From: Wietse Venema <wietse@porcupine.org>
Date: Tue, 20 Mar 2007 05:00:00 +0000 (-0500)
Subject: postfix-2.4-20070320
X-Git-Tag: v2.4.0-RC1~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=235f9bbe629f9a095c29dc6d230ddac3db7f5494;p=thirdparty%2Fpostfix.git

postfix-2.4-20070320
---

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 34c956f4e..54ec6b0ff 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -9851,7 +9851,7 @@ Apologies for any names omitted.
 	Bugfix: the test for "no debugger_command" was wrong.
 	Leandro Santi. File: global/debugger_command.c.
 
-20040117
+20041117
 
 	Robustness: the master-child protocol now includes a process
 	generation number besides the child process ID.  The process
@@ -13305,8 +13305,83 @@ Apologies for any names omitted.
 	mailbox dotlock files on all systems, and creates dotlock
 	files before opening mailbox files.  Files: util/sys_defs.h.
 
+20070301
+
+	Workaround: updated workaround for broken Solaris accept().
+	File: util/inet_listen.c.
+
+	Workaround: on some FreeBSD versions, accept(2) can fail
+	with a bogus EINVAL error. We now allow accept(2) to fail
+	for a limited number of times before terminating the process.
+	Files: master/single_server.c, master/multi_server.c.
+
+20070306
+
+	Bugfix (introduced with Postfix 2.3 Milter support): postdrop
+	reported "illegal seek" instead of "file too large".  File:
+	postdrop/postdrop.c.
+
+20070310
+
+	Cleanup: specify "undisclosed_recipients_header =" to disable
+	Postfix's "To: undisclosed-recipients:;" header for mail
+	that lists no recipient. The To: header is not required as
+	of RFC 2822.  The undisclosed_recipients_header parameter
+	value can now be an empty string, a value that was not
+	allowed with earlier Postfix versions. With Postfix 2.5 it
+	will be empty by default. Files: cleanup/cleanup.c,
+	cleanup/cleanup_message.c.
+
+20070312
+
+	Backwards compatibility: don't pad short message header
+	records when Milter support is turned off. This maintains
+	compatibility with Postfix versions that pre-date Milter
+	support. File: cleanup/cleanup_out.c.
+
+20070314
+
+	Bitrot: move the "don't run this daemon by hand" message
+	before other tests. Files: master/*server.c.
+
+20070315
+
+	Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
+	that are the only ones available in Sun's LDAP SDK. Define
+	suitable macros that work with new OpenLDAP and Sun's code.
+	Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c
+
+	Cleanup: new "leaf" and "terminal" result attributes support
+	fine-tuning of LDAP group expansion, and provide a solution
+	for the problem case where DN recursion returns both the
+	group address and the addresses of the member objects.
+	Victor Duchovni, Morgan Stanley.  Files: src/global/dict_ldap.c,
+	proto/LDAP_README.html, proto/ldap_table
+
+20070317
+
+	Idioten Sicherheit: stamp every executable file and every
+	core dump file with "mail_version=xxxxx". Adding version
+	stamps and checks to every IPC message is too much change
+	after code freeze, and requires too much time for testing.
+	File: src/global/mail_version.h and every main program file.
+
+20070320
+
+	Bugfix (introduced between 20070120 and 20070121): the
+	cleanup server stored no "delayed mail warning" queue file
+	records with "sendmail -t", and no header_checks filter/redirect
+	records or content encoding records with other mail.  File:
+	global/rec_type.h.
+
 Wish list:
 
+	Bind all deliveries to the same local delivery process,
+	making Postfix perform as poorly as monolithic mailers,
+	but giving a possibility to eliminate duplicate deliveries.
+
+	Maybe declare loop when resolve_local(mxhost) is true?
+
 	Update message content length when adding/removing headers.
 
 	Need scache size limit.
@@ -13319,6 +13394,7 @@ Wish list:
 	am using now.
 
 	Update MILTER_README with Martinec info.
+	http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
 
 	Make postcat header/body aware so people can grep headers.
 
diff --git a/postfix/README_FILES/ADDRESS_VERIFICATION_README b/postfix/README_FILES/ADDRESS_VERIFICATION_README
index 5db4991d1..70948cde9 100644
--- a/postfix/README_FILES/ADDRESS_VERIFICATION_README
+++ b/postfix/README_FILES/ADDRESS_VERIFICATION_README
@@ -5,9 +5,9 @@ PPoossttffiixx AAddddrreessss VVeerriiffiiccaattiioonn
 WWAARRNNIINNGG
 
 The sender/recipient address verification feature described in this document is
-suitable only for low-traffic sites. It performs poorly under high load and may
-cause your site to be blacklisted by some providers. See the "Limitations"
-section below for details.
+suitable only for low-traffic sites. It performs poorly under high load;
+excessive sender address verification activity may even cause your site to be
+blacklisted by some providers. See the "Limitations" section below for details.
 
 WWhhaatt PPoossttffiixx aaddddrreessss vveerriiffiiccaattiioonn ccaann ddoo ffoorr yyoouu
 
diff --git a/postfix/README_FILES/DATABASE_README b/postfix/README_FILES/DATABASE_README
index ef86f651c..c1202d22a 100644
--- a/postfix/README_FILES/DATABASE_README
+++ b/postfix/README_FILES/DATABASE_README
@@ -244,7 +244,7 @@ To find out what database types your Postfix system supports, use the "ppooss
         in tcp_table(5). The lookup table name is "tcp:host:port" where "host"
         specifies a symbolic hostname or a numeric IP address, and "port"
         specifies a symbolic service name or a numeric port number. This
-        protocol is not available up to and including Postfix version 2.2.
+        protocol is not available up to and including Postfix version 2.4.
     uunniixx (read-only)
         A limited way to query the UNIX authentication database. The following
         tables are implemented:
diff --git a/postfix/README_FILES/LDAP_README b/postfix/README_FILES/LDAP_README
index 12f31d110..dead25113 100644
--- a/postfix/README_FILES/LDAP_README
+++ b/postfix/README_FILES/LDAP_README
@@ -18,6 +18,7 @@ Topics covered in this document:
   * Configuring LDAP lookups
   * Example: aliases
   * Example: virtual domains/addresses
+  * Example: expanding LDAP groups
   * Other uses of LDAP lookups
   * Notes and things to think about
   * Feedback
@@ -96,12 +97,12 @@ in main.cf, you have:
 
 and in ldap:/etc/postfix/ldap-aliases.cf you have:
 
-    server_host = ldap.my.com
-    search_base = dc=my, dc=com
+    server_host = ldap.example.com
+    search_base = dc=example, dc=com
 
 Upon receiving mail for a local address "ldapuser" that isn't found in the /
 etc/aliases database, Postfix will search the LDAP server listening at port 389
-on ldap.my.com. It will bind anonymously, search for any directory entries
+on ldap.example.com. It will bind anonymously, search for any directory entries
 whose mailacceptinggeneralid attribute is "ldapuser", read the "maildrop"
 attributes of those found, and build a list of their maildrops, which will be
 treated as RFC822 addresses to which the message will be delivered.
@@ -116,7 +117,7 @@ want to make sure all of your virtual recipient's mailacceptinggeneralid
 attributes are fully qualified with their virtual domains. Finally, if you want
 to designate a directory entry as the default user for a virtual domain, just
 give it an additional mailacceptinggeneralid (or the equivalent in your
-directory) of "@virtual.dom". That's right, no user part. If you don't want a
+directory) of "@fake.dom". That's right, no user part. If you don't want a
 catchall user, omit this step and mail to unknown users in the domain will
 simply bounce.
 
@@ -143,12 +144,183 @@ this:
 Normal users might simply have one mailacceptinggeneralid and maildrop, e.g.
 "normaluser@fake.dom" and "normaluser@real.dom".
 
+EExxaammppllee:: eexxppaannddiinngg LLDDAAPP ggrroouuppss
+
+LDAP is frequently used to store group member information, and Postfix supports
+expanding a group's email address to the list of email addresses of the group
+members. There are a number of ways of handling LDAP groups, which will be
+illustrated via the mock LDAP entries and implied schema below. This shows two
+group entries "agroup" and "bgroup" and four user entries "auser", "buser",
+"cuser" and "duser". The group "agroup" has the users "auser" (1) and "buser"
+(2) as members via DN references in the multi-valued attribute "memberdn", and
+direct email addresses of two external users "auser@example.org" (3) and
+"buser@example.org" (4) stored in the multi-valued attribute "memberaddr". The
+same is true of "bgroup" and "cuser"/"duser" (6)/(7)/(8)/(9), but "bgroup" also
+has a "maildrop" attribute of "bgroup@mlm.example.com" (5):
+
+         dn: cn=agroup, dc=example, dc=com
+         objectclass: top
+         objectclass: ldapgroup
+         cn: agroup
+         mail: agroup@example.com
+    1 -> memberdn: uid=auser, dc=example, dc=com
+    2 -> memberdn: uid=buser, dc=example, dc=com
+    3 -> memberaddr: auser@example.org
+    4 -> memberaddr: buser@example.org
+
+         dn: cn=bgroup, dc=example, dc=com
+         objectclass: top
+         objectclass: ldapgroup
+         cn: bgroup
+         mail: bgroup@example.com
+    5 -> maildrop: bgroup@mlm.example.com
+    6 -> memberdn: uid=cuser, dc=example, dc=com
+    7 -> memberdn: uid=duser, dc=example, dc=com
+    8 -> memberaddr: cuser@example.org
+    9 -> memberaddr: duser@example.org
+
+         dn: uid=auser, dc=example, dc=com
+         objectclass: top
+         objectclass: ldapuser
+         uid: auser
+    10 -> mail: auser@example.com
+    11 -> maildrop: auser@mailhub.example.com
+
+         dn: uid=buser, dc=example, dc=com
+         objectclass: top
+         objectclass: ldapuser
+         uid: buser
+    12 -> mail: buser@example.com
+    13 -> maildrop: buser@mailhub.example.com
+
+         dn: uid=cuser, dc=example, dc=com
+         objectclass: top
+         objectclass: ldapuser
+         uid: cuser
+    14 -> mail: cuser@example.com
+
+         dn: uid=duser, dc=example, dc=com
+         objectclass: top
+         objectclass: ldapuser
+         uid: duser
+    15 -> mail: duser@example.com
+
+Our first use case ignores the "memberdn" attributes, and assumes that groups
+hold only direct "memberaddr" strings as in (3), (4), (8) and (9). The goal is
+to map the group address to the list of constituent "memberaddr" values. This
+is simple, ignoring the various connection related settings (hosts, ports, bind
+settings, timeouts, ...) we have:
+
+        simple.cf:
+            ...
+            search_base = dc=example, dc=com
+            query_filter = mail=%s
+            result_attribute = memberaddr
+        $ postmap -q agroup@example.com ldap:simple.cf
+        auser@example.org,buser@example.org
+
+We search "dc=example, dc=com". The "mail" attribute is used in the
+query_filter to locate the right group, the "result_attribute" setting
+described in ldap_table(5) is used to specify that "memberaddr" values from the
+matching group are to be returned as a comma separated list. Always check
+tables using postmap(1) with the "-q" option, before deploying them into
+production use in main.cf.
+
+Our second use case also expands "memberdn" attributes (1), (2), (6) and (7),
+follows the DN references and returns the "maildrop" of the referenced user
+entries. Here we use the "special_result_attribute" setting from ldap_table(5)
+to designate the "memberdn" attribute as holding DNs of the desired member
+entries. The "result_attribute" setting selects which attributes are returned
+from the selected DNs. It is important to choose a result attribute that is not
+also present in the group object, because result attributes are collected from
+both the group and the member DNs. In this case we choose "maildrop" and assume
+for the moment that groups never have a "maildrop" (the "bgroup" "maildrop"
+attribute is for a different use case). The returned data for "auser" and
+"buser" is from items (11) and (13) in the mock data.
+
+        special.cf:
+            ...
+            search_base = dc=example, dc=com
+            query_filter = mail=%s
+            result_attribute = memberaddr, maildrop
+            special_result_attribute = memberdn
+        $ postmap -q agroup@example.com ldap:special.cf
+
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+
+Note: if the desired member object result attribute is always also present in
+the group, you get suprising results, the expansion also returns the address of
+the group. This is a known limitation of Postfix releases prior to 2.4, and is
+addressed in the new with Postfix 2.4 "leaf_result_attribute" feature described
+in ldap_table(5).
+
+Our third use case has some groups that are expanded immediately, and other
+groups that are forwarded to a dedicated mailing list manager host for delayed
+expansion. This uses two LDAP tables, one for users and forwarded groups and a
+second for groups that can be expanded immediately. It is assumed that groups
+that require forwarding are never nested members of groups that are directly
+expanded.
+
+        no_expand.cf:
+            ...
+            search_base = dc=example, dc=com
+            query_filter = mail=%s
+            result_attribute = maildrop
+        expand.cf
+            ...
+            search_base = dc=example, dc=com
+            query_filter = mail=%s
+            result_attribute = memberaddr, maildrop
+            special_result_attribute = memberdn
+        $ postmap -q auser@example.com ldap:no_expand.cf ldap:expand.cf
+        auser@mailhub.example.com
+        $ postmap -q agroup@example.com ldap:no_expand.cf ldap:expand.cf
+
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+        $ postmap -q bgroup@example.com ldap:no_expand.cf ldap:expand.cf
+        bgroup@mlm.example.com
+
+Non-group objects and groups with delayed expansion (those that have a maildrop
+attribute) are rewritten to a single maildrop value. Groups that don't have a
+maildrop are expanded as the second use case. This admits a more elegant
+solution with Postfix 2.4 and later.
+
+Our final use case is the same as the third, but this time uses new features in
+Postfix 2.4. We now are able to use just one LDAP table and no longer need to
+assume that forwarded groups are never nested inside expanded groups.
+
+        fancy.cf:
+            ...
+            search_base = dc=example, dc=com
+            query_filter = mail=%s
+            result_attribute = memberaddr
+            special_result_attribute = memberdn
+            terminal_result_attribute = maildrop
+            leaf_result_attribute = mail
+        $ postmap -q auser@example.com ldap:fancy.cf
+        auser@mailhub.example.com
+        $ postmap -q cuser@example.com ldap:fancy.cf
+        cuser@example.com
+        $ postmap -q agroup@example.com ldap:fancy.cf
+
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+        $ postmap -q bgroup@example.com ldap:fancy.cf
+        bgroup@mlm.example.com
+
+Above, delayed expansion is enabled via "terminal_result_attribute", which, if
+present, is used as the sole result and all other expansion is suppressed.
+Otherwise, the "leaf_result_attribute" is only returned for leaf objects that
+don't have a "special_result_attribute" (non-groups), while the
+"result_attribute" (direct member address of groups) is returned at every level
+of recursive expansion, not just the leaf nodes. This fancy example illustrates
+all the features of Postfix 2.4 group expansion.
+
 OOtthheerr uusseess ooff LLDDAAPP llooookkuuppss
 
 Other common uses for LDAP lookups include rewriting senders and recipients
 with Postfix's canonical lookups, for example in order to make mail leaving
-your site appear to be coming from "First.Last@site.dom" instead of
-"userid@site.dom".
+your site appear to be coming from "First.Last@example.com" instead of
+"userid@example.com".
 
 NNootteess aanndd tthhiinnggss ttoo tthhiinnkk aabboouutt
 
@@ -166,9 +338,9 @@ NNootteess aanndd tthhiinnggss ttoo tthhiinnkk aabboouu
     define an entry intended for use as a mailing list that looks like this
     (Warning! Schema made up just for this example):
 
-        dn: cn=Accounting Staff List, dc=my, dc=com
+        dn: cn=Accounting Staff List, dc=example, dc=com
         cn: Accounting Staff List
-        o: my.com
+        o: example.com
         objectclass: maillist
         mailacceptinggeneralid: accountingstaff
         mailacceptinggeneralid: accounting-staff
diff --git a/postfix/README_FILES/QSHAPE_README b/postfix/README_FILES/QSHAPE_README
index fc04162d5..05c546a87 100644
--- a/postfix/README_FILES/QSHAPE_README
+++ b/postfix/README_FILES/QSHAPE_README
@@ -4,15 +4,11 @@ PPoossttffiixx BBoottttlleenneecckk AAnnaallyyssiiss
 
 PPuurrppoossee ooff tthhiiss ddooccuummeenntt
 
-This document describes the qshape(1) program which helps the administrator
-understand the Postfix queue message distribution sorted by time and by sender
-or recipient domain. qshape(1) is bundled with the Postfix 2.1 source under the
-"auxiliary" directory.
-
-In order to understand the output of qshape(1), it useful to understand the
-various Postfix queues. To this end the role of each Postfix queue directory is
-described briefly in the "Background info: Postfix queue directories" section
-near the end of this document.
+This document is an introduction to Postfix queue congestion analysis. It
+explains how the qshape(1) program can help to track down the reason for queue
+congestion. qshape(1) is bundled with Postfix 2.1 and later source code, under
+the "auxiliary" directory. This document describes qshape(1) as bundled with
+Postfix 2.4.
 
 This document covers the following topics:
 
@@ -22,7 +18,7 @@ This document covers the following topics:
   * Example 2: Deferred queue full of dictionary attack bounces
   * Example 3: Congestion in the active queue
   * Example 4: High volume destination backlog
-  * Background info: Postfix queue directories
+  * Postfix queue directories
 
       o The "maildrop" queue
       o The "hold" queue
@@ -69,14 +65,20 @@ sender domain distribution for captured spam in the "hold" queue:
     10 and 20 minutes old, 1 between 320 and 640 minutes old and 12 older than
     1280 minutes (1440 minutes in a day).
 
+When the output is a terminal intermediate results showing the top 20 domains
+(-n option) are displayed after every 1000 messages (-N option) and the final
+output also shows only the top 20 domains. This makes qshape useful even when
+the deferred queue is very large and it may otherwise take prohibitively long
+to read the entire deferred queue.
+
 By default, qshape shows statistics for the union of both the incoming and
 active queues which are the most relevant queues to look at when analyzing
 performance.
 
 One can request an alternate list of queues:
 
-    $ qshape deferred | less
-    $ qshape incoming active deferred | less
+    $ qshape deferred
+    $ qshape incoming active deferred
 
 this will show the age distribution of the deferred queue or the union of the
 incoming active and deferred queues.
@@ -95,18 +97,19 @@ stopped.
 
 The problem destinations or sender domains appear near the top left corner of
 the output table. Remember that the active queue can accommodate up to 20000
-($qmgr_message_active_limit) messages. To check wether this limit has been
+($qmgr_message_active_limit) messages. To check whether this limit has been
 reached, use:
 
-    $ qshape -s active | head       (show sender statistics)
+    $ qshape -s active       (show sender statistics)
 
 If the total sender count is below 20000 the active queue is not yet saturated,
 any high volume sender domains show near the top of the output.
 
-The active queue is also limited to at most 20000 recipient addresses
-($qmgr_message_recipient_limit). To check for exhaustion of this limit use:
+With oqmgr(8) the active queue is also limited to at most 20000 recipient
+addresses ($qmgr_message_recipient_limit). To check for exhaustion of this
+limit use:
 
-    $ qshape active | head          (show recipient statistics)
+    $ qshape active          (show recipient statistics)
 
 Having found the high volume domains, it is often useful to search the logs for
 recent messages pertaining to the domains in question.
@@ -268,7 +271,10 @@ for the queue manager to mark the destination as "dead" despite the transient
 nature of the errors. The destination will be retried again after the
 expiration of a $minimal_backoff_time timer. If the error bursts are frequent
 enough it may be that only a small quantity of email is delivered before the
-destination is again marked "dead".
+destination is again marked "dead". In some cases enabling static (not on
+demand) connection caching by listing the appropriate nexthop domain in a table
+included in "smtp_connection_cache_destinations" may help to reduce the error
+rate, because most messages will re-use existing connections.
 
 The MTA that has been observed most frequently to exhibit such bursts of errors
 is Microsoft Exchange, which refuses connections under load. Some proxy virus
@@ -276,14 +282,13 @@ scanners in front of the Exchange server propagate the refused connection to
 the client as a "421" error.
 
 Note that it is now possible to configure Postfix to exhibit similarly erratic
-behavior by misconfiguring the anvil(8) server (not included in Postfix 2.1.).
-Do not use anvil(8) for steady-state rate limiting, its purpose is DoS
-prevention and the rate limits set should be very generous!
+behavior by misconfiguring the anvil(8) service. Do not use anvil(8) for
+steady-state rate limiting, its purpose is (unintentional) DoS prevention and
+the rate limits set should be very generous!
 
-In the long run it is hoped that the Postfix dead host detection and
-concurrency control mechanism will be tuned to be more "noise" tolerant. If one
-finds oneself needing to deliver a high volume of mail to a destination that
-exhibits frequent brief bursts of errors, there is a subtle workaround.
+If one finds oneself needing to deliver a high volume of mail to a destination
+that exhibits frequent brief bursts of errors and connection caching does not
+solve the problem, there is a subtle workaround.
 
   * In master.cf set up a dedicated clone of the "smtp" transport for the
     destination in question.
@@ -292,15 +297,15 @@ exhibits frequent brief bursts of errors, there is a subtle workaround.
     number in the 10-20 range is typical).
 
   * IMPORTANT!!! In main.cf configure a very large initial and destination
-    concurrency limit for this transport (say 200).
+    concurrency limit for this transport (say 2000).
 
     /etc/postfix/main.cf:
-        initial_destination_concurrency = 200
-        transportname_destination_concurrency_limit = 200
+        initial_destination_concurrency = 2000
+        transportname_destination_concurrency_limit = 2000
 
     Where transportname is the name of the master.cf entry in question.
 
-The effect of this surprising configuration is that up to 200 consecutive
+The effect of this surprising configuration is that up to 2000 consecutive
 errors are tolerated without marking the destination dead, while the total
 concurrency remains reasonable (10-20 processes). This trick is only for a very
 specialized situation: high volume delivery into a channel with multi-error
@@ -334,7 +339,7 @@ connection caching is introduced.
 Hopefully a more elegant solution to these problems will be found in the
 future.
 
-BBaacckkggrroouunndd iinnffoo:: PPoossttffiixx qquueeuuee ddiirreeccttoorriieess
+PPoossttffiixx qquueeuuee ddiirreeccttoorriieess
 
 The following sections describe Postfix queues: their purpose, what normal
 behavior looks like, and how to diagnose abnormal behavior.
@@ -355,8 +360,9 @@ the "maildrop" queue and to notify the pickup(8) service of its arrival.
 
 All mail that enters the main Postfix queue does so via the cleanup(8) service.
 The cleanup service is responsible for envelope and header rewriting, header
-and body regular expression checks, automatic bcc recipient processing and
-guaranteed insertion of the message into the Postfix "incoming" queue.
+and body regular expression checks, automatic bcc recipient processing, milter
+content processing, and reliable insertion of the message into the Postfix
+"incoming" queue.
 
 In the absence of excessive CPU consumption in cleanup(8) header or body
 regular expression checks or other software consuming all available CPU
@@ -372,16 +378,16 @@ not negligible) of the cleanup service.
 
 Congestion in this queue is indicative of an excessive local message submission
 rate or perhaps excessive CPU consumption in the cleanup(8) service due to
-excessive body_checks.
+excessive body_checks, or (Postfix >= 2.3) high latency milters.
 
 Note, that once the active queue is full, the cleanup service will attempt to
 slow down message injection by pausing $in_flow_delay for each message. In this
 case "maildrop" queue congestion may be a consequence of congestion downstream,
 rather than a problem in its own right.
 
-Note also, that one should not attempt to deliver large volumes of mail via the
-pickup(8) service. High volume sites must avoid using content filters that
-reinject scanned mail via Postfix sendmail(1) and postdrop(1).
+Note, you should not attempt to deliver large volumes of mail via the pickup(8)
+service. High volume sites should avoid using "simple" content filters that re-
+inject scanned mail via Postfix sendmail(1) and postdrop(1).
 
 A high arrival rate of locally submitted mail may be an indication of an
 uncaught forwarding loop, or a run-away notification program. Try to keep the
@@ -401,13 +407,12 @@ processing and placed indefinitely in the "hold" queue. Messages placed in the
 delivery attempts are made for messages in the "hold" queue. The postsuper(1)
 command can be used to manually release messages into the "deferred" queue.
 
-Messages can potentially stay in the "hold" queue for a time exceeding the
-normal maximal queue lifetime (after which undelivered messages are bounced
-back to the sender). If such "old" messages need to be released from the "hold"
-queue, they should typically be moved into the "maildrop" queue, so that the
-message gets a new timestamp and is given more than one opportunity to be
-delivered. Messages that are "young" can be moved directly into the "deferred"
-queue.
+Messages can potentially stay in the "hold" queue longer than
+$maximal_queue_lifetime. If such "old" messages need to be released from the
+"hold" queue, they should typically be moved into the "maildrop" queue using
+"postsuper -r", so that the message gets a new timestamp and is given more than
+one opportunity to be delivered. Messages that are "young" can be moved
+directly into the "deferred" queue using "postsuper -H".
 
 The "hold" queue plays little role in Postfix performance, and monitoring of
 the "hold" queue is typically more closely motivated by tracking spam and
@@ -435,10 +440,14 @@ queue as soon as they become available.
 
 The incoming queue grows when the message input rate spikes above the rate at
 which the queue manager can import messages into the active queue. The main
-factor slowing down the queue manager is transport queries to the trivial-
-rewrite service. If the queue manager is routinely not keeping up, consider not
-using "slow" lookup services (MySQL, LDAP, ...) for transport lookups or
-speeding up the hosts that provide the lookup service.
+factors slowing down the queue manager are disk I/O and lookup queries to the
+trivial-rewrite service. If the queue manager is routinely not keeping up,
+consider not using "slow" lookup services (MySQL, LDAP, ...) for transport
+lookups or speeding up the hosts that provide the lookup service. If the
+problem is I/O starvation, consider striping the queue over more disks, faster
+controllers with a battery write cache, or other hardware improvements. At the
+very least, make sure that the queue directory is mounted with the "noatime"
+option if applicable to the underlying filesystem.
 
 The in_flow_delay parameter is used to clamp the input rate when the queue
 manager starts to fall behind. The cleanup(8) service will pause for
@@ -484,22 +493,37 @@ of recipients that share the same transport/nexthop combination; the group size
 is capped by the transport's recipient concurrency limit.
 
 Multiple recipient groups (from one or more messages) are queued for delivery
-via the common transport/nexthop combination. The destination concurrency limit
-for the transports caps the number of simultaneous delivery attempts for each
-nexthop. Transports with a recipient concurrency limit of 1 are special: these
-are grouped by the actual recipient address rather than the nexthop, thereby
-enabling per-recipient concurrency limits rather than per-domain concurrency
-limits. Per-recipient limits are appropriate when performing final delivery to
+grouped by transport/nexthop combination. The ddeessttiinnaattiioonn concurrency limit for
+the transports caps the number of simultaneous delivery attempts for each
+nexthop. Transports with a rreecciippiieenntt concurrency limit of 1 are special: these
+are grouped by the actual recipient address rather than the nexthop, yielding
+per-recipient concurrency limits rather than per-domain concurrency limits.
+Per-recipient limits are appropriate when performing final delivery to
 mailboxes rather than when relaying to a remote server.
 
 Congestion occurs in the active queue when one or more destinations drain
-slower than the corresponding message input rate. If a destination is down for
-some time, the queue manager will mark it dead, and immediately defer all mail
-for the destination without trying to assign it to a delivery agent. In this
-case the messages will quickly leave the active queue and end up in the
-deferred queue. If the destination is instead simply slow, or there is a
-problem causing an excessive arrival rate the active queue will grow and will
-become dominated by mail to the congested destination.
+slower than the corresponding message input rate.
+
+Input into the active queue comes both from new mail in the "incoming" queue,
+and retries of mail in the "deferred" queue. Should the "deferred" queue get
+really large, retries of old mail can dominate the arrival rate of new mail.
+Systems with more CPU, faster disks and more network bandwidth can deal with
+larger deferred queues, but as a rule of thumb the deferred queue scales to
+somewhere between 100,000 and 1,000,000 messages with good performance unlikely
+above that "limit". Systems with queues this large should typically stop
+accepting new mail, or put the backlog "on hold" until the underlying issue is
+fixed (provided that there is enough capacity to handle just the new mail).
+
+When a destination is down for some time, the queue manager will mark it dead,
+and immediately defer all mail for the destination without trying to assign it
+to a delivery agent. In this case the messages will quickly leave the active
+queue and end up in the deferred queue (with Postfix < 2.4, this is done
+directly by the queue manager, with Postfix >= 2.4 this is done via the "retry"
+delivery agent).
+
+When the destination is instead simply slow, or there is a problem causing an
+excessive arrival rate the active queue will grow and will become dominated by
+mail to the congested destination.
 
 The only way to reduce congestion is to either reduce the input rate or
 increase the throughput. Increasing the throughput requires either increasing
@@ -523,23 +547,52 @@ ESTABLISHED or SYN_SENT) reaches the process limit, mail is draining slowly and
 the system and network are not loaded, raise the "smtp" and/or "relay" process
 limits!
 
-Especially for the "relay" transport, consider lower SMTP connection timeouts
-(1-5 seconds) and higher than default destination concurrency limits. Compute
-the expected latency when 1 out of N of the MX hosts for a high volume site is
-down and not responding, and make sure that the configured concurrency divided
-by this latency exceeds the required steady-state message rate. If the
-destination is managed by you, consider load balancers in front of groups of MX
-hosts. Load balancers have higher uptime and will be able to hide individual MX
-host failures.
-
-If necessary, dedicate and tune custom transports for high volume destinations.
+When a high volume destination is served by multiple MX hosts with typically
+low delivery latency, performance can suffer dramatically when one of the MX
+hosts is unresponsive and SMTP connections to that host timeout. For example,
+if there are 2 equal weight MX hosts, the SMTP connection timeout is 30 seconds
+and one of the MX hosts is down, the average SMTP connection will take
+approximately 15 seconds to complete. With a default per-destination
+concurrency limit of 20 connections, throughput falls to just over 1 message
+per second.
+
+The best way to avoid bottlenecks when one or more MX hosts is non-responsive
+is to use connection caching. Connection caching was introduced with Postfix
+2.2 and is by default enabled on demand for destinations with a backlog of mail
+in the active queue. When connection caching is in effect for a particular
+destination, established connections are re-used to send additional messages,
+this reduces the number of connections made per message delivery and maintains
+good throughput even in the face of partial unavailability of the destination's
+MX hosts.
+
+If connection caching is not available (Postfix < 2.2) or does not provide a
+sufficient latency reduction, especially for the "relay" transport used to
+forward mail to "your own" domains, consider setting lower than default SMTP
+connection timeouts (1-5 seconds) and higher than default destination
+concurrency limits. This will further reduce latency and provide more
+concurrency to maintain throughput should latency rise.
+
+Setting high concurrency limits to domains that are not your own may be viewed
+as hostile by the receiving system, and steps may be taken to prevent you from
+monopolizing the destination system's resources. The defensive measures may
+substantially reduce your throughput or block access entirely. Do not set
+aggressive concurrency limits to remote domains without coordinating with the
+administrators of the target domain.
+
+If necessary, dedicate and tune custom transports for selected high volume
+destinations. The "relay" transport is provided for forwarding mail to domains
+for which your server is a primary or backup MX host. These can make up a
+substantial fraction of your email traffic. Use the "relay" and not the "smtp"
+transport to send email to these domains. Using the "relay" transport allocates
+a separate delivery agent pool to these destinations and allows separate tuning
+of timeouts and concurrency limits.
 
