,  spec-
-              ify the same server twice.
+              NOTE: if the <b>hosts</b>  setting  specifies  only  one  server,  this
+              client  assumes  that  the  target  is  a load balancer and will
+              reconnect immediately after a single failure. With Postfix  ver-
+              sions 3.9 and earlier, specify the same server twice.
 
               This feature is available in Postfix 3.9 and later.
 

postfix/html/postconf.1.html

@@ -226,6 +226,16 @@ POSTCONF(1)                                                        POSTCONF(1)
               <b>dbm</b>    An indexed file type based on hashing.  Available on sys-
                      tems with support for DBM databases.
 
+              <b>debug</b>  An  adapter for another table that causes all accesses to
+                     be logged.  The table name syntax is <i>type</i><b>:</b><i>name</i>.   Example
+                     usage:  <b>debug:<a href="DATABASE_README.html#types">hash</a>:/etc/postfix/example</b>.   The formats of
+                     the log messages are unspecified and subject  to  change.
+                     Warning: If a query or the underlying table contains sen-
+                     sitive information (such as a password), that information
+                     might be logged.
+
+                     This feature is available with Postfix 3.11 and later.
+
               <b>environ</b>
                      The UNIX process environment array. The lookup key is the
                      environment variable name; the  table  name  is  ignored.

postfix/html/postconf.5.html

@@ -20,7 +20,7 @@ if (hash && isChrome) {
     setTimeout(function() {
         window.location.hash = "";
         window.location.hash = hash;
-    }, 1000);
+    }, 1500);
 }
 
 </script>
@@ -3349,7 +3349,7 @@ with older Postfix versions).  </p>
 when converting UTF-8 domain names to/from the ASCII form that is
 used for DNS lookups. Specify "yes" for compatibility with Postfix
 &le; 3.1 (not recommended). This affects the conversion of domain
-names that contain for example the German sz and the Greek zeta.
+names that contain for example the German sz and the Greek sigma.
 See <a href="https://unicode.org/cldr/utility/idna.jsp">https://unicode.org/cldr/utility/idna.jsp</a> for more examples.
 </p>
 
@@ -4236,15 +4236,20 @@ environment.  Examples of relevant environment variables: </p>
 
 <dd>Needed to make "<b>postfix -c</b>" work. </dd>
 
+<dt><b>POSTLOG_HOSTNAME</b></dt>
+
+<dd>Needed to make "<b><a href="postconf.5.html#maillog_file">maillog_file</a></b>" work during daemon
+process initialization. </dd>
+
 <dt><b>POSTLOG_SERVICE</b></dt>
 
 <dd>Needed to make "<b><a href="postconf.5.html#maillog_file">maillog_file</a></b>" work during daemon
 process initialization. </dd>
 
-<dt><b>POSTLOG_HOSTNAME</b></dt>
+<dt><b>XDG_RUNTIME_DIR</b></dt>
 
-<dd>Needed to make "<b><a href="postconf.5.html#maillog_file">maillog_file</a></b>" work during daemon
-process initialization. </dd>
+<dd>Needed for debugging Postfix daemons with an XDG-style debugger.
+</dd>
 
 </dl>
 
@@ -8878,6 +8883,10 @@ clients,
 and <a href="postscreen.8.html">postscreen(8)</a> will update an SMTP client's DNSBL score with
 each non-error reply as described below. </p>
 
+<p> NOTE: Always respect the usage policies of reputation services.
+Avoid public or ISP resolvers, unless the queries use your unique
+API key. </p>
+
 <p> Caution: when postscreen rejects mail, its SMTP response contains
 the DNSBL
 domain name. Use the <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> feature to hide
@@ -10518,6 +10527,30 @@ Examples:
 </pre>
 
 
+</DD>
+
+<DT><b><a name="relocated_prefix_enable">relocated_prefix_enable</a>
+(default: yes)</b></DT><DD>
+
+<p> Prepend the prefix "<b>5.1.6 User has moved to </b>" to all
+<a href="postconf.5.html#relocated_maps">relocated_maps</a> lookup results. With "<a href="postconf.5.html#relocated_prefix_enable">relocated_prefix_enable</a> =
+no", all lookup results must contain a valid <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> compliant
+enhanced status code and text (format: "[45].number.number text...").
+
+<p>
+Example:
+</p>
+
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    <a href="postconf.5.html#relocated_maps">relocated_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/relocated
+    <a href="postconf.5.html#relocated_prefix_enable">relocated_prefix_enable</a> = no
+<br>
+<a href="DATABASE_README.html#types">hash</a>:/etc/postfix/relocated:
+    user@example.com 5.2.1 User account is disabled
+</pre>
+
+
 </DD>
 
 <DT><b><a name="remote_header_rewrite_domain">remote_header_rewrite_domain</a>
@@ -12469,6 +12502,12 @@ line. </p>
 
 <pre>
 /etc/postfix/reply_filter:
+    # Some Microsoft servers violate <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a> section 4, causing Postfix
+    # to complain with "non-empty initial GSSAPI challenge from server"
+    /^334\s+GSSAPI\s+supported/ 334
+</pre>
+
+<pre>
     # Transform garbage into "250-filler..." so that it looks like
     # one line from a multi-line reply. It does not matter what we
     # substitute here as long it has the right syntax.  The Postfix
@@ -14425,14 +14464,16 @@ example.net     secure match=example.com:.example.com
 </DD>
 
 <DT><b><a name="smtp_tls_security_level">smtp_tls_security_level</a>
-(default: empty)</b></DT><DD>
+(default: Postfix &ge; 3.11: may; Postfix &lt; 3.11: empty)</b></DT><DD>
 
 <p> The default SMTP TLS security level for the Postfix SMTP client.
 When a non-empty value is specified, this overrides the obsolete
 parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>;
-when no value is specified for <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> or the obsolete
-parameters, the default SMTP TLS security level is
-<a href="TLS_README.html#client_tls_none">none</a>. </p>
+when no value is specified for those obsolete parameters, the default
+SMTP TLS security level is <a href="TLS_README.html#client_tls_may">may</a>
+(<a href="postconf.5.html#compatibility_level">compatibility_level</a> &ge; 3.11) or <a
+href="TLS_README.html#client_tls_none">none</a>
+(<a href="postconf.5.html#compatibility_level">compatibility_level</a> &lt; 3.11). </p>
 
 <p> Specify one of the following security levels: </p>
 
@@ -14866,13 +14907,11 @@ requirements for MTA-STS <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls
 </DD>
 
 <DT><b><a name="smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>
-(default: yes)</b></DT><DD>
+(default: Postfix &ge; 3.11: no, Postfix 3.10: yes)</b></DT><DD>
 
-<p> Do not report the TLSRPT status for TLS protocol handshakes
-that reuse a previously-negotiated TLS session (there is no new
-information to report). Report the TLSRPT status only for "new" TLS
-sessions. Set this to "no" to log the TLSRPT status of all TLS
-handshakes, for example to troubleshoot Postfix TLSRPT support.
+<p> When set to "yes", report the TLSRPT status only for "new" TLS
+sessions. When set to "no", also report the TLSRPT status for TLS
+protocol handshakes that reuse a previously-negotiated TLS session.
 </p>
 
 <p> Note: if an SMTP over TLS connection is reused, there is no
@@ -15553,7 +15592,12 @@ The <a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> para
 rejected requests (default:  554), the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a>  parameter
 specifies the default server reply, and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a>  parameter
 specifies tables with server replies indexed by <i>rbl_domain</i>.
-This feature is available in Postfix 2.0 and later.  </dd>
+<br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking the key in SMTP server
+responses). <br>
+This feature is available in Postfix 2.0 and later. </dd>
 
 <dt><b><a name="permit_dnswl_client">permit_dnswl_client <i>dnswl_domain=d.d.d.d</i></a></b></dt>
 
@@ -15565,8 +15609,12 @@ If no "<i>=d.d.d.d</i>" is specified, accept the request when the
 reversed client network address is listed with any A record under
 <i>dnswl_domain</i>. <br> For safety, <a href="postconf.5.html#permit_dnswl_client">permit_dnswl_client</a> is silently
 ignored when it would override <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>.  The
-result is DEFER_IF_REJECT when allowlist lookup fails.  This feature
-is available in Postfix 2.8 and later.  </dd>
+result is DEFER_IF_REJECT when allowlist lookup fails. <br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
+server responses). <br>
+This feature is available in Postfix 2.8 and later. </dd>
 
 <dt><b><a name="reject_rhsbl_client">reject_rhsbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
 
@@ -15579,9 +15627,14 @@ number..number ranges (Postfix version 2.8 and later).  If no
 hostname is listed with
 any A record under <i>rbl_domain</i>. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>
 description above for additional RBL related configuration parameters.
+<br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
+server responses). <br>
 This feature is available in Postfix 2.0 and later; with Postfix
 version 2.8 and later, <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a> will usually
-produce better results.  </dd>
+produce better results. </dd>
 
 <dt><b><a name="permit_rhswl_client">permit_rhswl_client <i>rhswl_domain=d.d.d.d</i></a></b></dt>
 
@@ -15597,8 +15650,12 @@ allowlisting should be used only to reduce false positives in e.g.
 DNS-based blocklists, and not for making access rule exceptions.
 <br> For safety, <a href="postconf.5.html#permit_rhswl_client">permit_rhswl_client</a> is silently ignored when it
 would override <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>.  The result is DEFER_IF_REJECT
-when allowlist lookup fails.  This feature is available in Postfix
-2.8 and later.  </dd>
+when allowlist lookup fails. <br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
+server responses). <br>
+This feature is available in Postfix 2.8 and later.</dd>
 
 <dt><b><a name="reject_rhsbl_reverse_client">reject_rhsbl_reverse_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
 
@@ -15609,8 +15666,12 @@ one or more ";"-separated numbers or number..number ranges.
 If no "<i>=d.d.d.d</i>" is specified, reject the request when the
 unverified reverse client hostname is listed with any A record under
 <i>rbl_domain</i>. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> description above for
-additional RBL related configuration parameters.  This feature is
-available in Postfix 2.8 and later.  </dd>
+additional RBL related configuration parameters. <br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
+server responses). <br>
+This feature is available in Postfix 2.8 and later. </dd>
 
 <dt><b><a name="reject_unknown_client_hostname">reject_unknown_client_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_client)</dt>
 
@@ -16512,8 +16573,12 @@ listed with any A record under <i>rbl_domain</i>. See the
 parameters.  Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully
 enforce this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a
 client can simply skip <a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> by not sending HELO or
-EHLO). This feature is available in Postfix 2.0
-and later.  </dd>
+EHLO). <br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
+server responses). <br>
+This feature is available in Postfix 2.0 and later. </dd>
 
 <dt><b><a name="reject_unknown_helo_hostname">reject_unknown_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_hostname)</dt>
 
@@ -16572,7 +16637,7 @@ SMTP server's Received: message header. </p>
 
 <li> <p> The default setting, "<a href="postconf.5.html#smtpd_hide_client_session">smtpd_hide_client_session</a> = no",
 must be used for the port 25 MTA service. It provides information
-that is required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. </p>
+that is required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> section 4.4. </p>
 
 <li> <p> The setting "<a href="postconf.5.html#smtpd_hide_client_session">smtpd_hide_client_session</a> = yes" may be used
 for the port 587 and 465 MUA services. This hides the SMTP client
@@ -16595,8 +16660,9 @@ Received: by mail.example.com (Postfix) id postfix-queue-id
 </blockquote>
 
 <p> The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the information required by
-<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. The form does still meet <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> requirements. </p>
+and therefore it does not need to provide the FROM clause according
+to <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> section 4.4. The redacted form still meets <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a>
+requirements. </p>
 
 <p> This feature is available in Postfix &ge; 3.10. </p>
 
@@ -17231,8 +17297,12 @@ any A record under <i>rbl_domain</i>. <br> The <a href="postconf.5.html#maps_rbl
 parameter specifies the response code for rejected requests (default:
 554); the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> parameter specifies the default server
 reply; and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> parameter specifies tables with server
-replies indexed by <i>rbl_domain</i>.  This feature is available
-in Postfix version 2.0 and later.</dd>
+replies indexed by <i>rbl_domain</i>. <br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
+server responses). <br>
+This feature is available in Postfix version 2.0 and later.</dd>
 
 <dt><b><a name="reject_unauth_destination">reject_unauth_destination</a></b></dt>
 
@@ -17324,6 +17394,58 @@ Example:
 </pre>
 
 
+</DD>
+
+<DT><b><a name="smtpd_reject_filter_maps">smtpd_reject_filter_maps</a>
+(default: empty)</b></DT><DD>
+
+<p> An optional filter that can replace a reject response from the
+Postfix SMTP server itself, or from a program that replies through
+the Postfix SMTP server. The filter is applied before the optional
+reject footers are appended. Typically, the filter will be a <a href="regexp_table.5.html">regexp</a>:
+or <a href="pcre_table.5.html">pcre</a>: table, where the left-hand side specifies a pattern, and
+the right-hand side specifies replacement text. </p>
+
+<p> The input is a server response that starts with a 4XX or 5XX
+reply code (see <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>), usually followed by an enhanced status
+code (see <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>) and text. The filter returns replacement text
+or indicates that there was no match. This feature cannot be used
+to change a reject reply into a non-reject one or vice versa. </p>
+
+<p> LIMITATION: <a href="postconf.5.html#smtpd_reject_filter_maps">smtpd_reject_filter_maps</a> will not replace text that
+was already logged before the Postfix SMTP server replies to the
+remote SMTP client. To help with logfile analysis, the Postfix SMTP
+server logs both the unmodified reply (logged below as "reject
+filter in") and the replacement reply (logged below as "reject
+filter out").
+
+<p> Example: </p>
+
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    <a href="postconf.5.html#smtpd_reject_filter_maps">smtpd_reject_filter_maps</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/smtpd_reject_filter
+</pre>
+
+<pre>
+/etc/postfix/smtpd_reject_filter:
+    # Replace soft reject with hard reject.
+    /^451 4(\.6\.0 Alias expansion error)/ 550 5${1}
+</pre>
+
+<pre>
+    # Silly rule for demo purposes.
+    /^(4.+[^.])\.*$/ $1. See you later.
+</pre>
+
+<pre>
+/var/log/maillog:
+    NOQUEUE: reject filter in: 451 4.6.0 Alias expansion error
+    NOQUEUE: reject filter out: 550 5.6.0 Alias expansion error
+</pre>
+
+<p> This feature is available in Postfix &ge; 3.11. </p>
+
+
 </DD>
 
 <DT><b><a name="smtpd_reject_footer">smtpd_reject_footer</a>
@@ -18082,6 +18204,11 @@ listed with any A record under <i>rbl_domain</i>. <br> The
 rejected requests (default:  554); the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> parameter
 specifies the default server reply; and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> parameter
 specifies tables with server replies indexed by <i>rbl_domain</i>.
+<br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> for how to avoid leaking an API key in SMTP
+server responses). <br>
 This feature is available in Postfix 2.0 and later.</dd>
 
 <dt><b><a name="reject_sender_login_mismatch">reject_sender_login_mismatch</a></b></dt>
@@ -20119,13 +20246,11 @@ openssl.cnf:
     Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
 </pre>
 
-<p> Caution: It is typically best to just use the default group
-settings, for which no $<a href="postconf.5.html#tls_config_file">tls_config_file</a> is required (you can set
-"<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none", to avoid unwanted leakage of system-wide
-settings that strive to harden HTTPS against mostly browser-specific
-security and privacy issues into Postfix use of opportunistic TLS,
-where they're they can be counterproductive, leading to downgrades
-to cleartext, rather than more "secure" TLS). </p>
+<p> Caution: It is typically best to just use the default OpenSSL
+group settings, by setting "<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none". Overly strict
+system-wide TLS settings will conflict with Postfix's opportunistic
+TLS, where being less restrictive is better than downgrading to
+cleartext SMTP. </p>
 
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
@@ -20721,7 +20846,8 @@ gives timeout errors.  </p>
 
 <p> Enable support for the "TLS-Required: no" message header, defined
 in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. By adding this header to a message, a sender requests
-no enforcement of TLS policy. This limits the Postfix SMTP client
+no enforcement of TLS policy. This disables TLS policy lookup, and
+limits the Postfix SMTP client
 TLS security level to "may", that is, do not verify remote SMTP
 server certificates, and fall back to plaintext if TLS is unavailable.
 If a message contains a "TLS-Required: no" header, then Postfix

postfix/html/postfix-tls.1.html

@@ -182,7 +182,7 @@ POSTFIX-TLS(1)                                                  POSTFIX-TLS(1)
        <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
               Enable additional Postfix SMTP client logging of TLS activity.
 
-       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
+       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (Postfix</b> &gt;<b>= 3.11: may; Postfix</b> &lt; <b>3.11: empty)</b>
               The default SMTP TLS security level for the Postfix SMTP client.
 
        <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>

postfix/html/postmap.1.html

@@ -120,7 +120,7 @@ POSTMAP(1)                                                          POSTMAP(1)
               also generates header-style  lookup  keys  for  attachment  MIME
               headers and for attached message/* headers.
 
-              NOTE:  with  "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>  = yes", the <b>-b</b> option option dis-
+              NOTE:  with  "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>  = yes", the <b>-h</b> option option dis-
               ables UTF-8 syntax checks on  query  keys  and  lookup  results.
               Specify the <b>-U</b> option to force UTF-8 syntax checks anyway.
 

postfix/html/postscreen.8.html

@@ -222,7 +222,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
               text..." response, in an attempt to confuse bad SMTP clients  so
               that they speak before their turn (pre-greet).
 
-       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, overload: 2s)</b>
+       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, <a href="STRESS_README.html">overload</a>: 2s)</b>
               The  amount  of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
               client to send a command before its turn, and for DNS  blocklist
               lookup results to arrive (default: up to 2 seconds under stress,
@@ -359,7 +359,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
               The  limit  on the total number of commands per SMTP session for
               <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
 
-       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, overload: 10s)</b>
+       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, <a href="STRESS_README.html">overload</a>: 10s)</b>
               The  time  limit  to  read   an   entire   command   line   with
               <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
 
@@ -405,7 +405,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The maximal number of digits after the decimal point  when  log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
               The location of all postfix administrative commands.
@@ -468,5 +468,8 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        111 8th Avenue
        New York, NY 10011, USA
 
+       Wietse Venema
+       porcupine.org
+
                                                                  POSTSCREEN(8)
 </pre> </body> </html>

postfix/html/proxymap.8.html

@@ -45,51 +45,60 @@ PROXYMAP(8)                                                        PROXYMAP(8)
 
        The <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server implements the following requests:
 
-       <b>open</b> <i>maptype:mapname flags</i>
-              Open the table with type <i>maptype</i> and name <i>mapname</i>, as controlled
-              by  <i>flags</i>.  The  reply  includes the <i>maptype</i> dependent flags (to
-              distinguish a fixed string table from a regular  expression  ta-
-              ble).
+       <b>open</b> <i>maptype:mapname instance-flags</i>
+              Open the table with type <i>maptype</i> and name <i>mapname</i>, with  initial
+              dictionary  flags  <i>instance-flags</i>. The reply contains the actual
+              dictionary flags (for example, to distinguish a fixed-string ta-
+              ble from a regular-expression table).
 
-       <b>lookup</b> <i>maptype:mapname flags key</i>
-              Look  up  the data stored under the requested key.  The reply is
-              the request completion status code and the lookup result  value.
-              The  <i>maptype:mapname</i>  and  <i>flags</i>  are  the same as with the <b>open</b>
+       <b>lookup</b> <i>maptype:mapname instance-flags request-flags key</i>
+              Look  up  the data stored under the requested key using the dic-
+              tionary flags in <i>request-flags</i>.  The reply contains the  request
+              completion  status code, the resulting dictionary flags, and the
+              lookup result value.  The <i>maptype:mapname</i> and <i>instance-flags</i> are
+              the same as with the <b>open</b> request.
+
+       <b>update</b> <i>maptype:mapname instance-flags request-flags key value</i>
+              Update the data stored under the requested key using the dictio-
+              nary flags in <i>request-flags</i>.  The  reply  contains  the  request
+              completion  status code and the resulting dictionary flags.  The
+              <i>maptype:mapname</i> and <i>instance-flags</i> are the same as with the <b>open</b>
               request.
 
-       <b>update</b> <i>maptype:mapname flags key value</i>
-              Update the data stored under the requested key.   The  reply  is
-              the  request  completion  status  code.  The <i>maptype:mapname</i> and
-              <i>flags</i> are the same as with the <b>open</b> request.
-
-              To implement single-updater maps, specify a process limit  of  1
+              To  implement  single-updater maps, specify a process limit of 1
               in the <a href="master.5.html">master.cf</a> file entry for the <b>proxywrite</b> service.
 
               This request is supported in Postfix 2.5 and later.
 
-       <b>delete</b> <i>maptype:mapname flags key</i>
-              Delete  the  data  stored under the requested key.  The reply is
-              the request completion status  code.   The  <i>maptype:mapname</i>  and
-              <i>flags</i> are the same as with the <b>open</b> request.
+       <b>delete</b> <i>maptype:mapname instance-flags request-flags key</i>
+              Delete the data stored under the requested key, using  the  dic-
+              tionary  flags in <i>request-flags</i>.  The reply contains the request
+              completion status code and the resulting dictionary flags.   The
+              <i>maptype:mapname</i> and <i>instance-flags</i> are the same as with the <b>open</b>
+              request.
 
               This request is supported in Postfix 2.5 and later.
 
-       <b>sequence</b> <i>maptype:mapname flags function</i>
-              Iterate  over  the  specified  database.  The <i>function</i> is one of
-              DICT_SEQ_FUN_FIRST  or  DICT_SEQ_FUN_NEXT.   The  reply  is  the
-              request  completion  status  code  and  a  lookup key and result
-              value, if found.
+       <b>sequence</b> <i>maptype:mapname instance-flags request-flags function</i>
+              Iterate over the specified database, using the dictionary  flags
+              in  <i>request-flags</i>.  The <i>function</i> is either DICT_SEQ_FUN_FIRST or
+              DICT_SEQ_FUN_NEXT.  The reply contains  the  request  completion
+              status  code,  the  resulting dictionary flags, and a lookup key
+              and  result   value   if   found.    The   <i>maptype:mapname</i>   and
+              <i>instance-flags</i> are the same as with the <b>open</b> request.
 