 Another common cause of congestion is unwarranted flushing of the entire
 deferred queue. The deferred queue holds messages that are likely to fail to be
-delivered and are also likely to be slow to fail delivery (timeouts). This
-means that the most common reaction to a large deferred queue (flush it!) is
-more than likely counter- productive, and is likely to make the problem worse.
-Do not flush the deferred queue unless you expect that most of its content has
+delivered and are also likely to be slow to fail delivery (time out). As a
+result the most common reaction to a large deferred queue (flush it!) is more
+than likely counter-productive, and typically makes the congestion worse. Do
+not flush the deferred queue unless you expect that most of its content has
 recently become deliverable (e.g. relayhost back up after an outage)!
 
 Note that whenever the queue manager is restarted, there may already be
@@ -549,7 +602,8 @@ the active queue messages back into the incoming queue, and then uses its
 normal incoming queue scan to refill the active queue. The process of moving
 all the messages back and forth, redoing transport table (trivial-rewrite(8)
 resolve service) lookups, and re-importing the messages back into memory is
-expensive. At all costs, avoid frequent restarts of the queue manager.
+expensive. At all costs, avoid frequent restarts of the queue manager (e.g. via
+frequent execution of "postfix reload").
 
 TThhee ""ddeeffeerrrreedd"" qquueeuuee
 
@@ -561,15 +615,15 @@ The queue manager scans the deferred queue periodically. The scan interval is
 controlled by the queue_run_delay parameter. While a deferred queue scan is in
 progress, if an incoming queue scan is also in progress (ideally these are
 brief since the incoming queue should be short), the queue manager alternates
-between bringing a new "incoming" message and a new "deferred" message into the
+between looking for messages in the "incoming" queue and in the "deferred"
 queue. This "round-robin" strategy prevents starvation of either the incoming
 or the deferred queues.
 
 Each deferred queue scan only brings a fraction of the deferred queue back into
 the active queue for a retry. This is because each message in the deferred
 queue is assigned a "cool-off" time when it is deferred. This is done by time-
-warping the modification times of the queue file into the future. The queue
-file is not eligible for a retry if its modification time is not yet reached.
+warping the modification time of the queue file into the future. The queue file
+is not eligible for a retry if its modification time is not yet reached.
 
 The "cool-off" time is at least $minimal_backoff_time and at most
 $maximal_backoff_time. The next retry time is set by doubling the message's age
@@ -578,24 +632,29 @@ that young messages are initially retried more often than old messages.
 
 If a high volume site routinely has large deferred queues, it may be useful to
 adjust the queue_run_delay, minimal_backoff_time and maximal_backoff_time to
-provide short enough delays on first failure, with perhaps longer delays after
-multiple failures, to reduce the retransmission rate of old messages and
-thereby reduce the quantity of previously deferred mail in the active queue.
+provide short enough delays on first failure (Postfix >= 2.4 has a sensibly low
+minimal backoff time by default), with perhaps longer delays after multiple
+failures, to reduce the retransmission rate of old messages and thereby reduce
+the quantity of previously deferred mail in the active queue. If you want a
+really low minimal_backoff_time, you may also want to lower queue_run_delay,
+but understand that more frequent scans will increase the demand for disk I/O.
 
 One common cause of large deferred queues is failure to validate recipients at
 the SMTP input stage. Since spammers routinely launch dictionary attacks from
 unrepliable sender addresses, the bounces for invalid recipient addresses clog
 the deferred queue (and at high volumes proportionally clog the active queue).
 Recipient validation is strongly recommended through use of the
-local_recipient_maps and relay_recipient_maps parameters.
+local_recipient_maps and relay_recipient_maps parameters. Even when bounces
+drain quickly they inundate innocent victims of forgery with unwanted email. To
+avoid this, do not accept mail for invalid recipients.
 
 When a host with lots of deferred mail is down for some time, it is possible
 for the entire deferred queue to reach its retry time simultaneously. This can
 lead to a very full active queue once the host comes back up. The phenomenon
 can repeat approximately every maximal_backoff_time seconds if the messages are
-again deferred after a brief burst of congestion. Ideally, in the future
-Postfix will add a random offset to the retry time (or use a combination of
-strategies) to reduce the chances of repeated complete deferred queue flushes.
+again deferred after a brief burst of congestion. Perhaps, a future Postfix
+release will add a random offset to the retry time (or use a combination of
+strategies) to reduce the odds of repeated complete deferred queue flushes.
 
 CCrreeddiittss
 
diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README
index 5cf940db4..ee39ad617 100644
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@@ -86,18 +86,18 @@ Notes:
 
 BBuuiillddiinngg tthhee CCyyrruuss SSAASSLL lliibbrraarryy
 
-Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, which are
+Postfix appears to work with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, which are
 available from:
 
     ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
 
 IMPORTANT: if you install the Cyrus SASL libraries as per the default, you will
-have to symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.5 or /usr/
-lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.1.
+have to symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.x or /usr/
+lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.x.
 
-Reportedly, Microsoft Internet Explorer version 5 requires the non-standard
-SASL LOGIN authentication method. To enable this authentication method, specify
-``./configure --enable-login''.
+Reportedly, Microsoft Outlook (Express) requires the non-standard LOGIN
+authentication method. To enable this authentication method, specify ``./
+configure --enable-login''.
 
 BBuuiillddiinngg PPoossttffiixx wwiitthh CCyyrruuss SSAASSLL ssuuppppoorrtt
 
@@ -106,13 +106,13 @@ include, and that the Cyrus SASL libraries are in /usr/local/lib.
 
 On some systems this generates the necessary Makefile definitions:
 
-(for Cyrus SASL version 1.5.5):
+(for Cyrus SASL version 1.5.x):
 
     % make tidy # if you have left-over files from a previous build
     % make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
         -I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
 
-(for Cyrus SASL version 2.1.1):
+(for Cyrus SASL version 2.1.x):
 
     % make tidy # if you have left-over files from a previous build
     % make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
@@ -121,14 +121,14 @@ On some systems this generates the necessary Makefile definitions:
 On Solaris 2.x you need to specify run-time link information, otherwise ld.so
 will not find the SASL shared library:
 
-(for Cyrus SASL version 1.5.5):
+(for Cyrus SASL version 1.5.x):
 
     % make tidy # if you have left-over files from a previous build
     % make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
         -I/usr/local/include" AUXLIBS="-L/usr/local/lib \
         -R/usr/local/lib -lsasl"
 
-(for Cyrus SASL version 2.1.1):
+(for Cyrus SASL version 2.1.x):
 
     % make tidy # if you have left-over files from a previous build
     % make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
@@ -158,8 +158,8 @@ Note: the SASL login names will be shared with the entire world.
 
 Older Microsoft SMTP client software implements a non-standard version of the
 AUTH protocol syntax, and expects that the SMTP server replies to EHLO with
-"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients (in
-addition to conformant clients) use the following:
+"250 AUTH=mechanism-list" instead of "250 AUTH mechanism-list". To accommodate
+such clients (in addition to conformant clients) use the following:
 
     /etc/postfix/main.cf:
         broken_sasl_auth_clients = yes
@@ -201,71 +201,83 @@ authentication server.
 
 CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
 
-In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or /usr/local/lib/
-sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to specify how the server
-should validate client passwords.
+You need to configure how the Cyrus SASL library should authenticate a client's
+username and password. These settings must be stored in a separate
+configuration file.
+
+The name of the configuration file (default: smtpd.conf) will be constructed
+from a value sent by Postfix to the Cyrus SASL library, which adds the suffix
+.conf. The value is configured using one of the following variables:
+
+    /etc/postfix/main.cf:
+        # Postfix 2.3 and later
+        smtpd_sasl_path = smtpd
+        # Postfix < 2.3
+        smtpd_sasl_application_name = smtpd
+
+Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/ (Cyrus
+SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL version 2.1.x).
 
 Note: some Postfix distributions are modified and look for the smtpd.conf file
-in /etc/postfix.
+in /etc/postfix/sasl.
 
 Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.
 
-  * To authenticate against the UNIX password database, try:
+  * To authenticate against the UNIX password database, use:
 
-    (Cyrus SASL version 1.5.5)
+    (Cyrus SASL version 1.5.x)
 
         /usr/local/lib/sasl/smtpd.conf:
             pwcheck_method: pwcheck
 
-    (Cyrus SASL version 2.1.1)
-
-        /usr/local/lib/sasl2/smtpd.conf:
-            pwcheck_method: pwcheck
-
-    The name of the file in /usr/local/lib/sasl (Cyrus SASL version 1.5.5) or /
-    usr/local/lib/sasl2 (Cyrus SASL version 2.1.1) used by the SASL library for
-    configuration can be set with:
-
-        /etc/postfix/main.cf:
-            smtpd_sasl_application_name = smtpd (Postfix < 2.3)
-            smtpd_sasl_path = smtpd (Postfix 2.3 and later)
-
-    The pwcheck daemon is contained in the cyrus-sasl source tarball.
-
-    IMPORTANT: postfix processes need to have group read+execute permission for
-    the /var/pwcheck directory, otherwise authentication attempts will fail.
+        IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck and
+        waits for authentication requests. Postfix processes must have
+        read+execute permission to this directory or authentication attempts
+        will fail.
 
-  * Alternately, in Cyrus SASL 1.5.26 and later (including 2.1.1), try:
+        The pwcheck daemon is contained in the cyrus-sasl source tarball.
 
     (Cyrus SASL version 1.5.26)
 
         /usr/local/lib/sasl/smtpd.conf:
             pwcheck_method: saslauthd
 
-    (Cyrus SASL version 2.1.1)
+    (Cyrus SASL version 2.1.x)
 
         /usr/local/lib/sasl2/smtpd.conf:
             pwcheck_method: saslauthd
+            mech_list: PLAIN LOGIN
 
     The saslauthd daemon is also contained in the cyrus-sasl source tarball. It
     is more flexible than the pwcheck daemon, in that it can authenticate
     against PAM and various other sources. To use PAM, start saslauthd with "-
     a pam".
 
+    IMPORTANT: saslauthd usually establishes a UNIX domain socket in /var/run/
+    saslauthd and waits for authentication requests. Postfix processes must
+    have read+execute permission to this directory or authentication attempts
+    will fail.
+
+    Note: The directory where saslauthd puts the socket is configurable. See
+    the command-line option "-m /path/to/socket" in the saslauthd --help
+    listing.
+
   * To authenticate against Cyrus SASL's own password database:
 
-    (Cyrus SASL version 1.5.5)
+    (Cyrus SASL version 1.5.x)
 
         /usr/local/lib/sasl/smtpd.conf:
-            pwcheck_method:  sasldb
+            pwcheck_method: sasldb
 
-    (Cyrus SASL version 2.1.1)
+    (Cyrus SASL version 2.1.x)
 
         /usr/local/lib/sasl2/smtpd.conf:
-            pwcheck_method:  auxprop
+            pwcheck_method: auxprop
+            auxprop_plugin: sasldb
+            mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 
     This will use the Cyrus SASL password file (default: /etc/sasldb in version
-    1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained with the
+    1.5.x, or /etc/sasldb2 in version 2.1.x), which is maintained with the
     saslpasswd or saslpasswd2 command (part of the Cyrus SASL software). On
     some poorly-supported systems the saslpasswd command needs to be run
     multiple times before it stops complaining. The Postfix SMTP server needs
@@ -279,17 +291,17 @@ Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.
 
     EXAMPLE:
 
-    (Cyrus SASL version 1.5.5)
+    (Cyrus SASL version 1.5.x)
 
         % saslpasswd -c -u `postconf -h myhostname` exampleuser
 
-    (Cyrus SASL version 2.1.1)
+    (Cyrus SASL version 2.1.x)
 
         % saslpasswd2 -c -u `postconf -h myhostname` exampleuser
 
     You can find out SASL's idea about the realms of the users in sasldb with
-    sasldblistusers (Cyrus SASL version 1.5.5) or sasldblistusers2 (Cyrus SASL
-    version 2.1.1).
+    sasldblistusers (Cyrus SASL version 1.5.x) or sasldblistusers2 (Cyrus SASL
+    version 2.1.x).
 
     On the Postfix side, you can have only one realm per smtpd instance, and
     only the users belonging to that realm would be able to authenticate. The
@@ -298,21 +310,19 @@ Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.
         /etc/postfix/main.cf:
             smtpd_sasl_local_domain = $myhostname
 
-IMPORTANT: all users must be able to authenticate using ALL authentication
-mechanisms advertised by Postfix, otherwise the negotiation might end up with
-an unsupported mechanism, and authentication would fail. For example if you
-configure SASL to use saslauthd for authentication against PAM (pluggable
-authentication modules), only the PLAIN and LOGIN mechanisms are supported and
-stand a chance to succeed, yet the SASL library would also advertise other
-mechanisms, such as DIGEST-MD5. This happens because those mechanisms are made
-available by other plugins, and the SASL library have no way to know that your
-only valid authentication source is PAM. Thus you might need to limit the list
-of mechanisms advertised by Postfix.
+IMPORTANT: The Cyrus SASL password verification services pwcheck and saslauthd
+can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus
+SASL library doesn't know this, and will happily advertise other authentication
+mechanisms that the SASL library implements, such as DIGEST-MD5. As a result,
+if an SMTP client chooses any mechanism other than PLAIN or LOGIN while pwcheck
+or saslauthd are used, authentication will fail. Thus you may need to limit the
+list of mechanisms advertised by Postfix.
 
   * With older Cyrus SASL versions you remove the corresponding library files
     from the SASL plug-in directory (and again whenever the system is updated).
 
-  * With Cyrus SASL version 2.1.1 or later:
+  * With Cyrus SASL version 2.1.x or later the mech_list variable can specify a
+    list of authentication mechanisms that Cyrus SASL may offer:
 
         /usr/local/lib/sasl2/smtpd.conf:
             mech_list: plain login
@@ -320,14 +330,14 @@ of mechanisms advertised by Postfix.
 For the same reasons you might want to limit the list of plugins used for
 authentication.
 
-  * With Cyrus SASL version 1.5.5 your only choice is to delete the
+  * With Cyrus SASL version 1.5.x your only choice is to delete the
     corresponding library files from the SASL plug-in directory.
 
-  * With SASL version 2.1.1:
+  * With SASL version 2.1.x:
 
         /usr/local/lib/sasl2/smtpd.conf:
-            pwcheck_method:  auxprop
-            auxprop_plugin:  sql
+            pwcheck_method: auxprop
+            auxprop_plugin: sql
 
 To run software chrooted with SASL support is an interesting exercise. It
 probably is not worth the trouble.
@@ -371,15 +381,17 @@ base64-encoded form.
 TTrroouubbllee sshhoooottiinngg tthhee SSAASSLL iinntteerrnnaallss
 
 In the Cyrus SASL sources you'll find a subdirectory named "sample". Run make
-there, "su" to the user postfix (or whatever your mail_owner directive is set
-to):
+there, then create a symbolic link from sample.conf to smtpd.conf in your Cyrus
+SASL library directory /usr/local/lib/sasl2. "su" to the user postfix (or
+whatever your mail_owner directive is set to):
 
     % su postfix
 
-then run the resulting sample server and client in separate terminals. Strace /
-ktrace / truss the server to see what makes it unhappy, and fix the problem.
-Repeat the previous step until you can successfully authenticate with the
-sample client. Only then get back to Postfix.
+then run the resulting sample server and client in separate terminals. The
+sample applications send log messages to the syslog facility auth. Check the
+log to fix the problem or run strace / ktrace / truss on the server to see what
+makes it unhappy. Repeat the previous step until you can successfully
+authenticate with the sample client. Only then get back to Postfix.
 
 EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
 
@@ -401,6 +413,11 @@ that is specified with the relayhost parameter or with a transport(5) table.
         [mail.myisp.net]            username:password
         [mail.myisp.net]:submission username:password
 
+The Postfix SASL client password file is opened before the SMTP server enters
+the optional chroot jail, so you can keep the file in /etc/postfix and set
+permissions read / write only for root to keep the username:password
+combinations away from other system users.
+
 Postfix version 2.3 supports-per-sender SASL password information. To search
 the Postfix SASL password by sender before it searches by destination, specify:
 
@@ -424,9 +441,6 @@ plaintext authentication specify, for example:
     /etc/postfix/main.cf:
         smtp_sasl_security_options = noanonymous
 
-The Postfix SASL client password file is opened before the SMTP server enters
-the optional chroot jail, so you can keep the file in /etc/postfix.
-
 Note: Some SMTP servers support authentication mechanisms that, although
 available on the client system, may not in practice work or possess the
 appropriate credentials to authenticate to the server. It is possible via the
@@ -437,7 +451,7 @@ mechanisms that the smtp(8) client will take into consideration:
         smtp_sasl_mechanism_filter = !gssapi, !external, static:all
 
 In the above example, Postfix will decline to use mechanisms that require
-special infrastructure such as Kerberos.
+special infrastructure such as Kerberos or TLS.
 
 The Postfix SMTP client is backwards compatible with SMTP servers that use the
 non-standard "AUTH=method..." syntax in response to the EHLO command; there is
@@ -458,4 +472,6 @@ CCrreeddiittss
     smtpd_sasl_path.
   * The Dovecot SMTP server-only plug-in was originally implemented by Timo
     Sirainen of Procontrol, Finland.
+  * Patrick Ben Koetter revised this document for Postfix 2.4 and made much
+    needed updates.
 
diff --git a/postfix/README_FILES/SMTPD_POLICY_README b/postfix/README_FILES/SMTPD_POLICY_README
index 6ce119b84..7735aaeaa 100644
--- a/postfix/README_FILES/SMTPD_POLICY_README
+++ b/postfix/README_FILES/SMTPD_POLICY_README
@@ -10,9 +10,11 @@ policy decisions to an external server that runs outside Postfix.
 
 With this policy delegation mechanism, a simple greylist policy can be
 implemented with only a dozen lines of Perl, as is shown at the end of this
-document. Another example of policy delegation is the SPF policy server by Meng
-Wong at http://spf.pobox.com/. Examples of both policies can be found in the
-Postfix source code, in the directory examples/smtpd-policy.
+document. A complete example can be found in the Postfix source code, in the
+directory examples/smtpd-policy.
+
+Another example of policy delegation is the SPF policy server at http://
+www.openspf.org/Software.
 
 Policy delegation is now the preferred method for adding policies to Postfix.
 It's much easier to develop a new feature in few lines of Perl, than trying to
diff --git a/postfix/README_FILES/TLS_LEGACY_README b/postfix/README_FILES/TLS_LEGACY_README
index c534beb48..78d128521 100644
--- a/postfix/README_FILES/TLS_LEGACY_README
+++ b/postfix/README_FILES/TLS_LEGACY_README
@@ -558,7 +558,7 @@ Their DSA counterparts:
 
     /etc/postfix/main.cf:
         smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-        smtp_tls_dkey_file = $smtpd_tls_cert_file
+        smtp_tls_dkey_file = $smtp_tls_dcert_file
 
 To verify a remote SMTP server certificate, the Postfix SMTP client needs to
 trust the certificates of the issuing certification authorities. These
@@ -578,7 +578,7 @@ files in the directory when the information is needed. Thus, the
 $smtp_tls_CApath directory needs to be accessible inside the optional chroot
 jail.
 
-The choice between $smtp_tls_CAfile and $smtpd_tls_CApath is a space/time
+The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a space/time
 tradeoff. If there are many trusted CAs, the cost of preloading them all into
 memory may not pay off in reduced access time when the certificate is needed.
 
diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README
index dc12a8ff7..d8fbc02be 100644
--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@@ -673,7 +673,7 @@ Their DSA counterparts:
 
     /etc/postfix/main.cf:
         smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-        smtp_tls_dkey_file = $smtpd_tls_cert_file
+        smtp_tls_dkey_file = $smtp_tls_dcert_file
 
 To verify a remote SMTP server certificate, the Postfix SMTP client needs to
 trust the certificates of the issuing certification authorities. These
@@ -693,7 +693,7 @@ files in the directory when the information is needed. Thus, the
 $smtp_tls_CApath directory needs to be accessible inside the optional chroot
 jail.
 
-The choice between $smtp_tls_CAfile and $smtpd_tls_CApath is a space/time
+The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a space/time
 tradeoff. If there are many trusted CAs, the cost of preloading them all into
 memory may not pay off in reduced access time when the certificate is needed.
 
diff --git a/postfix/README_FILES/TUNING_README b/postfix/README_FILES/TUNING_README
index c544ffc2a..000f98d21 100644
--- a/postfix/README_FILES/TUNING_README
+++ b/postfix/README_FILES/TUNING_README
@@ -141,7 +141,7 @@ Postfix version 2.0 and earlier:
 
 MMeeaassuurreess aaggaaiinnsstt cclliieennttss tthhaatt mmaakkee ttoooo mmaannyy ccoonnnneeccttiioonnss
 
-Note: this feature is not included with Postfix version 2.1.
+Note: the anvil(8) service was introduced with Postfix version 2.2.
 
 The Postfix smtpd(8) server can limit the number of simultaneous connections
 from the same SMTP client, as well as the number of connections that a client
diff --git a/postfix/README_FILES/VIRTUAL_README b/postfix/README_FILES/VIRTUAL_README
index 9ee405dbd..5b47482f7 100644
--- a/postfix/README_FILES/VIRTUAL_README
+++ b/postfix/README_FILES/VIRTUAL_README
@@ -316,12 +316,14 @@ Notes:
     NEVER list a virtual MAILBOX domain name as a virtual ALIAS domain!
 
   * Lines 4, 7-13: The virtual_mailbox_maps parameter specifies the lookup
-    table with all valid recipient addresses. The lookup result is ignored by
-    Postfix. In the above example, info@example.com and sales@example.com are
-    listed as valid addresses, and mail for anything else is rejected with
-    "User unknown". If you intend to use LDAP, MySQL or PgSQL instead of local
-    files, be sure to review the "local files versus databases" section at the
-    top of this document!
+    table with all valid recipient addresses. The lookup result value is
+    ignored by Postfix. In the above example, info@example.com and
+    sales@example.com are listed as valid addresses; other mail for example.com
+    is rejected with "User unknown" by the Postfix SMTP server. It's left up to
+    the non-Postfix delivery agent to reject non-existent recipients from local
+    submission or from local alias expansion. If you intend to use LDAP, MySQL
+    or PgSQL instead of local files, be sure to review the "local files versus
+    databases" section at the top of this document!
 
   * Line 12: The commented out entry (text after #) shows how one would inform
     Postfix of the existence of a catch-all address. Again, the lookup result
diff --git a/postfix/auxiliary/qshape/qshape.pl b/postfix/auxiliary/qshape/qshape.pl
index 67d378984..243df445a 100644
--- a/postfix/auxiliary/qshape/qshape.pl
+++ b/postfix/auxiliary/qshape/qshape.pl
@@ -13,6 +13,7 @@
 #	\fBqshape\fR [\fB-s\fR] [\fB-p\fR] [\fB-m \fImin_subdomains\fR]
 #		[\fB-b \fIbucket_count\fR] [\fB-t \fIbucket_time\fR]
 #		[\fB-l\fR] [\fB-w \fIterminal_width\fR]
+#		[\fB-N \fIbatch_msg_count\fR] [\fB-n \fIbatch_top_domains\fR]
 #		[\fB-c \fIconfig_directory\fR] [\fIqueue_name\fR ...]
 # DESCRIPTION
 #	The \fBqshape\fR program helps the administrator understand the
@@ -63,6 +64,15 @@
 #	parent domain rows are shown as '.+' followed by the last 16 bytes
 #	of the domain name. If this is still too narrow to show the domain
 #	name and all the counters, the terminal_width limit is violated.
+# .IP "\fB-N \fIbatch_msg_count\fR"
+#	When the output device is a terminal, intermediate results are
+#	shown each "batch_msg_count" messages. This produces usable results
+#	in a reasonable time even when the deferred queue is large. The
+#	default is to show intermediate results every 1000 messages.
+# .IP "\fB-n \fIbatch_top_domains\fR"
+#	When reporting intermediate or final results to a termainal, report
+#	only the top "batch_top_domains" domains. The default limit is 20
+#	domains.
 # .IP "\fB-c \fIconfig_directory\fR"
 #	The \fBmain.cf\fR configuration file is in the named directory
 #	instead of the default configuration directory.
@@ -104,6 +114,9 @@ use IO::File;
 use File::Find;
 use Getopt::Std;
 
+my $cls;		# Clear screen escape sequence
+my $batch_msg_count;	# Interim result frequency
+my $batch_top_domains;	# Interim result count
 my %opts;		# Command line switches
 my %q;			# domain counts for queues and buckets
 my %sub;		# subdomain counts for parent domains
@@ -120,6 +133,7 @@ do {
     	warn "$0: $_[0]" unless exists($opts{"h"});
 	die "Usage: $0 [ -s ] [ -p ] [ -m <min_subdomains> ] [ -l ]\n".
 	    "\t[ -b <bucket_count> ] [ -t <bucket_time> ] [ -w <terminal_width> ]\n".
+	    "\t[ -N <batch_msg_count> ] [ -n <batch_top_domains> ]\n".
 	    "\t[ -c <config_directory> ] [ <queue_name> ... ]\n".
 	"The 's' option shows sender domain counts.\n".
 	"The 'p' option shows address counts by for parent domains.\n".
@@ -142,7 +156,7 @@ do {
 	"not supported. If necessary, use explicit absolute paths for all queues.\n";
     };
 
-    getopts("lhc:psw:b:t:m:", \%opts);
+    getopts("lhc:psw:b:t:m:n:N:", \%opts);
     warn "Help message" if (exists $opts{"h"});
 
     @qlist = @ARGV if (@ARGV > 0);
@@ -169,6 +183,16 @@ $bnum = $opts{"b"} if (exists $opts{"b"} && $opts{"b"} > 0);
 $tick = $opts{"t"} if (exists $opts{"t"} && $opts{"t"} > 0);
 $minsub = $opts{"m"} if (exists $opts{"m"} && $opts{"m"} > 0);
 
+if ( -t STDOUT ) {
+    $batch_msg_count = 1000 unless defined($batch_msg_count = $opts{"N"});
+    $batch_top_domains = 20 unless defined ($batch_top_domains = $opts{"n"});
+    $cls = `clear`;
+} else {
+    $batch_msg_count = 0;
+    $batch_top_domains = 0;
+    $cls = "";
+}
+
 sub rec_get {
     my ($h) = @_;
     my $r = getc($h) || return;
@@ -263,6 +287,7 @@ sub bucket {
 
 # Collate by age of message in the selected queues.
 #
+my $msgs;
 sub wanted {
     if (my ($t, $s, @r) = qenv($_)) {
 	my $b = bucket($t, $now);
@@ -281,26 +306,15 @@ sub wanted {
 		$new = ! $old;
 	    } while ($opts{"p"} && $a =~ s/^(?:\.)?[^.]+\.(.*\.)/.$1/);
 	}
+    	if ($batch_msg_count > 0 && ++$msgs % $batch_msg_count == 0) {
+	    results();
+	}
     }
 }
-find(\&wanted, @qlist);
 
 my @heads;
-my $fmt = "";
-my $dw = $width;
-
-for (my $i = 0, my $t = 0; $i <= $bnum; ) {
-    $q{"TOTAL"}->[$i] ||= 0;
-    my $l = length($q{"TOTAL"}->[$i]);
-    my $h = ($i == 0) ? "T" : $t;
-    $l = length($h) if (length($h) >= $l);
-    $l = ($l > 2) ? $l + 1 : 3;
-    push(@heads, $h);
-    $fmt .= sprintf "%%%ds", $l;
-    $dw -= $l;
-    if (++$i < $bnum) { $t += ($t && !$opts{"l"}) ? $t : $tick; } else { $t = "$t+"; }
-}
-$dw = $dwidth if ($dw < $dwidth);
+my $fmt;
+my $dw;
 
 sub pdomain {
     my ($d, @count) = @_;
@@ -318,18 +332,45 @@ sub pdomain {
     printf "$fmt\n", @count;
 }
 
-# Print headings
-#
-pdomain("", @heads);
+sub results {
+    @heads = ();
+    $dw = $width;
+    $fmt = "";
+    for (my $i = 0, my $t = 0; $i <= $bnum; ) {
+	$q{"TOTAL"}->[$i] ||= 0;
+	my $l = length($q{"TOTAL"}->[$i]);
+	my $h = ($i == 0) ? "T" : $t;
+	$l = length($h) if (length($h) >= $l);
+	$l = ($l > 2) ? $l + 1 : 3;
+	push(@heads, $h);
+	$fmt .= sprintf "%%%ds", $l;
+	$dw -= $l;
+	if (++$i < $bnum) { $t += ($t && !$opts{"l"}) ? $t : $tick; } else { $t = "$t+"; }
+    }
+    $dw = $dwidth if ($dw < $dwidth);
 
-# Show per-domain totals
-#
-foreach my $d (sort { $q{$b}->[0] <=> $q{$a}->[0] ||
-		       length($a) <=> length($b) } keys %q) {
+    print $cls if ($batch_msg_count > 0);
 
-    # Skip parent domains with < $minsub subdomains.
+    # Print headings
     #
-    next if ($d =~ /^\./ && $sub{$d} < $minsub);
+    pdomain("", @heads);
 
-    pdomain($d, @{$q{$d}});
+    my $n = 0;
+
+    # Show per-domain totals
+    #
+    foreach my $d (sort { $q{$b}->[0] <=> $q{$a}->[0] ||
+			   length($a) <=> length($b) } keys %q) {
+
+	# Skip parent domains with < $minsub subdomains.
+	#
+	next if ($d =~ /^\./ && $sub{$d} < $minsub);
+
+	last if ($batch_top_domains > 0 && ++$n > $batch_top_domains);
+
+	pdomain($d, @{$q{$d}});
+    }
 }
+
+find(\&wanted, @qlist);
+results();
diff --git a/postfix/conf/access b/postfix/conf/access
index 633f4d03b..ad5c548c4 100644
--- a/postfix/conf/access
+++ b/postfix/conf/access
@@ -1,7 +1,7 @@
 # ACCESS(5)                                                            ACCESS(5)
 # 
 # NAME
-#        access - Postfix access table format
+#        access - Postfix SMTP server access table
 # 
 # SYNOPSIS
 #        postmap /etc/postfix/access
@@ -11,20 +11,18 @@
 #        postmap -q - /etc/postfix/access <inputfile
 # 
 # DESCRIPTION
-#        The  optional  access(5)  table  directs  the Postfix SMTP
-#        server to selectively reject or accept mail. Access can be
-#        allowed  or  denied for specific host names, domain names,
-#        networks, host addresses or mail addresses.
-# 
-#        For an example, see the EXAMPLE section at the end of this
-#        manual page.
+#        The  Postfix SMTP server supports access control on remote
+#        SMTP client information: host  names,  network  addresses,
+#        and   envelope   sender   or   recipient  addresses.   See
+#        header_checks(5) or body_checks(5) for access  control  on
+#        the content of email messages.
 # 
 #        Normally,  the access(5) table is specified as a text file
 #        that serves as  input  to  the  postmap(1)  command.   The
 #        result,  an  indexed file in dbm or db format, is used for
 #        fast searching by the mail  system.  Execute  the  command
-#        "postmap  /etc/postfix/access"  in  order  to  rebuild the
-#        indexed file after changing the access table.
+#        "postmap  /etc/postfix/access"  to rebuild an indexed file
+#        after changing the corresponding text file.
 # 
 #        When the table is provided via other means  such  as  NIS,
 #        LDAP  or  SQL,  the  same lookups are done as for ordinary
@@ -33,9 +31,9 @@
 #        Alternatively, the table can be  provided  as  a  regular-
 #        expression map where patterns are given as regular expres-
 #        sions, or lookups can be directed to TCP-based server.  In
-#        that  case,  the  lookups are done in a slightly different
+#        those  cases, the lookups are done in a slightly different
 #        way as described below under "REGULAR  EXPRESSION  TABLES"
-#        and "TCP-BASED TABLES".
+#        or "TCP-BASED TABLES".
 # 
 # CASE FOLDING
 #        The  search  string is folded to lowercase before database
@@ -199,18 +197,19 @@
 # 
 #        DEFER_IF_REJECT optional text...
 #               Defer  the  request if some later restriction would
-#               result in a REJECT action. Reply with "450 optional
-#               text... when the optional text is specified, other-
-#               wise reply with a generic error response message.
+#               result in a REJECT action. Reply  with  "450  4.7.1
+#               optional  text...  when the optional text is speci-
+#               fied, otherwise reply with a generic error response
+#               message.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        DEFER_IF_PERMIT optional text...
-#               Defer  the  request if some later restriction would
-#               result in a an explicit or implicit PERMIT  action.
-#               Reply  with "450 optional text... when the optional
-#               text is specified, otherwise reply with  a  generic
-#               error response message.
+#               Defer the request if some later  restriction  would
+#               result  in a an explicit or implicit PERMIT action.
+#               Reply with "450 4.7.1  optional  text...  when  the
+#               optional  text is specified, otherwise reply with a
+#               generic error response message.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
@@ -220,53 +219,54 @@
 #               reject_unauth_destination, and so on).
 # 
 #        DISCARD optional text...
-#               Claim  successful delivery and silently discard the
-#               message.  Log the optional text if specified,  oth-
+#               Claim successful delivery and silently discard  the
+#               message.   Log the optional text if specified, oth-
 #               erwise log a generic message.
 # 
-#               Note:  this action currently affects all recipients
-#               of the message.   To  discard  only  one  recipient
-#               without  discarding  the  entire  message,  use the
+#               Note: this action currently affects all  recipients
+#               of  the  message.   To  discard  only one recipient
+#               without discarding  the  entire  message,  use  the
 #               transport(5) table to direct mail to the discard(8)
 #               service.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
-#        DUNNO  Pretend that the lookup key  was  not  found.  This
-#               prevents  Postfix  from  trying  substrings  of the
-#               lookup key (such as a subdomain name, or a  network
+#        DUNNO  Pretend  that  the  lookup  key was not found. This
+#               prevents Postfix  from  trying  substrings  of  the
+#               lookup  key (such as a subdomain name, or a network
 #               address subnetwork).
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
 #        FILTER transport:destination
-#               After the message is queued, send the  entire  mes-
+#               After  the  message is queued, send the entire mes-
 #               sage through the specified external content filter.
-#               The transport:destination syntax  is  described  in
-#               the  transport(5)  manual  page.   More information
-#               about external content filters is  in  the  Postfix
+#               The  transport:destination  syntax  is described in
+#               the transport(5)  manual  page.   More  information
+#               about  external  content  filters is in the Postfix
 #               FILTER_README file.
 # 
-#               Note:   this  action  overrides  the  main.cf  con-
+#               Note:  this  action  overrides  the  main.cf   con-
 #               tent_filter  setting,  and  currently  affects  all
 #               recipients of the message.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
 #        HOLD optional text...
-#               Place the message on the hold queue, where it  will
-#               sit  until someone either deletes it or releases it
-#               for delivery.  Log the optional text if  specified,
+#               Place  the message on the hold queue, where it will
+#               sit until someone either deletes it or releases  it
+#               for  delivery.  Log the optional text if specified,
 #               otherwise log a generic message.
 # 
-#               Mail  that  is  placed on hold can be examined with
-#               the postcat(1) command, and  can  be  destroyed  or
+#               Mail that is placed on hold can  be  examined  with
+#               the  postcat(1)  command,  and  can be destroyed or
 #               released with the postsuper(1) command.
 # 
-#               Note:  use  "postsuper -r" to release mail that was
-#               kept on hold for a significant fraction  of  $maxi-
+#               Note: use "postsuper -r" to release mail  that  was
+#               kept  on  hold for a significant fraction of $maxi-
 #               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
-#               longer.
+#               longer.  Use "postsuper -H" only for mail that will
+#               not expire within a few delivery attempts.
 # 
 #               Note: this action currently affects all  recipients
 #               of the message.
@@ -275,105 +275,102 @@
 # 
 #        PREPEND headername: headervalue
 #               Prepend the specified message header  to  the  mes-
-#               sage.  When this action is used multiple times, the
-#               first prepended header appears  before  the  second
-#               etc. prepended header.
-# 
-#               Note:  this action does not support multi-line mes-
-#               sage headers.
+#               sage.   When more than one PREPEND action executes,
+#               the first prepended header appears before the  sec-
+#               ond etc. prepended header.
 # 
-#               Note: this action must be used before  the  message
-#               content   is   received;   it  cannot  be  used  in
-#               smtpd_end_of_data_restrictions.
+#               Note:  this  action must execute before the message
+#               content is received; it cannot execute in the  con-
+#               text of smtpd_end_of_data_restrictions.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        REDIRECT user@domain
-#               After  the  message  is queued, send the message to
+#               After the message is queued, send  the  message  to
 #               the  specified  address  instead  of  the  intended
 #               recipient(s).
 # 
-#               Note:  this action overrides the FILTER action, and
+#               Note: this action overrides the FILTER action,  and
 #               currently affects all recipients of the message.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        WARN optional text...
 #               Log a warning with the optional text, together with
-#               client information and  if  available,  with  helo,
+#               client  information  and  if  available, with helo,
 #               sender, recipient and protocol information.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 # ENHANCED STATUS CODES
-#        Postfix version 2.3  and  later  support  enhanced  status
-#        codes  as  defined  in  RFC 3463.  When an enhanced status
-#        code is specified in an access table,  it  is  subject  to
-#        modification.  The  following  transformations  are needed
-#        when the same access  table  is  used  for  client,  helo,
-#        sender,  or  recipient  access  restrictions;  they happen
+#        Postfix  version  2.3  and  later  support enhanced status
+#        codes as defined in RFC 3463.   When  an  enhanced  status
+#        code  is  specified  in  an access table, it is subject to
+#        modification. The  following  transformations  are  needed
+#        when  the  same  access  table  is  used for client, helo,
+#        sender, or  recipient  access  restrictions;  they  happen
 #        regardless of whether Postfix replies to a MAIL FROM, RCPT
 #        TO or other SMTP command.
 # 
-#        o      When  a sender address matches a REJECT action, the
-#               Postfix SMTP server will transform a recipient  DSN
-#               status  (e.g.,  4.1.1-4.1.6) into the corresponding
+#        o      When a sender address matches a REJECT action,  the
+#               Postfix  SMTP server will transform a recipient DSN
+#               status (e.g., 4.1.1-4.1.6) into  the  corresponding
 #               sender DSN status, and vice versa.
 # 
-#        o      When  non-address  information  matches  a   REJECT
-#               action  (such  as  the HELO command argument or the
-#               client hostname/address), the Postfix  SMTP  server
-#               will  transform  a  sender  or recipient DSN status
-#               into  a  generic  non-address  DSN  status   (e.g.,
+#        o      When   non-address  information  matches  a  REJECT
+#               action (such as the HELO command  argument  or  the
+#               client  hostname/address),  the Postfix SMTP server
+#               will transform a sender  or  recipient  DSN  status
+#               into   a  generic  non-address  DSN  status  (e.g.,
 #               4.0.0).
 # 
 # REGULAR EXPRESSION TABLES
-#        This  section  describes how the table lookups change when
+#        This section describes how the table lookups  change  when
 #        the table is given in the form of regular expressions. For
-#        a  description  of regular expression lookup table syntax,
+#        a description of regular expression lookup  table  syntax,
 #        see regexp_table(5) or pcre_table(5).
 # 
-#        Each pattern is a regular expression that  is  applied  to
+#        Each  pattern  is  a regular expression that is applied to
 #        the entire string being looked up. Depending on the appli-
-#        cation, that string  is  an  entire  client  hostname,  an
+#        cation,  that  string  is  an  entire  client hostname, an
 #        entire client IP address, or an entire mail address. Thus,
 #        no  parent  domain  or  parent  network  search  is  done,
-#        user@domain  mail  addresses  are not broken up into their
+#        user@domain mail addresses are not broken  up  into  their
 #        user@ and domain constituent parts, nor is user+foo broken
 #        up into user and foo.
 # 
-#        Patterns  are applied in the order as specified in the ta-
-#        ble, until a pattern is  found  that  matches  the  search
+#        Patterns are applied in the order as specified in the  ta-
+#        ble,  until  a  pattern  is  found that matches the search
 #        string.
 # 
-#        Actions  are  the  same as with indexed file lookups, with
-#        the additional feature that parenthesized substrings  from
+#        Actions are the same as with indexed  file  lookups,  with
+#        the  additional feature that parenthesized substrings from
 #        the pattern can be interpolated as $1, $2 and so on.
 # 
 # TCP-BASED TABLES
-#        This  section  describes how the table lookups change when
+#        This section describes how the table lookups  change  when
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.3.
+#        Postfix version 2.4.
 # 
-#        Each  lookup  operation uses the entire query string once.
-#        Depending on the application, that  string  is  an  entire
+#        Each lookup operation uses the entire query  string  once.
+#        Depending  on  the  application,  that string is an entire
 #        client hostname, an entire client IP address, or an entire
-#        mail address.  Thus, no parent domain  or  parent  network
-#        search  is done, user@domain mail addresses are not broken
-#        up into their user@ and domain constituent parts,  nor  is
+#        mail  address.   Thus,  no parent domain or parent network
+#        search is done, user@domain mail addresses are not  broken
+#        up  into  their user@ and domain constituent parts, nor is
 #        user+foo broken up into user and foo.
 # 
 #        Actions are the same as with indexed file lookups.
 # 
 # EXAMPLE
-#        The  following  example  uses an indexed file, so that the
-#        order of table entries does not matter. The  example  per-
-#        mits  access  by the client at address 1.2.3.4 but rejects
-#        all other clients in 1.2.3.0/24. Instead  of  hash  lookup
-#        tables,  some  systems use dbm.  Use the command "postconf
-#        -m" to find out what lookup  tables  Postfix  supports  on
+#        The following example uses an indexed file,  so  that  the
+#        order  of  table entries does not matter. The example per-
+#        mits access by the client at address 1.2.3.4  but  rejects
+#        all  other  clients  in 1.2.3.0/24. Instead of hash lookup
+#        tables, some systems use dbm.  Use the  command  "postconf
+#        -m"  to  find  out  what lookup tables Postfix supports on
 #        your system.
 # 
 #        /etc/postfix/main.cf:
@@ -388,7 +385,7 @@
 #        editing the file.
 # 
 # BUGS
-#        The  table format does not understand quoting conventions.
+#        The table format does not understand quoting  conventions.
 # 
 # SEE ALSO
 #        postmap(1), Postfix lookup table manager
@@ -397,13 +394,13 @@
 #        transport(5), transport:nexthop syntax
 # 
 # README FILES
-#        Use "postconf readme_directory" or  "postconf  html_direc-
+#        Use  "postconf  readme_directory" or "postconf html_direc-
 #        tory" to locate this information.
 #        SMTPD_ACCESS_README, built-in SMTP server access control
 #        DATABASE_README, Postfix lookup table overview
 # 
 # LICENSE
-#        The  Secure  Mailer  license must be distributed with this
+#        The Secure Mailer license must be  distributed  with  this
 #        software.
 # 
 # AUTHOR(S)
diff --git a/postfix/conf/aliases b/postfix/conf/aliases
index 32d3f9797..8a19f8e5a 100644
--- a/postfix/conf/aliases
+++ b/postfix/conf/aliases
@@ -114,8 +114,8 @@ decode:		root
 #               When the command fails, a limited amount of command
 #               output is mailed back  to  the  sender.   The  file
 #               /usr/include/sysexits.h  defines  the expected exit
-#               status codes. For example, use |"exit 67" to  simu-
-#               late  a  "user  unknown"  error,  and  |"exit 0" to
+#               status codes. For example, use "|exit 67" to  simu-
+#               late  a  "user  unknown"  error,  and  "|exit 0" to
 #               implement an expensive black hole.
 # 
 #        :include:/file/name
diff --git a/postfix/conf/canonical b/postfix/conf/canonical
index 1dc739589..fc0c3ee6a 100644
--- a/postfix/conf/canonical
+++ b/postfix/conf/canonical
@@ -20,8 +20,8 @@
 #        file  that serves as input to the postmap(1) command.  The
 #        result, an indexed file in dbm or db format, is  used  for
 #        fast  searching  by  the  mail system. Execute the command
-#        "postmap /etc/postfix/canonical" in order to  rebuild  the
-#        indexed file after changing the text file.
+#        "postmap /etc/postfix/canonical"  to  rebuild  an  indexed
+#        file after changing the corresponding text file.
 # 
 #        When  the  table  is provided via other means such as NIS,
 #        LDAP or SQL, the same lookups are  done  as  for  ordinary
@@ -30,9 +30,9 @@
 #        Alternatively,  the  table  can  be provided as a regular-
 #        expression map where patterns are given as regular expres-
 #        sions,  or lookups can be directed to TCP-based server. In
-#        that case, the lookups are done in  a  slightly  different
+#        those cases, the lookups are done in a slightly  different
 #        way  as  described below under "REGULAR EXPRESSION TABLES"
-#        and "TCP-BASED TABLES".
+#        or "TCP-BASED TABLES".
 # 
 #        By default the canonical(5) mapping affects  both  message
 #        header  addresses  (i.e. addresses that appear inside mes-
@@ -53,11 +53,9 @@
 #        addresses produced by legacy mail systems.
 # 
 #        The canonical(5) mapping is not to be confused  with  vir-
-#        tual  domain support. Use the virtual(5) map for that pur-
-#        pose.
-# 
-#        The canonical(5) mapping is not to be confused with  local
-#        aliasing.  Use the aliases(5) map for that purpose.
+#        tual  alias  support or with local aliasing. To change the
+#        destination but not the headers,  use  the  virtual(5)  or
+#        aliases(5) map instead.
 # 
 # CASE FOLDING
 #        The  search  string is folded to lowercase before database
@@ -109,6 +107,13 @@
 #               Replace other addresses in domain by address.  This
 #               form has the lowest precedence.
 # 
+#               Note:  @domain  is  a  wild-card. When this form is
+#               applied to recipient addresses,  the  Postfix  SMTP
+#               server  accepts  mail  for any recipient in domain,
+#               regardless of whether that recipient exists.   This
+#               may turn your mail system into a backscatter source
+#               that returns undeliverable spam to innocent people.
+# 
 # RESULT ADDRESS REWRITING
 #        The lookup result is subject to address rewriting:
 # 
@@ -156,7 +161,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.3.
+#        Postfix version 2.4.
 # 
 #        Each lookup operation uses the entire address once.  Thus,
 #        user@domain  mail  addresses  are not broken up into their
diff --git a/postfix/conf/generic b/postfix/conf/generic
index 232e7b058..f5e5a10e9 100644
--- a/postfix/conf/generic
+++ b/postfix/conf/generic
@@ -33,8 +33,8 @@
 #        that serves as  input  to  the  postmap(1)  command.   The
 #        result,  an  indexed file in dbm or db format, is used for
 #        fast searching by the mail  system.  Execute  the  command
-#        "postmap  /etc/postfix/generic"  in  order  to rebuild the
-#        indexed file after changing the text file.
+#        "postmap  /etc/postfix/generic" to rebuild an indexed file
+#        after changing the corresponding text file.
 # 
 #        When the table is provided via other means  such  as  NIS,
 #        LDAP  or  SQL,  the  same lookups are done as for ordinary
@@ -43,9 +43,9 @@
 #        Alternatively, the table can be  provided  as  a  regular-
 #        expression map where patterns are given as regular expres-
 #        sions, or lookups can be directed to TCP-based server.  In
-#        that  case,  the  lookups are done in a slightly different
+#        those  case,  the lookups are done in a slightly different
 #        way as described below under "REGULAR  EXPRESSION  TABLES"
-#        and "TCP-BASED TABLES".
+#        or "TCP-BASED TABLES".
 # 
 # CASE FOLDING
 #        The  search  string is folded to lowercase before database
@@ -136,7 +136,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.3.
+#        Postfix version 2.4.
 # 
 #        Each lookup operation uses the entire address once.  Thus,
 #        user@domain  mail  addresses  are not broken up into their
diff --git a/postfix/conf/header_checks b/postfix/conf/header_checks
index 238599ffd..65469c57a 100644
--- a/postfix/conf/header_checks
+++ b/postfix/conf/header_checks
@@ -13,12 +13,16 @@
 #        postmap -fq - pcre:/etc/postfix/filename <inputfile
 # 
 # DESCRIPTION
-#        Postfix  provides  a  simple  built-in  content inspection
-#        mechanism that examines incoming mail one  message  header
-#        or one message body line at a time. Each input is compared
-#        against a list of patterns, and when a match is found  the
-#        corresponding  action is executed.  This feature is imple-
-#        mented by the Postfix cleanup(8) server.
+#        The  Postfix  cleanup(8) server supports access control on
+#        the content of message headers  and  message  body  lines.
+#        See  access(5)  for  access  control on remote SMTP client
+#        information.
+# 
+#        Each message header  or  message  body  line  is  compared
+#        against  a  list  of  patterns.  When a match is found the
+#        corresponding action is executed, and the matching process
+#        is  repeated  for  the next message header or message body
+#        line.
 # 
 #        For examples, see the EXAMPLES section at the end of  this
 #        manual page.
@@ -185,14 +189,15 @@
 #               Note: use "postsuper -r" to release mail  that  was
 #               kept  on  hold for a significant fraction of $maxi-
 #               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
-#               longer.
+#               longer.  Use "postsuper -H" only for mail that will
+#               not expire within a few delivery attempts.
 # 
-#               Note:  this  action  affects  all recipients of the
+#               Note: this action affects  all  recipients  of  the
 #               message.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
-#        IGNORE Delete  the current line from the input and inspect
+#        IGNORE Delete the current line from the input and  inspect
 #               the next input line.
 # 
 #        PREPEND text...
@@ -201,18 +206,18 @@
 # 
 #               Notes:
 # 
-#               o      The  prepended  text is output on a separate
+#               o      The prepended text is output on  a  separate
 #                      line,  immediately  before  the  input  that
 #                      triggered the PREPEND action.
 # 
 #               o      The prepended text is not considered part of
-#                      the input  stream:  it  is  not  subject  to
+#                      the  input  stream:  it  is  not  subject to
 #                      header/body checks or address rewriting, and
 #                      it does not affect the way that Postfix adds
 #                      missing message headers.
 # 
 #               o      When prepending text before a message header
-#                      line, the prepended text must begin  with  a
+#                      line,  the  prepended text must begin with a
 #                      valid message header label.
 # 
 #               o      This action cannot be used to prepend multi-
@@ -221,46 +226,46 @@
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        REDIRECT user@domain
-#               Write  a  message  redirection request to the queue
-#               file and inspect the next  input  line.  After  the
+#               Write a message redirection request  to  the  queue
+#               file  and  inspect  the  next input line. After the
 #               message is queued, it will be sent to the specified
 #               address instead of the intended recipient(s).
 # 
-#               Note: this action overrides the FILTER action,  and
-#               affects  all recipients of the message. If multiple
-#               REDIRECT actions fire, only the last  one  is  exe-
+#               Note:  this action overrides the FILTER action, and
+#               affects all recipients of the message. If  multiple
+#               REDIRECT  actions  fire,  only the last one is exe-
 #               cuted.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        REPLACE text...
-#               Replace the current line with  the  specified  text
+#               Replace  the  current  line with the specified text
 #               and inspect the next input line.
 # 
 #               This feature is available in Postfix 2.2 and later.
-#               The description below applies to Postfix 2.2.2  and
+#               The  description below applies to Postfix 2.2.2 and
 #               later.
 # 
 #               Notes:
 # 
-#               o      When  replacing  a  message header line, the
-#                      replacement text must  begin  with  a  valid
+#               o      When replacing a message  header  line,  the
+#                      replacement  text  must  begin  with a valid
 #                      header label.
 # 
-#               o      The  replaced text remains part of the input
-#                      stream. Unlike the result from  the  PREPEND
-#                      action,  a  replaced  message  header may be
-#                      subject to address rewriting and may  affect
-#                      the  way  that  Postfix adds missing message
+#               o      The replaced text remains part of the  input
+#                      stream.  Unlike  the result from the PREPEND
+#                      action, a replaced  message  header  may  be
+#                      subject  to address rewriting and may affect
+#                      the way that Postfix  adds  missing  message
 #                      headers.
 # 
 #        REJECT optional text...
-#               Reject the  entire  message.  Reply  with  optional
+#               Reject  the  entire  message.  Reply  with optional
 #               text... when the optional text is specified, other-
 #               wise reply with a generic error message.
 # 
-#               Note:  this  action  disables  further  header   or
-#               body_checks  inspection  of the current message and
+#               Note:   this  action  disables  further  header  or
+#               body_checks inspection of the current  message  and
 #               affects all recipients.
 # 
 #               Postfix version 2.3 and later support enhanced sta-
@@ -269,26 +274,26 @@
 #               enhanced status code of "5.7.1".
 # 
 #        WARN optional text...
-#               Log  a  warning with the optional text... (or log a
-#               generic message) and inspect the next  input  line.
+#               Log a warning with the optional text... (or  log  a
+#               generic  message)  and inspect the next input line.
 #               This action is useful for debugging and for testing
 #               a pattern before applying more drastic actions.
 # 
 # BUGS
-#        Many people overlook the main limitations  of  header  and
-#        body_checks  rules.   These  rules  operate on one logical
-#        message header or one body line at a time, and a  decision
-#        made  for  one  line is not carried over to the next line.
+#        Many  people  overlook  the main limitations of header and
+#        body_checks rules.  These rules  operate  on  one  logical
+#        message  header or one body line at a time, and a decision
+#        made for one line is not carried over to  the  next  line.
 #        If text in the message body is encoded (RFC 2045) then the
-#        rules  have  to specified for the encoded form.  Likewise,
+#        rules have to specified for the encoded  form.   Likewise,
 #        when message headers are encoded (RFC 2047) then the rules
 #        need to be specified for the encoded form.
 # 
-#        Message  headers added by the cleanup(8) daemon itself are
+#        Message headers added by the cleanup(8) daemon itself  are
 #        excluded from inspection. Examples of such message headers
 #        are From:, To:, Message-ID:, Date:.
 # 
-#        Message  headers  deleted by the cleanup(8) daemon will be
+#        Message headers deleted by the cleanup(8) daemon  will  be
 #        examined before they are deleted. Examples are: Bcc:, Con-
 #        tent-Length:, Return-Path:.
 # 
@@ -296,11 +301,11 @@
 #        body_checks
 #               Lookup tables with content filter rules for message
 #               body lines.  These filters see one physical line at
-#               a  time,  in  chunks  of at most $line_length_limit
+#               a time, in chunks  of  at  most  $line_length_limit
 #               bytes.
 # 
 #        body_checks_size_limit
-#               The amount of  content  per  message  body  segment
+#               The  amount  of  content  per  message body segment
 #               (attachment) that is subjected to $body_checks fil-
 #               tering.
 # 
@@ -310,32 +315,32 @@
 # 
 #        nested_header_checks (default: $header_checks)
 #               Lookup tables with content filter rules for message
-#               header  lines:  respectively,  these are applied to
-#               the initial message  headers  (not  including  MIME
-#               headers),  to the MIME headers anywhere in the mes-
-#               sage, and to the initial headers of  attached  mes-
+#               header lines: respectively, these  are  applied  to
+#               the  initial  message  headers  (not including MIME
+#               headers), to the MIME headers anywhere in the  mes-
+#               sage,  and  to the initial headers of attached mes-
 #               sages.
 # 
-#               Note:  these filters see one logical message header
-#               at a time, even when a message header spans  multi-
-#               ple  lines.  Message  headers  that are longer than
+#               Note: these filters see one logical message  header
+#               at  a time, even when a message header spans multi-
+#               ple lines. Message headers  that  are  longer  than
 #               $header_size_limit characters are truncated.
 # 
 #        disable_mime_input_processing
-#               While receiving mail, give no special treatment  to
-#               MIME  related  message  headers; all text after the
+#               While  receiving mail, give no special treatment to
+#               MIME related message headers; all  text  after  the
 #               initial message headers is considered to be part of
-#               the  message body. This means that header_checks is
-#               applied to all the  initial  message  headers,  and
+#               the message body. This means that header_checks  is
+#               applied  to  all  the  initial message headers, and
 #               that body_checks is applied to the remainder of the
 #               message.
 # 
-#               Note: when used in this  manner,  body_checks  will
-#               process  a  multi-line message header one line at a
+#               Note:  when  used  in this manner, body_checks will
+#               process a multi-line message header one line  at  a
 #               time.
 # 
 # EXAMPLES
-#        Header pattern to block attachments  with  bad  file  name
+#        Header  pattern  to  block  attachments with bad file name
 #        extensions.
 # 
 #        /etc/postfix/main.cf:
@@ -367,7 +372,7 @@
 #        RFC 2047, message header encoding for non-ASCII text
 # 
 # README FILES
-#        Use "postconf readme_directory" or  "postconf  html_direc-
+#        Use  "postconf  readme_directory" or "postconf html_direc-
 #        tory" to locate this information.
 #        DATABASE_README, Postfix lookup table overview
 #        CONTENT_INSPECTION_README, Postfix content inspection overview
@@ -375,7 +380,7 @@
 #        BACKSCATTER_README, blocking returned forged mail
 # 
 # LICENSE
-#        The  Secure  Mailer  license must be distributed with this
+#        The Secure Mailer license must be  distributed  with  this
 #        software.
 # 
 # AUTHOR(S)
diff --git a/postfix/conf/post-install b/postfix/conf/post-install
index 27d6ac2bd..6620d6322 100644
--- a/postfix/conf/post-install
+++ b/postfix/conf/post-install
@@ -586,18 +586,9 @@ EOF
 
     # Turn on safety nets for new features that could bounce mail that
     # would be accepted by a previous Postfix version.
-    # This safety net is also documented in LOCAL_RECIPIENT_README.
 
-#    unknown_local=unknown_local_recipient_reject_code
-#    has_lrm=`$POSTCONF -c $config_directory -n local_recipient_maps`
-#    has_lrjc=`$POSTCONF -c $config_directory -n $unknown_local`
-#
-#    if [ -z "$has_lrm" -a -z "$has_lrjc" ]
-#    then
-#	echo SAFETY: editing main.cf, setting $unknown_local=450.
-#	echo See the LOCAL_RECIPIENT_README file for details.
-#	$POSTCONF -c $config_directory -e "$unknown_local = 450" || exit 1
-#    fi
+    # [The "unknown_local_recipient_reject_code = 450" safety net,
+    # introduced with Postfix 2.0 and deleted after Postfix 2.3.]
 