               This request is supported in Postfix 2.9 and later.
 
+       Not implemented: close
+              There is no <b>close</b> request, nor are tables implicitly closed when
+              a client disconnects. The purpose is to share tables among  mul-
+              tiple  client  processes.  Due  to the absence of an explicit or
+              implicit <b>close</b>, updates are forced to be synchronous.
+
        The request completion status is one of OK, RETRY, NOKEY (lookup failed
        because  the  key  was not found), BAD (malformed request) or DENY (the
        table is not approved for proxy read or update access).
 
-       There is no <b>close</b> command, nor are  tables  implicitly  closed  when  a
-       client  disconnects.  The  purpose  is  to  share tables among multiple
-       client processes.
-
 <b><a name="server_process_management">SERVER PROCESS MANAGEMENT</a></b>
        <a href="proxymap.8.html"><b>proxymap</b>(8)</a> servers run under control by the Postfix <a href="master.8.html"><b>master</b>(8)</a>  server.
        Each  server  can  handle  multiple simultaneous connections.  When all
@@ -219,5 +228,8 @@ PROXYMAP(8)                                                        PROXYMAP(8)
        111 8th Avenue
        New York, NY 10011, USA
 
+       Wietse Venema
+       porcupine.org
+
                                                                    PROXYMAP(8)
 </pre> </body> </html>

postfix/html/qmgr.8.html

@@ -426,7 +426,7 @@ QMGR(8)                                                                QMGR(8)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
               Log warnings about problematic configuration settings, and  pro-

postfix/html/relocated.5.html

@@ -5,7 +5,7 @@
 <link rel='stylesheet' type='text/css' href='postfix-doc.css'>
 <title> Postfix manual - relocated(5) </title>
 </head> <body> <pre>
-RELOCATED(5)                                                      RELOCATED(5)
+<i>RELOCATED</i>(5)                  File Formats Manual                 <i>RELOCATED</i>(5)
 
 <b><a name="name">NAME</a></b>
        relocated - Postfix relocated table format
@@ -19,36 +19,44 @@ RELOCATED(5)                                                      RELOCATED(5)
 
        Normally, the <a href="relocated.5.html"><b>relocated</b>(5)</a> table is  specified  as  a  text  file  that
        serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command.  The result, an indexed file
-       in <b>dbm</b> or <b>db</b> format, is used for fast searching  by  the  mail  system.
-       Execute  the  command  "<b>postmap  /etc/postfix/relocated</b>"  to rebuild an
-       indexed file after changing the corresponding relocated table.
+       in <b>dbm</b> or <b>db</b> format, is used for fast searching by the mail system. Ex-
+       ecute  the  command  "<b>postmap /etc/postfix/relocated</b>" to rebuild an in-
+       dexed file after changing the corresponding relocated table.
 
        When the table is provided via other means such as NIS,  LDAP  or  SQL,
        the same lookups are done as for ordinary indexed files.
 
        Alternatively,  the  table  can be provided as a regular-expression map
-       where patterns are given as regular  expressions,  or  lookups  can  be
-       directed  to a TCP-based server. In those case, the lookups are done in
-       a slightly different way as described below under  "REGULAR  EXPRESSION
-       TABLES" or "TCP-BASED TABLES".
+       where patterns are given as regular expressions, or lookups can be  di-
+       rected  to a TCP-based server. In those case, the lookups are done in a
+       slightly different way as described below under "REGULAR EXPRESSION TA-
+       BLES" or "TCP-BASED TABLES".
 
        Table lookups are case insensitive.
 
 <b><a name="case_folding">CASE FOLDING</a></b>
-       The  search string is folded to lowercase before database lookup. As of
-       Postfix 2.3, the search string is not case folded with  database  types
-       such  as  <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose lookup fields can match both upper and
+       The search string is folded to lowercase before database lookup. As  of
+       Postfix  2.3,  the search string is not case folded with database types
+       such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose lookup fields can match both  upper  and
        lower case.
 
 <b><a name="table_format">TABLE FORMAT</a></b>
-       The input format for the <a href="postmap.1.html"><b>postmap</b>(1)</a> command is as follows:
-
-       <b>o</b>      An entry has one of the following form:
+       <b>o</b>      By default, Postfix will prepend a hard-coded prefix "5.1.6 User
+              has  moved  to  " to a table lookup result, and the format for a
+              table entry is as follows:
 
                    <i>pattern      new</i><b>_</b><i>location</i>
 
               Where <i>new</i><b>_</b><i>location</i> specifies  contact  information  such  as  an
-              email  address, or perhaps a street address or telephone number.
+              email address, or perhaps a street address or telephone number.
+
+       <b>o</b>      Postfix  3.11  and  later  can optionally disable the hard-coded
+              prefix. Specify "<a href="postconf.5.html#relocated_prefix_enable">relocated_prefix_enable</a> = no" in  <a href="postconf.5.html">main.cf</a>,  and
+              specify  <a href="postconf.5.html#relocated_maps">relocated_maps</a> entries with your own <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>-compliant
+              enhanced status code and text, for example:
+
+                   <i>pattern</i>      5.2.0 Mailbox is unavailable
+                   <i>pattern</i>      5.2.1 Mailbox is disabled
 
        <b>o</b>      Empty lines and whitespace-only lines are ignored, as are  lines
               whose first non-whitespace character is a `#'.
@@ -66,11 +74,11 @@ RELOCATED(5)                                                      RELOCATED(5)
               forms.
 
        <i>user</i>   Matches <i>user</i>@<i>site</i> when <i>site</i> is $<b><a href="postconf.5.html#myorigin">myorigin</a></b>, when <i>site</i> is listed in
-              $<b><a href="postconf.5.html#mydestination">mydestination</a></b>, or when <i>site</i> is listed  in  $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>  or
+              $<b><a href="postconf.5.html#mydestination">mydestination</a></b>,  or  when  <i>site</i> is listed in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or
               $<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>.
 
        @<i>domain</i>
-              Matches  other  addresses  in  <i>domain</i>.  This form has the lowest
+              Matches other addresses in <i>domain</i>.  This  form  has  the  lowest
               precedence.
 
 <b><a name="address_extension">ADDRESS EXTENSION</a></b>
@@ -86,26 +94,26 @@ RELOCATED(5)                                                      RELOCATED(5)
        of the TCP client/server table lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.  This
        feature is available in Postfix 2.5 and later.
 
-       Each  pattern  is  a  regular  expression that is applied to the entire
-       address being looked up. Thus, <i>user@domain</i> mail addresses are not  bro-
-       ken  up  into their <i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i>
-       broken up into <i>user</i> and <i>foo</i>.
+       Each pattern is a regular expression that is applied to the entire  ad-
+       dress  being looked up. Thus, <i>user@domain</i> mail addresses are not broken
+       up into their <i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i>  bro-
+       ken up into <i>user</i> and <i>foo</i>.
 
-       Patterns are applied in the order as specified in the  table,  until  a
+       Patterns  are  applied  in the order as specified in the table, until a
        pattern is found that matches the search string.
 
-       Results  are the same as with indexed file lookups, with the additional
-       feature that parenthesized substrings from the pattern can be  interpo-
+       Results are the same as with indexed file lookups, with the  additional
+       feature  that parenthesized substrings from the pattern can be interpo-
        lated as <b>$1</b>, <b>$2</b> and so on.
 
 <b><a name="tcp-based_tables">TCP-BASED TABLES</a></b>
-       This  section  describes  how the table lookups change when lookups are
-       directed  to  a  TCP-based  server.  For  a  description  of  the   TCP
-       client/server  lookup  protocol,  see  <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.   This  feature is
+       This section describes how the table lookups change  when  lookups  are
+       directed   to  a  TCP-based  server.  For  a  description  of  the  TCP
+       client/server lookup  protocol,  see  <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.   This  feature  is
        available in Postfix 2.5 and later.
 
-       Each lookup operation uses the entire address once.  Thus,  <i>user@domain</i>
-       mail  addresses  are  not  broken  up  into their <i>user</i> and <i>@domain</i> con-
+       Each  lookup operation uses the entire address once.  Thus, <i>user@domain</i>
+       mail addresses are not broken up  into  their  <i>user</i>  and  <i>@domain</i>  con-
        stituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
 
        Results are the same as with indexed file lookups.
@@ -114,32 +122,38 @@ RELOCATED(5)                                                      RELOCATED(5)
        The table format does not understand quoting conventions.
 
 <b><a name="configuration_parameters">CONFIGURATION PARAMETERS</a></b>
-       The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are  especially  relevant.   The  text
-       below  provides  only  a  parameter  summary.  See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more
-       details including examples.
+       The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant.  The text be-
+       low provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details
+       including examples.
 
        <b><a href="postconf.5.html#relocated_maps">relocated_maps</a> (empty)</b>
               Optional lookup tables with new contact information for users or
               domains that no longer exist.
 
+       Available with Postfix version 3.11 and later:
+
+       <b><a href="postconf.5.html#relocated_prefix_enable">relocated_prefix_enable</a> (yes)</b>
+              Prepend  the  prefix  "<b>5.1.6  User  has  moved to</b> " to all relo-
+              cated_maps lookup results.
+
        Other parameters of interest:
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The  local  network  interface  addresses  that this mail system
-              receives mail on.
+              The local network interface addresses that this mail system  re-
+              ceives mail on.
 
        <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b>
-              The list of domains that are delivered via the  $<a href="postconf.5.html#local_transport">local_transport</a>
+              The  list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a>
               mail delivery transport.
 
        <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The  domain  name that locally-posted mail appears to come from,
+              The domain name that locally-posted mail appears to  come  from,
               and that locally posted mail is delivered to.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The remote network interface addresses  that  this  mail  system
-              receives  mail  on by way of a proxy or network address transla-
-              tion unit.
+              The remote network interface addresses that this mail system re-
+              ceives  mail on by way of a proxy or network address translation
+              unit.
 
 <b><a name="see_also">SEE ALSO</a></b>
        <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, address resolver
@@ -164,5 +178,5 @@ RELOCATED(5)                                                      RELOCATED(5)
        111 8th Avenue
        New York, NY 10011, USA
 
-                                                                  RELOCATED(5)
+                                                                  <i>RELOCATED</i>(5)
 </pre> </body> </html>

postfix/html/smtp.8.html

@@ -511,7 +511,7 @@ SMTP(8)                                                                SMTP(8)
        Detailed  information  about STARTTLS configuration may be found in the
        <a href="TLS_README.html">TLS_README</a> document.
 
-       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
+       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (Postfix</b> &gt;<b>= 3.11: may; Postfix</b> &lt; <b>3.11: empty)</b>
               The default SMTP TLS security level for the Postfix SMTP client.
 
        <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
@@ -757,50 +757,50 @@ SMTP(8)                                                                SMTP(8)
               The pathname of a UNIX-domain datagram socket that is managed by
               a local TLSRPT reporting service.
 
-       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
-              Do not report the TLSRPT status for TLS protocol handshakes that
-              reuse  a  previously-negotiated  TLS  session  (there  is no new
-              information to report).
+       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (Postfix</b> &gt;<b>= 3.11: no, Postfix  3.10:</b>
+       <b>yes)</b>
+              When set to "yes", report the TLSRPT status only for  "new"  TLS
+              sessions.
 
        <b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
               Enable  support  for  the  "TLS-Required:  no"  message  header,
               defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
 
 <b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
-       The  following  configuration  parameters  exist for compatibility with
-       Postfix versions before 2.3. Support for these will  be  removed  in  a
+       The following configuration parameters  exist  for  compatibility  with
+       Postfix  versions  before  2.3.  Support for these will be removed in a
        future release.
 
        <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
-              Opportunistic  mode: use TLS when a remote SMTP server announces
+              Opportunistic mode: use TLS when a remote SMTP server  announces
               STARTTLS support, otherwise send the mail in the clear.
 
        <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
-              Enforcement mode: require  that  remote  SMTP  servers  use  TLS
+              Enforcement  mode:  require  that  remote  SMTP  servers use TLS
               encryption, and never send mail in the clear.
 
        <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              With  mandatory  TLS  encryption,  require  that the remote SMTP
-              server hostname matches  the  information  in  the  remote  SMTP
+              With mandatory TLS encryption,  require  that  the  remote  SMTP
+              server  hostname  matches  the  information  in  the remote SMTP
               server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
-              Optional  lookup  tables  with the Postfix SMTP client TLS usage
-              policy by next-hop destination and by remote SMTP  server  host-
+              Optional lookup tables with the Postfix SMTP  client  TLS  usage
+              policy  by  next-hop destination and by remote SMTP server host-
               name.
 
        <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
-              Obsolete  Postfix  &lt; 2.3 control for the Postfix SMTP client TLS
+              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP  client  TLS
               cipher list.
 
 <b><a name="resource_and_rate_controls">RESOURCE AND RATE CONTROLS</a></b>
        <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The Postfix SMTP client time limit for completing a TCP  connec-
+              The  Postfix SMTP client time limit for completing a TCP connec-
               tion, or zero (use the operating system built-in time limit).
 
        <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The  Postfix SMTP client time limit for sending the HELO or EHLO
-              command, and  for  receiving  the  initial  remote  SMTP  server
+              The Postfix SMTP client time limit for sending the HELO or  EHLO
+              command,  and  for  receiving  the  initial  remote  SMTP server
               response.
 
        <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@@ -812,19 +812,19 @@ SMTP(8)                                                                SMTP(8)
               mand, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The  Postfix  SMTP  client  time limit for sending the MAIL FROM
+              The Postfix SMTP client time limit for  sending  the  MAIL  FROM
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The Postfix SMTP client time limit for sending the SMTP RCPT  TO
+              The  Postfix SMTP client time limit for sending the SMTP RCPT TO
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The  Postfix  SMTP  client  time limit for sending the SMTP DATA
+              The Postfix SMTP client time limit for  sending  the  SMTP  DATA
               command, and for receiving the remote SMTP server response.
 
        <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The Postfix SMTP client time limit for sending the SMTP  message
+              The  Postfix SMTP client time limit for sending the SMTP message
               content.
 
        <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@@ -838,13 +838,13 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
-              The  maximal number of MX (mail exchanger) IP addresses that can
-              result from Postfix SMTP client mail exchanger lookups, or  zero
+              The maximal number of MX (mail exchanger) IP addresses that  can
+              result  from Postfix SMTP client mail exchanger lookups, or zero
               (no limit).
 
        <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The  maximal number of SMTP sessions per delivery request before
-              the Postfix SMTP client gives up  or  delivers  to  a  fall-back
+              The maximal number of SMTP sessions per delivery request  before
+              the  Postfix  SMTP  client  gives  up or delivers to a fall-back
               <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@@ -854,17 +854,17 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2 and earlier:
 
        <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
-              Keep Postfix LMTP client connections open for  up  to  $<a href="postconf.5.html#max_idle">max_idle</a>
+              Keep  Postfix  LMTP  client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
               seconds.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently  enable  SMTP  connection  caching for the specified
+              Permanently enable SMTP connection  caching  for  the  specified
               destinations.
 
        <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily enable SMTP connection caching while  a  destination
+              Temporarily  enable  SMTP connection caching while a destination
               has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
 
        <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@@ -878,23 +878,23 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time  limit for connection cache connect, send or receive opera-
+              Time limit for connection cache connect, send or receive  opera-
               tions.
 
        Available in Postfix version 2.9 - 3.6:
 
        <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
-              Change the behavior of the smtp_*_timeout time  limits,  from  a
-              time  limit  per  read  or write system call, to a time limit to
-              send or receive a complete record (an SMTP  command  line,  SMTP
-              response  line,  SMTP message content line, or TLS protocol mes-
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              time limit per read or write system call, to  a  time  limit  to
+              send  or  receive  a complete record (an SMTP command line, SMTP
+              response line, SMTP message content line, or TLS  protocol  mes-
               sage).
 
        Available in Postfix version 2.11 and later:
 
        <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
-              When SMTP connection caching is enabled,  the  number  of  times
-              that  an SMTP session may be reused before it is closed, or zero
+              When  SMTP  connection  caching  is enabled, the number of times
+              that an SMTP session may be reused before it is closed, or  zero
               (no limit).
 
        Available in Postfix version 3.4 and later:
@@ -905,13 +905,13 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 3.7 and later:
 
        <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
-              Change the behavior of the smtp_*_timeout time  limits,  from  a
-              time  limit  per  plaintext or TLS read or write call, to a com-
-              bined time limit for sending a complete  SMTP  request  and  for
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              time limit per plaintext or TLS read or write call,  to  a  com-
+              bined  time  limit  for  sending a complete SMTP request and for
               receiving a complete SMTP response.
 
        <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
-              The  minimum  plaintext  data  transfer rate in bytes/second for
+              The minimum plaintext data transfer  rate  in  bytes/second  for
               DATA    requests,    when    deadlines    are    enabled    with
               <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
 
@@ -919,54 +919,54 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a>   ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
        <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
-              A  transport-specific  override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+              A transport-specific override for  the  <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
               <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
               name of the message delivery transport.
 
        <b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a>     ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
        <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
               A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
-              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where  <i>transport</i>  is  the  <a href="master.5.html">master.cf</a>
+              <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>  parameter  value,  where  <i>transport</i> is the <a href="master.5.html">master.cf</a>
               name of the message delivery transport.
 
 <b><a name="smtputf8_controls">SMTPUTF8 CONTROLS</a></b>
        Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
 
        <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
-              Enable  preliminary SMTPUTF8 support for the protocols described
+              Enable preliminary SMTPUTF8 support for the protocols  described
               in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
 
        <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
-              Detect that a message requires SMTPUTF8 support for  the  speci-
+              Detect  that  a message requires SMTPUTF8 support for the speci-
               fied mail origin classes.
 
        Available in Postfix version 3.2 and later:
 
        <b><a href="postconf.5.html#enable_idna2003_compatibility">enable_idna2003_compatibility</a> (no)</b>
-              Enable   'transitional'   compatibility   between  IDNA2003  and
-              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
+              Enable  'transitional'  compatibility   between   IDNA2003   and
+              IDNA2008,  when  converting UTF-8 domain names to/from the ASCII
               form that is used for DNS lookups.
 
 <b><a name="trouble_shooting_controls">TROUBLE SHOOTING CONTROLS</a></b>
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The  increment  in verbose logging level when a nexthop destina-
-              tion, remote client or server name or network address matches  a
+              The increment in verbose logging level when a  nexthop  destina-
+              tion,  remote client or server name or network address matches a
               pattern given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional  list  of  nexthop destination, remote client or server
-              name or network address patterns that,  if  matched,  cause  the
-              verbose  logging  level  to  increase by the amount specified in
+              Optional list of nexthop destination, remote  client  or  server
+              name  or  network  address  patterns that, if matched, cause the
+              verbose logging level to increase by  the  amount  specified  in
               $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The recipient of postmaster notifications  about  mail  delivery
+              The  recipient  of  postmaster notifications about mail delivery
               problems that are caused by policy, resource, software or proto-
               col errors.
 
        <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What  categories  of  Postfix-generated  mail  are  subject   to
-              before-queue    content    inspection    by   <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
+              What   categories  of  Postfix-generated  mail  are  subject  to
+              before-queue   content    inspection    by    <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>,
               <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
@@ -974,46 +974,46 @@ SMTP(8)                                                                SMTP(8)
 
 <b><a name="miscellaneous_controls">MISCELLANEOUS CONTROLS</a></b>
        <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where the Postfix  SMTP  client  should  deliver  mail  when  it
+              Where  the  Postfix  SMTP  client  should  deliver  mail when it
               detects a "mail loops back to myself" error condition.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
               figuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How much time a Postfix daemon process  may  take  to  handle  a
+              How  much  time  a  Postfix  daemon process may take to handle a
               request before it is terminated by a built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number of digits after the decimal point when log-
+              The maximal number of digits after the decimal point  when  log-
               ging delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
               Disable DNS lookups in the Postfix SMTP and LMTP clients.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
-              The local network interface  addresses  that  this  mail  system
+              The  local  network  interface  addresses  that this mail system
               receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
-              The  Internet  protocols Postfix will attempt to use when making
+              The Internet protocols Postfix will attempt to use  when  making
               or accepting connections.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
-              The time limit for sending  or  receiving  information  over  an
+              The  time  limit  for  sending  or receiving information over an
               internal communication channel.
 
        <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
-              When  a remote LMTP server announces no DSN support, assume that
-              the server performs final delivery, and send "delivered"  deliv-
+              When a remote LMTP server announces no DSN support, assume  that
+              the  server performs final delivery, and send "delivered" deliv-
               ery status notifications instead of "relayed".
 
        <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
               The default TCP port that the Postfix LMTP client connects to.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount of time that an idle Postfix daemon process
+              The maximum amount of time that an idle Postfix  daemon  process
               waits for an incoming connection before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@@ -1027,21 +1027,21 @@ SMTP(8)                                                                SMTP(8)
               The process name of a Postfix command or daemon process.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
-              The remote network interface addresses  that  this  mail  system
-              receives  mail  on by way of a proxy or network address transla-
+              The  remote  network  interface  addresses that this mail system
+              receives mail on by way of a proxy or network  address  transla-
               tion unit.
 
        <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
               The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
-              client  will  try  first,  when  a destination has IPv6 and IPv4
+              client will try first, when a  destination  has  IPv6  and  IPv4
               addresses with equal MX preference.
 
        <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An optional numerical network  address  that  the  Postfix  SMTP
+              An  optional  numerical  network  address  that the Postfix SMTP
               client should bind to when making an IPv4 connection.
 
        <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An  optional  numerical  network  address  that the Postfix SMTP
+              An optional numerical network  address  that  the  Postfix  SMTP
               client should bind to when making an IPv6 connection.
 
        <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@@ -1061,7 +1061,7 @@ SMTP(8)                                                                SMTP(8)
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              A  prefix  that  is  prepended  to  the  process  name in syslog
+              A prefix that  is  prepended  to  the  process  name  in  syslog
               records, so that, for example, "smtpd" becomes "prefix/smtpd".
 
        Available with Postfix 2.2 and earlier:
@@ -1073,14 +1073,14 @@ SMTP(8)                                                                SMTP(8)
        Available with Postfix 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional  list  of  relay destinations that will be used when an
-              SMTP destination is not found, or when delivery fails due  to  a
+              Optional list of relay destinations that will be  used  when  an
+              SMTP  destination  is not found, or when delivery fails due to a
               non-permanent error.
 
        Available with Postfix 3.0 and later:
 
        <b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
-              In  the context of email address verification, the SMTP protocol
+              In the context of email address verification, the SMTP  protocol
               stage that determines whether an email address is deliverable.
 
        Available with Postfix 3.1 and later:
@@ -1102,7 +1102,7 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix 3.7 and later:
 
        <b><a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> (no)</b>
-              Defer  delivery  when  the  Postfix SMTP client cannot apply the
+              Defer delivery when the Postfix SMTP  client  cannot  apply  the
               <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting.
 
 <b><a name="see_also">SEE ALSO</a></b>

postfix/html/smtpd.8.html

@@ -1437,6 +1437,13 @@ SMTPD(8)                                                              SMTPD(8)
               Do  not  include  SMTP client session information in the Postfix
               SMTP server's Received: message header.
 
+       Available in Postfix version 3.11 and later:
+
+       <b><a href="postconf.5.html#smtpd_reject_filter_maps">smtpd_reject_filter_maps</a> (empty)</b>
+              An optional filter that can replace a reject response  from  the
+              Postfix  SMTP  server  itself,  or  from  a program that replies
+              through the Postfix SMTP server.
+
 <b><a name="see_also">SEE ALSO</a></b>
        <a href="anvil.8.html">anvil(8)</a>, connection/rate limiting
        <a href="cleanup.8.html">cleanup(8)</a>, message canonicalization

postfix/html/virtual.8.html

@@ -233,7 +233,7 @@ VIRTUAL(8)                                                          VIRTUAL(8)
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
               The  maximal  number of digits after the decimal point when log-
-              ging sub-second delay values.
+              ging delay values.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
               The time limit for sending  or  receiving  information  over  an

postfix/man/man1/postconf.1

@@ -258,6 +258,16 @@ This feature is available with Postfix 2.2 and later.
 .IP \fBdbm\fR
 An indexed file type based on hashing.  Available on systems
 with support for DBM databases.
+.IP \fBdebug\fR
+An adapter for another table that causes all accesses to be
+logged.  The table name syntax is \fItype\fB:\fIname\fR.
+Example usage: \fBdebug:hash:/etc/postfix/example\fR.  The
+formats of the log messages are unspecified and subject to
+change.  Warning: If a query or the underlying table contains
+sensitive information (such as a password), that information
+might be logged.
+
+This feature is available with Postfix 3.11 and later.
 .IP \fBenviron\fR
 The UNIX process environment array. The lookup key is the
 environment variable name; the table name is ignored.  Originally

postfix/man/man1/postfix-tls.1

@@ -185,7 +185,7 @@ configuration files.
 The location of the OpenSSL command line program \fBopenssl\fR(1).
 .IP "\fBsmtp_tls_loglevel (0)\fR"
 Enable additional Postfix SMTP client logging of TLS activity.
-.IP "\fBsmtp_tls_security_level (empty)\fR"
+.IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
 The default SMTP TLS security level for the Postfix SMTP client.
 .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
 Name of the file containing the optional Postfix SMTP client

postfix/man/man1/postmap.1

@@ -136,7 +136,7 @@ parsing with \fB\-m\fR. With this, the \fB\-h\fR option also
 generates header\-style lookup keys for attachment MIME
 headers and for attached message/* headers.
 .sp
-NOTE: with "smtputf8_enable = yes", the \fB\-b\fR option
+NOTE: with "smtputf8_enable = yes", the \fB\-h\fR option
 option disables UTF\-8 syntax checks on query keys and
 lookup results. Specify the \fB\-U\fR option to force UTF\-8
 syntax checks anyway.

postfix/man/man1/postmulti.1

@@ -95,6 +95,10 @@ command is performed just for the primary instance.
 .PP
 Iterator mode implements the following command options:
 .SH "Instance selection"
+.na
+.nf
+.ad
+.fi
 .IP \fB\-a\fR
 Perform the operation on all instances. This is the default.
 .IP "\fB\-g \fIgroup\fR"
@@ -111,10 +115,18 @@ are started before "source" instances.
 .sp
 This option cannot be used with \fB\-p\fR.
 .SH "List mode"
+.na
+.nf
+.ad
+.fi
 .IP \fB\-l\fR
 List Postfix instances with their instance name, instance
 group name, enable/disable status and configuration directory.
-.SH "Postfix\-wrapper mode"
+.SH "Postfix-wrapper mode"
+.na
+.nf
+.ad
+.fi
 .IP "\fB\-p \fIpostfix\-command\fR"
 Invoke \fBpostfix(1)\fR to execute \fIpostfix\-command\fR.
 This option implements the \fBpostfix\-wrapper\fR(5) interface.
@@ -146,6 +158,10 @@ invoke \fBpostmulti\fR(1) as follows:
 # postmulti \-g msa \-p start
 .RE
 .SH "Command mode"
+.na
+.nf
+.ad
+.fi
 .IP "\fB\-x \fIunix\-command\fR"
 Execute the specified \fIunix\-command\fR for all Postfix instances.
 The command runs with appropriate environment settings for
@@ -154,6 +170,10 @@ config_directory, queue_directory, data_directory,
 multi_instance_name, multi_instance_group and
 multi_instance_enable.
 .SH "Other options"
+.na
+.nf
+.ad
+.fi
 .IP \fB\-v\fR
 Enable verbose logging for debugging purposes. Multiple
 \fB\-v\fR options make the software increasingly verbose.
@@ -168,6 +188,10 @@ multi\-instance status of an existing instance.
 .PP
 The following options are implemented:
 .SH "Existing instance selection"
+.na
+.nf
+.ad
+.fi
 .IP \fB\-a\fR
 When creating or importing an instance, place the new
 instance at the front of the secondary instance list.
@@ -183,6 +207,10 @@ With other life\-cycle operations, apply the operation to
 the named existing instance.  Specify "\-" to select the
 primary Postfix instance.
 .SH "New or existing instance name assignment"
+.na
+.nf
+.ad
+.fi
 .IP "\fB\-I \fIname\fR"
 Assign the specified instance \fIname\fR to an existing
 instance, newly\-created instance, or imported instance.
@@ -194,6 +222,10 @@ likelihood of name collisions with system files.
 Assign the specified \fIgroup\fR name to an existing instance
 or to a newly created or imported instance.
 .SH "Instance creation/deletion/status change"
+.na
+.nf
+.ad
+.fi
 .IP "\fB\-e \fIaction\fR"
 "Edit" managed instances. The following actions are supported:
 .RS
@@ -315,6 +347,10 @@ the instance will not be started etc. with "postfix start",
 "postmulti \-p start" and so on. The instance can still be
 started etc. with "postfix \-c config\-directory start".
 .SH "Other options"
+.na
+.nf
+.ad
+.fi
 .IP \fB\-v\fR
 Enable verbose logging for debugging purposes. Multiple
 \fB\-v\fR options make the software increasingly verbose.

postfix/man/man5/lmdb_table.5

@@ -72,16 +72,17 @@ postscreen(8) services.
 .fi
 The Postfix LMDB adapter does not use LMDB's built\-in locking
 scheme, because that would require world\-writable lockfiles
-and would violate the Postfix security model.  Instead,
+and therefore violate the Postfix security model.  Instead,
 Postfix uses fcntl(2) locks with whole\-file granularity.
 Programs that use LMDB's built\-in locking protocol will
 corrupt a Postfix LMDB database or will read garbage.
 
 Every Postfix LMDB database read or write transaction must
 be protected from start to end with a shared or exclusive
-fcntl(2) lock.  A writer may atomically downgrade an exclusive
-lock to a shared lock, but it must hold an exclusive lock
-while opening another write transaction.
+fcntl(2) lock. A process may atomically downgrade an exclusive
+lock to a shared lock before opening a database read transaction,
+but it must hold an exclusive lock while opening a write
+transaction.
 
 Note that fcntl(2) locks do not protect transactions within
 the same process against each other.  If a program cannot

postfix/man/man5/memcache_table.5

@@ -112,6 +112,17 @@ time. Smaller values are relative to the time of the update.
 .nf
 .ad
 .fi
+.IP "\fBkey_digest (default: empty)\fB"
+After processing the \fBkey_format\fR setting, and before sending
+a request to the memcache server, run the key through the named
+message digest algorithm and convert the result to lowercase
+hexadecimal characters. This prevents a database access error
+when keys may exceed the memcache server's key length limit
+(usually, 250 bytes). Specify the name of a message digest
+algorithm that is supported by OpenSSL, for example, \fBsha256\fR.
+
+This feature is available in Postfix 3.11 and later, and requires
+that Postfix is built with TLS support.
 .IP "\fBkey_format (default: %s)\fB"
 Format of the lookup and update keys that the Postfix
 memcache client sends to the memcache server.
@@ -207,7 +218,7 @@ tables such as \fBalias_maps\fR (these may contain
 "\fI|command\fR and "\fI/file/name\fR" destinations), or
 \fBvirtual_uid_maps\fR, \fBvirtual_gid_maps\fR and
 \fBvirtual_mailbox_maps\fR (these specify UNIX process
-privileges or "\fI/file/name\fR" destinations).  In a typical
+privileges for "\fI/file/name\fR" destinations).  In a typical
 deployment a memcache database is writable by any process
 that can talk to the memcache server; in contrast,
 security\-sensitive tables must never be writable by the

postfix/man/man5/mysql_table.5

@@ -77,11 +77,10 @@ localhost over TCP you have to specify
     hosts = 127.0.0.1
 .fi
 
-NOTE: if the \fBhosts\fR setting specifies one server, this client
-assumes that the target is a load balancer and will reconnect
-immediately after a single failure, instead of failing all
-requests temporarily. With older versions of this client,
-specify the same server twice.
+NOTE: if the \fBhosts\fR setting specifies only one server,
+this client assumes that the target is a load balancer and
+will reconnect immediately after a single failure. With Postfix
+versions 3.9 and earlier, specify the same server twice.
 .IP "\fBuser\fR"
 .IP "\fBpassword\fR"
 The user name and password to log into the mysql server.
@@ -112,11 +111,10 @@ This feature is available in Postfix 3.9 and later.
 The number of seconds that a database connection will be
 skipped after an error.
 
-NOTE: if the \fBhosts\fR setting specifies one server, this client
-assumes that the target is a load balancer and will reconnect
-immediately after a single failure, instead of failing all
-requests temporarily. With older versions of this client,
-specify the same server twice.
+NOTE: if the \fBhosts\fR setting specifies only one server,
+this client assumes that the target is a load balancer and
+will reconnect immediately after a single failure. With Postfix
+versions 3.9 and earlier, specify the same server twice.
 
 This feature is available in Postfix 3.9 and later.
 .IP "\fBquery\fR"

postfix/man/man5/pgsql_table.5

@@ -81,11 +81,10 @@ NOTE: if the \fBhosts\fR setting specifies a PostgreSQL connection
 URI, the Postfix PostgreSQL client will ignore the \fBdbname\fR,
 \fBuser\fR, and \fBpassword\fR settings for that connection.
 
-NOTE: if the \fBhosts\fR setting specifies one server, this client
-assumes that the target is a load balancer and will reconnect
-immediately after a single failure, instead of failing all
-requests temporarily. With older versions of this client,
-specify the same server twice.
+NOTE: if the \fBhosts\fR setting specifies only one server,
+this client assumes that the target is a load balancer and
+will reconnect immediately after a single failure. With Postfix
+versions 3.9 and earlier, specify the same server twice.
 .IP "\fBuser\fR"
 .IP "\fBpassword\fR"
 The user name and password to log into the pgsql server.
@@ -129,11 +128,10 @@ This feature is available in Postfix 3.9 and later.
 The number of seconds that a database connection will be
 skipped after an error.
 
-NOTE: if the \fBhosts\fR setting specifies one server, this client
-assumes that the target is a load balancer and will reconnect
-immediately after a single failure, instead of failing all
-requests temporarily. With older versions of this client,
-specify the same server twice.
+NOTE: if the \fBhosts\fR setting specifies only one server,
+this client assumes that the target is a load balancer and
+will reconnect immediately after a single failure. With Postfix
+versions 3.9 and earlier, specify the same server twice.
 
 This feature is available in Postfix 3.9 and later.
 .IP "\fBquery\fR"

postfix/man/man5/postconf.5

@@ -2079,7 +2079,7 @@ Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
 when converting UTF\-8 domain names to/from the ASCII form that is
 used for DNS lookups. Specify "yes" for compatibility with Postfix
 <= 3.1 (not recommended). This affects the conversion of domain
-names that contain for example the German sz and the Greek zeta.
+names that contain for example the German sz and the Greek sigma.
 See https://unicode.org/cldr/utility/idna.jsp for more examples.
 .PP
 This feature is available in Postfix 3.2 and later.
@@ -2633,13 +2633,16 @@ Needed for debugging Postfix daemons with an X\-windows debugger.
 .IP "\fBMAIL_CONFIG\fR"
 Needed to make "\fBpostfix \-c\fR" work.
 .br
+.IP "\fBPOSTLOG_HOSTNAME\fR"
+Needed to make "\fBmaillog_file\fR" work during daemon
+process initialization.
+.br
 .IP "\fBPOSTLOG_SERVICE\fR"
 Needed to make "\fBmaillog_file\fR" work during daemon
 process initialization.
 .br
-.IP "\fBPOSTLOG_HOSTNAME\fR"
-Needed to make "\fBmaillog_file\fR" work during daemon
-process initialization.
+.IP "\fBXDG_RUNTIME_DIR\fR"
+Needed for debugging Postfix daemons with an XDG\-style debugger.
 .br
 .br
 .PP
@@ -5505,6 +5508,10 @@ clients,
 and \fBpostscreen\fR(8) will update an SMTP client's DNSBL score with
 each non\-error reply as described below.
 .PP
+NOTE: Always respect the usage policies of reputation services.
+Avoid public or ISP resolvers, unless the queries use your unique
+API key.
+.PP
 Caution: when postscreen rejects mail, its SMTP response contains
 the DNSBL
 domain name. Use the postscreen_dnsbl_reply_map feature to hide
@@ -6539,6 +6546,24 @@ relocated_maps = dbm:/etc/postfix/relocated
 relocated_maps = hash:/etc/postfix/relocated
 .fi
 .ad
+.SH relocated_prefix_enable (default: yes)
+Prepend the prefix "\fB5.1.6 User has moved to \fR" to all
+relocated_maps lookup results. With "relocated_prefix_enable =
+no", all lookup results must contain a valid RFC 3463 compliant
+enhanced status code and text (format: "[45].number.number text...").
+.PP
+Example:
+.PP
+.nf
+.na
+/etc/postfix/main.cf:
+    relocated_maps = hash:/etc/postfix/relocated
+    relocated_prefix_enable = no
+.br
+hash:/etc/postfix/relocated:
+    user@example.com 5.2.1 User account is disabled
+.fi
+.ad
 .SH remote_header_rewrite_domain (default: empty)
 Rewrite or add message headers in mail from remote clients if
 the remote_header_rewrite_domain parameter value is non\-empty,
@@ -7870,6 +7895,14 @@ Examples:
 .nf
 .na
 /etc/postfix/reply_filter:
+    # Some Microsoft servers violate RFC 2554 section 4, causing Postfix
+    # to complain with "non\-empty initial GSSAPI challenge from server"
+    /^334\es+GSSAPI\es+supported/ 334
+.fi
+.ad
+.PP
+.nf
+.na
     # Transform garbage into "250\-filler..." so that it looks like
     # one line from a multi\-line reply. It does not matter what we
     # substitute here as long it has the right syntax.  The Postfix
@@ -9519,13 +9552,14 @@ example.net     secure match=example.com:.example.com
 .in -4
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_security_level (default: empty)
+.SH smtp_tls_security_level (default: Postfix >= 3.11: may; Postfix < 3.11: empty)
 The default SMTP TLS security level for the Postfix SMTP client.
 When a non\-empty value is specified, this overrides the obsolete
 parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername;
-when no value is specified for smtp_tls_enforce_peername or the obsolete
-parameters, the default SMTP TLS security level is
-none.
+when no value is specified for those obsolete parameters, the default
+SMTP TLS security level is may
+(compatibility_level >= 3.11) or none
+(compatibility_level < 3.11).
 .PP
 Specify one of the following security levels:
 .IP "\fBnone\fR"
@@ -9917,12 +9951,10 @@ See TLSRPT_README for configuration examples and additional
 requirements for MTA\-STS smtp_tls_policy_maps plugins.
 .PP
 This feature is available in Postfix >= 3.10.
-.SH smtp_tlsrpt_skip_reused_handshakes (default: yes)
-Do not report the TLSRPT status for TLS protocol handshakes
-that reuse a previously\-negotiated TLS session (there is no new
-information to report). Report the TLSRPT status only for "new" TLS
-sessions. Set this to "no" to log the TLSRPT status of all TLS
-handshakes, for example to troubleshoot Postfix TLSRPT support.
+.SH smtp_tlsrpt_skip_reused_handshakes (default: Postfix >= 3.11: no, Postfix 3.10: yes)
+When set to "yes", report the TLSRPT status only for "new" TLS
+sessions. When set to "no", also report the TLSRPT status for TLS
+protocol handshakes that reuse a previously\-negotiated TLS session.
 .PP
 Note: if an SMTP over TLS connection is reused, there is no
 second etc. TLS handshake to report.
@@ -10381,6 +10413,12 @@ The maps_rbl_reject_code parameter specifies the response code for
 rejected requests (default:  554), the default_rbl_reply  parameter
 specifies the default server reply, and the rbl_reply_maps  parameter
 specifies tables with server replies indexed by \fIrbl_domain\fR.
+.br
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking the key in SMTP server
+responses).
+.br
 This feature is available in Postfix 2.0 and later.
 .br
 .IP "\fBpermit_dnswl_client \fIdnswl_domain=d.d.d.d\fR\fR"
@@ -10394,8 +10432,14 @@ reversed client network address is listed with any A record under
 .br
 For safety, permit_dnswl_client is silently
 ignored when it would override reject_unauth_destination.  The
-result is DEFER_IF_REJECT when allowlist lookup fails.  This feature
-is available in Postfix 2.8 and later.
+result is DEFER_IF_REJECT when allowlist lookup fails.
+.br
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP
+server responses).
+.br
+This feature is available in Postfix 2.8 and later.
 .br
 .IP "\fBreject_rhsbl_client \fIrbl_domain=d.d.d.d\fR\fR"
 Reject the request when the client hostname is listed with the
@@ -10407,6 +10451,12 @@ number..number ranges (Postfix version 2.8 and later).  If no
 hostname is listed with
 any A record under \fIrbl_domain\fR. See the reject_rbl_client
 description above for additional RBL related configuration parameters.
+.br
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP
+server responses).
+.br
 This feature is available in Postfix 2.0 and later; with Postfix
 version 2.8 and later, reject_rhsbl_reverse_client will usually
 produce better results.
@@ -10426,8 +10476,14 @@ DNS\-based blocklists, and not for making access rule exceptions.
 .br
 For safety, permit_rhswl_client is silently ignored when it
 would override reject_unauth_destination.  The result is DEFER_IF_REJECT
-when allowlist lookup fails.  This feature is available in Postfix
-2.8 and later.
+when allowlist lookup fails.
+.br
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP
+server responses).
+.br
+This feature is available in Postfix 2.8 and later.
 .br
 .IP "\fBreject_rhsbl_reverse_client \fIrbl_domain=d.d.d.d\fR\fR"
 Reject the request when the unverified reverse client hostname
@@ -10437,8 +10493,14 @@ one or more ";"\-separated numbers or number..number ranges.
 If no "\fI=d.d.d.d\fR" is specified, reject the request when the
 unverified reverse client hostname is listed with any A record under
 \fIrbl_domain\fR. See the reject_rbl_client description above for
-additional RBL related configuration parameters.  This feature is
-available in Postfix 2.8 and later.
+additional RBL related configuration parameters.
+.br
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP
+server responses).
+.br
+This feature is available in Postfix 2.8 and later.
 .br
 .IP "\fBreject_unknown_client_hostname\fR (with Postfix < 2.3: reject_unknown_client)"
 Reject the request when 1) the client IP address\->name mapping
@@ -11155,8 +11217,14 @@ reject_rbl_client description for additional RBL related configuration
 parameters.  Note: specify "smtpd_helo_required = yes" to fully
 enforce this restriction (without "smtpd_helo_required = yes", a
 client can simply skip reject_rhsbl_helo by not sending HELO or
-EHLO). This feature is available in Postfix 2.0
-and later.
+EHLO).
+.br
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP
+server responses).
+.br
+This feature is available in Postfix 2.0 and later.
 .br
 .IP "\fBreject_unknown_helo_hostname\fR (with Postfix < 2.3: reject_unknown_hostname)"
 Reject the request when the HELO or EHLO hostname has no DNS A
@@ -11204,7 +11272,7 @@ SMTP server's Received: message header.
 .IP \(bu
 The default setting, "smtpd_hide_client_session = no",
 must be used for the port 25 MTA service. It provides information
-that is required by RFC 5321.
+that is required by RFC 5321 section 4.4.
 .IP \(bu
 The setting "smtpd_hide_client_session = yes" may be used
 for the port 587 and 465 MUA services. This hides the SMTP client
@@ -11228,8 +11296,9 @@ Received: by mail.example.com (Postfix) id postfix\-queue\-id
 .in -4
 .PP
 The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the information required by
-RFC 5321. The form does still meet RFC 5322 requirements.
+and therefore it does not need to provide the FROM clause according
+to RFC 5321 section 4.4. The redacted form still meets RFC 5322
+requirements.
 .PP
 This feature is available in Postfix >= 3.10.
 .SH smtpd_history_flush_threshold (default: 100)
@@ -11653,8 +11722,14 @@ The maps_rbl_reject_code
 parameter specifies the response code for rejected requests (default:
 554); the default_rbl_reply parameter specifies the default server
 reply; and the rbl_reply_maps parameter specifies tables with server
-replies indexed by \fIrbl_domain\fR.  This feature is available
-in Postfix version 2.0 and later.
+replies indexed by \fIrbl_domain\fR.
+.br
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP
+server responses).
+.br
+This feature is available in Postfix version 2.0 and later.
 .br
 .IP "\fBreject_unauth_destination\fR"
 Reject the request unless one of the following is true:
@@ -11741,6 +11816,60 @@ Example:
 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
 .fi
 .ad
+.SH smtpd_reject_filter_maps (default: empty)
+An optional filter that can replace a reject response from the
+Postfix SMTP server itself, or from a program that replies through
+the Postfix SMTP server. The filter is applied before the optional
+reject footers are appended. Typically, the filter will be a regexp:
+or pcre: table, where the left\-hand side specifies a pattern, and
+the right\-hand side specifies replacement text.
+.PP
+The input is a server response that starts with a 4XX or 5XX
+reply code (see RFC 5321), usually followed by an enhanced status
+code (see RFC 3463) and text. The filter returns replacement text
+or indicates that there was no match. This feature cannot be used
+to change a reject reply into a non\-reject one or vice versa.
+.PP
+LIMITATION: smtpd_reject_filter_maps will not replace text that
+was already logged before the Postfix SMTP server replies to the
+remote SMTP client. To help with logfile analysis, the Postfix SMTP
+server logs both the unmodified reply (logged below as "reject
+filter in") and the replacement reply (logged below as "reject
+filter out").
+.PP
+Example:
+.PP
+.nf
+.na
+/etc/postfix/main.cf:
+    smtpd_reject_filter_maps = regexp:/etc/postfix/smtpd_reject_filter
+.fi
+.ad
+.PP
+.nf
+.na
+/etc/postfix/smtpd_reject_filter:
+    # Replace soft reject with hard reject.
+    /^451 4(\e.6\e.0 Alias expansion error)/ 550 5${1}
+.fi
+.ad
+.PP
+.nf
+.na
+    # Silly rule for demo purposes.
+    /^(4.+[^.])\e.*$/ $1. See you later.
+.fi
+.ad
+.PP
+.nf
+.na
+/var/log/maillog:
+    NOQUEUE: reject filter in: 451 4.6.0 Alias expansion error
+    NOQUEUE: reject filter out: 550 5.6.0 Alias expansion error
+.fi
+.ad
+.PP
+This feature is available in Postfix >= 3.11.
 .SH smtpd_reject_footer (default: empty)
 Optional information that is appended after each Postfix SMTP
 server
@@ -12298,6 +12427,12 @@ maps_rbl_reject_code parameter specifies the response code for
 rejected requests (default:  554); the default_rbl_reply parameter
 specifies the default server reply; and the rbl_reply_maps parameter
 specifies tables with server replies indexed by \fIrbl_domain\fR.
+.br
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP
+server responses).
+.br
 This feature is available in Postfix 2.0 and later.
 .br
 .IP "\fBreject_sender_login_mismatch\fR"
@@ -13988,13 +14123,11 @@ openssl.cnf:
 .fi
 .ad
 .PP
-Caution: It is typically best to just use the default group
-settings, for which no $tls_config_file is required (you can set
-"tls_config_file = none", to avoid unwanted leakage of system\-wide
-settings that strive to harden HTTPS against mostly browser\-specific
-security and privacy issues into Postfix use of opportunistic TLS,
-where they're they can be counterproductive, leading to downgrades
-to cleartext, rather than more "secure" TLS).
+Caution: It is typically best to just use the default OpenSSL
+group settings, by setting "tls_config_file = none". Overly strict
+system\-wide TLS settings will conflict with Postfix's opportunistic
+TLS, where being less restrictive is better than downgrading to
+cleartext SMTP.
 .PP
 This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20.
@@ -14448,7 +14581,8 @@ This feature is available in Postfix 2.2 and later.
 .SH tls_required_enable (default: yes)
 Enable support for the "TLS\-Required: no" message header, defined
 in RFC 8689. By adding this header to a message, a sender requests
-no enforcement of TLS policy. This limits the Postfix SMTP client
+no enforcement of TLS policy. This disables TLS policy lookup, and
+limits the Postfix SMTP client
 TLS security level to "may", that is, do not verify remote SMTP
 server certificates, and fall back to plaintext if TLS is unavailable.
 If a message contains a "TLS\-Required: no" header, then Postfix