     # Add missing proxymap service to master.cf.
 
diff --git a/postfix/conf/relocated b/postfix/conf/relocated
index ba018e5bc..5c602103d 100644
--- a/postfix/conf/relocated
+++ b/postfix/conf/relocated
@@ -15,8 +15,8 @@
 #        file that serves as input to the postmap(1) command.   The
 #        result,  an  indexed file in dbm or db format, is used for
 #        fast searching by the mail  system.  Execute  the  command
-#        "postmap  /etc/postfix/relocated"  in order to rebuild the
-#        indexed file after changing the relocated table.
+#        "postmap  /etc/postfix/relocated"  to  rebuild  an indexed
+#        file after changing the corresponding relocated table.
 # 
 #        When the table is provided via other means  such  as  NIS,
 #        LDAP  or  SQL,  the  same lookups are done as for ordinary
@@ -25,9 +25,9 @@
 #        Alternatively, the table can be  provided  as  a  regular-
 #        expression map where patterns are given as regular expres-
 #        sions, or lookups can be directed to TCP-based server.  In
-#        that  case,  the  lookups are done in a slightly different
+#        those  case,  the lookups are done in a slightly different
 #        way as described below under "REGULAR  EXPRESSION  TABLES"
-#        and "TCP-BASED TABLES".
+#        or "TCP-BASED TABLES".
 # 
 #        Table lookups are case insensitive.
 # 
@@ -85,7 +85,7 @@
 #        regexp_table(5) or pcre_table(5). For a description of the
 #        TCP client/server table lookup protocol, see tcp_table(5).
 #        This feature is not available up to and including  Postfix
-#        version 2.3.
+#        version 2.4.
 # 
 #        Each  pattern  is  a regular expression that is applied to
 #        the entire address being looked up. Thus, user@domain mail
@@ -106,7 +106,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.3.
+#        Postfix version 2.4.
 # 
 #        Each lookup operation uses the entire address once.  Thus,
 #        user@domain mail addresses are not broken  up  into  their
diff --git a/postfix/conf/transport b/postfix/conf/transport
index da6e0ef40..2a6fa3795 100644
--- a/postfix/conf/transport
+++ b/postfix/conf/transport
@@ -49,8 +49,8 @@
 #        file that serves as input to the postmap(1) command.   The
 #        result,  an  indexed file in dbm or db format, is used for
 #        fast searching by the mail  system.  Execute  the  command
-#        "postmap  /etc/postfix/transport"  in order to rebuild the
-#        indexed file after changing the transport table.
+#        "postmap  /etc/postfix/transport"  to  rebuild  an indexed
+#        file after changing the corresponding transport table.
 # 
 #        When the table is provided via other means  such  as  NIS,
 #        LDAP  or  SQL,  the  same lookups are done as for ordinary
@@ -59,9 +59,9 @@
 #        Alternatively, the table can be  provided  as  a  regular-
 #        expression map where patterns are given as regular expres-
 #        sions, or lookups can be directed to TCP-based server.  In
-#        that  case,  the  lookups are done in a slightly different
+#        those  case,  the lookups are done in a slightly different
 #        way as described below under "REGULAR  EXPRESSION  TABLES"
-#        and "TCP-BASED TABLES".
+#        or "TCP-BASED TABLES".
 # 
 # CASE FOLDING
 #        The  search  string is folded to lowercase before database
@@ -237,7 +237,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.3.
+#        Postfix version 2.4.
 # 
 #        Each  lookup  operation  uses the entire recipient address
 #        once.  Thus, some.domain.hierarchy is not  looked  up  via
@@ -271,6 +271,7 @@
 # README FILES
 #        Use  "postconf  readme_directory" or "postconf html_direc-
 #        tory" to locate this information.
+#        ADDRESS_REWRITING_README, address rewriting guide
 #        DATABASE_README, Postfix lookup table overview
 #        FILTER_README, external content filter
 # 
diff --git a/postfix/conf/virtual b/postfix/conf/virtual
index 64e2a26fa..6e4ca70d5 100644
--- a/postfix/conf/virtual
+++ b/postfix/conf/virtual
@@ -42,8 +42,8 @@
 #        text  file that serves as input to the postmap(1) command.
 #        The result, an indexed file in dbm or db format,  is  used
 #        for fast searching by the mail system. Execute the command
-#        "postmap /etc/postfix/virtual" in  order  to  rebuild  the
-#        indexed file after changing the text file.
+#        "postmap /etc/postfix/virtual" to rebuild an indexed  file
+#        after changing the corresponding text file.
 # 
 #        When  the  table  is provided via other means such as NIS,
 #        LDAP or SQL, the same lookups are  done  as  for  ordinary
@@ -52,9 +52,9 @@
 #        Alternatively,  the  table  can  be provided as a regular-
 #        expression map where patterns are given as regular expres-
 #        sions,  or lookups can be directed to TCP-based server. In
-#        that case, the lookups are done in  a  slightly  different
+#        those case, the lookups are done in a  slightly  different
 #        way  as  described below under "REGULAR EXPRESSION TABLES"
-#        and "TCP-BASED TABLES".
+#        or "TCP-BASED TABLES".
 # 
 # CASE FOLDING
 #        The search string is folded to lowercase  before  database
@@ -103,15 +103,22 @@
 #               Redirect mail for other users in domain to address.
 #               This form has the lowest precedence.
 # 
+#               Note:  @domain  is a wild-card. With this form, the
+#               Postfix SMTP server accepts mail for any  recipient
+#               in  domain,  regardless  of  whether that recipient
+#               exists.  This may turn  your  mail  system  into  a
+#               backscatter  source that returns undeliverable spam
+#               to innocent people.
+# 
 # RESULT ADDRESS REWRITING
 #        The lookup result is subject to address rewriting:
 # 
-#        o      When  the  result  has  the  form @otherdomain, the
-#               result becomes the same user in otherdomain.   This
+#        o      When the result  has  the  form  @otherdomain,  the
+#               result  becomes the same user in otherdomain.  This
 #               works only for the first address in a multi-address
 #               lookup result.
 # 
-#        o      When "append_at_myorigin=yes", append  "@$myorigin"
+#        o      When  "append_at_myorigin=yes", append "@$myorigin"
 #               to addresses without "@domain".
 # 
 #        o      When "append_dot_mydomain=yes", append ".$mydomain"
@@ -119,29 +126,29 @@
 # 
 # ADDRESS EXTENSION
 #        When a mail address localpart contains the optional recip-
-#        ient  delimiter  (e.g., user+foo@domain), the lookup order
+#        ient delimiter (e.g., user+foo@domain), the  lookup  order
 #        becomes: user+foo@domain, user@domain, user+foo, user, and
 #        @domain.
 # 
-#        The   propagate_unmatched_extensions   parameter  controls
-#        whether an unmatched address extension  (+foo)  is  propa-
+#        The  propagate_unmatched_extensions   parameter   controls
+#        whether  an  unmatched  address extension (+foo) is propa-
 #        gated to the result of table lookup.
 # 
 # VIRTUAL ALIAS DOMAINS
-#        Besides  virtual aliases, the virtual alias table can also
+#        Besides virtual aliases, the virtual alias table can  also
 #        be used to implement virtual alias domains. With a virtual
-#        alias  domain,  all  recipient  addresses  are  aliased to
+#        alias domain,  all  recipient  addresses  are  aliased  to
 #        addresses in other domains.
 # 
 #        Virtual alias domains are not to be confused with the vir-
 #        tual mailbox domains that are implemented with the Postfix
 #        virtual(8)  mail  delivery  agent.  With  virtual  mailbox
-#        domains,  each recipient address can have its own mailbox.
+#        domains, each recipient address can have its own  mailbox.
 # 
-#        With a virtual alias domain, the virtual  domain  has  its
-#        own  user  name  space. Local (i.e. non-virtual) usernames
-#        are not visible in a virtual alias domain. In  particular,
-#        local  aliases(5)  and local mailing lists are not visible
+#        With  a  virtual  alias domain, the virtual domain has its
+#        own user name space. Local  (i.e.  non-virtual)  usernames
+#        are  not visible in a virtual alias domain. In particular,
+#        local aliases(5) and local mailing lists are  not  visible
 #        as localname@virtual-alias.domain.
 # 
 #        Support for a virtual alias domain looks like:
@@ -149,8 +156,8 @@
 #        /etc/postfix/main.cf:
 #            virtual_alias_maps = hash:/etc/postfix/virtual
 # 
-#            Note: some systems use dbm databases instead of  hash.
-#            See  the output from "postconf -m" for available data-
+#            Note:  some systems use dbm databases instead of hash.
+#            See the output from "postconf -m" for available  data-
 #            base types.
 # 
 #        /etc/postfix/virtual:
@@ -159,95 +166,95 @@
 #            user1@virtual-alias.domain   address1
 #            user2@virtual-alias.domain   address2, address3
 # 
-#        The virtual-alias.domain anything entry is required for  a
+#        The  virtual-alias.domain anything entry is required for a
 #        virtual alias domain. Without this entry, mail is rejected
-#        with "relay access denied", or bounces  with  "mail  loops
+#        with  "relay  access  denied", or bounces with "mail loops
 #        back to myself".
 # 
-#        Do  not  specify virtual alias domain names in the main.cf
+#        Do not specify virtual alias domain names in  the  main.cf
 #        mydestination or relay_domains configuration parameters.
 # 
-#        With a virtual  alias  domain,  the  Postfix  SMTP  server
-#        accepts   mail  for  known-user@virtual-alias.domain,  and
-#        rejects  mail  for  unknown-user@virtual-alias.domain   as
+#        With  a  virtual  alias  domain,  the  Postfix SMTP server
+#        accepts  mail  for  known-user@virtual-alias.domain,   and
+#        rejects   mail  for  unknown-user@virtual-alias.domain  as
 #        undeliverable.
 # 
-#        Instead  of  specifying  the virtual alias domain name via
-#        the virtual_alias_maps table, you may also specify it  via
+#        Instead of specifying the virtual alias  domain  name  via
+#        the  virtual_alias_maps table, you may also specify it via
 #        the main.cf virtual_alias_domains configuration parameter.
-#        This latter parameter uses the same syntax as the  main.cf
+#        This  latter parameter uses the same syntax as the main.cf
 #        mydestination configuration parameter.
 # 
 # REGULAR EXPRESSION TABLES
-#        This  section  describes how the table lookups change when
+#        This section describes how the table lookups  change  when
 #        the table is given in the form of regular expressions. For
-#        a  description  of regular expression lookup table syntax,
+#        a description of regular expression lookup  table  syntax,
 #        see regexp_table(5) or pcre_table(5).
 # 
-#        Each pattern is a regular expression that  is  applied  to
+#        Each  pattern  is  a regular expression that is applied to
 #        the entire address being looked up. Thus, user@domain mail
-#        addresses are not broken up into their  user  and  @domain
+#        addresses  are  not  broken up into their user and @domain
 #        constituent parts, nor is user+foo broken up into user and
 #        foo.
 # 
-#        Patterns are applied in the order as specified in the  ta-
-#        ble,  until  a  pattern  is  found that matches the search
+#        Patterns  are applied in the order as specified in the ta-
+#        ble, until a pattern is  found  that  matches  the  search
 #        string.
 # 
-#        Results are the same as with indexed  file  lookups,  with
-#        the  additional feature that parenthesized substrings from
+#        Results  are  the  same as with indexed file lookups, with
+#        the additional feature that parenthesized substrings  from
 #        the pattern can be interpolated as $1, $2 and so on.
 # 
 # TCP-BASED TABLES
-#        This section describes how the table lookups  change  when
+#        This  section  describes how the table lookups change when
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.3.
+#        Postfix version 2.4.
 # 
 #        Each lookup operation uses the entire address once.  Thus,
-#        user@domain  mail  addresses  are not broken up into their
+#        user@domain mail addresses are not broken  up  into  their
 #        user and @domain constituent parts, nor is user+foo broken
 #        up into user and foo.
 # 
 #        Results are the same as with indexed file lookups.
 # 
 # BUGS
-#        The  table format does not understand quoting conventions.
+#        The table format does not understand quoting  conventions.
 # 
 # CONFIGURATION PARAMETERS
-#        The following main.cf parameters are  especially  relevant
-#        to  this  topic.  See  the Postfix main.cf file for syntax
-#        details and for default values. Use the  "postfix  reload"
+#        The  following  main.cf parameters are especially relevant
+#        to this topic. See the Postfix  main.cf  file  for  syntax
+#        details  and  for default values. Use the "postfix reload"
 #        command after a configuration change.
 # 
 #        virtual_alias_maps
 #               List of virtual aliasing tables.
 # 
 #        virtual_alias_domains
-#               List  of  virtual alias domains. This uses the same
+#               List of virtual alias domains. This uses  the  same
 #               syntax as the mydestination parameter.
 # 
 #        propagate_unmatched_extensions
-#               A list of address rewriting  or  forwarding  mecha-
-#               nisms  that propagate an address extension from the
-#               original address to the result.   Specify  zero  or
-#               more   of   canonical,   virtual,  alias,  forward,
+#               A  list  of  address rewriting or forwarding mecha-
+#               nisms that propagate an address extension from  the
+#               original  address  to  the result.  Specify zero or
+#               more  of  canonical,   virtual,   alias,   forward,
 #               include, or generic.
 # 
 #        Other parameters of interest:
 # 
 #        inet_interfaces
-#               The network interface addresses  that  this  system
+#               The  network  interface  addresses that this system
 #               receives mail on.  You need to stop and start Post-
 #               fix when this parameter changes.
 # 
 #        mydestination
-#               List of domains that  this  mail  system  considers
+#               List  of  domains  that  this mail system considers
 #               local.
 # 
 #        myorigin
-#               The  domain  that  is  appended to any address that
+#               The domain that is appended  to  any  address  that
 #               does not have a domain.
 # 
 #        owner_request_special
@@ -266,14 +273,14 @@
 #        canonical(5), canonical address mapping
 # 
 # README FILES
-#        Use  "postconf  readme_directory" or "postconf html_direc-
+#        Use "postconf readme_directory" or  "postconf  html_direc-
 #        tory" to locate this information.
-#        DATABASE_README, Postfix lookup table overview
 #        ADDRESS_REWRITING_README, address rewriting guide
+#        DATABASE_README, Postfix lookup table overview
 #        VIRTUAL_README, domain hosting guide
 # 
 # LICENSE
-#        The Secure Mailer license must be  distributed  with  this
+#        The  Secure  Mailer  license must be distributed with this
 #        software.
 # 
 # AUTHOR(S)
diff --git a/postfix/html/ADDRESS_VERIFICATION_README.html b/postfix/html/ADDRESS_VERIFICATION_README.html
index 7f6ab85ca..0f14fb030 100644
--- a/postfix/html/ADDRESS_VERIFICATION_README.html
+++ b/postfix/html/ADDRESS_VERIFICATION_README.html
@@ -21,7 +21,8 @@
 
 <p> The sender/recipient address verification feature described in this
 document is suitable only for low-traffic sites. It performs poorly
-under high load and may cause your site to be blacklisted by some
+under high load; excessive sender address verification activity may
+even cause your site to be blacklisted by some
 providers. See the "<a href="#limitations">Limitations</a>" section
 below for details. </p>
 
diff --git a/postfix/html/DATABASE_README.html b/postfix/html/DATABASE_README.html
index 84838b569..315fe1c20 100644
--- a/postfix/html/DATABASE_README.html
+++ b/postfix/html/DATABASE_README.html
@@ -54,7 +54,7 @@ documentation: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/postfix/aliases            (local aliasing)
     <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks (content filtering)
     <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport      (routing table)
@@ -364,7 +364,7 @@ described in <a href="tcp_table.5.html">tcp_table(5)</a>. The lookup table name
 where "host" specifies a symbolic hostname or a numeric IP address,
 and "port" specifies a symbolic service name or a numeric port
 number. This protocol is not available up to and including Postfix
-version 2.2.  </dd>
+version 2.4.  </dd>
 
 <dt> <b>unix</b> (read-only) </dt>
 
diff --git a/postfix/html/LDAP_README.html b/postfix/html/LDAP_README.html
index e828b2848..6fe7ef71b 100644
--- a/postfix/html/LDAP_README.html
+++ b/postfix/html/LDAP_README.html
@@ -41,6 +41,8 @@ it to each. </p>
 
 <li><a href="#example_virtual">Example: virtual domains/addresses</a>
 
+<li><a href="#example_group">Example: expanding LDAP groups</a>
+
 <li><a href="#other">Other uses of LDAP lookups</a>
 
 <li><a href="#hmmmm">Notes and things to think about</a>
@@ -124,7 +126,7 @@ option (e.g. '-R') so the executables can find it at runtime. </p>
 <h2><a name="config">Configuring LDAP lookups</a></h2>
 
 <p> In order to use LDAP lookups, define an LDAP source
-as a table lookup in main.cf, for example: </p>
+as a table lookup in <a href="postconf.5.html">main.cf</a>, for example: </p>
 
 <blockquote>
 <pre>
@@ -140,7 +142,7 @@ page. </p>
 <h2><a name="example_alias">Example: local(8) aliases</a></h2>
 
 <p> Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
-aliases. Assume that in main.cf, you have: </p>
+aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have: </p>
 
 <blockquote> 
 <pre>
@@ -152,14 +154,14 @@ aliases. Assume that in main.cf, you have: </p>
 
 <blockquote> 
 <pre>
-server_host = ldap.my.com
-search_base = dc=my, dc=com
+server_host = ldap.example.com
+search_base = dc=example, dc=com
 </pre>
 </blockquote> 
 
 <p> Upon receiving mail for a local address "ldapuser" that isn't
 found in the /etc/aliases database, Postfix will search the LDAP
-server listening at port 389 on ldap.my.com. It will bind anonymously,
+server listening at port 389 on ldap.example.com. It will bind anonymously,
 search for any directory entries whose mailacceptinggeneralid
 attribute is "ldapuser", read the "maildrop" attributes of those
 found, and build a list of their maildrops, which will be treated
@@ -176,7 +178,7 @@ of your virtual recipient's mailacceptinggeneralid attributes are
 fully qualified with their virtual domains. Finally, if you want
 to designate a directory entry as the default user for a virtual
 domain, just give it an additional mailacceptinggeneralid (or the
-equivalent in your directory) of "@virtual.dom". That's right, no
+equivalent in your directory) of "@fake.dom". That's right, no
 user part. If you don't want a catchall user, omit this step and
 mail to unknown users in the domain will simply bounce. </p>
 
@@ -212,12 +214,221 @@ go to this entry ... </p>
 <a href="QSHAPE_README.html#maildrop_queue">maildrop</a>, e.g. "normaluser@fake.dom" and "normaluser@real.dom".
 </p>
 
+<h2><a name="example_group">Example: expanding LDAP groups</a></h2>
+
+<p> LDAP is frequently used to store group member information, and Postfix
+supports expanding a group's email address to the list of email addresses
+of the group members. There are a number of ways of handling LDAP groups,
+which will be illustrated via the mock LDAP entries and implied schema
+below.  This shows two group entries "agroup" and "bgroup" and four
+user entries "auser", "buser", "cuser" and "duser". The group "agroup"
+has the users "auser" (1) and "buser" (2) as members via DN references
+in the multi-valued attribute "memberdn", and direct email addresses of
+two external users "auser@example.org" (3) and "buser@example.org" (4)
+stored in the multi-valued attribute "memberaddr".  The same is true of
+"bgroup" and "cuser"/"duser" (6)/(7)/(8)/(9), but "bgroup" also has a
+"maildrop" attribute of "bgroup@mlm.example.com" (5): </p>
+
+<blockquote> 
+<pre>
+     dn: cn=agroup, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapgroup
+     cn: agroup
+     mail: agroup@example.com
+1 -&gt; memberdn: uid=auser, dc=example, dc=com
+2 -&gt; memberdn: uid=buser, dc=example, dc=com
+3 -&gt; memberaddr: auser@example.org
+4 -&gt; memberaddr: buser@example.org
+</pre>
+<br>
+
+<pre>
+     dn: cn=bgroup, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapgroup
+     cn: bgroup
+     mail: bgroup@example.com
+5 -&gt; maildrop: bgroup@mlm.example.com
+6 -&gt; memberdn: uid=cuser, dc=example, dc=com
+7 -&gt; memberdn: uid=duser, dc=example, dc=com
+8 -&gt; memberaddr: cuser@example.org
+9 -&gt; memberaddr: duser@example.org
+</pre>
+<br>
+
+<pre>
+     dn: uid=auser, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapuser
+     uid: auser
+10 -&gt; mail: auser@example.com
+11 -&gt; maildrop: auser@mailhub.example.com
+</pre>
+<br>
+
+<pre>
+     dn: uid=buser, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapuser
+     uid: buser
+12 -&gt; mail: buser@example.com
+13 -&gt; maildrop: buser@mailhub.example.com
+</pre>
+<br>
+
+<pre>
+     dn: uid=cuser, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapuser
+     uid: cuser
+14 -&gt; mail: cuser@example.com
+</pre>
+<br>
+
+<pre>
+     dn: uid=duser, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapuser
+     uid: duser
+15 -&gt; mail: duser@example.com
+</pre>
+<br>
+
+</blockquote> 
+
+<p> Our first use case ignores the "memberdn" attributes, and assumes
+that groups hold only direct "memberaddr" strings as in (3), (4), (8) and
+(9). The goal is to map the group address to the list of constituent
+"memberaddr" values. This is simple, ignoring the various connection
+related settings (hosts, ports, bind settings, timeouts, ...) we have:
+</p>
+
+<blockquote> 
+<pre>
+    simple.cf:
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = memberaddr
+    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:simple.cf
+    auser@example.org,buser@example.org
+</pre>
+</blockquote> 
+
+<p> We search "dc=example, dc=com". The "mail" attribute is used in the
+query_filter to locate the right group, the "result_attribute" setting
+described in <a href="ldap_table.5.html">ldap_table(5)</a> is used to specify that "memberaddr" values
+from the matching group are to be returned as a comma separated list.
+Always check tables using <a href="postmap.1.html">postmap(1)</a> with the "-q" option, before
+deploying them into production use in <a href="postconf.5.html">main.cf</a>. </p>
+
+<p> Our second use case also expands "memberdn" attributes (1), (2),
+(6) and (7), follows the DN references and returns the "maildrop" of the
+referenced user entries. Here we use the "special_result_attribute"
+setting from <a href="ldap_table.5.html">ldap_table(5)</a> to designate the "memberdn" attribute
+as holding DNs of the desired member entries. The "result_attribute"
+setting selects which attributes are returned from the selected DNs. It
+is important to choose a result attribute that is not also present in
+the group object, because result attributes are collected from both
+the group and the member DNs. In this case we choose "maildrop" and
+assume for the moment that groups never have a "maildrop" (the "bgroup"
+"maildrop" attribute is for a different use case). The returned data for
+"auser" and "buser" is from items (11) and (13) in the mock data. </p>
+
+<blockquote> 
+<pre>
+    special.cf:
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = memberaddr, maildrop
+        special_result_attribute = memberdn
+    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:special.cf
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+</pre>
+</blockquote> 
+
+<p> Note: if the desired member object result attribute is always also
+present in the group, you get suprising results, the expansion also
+returns the address of the group. This is a known limitation of Postfix
+releases prior to 2.4, and is addressed in the new with Postfix 2.4
+"leaf_result_attribute" feature described in <a href="ldap_table.5.html">ldap_table(5)</a>. </p>
+
+<p> Our third use case has some groups that are expanded immediately,
+and other groups that are forwarded to a dedicated mailing list manager
+host for delayed expansion. This uses two LDAP tables, one for users
+and forwarded groups and a second for groups that can be expanded
+immediately. It is assumed that groups that require forwarding are
+never nested members of groups that are directly expanded. </p>
+
+<blockquote> 
+<pre>
+    no_expand.cf:
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = maildrop
+    expand.cf
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = memberaddr, maildrop
+        special_result_attribute = memberdn
+    $ postmap -q auser@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
+    auser@mailhub.example.com
+    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+    $ postmap -q bgroup@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
+    bgroup@mlm.example.com
+</pre>
+</blockquote> 
+
+<p> Non-group objects and groups with delayed expansion (those that have a
+maildrop attribute) are rewritten to a single maildrop value. Groups that
+don't have a maildrop are expanded as the second use case. This admits
+a more elegant solution with Postfix 2.4 and later. </p>
+
+<p> Our final use case is the same as the third, but this time uses new
+features in Postfix 2.4. We now are able to use just one LDAP table and
+no longer need to assume that forwarded groups are never nested inside
+expanded groups. </p>
+
+<blockquote> 
+<pre>
+    fancy.cf:
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = memberaddr
+        special_result_attribute = memberdn
+        terminal_result_attribute = maildrop
+        leaf_result_attribute = mail
+    $ postmap -q auser@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
+    auser@mailhub.example.com
+    $ postmap -q cuser@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
+    cuser@example.com
+    $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+    $ postmap -q bgroup@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
+    bgroup@mlm.example.com
+</pre>
+</blockquote> 
+
+<p> Above, delayed expansion is enabled via "terminal_result_attribute",
+which, if present, is used as the sole result and all other expansion is
+suppressed. Otherwise, the "leaf_result_attribute" is only returned for
+leaf objects that don't have a "special_result_attribute" (non-groups),
+while the "result_attribute" (direct member address of groups) is returned
+at every level of recursive expansion, not just the leaf nodes. This fancy
+example illustrates all the features of Postfix 2.4 group expansion. </p>
+
 <h2><a name="other">Other uses of LDAP lookups</a></h2>
 
 Other common uses for LDAP lookups include rewriting senders and
 recipients with Postfix's canonical lookups, for example in order
 to make mail leaving your site appear to be coming from
-"First.Last@site.dom" instead of "userid@site.dom".
+"First.Last@example.com" instead of "userid@example.com".
 
 <h2><a name="hmmmm">Notes and things to think about</a></h2>
 
@@ -240,9 +451,9 @@ to make mail leaving your site appear to be coming from
 
 <blockquote>
 <pre>
-dn: cn=Accounting Staff List, dc=my, dc=com
+dn: cn=Accounting Staff List, dc=example, dc=com
 cn: Accounting Staff List
-o: my.com
+o: example.com
 objectclass: maillist
 mailacceptinggeneralid: accountingstaff
 mailacceptinggeneralid: accounting-staff
@@ -341,7 +552,7 @@ contents, please include the applicable bits of some directory entries. </p>
             external files (<a href="ldap_table.5.html">ldap</a>:/path/ldap.cf) needed to securely store
             passwords for plain auth.
 
-<li>Liviu Daia revised the configuration interface and added the main.cf
+<li>Liviu Daia revised the configuration interface and added the <a href="postconf.5.html">main.cf</a>
     configuration feature.</li>
     
 <li>Liviu Daia with further refinements from Jose Luis Tallon and
diff --git a/postfix/html/QSHAPE_README.html b/postfix/html/QSHAPE_README.html
index c15d95efd..905bc5ebb 100644
--- a/postfix/html/QSHAPE_README.html
+++ b/postfix/html/QSHAPE_README.html
@@ -19,17 +19,11 @@
 
 <h2>Purpose of this document </h2>
 
-<p> This document describes the <a href="qshape.1.html">qshape(1)</a> program which helps the
-administrator understand the Postfix queue message distribution
-sorted by time and by sender or recipient domain. <a href="qshape.1.html">qshape(1)</a> is
-bundled with the Postfix 2.1 source under the "auxiliary" directory.
-</p>
-
-<p> In order to understand the output of <a href="qshape.1.html">qshape(1)</a>, it useful to
-understand the various Postfix queues. To this end the role of each
-Postfix queue directory is described briefly in the "Background
-info:  Postfix queue directories" section near the end of this
-document.  </p>
+<p> This document is an introduction to Postfix queue congestion analysis.
+It explains how the <a href="qshape.1.html">qshape(1)</a> program can help to track down the
+reason for queue congestion.  <a href="qshape.1.html">qshape(1)</a> is bundled with Postfix
+2.1 and later source code, under the "auxiliary" directory. This
+document describes <a href="qshape.1.html">qshape(1)</a> as bundled with Postfix 2.4.  </p>
 
 <p> This document covers the following topics: </p>
 
@@ -49,7 +43,7 @@ queue</a></li>
 
 <li><a href="#backlog">Example 4: High volume destination backlog</a>
 
-<li><a href="#queues">Background info: Postfix queue directories</a>
+<li><a href="#queues">Postfix queue directories</a>
 
 <ul>
 
@@ -71,7 +65,6 @@ queue</a></li>
 
 <h2><a name="qshape">Introducing the qshape tool</a></h2>
 
-
 <p> When mail is draining slowly or the queue is unexpectedly large,
 run <a href="qshape.1.html">qshape(1)</a> as the super-user (root) to help zero in on the problem.
 The <a href="qshape.1.html">qshape(1)</a> program displays a tabular view of the Postfix queue
@@ -124,6 +117,12 @@ minutes old and 12 older than 1280 minutes (1440 minutes in a day).
 
 </ul>
 
+<p> When the output is a terminal intermediate results showing the top 20
+domains (-n option) are displayed after every 1000 messages (-N option)
+and the final output also shows only the top 20 domains. This makes
+qshape useful even when the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> is very large and it may
+otherwise take prohibitively long to read the entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. </p>
+
 <p> By default, qshape shows statistics for the union of both the
 <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a> which are the most relevant queues to
 look at when analyzing performance. </p>
@@ -132,8 +131,8 @@ look at when analyzing performance. </p>
 
 <blockquote>
 <pre>
-$ qshape deferred | less
-$ qshape incoming active deferred | less
+$ qshape deferred
+$ qshape incoming active deferred
 </pre>
 </blockquote>
 
@@ -157,11 +156,11 @@ a burst of mail started, and when it stopped. </p>
 <p> The problem destinations or sender domains appear near the top
 left corner of the output table. Remember that the <a href="QSHAPE_README.html#active_queue">active queue</a>
 can accommodate up to 20000 ($<a href="postconf.5.html#qmgr_message_active_limit">qmgr_message_active_limit</a>) messages.
-To check wether this limit has been reached, use: </p>
+To check whether this limit has been reached, use: </p>
 
 <blockquote>
 <pre>
-$ qshape -s active | head       <i>(show sender statistics)</i>
+$ qshape -s active       <i>(show sender statistics)</i>
 </pre>
 </blockquote>
 
@@ -169,13 +168,13 @@ $ qshape -s active | head       <i>(show sender statistics)</i>
 not yet saturated, any high volume sender domains show near the
 top of the output.
 