postfix/man/man5/relocated.5

@@ -46,9 +46,10 @@ lookup fields can match both upper and lower case.
 .nf
 .ad
 .fi
-The input format for the \fBpostmap\fR(1) command is as follows:
 .IP \(bu
-An entry has one of the following form:
+By default, Postfix will prepend a hard\-coded prefix "5.1.6 User
+has moved to " to a table lookup result, and the format for a
+table entry is as follows:
 
 .nf
      \fIpattern      new_location\fR
@@ -57,6 +58,16 @@ An entry has one of the following form:
 Where \fInew_location\fR specifies contact information such as
 an email address, or perhaps a street address or telephone number.
 .IP \(bu
+Postfix 3.11 and later can optionally disable the hard\-coded
+prefix. Specify "relocated_prefix_enable = no" in main.cf, and
+specify relocated_maps entries with your own RFC 3463\-compliant
+enhanced status code and text, for example:
+
+.nf
+     \fIpattern\fR      5.2.0 Mailbox is unavailable
+     \fIpattern\fR      5.2.1 Mailbox is disabled
+.fi
+.IP \(bu
 Empty lines and whitespace\-only lines are ignored, as
 are lines whose first non\-whitespace character is a `#'.
 .IP \(bu
@@ -145,6 +156,11 @@ The text below provides only a parameter summary. See
 Optional lookup tables with new contact information for users or
 domains that no longer exist.
 .PP
+Available with Postfix version 3.11 and later:
+.IP "\fBrelocated_prefix_enable (yes)\fR"
+Prepend the prefix "\fB5.1.6 User has moved to \fR" to all
+relocated_maps lookup results.
+.PP
 Other parameters of interest:
 .IP "\fBinet_interfaces (all)\fR"
 The local network interface addresses that this mail system

postfix/man/man8/discard.8

@@ -67,7 +67,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBdouble_bounce_sender (double\-bounce)\fR"
 The sender address of postmaster notifications that are generated
 by the mail system.

postfix/man/man8/error.8

@@ -75,7 +75,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBdouble_bounce_sender (double\-bounce)\fR"
 The sender address of postmaster notifications that are generated
 by the mail system.

postfix/man/man8/oqmgr.8

@@ -347,7 +347,7 @@ The names of message delivery transports that should not deliver mail
 unless someone issues "\fBsendmail \-q\fR" or equivalent.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBhelpful_warnings (yes)\fR"
 Log warnings about problematic configuration settings, and provide
 helpful suggestions.

postfix/man/man8/postscreen.8

@@ -410,7 +410,7 @@ The default location of the Postfix main.cf and master.cf
 configuration files.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
 The location of all postfix administrative commands.
 .IP "\fBmax_idle (100s)\fR"
@@ -480,3 +480,6 @@ Wietse Venema
 Google, Inc.
 111 8th Avenue
 New York, NY 10011, USA
+
+Wietse Venema
+porcupine.org

postfix/man/man8/proxymap.8

@@ -46,21 +46,24 @@ that do not reliably support multiple writers (i.e. all
 file\-based tables that are not based on \fBlmdb\fR).
 .PP
 The \fBproxymap\fR(8) server implements the following requests:
-.IP "\fBopen\fR \fImaptype:mapname flags\fR"
+.IP "\fBopen\fR \fImaptype:mapname instance\-flags\fR"
 Open the table with type \fImaptype\fR and name \fImapname\fR,
-as controlled by \fIflags\fR. The reply includes the \fImaptype\fR
-dependent flags (to distinguish a fixed string table from a regular
-expression table).
-.IP "\fBlookup\fR \fImaptype:mapname flags key\fR"
-Look up the data stored under the requested key.
-The reply is the request completion status code and
-the lookup result value.
-The \fImaptype:mapname\fR and \fIflags\fR are the same
+with initial dictionary flags \fIinstance\-flags\fR. The reply
+contains the actual dictionary flags (for example, to distinguish
+a fixed\-string table from a regular\-expression table).
+.IP "\fBlookup\fR \fImaptype:mapname instance\-flags request\-flags key\fR"
+Look up the data stored under the requested key using the
+dictionary flags in \fIrequest\-flags\fR.
+The reply contains the request completion status code, the
+resulting dictionary flags, and the lookup result value.
+The \fImaptype:mapname\fR and \fIinstance\-flags\fR are the same
 as with the \fBopen\fR request.
-.IP "\fBupdate\fR \fImaptype:mapname flags key value\fR"
-Update the data stored under the requested key.
-The reply is the request completion status code.
-The \fImaptype:mapname\fR and \fIflags\fR are the same
+.IP "\fBupdate\fR \fImaptype:mapname instance\-flags request\-flags key value\fR"
+Update the data stored under the requested key using the
+dictionary flags in \fIrequest\-flags\fR.
+The reply contains the request completion status code and the
+resulting dictionary flags.
+The \fImaptype:mapname\fR and \fIinstance\-flags\fR are the same
 as with the \fBopen\fR request.
 .sp
 To implement single\-updater maps, specify a process limit
@@ -68,29 +71,36 @@ of 1 in the master.cf file entry for the \fBproxywrite\fR
 service.
 .sp
 This request is supported in Postfix 2.5 and later.
-.IP "\fBdelete\fR \fImaptype:mapname flags key\fR"
-Delete the data stored under the requested key.
-The reply is the request completion status code.
-The \fImaptype:mapname\fR and \fIflags\fR are the same
+.IP "\fBdelete\fR \fImaptype:mapname instance\-flags request\-flags key\fR"
+Delete the data stored under the requested key, using the
+dictionary flags in \fIrequest\-flags\fR.
+The reply contains the request completion status code and the
+resulting dictionary flags.
+The \fImaptype:mapname\fR and \fIinstance\-flags\fR are the same
 as with the \fBopen\fR request.
 .sp
 This request is supported in Postfix 2.5 and later.
-.IP "\fBsequence\fR \fImaptype:mapname flags function\fR"
-Iterate over the specified database. The \fIfunction\fR
-is one of DICT_SEQ_FUN_FIRST or DICT_SEQ_FUN_NEXT.
-The reply is the request completion status code and
-a lookup key and result value, if found.
+.IP "\fBsequence\fR \fImaptype:mapname instance\-flags request\-flags function\fR"
+Iterate over the specified database, using the dictionary flags
+in \fIrequest\-flags\fR. The \fIfunction\fR is either
+DICT_SEQ_FUN_FIRST or DICT_SEQ_FUN_NEXT.
+The reply contains the request completion status code, the
+resulting dictionary flags, and a lookup key and result value
+if found.
+The \fImaptype:mapname\fR and \fIinstance\-flags\fR are the same
+as with the \fBopen\fR request.
 .sp
 This request is supported in Postfix 2.9 and later.
+.IP "Not implemented: close"
+There is no \fBclose\fR request, nor are tables implicitly closed
+when a client disconnects. The purpose is to share tables among
+multiple client processes. Due to the absence of an explicit or
+implicit \fBclose\fR, updates are forced to be synchronous.
 .PP
 The request completion status is one of OK, RETRY, NOKEY
 (lookup failed because the key was not found), BAD (malformed
 request) or DENY (the table is not approved for proxy read
 or update access).
-
-There is no \fBclose\fR command, nor are tables implicitly closed
-when a client disconnects. The purpose is to share tables among
-multiple client processes.
 .SH "SERVER PROCESS MANAGEMENT"
 .na
 .nf
@@ -241,3 +251,6 @@ Wietse Venema
 Google, Inc.
 111 8th Avenue
 New York, NY 10011, USA
+
+Wietse Venema
+porcupine.org

postfix/man/man8/qmgr.8

@@ -411,7 +411,7 @@ The names of message delivery transports that should not deliver mail
 unless someone issues "\fBsendmail \-q\fR" or equivalent.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBhelpful_warnings (yes)\fR"
 Log warnings about problematic configuration settings, and provide
 helpful suggestions.

postfix/man/man8/smtp.8

@@ -492,7 +492,7 @@ results.
 .fi
 Detailed information about STARTTLS configuration may be found
 in the TLS_README document.
-.IP "\fBsmtp_tls_security_level (empty)\fR"
+.IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR"
 The default SMTP TLS security level for the Postfix SMTP client.
 .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
 The SASL authentication security options that the Postfix SMTP
@@ -681,10 +681,9 @@ Enable support for RFC 8460 TLSRPT notifications.
 .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
 The pathname of a UNIX\-domain datagram socket that is managed
 by a local TLSRPT reporting service.
-.IP "\fBsmtp_tlsrpt_skip_reused_handshakes (yes)\fR"
-Do not report the TLSRPT status for TLS protocol handshakes
-that reuse a previously\-negotiated TLS session (there is no new
-information to report).
+.IP "\fBsmtp_tlsrpt_skip_reused_handshakes (Postfix >= 3.11: no, Postfix 3.10: yes)\fR"
+When set to "yes", report the TLSRPT status only for "new" TLS
+sessions.
 .IP "\fBtls_required_enable (yes)\fR"
 Enable support for the "TLS\-Required: no" message header, defined
 in RFC 8689.

postfix/man/man8/smtpd.8

@@ -1237,6 +1237,12 @@ Available in Postfix 3.10 and later:
 .IP "\fBsmtpd_hide_client_session (no)\fR"
 Do not include SMTP client session information in the Postfix
 SMTP server's Received: message header.
+.PP
+Available in Postfix version 3.11 and later:
+.IP "\fBsmtpd_reject_filter_maps (empty)\fR"
+An optional filter that can replace a reject response from the
+Postfix SMTP server itself, or from a program that replies through
+the Postfix SMTP server.
 .SH "SEE ALSO"
 .na
 .nf

postfix/man/man8/virtual.8

@@ -263,7 +263,7 @@ How much time a Postfix daemon process may take to handle a
 request before it is terminated by a built\-in watchdog timer.
 .IP "\fBdelay_logging_resolution_limit (2)\fR"
 The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
 .IP "\fBipc_timeout (3600s)\fR"
 The time limit for sending or receiving information over an internal
 communication channel.

postfix/mantools/check-spell-proto-html

@@ -4,4 +4,4 @@
 
 LANG=C; export LANG
 
-mantools/dehtml proto/*html proto/*.proto | spell | grep -F -vxf proto/stop | grep -F -vxf proto/stop.spell-proto-html
+mantools/dehtml proto/*html proto/*.proto | tr '+' ' ' | spell | grep -F -vxf proto/stop | grep -F -vxf proto/stop.spell-proto-html

postfix/mantools/postlink

@@ -443,6 +443,7 @@ while (<>) {
     s;\brelay_transport\b;<a href="postconf.5.html#relay_transport">$&</a>;g;
     s;\brelay[-</bB>]*\n*[ <bB>]*host\b;<a href="postconf.5.html#relayhost">$&</a>;g;
     s;\brelocated_maps\b;<a href="postconf.5.html#relocated_maps">$&</a>;g;
+    s;\brelocated_prefix_enable\b;<a href="postconf.5.html#relocated_prefix_enable">$&</a>;g;
     s;\brequire_home_directory\b;<a href="postconf.5.html#require_home_directory">$&</a>;g;
     s;\bresolve_dequoted_address\b;<a href="postconf.5.html#resolve_dequoted_address">$&</a>;g;
     s;\brewrite_service_name\b;<a href="postconf.5.html#rewrite_service_name">$&</a>;g;
@@ -769,6 +770,7 @@ while (<>) {
     s;\bsmtpd_use_tls\b;<a href="postconf.5.html#smtpd_use_tls">$&</a>;g;
     s;\bsmtpd_reject_footer\b;<a href="postconf.5.html#smtpd_reject_footer">$&</a>;g;
     s;\bsmtpd_reject_footer_maps\b;<a href="postconf.5.html#smtpd_reject_footer_maps">$&</a>;g;
+    s;\bsmtpd_reject_filter_maps\b;<a href="postconf.5.html#smtpd_reject_filter_maps">$&</a>;g;
     s;\bsmtpd_per_record_deadline\b;<a href="postconf.5.html#smtpd_per_record_deadline">$&</a>;g;
     s;\bsmtpd_per_request_deadline\b;<a href="postconf.5.html#smtpd_per_request_deadline">$&</a>;g;
     s;\bsmtpd_min_data_rate\b;<a href="postconf.5.html#smtpd_min_data_rate">$&</a>;g;

postfix/mantools/srctoman

@@ -92,7 +92,7 @@ do
 	/^HISTORY/s//.SH &\
 .ad\
 .fi/
-	/^[A-Z][A-Z][A-Z][^a-z]*$/s//.SH "&"\
+	/^[A-Z][A-Za-z][A-Za-z].*$/s//.SH "&"\
 .na\
 .nf/
 	p

postfix/proto/COMPATIBILITY_README.html

@@ -102,6 +102,20 @@ default setting respectful_logging=no</a> </p>
 
 </ul>
 
+<p> Logged with compatibility_level &lt; 3.11: </p>
+
+<ul>
+
+<li> <p> <a href="#tlsrpt_reused"> using backwards-compatible default
+setting smtp_tlsrpt_skip_reused_handshakes=yes</a> </p>
+
+<li> <p> <a href="#xxx_tls_level"> using backwards-compatible default
+setting <i>xxx</i>_security_level=(empty)</a> </p>
+
+</ul>
+
+<p>
+
 <p> If such a message is logged in the context of a legitimate
 request, the system administrator should make the backwards-compatible
 setting permanent in main.cf or master.cf, as detailed in the
@@ -120,7 +134,8 @@ to "no". This could result in unexpected non-delivery of email after
 Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
 
-<p> As long as the append_dot_mydomain parameter is left at
+<p> As long as the append_dot_mydomain parameter is left unspecified
+at
 its implicit default value, and the compatibility_level setting is
 less than 1, Postfix may log one of the following messages:</p>
 
@@ -178,7 +193,7 @@ after updating Postfix from an older version. The backwards-compatibility
 safety net is designed allow the administrator to choose if they
 want to keep the old behavior. </p>
 
-<p> As long as a master.cf chroot field is left at its
+<p> As long as a master.cf chroot field is left unspecified at its
 implicit default value, and the compatibility_level setting
 is less than 1, Postfix may log the following message while it
 reads the master.cf file: </p>
@@ -218,7 +233,8 @@ from an older Postfix version. The backwards-compatibility safety
 net is designed to prevent such surprises. </p>
 
 <p> When the compatibility_level less than 1, and the
-smtpd_relay_restrictions parameter is left at its implicit default
+smtpd_relay_restrictions parameter is left unspecified at its
+implicit default
 setting, Postfix may log the following message: </p>
 
 <blockquote>
@@ -250,7 +266,8 @@ addresses from clients that don't request SMTPUTF8 support, after
 Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
 
-<p> As long as the smtputf8_enable parameter is left at its implicit
+<p> As long as the smtputf8_enable parameter is left unspecified
+at its implicit
 default value, and the compatibility_level setting is
 less than 1, Postfix logs a warning each time an SMTP command uses a
 non-ASCII address localpart without requesting SMTPUTF8 support: </p>
@@ -293,7 +310,8 @@ Postfix is updated from an older version. The backwards-compatibility
 safety net is designed to prevent such surprises. </p>
 
 <p> As long as the mynetworks and mynetworks_style parameters are
-left at their implicit default values, and the compatibility_level
+left unspecified at their implicit default values, and the
+compatibility_level
 setting is less than 2, the Postfix SMTP server may log one of the
 following messages: </p>
 
@@ -333,7 +351,8 @@ denied' errors or ETRN errors after Postfix is updated from an older
 version. The backwards-compatibility safety net is designed to
 prevent such surprises. </p>
 
-<p> As long as the relay_domains parameter is left at its implicit
+<p> As long as the relay_domains parameter is left unspecified at
+its implicit
 default value, and the compatibility_level setting is less than 2,
 Postfix may log one of the following messages.  </p>
 
@@ -408,7 +427,8 @@ secure digest of the client certificate.  </p>
 with the "sha256" digests of the expected client certificate or public
 key.  </p>
 
-<p> As long as the smtpd_tls_fingerprint_digest parameter is left at its
+<p> As long as the smtpd_tls_fingerprint_digest parameter is left
+unspecified at its
 implicit default value, and the compatibility_level setting is less than
 3.6, Postfix logs a warning each time a client certificate or public key
 fingerprint is (potentially) used for access control: </p>
@@ -455,7 +475,8 @@ policies in the TLS policy table to specify matching "sha256" digests of
 the expected server certificates or public keys.  </p>
 
 <p> As long as the smtp_tls_fingerprint_digest (or LMTP equivalent)
-parameter is left at its implicit default value, and the
+parameter is left unspecified at its implicit default value, and
+the
 compatibility_level setting is less than 3.6, Postfix logs a warning each
 time the "fingerprint" security level is used to specify matching "md5"
 digests of trusted server certificates or public keys: </p>
@@ -499,7 +520,8 @@ command, and both support the same features. </p> </blockquote>
 keep evaluating smtpd_recipient_restrictions before
 smtpd_relay_restrictions, as long as the compatibility_level is
 less than 3.6, and the smtpd_relay_before_recipient_restrictions
-parameter is left at its implicit default setting. As a reminder,
+parameter is left unspecified at its implicit default setting. As
+a reminder,
 Postfix may log the following message: </p>
 
 <blockquote>
@@ -533,7 +555,8 @@ the changes in logging could affect logfile analysis tools. </p>
 
 <p> To avoid breaking existing logfile analysis tools, Postfix will keep
 logging the deprecated form, as long as the respectful_logging parameter
-is left at its implicit default value, and the compatibility_level
+is left unspecified at its implicit default value, and the
+compatibility_level
 setting is less than 3.6. As a reminder, Postfix may log the following
 when a remote SMTP client is allowlisted or denylisted: </p>
 
@@ -555,6 +578,83 @@ system administrator should make the backwards-compatible setting
 </pre>
 </blockquote>
 
+<h2> <a name="tlsrpt_reused"> Using backwards-compatible
+default setting smtp_tlsrpt_skip_reused_handshakes=yes</a> </h2>
+
+<p> Postfix version 3.11 changes the default value for
+smtp_tlsrpt_skip_reused_handshakes from "yes" to "no". The
+backwards-compatibility safety net is designed to prevent an
+unexpected change in reporting behavior when Postfix is updated
+from an older version. </p>
+
+<p> As long as the smtp_tlsrpt_skip_reused_handshakes parameter is
+left unspecified at its implicit default value, and the compatibility_level
+setting is less than 3.11, Postfix will log a reminder that it is
+using the backwards-compatible default: </p>
+
+<blockquote>
+<pre>
+postfix/smtp[388157] using backwards-compatible default setting
+    smtp_tlsrpt_skip_reused_handshakes=yes
+</pre>
+</blockquote>
+
+<p> To keep the old default setting, the system administrator should
+make the backwards-compatible setting "smtp_tlsrpt_skip_reused_handshakes
+= yes" permanent in main.cf:
+
+<blockquote>
+<pre>
+# <b>postconf smtp_tlsrpt_skip_reused_handshakes=yes</b>
+# <b>postfix reload</b>
+</pre>
+</blockquote>
+
+<h2> <a name="xxx_tls_level"> Using backwards-compatible
+default setting <i>xxx</i>_security_level=(empty)</a> </h2>
+
+<p> Postfix version 3.11 changes the default value for client TLS
+security levels from "empty" to "may". The backwards-compatibility
+safety net is designed to prevent an unexpected change in mail
+sending behavior when Postfix is updated from an older version.
+</p>
+
+<p> There is no equivalent change for Postfix server TLS security
+levels, because changing the level alone is not sufficient. Server-side
+TLS requires that at least one private key and one public-key
+certificate chain are configured. </p>
+
+<p> As long as a TLS security level parameter is left unspecified
+at its implicit default value, and the compatibility_level setting
+is less than 3.11, Postfix will log one of the following reminders
+that it is using the backwards-compatible default: </p>
+
+<blockquote>
+<pre>
+postfix/smtp[...] using backwards-compatible default setting
+    smtp_tls_security_level=(empty)
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+postfix/tlsproxy[...] using backwards-compatible default setting
+    tlsproxy_client_security_level=(empty)
+</pre>
+</blockquote>
+
+<p> To keep the old default setting, the system administrator should
+make the backwards-compatible empty setting permanent in main.cf: </p>
+
+<blockquote>
+<pre>
+# <b>postconf <i>xxx</i>_security_level=</b>
+# <b>postfix reload</b>
+</pre>
+</blockquote>
+
+<p> where <i>xxx</i> is taken from the above compatibility message. </p>
+
 <h2> <a name="turnoff">Turning off the backwards-compatibility safety net</a> </h2>
 
 <p> Backwards compatibility is turned off by updating the

postfix/proto/DATABASE_README.html

@@ -293,6 +293,19 @@ databases are maintained by Postfix daemons. The lookup table name
 as used in "dbm:table" is the database file name without the ".dir"
 or ".pag" suffix.  </dd>
 
+<dt> <b>debug</b> </dt>
+
+<dd>
+<p> An adapter for another table that causes all accesses to be
+logged.  Example usage: "debug:hash:/etc/postfix/example".  The
+formats of the log messages are unspecified and subject to change.
+Warning: If a query or the underlying table contains sensitive
+information (such as a password), that information might be
+logged. </p>
+
+<p> This feature is available with Postfix 3.11 and later. </p>
+</dd>
+
 <dt> <b>environ</b> </dt>
 
 <dd> The UNIX process environment array. The lookup key is the

postfix/proto/DEPRECATION_README.html

@@ -104,11 +104,16 @@ detailed description. </p>
 </th> <th> Removed <br> in version </th> <th> Replacement </th>
 </tr>
 
+<tr> <td> <a href="#xxx_tls_enforce_peername">
+<i>xxx</i>_tls_enforce_peername </a> </td> <td align="center"> 3.11
+</td> <td align="center"> - </td> <td> <i>xxx</i>_tls_security_level
+</td> </tr>
+
 <tr> <td> <a href="#disable_dns_lookups"> disable_dns_lookups </a>
 </td> <td align="center"> 3.9 </td> <td align="center"> - </td>
 <td> smtp_dns_support_level </td> </tr>
 
-<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_use_tls </a> </td>
+<tr> <td> <a href="#xxx_use_tls"> <i>xxx</i>_use_tls </a> </td>
 <td align="center"> 3.9 </td> <td align="center"> - </td> <td>
 <i>xxx</i>_tls_security_level </td> </tr>
 
@@ -149,6 +154,45 @@ reject_rbl_client </td> </tr>
 
 </blockquote>
 
+<h3> <a name="xxx_tls_enforce_peername"> Obsolete TLS peer name
+match configuration </a> </h3>
+
+<p> The postconf(1) command logs one of the following: </p>
+
+<ul>
+
+<li> support for parameter "lmtp_tls_enforce_peername" will be
+removed; instead, specify "lmtp_tls_security_level"
+
+<li> support for parameter "smtp_tls_enforce_peername" will be
+removed; instead, specify "smtp_tls_security_level"
+
+</ul>
+
+<p> There are similarly-named parameters and warnings for postscreen(8)
+and tlsproxy(8), but those parameters should rarely be specified
+by hand. </p>
+
+<p> Replace obsolete configuration with its replacement: </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr>
+
+<tr> <td> Enforce peer name match with server certificate </td>
+<td> <i>xxx</i>_enforce_peername = yes </td> <td> <i>xxx</i>_security_level
+= verify <br> <i>xxx</i>_security_level = secure </td> </tr>
+
+<tr> <td> Disable peer name match with server certificate </td>
+<td> <i>xxx</i>_enforce_peername = no </td> <td> <i>xxx</i>_security_level
+= may <br> <i>xxx</i>_security_level = encrypt </td> </tr>
+
+</table>
+
+</blockquote>
+
 <h3> <a name="disable_dns_lookups"> Obsolete DNS on/off configuration
 </a> </h3>
 

postfix/proto/MULTI_INSTANCE_README.html

@@ -40,7 +40,7 @@ management framework, and on how to deploy a custom instance manager.
 
 <li><a href="#parts"> Components of a Postfix system </a> 
 
-<li><a href="#default"> The default Postfix instance </a> 
+<li><a href="#default"> The primary Postfix instance </a> 
 
 <li><a href="#group"> Instance groups </a>
 
@@ -102,7 +102,7 @@ use than ever before. </p>
 <h2><a name="split"> Null-client instances versus service instances </a></h2>
 
 <p> In the multi-instance approach to configuring Postfix, the first
-simplification is with the default local-submission Postfix instance.
+simplification is with the primary local-submission Postfix instance.
 </p>
 
 <p> Most UNIX systems require support for email submission with the
@@ -152,7 +152,7 @@ limited to mail from cron jobs and other system services. In this
 regard the border MTA is not different from other Unix hosts in
 your environment. For this reason, it will submit locally-generated
 email to the internal mail hub. We start the construction of the
-border mail server with the <a href="#default_instance">default</a>
+border mail server with the <a href="#default">primary</a>
 instance, which will be a local-submission <a
 href="STANDARD_CONFIGURATION_README.html#null_client">null client</a>:
 </p>
@@ -283,7 +283,7 @@ must start before the input instance. We will put the output and
 input instances into a single instance group named "mta".  </p>
 
 <p> Just once, when adding the first secondary instance, enable
-multi-instance support in the default (null-client) instance: </p>
+multi-instance support in the primary (null-client) instance: </p>
 
 <blockquote>
 <pre>
@@ -301,7 +301,7 @@ multi-instance support in the default (null-client) instance: </p>
 
 <p> The instance configuration directory defaults to /etc/postfix-out,
 more precisely, the "postfix-out" subdirectory of the parent directory
-of the default-instance configuration directory. The new instance will
+of the primary-instance configuration directory. The new instance will
 be created in a "disabled" state: </p>
 
 <blockquote>
@@ -323,7 +323,7 @@ be created in a "disabled" state: </p>
 <p> This instance has a "stock" master.cf file, and its queue and
 data directories, also named "postfix-out", will be located in the
 same parent directories as the corresponding directories of the
-default instance (e.g., /var/spool/postfix-out and /var/lib/postfix-out).
+primary instance (e.g., /var/spool/postfix-out and /var/lib/postfix-out).
 </p>
 
 <p> While this instance is immediately safe to start, it is not yet
@@ -472,7 +472,7 @@ also part of the "mta" instance group: </p>
 
 <p> The new instance configuration directory defaults to /etc/postfix-in,
 more precisely, the "postfix-in" subdirectory of the parent directory
-of the default-instance configuration directory. The new instance will
+of the primary-instance configuration directory. The new instance will
 be created in a "disabled" state: </p>
 
 <blockquote>
@@ -658,7 +658,7 @@ main.cf file itself. </p>
 
 <p> Though config_directory cannot be set in main.cf, postfix(1) and
 most of the other command-line Postfix utilities allow you to specify a
-non-default configuration directory via a command line option (typically
+secondary configuration directory via a command line option (typically
 <b>-c</b>) or via the MAIL_CONFIG environment variable. In this way,
 it is possible to have multiple configuration directories on the same
 machine, and to have multiple running master(8) daemons each with its
@@ -672,28 +672,28 @@ directories, queue directories or data directories. </p>
 directory and data directory (specified in the corresponding main.cf file)
 make up a Postfix <b>instance</b>. </p>
 
-<h2><a name="default"> The default Postfix instance </a></h2>
+<h2><a name="default"> The primary Postfix instance </a></h2>
 
 <p> One Postfix instance is special: this is the instance whose
 configuration directory is the default one compiled into the Postfix
 utilities. The location of the default configuration directory is
 typically /etc/postfix, and can be queried via the "postconf -d
 config_directory" command.  We call the instance with this configuration
-directory the "default instance". </p>
+directory the "primary instance". </p>
 
-<p> The default instance is responsible for local mail submission. The
+<p> The primary instance is responsible for local mail submission. The
 setgid postdrop(1) utility is used by the sendmail(1) local submission
 program to spool messages into the <b>maildrop</b> sub-directory of the
-queue directory of the default instance. </p>
+queue directory of the primary instance. </p>
 
 <p> Even in the rare case when "sendmail -C" is used to submit local mail
-into a non-default Postfix instance, for security reasons, postdrop(1)
-will consult the default main.cf file to check the validity of the
+into a secondary Postfix instance, for security reasons, postdrop(1)
+will consult the primary main.cf file to check the validity of the
 requested non-default configuration directory. </p>
 
 <p> So, while in most other respects, all instances are equal, the
-default instance is "more equal than others". You may choose to create
-additional instances, but you must have at least the default instance,
+primary instance is "more equal than others". You may choose to create
+secondary instances, but you must have at least the primary instance,
 with its configuration directory in the default compiled-in location. </p>
 
 <h2><a name="group"> Instance groups </a></h2>
@@ -715,9 +715,9 @@ of a single instance group (however, the content filter usually has
 its own start/stop procedure that is separate from any Postfix
 instance).  </p>
 
-<p> The default instance main.cf file's $multi_instance_directories
+<p> The primary instance main.cf file's $multi_instance_directories
 configuration parameter lists the configuration directories of all
-secondary (non-default) instances. Together with the default instance,
+secondary (non-default) instances. Together with the primary instance,
 these secondary instances are managed by the multi-instance manager.
 Instances are started in the order listed, and stopped in the
 opposite order. For instances that are members of a service "group",
@@ -731,7 +731,7 @@ stages are started. </p>
 
 <dt> multi_instance_wrapper </dt> 
 
-<dd> <p> This default-instance configuration parameter must be set
+<dd> <p> This primary-instance configuration parameter must be set
 to a suitable multi-instance manager's "wrapper" program that
 controls the starting, stopping, etc. of a multi-instance Postfix
 system. To use the postmulti(1) manager described in this document,
@@ -740,10 +740,10 @@ this parameter should be set with the "<a href="#init">postmulti
 
 <dt> multi_instance_directories </dt>
 
-<dd> <p> This default-instance configuration parameter specifies
+<dd> <p> This primary-instance configuration parameter specifies
 an optional list of the secondary instances controlled via the
 multi-instance manager. Instances are listed in their "start" order,
-with the default instance always started first (if enabled). If
+with the primary instance always started first (if enabled). If
 $multi_instance_directories is left empty, the postfix(1) command
 runs with multi-instance support turned off, and none of the
 multi_instance_ configuration parameters will have any effect. </p>
@@ -842,7 +842,7 @@ automatically. See below. </p>
 
 <p> Before postmulti(1) is used for the first time, you must install
 it as the multi_instance_wrapper for your Postfix system and enable
-multi-instance operation of the default Postfix instance. You can then
+multi-instance operation of the primary Postfix instance. You can then
 proceed to add <a href="#create">new</a> or <a href="#import">existing</a>
 instances to the multi-instance configuration. This initial installation
 is accomplished as follows: </p>
@@ -853,7 +853,7 @@ is accomplished as follows: </p>
 </pre>
 </blockquote>
 
-<p> This updates the default instance main.cf file as follows: </p>
+<p> This updates the primary instance main.cf file as follows: </p>
 
 <blockquote>
 <pre>
@@ -861,28 +861,28 @@ is accomplished as follows: </p>
     #
     multi_instance_wrapper = ${command_directory}/postmulti -p --
 
-    # Configure the default instance to start when in multi-instance mode
+    # Configure the primary instance to start when in multi-instance mode
     #
     multi_instance_enable = yes
 </pre>
 </blockquote>
 
-<p> If you prefer, you can make these changes by editing the default
+<p> If you prefer, you can make these changes by editing the primary
 main.cf directly, or by using "postconf -e". </p>
 
 <h3><a name="list"> Listing managed instances </a></h3>
 
-<p> The list of managed instances consists of the default instance and
-the additional instances whose configuration directories are listed
+<p> The list of managed instances consists of the primary instance and
+the secondary instances whose configuration directories are listed
 (in start order) under the multi_instance_directories parameter of the
-default main.cf configuration file.  </p>
+primary main.cf configuration file.  </p>
 
 <p> You can list selected instances, groups of instances or all
 instances by specifying only the instance matching options with the
 "-l" option.  The "-a" option is assumed if no other instance
 selection options are specified (this behavior changes with the
 "-e" option).  As a special case, even if it has an explicit name,
-the default instance can always be selected via "-i -". </p>
+the primary instance can always be selected via "-i -". </p>
 
 <blockquote>
 <pre>
@@ -926,7 +926,7 @@ set, it is shown as a "-". </p>
 <p> When selecting an existing instance via the "-i" option, you
 can always use the full pathname of its configuration directory
 instead of the instance (short) name. This is the only way to select
-a non-default nameless instance. The default instance can be selected
+a secondary nameless instance. The primary instance can be selected
 via "-i -", whether it has a name or not. </p>
 
 <p> To list instances in reverse start order, include the "-R"
@@ -1052,7 +1052,7 @@ $ postmulti -x sh -c 'echo "-- $MAIL_CONFIG"; postconf -n'
 
 <h3><a name="create"> Creating a new Postfix instance </a></h3>
 
-<p> The postmulti(1) command can be used to create additional Postfix
+<p> The postmulti(1) command can be used to create secondary Postfix
 instances. New instances are created with local submission and all "inet"
 services disabled via the following non-default parameter settings in
 the main.cf file: </p>
@@ -1072,7 +1072,7 @@ the above safety measures. </p>
 
 <p> The postmulti(1) command encourages a preferred way of organizing
 the configuration directories, queue directories and data directories
-of non-default instances. If the default instance settings are: </p>
+of secondary instances. If the primary instance settings are: </p>
 
 <blockquote>
 <pre>
@@ -1140,7 +1140,7 @@ the configuration directories of newly managed instances are appended
 to the instance list. You can use the "-i" or "-g" or "-a" options to
 insert the new instance before the specified instance or group, or at
 the beginning of the instance list (multi_instance_directories parameter
-of the default instance). </p>
+of the primary instance). </p>
 
 <p> If you do specify a name (use "-I" with a name that is not "-")
 for the new instance, you may omit any of the 3 instance installation

postfix/proto/SASL_README.html

@@ -178,7 +178,7 @@ later. </p>
 <p> Dovecot is a POP/IMAP server that has its own configuration to
 authenticate POP/IMAP clients. When the Postfix SMTP server uses
 Dovecot SASL, it reuses parts of this configuration.  Consult the
-<a href="https://wiki.dovecot.org">Dovecot documentation</a> for how
+<a href="https://doc.dovecot.org">Dovecot documentation</a> for how
 to configure and operate the Dovecot authentication server.  </p>
 
 <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>

postfix/proto/SMTPUTF8_README.html

@@ -375,7 +375,7 @@ Firefox and Chrome web browsers. Specify "enable_idna2003_compatibility
 = yes" to get the historical behavior. </p>
 
 <p> This affects the conversion of domain names that contain for
-example the German sz (ß) and the Greek zeta (ς). See
+example the German sz (ß) and the Greek (final) sigma (ς). See
 https://unicode.org/cldr/utility/idna.jsp for more examples. </p>
 
 <h2> <a name="credits">Credits</a> </h2>

postfix/proto/TLSRPT_README.html

@@ -25,6 +25,7 @@
 <li> <a href="#intro"> Introduction </a> </li>
 <li> <a href="#building"> Building Postfix with TLSRPT support </a>
 <li> <a href="#using"> Turning on TLSRPT </a> </li>
+<li> <a href="#reusing"> Connection reuse versus session resumption </a> </li>
 <li> <a href="#logging"> TLSRPT Status logging </a> </li>
 <li> <a href="#delivering"> Delivering TLSRPT summaries via email</a> </li>
 <li> <a href="#mta-sts"> MTA-STS Support via smtp_tls_policy_maps </a> </li>
@@ -52,8 +53,8 @@ _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:smtp-tls-report@example.c
 <p> Instead of <tt>mailto:</tt>, a policy may specify an <tt>https:</tt>
 destination. </p>
 
-<p> The diagram below shows how Postfix TLS handshake success and
-failure events are collected and processed into daily summary
+<p> The diagram below shows how successful or failed Postfix TLS
+handshake events are collected and processed into daily summary
 reports. </p>
 
 <blockquote>
@@ -99,7 +100,7 @@ fetch, and report TLSRPT information, are implemented and maintained
 by sys4 at https://github.com/sys4/libtlsrpt and
 https://github.com/sys4/tlsrpt-reporter, respectively. </p>
 
-<p> The Postfix implementation supports TLSRPT or domains with DANE
+<p> The Postfix implementation supports TLSRPT for domains with DANE
 (Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
 smtp_tls_policy_maps plug-in</a>). </p>
 
@@ -203,6 +204,49 @@ programs should create sockets there. </p>
 infrastructure, see the documentation at
 https://github.com/sys4/tlsrpt-reporter.
 
+<h2> <a name="reusing"> Connection reuse versus session resumption
+</a> </h2>
+
+<p> The Postfix SMTP client implements two kinds of reuse: </p>
+
+<ul>
+
+<li> <p> <b> SMTP Connection reuse: </b> a Postfix SMTP client
+creates a new SMTP connection, sends one email message, and saves
+the connection instead of closing it. Later, some SMTP client reuses
+that connection, sends an email message, and saves or closes the
+connection depending on whether it has reached some reuse limit.
+Each connection can be used by only one Postfix SMTP client at a
+time. </p>
+
+<li> <p> <b> TLS Session resumption: </b> a Postfix SMTP client
+saves the result from a "new" TLS handshake. Later, one or more
+SMTP clients create a new SMTP connection and resume the saved TLS
+session on their new connection. <p>
+
+</ul>
+
+<p> Of course there is a third case: </p>
+
+<ul>
+
+<li> <p> <b> Combined reuse and resumption: </b> a Postfix SMTP
+client creates a new SMTP connection, sends one email message, saves
+the result from a "new" TLS handshake, and also saves the connection
+instead of closing it. Later, one SMTP client reuses (and saves)
+that connection, one client at a time, and one or more clients
+create a new SMTP connection and resume the saved TLS session on
+their new connection. <p>
+
+</ul>
+
+<p> In all cases, there is no TLS handshake when a saved SMTP connection
+is reused, and there is no "new" TLS handshake when a saved TLS session
+is resumed. </p>
+
+<p> As described next, Postfix will by default log and generate only a
+TLSRPT event for a "new" TLS handshake.  </p>
+
 <h2> <a name="logging"> TLSRPT Status logging </a> </h2>
 
 <p> With TLSRPT support turned on, the Postfix TLSRPT client will
@@ -242,12 +286,12 @@ Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
     TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 </pre>
 
-<li> <p> By default, Postfix does not report the TLSRPT status for
-a TLS handshake that reuses a previously-negotiated TLS session
-(there would be no new information to report). Specify
-"smtp_tlsrpt_skip_reused_handshakes = no" to report the TLSRPT
-status for all TLS handshakes. This may be useful for troubleshooting.
-</p>
+<li> <p> With TLSRPT enabled, the Postfix SMTP client reports the
+TLSRPT status for all TLS handshakes (the default as of Postfix
+3.11).  Specify "smtp_tlsrpt_skip_reused_handshakes = yes" (the
+default with Postfix 3.10) to skip reporting TLS handshakes that
+reuse a previously-negotiated TLS session as there would be no new
+information to report. </p>
 
 <li> <p> Postfix logging for certificate verification failures may
 differ between new or reused TLS sessions. </p>
@@ -329,7 +373,7 @@ generator's sender address): </p>
 <h2> <a name="mta-sts"> MTA-STS Support via smtp_tls_policy_maps
 </a></h2>
 
-<p> Postfix supports MTA-STS though an smtp_tls_policy_maps policy
+<p> Postfix supports MTA-STS through an smtp_tls_policy_maps policy
 plugin, which replies with a TLS security level and name=value
 attributes with certificate matching requirements. Postfix 3.10 and
 later extend the policy plugin response with additional name=value

postfix/proto/XCLIENT_README.html

@@ -145,8 +145,8 @@ xtext encode attribute values. Servers that wish to interoperate
 with these older implementations should be prepared to receive
 unencoded information. </p>
 