-<p> The <a href="QSHAPE_README.html#active_queue">active queue</a> is also limited to at most 20000 recipient
-addresses ($<a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>). To check for exhaustion
-of this limit use: </p>
+<p> With <a href="qmgr.8.html">oqmgr(8)</a> the <a href="QSHAPE_README.html#active_queue">active queue</a> is also limited to at most 20000
+recipient addresses ($<a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>). To check for
+exhaustion of this limit use: </p>
 
 <blockquote>
 <pre>
-$ qshape active | head          <i>(show recipient statistics)</i>
+$ qshape active          <i>(show recipient statistics)</i>
 </pre>
 </blockquote>
 
@@ -381,14 +380,17 @@ queue congestion is a greater cause for alarm; one might need to
 take measures to ensure that the mail is deferred instead or even
 add an <a href="access.5.html">access(5)</a> rule asking the sender to try again later. </p>
 
-<p> If a high volume destination exhibits frequent bursts of
-consecutive connections refused by all MX hosts or "421 Server busy
-errors", it is possible for the queue manager to mark the destination
-as "dead" despite the transient nature of the errors. The destination
-will be retried again after the expiration of a $<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>
-timer.  If the error bursts are frequent enough it may be that only
-a small quantity of email is delivered before the destination is
-again marked "dead". </p>
+<p> If a high volume destination exhibits frequent bursts of consecutive
+connections refused by all MX hosts or "421 Server busy errors", it
+is possible for the queue manager to mark the destination as "dead"
+despite the transient nature of the errors. The destination will be
+retried again after the expiration of a $<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> timer.
+If the error bursts are frequent enough it may be that only a small
+quantity of email is delivered before the destination is again marked
+"dead". In some cases enabling static (not on demand) connection
+caching by listing the appropriate nexthop domain in a table included in
+"<a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a>" may help to reduce the error rate,
+because most messages will re-use existing connections. </p>
 
 <p> The MTA that has been observed most frequently to exhibit such
 bursts of errors is Microsoft Exchange, which refuses connections
@@ -396,47 +398,44 @@ under load. Some proxy virus scanners in front of the Exchange
 server propagate the refused connection to the client as a "421"
 error. </p>
 
-<p> Note that it is now possible to configure Postfix to exhibit
-similarly erratic behavior by misconfiguring the <a href="anvil.8.html">anvil(8)</a> server
-(not included in Postfix 2.1.). Do not use <a href="anvil.8.html">anvil(8)</a> for steady-state
-rate limiting, its purpose is DoS prevention and the rate limits
-set should be very generous! </p>
+<p> Note that it is now possible to configure Postfix to exhibit similarly
+erratic behavior by misconfiguring the <a href="anvil.8.html">anvil(8)</a> service.  Do not use
+<a href="anvil.8.html">anvil(8)</a> for steady-state rate limiting, its purpose is (unintentional)
+DoS prevention and the rate limits set should be very generous! </p>
 
-<p> In the long run it is hoped that the Postfix dead host detection
-and concurrency control mechanism will be tuned to be more "noise"
-tolerant.  If one finds oneself needing to deliver a high volume
-of mail to a destination that exhibits frequent brief bursts of
-errors, there is a subtle workaround. </p>
+<p> If one finds oneself needing to deliver a high volume of mail to a
+destination that exhibits frequent brief bursts of errors and connection
+caching does not solve the problem, there is a subtle workaround. </p>
 
 <ul>
 
-<li> <p> In master.cf set up a dedicated clone of the "smtp"
+<li> <p> In <a href="master.5.html">master.cf</a> set up a dedicated clone of the "smtp"
 transport for the destination in question. </p>
 
-<li> <p> In master.cf configure a reasonable process limit for the
+<li> <p> In <a href="master.5.html">master.cf</a> configure a reasonable process limit for the
 transport (a number in the 10-20 range is typical). </p>
 
-<li> <p> IMPORTANT!!! In main.cf configure a very large initial
-and destination concurrency limit for this transport (say 200). </p>
+<li> <p> IMPORTANT!!! In <a href="postconf.5.html">main.cf</a> configure a very large initial
+and destination concurrency limit for this transport (say 2000). </p>
 
 <pre>
-/etc/postfix/main.cf:
-    <a href="postconf.5.html#initial_destination_concurrency">initial_destination_concurrency</a> = 200
-    <i>transportname</i>_destination_concurrency_limit = 200
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    <a href="postconf.5.html#initial_destination_concurrency">initial_destination_concurrency</a> = 2000
+    <i>transportname</i>_destination_concurrency_limit = 2000
 </pre>
 
-<p> Where <i>transportname</i> is the name of the master.cf entry
+<p> Where <i>transportname</i> is the name of the <a href="master.5.html">master.cf</a> entry
 in question. </p>
 
 </ul>
 
-<p> The effect of this surprising configuration is that up to 200
+<p> The effect of this surprising configuration is that up to 2000
 consecutive errors are tolerated without marking the destination
 dead, while the total concurrency remains reasonable (10-20
 processes). This trick is only for a very specialized situation:
 high volume delivery into a channel with multi-error bursts
 that is capable of high throughput, but is repeatedly throttled by
-the bursts of errors.
+the bursts of errors. </p>
 
 <p> When a destination is unable to handle the load even after the
 Postfix process limit is reduced to 1, a desperate measure is to
@@ -447,7 +446,7 @@ insert brief delays between delivery attempts. </p>
 <li> <p>  In the transport map entry for the problem destination,
 specify a dead host as the primary nexthop. </p>
 
-<li> <p> In the master.cf entry for the transport specify the
+<li> <p> In the <a href="master.5.html">master.cf</a> entry for the transport specify the
 problem destination as the <a href="postconf.5.html#fallback_relay">fallback_relay</a> and specify a small
 <a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> value. </p>
 
@@ -455,7 +454,7 @@ problem destination as the <a href="postconf.5.html#fallback_relay">fallback_rel
 /etc/postfix/transport:
     problem.example.com  slow:[dead.host]
 
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
     # service type  private unpriv  chroot  wakeup  maxproc command
     slow      unix     -       -       n       -       1    smtp
         -o <a href="postconf.5.html#fallback_relay">fallback_relay</a>=problem.example.com
@@ -472,7 +471,7 @@ updated when SMTP connection caching is introduced.  </p>
 <p> Hopefully a more elegant solution to these problems will be
 found in the future. </p>
 
-<h2><a name="queues">Background info: Postfix queue directories</a></h2>
+<h2><a name="queues">Postfix queue directories</a></h2>
 
 <p> The following sections describe Postfix queues: their purpose,
 what normal behavior looks like, and how to diagnose abnormal
@@ -497,8 +496,8 @@ to notify the <a href="pickup.8.html">pickup(8)</a> service of its arrival. </p>
 <p> All mail that enters the main Postfix queue does so via the
 <a href="cleanup.8.html">cleanup(8)</a> service. The cleanup service is responsible for envelope
 and header rewriting, header and body regular expression checks,
-automatic bcc recipient processing and guaranteed insertion of the
-message into the Postfix "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>. </p>
+automatic bcc recipient processing, milter content processing, and
+reliable insertion of the message into the Postfix "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>. </p>
 
 <p> In the absence of excessive CPU consumption in <a href="cleanup.8.html">cleanup(8)</a> header
 or body regular expression checks or other software consuming all
@@ -514,9 +513,10 @@ one message at a time at a rate that does not exceed the reciprocal
 disk I/O latency (+ CPU if not negligible) of the cleanup service.
 </p>
 
-<p> Congestion in this queue is indicative of an excessive local
-message submission rate or perhaps excessive CPU consumption in
-the <a href="cleanup.8.html">cleanup(8)</a> service due to excessive <a href="postconf.5.html#body_checks">body_checks</a>. </p>
+<p> Congestion in this queue is indicative of an excessive local message
+submission rate or perhaps excessive CPU consumption in the <a href="cleanup.8.html">cleanup(8)</a>
+service due to excessive <a href="postconf.5.html#body_checks">body_checks</a>, or (Postfix &ge; 2.3) high latency
+milters. </p>
 
 <p> Note, that once the <a href="QSHAPE_README.html#active_queue">active queue</a> is full, the cleanup service
 will attempt to slow down message injection by pausing $<a href="postconf.5.html#in_flow_delay">in_flow_delay</a>
@@ -524,10 +524,10 @@ for each message. In this case "<a href="QSHAPE_README.html#maildrop_queue">mail
 a consequence of congestion downstream, rather than a problem in
 its own right. </p>
 
-<p> Note also, that one should not attempt to deliver large volumes
-of mail via the <a href="pickup.8.html">pickup(8)</a> service. High volume sites must avoid
-using content filters that reinject scanned mail via Postfix
-<a href="sendmail.1.html">sendmail(1)</a> and <a href="postdrop.1.html">postdrop(1)</a>. </p>
+<p> Note, you should not attempt to deliver large volumes of mail via
+the <a href="pickup.8.html">pickup(8)</a> service. High volume sites should avoid using "simple"
+content filters that re-inject scanned mail via Postfix <a href="sendmail.1.html">sendmail(1)</a>
+and <a href="postdrop.1.html">postdrop(1)</a>. </p>
 
 <p> A high arrival rate of locally submitted mail may be an indication
 of an uncaught forwarding loop, or a run-away notification program.
@@ -545,20 +545,19 @@ size of the "<a href="QSHAPE_README.html#maildrop_queue">maildrop" queue</a>. </
 <p> The administrator can define "smtpd" <a href="access.5.html">access(5)</a> policies, or
 <a href="cleanup.8.html">cleanup(8)</a> header/body checks that cause messages to be automatically
 diverted from normal processing and placed indefinitely in the
-"<a href="QSHAPE_README.html#hold_queue">hold" queue</a>.  Messages placed in the "hold" queue stay there until
+"<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. Messages placed in the "hold" queue stay there until
 the administrator intervenes. No periodic delivery attempts are
 made for messages in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. The <a href="postsuper.1.html">postsuper(1)</a> command
 can be used to manually release messages into the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>.
 </p>
 
-<p> Messages can potentially stay in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> for a time
-exceeding the normal maximal queue lifetime (after which undelivered
-messages are bounced back to the sender). If such "old" messages
-need to be released from the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>, they should typically
-be moved into the "<a href="QSHAPE_README.html#maildrop_queue">maildrop" queue</a>, so that the message gets a new
-timestamp and is given more than one opportunity to be delivered.
-Messages that are "young" can be moved directly into the "deferred"
-queue. </p>
+<p> Messages can potentially stay in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> longer than
+$<a href="postconf.5.html#maximal_queue_lifetime">maximal_queue_lifetime</a>. If such "old" messages need to be released from
+the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>, they should typically be moved into the "maildrop"
+queue using "postsuper -r", so that the message gets a new timestamp and
+is given more than one opportunity to be delivered.  Messages that are
+"young" can be moved directly into the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> using
+"postsuper -H". </p>
 
 <p> The "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> plays little role in Postfix performance, and
 monitoring of the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> is typically more closely motivated
@@ -589,11 +588,15 @@ messages into the <a href="QSHAPE_README.html#active_queue">active queue</a> as
 
 <p> The <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> grows when the message input rate spikes
 above the rate at which the queue manager can import messages into
-the <a href="QSHAPE_README.html#active_queue">active queue</a>. The main factor slowing down the queue manager
-is transport queries to the trivial-rewrite service. If the queue
+the <a href="QSHAPE_README.html#active_queue">active queue</a>. The main factors slowing down the queue manager
+are disk I/O and lookup queries to the trivial-rewrite service. If the queue
 manager is routinely not keeping up, consider not using "slow"
 lookup services (MySQL, LDAP, ...) for transport lookups or speeding
-up the hosts that provide the lookup service.  </p>
+up the hosts that provide the lookup service.  If the problem is I/O
+starvation, consider striping the queue over more disks, faster controllers
+with a battery write cache, or other hardware improvements. At the very
+least, make sure that the queue directory is mounted with the "noatime"
+option if applicable to the underlying filesystem. </p>
 
 <p> The <a href="postconf.5.html#in_flow_delay">in_flow_delay</a> parameter is used to clamp the input rate
 when the queue manager starts to fall behind. The <a href="cleanup.8.html">cleanup(8)</a> service
@@ -645,26 +648,40 @@ combination; the group size is capped by the transport's recipient
 concurrency limit.  </p>
 
 <p> Multiple recipient groups (from one or more messages) are queued
-for delivery via the common transport/nexthop combination. The
-destination concurrency limit for the transports caps the number
+for delivery grouped by transport/nexthop combination. The
+<b>destination</b> concurrency limit for the transports caps the number
 of simultaneous delivery attempts for each nexthop. Transports with
-a recipient concurrency limit of 1 are special: these are grouped
-by the actual recipient address rather than the nexthop, thereby
-enabling per-recipient concurrency limits rather than per-domain
+a <b>recipient</b> concurrency limit of 1 are special: these are grouped
+by the actual recipient address rather than the nexthop, yielding
+per-recipient concurrency limits rather than per-domain
 concurrency limits. Per-recipient limits are appropriate when
 performing final delivery to mailboxes rather than when relaying
 to a remote server.  </p>
 
 <p> Congestion occurs in the <a href="QSHAPE_README.html#active_queue">active queue</a> when one or more destinations
-drain slower than the corresponding message input rate. If a
-destination is down for some time, the queue manager will mark it
-dead, and immediately defer all mail for the destination without
+drain slower than the corresponding message input rate. </p>
+
+<p> Input into the <a href="QSHAPE_README.html#active_queue">active queue</a> comes both from new mail in the "incoming"
+queue, and retries of mail in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. Should the "deferred"
+queue get really large, retries of old mail can dominate the arrival
+rate of new mail. Systems with more CPU, faster disks and more network
+bandwidth can deal with larger <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>, but as a rule of thumb
+the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scales to somewhere between 100,000 and 1,000,000
+messages with good performance unlikely above that "limit". Systems with
+queues this large should typically stop accepting new mail, or put the
+backlog "on hold" until the underlying issue is fixed (provided that
+there is enough capacity to handle just the new mail). </p>
+
+<p> When a destination is down for some time, the queue manager will
+mark it dead, and immediately defer all mail for the destination without
 trying to assign it to a delivery agent. In this case the messages
-will quickly leave the <a href="QSHAPE_README.html#active_queue">active queue</a> and end up in the deferred
-queue. If the destination is instead simply slow, or there is a
-problem causing an excessive arrival rate the <a href="QSHAPE_README.html#active_queue">active queue</a> will
-grow and will become dominated by mail to the congested destination.
-</p>
+will quickly leave the <a href="QSHAPE_README.html#active_queue">active queue</a> and end up in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>
+(with Postfix &lt; 2.4, this is done directly by the queue manager,
+with Postfix &ge; 2.4 this is done via the "retry" delivery agent). </p>
+
+<p> When the destination is instead simply slow, or there is a problem
+causing an excessive arrival rate the <a href="QSHAPE_README.html#active_queue">active queue</a> will grow and will
+become dominated by mail to the congested destination.  </p>
 
 <p> The only way to reduce congestion is to either reduce the input
 rate or increase the throughput. Increasing the throughput requires
@@ -691,28 +708,56 @@ a high average latency. If the number of outbound SMTP connections
 is draining slowly and the system and network are not loaded, raise
 the "smtp" and/or "relay" process limits!  </p>
 
-<p> Especially for the "relay" transport, consider lower SMTP
-connection timeouts (1-5 seconds) and higher than default destination
-concurrency limits. Compute the expected latency when 1 out of N
-of the MX hosts for a high volume site is down and not responding,
-and make sure that the configured concurrency divided by this
-latency exceeds the required steady-state message rate. If the
-destination is managed by you, consider load balancers in front of
-groups of MX hosts. Load balancers have higher uptime and will be
-able to hide individual MX host failures.  </p>
-
-<p> If necessary, dedicate and tune custom transports for high
-volume destinations.  </p>
-
-<p> Another common cause of congestion is unwarranted flushing of
-the entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. The deferred queue holds messages that
-are likely to fail to be delivered and are also likely to be slow
-to fail delivery (timeouts). This means that the most common reaction
-to a large <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> (flush it!) is more than likely counter-
-productive, and is likely to make the problem worse. Do not flush
-the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> unless you expect that most of its content has
-recently become deliverable (e.g. <a href="postconf.5.html#relayhost">relayhost</a> back up after an outage)!
-</p>
+<p> When a high volume destination is served by multiple MX hosts with
+typically low delivery latency, performance can suffer dramatically when
+one of the MX hosts is unresponsive and SMTP connections to that host
+timeout. For example, if there are 2 equal weight MX hosts, the SMTP
+connection timeout is 30 seconds and one of the MX hosts is down, the
+average SMTP connection will take approximately 15 seconds to complete.
+With a default per-destination concurrency limit of 20 connections,
+throughput falls to just over 1 message per second. </p>
+
+<p> The best way to avoid bottlenecks when one or more MX hosts is
+non-responsive is to use connection caching. Connection caching was
+introduced with Postfix 2.2 and is by default enabled on demand for
+destinations with a backlog of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. When connection
+caching is in effect for a particular destination, established connections
+are re-used to send additional messages, this reduces the number of
+connections made per message delivery and maintains good throughput even
+in the face of partial unavailability of the destination's MX hosts. </p>
+
+<p> If connection caching is not available (Postfix &lt; 2.2) or does
+not provide a sufficient latency reduction, especially for the "relay"
+transport used to forward mail to "your own" domains, consider setting
+lower than default SMTP connection timeouts (1-5 seconds) and higher
+than default destination concurrency limits. This will further reduce
+latency and provide more concurrency to maintain throughput should
+latency rise. </p>
+
+<p> Setting high concurrency limits to domains that are not your own may
+be viewed as hostile by the receiving system, and steps may be taken
+to prevent you from monopolizing the destination system's resources.
+The defensive measures may substantially reduce your throughput or block
+access entirely. Do not set aggressive concurrency limits to remote
+domains without coordinating with the administrators of the target
+domain. </p>
+
+<p> If necessary, dedicate and tune custom transports for selected high
+volume destinations. The "relay" transport is provided for forwarding mail
+to domains for which your server is a primary or backup MX host. These can
+make up a substantial fraction of your email traffic. Use the "relay" and
+not the "smtp" transport to send email to these domains. Using the "relay"
+transport allocates a separate delivery agent pool to these destinations
+and allows separate tuning of timeouts and concurrency limits. </p>
+
+<p> Another common cause of congestion is unwarranted flushing of the
+entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. The deferred queue holds messages that are likely
+to fail to be delivered and are also likely to be slow to fail delivery
+(time out). As a result the most common reaction to a large <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>
+(flush it!) is more than likely counter-productive, and typically makes
+the congestion worse. Do not flush the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> unless you expect
+that most of its content has recently become deliverable (e.g. <a href="postconf.5.html#relayhost">relayhost</a>
+back up after an outage)!  </p>
 
 <p> Note that whenever the queue manager is restarted, there may
 already be messages in the <a href="QSHAPE_README.html#active_queue">active queue</a> directory, but the "real"
@@ -723,7 +768,7 @@ queue scan to refill the <a href="QSHAPE_README.html#active_queue">active queue<
 the messages back and forth, redoing transport table (<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>
 resolve service) lookups, and re-importing the messages back into
 memory is expensive. At all costs, avoid frequent restarts of the
-queue manager.  </p>
+queue manager (e.g. via frequent execution of "postfix reload").  </p>
 
 <h3> <a name="deferred_queue"> The "deferred" queue </a> </h3>
 
@@ -732,20 +777,19 @@ and for some recipients delivery failed for a transient reason (it
 might succeed later), the message is placed in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>.
 </p>
 
-<p> The queue manager scans the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> periodically. The
-scan interval is controlled by the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> parameter.
-While a <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scan is in progress, if an <a href="QSHAPE_README.html#incoming_queue">incoming queue</a>
-scan is also in progress (ideally these are brief since the incoming
-queue should be short), the queue manager alternates between bringing
-a new "incoming" message and a new "deferred" message into the
-queue.  This "round-robin" strategy prevents starvation of either
-the <a href="QSHAPE_README.html#incoming_queue">incoming</a> or the <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>.  </p>
+<p> The queue manager scans the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> periodically. The scan
+interval is controlled by the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> parameter.  While a deferred
+queue scan is in progress, if an <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> scan is also in progress
+(ideally these are brief since the <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> should be short), the
+queue manager alternates between looking for messages in the "incoming"
+queue and in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. This "round-robin" strategy prevents
+starvation of either the <a href="QSHAPE_README.html#incoming_queue">incoming</a> or the <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>.  </p>
 
 <p> Each <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scan only brings a fraction of the deferred
 queue back into the <a href="QSHAPE_README.html#active_queue">active queue</a> for a retry. This is because each
 message in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> is assigned a "cool-off" time when
 it is deferred.  This is done by time-warping the modification
-times of the queue file into the future. The queue file is not
+time of the queue file into the future. The queue file is not
 eligible for a retry if its modification time is not yet reached.
 </p>
 
@@ -756,28 +800,34 @@ within the limits. This means that young messages are initially
 retried more often than old messages.  </p>
 
 <p> If a high volume site routinely has large <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>, it
-may be useful to adjust the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>, <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>
-and <a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a> to provide short enough delays on first
-failure, with perhaps longer delays after multiple failures, to
-reduce the retransmission rate of old messages and thereby reduce
-the quantity of previously deferred mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.  </p>
+may be useful to adjust the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>, <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> and
+<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a> to provide short enough delays on first failure
+(Postfix &ge; 2.4 has a sensibly low minimal backoff time by default),
+with perhaps longer delays after multiple failures, to reduce the
+retransmission rate of old messages and thereby reduce the quantity
+of previously deferred mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.  If you want a really
+low <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>, you may also want to lower <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>,
+but understand that more frequent scans will increase the demand for
+disk I/O. </p>
 
 <p> One common cause of large <a href="QSHAPE_README.html#deferred_queue">deferred queues</a> is failure to validate
 recipients at the SMTP input stage. Since spammers routinely launch
 dictionary attacks from unrepliable sender addresses, the bounces
-for invalid recipient addresses clog the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> (and at
-high volumes proportionally clog the <a href="QSHAPE_README.html#active_queue">active queue</a>). Recipient
-validation is strongly recommended through use of the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>
-and <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> parameters.  </p>
+for invalid recipient addresses clog the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> (and at high
+volumes proportionally clog the <a href="QSHAPE_README.html#active_queue">active queue</a>). Recipient validation
+is strongly recommended through use of the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> and
+<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> parameters. Even when bounces drain quickly they
+inundate innocent victims of forgery with unwanted email. To avoid
+this, do not accept mail for invalid recipients. </p>
 
 <p> When a host with lots of deferred mail is down for some time,
 it is possible for the entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> to reach its retry
 time simultaneously. This can lead to a very full <a href="QSHAPE_README.html#active_queue">active queue</a> once
 the host comes back up. The phenomenon can repeat approximately
 every <a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a> seconds if the messages are again deferred
-after a brief burst of congestion. Ideally, in the future Postfix
+after a brief burst of congestion. Perhaps, a future Postfix release
 will add a random offset to the retry time (or use a combination
-of strategies) to reduce the chances of repeated complete deferred
+of strategies) to reduce the odds of repeated complete deferred
 queue flushes.  </p>
 
 <h2><a name="credits">Credits</a></h2>
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index 20b1a562f..3824e7de2 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -149,7 +149,7 @@ their CCARGS and AUXLIBS into the above command line. </p>
 
 <h2><a name="build_sasl">Building the Cyrus SASL library</a></h2>
 
-<p> Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, 
+<p> Postfix appears to work with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, 
 which are available from: </p>
 
 <blockquote>
@@ -160,11 +160,11 @@ which are available from: </p>
 
 <p> IMPORTANT: if you install the Cyrus SASL libraries as per the
 default, you will have to symlink /usr/lib/sasl -&gt; /usr/local/lib/sasl
-for version 1.5.5 or /usr/lib/sasl2 -&gt; /usr/local/lib/sasl2 for
-version 2.1.1. </p>
+for version 1.5.x or /usr/lib/sasl2 -&gt; /usr/local/lib/sasl2 for
+version 2.1.x. </p>
 
-<p> Reportedly, Microsoft Internet Explorer version 5 requires the
-non-standard SASL LOGIN authentication method. To enable this
+<p> Reportedly, Microsoft Outlook (Express) requires the
+non-standard LOGIN authentication method. To enable this
 authentication method, specify ``./configure --enable-login''. </p>
 
 <h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2>
@@ -178,7 +178,7 @@ and that the Cyrus SASL libraries are in /usr/local/lib. </p>
 
 <dl>
 
-<dt> (for Cyrus SASL version 1.5.5):
+<dt> (for Cyrus SASL version 1.5.x):
 <dd>
 <pre>
 % make tidy # if you have left-over files from a previous build
@@ -186,7 +186,7 @@ and that the Cyrus SASL libraries are in /usr/local/lib. </p>
     -I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
 </pre>
 
-<dt> (for Cyrus SASL version 2.1.1):
+<dt> (for Cyrus SASL version 2.1.x):
 <dd>
 <pre>
 % make tidy # if you have left-over files from a previous build
@@ -201,7 +201,7 @@ otherwise ld.so will not find the SASL shared library: </p>
 
 <dl>
 
-<dt> (for Cyrus SASL version 1.5.5):
+<dt> (for Cyrus SASL version 1.5.x):
 <dd>
 <pre>
 % make tidy # if you have left-over files from a previous build
@@ -210,7 +210,7 @@ otherwise ld.so will not find the SASL shared library: </p>
     -R/usr/local/lib -lsasl"
 </pre>
 
-<dt> (for Cyrus SASL version 2.1.1):
+<dt> (for Cyrus SASL version 2.1.x):
 <dd>
 <pre>
 % make tidy # if you have left-over files from a previous build
@@ -258,8 +258,9 @@ SMTP server</a></h2>
 
 <p> Older Microsoft SMTP client software implements a non-standard
 version of the AUTH protocol syntax, and expects that the SMTP
-server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
-stuff".  To accommodate such clients (in addition to conformant
+server replies to EHLO with "250 AUTH=mechanism-list" instead of
+"250 AUTH mechanism-list".  To accommodate such clients (in addition
+to conformant
 clients) use the following: </p>
 
 <blockquote>
@@ -318,22 +319,41 @@ the Dovecot authentication server. </p>
 <h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix
 SMTP server</a></h2>
 
-<p> In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or
-/usr/local/lib/sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to
-specify how the server should validate client passwords. </p>
+<p> You need to configure how the Cyrus SASL library should
+authenticate a client's username and password. These settings must
+be stored in a separate configuration file. </p>
+
+<p> The name of the configuration file (default: smtpd.conf) will
+be constructed from a value sent by Postfix to the Cyrus SASL
+library, which adds the suffix .conf. The value is configured using
+one of the following variables: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    # Postfix 2.3 and later
+    <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> = smtpd
+    # Postfix < 2.3
+    smtpd_sasl_application_name = smtpd
+</pre>
+</blockquote>
+
+<p> Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/
+(Cyrus SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL
+version 2.1.x). </p>
 
 <p> Note: some Postfix distributions are modified and look for 
-the smtpd.conf file in /etc/postfix. </p>
+the smtpd.conf file in /etc/postfix/sasl. </p>
 
 <p> Note: some Cyrus SASL distributions look for the smtpd.conf
 file in /etc/sasl2. </p>
 
 <ul>
 
-<li> <p> To authenticate against the UNIX password database, try: </p>
+<li> <p> To authenticate against the UNIX password database, use: </p>
 
 <dl>
-<dt> (Cyrus SASL version 1.5.5)
+<dt> (Cyrus SASL version 1.5.x)
 <dd>
 <pre>
 /usr/local/lib/sasl/smtpd.conf:
@@ -341,39 +361,13 @@ file in /etc/sasl2. </p>
 
 </pre>
 
-<dt> (Cyrus SASL version 2.1.1)
-<dd>
-<pre>
-/usr/local/lib/sasl2/smtpd.conf:
-    pwcheck_method: pwcheck
-</pre>
-
-</dl>
-
-<p> The name of the file in /usr/local/lib/sasl (Cyrus SASL version
-1.5.5) or /usr/local/lib/sasl2 (Cyrus SASL version 2.1.1) used by
-the SASL
-library for configuration can be set with: </p>
-
-<blockquote>
-<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    smtpd_sasl_application_name = smtpd (Postfix &lt; 2.3)
-    <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> = smtpd (Postfix 2.3 and later)
-</pre>
-</blockquote>
+<p> IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck
+and waits for authentication requests. Postfix processes must have
+read+execute permission to this directory or authentication attempts
+will fail. </p>
 
 <p> The pwcheck daemon is contained in the cyrus-sasl source tarball. </p>
 
-<p> IMPORTANT: postfix processes need to have group read+execute
-permission for the /var/pwcheck directory, otherwise authentication
-attempts will fail. </p>
-
-<li> <p> Alternately, in Cyrus SASL 1.5.26 and later (including
-2.1.1), try: </p>
-
-<dl>
-
 <dt> (Cyrus SASL version 1.5.26)
 <dd>
 <pre>
@@ -381,11 +375,12 @@ attempts will fail. </p>
     pwcheck_method: saslauthd
 </pre>
 
-<dt> (Cyrus SASL version 2.1.1)
+<dt> (Cyrus SASL version 2.1.x)
 <dd>
 <pre>
 /usr/local/lib/sasl2/smtpd.conf:
     pwcheck_method: saslauthd
+    mech_list: PLAIN LOGIN
 </pre>
 
 </dl>
@@ -395,27 +390,38 @@ tarball.  It is more flexible than the pwcheck daemon, in that it
 can authenticate against PAM and various other sources. To use PAM,
 start saslauthd with "-a pam". </p>
 
+<p> IMPORTANT: saslauthd usually establishes a UNIX domain socket
+in /var/run/saslauthd and waits for authentication requests. Postfix
+processes must have read+execute permission to this directory or
+authentication attempts will fail. </p>
+
+<p> Note: The directory where saslauthd puts the socket is configurable.
+See the command-line option "-m /path/to/socket" in the saslauthd
+--help listing. </p>
+
 <li> <p> To authenticate against Cyrus SASL's own password database: </p>
 
 <dl>
-<dt> (Cyrus SASL version 1.5.5)
+<dt> (Cyrus SASL version 1.5.x)
 <dd>
 <pre>
 /usr/local/lib/sasl/smtpd.conf:
-    pwcheck_method:  sasldb
+    pwcheck_method: sasldb
 </pre>
 
-<dt> (Cyrus SASL version 2.1.1)
+<dt> (Cyrus SASL version 2.1.x)
 <dd>
 <pre>
 /usr/local/lib/sasl2/smtpd.conf:
-    pwcheck_method:  auxprop
+    pwcheck_method: auxprop
+    auxprop_plugin: sasldb
+    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 </pre>
 
 </dl>
 
 <p> This will use the Cyrus SASL password file (default: /etc/sasldb in
-version 1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained
+version 1.5.x, or /etc/sasldb2 in version 2.1.x), which is maintained
 with the saslpasswd or saslpasswd2 command (part of the Cyrus SASL
 software). On some poorly-supported systems the saslpasswd command needs
 to be run multiple times before it stops complaining.  The Postfix SMTP
@@ -430,13 +436,13 @@ domain (realm) to a fully qualified domain name. </p>
 <p> EXAMPLE: </p>
 
 <dl>
-<dt> (Cyrus SASL version 1.5.5)
+<dt> (Cyrus SASL version 1.5.x)
 <dd>
 <pre>
 % saslpasswd -c -u `postconf -h <a href="postconf.5.html#myhostname">myhostname</a>` exampleuser
 </pre>
 
-<dt> (Cyrus SASL version 2.1.1)
+<dt> (Cyrus SASL version 2.1.x)
 <dd>
 <pre>
 % saslpasswd2 -c -u `postconf -h <a href="postconf.5.html#myhostname">myhostname</a>` exampleuser
@@ -445,8 +451,8 @@ domain (realm) to a fully qualified domain name. </p>
 </dl>
 
 <p> You can find out SASL's idea about the realms of the users
-in sasldb with <i>sasldblistusers</i> (Cyrus SASL version 1.5.5) or
-<i>sasldblistusers2</i> (Cyrus SASL version 2.1.1). </p>
+in sasldb with <i>sasldblistusers</i> (Cyrus SASL version 1.5.x) or
+<i>sasldblistusers2</i> (Cyrus SASL version 2.1.x). </p>
 
 <p> On the Postfix side, you can have only one realm per smtpd
 instance, and only the users belonging to that realm would be able to
@@ -462,18 +468,14 @@ realm used by smtpd: </p>
 
 </ul>
 
-<p> IMPORTANT: all users must be able to authenticate using ALL
-authentication mechanisms advertised by Postfix, otherwise the
-negotiation might end up with an unsupported mechanism, and
-authentication would fail.  For example if you configure SASL to
-use <i>saslauthd</i> for authentication against PAM (pluggable
-authentication modules), only the PLAIN and LOGIN mechanisms are
-supported and stand a chance to succeed, yet the SASL library would also
-advertise other mechanisms, such as DIGEST-MD5.  This happens because
-those mechanisms are made available by other plugins, and the SASL
-library have no way to know that your only valid authentication source
-is PAM.  Thus you might need to limit the list of mechanisms advertised
-by Postfix. </p>
+<p> IMPORTANT: The Cyrus SASL password verification services pwcheck
+and saslauthd can only support the plaintext mechanisms PLAIN or
+LOGIN.  However, the Cyrus SASL library doesn't know this, and will
+happily advertise other authentication mechanisms that the SASL
+library implements, such as DIGEST-MD5. As a result, if an SMTP
+client chooses any mechanism other than PLAIN or LOGIN while pwcheck
+or saslauthd are used, authentication will fail. Thus you may need
+to limit the list of mechanisms advertised by Postfix. </p>
 
 <ul> 
 
@@ -481,7 +483,9 @@ by Postfix. </p>
 library files from the SASL plug-in directory (and again whenever
 the system is updated). </p>
 
-<li> <p> With Cyrus SASL version 2.1.1 or later: </p>
+<li> <p> With Cyrus SASL version 2.1.x or later the mech_list variable
+can specify a list of authentication mechanisms that Cyrus SASL may
+offer: </p>
 
 <blockquote>
 <pre>
@@ -497,17 +501,17 @@ used for authentication. </p>
 
 <ul>
 
-<li> <p> With Cyrus SASL version 1.5.5 your only choice is to
+<li> <p> With Cyrus SASL version 1.5.x your only choice is to
 delete the corresponding library files from the SASL plug-in 
 directory. </p>
 
-<li> <p> With SASL version 2.1.1: </p>
+<li> <p> With SASL version 2.1.x: </p>
 
 <blockquote>
 <pre>
 /usr/local/lib/sasl2/smtpd.conf:
-    pwcheck_method:  auxprop
-    auxprop_plugin:  sql
+    pwcheck_method: auxprop
+    auxprop_plugin: sql
 </pre>
 </blockquote>
 
@@ -570,8 +574,10 @@ to recover from the base64-encoded form. </p>
 <h2><a name="debugging">Trouble shooting the SASL internals</a></h2>
 
 <p> In the Cyrus SASL sources you'll find a subdirectory named
-"sample".  Run make there, "su" to the user <i>postfix</i> (or
-whatever your <i><a href="postconf.5.html#mail_owner">mail_owner</a></i> directive is set to):
+"sample".  Run make there, then create a symbolic link from sample.conf
+to smtpd.conf in your Cyrus SASL library directory /usr/local/lib/sasl2.
+"su" to the user <i>postfix</i> (or whatever your <i><a href="postconf.5.html#mail_owner">mail_owner</a></i>
+directive is set to): </p>
 
 <blockquote>
 <pre>
@@ -580,10 +586,11 @@ whatever your <i><a href="postconf.5.html#mail_owner">mail_owner</a></i> directi
 </blockquote>
 
 <p> then run the resulting sample server and client in separate
-terminals.  Strace / ktrace / truss the server to see what makes
-it unhappy, and fix the problem.  Repeat the previous step until
-you can successfully authenticate with the sample client.  Only
-then get back to Postfix. </p>
+terminals.  The sample applications send log messages to the syslog
+facility auth.  Check the log to fix the problem or run strace /
+ktrace / truss on the server to see what makes it unhappy. Repeat
+the previous step until you can successfully authenticate with the
+sample client. Only then get back to Postfix. </p>
 
 <h2><a name="client_sasl">Enabling SASL authentication in the
 Postfix SMTP client</a></h2>
@@ -612,6 +619,12 @@ table. </p>
 </pre>
 </blockquote>
 
+<p> The Postfix SASL client password file is opened before the SMTP
+server enters the optional chroot jail, so you can keep the file
+in /etc/postfix and set permissions read / write only for root to
+keep the username:password combinations away from other system
+users. </p>
+
 <p> Postfix version 2.3 supports-per-sender SASL password
 information. To search the Postfix SASL password by sender 
 before it searches by destination, specify: </p>
@@ -645,10 +658,6 @@ for example: </p>
 </pre>
 </blockquote>
 
-<p> The Postfix SASL client password file is opened before the SMTP server
-enters the optional chroot jail, so you can keep the file in
-/etc/postfix. </p>
-
 <p> Note: Some SMTP servers support authentication mechanisms that,
 although available on the client system, may not in practice work or
 possess the appropriate credentials to authenticate to the server. It
@@ -664,7 +673,7 @@ into consideration:  </p>
 </blockquote>
 
 <p> In the above example, Postfix will decline to use mechanisms
-that require special infrastructure such as Kerberos. </p>
+that require special infrastructure such as Kerberos or TLS. </p>
 
 <p> The Postfix SMTP client is backwards compatible with SMTP
 servers that use the non-standard "AUTH=method..." syntax in response
@@ -694,6 +703,9 @@ smtpd_sasl_application_name into <a href="postconf.5.html#smtpd_sasl_path">smtpd
 <li> The Dovecot SMTP server-only plug-in was originally implemented by
 Timo Sirainen of Procontrol, Finland.
 