-<p> Note 4: Some Postfix implementations do not implement the PORT
-or LOGIN attributes.  </p>
+<p> Note 4: The PORT attribute is implemented in Postfix 2.5 and
+later; the LOGIN attribute in Postfix 2.9 and later. </p>
 
 <h2>XCLIENT Server response</h2>
 

postfix/proto/lmdb_table

@@ -60,16 +60,17 @@
 # .fi
 #	The Postfix LMDB adapter does not use LMDB's built-in locking
 #	scheme, because that would require world-writable lockfiles
-#	and would violate the Postfix security model.  Instead,
+#	and therefore violate the Postfix security model.  Instead,
 #	Postfix uses fcntl(2) locks with whole-file granularity.
 #	Programs that use LMDB's built-in locking protocol will
 #	corrupt a Postfix LMDB database or will read garbage.
 #
 #	Every Postfix LMDB database read or write transaction must
 #	be protected from start to end with a shared or exclusive
-#	fcntl(2) lock.  A writer may atomically downgrade an exclusive
-#	lock to a shared lock, but it must hold an exclusive lock
-#	while opening another write transaction.
+#	fcntl(2) lock. A process may atomically downgrade an exclusive
+#	lock to a shared lock before opening a database read transaction,
+#	but it must hold an exclusive lock while opening a write
+#	transaction.
 #
 #	Note that fcntl(2) locks do not protect transactions within
 #	the same process against each other.  If a program cannot

postfix/proto/memcache_table

@@ -102,6 +102,17 @@
 # MEMCACHE KEY PARAMETERS
 # .ad
 # .fi
+# .IP "\fBkey_digest (default: empty)\fB"
+#	After processing the \fBkey_format\fR setting, and before sending
+#	a request to the memcache server, run the key through the named
+#	message digest algorithm and convert the result to lowercase
+#	hexadecimal characters. This prevents a database access error
+#	when keys may exceed the memcache server's key length limit
+#	(usually, 250 bytes). Specify the name of a message digest
+#	algorithm that is supported by OpenSSL, for example, \fBsha256\fR.
+#
+#	This feature is available in Postfix 3.11 and later, and requires
+#	that Postfix is built with TLS support.
 # .IP "\fBkey_format (default: %s)\fB"
 #	Format of the lookup and update keys that the Postfix
 #	memcache client sends to the memcache server.
@@ -193,7 +204,7 @@
 #	"\fI|command\fR and "\fI/file/name\fR" destinations), or
 #	\fBvirtual_uid_maps\fR, \fBvirtual_gid_maps\fR and
 #	\fBvirtual_mailbox_maps\fR (these specify UNIX process
-#	privileges or "\fI/file/name\fR" destinations).  In a typical
+#	privileges for "\fI/file/name\fR" destinations).  In a typical
 #	deployment a memcache database is writable by any process
 #	that can talk to the memcache server; in contrast,
 #	security-sensitive tables must never be writable by the

postfix/proto/mysql_table

@@ -67,11 +67,10 @@
 #	    hosts = 127.0.0.1
 # .fi
 #
-#	NOTE: if the \fBhosts\fR setting specifies one server, this client
-#	assumes that the target is a load balancer and will reconnect
-#	immediately after a single failure, instead of failing all
-#	requests temporarily. With older versions of this client,
-#	specify the same server twice.
+#	NOTE: if the \fBhosts\fR setting specifies only one server,
+#	this client assumes that the target is a load balancer and
+#	will reconnect immediately after a single failure. With Postfix
+#	versions 3.9 and earlier, specify the same server twice.
 # .IP "\fBuser\fR"
 # .IP "\fBpassword\fR"
 #	The user name and password to log into the mysql server.
@@ -102,11 +101,10 @@
 #	The number of seconds that a database connection will be
 #	skipped after an error.
 #
-#	NOTE: if the \fBhosts\fR setting specifies one server, this client
-#	assumes that the target is a load balancer and will reconnect
-#	immediately after a single failure, instead of failing all
-#	requests temporarily. With older versions of this client,
-#	specify the same server twice.
+#	NOTE: if the \fBhosts\fR setting specifies only one server,
+#	this client assumes that the target is a load balancer and
+#	will reconnect immediately after a single failure. With Postfix
+#	versions 3.9 and earlier, specify the same server twice.
 #
 #	This feature is available in Postfix 3.9 and later.
 # .IP "\fBquery\fR"

postfix/proto/pgsql_table

@@ -71,11 +71,10 @@
 #	URI, the Postfix PostgreSQL client will ignore the \fBdbname\fR,
 #	\fBuser\fR, and \fBpassword\fR settings for that connection.
 #
-#	NOTE: if the \fBhosts\fR setting specifies one server, this client
-#	assumes that the target is a load balancer and will reconnect
-#	immediately after a single failure, instead of failing all
-#	requests temporarily. With older versions of this client,
-#	specify the same server twice.
+#	NOTE: if the \fBhosts\fR setting specifies only one server,
+#	this client assumes that the target is a load balancer and
+#	will reconnect immediately after a single failure. With Postfix
+#	versions 3.9 and earlier, specify the same server twice.
 # .IP "\fBuser\fR"
 # .IP "\fBpassword\fR"
 #	The user name and password to log into the pgsql server.
@@ -119,11 +118,10 @@
 #	The number of seconds that a database connection will be
 #	skipped after an error.
 #
-#	NOTE: if the \fBhosts\fR setting specifies one server, this client
-#	assumes that the target is a load balancer and will reconnect
-#	immediately after a single failure, instead of failing all
-#	requests temporarily. With older versions of this client,
-#	specify the same server twice.
+#	NOTE: if the \fBhosts\fR setting specifies only one server,
+#	this client assumes that the target is a load balancer and
+#	will reconnect immediately after a single failure. With Postfix
+#	versions 3.9 and earlier, specify the same server twice.
 #
 #	This feature is available in Postfix 3.9 and later.
 # .IP "\fBquery\fR"

postfix/proto/postconf.html.prolog

@@ -20,7 +20,7 @@ if (hash && isChrome) {
     setTimeout(function() {
         window.location.hash = "";
         window.location.hash = hash;
-    }, 1000);
+    }, 1500);
 }
 
 </script>

postfix/proto/postconf.proto

@@ -1984,15 +1984,20 @@ environment.  Examples of relevant environment variables: </p>
 
 <dd>Needed to make "<b>postfix -c</b>" work. </dd>
 
+<dt><b>POSTLOG_HOSTNAME</b></dt>
+
+<dd>Needed to make "<b>maillog_file</b>" work during daemon  
+process initialization. </dd>
+
 <dt><b>POSTLOG_SERVICE</b></dt>
 
 <dd>Needed to make "<b>maillog_file</b>" work during daemon 
 process initialization. </dd>
 
-<dt><b>POSTLOG_HOSTNAME</b></dt>
+<dt><b>XDG_RUNTIME_DIR</b></dt>
 
-<dd>Needed to make "<b>maillog_file</b>" work during daemon  
-process initialization. </dd>
+<dd>Needed for debugging Postfix daemons with an XDG-style debugger.
+</dd>
 
 </dl>
 
@@ -4012,6 +4017,26 @@ relocated_maps = dbm:/etc/postfix/relocated
 relocated_maps = hash:/etc/postfix/relocated
 </pre>
 
+%PARAM relocated_prefix_enable  yes
+
+<p> Prepend the prefix "<b>5.1.6 User has moved to </b>" to all
+relocated_maps lookup results. With "relocated_prefix_enable =
+no", all lookup results must contain a valid RFC 3463 compliant
+enhanced status code and text (format: "[45].number.number text...").
+
+<p>
+Example:
+</p>
+
+<pre>
+/etc/postfix/main.cf:
+    relocated_maps = hash:/etc/postfix/relocated
+    relocated_prefix_enable = no
+<br>
+hash:/etc/postfix/relocated:
+    user@example.com 5.2.1 User account is disabled
+</pre>
+
 %PARAM require_home_directory no
 
 <p>
@@ -5471,7 +5496,12 @@ The maps_rbl_reject_code parameter specifies the response code for
 rejected requests (default:  554), the default_rbl_reply  parameter
 specifies the default server reply, and the rbl_reply_maps  parameter
 specifies tables with server replies indexed by <i>rbl_domain</i>.
-This feature is available in Postfix 2.0 and later.  </dd>
+<br>
+NOTE: Always respect the usage policies of reputation services. Avoid 
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking the key in SMTP server
+responses). <br>
+This feature is available in Postfix 2.0 and later. </dd>
 
 <dt><b><a name="permit_dnswl_client">permit_dnswl_client <i>dnswl_domain=d.d.d.d</i></a></b></dt>
 
@@ -5483,8 +5513,12 @@ If no "<i>=d.d.d.d</i>" is specified, accept the request when the
 reversed client network address is listed with any A record under
 <i>dnswl_domain</i>. <br> For safety, permit_dnswl_client is silently
 ignored when it would override reject_unauth_destination.  The
-result is DEFER_IF_REJECT when allowlist lookup fails.  This feature
-is available in Postfix 2.8 and later.  </dd>
+result is DEFER_IF_REJECT when allowlist lookup fails. <br>
+NOTE: Always respect the usage policies of reputation services. Avoid
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP 
+server responses). <br>
+This feature is available in Postfix 2.8 and later. </dd>
 
 <dt><b><a name="reject_rhsbl_client">reject_rhsbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
 
@@ -5497,9 +5531,14 @@ number..number ranges (Postfix version 2.8 and later).  If no
 hostname is listed with
 any A record under <i>rbl_domain</i>. See the reject_rbl_client
 description above for additional RBL related configuration parameters.
+<br>
+NOTE: Always respect the usage policies of reputation services. Avoid 
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP 
+server responses). <br>
 This feature is available in Postfix 2.0 and later; with Postfix
 version 2.8 and later, reject_rhsbl_reverse_client will usually
-produce better results.  </dd>
+produce better results. </dd>
 
 <dt><b><a name="permit_rhswl_client">permit_rhswl_client <i>rhswl_domain=d.d.d.d</i></a></b></dt>
 
@@ -5515,8 +5554,12 @@ allowlisting should be used only to reduce false positives in e.g.
 DNS-based blocklists, and not for making access rule exceptions.
 <br> For safety, permit_rhswl_client is silently ignored when it
 would override reject_unauth_destination.  The result is DEFER_IF_REJECT
-when allowlist lookup fails.  This feature is available in Postfix
-2.8 and later.  </dd>
+when allowlist lookup fails. <br>
+NOTE: Always respect the usage policies of reputation services. Avoid 
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP 
+server responses). <br>
+This feature is available in Postfix 2.8 and later.</dd>
 
 <dt><b><a name="reject_rhsbl_reverse_client">reject_rhsbl_reverse_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
 
@@ -5527,8 +5570,12 @@ one or more ";"-separated numbers or number..number ranges.
 If no "<i>=d.d.d.d</i>" is specified, reject the request when the
 unverified reverse client hostname is listed with any A record under
 <i>rbl_domain</i>. See the reject_rbl_client description above for
-additional RBL related configuration parameters.  This feature is
-available in Postfix 2.8 and later.  </dd>
+additional RBL related configuration parameters. <br>
+NOTE: Always respect the usage policies of reputation services. Avoid 
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP 
+server responses). <br>
+This feature is available in Postfix 2.8 and later. </dd>
 
 <dt><b><a name="reject_unknown_client_hostname">reject_unknown_client_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_client)</dt>
 
@@ -6034,8 +6081,12 @@ reject_rbl_client description for additional RBL related configuration
 parameters.  Note: specify "smtpd_helo_required = yes" to fully
 enforce this restriction (without "smtpd_helo_required = yes", a
 client can simply skip reject_rhsbl_helo by not sending HELO or
-EHLO). This feature is available in Postfix 2.0
-and later.  </dd>
+EHLO). <br>
+NOTE: Always respect the usage policies of reputation services. Avoid 
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP 
+server responses). <br>
+This feature is available in Postfix 2.0 and later. </dd>
 
 <dt><b><a name="reject_unknown_helo_hostname">reject_unknown_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_hostname)</dt>
 
@@ -6343,8 +6394,12 @@ any A record under <i>rbl_domain</i>. <br> The maps_rbl_reject_code
 parameter specifies the response code for rejected requests (default:
 554); the default_rbl_reply parameter specifies the default server
 reply; and the rbl_reply_maps parameter specifies tables with server
-replies indexed by <i>rbl_domain</i>.  This feature is available
-in Postfix version 2.0 and later.</dd>
+replies indexed by <i>rbl_domain</i>. <br>
+NOTE: Always respect the usage policies of reputation services. Avoid 
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP 
+server responses). <br>
+This feature is available in Postfix version 2.0 and later.</dd>
 
 <dt><b><a name="reject_unauth_destination">reject_unauth_destination</a></b></dt>
 
@@ -6861,6 +6916,11 @@ maps_rbl_reject_code parameter specifies the response code for
 rejected requests (default:  554); the default_rbl_reply parameter
 specifies the default server reply; and the rbl_reply_maps parameter
 specifies tables with server replies indexed by <i>rbl_domain</i>.
+<br>
+NOTE: Always respect the usage policies of reputation services. Avoid 
+public or ISP resolvers, unless the queries use your unique API key
+(see rbl_reply_maps for how to avoid leaking an API key in SMTP 
+server responses). <br>
 This feature is available in Postfix 2.0 and later.</dd>
 
 <dt><b><a name="reject_sender_login_mismatch">reject_sender_login_mismatch</a></b></dt>
@@ -12059,14 +12119,16 @@ smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
-%PARAM smtp_tls_security_level
+%PARAM smtp_tls_security_level Postfix &ge; 3.11: may; Postfix &lt; 3.11: empty
 
 <p> The default SMTP TLS security level for the Postfix SMTP client.
 When a non-empty value is specified, this overrides the obsolete
 parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername;
-when no value is specified for smtp_tls_enforce_peername or the obsolete
-parameters, the default SMTP TLS security level is
-<a href="TLS_README.html#client_tls_none">none</a>. </p>
+when no value is specified for those obsolete parameters, the default
+SMTP TLS security level is <a href="TLS_README.html#client_tls_may">may</a>
+(compatibility_level &ge; 3.11) or <a
+href="TLS_README.html#client_tls_none">none</a> 
+(compatibility_level &lt; 3.11). </p>
 
 <p> Specify one of the following security levels: </p>
 
@@ -14699,6 +14761,10 @@ clients,
 and postscreen(8) will update an SMTP client's DNSBL score with
 each non-error reply as described below. </p>
 
+<p> NOTE: Always respect the usage policies of reputation services.
+Avoid public or ISP resolvers, unless the queries use your unique
+API key. </p>
+
 <p> Caution: when postscreen rejects mail, its SMTP response contains
 the DNSBL
 domain name. Use the postscreen_dnsbl_reply_map feature to hide
@@ -15037,6 +15103,12 @@ line. </p>
 
 <pre>
 /etc/postfix/reply_filter:
+    # Some Microsoft servers violate RFC 2554 section 4, causing Postfix
+    # to complain with "non-empty initial GSSAPI challenge from server"
+    /^334\s+GSSAPI\s+supported/ 334
+</pre>
+
+<pre>
     # Transform garbage into "250-filler..." so that it looks like
     # one line from a multi-line reply. It does not matter what we
     # substitute here as long it has the right syntax.  The Postfix
@@ -17726,7 +17798,7 @@ Milter support should be disabled. </p>
 when converting UTF-8 domain names to/from the ASCII form that is
 used for DNS lookups. Specify "yes" for compatibility with Postfix
 &le; 3.1 (not recommended). This affects the conversion of domain
-names that contain for example the German sz and the Greek zeta.
+names that contain for example the German sz and the Greek sigma.
 See https://unicode.org/cldr/utility/idna.jsp for more examples.
 </p>
 
@@ -19245,13 +19317,11 @@ openssl.cnf:
     Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
 </pre>
 
-<p> Caution: It is typically best to just use the default group
-settings, for which no $tls_config_file is required (you can set
-"tls_config_file = none", to avoid unwanted leakage of system-wide
-settings that strive to harden HTTPS against mostly browser-specific
-security and privacy issues into Postfix use of opportunistic TLS,
-where they're they can be counterproductive, leading to downgrades
-to cleartext, rather than more "secure" TLS). </p>
+<p> Caution: It is typically best to just use the default OpenSSL
+group settings, by setting "tls_config_file = none". Overly strict
+system-wide TLS settings will conflict with Postfix's opportunistic
+TLS, where being less restrictive is better than downgrading to
+cleartext SMTP. </p>
 
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
@@ -19484,13 +19554,11 @@ requirements for MTA-STS smtp_tls_policy_maps plugins. </p>
 
 <p> This feature is available in Postfix &ge; 3.10. </p>
 
-%PARAM smtp_tlsrpt_skip_reused_handshakes yes
+%PARAM smtp_tlsrpt_skip_reused_handshakes Postfix &ge; 3.11: no, Postfix 3.10: yes
 
-<p> Do not report the TLSRPT status for TLS protocol handshakes
-that reuse a previously-negotiated TLS session (there is no new
-information to report). Report the TLSRPT status only for "new" TLS
-sessions. Set this to "no" to log the TLSRPT status of all TLS
-handshakes, for example to troubleshoot Postfix TLSRPT support.
+<p> When set to "yes", report the TLSRPT status only for "new" TLS
+sessions. When set to "no", also report the TLSRPT status for TLS
+protocol handshakes that reuse a previously-negotiated TLS session.
 </p>
 
 <p> Note: if an SMTP over TLS connection is reused, there is no
@@ -19548,7 +19616,8 @@ including the netstring encapsulation. </p>
 
 <p> Enable support for the "TLS-Required: no" message header, defined
 in RFC 8689. By adding this header to a message, a sender requests
-no enforcement of TLS policy. This limits the Postfix SMTP client
+no enforcement of TLS policy. This disables TLS policy lookup, and
+limits the Postfix SMTP client
 TLS security level to "may", that is, do not verify remote SMTP
 server certificates, and fall back to plaintext if TLS is unavailable.
 If a message contains a "TLS-Required: no" header, then Postfix
@@ -19566,7 +19635,7 @@ SMTP server's Received: message header. </p>
 
 <li> <p> The default setting, "smtpd_hide_client_session = no",
 must be used for the port 25 MTA service. It provides information
-that is required by RFC 5321. </p>
+that is required by RFC 5321 section 4.4. </p>
 
 <li> <p> The setting "smtpd_hide_client_session = yes" may be used
 for the port 587 and 465 MUA services. This hides the SMTP client
@@ -19589,7 +19658,56 @@ Received: by mail.example.com (Postfix) id postfix-queue-id
 </blockquote>
 
 <p> The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the information required by
-RFC 5321. The form does still meet RFC 5322 requirements. </p>
+and therefore it does not need to provide the FROM clause according
+to RFC 5321 section 4.4. The redacted form still meets RFC 5322
+requirements. </p>
 
 <p> This feature is available in Postfix &ge; 3.10. </p>
+
+%PARAM smtpd_reject_filter_maps
+
+<p> An optional filter that can replace a reject response from the
+Postfix SMTP server itself, or from a program that replies through
+the Postfix SMTP server. The filter is applied before the optional
+reject footers are appended. Typically, the filter will be a regexp:
+or pcre: table, where the left-hand side specifies a pattern, and
+the right-hand side specifies replacement text. </p>
+
+<p> The input is a server response that starts with a 4XX or 5XX
+reply code (see RFC 5321), usually followed by an enhanced status
+code (see RFC 3463) and text. The filter returns replacement text
+or indicates that there was no match. This feature cannot be used
+to change a reject reply into a non-reject one or vice versa. </p>
+
+<p> LIMITATION: smtpd_reject_filter_maps will not replace text that
+was already logged before the Postfix SMTP server replies to the
+remote SMTP client. To help with logfile analysis, the Postfix SMTP
+server logs both the unmodified reply (logged below as "reject
+filter in") and the replacement reply (logged below as "reject
+filter out").
+
+<p> Example: </p>
+
+<pre>
+/etc/postfix/main.cf:
+    smtpd_reject_filter_maps = regexp:/etc/postfix/smtpd_reject_filter
+</pre>
+
+<pre>
+/etc/postfix/smtpd_reject_filter:
+    # Replace soft reject with hard reject.
+    /^451 4(\.6\.0 Alias expansion error)/ 550 5${1}
+</pre>
+
+<pre>
+    # Silly rule for demo purposes.
+    /^(4.+[^.])\.*$/ $1. See you later.
+</pre>
+
+<pre>
+/var/log/maillog:
+    NOQUEUE: reject filter in: 451 4.6.0 Alias expansion error
+    NOQUEUE: reject filter out: 550 5.6.0 Alias expansion error
+</pre>
+
+<p> This feature is available in Postfix &ge; 3.11. </p>

postfix/proto/relocated

@@ -36,9 +36,10 @@
 # TABLE FORMAT
 # .ad
 # .fi
-#	The input format for the \fBpostmap\fR(1) command is as follows:
 # .IP \(bu
-#	An entry has one of the following form:
+#	By default, Postfix will prepend a hard-coded prefix "5.1.6 User
+#	has moved to " to a table lookup result, and the format for a
+#	table entry is as follows:
 #
 # .nf
 #	     \fIpattern      new_location\fR
@@ -47,6 +48,16 @@
 #	Where \fInew_location\fR specifies contact information such as
 #	an email address, or perhaps a street address or telephone number.
 # .IP \(bu
+#	Postfix 3.11 and later can optionally disable the hard-coded
+#	prefix. Specify "relocated_prefix_enable = no" in main.cf, and
+#	specify relocated_maps entries with your own RFC 3463-compliant
+#	enhanced status code and text, for example:
+#
+# .nf
+#	     \fIpattern\fR      5.2.0 Mailbox is unavailable
+#	     \fIpattern\fR      5.2.1 Mailbox is disabled
+# .fi
+# .IP \(bu
 #	Empty lines and whitespace-only lines are ignored, as
 #	are lines whose first non-whitespace character is a `#'.
 # .IP \(bu
@@ -123,6 +134,11 @@
 #	Optional lookup tables with new contact information for users or
 #	domains that no longer exist.
 # .PP
+#	Available with Postfix version 3.11 and later:
+# .IP "\fBrelocated_prefix_enable (yes)\fR"
+#	Prepend the prefix "\fB5.1.6 User has moved to \fR" to all
+#	relocated_maps lookup results.
+# .PP
 #	Other parameters of interest:
 # .IP "\fBinet_interfaces (all)\fR"
 #	The local network interface addresses that this mail system

postfix/proto/stop

@@ -1672,3 +1672,16 @@ URIs
 bugfix
 MLKEM
 cleartext
+redacted
+subclassed
+nosleep
+preload
+memcached
+Geert
+Hendrickx
+typofix
+LD
+PRELOAD
+rhansen
+XDG
+crosstalk

postfix/proto/stop.double-cc

@@ -343,3 +343,6 @@ additional_info  additional_info
 ignored  ignored 
 USE_TLSRPT  USE_TLSRPT 
 encoded  encoded text can contain only alpha digit 
+ossl_digest_new  ossl_digest_new returns NULL after error ossl_digest_data 
+ Richard Hansen rhansen rhansen org 
+ long long or long integer 

postfix/proto/stop.double-history

@@ -166,3 +166,32 @@ proto  proto socketmap_table
  global mail_params h smtpd smtpd c 
  global mail_params h proto postconf proto smtp smtp c 
  proto postconf proto proto TLS_README html 
+ the command line Files postmap postmap c postalias postalias c 
+ verification in progress File verify verify c 
++ address failed File verify verify c 
+ address failed File verify verify c 
+ address failed due to a database error File verify verify c 
+ failures Fix by Viktor Dukhovni Wietse Files smtp smtp h 
+ Files smtp smtp h 
+proto  proto COMPATIBILITY_README html 
+ smtp smtp c tlsproxy tlsproxy c proto postconf proto 
+ rhansen rhansen org Files proto DATABASE_README html 
+ postconf Makefile in postconf postconf c 
+ dict_open Files util dict hc proxymap proxymap c 
+ proxymap proxymap c 
+ postmap postmap c postalias postalias c 
+ client Files dict h dict_proxy c proxymap proxymap c 
+ cross talk between different clients File proxymap proxymap c 
+ postscreen postscreen c 
+ for the h option Robert Hansen File postmap postmap c 
+ Support for the ll long long etc and j intmax_t 
+ postalias postalias c There is more time handling code in
+ long long which just like time_t is a 64 bit type on many
+ File tls tls h
+ dual purpose field File tls tls h 
+ conf postfix tls script discard discard c error error c 
+ oqmgr qmgr c postmulti postmulti c qmgr qmgr c 
+ src global config_known_tcp_ports c postmulti postmulti c 
+ virtual virtual c 
+ request Reported by John Doe File tlsproxy tlsproxy c 
+ smtpd smtpd c smtpd smtpd_chat c global mail_params h 

postfix/proto/stop.double-install-proto-text

@@ -43,3 +43,7 @@ virtual  virtual alias domain anything right hand content does not matter
 Inbound SMTP smuggling strip extra CR in CR LF CR CR LF 
 Inbound SMTP smuggling don t strip extra CR in CR LF CR CR LF 
  CR LF CR CR LF to silence false alarms from test tools
+ Prepend the prefix 5 1 6 User has moved to to all
+ pattern number number number text 
+to  to the lookup result With Postfix 3 11 and later specify
+ has moved to to a table lookup result and the format for a

postfix/proto/stop.double-proto-html

@@ -364,3 +364,4 @@ Postfix  Postfix legacy TLS Support
  with cipher ECDHE RSA AES256 GCM SHA384 256 256 bits 
  TLSv1 2 with cipher ECDHE RSA AES256 GCM SHA384 256 256 bits 
  The recommended socket location is still to be determined A good socket location would be under the Postfix queue directory for example smtp_tlsrpt_socket_name run tlsrpt tlsrpt sock The advantage of using a relative name is that it
+enhanced status code and text format 45 number number text 

postfix/proto/stop.spell-cc

@@ -1858,3 +1858,13 @@ TINYCDB
 getdata
 XXXSENDOPTS
 xtra
+HAPROXY
+SRVR
+DGST
+DIGEST
+OSSL
+ossl
+deduplicates
+intmax
+lflag
+REPLYCODE

postfix/proto/stop.spell-history

@@ -100,3 +100,16 @@ Roessner
 bitflags
 Schulze
 tlspol
+Gueven
+Oemer
+Kozmenko
+Oleksandr
+Bataille
+balancers
+Unbroke
+XDG
+ENOTSOCK
+FustÃ
+Jiaying
+PRI
+YP

postfix/src/discard/discard.c

@@ -53,7 +53,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
 /*	The sender address of postmaster notifications that are generated
 /*	by the mail system.

postfix/src/error/error.c

@@ -61,7 +61,7 @@
 /*	request before it is terminated by a built-in watchdog timer.
 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
 /*	The maximal number of digits after the decimal point when logging
-/*	sub-second delay values.
+/*	delay values.
 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
 /*	The sender address of postmaster notifications that are generated
 /*	by the mail system.

postfix/src/global/Makefile.in

@@ -129,9 +129,9 @@ TESTPROG= domain_list dot_lockfile mail_addr_crunch mail_addr_find \
 	data_redirect addr_match_list safe_ultostr verify_sender_addr \
 	mail_version mail_dict server_acl uxtext mail_parm_split \
 	fold_addr smtp_reply_footer mail_addr_map normalize_mailhost_addr \
-	haproxy_srvr map_search delivered_hdr login_sender_match \
+	haproxy_srvr_test map_search delivered_hdr login_sender_match \
 	compat_level config_known_tcp_ports hfrom_format rfc2047_code \
-	ascii_header_text sendopts_test
+	ascii_header_text sendopts_test dict_sqlite_test
 
 LIBS	= ../../lib/lib$(LIB_PREFIX)util$(LIB_SUFFIX)
 LIB_DIR	= ../../lib
@@ -381,7 +381,7 @@ smtp_reply_footer: smtp_reply_footer.c $(LIB) $(LIBS)
 normalize_mailhost_addr: normalize_mailhost_addr.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
 
-haproxy_srvr: haproxy_srvr.c $(LIB) $(LIBS)
+haproxy_srvr_test: haproxy_srvr_test.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
 
 map_search: map_search.c $(LIB) $(LIBS)
@@ -408,6 +408,10 @@ ascii_header_text: ascii_header_text.c $(LIB) $(LIBS)
 sendopts_test: sendopts_test.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
 
+dict_sqlite_test: dict_sqlite_test.c dict_sqlite.o $(LIB) $(LIBS)
+	$(CC) $(CFLAGS) -DTEST -o $@ $@.c dict_sqlite.o $(LIB) $(LIBS) \
+	    $(SYSLIBS) $(AUXLIBS_SQLITE)
+
 config_known_tcp_ports: config_known_tcp_ports.c $(LIB) $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
 
@@ -418,10 +422,10 @@ tests: tok822_test mime_tests strip_addr_test tok822_limit_test \
 	safe_ultostr_test mail_parm_split_test fold_addr_test \
 	smtp_reply_footer_test off_cvt_test mail_addr_crunch_test \
 	mail_addr_find_test mail_addr_map_test quote_822_local_test \
-	normalize_mailhost_addr_test haproxy_srvr_test map_search_test \
+	normalize_mailhost_addr_test test_haproxy_srvr map_search_test \
 	delivered_hdr_test login_sender_match_test compat_level_test \
 	config_known_tcp_ports_test hfrom_format_test rfc2047_code_test \
-	ascii_header_text_test test_sendopts
+	ascii_header_text_test test_sendopts test_dict_sqlite
 
 mime_tests: mime_test mime_nest mime_8bit mime_dom mime_trunc mime_cvt \
 	mime_cvt2 mime_cvt3 mime_garb1 mime_garb2 mime_garb3 mime_garb4
@@ -739,10 +743,8 @@ normalize_mailhost_addr_test: update normalize_mailhost_addr
 	diff /dev/null normalize_mailhost_addr.tmp
 	rm -f normalize_mailhost_addr.tmp
 
-haproxy_srvr_test: update haproxy_srvr
-	-$(SHLIB_ENV) $(VALGRIND) ./haproxy_srvr >haproxy_srvr.tmp 2>&1
-	diff /dev/null haproxy_srvr.tmp
-	rm -f haproxy_srvr.tmp
+test_haproxy_srvr: update haproxy_srvr_test
+	$(SHLIB_ENV) $(VALGRIND) ./haproxy_srvr_test
 
 map_search_test: update map_search map_search.ref
 	-$(SHLIB_ENV) $(VALGRIND) ./map_search >map_search.tmp 2>&1
@@ -794,7 +796,10 @@ ascii_header_text_test: update ascii_header_text
 	$(SHLIB_ENV) $(VALGRIND) ./ascii_header_text
 
 test_sendopts: update sendopts_test
-	-$(SHLIB_ENV) $(VALGRIND) ./sendopts_test
+	$(SHLIB_ENV) $(VALGRIND) ./sendopts_test
+
+test_dict_sqlite: update dict_sqlite_test
+	$(SHLIB_ENV) $(VALGRIND) ./dict_sqlite_test
 
 clean:
 	rm -f *.o $(LIB) *core $(TESTPROG) junk $(MAPS)
@@ -1218,10 +1223,12 @@ dict_memcache.o: ../../include/argv.h
 dict_memcache.o: ../../include/auto_clnt.h
 dict_memcache.o: ../../include/check_arg.h
 dict_memcache.o: ../../include/dict.h
+dict_memcache.o: ../../include/hex_code.h
 dict_memcache.o: ../../include/match_list.h
 dict_memcache.o: ../../include/msg.h
 dict_memcache.o: ../../include/myflock.h
 dict_memcache.o: ../../include/mymalloc.h
+dict_memcache.o: ../../include/ossl_digest.h
 dict_memcache.o: ../../include/stringops.h
 dict_memcache.o: ../../include/sys_defs.h
 dict_memcache.o: ../../include/vbuf.h
@@ -1331,6 +1338,19 @@ dict_sqlite.o: db_common.h
 dict_sqlite.o: dict_sqlite.c
 dict_sqlite.o: dict_sqlite.h
 dict_sqlite.o: string_list.h
+dict_sqlite_test.o: ../../include/argv.h
+dict_sqlite_test.o: ../../include/check_arg.h
+dict_sqlite_test.o: ../../include/dict.h
+dict_sqlite_test.o: ../../include/msg.h
+dict_sqlite_test.o: ../../include/msg_vstream.h
+dict_sqlite_test.o: ../../include/myflock.h
+dict_sqlite_test.o: ../../include/stringops.h
+dict_sqlite_test.o: ../../include/sys_defs.h
+dict_sqlite_test.o: ../../include/vbuf.h
+dict_sqlite_test.o: ../../include/vstream.h
+dict_sqlite_test.o: ../../include/vstring.h
+dict_sqlite_test.o: dict_sqlite.h
+dict_sqlite_test.o: dict_sqlite_test.c
 domain_list.o: ../../include/argv.h
 domain_list.o: ../../include/check_arg.h
 domain_list.o: ../../include/match_list.h
@@ -1512,6 +1532,7 @@ haproxy_srvr.o: ../../include/inet_proto.h
 haproxy_srvr.o: ../../include/msg.h
 haproxy_srvr.o: ../../include/myaddrinfo.h
 haproxy_srvr.o: ../../include/mymalloc.h
+haproxy_srvr.o: ../../include/normalize_v4mapped_addr.h
 haproxy_srvr.o: ../../include/sock_addr.h
 haproxy_srvr.o: ../../include/split_at.h
 haproxy_srvr.o: ../../include/stringops.h
@@ -1521,6 +1542,18 @@ haproxy_srvr.o: ../../include/vbuf.h
 haproxy_srvr.o: ../../include/vstring.h
 haproxy_srvr.o: haproxy_srvr.c
 haproxy_srvr.o: haproxy_srvr.h
+haproxy_srvr_test.o: ../../include/check_arg.h
+haproxy_srvr_test.o: ../../include/msg.h
+haproxy_srvr_test.o: ../../include/msg_vstream.h
+haproxy_srvr_test.o: ../../include/myaddrinfo.h
+haproxy_srvr_test.o: ../../include/sock_addr.h
+haproxy_srvr_test.o: ../../include/stringops.h
+haproxy_srvr_test.o: ../../include/sys_defs.h
+haproxy_srvr_test.o: ../../include/vbuf.h
+haproxy_srvr_test.o: ../../include/vstream.h
+haproxy_srvr_test.o: ../../include/vstring.h
+haproxy_srvr_test.o: haproxy_srvr.h
+haproxy_srvr_test.o: haproxy_srvr_test.c
 header_body_checks.o: ../../include/argv.h
 header_body_checks.o: ../../include/check_arg.h
 header_body_checks.o: ../../include/dict.h

postfix/src/global/config_known_tcp_ports.c

@@ -14,10 +14,10 @@
 /*	in the settings argument, and reports any warnings to the standard
 /*	error stream. The source argument is used to provide warning
 /*	context. It typically is a configuration parameter name.
-/* .SH EXPECTED SYNTAX (ABNF)
+/* EXPECTED SYNTAX (ABNF)
 /*	configuration = empty | name-to-port *("," name-to-port)
 /*	name-to-port = 1*(name "=") port
-/* SH EXAMPLES
+/* EXAMPLES
 /*	In the example below, the whitespace is optional.
 /*	smtp = 25, smtps = submissions = 465, submission = 587
 /* LICENSE

postfix/src/global/data_redirect.c

@@ -227,7 +227,7 @@ int     main(int argc, char **argv)
 	    vstream_fflush(VSTREAM_OUT);
 	    continue;
 	}
-	target = mystrtokq(&bufp, " \t");
+	target = mystrtokq(&bufp, " \t", CHARS_BRACE);
 	junk = mystrtok(&bufp, " \t");
 	if (strcmp(cmd, "file") == 0 && target && !junk) {
 	    data_redirect_file(result, target);

postfix/src/global/dict_ldap.c

@@ -1876,7 +1876,7 @@ DICT   *dict_ldap_open(const char *ldapsource, int open_flags, int dict_flags)
      * Return the new dict_ldap structure.
      */
     dict_ldap->dict.owner = cfg_get_owner(dict_ldap->parser);
-    return (DICT_DEBUG (&dict_ldap->dict));
+    return (&dict_ldap->dict);
 }
 
 #endif

postfix/src/global/dict_memcache.c

@@ -50,9 +50,11 @@
 
 /* Utility library. */
 
+#include <hex_code.h>
 #include <msg.h>
 #include <mymalloc.h>
 #include <dict.h>
+#include <ossl_digest.h>
 #include <vstring.h>
 #include <stringops.h>
 #include <auto_clnt.h>
@@ -75,6 +77,11 @@ typedef struct {
     DICT    dict;			/* parent class */
     CFG_PARSER *parser;			/* common parameter parser */
     void   *dbc_ctxt;			/* db_common context */
+    char   *key_digest;			/* digest the query key */
+#ifdef USE_TLS
+    OSSL_DGST *key_dgst_eng;		/* digest engine */
+    VSTRING *key_dgst_out;		/* digest result */
+#endif
     char   *key_format;			/* query key translation */
     int     timeout;			/* client timeout */
     int     mc_ttl;			/* memcache update expiration */
@@ -99,6 +106,7 @@ typedef struct {
 #define DICT_MC_DEF_PORT	"11211"
 #define DICT_MC_DEF_MEMCACHE	"inet:" DICT_MC_DEF_HOST ":" DICT_MC_DEF_PORT
 #define DICT_MC_DEF_KEY_FMT	"%s"
+#define DICT_MC_DEF_KEY_DGST	""
 #define DICT_MC_DEF_MC_TTL	3600
 #define DICT_MC_DEF_MC_TIMEOUT	2
 #define DICT_MC_DEF_MC_FLAGS	0
@@ -109,6 +117,7 @@ typedef struct {
 
 #define DICT_MC_NAME_MEMCACHE	"memcache"
 #define DICT_MC_NAME_BACKUP	"backup"
+#define DICT_MC_NAME_KEY_DGST	"key_digest"
 #define DICT_MC_NAME_KEY_FMT	"key_format"
 #define DICT_MC_NAME_MC_TTL	"ttl"
 #define DICT_MC_NAME_MC_TIMEOUT	"timeout"
@@ -163,7 +172,7 @@ static int dict_memcache_set(DICT_MC *dict_mc, const char *value, int ttl)
 			 DICT_TYPE_MEMCACHE, dict_mc->dict.name);
 	} else if (strcmp(STR(dict_mc->clnt_buf), "STORED") != 0) {
 	    if (count > 0)
-		msg_warn("database %s:%s: update failed: %.30s",
+		msg_warn("database %s:%s: update failed: %.100s",
 			 DICT_TYPE_MEMCACHE, dict_mc->dict.name,
 			 STR(dict_mc->clnt_buf));
 	} else {
@@ -285,6 +294,20 @@ static ssize_t dict_memcache_prepare_key(DICT_MC *dict_mc, const char *name)
     } else {
 	vstring_strcpy(dict_mc->key_buf, name);
     }
+#ifdef USE_TLS
+    if (dict_mc->key_dgst_eng) {
+	if (ossl_digest_data(dict_mc->key_dgst_eng, STR(dict_mc->key_buf),
+			LEN(dict_mc->key_buf), dict_mc->key_dgst_out) < 0) {
+	    ossl_digest_log_errors(msg_warn);
+	    msg_warn("%s:%s: %s message digest failed",
+		     DICT_TYPE_MEMCACHE, dict_mc->dict.name,
+		     dict_mc->key_digest);
+	    return (-1);
+	}
+	hex_encode_opt(dict_mc->key_buf, STR(dict_mc->key_dgst_out),
+		     LEN(dict_mc->key_dgst_out), HEX_ENCODE_FLAG_LOWERCASE);
+    }
+#endif
 
     /*
      * The length indicates whether the expansion is empty or not.
@@ -315,8 +338,10 @@ static int dict_memcache_valid_key(DICT_MC *dict_mc,
 	DICT_MC_SKIP("domain mismatch");
     if (rc < 0)
 	DICT_ERR_VAL_RETURN(dict_mc, rc, 0);
-    if (dict_memcache_prepare_key(dict_mc, name) == 0)
+    if ((rc = dict_memcache_prepare_key(dict_mc, name)) == 0)
 	DICT_MC_SKIP("empty lookup key expansion");
+    if (rc < 0)
+	DICT_ERR_VAL_RETURN(dict_mc, rc, 0);
     for (cp = (unsigned char *) STR(dict_mc->key_buf); *cp; cp++)
 	if (isascii(*cp) && isspace(*cp))
 	    DICT_MC_SKIP("name contains space");
@@ -480,6 +505,14 @@ static void dict_memcache_close(DICT *dict)
 
     cfg_parser_free(dict_mc->parser);
     db_common_free_ctx(dict_mc->dbc_ctxt);
+    if (dict_mc->key_digest)
+	myfree(dict_mc->key_digest);
+#ifdef USE_TLS
+    if (dict_mc->key_dgst_eng)
+	ossl_digest_free(dict_mc->key_dgst_eng);
+    if (dict_mc->key_dgst_out)
+	vstring_free(dict_mc->key_dgst_out);
+#endif
     if (dict_mc->key_format)
 	myfree(dict_mc->key_format);
     myfree(dict_mc->memcache);
@@ -542,6 +575,19 @@ DICT   *dict_memcache_open(const char *name, int open_flags, int dict_flags)
      * Parse the configuration file.
      */
     dict_mc->parser = parser;
+    dict_mc->key_digest = cfg_get_str(dict_mc->parser, DICT_MC_NAME_KEY_DGST,
+				      DICT_MC_DEF_KEY_DGST, 0, 0);
+#ifdef USE_TLS
+    if (*dict_mc->key_digest) {
+	if ((dict_mc->key_dgst_eng = ossl_digest_new(dict_mc->key_digest)) == 0)
+	    /* See below for dict_surrogate() error propagation. */
+	    ossl_digest_log_errors(msg_warn);
+	dict_mc->key_dgst_out = vstring_alloc(1);
+    } else {
+	dict_mc->key_dgst_eng = 0;
+	dict_mc->key_dgst_out = 0;
+    }
+#endif
     dict_mc->key_format = cfg_get_str(dict_mc->parser, DICT_MC_NAME_KEY_FMT,
 				      DICT_MC_DEF_KEY_FMT, 0, 0);
     dict_mc->timeout = cfg_get_int(dict_mc->parser, DICT_MC_NAME_MC_TIMEOUT,
@@ -594,5 +640,27 @@ DICT   *dict_memcache_open(const char *name, int open_flags, int dict_flags)
 
     dict_mc->dict.flags |= DICT_FLAG_MULTI_WRITER;
 
+#ifdef USE_TLS
+    if (*dict_mc->key_digest && dict_mc->key_dgst_eng == 0) {
+	/* See above for ossl_digest_new() error detection. */
+	DICT   *d = dict_surrogate(DICT_TYPE_MEMCACHE, name,
+				   open_flags, dict_flags,
+				   "open %s: key digest %s is not available",
+				   name, dict_mc->key_digest);
+
+	dict_memcache_close(&dict_mc->dict);
+	return (d);
+    }
+#else
+    if (*dict_mc->key_digest) {
+	DICT   *d = dict_surrogate(DICT_TYPE_MEMCACHE, name,
+				   open_flags, dict_flags, "%s support "
+				   "requires build with -DUSE_TLS",
+				   DICT_MC_NAME_KEY_DGST);
+
+	dict_memcache_close(&dict_mc->dict);
+	return (d);
+    }
+#endif
     return (&dict_mc->dict);
 }

postfix/src/global/dict_mongodb.c

@@ -564,7 +564,7 @@ DICT   *dict_mongodb_open(const char *name, int open_flags, int dict_flags)
 
     mongoc_uri_destroy(uri);
     mongoc_client_set_error_api(dict_mongodb->client, MONGOC_ERROR_API_VERSION_2);
-    return (DICT_DEBUG (&dict_mongodb->dict));
+    return (&dict_mongodb->dict);
 }
 