+<li> Patrick Ben Koetter revised this document for Postfix 2.4 and
+made much needed updates.
+
 </ul>
 
 </body>
diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html
index 76f4cd8e6..0e0a21c45 100644
--- a/postfix/html/SMTPD_POLICY_README.html
+++ b/postfix/html/SMTPD_POLICY_README.html
@@ -26,11 +26,12 @@ that runs outside Postfix. </p>
 
 <p> With this policy delegation mechanism, a simple <a href="#greylist">
 greylist </a> policy can be implemented with only a dozen lines of
-Perl, as is shown at the end of this document. Another example of
-policy delegation is the SPF policy server by Meng Wong at
-<a href="http://spf.pobox.com/">http://spf.pobox.com/</a>.  Examples of both policies can be found in
-the Postfix source code, in the directory examples/smtpd-policy.
-</p>
+Perl, as is shown at the end of this document. A complete example
+can be found in the Postfix source code, in the directory
+examples/smtpd-policy. </p>
+
+<p> Another example of policy delegation is the SPF policy server
+at <a href="http://www.openspf.org/Software">http://www.openspf.org/Software</a>.  </p>
 
 <p> Policy delegation is now the preferred method for adding policies
 to Postfix. It's much easier to develop a new feature in few lines
diff --git a/postfix/html/TLS_LEGACY_README.html b/postfix/html/TLS_LEGACY_README.html
index 634c3828b..d9862b104 100644
--- a/postfix/html/TLS_LEGACY_README.html
+++ b/postfix/html/TLS_LEGACY_README.html
@@ -829,7 +829,7 @@ is correctly configured to supply its intermediate CA certificate). </p>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> = /etc/postfix/client-dsa.pem
-    <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>
+    <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>
 </pre>  
 </blockquote>
 
@@ -857,7 +857,7 @@ privileges) from the files in the directory when the information
 is needed. Thus, the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory needs to be accessible
 inside the optional chroot jail.  </p>
 
-<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> is
+<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> is
 a space/time tradeoff. If there are many trusted CAs, the cost of
 preloading them all into memory may not pay off in reduced access time
 when the certificate is needed.  </p>
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index 4ad918612..aea6c7c42 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -969,7 +969,7 @@ is correctly configured to supply its intermediate CA certificate). </p>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> = /etc/postfix/client-dsa.pem
-    <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>
+    <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>
 </pre>  
 </blockquote>
 
@@ -997,7 +997,7 @@ privileges) from the files in the directory when the information
 is needed. Thus, the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory needs to be accessible
 inside the optional chroot jail.  </p>
 
-<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> is
+<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> is
 a space/time tradeoff. If there are many trusted CAs, the cost of
 preloading them all into memory may not pay off in reduced access time
 when the certificate is needed.  </p>
diff --git a/postfix/html/TUNING_README.html b/postfix/html/TUNING_README.html
index cf7e2a3ea..6a837a4dc 100644
--- a/postfix/html/TUNING_README.html
+++ b/postfix/html/TUNING_README.html
@@ -134,7 +134,7 @@ file contains bad information, or some packet filter is blocking
 the DNS requests or replies.  </p>
 
 <li> <p> If the number of <a href="smtpd.8.html">smtpd(8)</a> processes has reached the process
-limit as specified in master.cf, new SMTP clients must wait until
+limit as specified in <a href="master.5.html">master.cf</a>, new SMTP clients must wait until
 a process becomes available.  Increase the number of processes if
 memory permits. See the instructions given under "<a
 href="#proc_limit">Tuning the number of Postfix processes</a>".
@@ -159,7 +159,7 @@ by turning off the delay: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     # Not needed with Postfix 2.1
     <a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> = 0
 </pre>
@@ -224,7 +224,8 @@ seconds or $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_t
 
 <h2><a name="conn_limit">Measures against clients that make too many connections</a></h2>
 
-<p> Note: this feature is not included with Postfix version 2.1. </p>
+<p> Note: the <a href="anvil.8.html">anvil(8)</a> service was introduced with Postfix version
+2.2. </p>
 
 <p> The Postfix <a href="smtpd.8.html">smtpd(8)</a> server can limit the number of simultaneous
 connections from the same SMTP client, as well as the number of
@@ -342,7 +343,7 @@ channel. </p>
 <li> <p> The <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a> parameter (default:
 20) controls how many messages may be sent to the same destination
 simultaneously. You can override this setting for specific message
-delivery transports by taking the name of the master.cf entry
+delivery transports by taking the name of the <a href="master.5.html">master.cf</a> entry
 and appending "_destination_concurrency_limit". </p>
 
 </ul>
@@ -404,8 +405,8 @@ as 5s or even 1s can be used to prevent congestion when one or
 more, but not all MX hosts are down. </p>
 
 <p> If necessary, set a higher transport_destination_concurrency_limit
-(in main.cf since this is a queue manager parameter) and a lower
-smtp_connection_timeout (with a "-o" override in master.cf since
+(in <a href="postconf.5.html">main.cf</a> since this is a queue manager parameter) and a lower
+smtp_connection_timeout (with a "-o" override in <a href="master.5.html">master.cf</a> since
 this parameter has no per-transport name) for the relay transport
 and any transports dedicated for specific high volume destinations.
 </p>
@@ -530,30 +531,30 @@ smtp server processes, and so on.  This may overwhelm systems with
 little memory, as well as networks with low bandwidth.  </p>
 
 <p> You can change the global process limit by specifying a
-non-default <a href="postconf.5.html#default_process_limit">default_process_limit</a> in the main.cf file. For example,
+non-default <a href="postconf.5.html#default_process_limit">default_process_limit</a> in the <a href="postconf.5.html">main.cf</a> file. For example,
 to run up to 10 smtp client processes, 10 smtp server processes,
 and so on: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#default_process_limit">default_process_limit</a> = 10
 </pre>
 </blockquote>
 
 <p> You need to execute "postfix reload" to make the change effective.
 The limits are enforced by the Postfix <a href="master.8.html">master(8)</a> daemon which does
-not automatically read main.cf when it changes. </p>
+not automatically read <a href="postconf.5.html">main.cf</a> when it changes. </p>
 
 <p> You can override the process limit for specific Postfix daemons
-by editing the master.cf file.  For example, if you do not wish to
+by editing the <a href="master.5.html">master.cf</a> file.  For example, if you do not wish to
 receive 100 SMTP messages at the same time, but do not want to
 change the process limits for local mail deliveries, you could
 specify: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
     # ====================================================================
     # service type  private unpriv  chroot  wakeup  maxproc command + args
     #               (yes)   (yes)   (yes)   (never) (100)
diff --git a/postfix/html/VIRTUAL_README.html b/postfix/html/VIRTUAL_README.html
index 81bf4d90a..6b0d3abc0 100644
--- a/postfix/html/VIRTUAL_README.html
+++ b/postfix/html/VIRTUAL_README.html
@@ -129,7 +129,7 @@ being hosted on the local Postfix machine. </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost.$<a href="postconf.5.html#mydomain">mydomain</a> ... example.com
 </pre>
 </blockquote>
@@ -163,11 +163,11 @@ below shows how to use this mechanism for the example.com domain.
 
 <blockquote>
 <pre>
- 1 /etc/postfix/main.cf:
+ 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
  2     <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> = example.com ...other <a href="VIRTUAL_README.html#canonical">hosted domains</a>...
  3     <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
  4 
- 5 /etc/postfix/virtual:
+ 5 /etc/postfix/<a href="virtual.8.html">virtual</a>:
  6     postmaster@example.com postmaster
  7     info@example.com       joe
  8     sales@example.com      jane
@@ -210,7 +210,7 @@ for spam messages that were sent in the name of anything@example.com.
 
 <p>Execute the command "<b>postmap /etc/postfix/virtual</b>" after
 changing the virtual file, and execute the command "<b>postfix
-reload</b>" after changing the main.cf file. </p>
+reload</b>" after changing the <a href="postconf.5.html">main.cf</a> file. </p>
 
 <p> Note: virtual aliases can resolve to a local address or to a
 remote address, or both.  They don't have to resolve to UNIX system
@@ -255,7 +255,7 @@ section at the top of this document.</p>
 
 <blockquote>
 <pre>
- 1 /etc/postfix/main.cf:
+ 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
  2     <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> = example.com ...more domains...
  3     <a href="postconf.5.html#virtual_mailbox_base">virtual_mailbox_base</a> = /var/mail/vhosts
  4     <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> = hash:/etc/postfix/vmailbox
@@ -271,7 +271,7 @@ section at the top of this document.</p>
 14     # @example.com      example.com/catchall
 15     ...virtual mailboxes for more domains...
 16 
-17 /etc/postfix/virtual:
+17 /etc/postfix/<a href="virtual.8.html">virtual</a>:
 18     postmaster@example.com postmaster
 </pre>
 </blockquote>
@@ -329,7 +329,7 @@ mail for example.com's postmaster address to the local postmaster.
 You can use the same mechanism to redirect an address to a remote
 address.  </p>
 
-<li> <p> Line 18: This example assumes that in main.cf, $<a href="postconf.5.html#myorigin">myorigin</a>
+<li> <p> Line 18: This example assumes that in <a href="postconf.5.html">main.cf</a>, $<a href="postconf.5.html#myorigin">myorigin</a>
 is listed under the <a href="postconf.5.html#mydestination">mydestination</a> parameter setting.  If that is
 not the case, specify an explicit domain name on the right-hand
 side of the virtual alias table entries or else mail will go to
@@ -340,7 +340,7 @@ the wrong domain. </p>
 <p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
 changing the virtual file, execute "<b>postmap /etc/postfix/vmailbox</b>"
 after changing the vmailbox file, and execute the command "<b>postfix
-reload</b>" after changing the main.cf file. </p>
+reload</b>" after changing the <a href="postconf.5.html">main.cf</a> file. </p>
 
 <p> Note: mail delivery happens with the recipient's UID/GID
 privileges specified with <a href="postconf.5.html#virtual_uid_maps">virtual_uid_maps</a> and <a href="postconf.5.html#virtual_gid_maps">virtual_gid_maps</a>.
@@ -375,7 +375,7 @@ to a non-Postfix delivery agent: </p>
 
 <blockquote>
 <pre>
- 1 /etc/postfix/main.cf:
+ 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
  2     <a href="postconf.5.html#virtual_transport">virtual_transport</a> = ...see below...
  3     <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> = example.com ...more domains...
  4     <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> = hash:/etc/postfix/vmailbox
@@ -389,7 +389,7 @@ to a non-Postfix delivery agent: </p>
 12     # @example.com      whatever
 13     ...virtual mailboxes for more domains...
 14 
-15 /etc/postfix/virtual:
+15 /etc/postfix/<a href="virtual.8.html">virtual</a>:
 16     postmaster@example.com postmaster
 </pre>
 </blockquote>
@@ -400,7 +400,7 @@ to a non-Postfix delivery agent: </p>
 
 <li> <p> Line 2: With delivery to a non-Postfix mailbox store for
 <a href="VIRTUAL_README.html#canonical">hosted domains</a>, the <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter usually specifies
-the Postfix LMTP client, or the name of a master.cf entry that
+the Postfix LMTP client, or the name of a <a href="master.5.html">master.cf</a> entry that
 executes non-Postfix software via the pipe delivery agent.  Typical
 examples (use only one): </p>
 
@@ -414,7 +414,7 @@ examples (use only one): </p>
 
 <p> Postfix comes ready with support for LMTP.  And an example
 maildrop delivery method is already defined in the default Postfix
-master.cf file. See the <a href="MAILDROP_README.html">MAILDROP_README</a> document for more details.
+<a href="master.5.html">master.cf</a> file. See the <a href="MAILDROP_README.html">MAILDROP_README</a> document for more details.
 </p>
 
 <li> <p> Line 3: The <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> setting tells Postfix
@@ -432,9 +432,13 @@ domain!  </p>
 
 <li> <p> Lines 4, 7-13: The <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> parameter specifies
 the lookup table with all valid recipient addresses. The lookup
-result is ignored by Postfix.  In the above example, info@example.com
-and sales@example.com are listed as valid addresses, and mail for
-anything else is rejected with "User unknown". If you intend to
+result value is ignored by Postfix.  In the above example,
+info@example.com
+and sales@example.com are listed as valid addresses; other mail for
+example.com is rejected with "User unknown" by the Postfix SMTP
+server. It's left up to the non-Postfix delivery agent to reject
+non-existent recipients from local submission or from local alias
+expansion.  If you intend to
 use LDAP, MySQL or PgSQL instead of local files, be sure to review
 the <a href="#local_vs_database"> "local files versus databases"</a>
 section at the top of this document! </p>
@@ -456,7 +460,7 @@ redirect mail for example.com's postmaster address to the local
 postmaster. You can use the same mechanism to redirect any addresses
 to a local or remote address.  </p>
 
-<li> <p> Line 16: This example assumes that in main.cf, $<a href="postconf.5.html#myorigin">myorigin</a>
+<li> <p> Line 16: This example assumes that in <a href="postconf.5.html">main.cf</a>, $<a href="postconf.5.html#myorigin">myorigin</a>
 is listed under the <a href="postconf.5.html#mydestination">mydestination</a> parameter setting.  If that is
 not the case, specify an explicit domain name on the right-hand
 side of the virtual alias table entries or else mail will go to
@@ -467,7 +471,7 @@ the wrong domain. </p>
 <p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
 changing the virtual file, execute "<b>postmap /etc/postfix/vmailbox</b>"
 after changing the vmailbox file, and execute the command "<b>postfix
-reload</b>" after changing the main.cf file. </p>
+reload</b>" after changing the <a href="postconf.5.html">main.cf</a> file. </p>
 
 <h2><a name="forwarding">Mail forwarding domains</a></h2>
 
@@ -478,11 +482,11 @@ as a mail forwarding domain: </p>
 
 <blockquote>
 <pre>
- 1 /etc/postfix/main.cf:
+ 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
  2     <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> = example.com ...other <a href="VIRTUAL_README.html#canonical">hosted domains</a>...
  3     <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
  4 
- 5 /etc/postfix/virtual:
+ 5 /etc/postfix/<a href="virtual.8.html">virtual</a>:
  6     postmaster@example.com postmaster
  7     joe@example.com        joe@somewhere
  8     jane@example.com       jane@somewhere-else
@@ -526,7 +530,7 @@ for spam messages that were sent in the name of anything@example.com.
 
 <p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
 changing the virtual file, and execute the command "<b>postfix
-reload</b>" after changing the main.cf file. </p>
+reload</b>" after changing the <a href="postconf.5.html">main.cf</a> file. </p>
 
 <p> More details about the virtual alias file are given in the
 <a href="virtual.5.html">virtual(5)</a> manual page, including multiple addresses on the right-hand
@@ -546,10 +550,10 @@ virtual addresses to the local delivery agent: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
 
-/etc/postfix/virtual:
+/etc/postfix/<a href="virtual.8.html">virtual</a>:
     listname-request@example.com listname-request
     listname@example.com         listname
     owner-listname@example.com   owner-listname
@@ -561,7 +565,7 @@ virtual addresses to the local delivery agent: </p>
 </pre>
 </blockquote>
 
-<p> This example assumes that in main.cf, $<a href="postconf.5.html#myorigin">myorigin</a> is listed under
+<p> This example assumes that in <a href="postconf.5.html">main.cf</a>, $<a href="postconf.5.html#myorigin">myorigin</a> is listed under
 the <a href="postconf.5.html#mydestination">mydestination</a> parameter setting.  If that is not the case,
 specify an explicit domain name on the right-hand side of the
 virtual alias table entries or else mail will go to the wrong
@@ -594,10 +598,10 @@ table: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
 
-/etc/postfix/virtual:
+/etc/postfix/<a href="virtual.8.html">virtual</a>:
     user@domain.tld user@domain.tld, user@domain.tld@autoreply.<a href="postconf.5.html#mydomain">mydomain</a>.tld
 </pre>
 </blockquote>
@@ -613,13 +617,13 @@ reply back to the sender. </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
 
 /etc/postfix/transport:
     autoreply.<a href="postconf.5.html#mydomain">mydomain</a>.tld  autoreply:
 
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
     # =============================================================
     # service type  private unpriv  chroot  wakeup  maxproc command
     #               (yes)   (yes)   (yes)   (never) (100)
@@ -633,7 +637,7 @@ reply back to the sender. </p>
 the user@domain.tld recipient address on the command line. </p>
 
 <p> For more information, see the <a href="pipe.8.html">pipe(8)</a> manual page, and the
-comments in the Postfix master.cf file. </p>
+comments in the Postfix <a href="master.5.html">master.cf</a> file. </p>
 
 </body>
 
diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html
index 1500b784a..f4ccec1f9 100644
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@@ -7,7 +7,7 @@
 ACCESS(5)                                                            ACCESS(5)
 
 <b>NAME</b>
-       access - Postfix access table format
+       access - Postfix SMTP server access table
 
 <b>SYNOPSIS</b>
        <b>postmap /etc/postfix/access</b>
@@ -17,20 +17,18 @@ ACCESS(5)                                                            ACCESS(5)
        <b>postmap -q - /etc/postfix/access</b> &lt;<i>inputfile</i>
 
 <b>DESCRIPTION</b>
-       The  optional  <a href="access.5.html"><b>access</b>(5)</a>  table  directs  the Postfix SMTP
-       server to selectively reject or accept mail. Access can be
-       allowed  or  denied for specific host names, domain names,
-       networks, host addresses or mail addresses.
-
-       For an example, see the EXAMPLE section at the end of this
-       manual page.
+       The  Postfix SMTP server supports access control on remote
+       SMTP client information: host  names,  network  addresses,
+       and   envelope   sender   or   recipient  addresses.   See
+       <b><a href="postconf.5.html#header_checks">header_checks</a></b>(5) or <b><a href="postconf.5.html#body_checks">body_checks</a></b>(5) for access  control  on
+       the content of email messages.
 
        Normally,  the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file
        that serves as  input  to  the  <a href="postmap.1.html"><b>postmap</b>(1)</a>  command.   The
        result,  an  indexed file in <b>dbm</b> or <b>db</b> format, is used for
        fast searching by the mail  system.  Execute  the  command
-       "<b>postmap  /etc/postfix/access</b>"  in  order  to  rebuild the
-       indexed file after changing the access table.
+       "<b>postmap  /etc/postfix/access</b>"  to rebuild an indexed file
+       after changing the corresponding text file.
 
        When the table is provided via other means  such  as  NIS,
        LDAP  or  SQL,  the  same lookups are done as for ordinary
@@ -39,9 +37,9 @@ ACCESS(5)                                                            ACCESS(5)
        Alternatively, the table can be  provided  as  a  regular-
        expression map where patterns are given as regular expres-
        sions, or lookups can be directed to TCP-based server.  In
-       that  case,  the  lookups are done in a slightly different
+       those  cases, the lookups are done in a slightly different
        way as described below under "REGULAR  EXPRESSION  TABLES"
-       and "TCP-BASED TABLES".
+       or "TCP-BASED TABLES".
 
 <b>CASE FOLDING</b>
        The  search  string is folded to lowercase before database
@@ -205,18 +203,19 @@ ACCESS(5)                                                            ACCESS(5)
 
        <b>DEFER_IF_REJECT</b> <i>optional text...</i>
               Defer  the  request if some later restriction would
-              result in a REJECT action. Reply with "<b>450</b> <i>optional</i>
-              <i>text...</i> when the optional text is specified, other-
-              wise reply with a generic error response message.
+              result in a REJECT action. Reply  with  "<b>450  4.7.1</b>
+              <i>optional  text...</i>  when the optional text is speci-
+              fied, otherwise reply with a generic error response
+              message.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>DEFER_IF_PERMIT</b> <i>optional text...</i>
-              Defer  the  request if some later restriction would
-              result in a an explicit or implicit PERMIT  action.
-              Reply  with "<b>450</b> <i>optional text...</i> when the optional
-              text is specified, otherwise reply with  a  generic
-              error response message.
+              Defer the request if some later  restriction  would
+              result  in a an explicit or implicit PERMIT action.
+              Reply with "<b>450 4.7.1</b>  <i>optional  text...</i>  when  the
+              optional  text is specified, otherwise reply with a
+              generic error response message.
 
               This feature is available in Postfix 2.1 and later.
 
@@ -226,53 +225,54 @@ ACCESS(5)                                                            ACCESS(5)
               <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a></b>, and so on).
 
        <b>DISCARD</b> <i>optional text...</i>
-              Claim  successful delivery and silently discard the
-              message.  Log the optional text if specified,  oth-
+              Claim successful delivery and silently discard  the
+              message.   Log the optional text if specified, oth-
               erwise log a generic message.
 
-              Note:  this action currently affects all recipients
-              of the message.   To  discard  only  one  recipient
-              without  discarding  the  entire  message,  use the
+              Note: this action currently affects all  recipients
+              of  the  message.   To  discard  only one recipient
+              without discarding  the  entire  message,  use  the
               <a href="transport.5.html">transport(5)</a> table to direct mail to the <a href="discard.8.html">discard(8)</a>
               service.
 
               This feature is available in Postfix 2.0 and later.
 
-       <b>DUNNO</b>  Pretend that the lookup key  was  not  found.  This
-              prevents  Postfix  from  trying  substrings  of the
-              lookup key (such as a subdomain name, or a  network
+       <b>DUNNO</b>  Pretend  that  the  lookup  key was not found. This
+              prevents Postfix  from  trying  substrings  of  the
+              lookup  key (such as a subdomain name, or a network
               address subnetwork).
 
               This feature is available in Postfix 2.0 and later.
 
        <b>FILTER</b> <i>transport:destination</i>
-              After the message is queued, send the  entire  mes-
+              After  the  message is queued, send the entire mes-
               sage through the specified external content filter.
-              The <i>transport:destination</i> syntax  is  described  in
-              the  <a href="transport.5.html"><b>transport</b>(5)</a>  manual  page.   More information
-              about external content filters is  in  the  Postfix
+              The  <i>transport:destination</i>  syntax  is described in
+              the <a href="transport.5.html"><b>transport</b>(5)</a>  manual  page.   More  information
+              about  external  content  filters is in the Postfix
               <a href="FILTER_README.html">FILTER_README</a> file.
 
-              Note:   this  action  overrides  the  <a href="postconf.5.html"><b>main.cf</a>  <a href="postconf.5.html#content_filter">con</a>-</b>
+              Note:  this  action  overrides  the  <a href="postconf.5.html"><b>main.cf</a>   <a href="postconf.5.html#content_filter">con</a>-</b>
               <b><a href="postconf.5.html#content_filter">tent_filter</a></b>  setting,  and  currently  affects  all
               recipients of the message.
 
               This feature is available in Postfix 2.0 and later.
 
        <b>HOLD</b> <i>optional text...</i>
-              Place the message on the <b>hold</b> queue, where it  will
-              sit  until someone either deletes it or releases it
-              for delivery.  Log the optional text if  specified,
+              Place  the message on the <b>hold</b> queue, where it will
+              sit until someone either deletes it or releases  it
+              for  delivery.  Log the optional text if specified,
               otherwise log a generic message.
 
-              Mail  that  is  placed on hold can be examined with
-              the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and  can  be  destroyed  or
+              Mail that is placed on hold can  be  examined  with
+              the  <a href="postcat.1.html"><b>postcat</b>(1)</a>  command,  and  can be destroyed or
               released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> command.
 
-              Note:  use  "<b>postsuper -r</b>" to release mail that was
-              kept on hold for a significant fraction  of  <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
+              Note: use "<b>postsuper -r</b>" to release mail  that  was
+              kept  on  hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
               <b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b>  or  <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>,  or
-              longer.
+              longer.  Use "<b>postsuper -H</b>" only for mail that will
+              not expire within a few delivery attempts.
 
               Note: this action currently affects all  recipients
               of the message.
@@ -281,105 +281,102 @@ ACCESS(5)                                                            ACCESS(5)
 
        <b>PREPEND</b> <i>headername: headervalue</i>
               Prepend the specified message header  to  the  mes-
-              sage.  When this action is used multiple times, the
-              first prepended header appears  before  the  second
-              etc. prepended header.
-
-              Note:  this action does not support multi-line mes-
-              sage headers.
+              sage.   When more than one PREPEND action executes,
+              the first prepended header appears before the  sec-
+              ond etc. prepended header.
 
-              Note: this action must be used before  the  message
-              content   is   received;   it  cannot  be  used  in
-              <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
+              Note:  this  action must execute before the message
+              content is received; it cannot execute in the  con-
+              text of <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>REDIRECT</b> <i>user@domain</i>
-              After  the  message  is queued, send the message to
+              After the message is queued, send  the  message  to
               the  specified  address  instead  of  the  intended
               recipient(s).
 
-              Note:  this action overrides the FILTER action, and
+              Note: this action overrides the FILTER action,  and
               currently affects all recipients of the message.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>WARN</b> <i>optional text...</i>
               Log a warning with the optional text, together with
-              client information and  if  available,  with  helo,
+              client  information  and  if  available, with helo,
               sender, recipient and protocol information.
 
               This feature is available in Postfix 2.1 and later.
 
 <b>ENHANCED STATUS CODES</b>
-       Postfix version 2.3  and  later  support  enhanced  status
-       codes  as  defined  in  <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>.  When an enhanced status
-       code is specified in an access table,  it  is  subject  to
-       modification.  The  following  transformations  are needed
-       when the same access  table  is  used  for  client,  helo,
-       sender,  or  recipient  access  restrictions;  they happen
+       Postfix  version  2.3  and  later  support enhanced status
+       codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>.   When  an  enhanced  status
+       code  is  specified  in  an access table, it is subject to
+       modification. The  following  transformations  are  needed
+       when  the  same  access  table  is  used for client, helo,
+       sender, or  recipient  access  restrictions;  they  happen
        regardless of whether Postfix replies to a MAIL FROM, RCPT
        TO or other SMTP command.
 
-       <b>o</b>      When  a sender address matches a REJECT action, the
-              Postfix SMTP server will transform a recipient  DSN
-              status  (e.g.,  4.1.1-4.1.6) into the corresponding
+       <b>o</b>      When a sender address matches a REJECT action,  the
+              Postfix  SMTP server will transform a recipient DSN
+              status (e.g., 4.1.1-4.1.6) into  the  corresponding
               sender DSN status, and vice versa.
 