 #endif

postfix/src/global/dict_mysql.c

@@ -759,7 +759,7 @@ static void mysql_parse_config(DICT_MYSQL *dict_mysql, const char *mysqlcf)
     }
     /* Don't blacklist the load balancer! */
     if (dict_mysql->hosts->argc == 1)
-        argv_add(dict_mysql->hosts, dict_mysql->hosts->argv[0], (char *) 0);
+	argv_add(dict_mysql->hosts, dict_mysql->hosts->argv[0], (char *) 0);
     myfree(hosts);
 }
 
@@ -797,7 +797,7 @@ DICT   *dict_mysql_open(const char *name, int open_flags, int dict_flags)
     if (dict_mysql->pldb == NULL)
 	msg_fatal("couldn't initialize pldb!\n");
     dict_mysql->dict.owner = cfg_get_owner(dict_mysql->parser);
-    return (DICT_DEBUG (&dict_mysql->dict));
+    return (&dict_mysql->dict);
 }
 
 /*

postfix/src/global/dict_pgsql.c

@@ -744,7 +744,7 @@ DICT   *dict_pgsql_open(const char *name, int open_flags, int dict_flags)
 	return (ret);
     }
     dict_pgsql->dict.owner = cfg_get_owner(dict_pgsql->parser);
-    return (DICT_DEBUG (&dict_pgsql->dict));
+    return (&dict_pgsql->dict);
 }
 
 /* plpgsql_init - initialize a PGSQL database */

postfix/src/global/dict_proxy.c

@@ -113,6 +113,7 @@ static int dict_proxy_sequence(DICT *dict, int function,
     VSTREAM *stream;
     int     status;
     int     count = 0;
+    int     inst_flags;
     int     request_flags;
 
     /*
@@ -126,8 +127,8 @@ static int dict_proxy_sequence(DICT *dict, int function,
     VSTRING_TERMINATE(dict_proxy->reskey);
     VSTRING_RESET(dict_proxy->result);
     VSTRING_TERMINATE(dict_proxy->result);
-    request_flags = dict_proxy->inst_flags
-	| (dict->flags & DICT_FLAG_RQST_MASK);
+    inst_flags = dict_proxy->inst_flags;
+    request_flags = dict->flags;
     for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
 	errno = 0;
@@ -136,15 +137,17 @@ static int dict_proxy_sequence(DICT *dict, int function,
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_SEQUENCE),
 			  SEND_ATTR_STR(MAIL_ATTR_TABLE, dict->name),
+			  SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, inst_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, request_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FUNC, function),
 			  ATTR_TYPE_END) != 0
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
 			 RECV_ATTR_INT(MAIL_ATTR_STATUS, &status),
+			 RECV_ATTR_INT(MAIL_ATTR_FLAGS, &dict->flags),
 			 RECV_ATTR_STR(MAIL_ATTR_KEY, dict_proxy->reskey),
 			 RECV_ATTR_STR(MAIL_ATTR_VALUE, dict_proxy->result),
-			 ATTR_TYPE_END) != 3) {
+			 ATTR_TYPE_END) != 4) {
 	    if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno != ENOENT))
 		msg_warn("%s: service %s: %m", myname, dict_proxy->service);
 	} else {
@@ -194,6 +197,7 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
     VSTREAM *stream;
     int     status;
     int     count = 0;
+    int     inst_flags;
     int     request_flags;
 
     /*
@@ -205,8 +209,8 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
      */
     VSTRING_RESET(dict_proxy->result);
     VSTRING_TERMINATE(dict_proxy->result);
-    request_flags = dict_proxy->inst_flags
-	| (dict->flags & DICT_FLAG_RQST_MASK);
+    inst_flags = dict_proxy->inst_flags;
+    request_flags = dict->flags;
     for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
 	errno = 0;
@@ -215,14 +219,16 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_LOOKUP),
 			  SEND_ATTR_STR(MAIL_ATTR_TABLE, dict->name),
+			  SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, inst_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, request_flags),
 			  SEND_ATTR_STR(MAIL_ATTR_KEY, key),
 			  ATTR_TYPE_END) != 0
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
 			 RECV_ATTR_INT(MAIL_ATTR_STATUS, &status),
+			 RECV_ATTR_INT(MAIL_ATTR_FLAGS, &dict->flags),
 			 RECV_ATTR_STR(MAIL_ATTR_VALUE, dict_proxy->result),
-			 ATTR_TYPE_END) != 2) {
+			 ATTR_TYPE_END) != 3) {
 	    if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno != ENOENT))
 		msg_warn("%s: service %s: %m", myname, dict_proxy->service);
 	} else {
@@ -267,6 +273,7 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
     VSTREAM *stream;
     int     status;
     int     count = 0;
+    int     inst_flags;
     int     request_flags;
 
     /*
@@ -276,8 +283,8 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
      * associated with a specific connection. Each lookup needs to specify
      * the table and the flags that were specified to dict_proxy_open().
      */
-    request_flags = dict_proxy->inst_flags
-	| (dict->flags & DICT_FLAG_RQST_MASK);
+    inst_flags = dict_proxy->inst_flags;
+    request_flags = dict->flags;
     for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
 	errno = 0;
@@ -286,6 +293,7 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_UPDATE),
 			  SEND_ATTR_STR(MAIL_ATTR_TABLE, dict->name),
+			  SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, inst_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, request_flags),
 			  SEND_ATTR_STR(MAIL_ATTR_KEY, key),
 			  SEND_ATTR_STR(MAIL_ATTR_VALUE, value),
@@ -293,7 +301,8 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
 			 RECV_ATTR_INT(MAIL_ATTR_STATUS, &status),
-			 ATTR_TYPE_END) != 1) {
+			 RECV_ATTR_INT(MAIL_ATTR_FLAGS, &dict->flags),
+			 ATTR_TYPE_END) != 2) {
 	    if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno != ENOENT))
 		msg_warn("%s: service %s: %m", myname, dict_proxy->service);
 	} else {
@@ -337,6 +346,7 @@ static int dict_proxy_delete(DICT *dict, const char *key)
     VSTREAM *stream;
     int     status;
     int     count = 0;
+    int     inst_flags;
     int     request_flags;
 
     /*
@@ -346,8 +356,8 @@ static int dict_proxy_delete(DICT *dict, const char *key)
      * associated with a specific connection. Each lookup needs to specify
      * the table and the flags that were specified to dict_proxy_open().
      */
-    request_flags = dict_proxy->inst_flags
-	| (dict->flags & DICT_FLAG_RQST_MASK);
+    inst_flags = dict_proxy->inst_flags;
+    request_flags = dict->flags;
     for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
 	errno = 0;
@@ -356,13 +366,15 @@ static int dict_proxy_delete(DICT *dict, const char *key)
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_DELETE),
 			  SEND_ATTR_STR(MAIL_ATTR_TABLE, dict->name),
+			  SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, inst_flags),
 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, request_flags),
 			  SEND_ATTR_STR(MAIL_ATTR_KEY, key),
 			  ATTR_TYPE_END) != 0
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
 			 RECV_ATTR_INT(MAIL_ATTR_STATUS, &status),
-			 ATTR_TYPE_END) != 1) {
+			 RECV_ATTR_INT(MAIL_ATTR_FLAGS, &dict->flags),
+			 ATTR_TYPE_END) != 2) {
 	    if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno !=
 					     ENOENT))
 		msg_warn("%s: service %s: %m", myname, dict_proxy->service);
@@ -478,16 +490,20 @@ DICT   *dict_proxy_open(const char *map, int open_flags, int dict_flags)
     dict_proxy->dict.delete = dict_proxy_delete;
     dict_proxy->dict.sequence = dict_proxy_sequence;
     dict_proxy->dict.close = dict_proxy_close;
-    dict_proxy->inst_flags = (dict_flags & DICT_FLAG_INST_MASK);
+    dict_proxy->inst_flags = dict_flags;
     dict_proxy->reskey = vstring_alloc(10);
     dict_proxy->result = vstring_alloc(10);
     dict_proxy->clnt = *pstream;
     dict_proxy->service = service;
 
+#define DICT_PROXY_ERR_RETURN(d) do { \
+	DICT *_d = (d); \
+	dict_proxy_close(&dict_proxy->dict); \
+	return (_d); \
+    } while (0)
+
     /*
      * Establish initial contact and get the map type specific flags.
-     * 
-     * XXX Should retrieve flags from local instance.
      */
     for (;;) {
 	stream = clnt_stream_access(dict_proxy->clnt);
@@ -496,7 +512,7 @@ DICT   *dict_proxy_open(const char *map, int open_flags, int dict_flags)
 	    || attr_print(stream, ATTR_FLAG_NONE,
 			  SEND_ATTR_STR(MAIL_ATTR_REQ, PROXY_REQ_OPEN),
 		      SEND_ATTR_STR(MAIL_ATTR_TABLE, dict_proxy->dict.name),
-		     SEND_ATTR_INT(MAIL_ATTR_FLAGS, dict_proxy->inst_flags),
+		 SEND_ATTR_INT(MAIL_ATTR_INST_FLAGS, dict_proxy->inst_flags),
 			  ATTR_TYPE_END) != 0
 	    || vstream_fflush(stream)
 	    || attr_scan(stream, ATTR_FLAG_STRICT,
@@ -512,15 +528,18 @@ DICT   *dict_proxy_open(const char *map, int open_flags, int dict_flags)
 			 dict_flags_str(server_flags));
 	    switch (status) {
 	    case PROXY_STAT_BAD:
-		msg_fatal("%s open failed for table \"%s\": invalid request",
-			  dict_proxy->service, dict_proxy->dict.name);
+		DICT_PROXY_ERR_RETURN(dict_surrogate(DICT_TYPE_PROXY,
+			      dict_proxy->dict.name, open_flags, dict_flags,
+			 "%s open failed for table \"%s\": invalid request",
+			       dict_proxy->service, dict_proxy->dict.name));
 	    case PROXY_STAT_DENY:
-		msg_fatal("%s service is not configured for table \"%s\"",
-			  dict_proxy->service, dict_proxy->dict.name);
+		DICT_PROXY_ERR_RETURN(dict_surrogate(DICT_TYPE_PROXY,
+			      dict_proxy->dict.name, open_flags, dict_flags,
+			    "%s service is not configured for table \"%s\"",
+			       dict_proxy->service, dict_proxy->dict.name));
 	    case PROXY_STAT_OK:
-		dict_proxy->dict.flags = (dict_flags & ~DICT_FLAG_IMPL_MASK)
-		    | (server_flags & DICT_FLAG_IMPL_MASK);
-		return (DICT_DEBUG (&dict_proxy->dict));
+		dict_proxy->dict.flags = server_flags;
+		return (&dict_proxy->dict);
 	    default:
 		msg_warn("%s open failed for table \"%s\": unexpected status %d",
 			 dict_proxy->service, dict_proxy->dict.name, status);

postfix/src/global/dict_sqlite.c

@@ -34,9 +34,13 @@
 /*	Must be O_RDONLY.
 /* .IP dict_flags
 /*	See dict_open(3).
+/* DIAGNOSTICS
+/*	dict_sqlite_open() logs a warning when the query parameter value
+/*	does not use the recommended '' quotes to protect against SQL
+/*	injection (bad examples; no quotes or "" quotes).
 /* SEE ALSO
 /*	dict(3) generic dictionary manager
-/*	sqlite_table(5) sqlite client configuration
+/*	sqlite_table(5) Postfix sqlite client configuration
 /* AUTHOR(S)
 /*	Axel Steiner
 /*	ast@treibsand.com
@@ -46,12 +50,16 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
+/*
+/*	Wietse Venema
+/*	porcupine.org
 /*--*/
 
 /* System library. */
 
 #include <sys_defs.h>
 #include <string.h>
+#include <ctype.h>
 
 #ifdef HAS_SQLITE
 #include <sqlite3.h>
@@ -250,6 +258,38 @@ static const char *dict_sqlite_lookup(DICT *dict, const char *name)
 	    retval : 0);
 }
 
+/* flag_non_recommended_query - as the name says. */
+
+static void flag_non_recommended_query(const char *query,
+				               const char *sqlitecf)
+{
+    const char *cp;
+    int     in_quote;
+    const int squote = '\'';
+    const int dquote = '"';
+
+    for (in_quote = 0, cp = query; *cp != 0; cp++) {
+	if (in_quote == 0) {
+	    if (*cp == squote || *cp == dquote)
+		in_quote = *cp;
+	} else if (*cp == in_quote) {
+	    in_quote = 0;
+	}
+	if (in_quote == squote)
+	    continue;
+	if (*cp == '%') {
+	    if (cp[1] == '%') {
+		cp += 1;
+	    } else if (ISALNUM(cp[1])) {
+		msg_warn("%s:%s: query >%s< contains >%.2s< without the "
+			 "recommended '' quotes", DICT_TYPE_SQLITE, sqlitecf,
+			 query, cp);
+		cp += 1;
+	    }
+	}
+    }
+}
+
 /* sqlite_parse_config - parse sqlite configuration file */
 
 static void sqlite_parse_config(DICT_SQLITE *dict_sqlite, const char *sqlitecf)
@@ -268,6 +308,8 @@ static void sqlite_parse_config(DICT_SQLITE *dict_sqlite, const char *sqlitecf)
 	db_common_sql_build_query(buf, dict_sqlite->parser);
 	dict_sqlite->query = vstring_export(buf);
     }
+    /* Flag %[a-zA-Z0-9] if not protected with ''. */
+    flag_non_recommended_query(dict_sqlite->query, sqlitecf);
     dict_sqlite->result_format =
 	cfg_get_str(dict_sqlite->parser, "result_format", "%s", 1, 0);
     dict_sqlite->expansion_limit =
@@ -335,7 +377,7 @@ DICT   *dict_sqlite_open(const char *name, int open_flags, int dict_flags)
     }
     dict_sqlite->dict.owner = cfg_get_owner(dict_sqlite->parser);
 
-    return (DICT_DEBUG (&dict_sqlite->dict));
+    return (&dict_sqlite->dict);
 }
 
 #endif

postfix/src/global/dict_sqlite.h

@@ -23,7 +23,6 @@
 
 extern DICT *dict_sqlite_open(const char *, int, int);
 
-
 /* AUTHOR(S)
 /*	Axel Steiner
 /*	ast@treibsand.com

postfix/src/global/dict_sqlite_test.c

@@ -0,0 +1,247 @@
+/*++
+/* NAME
+/*	dict_sqlite_test 1t
+/* SUMMARY
+/*	dict_sqlite unit test
+/* SYNOPSIS
+/*	./dict_sqlite_test
+/* DESCRIPTION
+/*	dict_sqlite_test runs and logs each configured test, reports if
+/*	a test is a PASS or FAIL, and returns an exit status of zero if
+/*	all tests are a PASS.
+/*
+/*	Each test creates a temporary test database and a corresponding
+/*	Postfix sqlite client configuration file, both having unique
+/*	names. Otherwise, each test is hermetic.
+/* LICENSE
+/* .ad
+/* .fi
+/*	The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/*	Wietse Venema porcupine.org
+/*--*/
+
+/*	
+ /*
+  * System library.
+  */
+#include <sys_defs.h>
+#include <stdlib.h>
+#include <string.h>
+
+ /*
+  * Utility library.
+  */
+#include <msg.h>
+#include <msg_vstream.h>
+#include <stringops.h>
+
+ /*
+  * Global library.
+  */
+#include <dict_sqlite.h>
+
+ /*
+  * TODO(wietse) make this a proper VSTREAM interface or test helper API.
+  */
+
+/* vstream_swap - capture output for testing */
+
+static void vstream_swap(VSTREAM *one, VSTREAM *two)
+{
+    VSTREAM save;
+
+    save = *one;
+    *one = *two;
+    *two = save;
+}
+
+ /*
+  * Override the printable.c module because it may break some tests.
+  * 
+  * TODO(wietse) move this to a fake_printable.c module that can override all
+  * printable.c global symbols.
+  */
+int     util_utf8_enable;
+
+char   *printable_except(char *string, int replacement, const char *except)
+{
+    return (string);
+}
+
+ /*
+  * Scaffolding for dict_sqlite(3) tests.
+  */
+
+/* create_and_populate_db - create an empty database and optionally populate */
+
+static void create_and_populate_db(char *dbpath, const char *commands)
+{
+    int     fd;
+
+    /*
+     * Create an empty database file with a unique name. Assume that an
+     * adversary cannot rename or remove the file.
+     */
+    if ((fd = mkstemp(dbpath)) < 0)
+	msg_fatal("mkstemp(\"%s\"): %m", dbpath);
+    if (close(fd) < 0)
+	msg_fatal("close %s: %m", dbpath);
+
+    /*
+     * TODO(wietse) Open the database file, prepare and execute commands
+     * to populate the database, and close the database.
+     */
+    if (commands) {
+	msg_fatal("commands are not yet supported");
+    }
+}
+
+/* create_and_populate_cf - create sqlite_table(5) configuration file */
+
+static void create_and_populate_cf(char *cfpath, const char *dbpath,
+				          const char *cftext)
+{
+    int     fd;
+    VSTREAM *fp;
+
+    /*
+     * Create an empty sqlite_table(5) configuration file with a unique name.
+     * Assume that an adversary cannot rename or remove the file.
+     */
+    if ((fd = mkstemp(cfpath)) < 0)
+	msg_fatal("mkstemp(\"%s\"): %m", cfpath);
+    if ((fp = vstream_fdopen(fd, O_WRONLY)) == 0)
+	msg_fatal("vstream_fdopen: %m");
+    (void) vstream_fprintf(fp, "%s\ndbpath = %s\n", cftext, dbpath);
+    if (vstream_fclose(fp) != 0)
+	msg_fatal("vstream_fdclose: %m");
+}
+
+ /*
+  * Test structure. Some tests may come their own.
+  */
+typedef struct TEST_CASE {
+    const char *label;
+    int     (*action) (const struct TEST_CASE *);
+    const char *commands;		/* commands or null */
+    const char *settings;		/* sqlite_table(5) */
+    const char *exp_warning;		/* substring match or null */
+} TEST_CASE;
+
+#define PASS    (0)
+#define FAIL    (1)
+
+#define PATH_TEMPLATE	"/tmp/test-XXXXXXX"
+
+/* test_flag_non_recommended_query - flag non-recommended query payloads */
+
+static int test_flag_non_recommended_query(const TEST_CASE *tp)
+{
+    static VSTRING *msg_buf;
+    VSTREAM *memory_stream;
+    const char template[] = PATH_TEMPLATE;
+    char    dbpath[sizeof(template)];
+    char    cfpath[sizeof(template)];
+    DICT   *dict;
+
+    if (msg_buf == 0)
+	msg_buf = vstring_alloc(100);
+
+    /* Prepare scaffolding database and configuration files. */
+    memcpy(dbpath, template, sizeof(dbpath));
+    create_and_populate_db(dbpath, tp->commands);
+    memcpy(cfpath, template, sizeof(cfpath));
+    create_and_populate_cf(cfpath, dbpath, tp->settings);
+
+    /* Run the test with custom STDERR stream. */
+    VSTRING_RESET(msg_buf);
+    VSTRING_TERMINATE(msg_buf);
+    if ((memory_stream = vstream_memopen(msg_buf, O_WRONLY)) == 0)
+	msg_fatal("open memory stream: %m");
+    vstream_swap(VSTREAM_ERR, memory_stream);
+    if ((dict = dict_sqlite_open(cfpath, O_RDONLY, DICT_FLAG_UTF8_REQUEST)) != 0)
+	dict_close(dict);
+    vstream_swap(memory_stream, VSTREAM_ERR);
+    if (vstream_fclose(memory_stream))
+	msg_fatal("close memory stream: %m");
+
+    /* Cleanup scaffolding database and configuration files. */
+    if (unlink(dbpath) < 0)
+	msg_fatal("unlink %s: %m", dbpath);
+    if (unlink(cfpath) < 0)
+	msg_fatal("unlink %s: %m", cfpath);
+
+    /* Verify the results. */
+    if (tp->exp_warning == 0 && VSTRING_LEN(msg_buf) > 0) {
+	msg_warn("got warning ``%s'', want ``null''", vstring_str(msg_buf));
+	return (FAIL);
+    }
+    if (tp->exp_warning != 0
+	&& strstr(vstring_str(msg_buf), tp->exp_warning) == 0) {
+	msg_warn("got warning ``%s'', want ``%s''",
+		 vstring_str(msg_buf), tp->exp_warning);
+	return (FAIL);
+    }
+    return (PASS);
+}
+
+ /*
+  * The list of test cases.
+  */
+static const TEST_CASE test_cases[] = {
+
+    /*
+     * Tests to flag non-recommended query forms. These create an empty test
+     * database, and open it with the dict_sqlite client without querying it.
+     */
+    {.label = "no_dynamic_payload",
+	.action = test_flag_non_recommended_query,
+	.settings = "query = select a from b where c = 5",
+    },
+    {.label = "dynamic_payload_inside_recommended_quotes",
+	.action = test_flag_non_recommended_query,
+	.settings = "query = select a from b where c = 'xx%syy'",
+    },
+    {.label = "dynamic_payload_without_quotes",
+	.action = test_flag_non_recommended_query,
+	.settings = "query = select s from b where c = xx%syy",
+	.exp_warning = "contains >%s< without the recommended '' quotes",
+    },
+    {.label = "payload_inside_double_quotes",
+	.action = test_flag_non_recommended_query,
+	.settings = "query = select s from b where c = \"xx%syy\"",
+	.exp_warning = "contains >%s< without the recommended '' quotes",
+    },
+
+    /*
+     * TODO: Tests that actually populate a test database, and that query it
+     * with the dict_sqlite client.
+     */
+    {0},
+};
+
+int     main(int argc, char **argv)
+{
+    const TEST_CASE *tp;
+    int     pass = 0;
+    int     fail = 0;
+
+    msg_vstream_init(sane_basename((VSTRING *) 0, argv[0]), VSTREAM_ERR);
+
+    for (tp = test_cases; tp->label != 0; tp++) {
+	int     test_failed;
+
+	msg_info("RUN  %s", tp->label);
+	test_failed = tp->action(tp);
+	if (test_failed) {
+	    msg_info("FAIL %s", tp->label);
+	    fail++;
+	} else {
+	    msg_info("PASS %s", tp->label);
+	    pass++;
+	}
+    }
+    msg_info("PASS=%d FAIL=%d", pass, fail);
+    exit(fail != 0);
+}