-       <b>o</b>      When  non-address  information  matches  a   REJECT
-              action  (such  as  the HELO command argument or the
-              client hostname/address), the Postfix  SMTP  server
-              will  transform  a  sender  or recipient DSN status
-              into  a  generic  non-address  DSN  status   (e.g.,
+       <b>o</b>      When   non-address  information  matches  a  REJECT
+              action (such as the HELO command  argument  or  the
+              client  hostname/address),  the Postfix SMTP server
+              will transform a sender  or  recipient  DSN  status
+              into   a  generic  non-address  DSN  status  (e.g.,
               4.0.0).
 
 <b>REGULAR EXPRESSION TABLES</b>
-       This  section  describes how the table lookups change when
+       This section describes how the table lookups  change  when
        the table is given in the form of regular expressions. For
-       a  description  of regular expression lookup table syntax,
+       a description of regular expression lookup  table  syntax,
        see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
 
-       Each pattern is a regular expression that  is  applied  to
+       Each  pattern  is  a regular expression that is applied to
        the entire string being looked up. Depending on the appli-
-       cation, that string  is  an  entire  client  hostname,  an
+       cation,  that  string  is  an  entire  client hostname, an
        entire client IP address, or an entire mail address. Thus,
        no  parent  domain  or  parent  network  search  is  done,
-       <i>user@domain</i>  mail  addresses  are not broken up into their
+       <i>user@domain</i> mail addresses are not broken  up  into  their
        <i>user@</i> and <i>domain</i> constituent parts, nor is <i>user+foo</i> broken
        up into <i>user</i> and <i>foo</i>.
 
-       Patterns  are applied in the order as specified in the ta-
-       ble, until a pattern is  found  that  matches  the  search
+       Patterns are applied in the order as specified in the  ta-
+       ble,  until  a  pattern  is  found that matches the search
        string.
 
-       Actions  are  the  same as with indexed file lookups, with
-       the additional feature that parenthesized substrings  from
+       Actions are the same as with indexed  file  lookups,  with
+       the  additional feature that parenthesized substrings from
        the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
 
 <b>TCP-BASED TABLES</b>
-       This  section  describes how the table lookups change when
+       This section describes how the table lookups  change  when
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.3.
+       Postfix version 2.4.
 
-       Each  lookup  operation uses the entire query string once.
-       Depending on the application, that  string  is  an  entire
+       Each lookup operation uses the entire query  string  once.
+       Depending  on  the  application,  that string is an entire
        client hostname, an entire client IP address, or an entire
-       mail address.  Thus, no parent domain  or  parent  network
-       search  is done, <i>user@domain</i> mail addresses are not broken
-       up into their <i>user@</i> and <i>domain</i> constituent parts,  nor  is
+       mail  address.   Thus,  no parent domain or parent network
+       search is done, <i>user@domain</i> mail addresses are not  broken
+       up  into  their <i>user@</i> and <i>domain</i> constituent parts, nor is
        <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
 
        Actions are the same as with indexed file lookups.
 
 <b>EXAMPLE</b>
-       The  following  example  uses an indexed file, so that the
-       order of table entries does not matter. The  example  per-
-       mits  access  by the client at address 1.2.3.4 but rejects
-       all other clients in 1.2.3.0/24. Instead  of  <b>hash</b>  lookup
-       tables,  some  systems use <b>dbm</b>.  Use the command "<b>postconf</b>
-       <b>-m</b>" to find out what lookup  tables  Postfix  supports  on
+       The following example uses an indexed file,  so  that  the
+       order  of  table entries does not matter. The example per-
+       mits access by the client at address 1.2.3.4  but  rejects
+       all  other  clients  in 1.2.3.0/24. Instead of <b>hash</b> lookup
+       tables, some systems use <b>dbm</b>.  Use the  command  "<b>postconf</b>
+       <b>-m</b>"  to  find  out  what lookup tables Postfix supports on
        your system.
 
        /etc/postfix/<a href="postconf.5.html">main.cf</a>:
@@ -394,7 +391,7 @@ ACCESS(5)                                                            ACCESS(5)
        editing the file.
 
 <b>BUGS</b>
-       The  table format does not understand quoting conventions.
+       The table format does not understand quoting  conventions.
 
 <b>SEE ALSO</b>
        <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
@@ -407,7 +404,7 @@ ACCESS(5)                                                            ACCESS(5)
        <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/aliases.5.html b/postfix/html/aliases.5.html
index ab5cae5bd..30cddaa27 100644
--- a/postfix/html/aliases.5.html
+++ b/postfix/html/aliases.5.html
@@ -82,8 +82,8 @@ ALIASES(5)                                                          ALIASES(5)
               When the command fails, a limited amount of command
               output is mailed back  to  the  sender.   The  file
               <b>/usr/include/sysexits.h</b>  defines  the expected exit
-              status codes. For example, use <b>|"exit 67"</b> to  simu-
-              late  a  "user  unknown"  error,  and  <b>|"exit 0"</b> to
+              status codes. For example, use <b>"|exit 67"</b> to  simu-
+              late  a  "user  unknown"  error,  and  <b>"|exit 0"</b> to
               implement an expensive black hole.
 
        <b>:include:</b><i>/file/name</i>
diff --git a/postfix/html/anvil.8.html b/postfix/html/anvil.8.html
index b8f45190c..650506f61 100644
--- a/postfix/html/anvil.8.html
+++ b/postfix/html/anvil.8.html
@@ -182,27 +182,28 @@ ANVIL(8)                                                              ANVIL(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -214,7 +215,7 @@ ANVIL(8)                                                              ANVIL(8)
        <a href="TUNING_README.html">TUNING_README</a>, performance tuning
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>HISTORY</b>
diff --git a/postfix/html/bounce.5.html b/postfix/html/bounce.5.html
index e6c23320c..261a91cc3 100644
--- a/postfix/html/bounce.5.html
+++ b/postfix/html/bounce.5.html
@@ -31,8 +31,8 @@ BOUNCE(5)                                                            BOUNCE(5)
        bounce template formats.
 
 <b>GENERAL PROCEDURE</b>
-       To create customized bounce template file, create a tempo-
-       rary  copy  of the file <b>/etc/postfix/bounce.cf.default</b> and
+       To create a customized bounce template file, create a tem-
+       porary copy of the file <b>/etc/postfix/bounce.cf.default</b> and
        edit the temporary file.
 
        To preview the results of $<i>name</i> expansions in the template
diff --git a/postfix/html/bounce.8.html b/postfix/html/bounce.8.html
index 6256c3efc..ef1104937 100644
--- a/postfix/html/bounce.8.html
+++ b/postfix/html/bounce.8.html
@@ -120,35 +120,36 @@ BOUNCE(8)                                                            BOUNCE(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
-              The  list of error classes that are reported to the
+              The list of error classes that are reported to  the
               postmaster.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>FILES</b>
@@ -165,7 +166,7 @@ BOUNCE(8)                                                            BOUNCE(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/canonical.5.html b/postfix/html/canonical.5.html
index 8ee71e649..c43a1df35 100644
--- a/postfix/html/canonical.5.html
+++ b/postfix/html/canonical.5.html
@@ -26,8 +26,8 @@ CANONICAL(5)                                                      CANONICAL(5)
        file  that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command.  The
        result, an indexed file in <b>dbm</b> or <b>db</b> format, is  used  for
        fast  searching  by  the  mail system. Execute the command
-       "<b>postmap /etc/postfix/canonical</b>" in order to  rebuild  the
-       indexed file after changing the text file.
+       "<b>postmap /etc/postfix/canonical</b>"  to  rebuild  an  indexed
+       file after changing the corresponding text file.
 
        When  the  table  is provided via other means such as NIS,
        LDAP or SQL, the same lookups are  done  as  for  ordinary
@@ -36,9 +36,9 @@ CANONICAL(5)                                                      CANONICAL(5)
        Alternatively,  the  table  can  be provided as a regular-
        expression map where patterns are given as regular expres-
        sions,  or lookups can be directed to TCP-based server. In
-       that case, the lookups are done in  a  slightly  different
+       those cases, the lookups are done in a slightly  different
        way  as  described below under "REGULAR EXPRESSION TABLES"
-       and "TCP-BASED TABLES".
+       or "TCP-BASED TABLES".
 
        By default the <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping affects  both  message
        header  addresses  (i.e. addresses that appear inside mes-
@@ -59,11 +59,9 @@ CANONICAL(5)                                                      CANONICAL(5)
        addresses produced by legacy mail systems.
 
        The <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping is not to be confused  with  <i>vir-</i>
-       <i>tual  domain</i> support. Use the <a href="virtual.5.html"><b>virtual</b>(5)</a> map for that pur-
-       pose.
-
-       The <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping is not to be confused with  local
-       aliasing.  Use the <a href="aliases.5.html"><b>aliases</b>(5)</a> map for that purpose.
+       <i>tual  alias</i>  support or with local aliasing. To change the
+       destination but not the headers,  use  the  <a href="virtual.5.html"><b>virtual</b>(5)</a>  or
+       <a href="aliases.5.html"><b>aliases</b>(5)</a> map instead.
 
 <b>CASE FOLDING</b>
        The  search  string is folded to lowercase before database
@@ -115,6 +113,13 @@ CANONICAL(5)                                                      CANONICAL(5)
               Replace other addresses in <i>domain</i> by <i>address</i>.  This
               form has the lowest precedence.
 
+              Note:  @<i>domain</i>  is  a  wild-card. When this form is
+              applied to recipient addresses,  the  Postfix  SMTP
+              server  accepts  mail  for any recipient in <i>domain</i>,
+              regardless of whether that recipient exists.   This
+              may turn your mail system into a backscatter source
+              that returns undeliverable spam to innocent people.
+
 <b>RESULT ADDRESS REWRITING</b>
        The lookup result is subject to address rewriting:
 
@@ -162,7 +167,7 @@ CANONICAL(5)                                                      CANONICAL(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.3.
+       Postfix version 2.4.
 
        Each lookup operation uses the entire address once.  Thus,
        <i>user@domain</i>  mail  addresses  are not broken up into their
diff --git a/postfix/html/cidr_table.5.html b/postfix/html/cidr_table.5.html
index d869dbb9e..4a8011240 100644
--- a/postfix/html/cidr_table.5.html
+++ b/postfix/html/cidr_table.5.html
@@ -18,59 +18,62 @@ CIDR_TABLE(5)                                                    CIDR_TABLE(5)
        The  Postfix  mail  system  uses  optional  lookup tables.
        These tables are usually in <b>dbm</b> or  <b>db</b>  format.   Alterna-
        tively,  lookup tables can be specified in CIDR (Classless
-       Inter-Domain Routing) form.
+       Inter-Domain Routing) form. In this case,  each  input  is
+       compared  against  a  list  of  patterns.  When a match is
+       found, the corresponding result is returned and the search
+       is terminated.
 
-       To find out what types of lookup tables your Postfix  sys-
+       To  find out what types of lookup tables your Postfix sys-
        tem supports use the "<b>postconf -m</b>" command.
 
-       To  test  lookup  tables,  use the "<b>postmap -q</b>" command as
+       To test lookup tables, use the  "<b>postmap  -q</b>"  command  as
        described in the SYNOPSIS above.
 
 <b>TABLE FORMAT</b>
        The general form of a Postfix CIDR table is:
 
        <i>network</i><b>_</b><i>address</i><b>/</b><i>network</i><b>_</b><i>mask     result</i>
-              When a search string matches the specified  network
-              block,  use the corresponding <i>result</i> value. Specify
-              0.0.0.0/0 to match every IPv4 address, and ::/0  to
+              When  a search string matches the specified network
+              block, use the corresponding <i>result</i> value.  Specify
+              0.0.0.0/0  to match every IPv4 address, and ::/0 to
               match every IPv6 address.
 
               An IPv4 network address is a sequence of four deci-
-              mal octets separated by ".", and  an  IPv6  network
+              mal  octets  separated  by ".", and an IPv6 network
               address is a sequence of three to eight hexadecimal
               octet pairs separated by ":".
 
-              Before comparisons are made, lookup keys and  table
+              Before  comparisons are made, lookup keys and table
               entries are converted from string to binary. There-
-              fore table entries will be  matched  regardless  of
+              fore  table  entries  will be matched regardless of
               redundant zero characters.
 
-              Note:  address  information  may be enclosed inside
+              Note: address information may  be  enclosed  inside
               "[]" but this form is not recommended.
 
               IPv6 support is available in Postfix 2.2 and later.
 
        <i>network</i><b>_</b><i>address     result</i>
-              When  a search string matches the specified network
+              When a search string matches the specified  network
               address, use the corresponding <i>result</i> value.
 
        blank lines and comments
-              Empty lines and whitespace-only lines are  ignored,
-              as  are  lines whose first non-whitespace character
+              Empty  lines and whitespace-only lines are ignored,
+              as are lines whose first  non-whitespace  character
               is a `#'.
 
        multi-line text
-              A logical line starts with non-whitespace  text.  A
-              line  that starts with whitespace continues a logi-
+              A  logical  line starts with non-whitespace text. A
+              line that starts with whitespace continues a  logi-
               cal line.
 
 <b>TABLE SEARCH ORDER</b>
-       Patterns are applied in the order as specified in the  ta-
-       ble,  until  a  pattern  is  found that matches the search
+       Patterns  are applied in the order as specified in the ta-
+       ble, until a pattern is  found  that  matches  the  search
        string.
 
 <b>EXAMPLE SMTPD ACCESS MAP</b>
-       /etc/postfix/main.cf:
+       /etc/postfix/<a href="postconf.5.html">main.cf</a>:
            <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> = ... <a href="cidr_table.5.html">cidr</a>:/etc/postfix/client.cidr ...
 
        /etc/postfix/client.<a href="cidr_table.5.html">cidr</a>:
@@ -90,7 +93,6 @@ CIDR_TABLE(5)                                                    CIDR_TABLE(5)
 <b>AUTHOR(S)</b>
        The CIDR table lookup code was originally written by:
        Jozsef Kadlecsik
-       kadlec@blackhole.kfki.hu
        KFKI Research Institute for Particle and Nuclear Physics
        POB. 49
        1525 Budapest, Hungary
diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html
index d207e4703..2cd0ceec3 100644
--- a/postfix/html/cleanup.8.html
+++ b/postfix/html/cleanup.8.html
@@ -412,31 +412,32 @@ CLEANUP(8)                                                          CLEANUP(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
-              Postfix daemon process terminates.
+              The  maximal  number of incoming connections that a
+              Postfix daemon process will service  before  termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
               The internet hostname of this mail system.
 
        <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
               The domain name that locally-posted mail appears to
-              come  from,  and that locally posted mail is deliv-
+              come from, and that locally posted mail  is  deliv-
               ered to.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
@@ -447,14 +448,14 @@ CLEANUP(8)                                                          CLEANUP(8)
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> (yes)</b>
-              Enable  support  for  the   X-Original-To   message
+              Enable   support   for  the  X-Original-To  message
               header.
 
 <b>FILES</b>
@@ -478,7 +479,7 @@ CLEANUP(8)                                                          CLEANUP(8)
        <a href="CONTENT_INSPECTION_README.html">CONTENT_INSPECTION_README</a> content inspection
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/discard.8.html b/postfix/html/discard.8.html
index 2fb77c2e1..9325692c5 100644
--- a/postfix/html/discard.8.html
+++ b/postfix/html/discard.8.html
@@ -77,31 +77,32 @@ DISCARD(8)                                                          DISCARD(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -114,7 +115,7 @@ DISCARD(8)                                                          DISCARD(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>HISTORY</b>
diff --git a/postfix/html/error.8.html b/postfix/html/error.8.html
index 849a55641..d66f9ead4 100644
--- a/postfix/html/error.8.html
+++ b/postfix/html/error.8.html
@@ -15,8 +15,8 @@ ERROR(8)                                                              ERROR(8)
 <b>DESCRIPTION</b>
        The  Postfix  <a href="error.8.html"><b>error</b>(8)</a>  delivery  agent processes delivery
        requests from the queue manager. Each request specifies  a
-       queue  file,  a sender address, a domain or host name that
-       is treated as the reason for non-delivery,  and  recipient
+       queue  file, a sender address, the reason for non-delivery
+       (specified as the  next-hop  destination),  and  recipient
        information.   The  reason  may  be  prefixed  with an RFC
        3463-compatible detail code.  This program expects  to  be
        run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
@@ -86,35 +86,36 @@ ERROR(8)                                                              ERROR(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
-              Postfix daemon process terminates.
+              The  maximal  number of incoming connections that a
+              Postfix daemon process will service  before  termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
-              The list of error classes that are reported to  the
+              The  list of error classes that are reported to the
               postmaster.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -127,7 +128,7 @@ ERROR(8)                                                              ERROR(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/flush.8.html b/postfix/html/flush.8.html
index cba373e9e..c5f3bb405 100644
--- a/postfix/html/flush.8.html
+++ b/postfix/html/flush.8.html
@@ -120,37 +120,38 @@ FLUSH(8)                                                              FLUSH(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
-       <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>  (see  'postconf -d' out-</b>
+       <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf  -d'  out-</b>
        <b>put)</b>
               What   Postfix   features   match   subdomains   of
               "domain.tld" automatically, instead of requiring an
               explicit ".domain.tld" pattern.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>FILES</b>
@@ -168,7 +169,7 @@ FLUSH(8)                                                              FLUSH(8)
        <a href="ETRN_README.html">ETRN_README</a>, Postfix ETRN howto
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>HISTORY</b>
diff --git a/postfix/html/generic.5.html b/postfix/html/generic.5.html
index e0c2a5e00..9b0ffc2e4 100644
--- a/postfix/html/generic.5.html
+++ b/postfix/html/generic.5.html
@@ -39,8 +39,8 @@ GENERIC(5)                                                          GENERIC(5)
        that serves as  input  to  the  <a href="postmap.1.html"><b>postmap</b>(1)</a>  command.   The
        result,  an  indexed file in <b>dbm</b> or <b>db</b> format, is used for
        fast searching by the mail  system.  Execute  the  command
-       "<b>postmap  /etc/postfix/generic</b>"  in  order  to rebuild the
-       indexed file after changing the text file.
+       "<b>postmap  /etc/postfix/generic</b>" to rebuild an indexed file
+       after changing the corresponding text file.
 
        When the table is provided via other means  such  as  NIS,
        LDAP  or  SQL,  the  same lookups are done as for ordinary
@@ -49,9 +49,9 @@ GENERIC(5)                                                          GENERIC(5)
        Alternatively, the table can be  provided  as  a  regular-
        expression map where patterns are given as regular expres-
        sions, or lookups can be directed to TCP-based server.  In
-       that  case,  the  lookups are done in a slightly different
+       those  case,  the lookups are done in a slightly different
        way as described below under "REGULAR  EXPRESSION  TABLES"
-       and "TCP-BASED TABLES".
+       or "TCP-BASED TABLES".
 
 <b>CASE FOLDING</b>
        The  search  string is folded to lowercase before database
@@ -142,7 +142,7 @@ GENERIC(5)                                                          GENERIC(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.3.
+       Postfix version 2.4.
 
        Each lookup operation uses the entire address once.  Thus,
        <i>user@domain</i>  mail  addresses  are not broken up into their
diff --git a/postfix/html/header_checks.5.html b/postfix/html/header_checks.5.html
index 4fd5a9ed0..a456be7c9 100644
--- a/postfix/html/header_checks.5.html
+++ b/postfix/html/header_checks.5.html
@@ -19,12 +19,16 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
        <b>postmap -fq - <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i> &lt;<i>inputfile</i>
 
 <b>DESCRIPTION</b>
-       Postfix  provides  a  simple  built-in  content inspection
-       mechanism that examines incoming mail one  message  header
-       or one message body line at a time. Each input is compared
-       against a list of patterns, and when a match is found  the
-       corresponding  action is executed.  This feature is imple-
-       mented by the Postfix <a href="cleanup.8.html"><b>cleanup</b>(8)</a> server.
+       The  Postfix  <a href="cleanup.8.html"><b>cleanup</b>(8)</a> server supports access control on
+       the content of message headers  and  message  body  lines.
+       See  <a href="access.5.html"><b>access</b>(5)</a>  for  access  control on remote SMTP client
+       information.
+
+       Each message header  or  message  body  line  is  compared
+       against  a  list  of  patterns.  When a match is found the
+       corresponding action is executed, and the matching process
+       is  repeated  for  the next message header or message body
+       line.
 
        For examples, see the EXAMPLES section at the end of  this
        manual page.
@@ -170,7 +174,7 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
               mation about external content  filters  is  in  the
               Postfix <a href="FILTER_README.html">FILTER_README</a> file.
 
-              Note:   this  action  overrides  the  <b>main.cf  <a href="postconf.5.html#content_filter">con</a>-</b>
+              Note:   this  action  overrides  the  <a href="postconf.5.html"><b>main.cf</a>  <a href="postconf.5.html#content_filter">con</a>-</b>
               <b><a href="postconf.5.html#content_filter">tent_filter</a></b> setting, and affects all recipients  of
               the  message.  In  the  case  that  multiple <b>FILTER</b>
               actions fire, only the last one is executed.
@@ -191,14 +195,15 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
               Note: use "<b>postsuper -r</b>" to release mail  that  was
               kept  on  hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
               <b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b>  or  <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>,  or
-              longer.
+              longer.  Use "<b>postsuper -H</b>" only for mail that will
+              not expire within a few delivery attempts.
 
-              Note:  this  action  affects  all recipients of the
+              Note: this action affects  all  recipients  of  the
               message.
 
               This feature is available in Postfix 2.0 and later.
 
-       <b>IGNORE</b> Delete  the current line from the input and inspect
+       <b>IGNORE</b> Delete the current line from the input and  inspect
               the next input line.
 
        <b>PREPEND</b> <i>text...</i>
@@ -207,18 +212,18 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
 
               Notes:
 
-              <b>o</b>      The  prepended  text is output on a separate
+              <b>o</b>      The prepended text is output on  a  separate
                      line,  immediately  before  the  input  that
                      triggered the <b>PREPEND</b> action.
 
               <b>o</b>      The prepended text is not considered part of
-                     the input  stream:  it  is  not  subject  to
+                     the  input  stream:  it  is  not  subject to
                      header/body checks or address rewriting, and
                      it does not affect the way that Postfix adds
                      missing message headers.
 
               <b>o</b>      When prepending text before a message header
-                     line, the prepended text must begin  with  a
+                     line,  the  prepended text must begin with a
                      valid message header label.
 
               <b>o</b>      This action cannot be used to prepend multi-
@@ -227,46 +232,46 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
               This feature is available in Postfix 2.1 and later.
 
        <b>REDIRECT</b> <i>user@domain</i>
-              Write  a  message  redirection request to the queue
-              file and inspect the next  input  line.  After  the
+              Write a message redirection request  to  the  queue
+              file  and  inspect  the  next input line. After the
               message is queued, it will be sent to the specified
               address instead of the intended recipient(s).
 
-              Note: this action overrides the <b>FILTER</b> action,  and
-              affects  all recipients of the message. If multiple
-              <b>REDIRECT</b> actions fire, only the last  one  is  exe-
+              Note:  this action overrides the <b>FILTER</b> action, and
+              affects all recipients of the message. If  multiple
+              <b>REDIRECT</b>  actions  fire,  only the last one is exe-
               cuted.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>REPLACE</b> <i>text...</i>
-              Replace the current line with  the  specified  text
+              Replace  the  current  line with the specified text
               and inspect the next input line.
 
               This feature is available in Postfix 2.2 and later.
-              The description below applies to Postfix 2.2.2  and
+              The  description below applies to Postfix 2.2.2 and
               later.
 
               Notes:
 
-              <b>o</b>      When  replacing  a  message header line, the
-                     replacement text must  begin  with  a  valid
+              <b>o</b>      When replacing a message  header  line,  the
+                     replacement  text  must  begin  with a valid
                      header label.
 
-              <b>o</b>      The  replaced text remains part of the input
-                     stream. Unlike the result from  the  <b>PREPEND</b>
-                     action,  a  replaced  message  header may be
-                     subject to address rewriting and may  affect
-                     the  way  that  Postfix adds missing message
+              <b>o</b>      The replaced text remains part of the  input
+                     stream.  Unlike  the result from the <b>PREPEND</b>
+                     action, a replaced  message  header  may  be
+                     subject  to address rewriting and may affect
+                     the way that Postfix  adds  missing  message
                      headers.
 
        <b>REJECT</b> <i>optional text...</i>
-              Reject the  entire  message.  Reply  with  <i>optional</i>
+              Reject  the  entire  message.  Reply  with <i>optional</i>
               <i>text...</i> when the optional text is specified, other-
               wise reply with a generic error message.
 
-              Note:  this  action  disables  further  header   or
-              <a href="postconf.5.html#body_checks">body_checks</a>  inspection  of the current message and
+              Note:   this  action  disables  further  header  or
+              <a href="postconf.5.html#body_checks">body_checks</a> inspection of the current  message  and
               affects all recipients.
 
               Postfix version 2.3 and later support enhanced sta-
@@ -275,26 +280,26 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
               enhanced status code of "5.7.1".
 
        <b>WARN</b> <i>optional text...</i>
-              Log  a  warning with the <i>optional text...</i> (or log a
-              generic message) and inspect the next  input  line.
+              Log a warning with the <i>optional text...</i> (or  log  a
+              generic  message)  and inspect the next input line.
               This action is useful for debugging and for testing
               a pattern before applying more drastic actions.
 
 <b>BUGS</b>
-       Many people overlook the main limitations  of  header  and
-       <a href="postconf.5.html#body_checks">body_checks</a>  rules.   These  rules  operate on one logical
-       message header or one body line at a time, and a  decision
-       made  for  one  line is not carried over to the next line.
+       Many  people  overlook  the main limitations of header and
+       <a href="postconf.5.html#body_checks">body_checks</a> rules.  These rules  operate  on  one  logical
+       message  header or one body line at a time, and a decision
+       made for one line is not carried over to  the  next  line.
        If text in the message body is encoded (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a>) then the
-       rules  have  to specified for the encoded form.  Likewise,
+       rules have to specified for the encoded  form.   Likewise,
        when message headers are encoded (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC 2047</a>) then the rules
        need to be specified for the encoded form.
 
-       Message  headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are
+       Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself  are
        excluded from inspection. Examples of such message headers
        are <b>From:</b>, <b>To:</b>, <b>Message-ID:</b>, <b>Date:</b>.
 
-       Message  headers  deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will be
+       Message headers deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon  will  be
        examined before they are deleted. Examples are: <b>Bcc:, Con-</b>
        <b>tent-Length:</b>, <b>Return-Path:</b>.
 
@@ -302,11 +307,11 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
        <b><a href="postconf.5.html#body_checks">body_checks</a></b>
               Lookup tables with content filter rules for message
               body lines.  These filters see one physical line at
-              a  time,  in  chunks  of at most <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b>
+              a time, in chunks  of  at  most  <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b>
               bytes.
 
        <b><a href="postconf.5.html#body_checks_size_limit">body_checks_size_limit</a></b>
-              The amount of  content  per  message  body  segment
+              The  amount  of  content  per  message body segment
               (attachment) that is subjected to <b>$<a href="postconf.5.html#body_checks">body_checks</a></b> fil-
               tering.
 
@@ -316,35 +321,35 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
 
        <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
               Lookup tables with content filter rules for message
-              header  lines:  respectively,  these are applied to
-              the initial message  headers  (not  including  MIME
-              headers),  to the MIME headers anywhere in the mes-
-              sage, and to the initial headers of  attached  mes-
+              header lines: respectively, these  are  applied  to
+              the  initial  message  headers  (not including MIME
+              headers), to the MIME headers anywhere in the  mes-
+              sage,  and  to the initial headers of attached mes-
               sages.
 
-              Note:  these filters see one logical message header
-              at a time, even when a message header spans  multi-
-              ple  lines.  Message  headers  that are longer than
+              Note: these filters see one logical message  header
+              at  a time, even when a message header spans multi-
+              ple lines. Message headers  that  are  longer  than
               <b>$<a href="postconf.5.html#header_size_limit">header_size_limit</a></b> characters are truncated.
 
        <b><a href="postconf.5.html#disable_mime_input_processing">disable_mime_input_processing</a></b>
-              While receiving mail, give no special treatment  to
-              MIME  related  message  headers; all text after the
+              While  receiving mail, give no special treatment to
+              MIME related message headers; all  text  after  the
               initial message headers is considered to be part of
-              the  message body. This means that <b><a href="postconf.5.html#header_checks">header_checks</a></b> is
-              applied to all the  initial  message  headers,  and
+              the message body. This means that <b><a href="postconf.5.html#header_checks">header_checks</a></b>  is
+              applied  to  all  the  initial message headers, and
               that <b><a href="postconf.5.html#body_checks">body_checks</a></b> is applied to the remainder of the
               message.
 
-              Note: when used in this  manner,  <b><a href="postconf.5.html#body_checks">body_checks</a></b>  will
-              process  a  multi-line message header one line at a
+              Note:  when  used  in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will
+              process a multi-line message header one line  at  a
               time.
 
 <b>EXAMPLES</b>
-       Header pattern to block attachments  with  bad  file  name
+       Header  pattern  to  block  attachments with bad file name
        extensions.
 
-       /etc/postfix/main.cf:
+       /etc/postfix/<a href="postconf.5.html">main.cf</a>:
            <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks
 
        /etc/postfix/header_checks:
@@ -354,7 +359,7 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
        Body pattern to stop a specific HTML browser vulnerability
        exploit.
 
-       /etc/postfix/main.cf:
+       /etc/postfix/<a href="postconf.5.html">main.cf</a>:
            <a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks
 
        /etc/postfix/body_checks:
@@ -379,7 +384,7 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
        <a href="BACKSCATTER_README.html">BACKSCATTER_README</a>, blocking returned forged mail
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/ldap_table.5.html b/postfix/html/ldap_table.5.html
index ef9d1cf53..60d460ee5 100644
--- a/postfix/html/ldap_table.5.html
+++ b/postfix/html/ldap_table.5.html
@@ -24,6 +24,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
        In order to use LDAP lookups, define an LDAP source  as  a
        lookup table in <a href="postconf.5.html">main.cf</a>, for example:
+
            <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
 
        The  file /etc/postfix/ldap-aliases.cf has the same format
@@ -87,10 +88,12 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
        For example, NEVER do this in a map  defining  $<a href="postconf.5.html#mydestination">mydestina</a>-
        <a href="postconf.5.html#mydestination">tion</a>:
+
            query_filter = domain=*
            result_attribute = domain
 
        Do this instead:
+
            query_filter = domain=%s
            result_attribute = domain
 
@@ -102,6 +105,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
        <b>server_host (default: localhost)</b>
               The name of the host running the LDAP server,  e.g.
+
                   server_host = ldap.example.com
 
               Depending  on the LDAP client library you're using,
@@ -110,10 +114,12 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               the first one fail. It should also be  possible  to
               give  each  server  in  the  list  a different port
               (overriding <b>server_port</b> below), by naming them like
+
                   server_host = ldap.example.com:1444
 
               With OpenLDAP, a (list of) LDAP URLs can be used to
               specify both the hostname(s) and the port(s):
+
                   server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444
                               <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444
 
@@ -121,21 +127,25 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               supported,  including  connections over UNIX domain
               sockets, and LDAP SSL (the last one  provided  that
               OpenLDAP was compiled with support for SSL):
+
                   server_host = ldapi://%2Fsome%2Fpath
                               ldaps://ldap.example.com:636
 
        <b>server_port (default: 389)</b>
               The port the LDAP server listens on, e.g.
+
                   server_port = 778
 
        <b>timeout (default: 10 seconds)</b>
               The number of seconds a search can take before tim-
               ing out, e.g.
+
                   timeout = 5
 
        <b>search_base (No default; you must configure this)</b>
               The <a href="http://www.faqs.org/rfcs/rfc2253.html">RFC2253</a> base DN at which to conduct the search,
               e.g.
+
                   search_base = dc=your, dc=com
 
               With  Postfix 2.2 and later this parameter supports
@@ -184,6 +194,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               The  <a href="http://www.faqs.org/rfcs/rfc2254.html">RFC2254</a>  filter  used to search the directory,
               where <b>%s</b> is a substitute for the address Postfix is
               trying to resolve, e.g.
+
                   query_filter = (&amp;(mail=%s)(paid_up=true))
 
               This  parameter  supports  the following '%' expan-
@@ -315,6 +326,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               lookups,  bare domain lookups and "@domain" lookups
               are not performed. This  can  significantly  reduce
               the query load on the LDAP server.
+
                   domain = postfix.org, hash:/etc/postfix/search-
               domains
 
@@ -330,13 +342,15 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               The  attribute(s) Postfix will read from any direc-
               tory entries returned by the lookup, to be resolved
               to an email address.
+
                   result_attribute = mailbox, maildrop
 
-       <b>special_result_attribute (No default)</b>
+       <b>special_result_attribute (default: empty)</b>
               The attribute(s) of directory entries that can con-
               tain DNs or URLs. If found, a recursive  subsequent
               search is done using their values.
-                  special_result_attribute = member
+
+                  special_result_attribute = memberdn
 
               DN  recursion  retrieves the same result_attributes
               as the main query, including the special attributes
@@ -347,6 +361,53 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               map's  special  result  attributes,  these are also
               retrieved and used recursively.
 
+       <b>terminal_result_attribute (default: empty)</b>
+              When one or more  terminal  result  attributes  are
+              found in an LDAP entry, all other result attributes
+              are ignored and only the terminal result attributes
+              are  returned. This is useful for delegating expan-
+              sion of group members  to  a  particular  host,  by
+              using  an optional "maildrop" attribute on selected
+              groups to route the group to a specific host, where
+              the  group  is  expanded, possibly via mailing-list
+              manager or other special processing.
+
+                  terminal_result_attribute = maildrop
+
+              This feature  is  available  with  Postfix  2.4  or
+              later.
+
+       <b>leaf_result_attribute (default: empty)</b>
+              When  one  or  more  special  result attributes are
+              found in a non-terminal  (see  above)  LDAP  entry,
+              leaf result attributes are excluded from the expan-
+              sion of that entry. This is useful  when  expanding
+              groups and the desired mail address attribute(s) of
+              the member objects obtained via DN or URI recursion
+              are  also  present  in  the  group  object. To only
+              return the attribute values from the  leaf  objects
+              and  not the containing group, add the attribute to
+              the  leaf_result_attribute  list,   and   not   the
+              result_attribute  list,  which  is always expanded.
+              Note, the default value  of  "result_attribute"  is
+              not  empty, you may want to set it explicitly empty
+              when using "leaf_result_attribute"  to  expand  the
+              group  to  a list of member DN addresses. If groups
+              have both member DN references AND attributes  that
+              hold  multiple string valued rfc822 addresses, then
+              the string  attributes  go  in  "result_attribute".
+              The  attributes  that represent the email addresses
+              of objects referenced via a DN (or LDAP URI) go  in
+              "leaf_result_attribute".
+
+                  result_attribute = memberaddr
+                  special_result_attribute = memberdn
+                  terminal_result_attribute = maildrop
+                  leaf_result_attribute = mail
+
+              This  feature  is  available  with  Postfix  2.4 or
+              later.
+
        <b>scope (default: sub)</b>
               The LDAP search scope: <b>sub</b>, <b>base</b>,  or  <b>one</b>.   These
               translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
@@ -356,6 +417,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               Whether or not to bind to the  LDAP  server.  Newer
               LDAP implementations don't require clients to bind,
               which saves time. Example:
+
                   bind = no
 
               If you do need to bind, you might consider  config-
@@ -369,6 +431,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
        <b>bind_dn (default: empty)</b>
               If  you  do  have  to bind, do it with this distin-
               guished name. Example:
+
                   bind_dn = uid=postfix, dc=your, dc=com
 
        <b>bind_pw (default: empty)</b>
@@ -381,6 +444,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow
               local accounts to submit mail via the sendmail com-
               mand. Example:
+
                   bind_pw = postfixpw
 
        <b>cache (IGNORED with a warning)</b>
@@ -459,13 +523,16 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
        LDAP SSL service can be requested by using a LDAP SSL  URL
        in the server_host parameter:
+
            server_host = ldaps://ldap.example.com:636
 
        STARTTLS can be turned on with the start_tls parameter:
+
            start_tls = yes
 
        Both  forms  require LDAP protocol version 3, which has to
        be set explicitly with:
+
            version = 3
 
        If any of the Postfix programs querying the map is config-
@@ -530,22 +597,24 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 <b>EXAMPLE</b>
        Here's  a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
        aliases.  Assume that in <a href="postconf.5.html">main.cf</a>, you have:
+
            <a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
                <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
 
        and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:
-           server_host = ldap.my.com
-           search_base = dc=my, dc=com
+
+           server_host = ldap.example.com
+           search_base = dc=example, dc=com
 
        Upon receiving mail for a local  address  "ldapuser"  that
        isn't  found  in  the  /etc/aliases database, Postfix will
-       search  the  LDAP  server  listening  at   port   389   on
-       ldap.my.com.   It  will  bind  anonymously, search for any
-       directory entries whose  mailacceptinggeneralid  attribute
-       is  "ldapuser",  read  the  "maildrop" attributes of those
-       found, and build a list of their maildrops, which will  be
-       treated  as  <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a> addresses to which the message will be
-       delivered.
+       search the LDAP server listening at port 389 on ldap.exam-
+       ple.com.   It will bind anonymously, search for any direc-
+       tory entries  whose  mailacceptinggeneralid  attribute  is
+       "ldapuser", read the "maildrop" attributes of those found,
+       and build a list of their maildrops, which will be treated
+       as  <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a>  addresses  to which the message will be deliv-
+       ered.
 
 <b>SEE ALSO</b>
        <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
diff --git a/postfix/html/local.8.html b/postfix/html/local.8.html
index 0e512a166..de3fd4f54 100644
--- a/postfix/html/local.8.html
+++ b/postfix/html/local.8.html
@@ -560,33 +560,34 @@ LOCAL(8)                                                              LOCAL(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a> (command, file, forward)</b>
-              The  message  delivery  contexts  where the Postfix
-              <a href="local.8.html"><b>local</b>(8)</a> delivery agent  prepends  a  Delivered-To:
-              message  header  with the address that the mail was
+              The message delivery  contexts  where  the  Postfix
+              <a href="local.8.html"><b>local</b>(8)</a>  delivery  agent  prepends a Delivered-To:
+              message header with the address that the  mail  was
               delivered to.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> (canonical, virtual)</b>
-              What address lookup tables copy an  address  exten-
+              What  address  lookup tables copy an address exten-
               sion from the lookup key to the lookup result.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
@@ -594,15 +595,15 @@ LOCAL(8)                                                              LOCAL(8)
               sions (user+foo).
 
        <b><a href="postconf.5.html#require_home_directory">require_home_directory</a> (no)</b>
-              Whether  or  not a <a href="local.8.html"><b>local</b>(8)</a> recipient's home direc-
-              tory must exist before mail delivery is  attempted.
+              Whether or not a <a href="local.8.html"><b>local</b>(8)</a> recipient's  home  direc-
+              tory  must exist before mail delivery is attempted.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>FILES</b>
@@ -622,14 +623,14 @@ LOCAL(8)                                                              LOCAL(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>HISTORY</b>
        The <b>Delivered-To:</b> message header appears in the <b>qmail</b> sys-
        tem by Daniel Bernstein.
 
-       The  <i>maildir</i>  structure  appears  in  the  <b>qmail</b> system by
+       The <i>maildir</i> structure  appears  in  the  <b>qmail</b>  system  by
        Daniel Bernstein.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/master.8.html b/postfix/html/master.8.html
index 221984c85..859474805 100644
--- a/postfix/html/master.8.html
+++ b/postfix/html/master.8.html
@@ -27,12 +27,12 @@ MASTER(8)                                                            MASTER(8)
        number server.
 
        The behavior of the <a href="master.8.html"><b>master</b>(8)</a> daemon is controlled by  the
-       <b>master.cf</b> configuration file, as described in <a href="master.5.html"><b>master</b>(5)</a>.
+       <a href="master.5.html"><b>master.cf</b></a> configuration file, as described in <a href="master.5.html"><b>master</b>(5)</a>.
 
        Options:
 
        <b>-c</b> <i>config</i><b>_</b><i>dir</i>
-              Read  the <b>main.cf</b> and <b>master.cf</b> configuration files
+              Read  the <a href="postconf.5.html"><b>main.cf</b></a> and <a href="master.5.html"><b>master.cf</b></a> configuration files
               in the named directory instead of the default  con-
               figuration directory.  This also overrides the con-
               figuration files  for  other  Postfix  daemon  pro-
@@ -40,7 +40,7 @@ MASTER(8)                                                            MASTER(8)
 
        <b>-D</b>     After  initialization, run a debugger on the master
               process. The debugging command  is  specified  with
-              the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> in the <b>main.cf</b> global configu-
+              the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> in the <a href="postconf.5.html"><b>main.cf</b></a> global configu-
               ration file.
 
        <b>-d</b>     Do  not  redirect  stdin,  stdout  or   stderr   to
@@ -66,7 +66,7 @@ MASTER(8)                                                            MASTER(8)
        <b>SIGHUP</b> Upon  receipt of a <b>HUP</b> signal (e.g., after "<b>postfix</b>
               <b>reload</b>"), the master process re-reads its  configu-
               ration  files.  If  a service has been removed from
-              the <b>master.cf</b> file, its running processes are  ter-
+              the <a href="master.5.html"><b>master.cf</b></a> file, its running processes are  ter-
               minated  immediately.  Otherwise, running processes
               are allowed to terminate as soon as is  convenient,
               so  that  changes  in configuration settings affect
@@ -87,15 +87,15 @@ MASTER(8)                                                            MASTER(8)
        <b>MAIL_DEBUG</b>
               After initialization, start a debugger as specified
               with the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b>  configuration  parameter
-              in the <b>main.cf</b> configuration file.
+              in the <a href="postconf.5.html"><b>main.cf</b></a> configuration file.
 
        <b>MAIL_CONFIG</b>
               Directory with Postfix configuration files.
 
 <b>CONFIGURATION PARAMETERS</b>
        Unlike most Postfix daemon processes, the <a href="master.8.html"><b>master</b>(8)</a> server
-       does not automatically pick up changes to <b>main.cf</b>. Changes
-       to  <b>master.cf</b>  are never picked up automatically.  Use the
+       does not automatically pick up changes to <a href="postconf.5.html"><b>main.cf</b></a>. Changes
+       to  <a href="master.5.html"><b>master.cf</b></a>  are never picked up automatically.  Use the
        "<b>postfix reload</b>" command after a configuration change.
 
 <b>RESOURCE AND RATE CONTROLS</b>
@@ -105,12 +105,13 @@ MASTER(8)                                                            MASTER(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
-              Postfix daemon process terminates.
+              The  maximal  number of incoming connections that a
+              Postfix daemon process will service  before  termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#service_throttle_time">service_throttle_time</a> (60s)</b>
               How long the Postfix <a href="master.8.html"><b>master</b>(8)</a> waits before forking
@@ -118,11 +119,11 @@ MASTER(8)                                                            MASTER(8)
 
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location  of  the Postfix main.cf and
-              master.cf configuration files.
+              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
-              The directory with  Postfix  support  programs  and
+              The  directory  with  Postfix  support programs and
               daemon programs.
 
        <b><a href="postconf.5.html#debugger_command">debugger_command</a> (empty)</b>
@@ -134,11 +135,11 @@ MASTER(8)                                                            MASTER(8)
               tem receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
-              The  Internet protocols Postfix will attempt to use
+              The Internet protocols Postfix will attempt to  use
               when making or accepting connections.
 
        <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
-              The list of environment parameters that  a  Postfix
+              The  list  of environment parameters that a Postfix
               process  will  import  from  a  non-Postfix  parent
               process.
 
@@ -147,39 +148,39 @@ MASTER(8)                                                            MASTER(8)
               and most Postfix daemon processes.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>FILES</b>
-       /etc/postfix/main.cf, global configuration file.
-       /etc/postfix/master.cf, master server configuration file.
+       /etc/postfix/<a href="postconf.5.html">main.cf</a>, global configuration file.
+       /etc/postfix/<a href="master.5.html">master.cf</a>, master server configuration file.
        /var/spool/postfix/pid/master.pid, master lock file.
 
 <b>SEE ALSO</b>
        <a href="qmgr.8.html">qmgr(8)</a>, queue manager
        <a href="verify.8.html">verify(8)</a>, address verification
-       <a href="master.5.html">master(5)</a>, master.cf configuration file syntax
-       <a href="postconf.5.html">postconf(5)</a>, main.cf configuration parameter syntax
+       <a href="master.5.html">master(5)</a>, <a href="master.5.html">master.cf</a> configuration file syntax
+       <a href="postconf.5.html">postconf(5)</a>, <a href="postconf.5.html">main.cf</a> configuration parameter syntax
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/pcre_table.5.html b/postfix/html/pcre_table.5.html
index 8698d02a8..10a560385 100644
--- a/postfix/html/pcre_table.5.html
+++ b/postfix/html/pcre_table.5.html
@@ -21,13 +21,14 @@ PCRE_TABLE(5)                                                    PCRE_TABLE(5)
 
        Alternatively, lookup tables can be specified in Perl Com-
        patible Regular Expression form. In this case, each  input
-       is  compared  against a list of patterns, and when a match
-       is found the corresponding result is returned.
+       is  compared  against  a list of patterns. When a match is
+       found, the corresponding result is returned and the search
+       is terminated.
 
-       To find out what types of lookup tables your Postfix  sys-
+       To  find out what types of lookup tables your Postfix sys-
        tem supports use the "<b>postconf -m</b>" command.
 
-       To  test  lookup  tables, use the "<b>postmap -fq</b>" command as
+       To test lookup tables, use the "<b>postmap  -fq</b>"  command  as
        described in the SYNOPSIS above.
 
 <b>TABLE FORMAT</b>
@@ -38,16 +39,16 @@ PCRE_TABLE(5)                                                    PCRE_TABLE(5)
               responding <i>result</i> value.
 
        <b>!/</b><i>pattern</i><b>/</b><i>flags result</i>
-              When  <i>pattern</i>  does <b>not</b> match the input string, use
+              When <i>pattern</i> does <b>not</b> match the input  string,  use
               the corresponding <i>result</i> value.
 
        <b>if /</b><i>pattern</i><b>/</b><i>flags</i>
 
        <b>endif</b>  Match the input string against the patterns between
-              <b>if</b>  and <b>endif</b>, if and only if the input string also
+              <b>if</b> and <b>endif</b>, if and only if the input string  also
               matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
 
-              Note: do not prepend whitespace to patterns  inside
+              Note:  do not prepend whitespace to patterns inside
               <b>if</b>..<b>endif</b>.
 
               This feature is available in Postfix 2.1 and later.
@@ -55,117 +56,117 @@ PCRE_TABLE(5)                                                    PCRE_TABLE(5)
        <b>if !/</b><i>pattern</i><b>/</b><i>flags</i>
 
        <b>endif</b>  Match the input string against the patterns between
-              <b>if</b>  and <b>endif</b>, if and only if the input string does
+              <b>if</b> and <b>endif</b>, if and only if the input string  does
               <b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
 
-              Note: do not prepend whitespace to patterns  inside
+              Note:  do not prepend whitespace to patterns inside
               <b>if</b>..<b>endif</b>.
 
               This feature is available in Postfix 2.1 and later.
 
        blank lines and comments
-              Empty lines and whitespace-only lines are  ignored,
-              as  are  lines whose first non-whitespace character
+              Empty  lines and whitespace-only lines are ignored,
+              as are lines whose first  non-whitespace  character
               is a `#'.
 
        multi-line text
-              A logical line starts with non-whitespace  text.  A
-              line  that starts with whitespace continues a logi-
+              A  logical  line starts with non-whitespace text. A
+              line that starts with whitespace continues a  logi-
               cal line.
 
        Each  pattern  is  a  perl-like  regular  expression.  The
-       expression  delimiter  can be any character, except white-
-       space or characters that have special meaning  (tradition-
-       ally  the  forward slash is used).  The regular expression
+       expression delimiter can be any character,  except  white-
+       space  or characters that have special meaning (tradition-
+       ally the forward slash is used).  The  regular  expression
        can contain whitespace.
 
        By default, matching is case-insensitive, and newlines are
-       not  treated  as  special characters. The behavior is con-
-       trolled by flags, which are toggled by  appending  one  or
+       not treated as special characters. The  behavior  is  con-
+       trolled  by  flags,  which are toggled by appending one or
        more of the following characters after the pattern:
 
        <b>i</b> (default: on)
-              Toggles  the  case  sensitivity  flag.  By default,
+              Toggles the  case  sensitivity  flag.  By  default,
               matching is case insensitive.
 
        <b>m</b> (default: off)
-              Toggles the PCRE_MULTILINE flag. When this flag  is
-              on,  the  <b>^</b>  and <b>$</b> metacharacters match immediately
-              after and immediately before a  newline  character,
-              respectively,  in addition to matching at the start
+              Toggles  the PCRE_MULTILINE flag. When this flag is
+              on, the <b>^</b> and <b>$</b>  metacharacters  match  immediately
+              after  and  immediately before a newline character,
+              respectively, in addition to matching at the  start
               and end of the subject string.
 
        <b>s</b> (default: on)
               Toggles the PCRE_DOTALL flag. When this flag is on,
               the <b>.</b>  metacharacter matches the newline character.
               With Postfix versions prior to 2.0, The flag is off
-              by  default,  which  is inconvenient for multi-line
+              by default, which is  inconvenient  for  multi-line
               message header matching.
 
        <b>x</b> (default: off)
-              Toggles the pcre extended flag. When this  flag  is
-              on,  whitespace  in  the  pattern  (other than in a
+              Toggles  the  pcre extended flag. When this flag is
+              on, whitespace in the  pattern  (other  than  in  a
               character class) and characters between a <b>#</b> outside
-              a  character  class  and the next newline character
-              are ignored. An escaping backslash can be  used  to
-              include  a whitespace or <b>#</b> character as part of the
+              a character class and the  next  newline  character
+              are  ignored.  An escaping backslash can be used to
+              include a whitespace or <b>#</b> character as part of  the
               pattern.
 
        <b>A</b> (default: off)
-              Toggles the PCRE_ANCHORED flag.  When this flag  is
-              on,  the  pattern  is forced to be "anchored", that
+              Toggles  the PCRE_ANCHORED flag.  When this flag is
+              on, the pattern is forced to  be  "anchored",  that
               is, it is constrained to match only at the start of
-              the  string  which  is being searched (the "subject
-              string"). This  effect  can  also  be  achieved  by
+              the string which is being  searched  (the  "subject
+              string").  This  effect  can  also  be  achieved by
               appropriate constructs in the pattern itself.
 
        <b>E</b> (default: off)
-              Toggles  the  PCRE_DOLLAR_ENDONLY  flag.  When this
-              flag is  on,  a  <b>$</b>  metacharacter  in  the  pattern
-              matches  only  at  the  end  of the subject string.
-              Without this flag, a dollar  also  matches  immedi-
+              Toggles the  PCRE_DOLLAR_ENDONLY  flag.  When  this
+              flag  is  on,  a  <b>$</b>  metacharacter  in  the pattern
+              matches only at the  end  of  the  subject  string.
+              Without  this  flag,  a dollar also matches immedi-
               ately before the final character if it is a newline
               character (but not before any other newline charac-
-              ters).  This flag is ignored if PCRE_MULTILINE flag
+              ters). This flag is ignored if PCRE_MULTILINE  flag
               is set.
 
        <b>U</b> (default: off)
               Toggles the ungreedy matching flag.  When this flag
-              is  on,  the  pattern  matching  engine inverts the
-              "greediness" of the quantifiers so  that  they  are
-              not  greedy  by  default, but become greedy if fol-
-              lowed by "?".  This flag can also  set  by  a  (?U)
+              is on, the  pattern  matching  engine  inverts  the
+              "greediness"  of  the  quantifiers so that they are
+              not greedy by default, but become  greedy  if  fol-
+              lowed  by  "?".   This  flag can also set by a (?U)
               modifier within the pattern.
 
        <b>X</b> (default: off)
               Toggles the PCRE_EXTRA flag.  When this flag is on,
-              any backslash in a pattern that is  followed  by  a
+              any  backslash  in  a pattern that is followed by a
               letter that has no special meaning causes an error,
               thus reserving these combinations for future expan-
               sion.
 
 <b>SEARCH ORDER</b>
-       Patterns  are applied in the order as specified in the ta-
-       ble, until a pattern  is  found  that  matches  the  input
+       Patterns are applied in the order as specified in the  ta-
+       ble,  until  a  pattern  is  found  that matches the input
        string.
 
-       Each  pattern  is  applied  to  the  entire  input string.
-       Depending on the application, that  string  is  an  entire
+       Each pattern  is  applied  to  the  entire  input  string.
+       Depending  on  the  application,  that string is an entire
        client hostname, an entire client IP address, or an entire
-       mail address.  Thus, no parent domain  or  parent  network
-       search  is  done,  and  <i>user@domain</i> mail addresses are not
-       broken up into their <i>user</i> and  <i>domain</i>  constituent  parts,
+       mail  address.   Thus,  no parent domain or parent network
+       search is done, and <i>user@domain</i>  mail  addresses  are  not
+       broken  up  into  their <i>user</i> and <i>domain</i> constituent parts,
        nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
 
 <b>TEXT SUBSTITUTION</b>
-       Substitution  of  substrings  from  the matched expression
-       into the result string is possible using the  conventional
-       perl  syntax  ($1,  $2,  etc.);  specify $$ to produce a $
-       character as output.  The macros in the result string  may
+       Substitution of substrings  from  the  matched  expression
+       into  the result string is possible using the conventional
+       perl syntax ($1, $2, etc.); specify  $$  to  produce  a  $
+       character  as output.  The macros in the result string may
        need to be written as ${n} or $(n) if they aren't followed
        by whitespace.
 
-       Note: since negated patterns (those preceded by <b>!</b>)  return
+       Note:  since negated patterns (those preceded by <b>!</b>) return
        a result when the expression does not match, substitutions
        are not available for negated patterns.
 
diff --git a/postfix/html/pickup.8.html b/postfix/html/pickup.8.html
index d64cb5bf1..b4f72d493 100644
--- a/postfix/html/pickup.8.html
+++ b/postfix/html/pickup.8.html
@@ -81,31 +81,32 @@ PICKUP(8)                                                            PICKUP(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -118,7 +119,7 @@ PICKUP(8)                                                            PICKUP(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/pipe.8.html b/postfix/html/pipe.8.html
index 26de9e7ed..6eff2edd0 100644
--- a/postfix/html/pipe.8.html
+++ b/postfix/html/pipe.8.html
@@ -139,11 +139,11 @@ PIPE(8)                                                                PIPE(8)
                      ware.
 
        <b>null_sender</b>=<i>replacement</i> (default: MAILER-DAEMON)
-              Replace the null sender address, which is typically
-              used for delivery status  notifications,  with  the
-              specified  text when expanding the <b>$sender</b> command-
-              line macro, and when generating a From_ or  Return-
-              Path: message header.
+              Replace the null sender address (typically used for
+              delivery status notifications) with  the  specified
+              text when expanding the <b>$sender</b> command-line macro,
+              and when generating a From_ or Return-Path: message
+              header.
 
               If  the null sender replacement text is a non-empty
               string then it  is  affected  by  the  <b>q</b>  flag  for
@@ -406,23 +406,24 @@ PIPE(8)                                                                PIPE(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
@@ -433,8 +434,8 @@ PIPE(8)                                                                PIPE(8)
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -446,7 +447,7 @@ PIPE(8)                                                                PIPE(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 9933040cf..dd6ae5ed2 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -2012,9 +2012,9 @@ precision.  </p>
 
 <ul>
 
-<li> a = time before the queue manager, including message transmission
+<li> a = time from message arrival to last <a href="QSHAPE_README.html#active_queue">active queue</a> entry
 
-<li> b = time in queue manager
+<li> b = time from last <a href="QSHAPE_README.html#active_queue">active queue</a> entry to connection setup
 
 <li> c = time in connection setup, including DNS, EHLO and TLS
 
@@ -3347,7 +3347,7 @@ details. The table is not indexed by hostname for consistency with
 </DD>
 
 <DT><b><a name="lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a>
-(default: $<a href="postconf.5.html#myhostname">myhostname</a>)</b></DT><DD>
+(default: empty)</b></DT><DD>
 
 <p> A case insensitive list of LHLO keywords (pipelining, starttls,
 auth, etc.) that the LMTP client will ignore in the LHLO response
@@ -4875,8 +4875,9 @@ Examples:
 (default: 100s)</b></DT><DD>
 
 <p>
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.  This parameter
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.  This
+parameter
 is ignored by the Postfix queue manager and by other long-lived
 Postfix daemon processes.
 </p>
@@ -4893,8 +4894,9 @@ The default time unit is s (seconds).
 (default: 100)</b></DT><DD>
 
 <p>
-The maximal number of connection requests before a Postfix daemon
-process terminates. This parameter is ignored by the Postfix queue
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.  This parameter
+is ignored by the Postfix queue
 manager and by other long-lived Postfix daemon processes.
 </p>
 
@@ -6436,7 +6438,10 @@ Do not change this unless you have a complete understanding of <a href="http://w
 
 <p> Optional lookup tables with all valid addresses in the domains
 that match $<a href="postconf.5.html#relay_domains">relay_domains</a>. Specify @domain as a wild-card for
-domains that do not have a valid recipient list. Technically, tables
+domains that have no valid recipient list, and become a source of
+backscatter mail: Postfix accepts spam for non-existent recipients
+and then floods innocent people with undeliverable mail.  Technically,
+tables
 listed with $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> are used as lists: Postfix needs
 to know only if a lookup string is found or not, but it does not
 use the result from table lookup.  </p>
@@ -7994,8 +7999,9 @@ must be inside the chroot jail. </p>
 (default: empty)</b></DT><DD>
 
 <p> File with the Postfix SMTP client RSA certificate in PEM format.
-This file may also contain the client private key, and these may
-be the same as the server certificate and key file. </p>
+This file may also contain the Postfix SMTP client private RSA key,
+and these may be the same as the Postfix SMTP server RSA certificate and key
+file. </p>
 
 <p> Do not configure client certificates unless you <b>must</b> present
 client TLS certificates to one or more servers. Client certificates are
@@ -8016,21 +8022,21 @@ parameters in <a href="postconf.5.html">main.cf</a> if present. </p>
 
 <p> In order to verify certificates, the CA certificate (in case
 of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the server certificate, the
-server certificate first, then the issuing CA(s). </p>
+You should add these certificates to the client certificate, the
+client certificate first, then the issuing CA(s). </p>
 
 <p> Example: the certificate for "client.dom.ain" was issued by
 "intermediate CA" which itself has a certificate of "root CA".
 Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
 root_CA.pem &gt; client.pem". </p>
 
-<p> If you want to accept remote SMTP server certificates issued
-by these CAs yourself, you can also add the CA certificates to the
-<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>, in which case it is not necessary to have them in
-the <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> or <a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>. </p>
+<p> If you also want to verify remote SMTP server certificates issued by
+these CAs, you can also add the CA certificates to the <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>,
+in which case it is not necessary to have them in the <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>
+or <a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>. </p>
 
-<p> A certificate supplied here must be usable as SSL client certificate and
-hence pass the "openssl verify -purpose sslclient ..." test. </p>
+<p> A certificate supplied here must be usable as an SSL client certificate
+and hence pass the "openssl verify -purpose sslclient ..." test. </p>
 
 <p> Example: </p>
 
@@ -8067,7 +8073,7 @@ Postfix 2.3 and later; use <a href="postconf.5.html#smtp_tls_mandatory_ciphers">
 (default: empty)</b></DT><DD>
 
 <p> File with the Postfix SMTP client DSA certificate in PEM format.
-This file may also contain the server private key. </p>
+This file may also contain the Postfix SMTP client private DSA key. </p>
 
 <p> See the discussion under <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> for more details.
 </p>
@@ -8087,11 +8093,12 @@ This file may also contain the server private key. </p>
 (default: $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b></DT><DD>
 
 <p> File with the Postfix SMTP client DSA private key in PEM format.
-The private key must not be encrypted. In other words, the key must
-be accessible without password. </p>
+This file may be combined with the Postfix SMTP client DSA certificate
+file specified with $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>. </p>
 
-<p> This file may be combined with the server certificate file
-specified with $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
+<p> The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root"). </p>
 
 <p> This feature is available in Postfix 2.2 and later.  </p>
 
@@ -8157,11 +8164,12 @@ key exchange with RSA authentication. </p>
 (default: $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b></DT><DD>
 
 <p> File with the Postfix SMTP client RSA private key in PEM format.
-This file may be combined with the client certificate file specified
-with $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
+This file may be combined with the Postfix SMTP client RSA certificate
+file specified with $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
 
-<p> The private key must not be encrypted. In other words, the key
-must be accessible without password. </p>
+<p> The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root"). </p>
 
 <p> Example: </p>
 
@@ -10966,7 +10974,7 @@ root CA issues special CA which then issues the actual certificate...).
 (default: empty)</b></DT><DD>
 
 <p> File with the Postfix SMTP server RSA certificate in PEM format.
-This file may also contain the server private key. </p>
+This file may also contain the Postfix SMTP server private RSA key. </p>
 
 <p> Public Internet MX hosts without certificates signed by a "reputable"
 CA must generate, and be prepared to present to most clients, a
@@ -11000,14 +11008,13 @@ server certificate first, then the issuing CA(s).  </p>
 Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
 root_CA.pem &gt; server.pem". </p>
 
-<p> If you want to accept certificates issued by these CAs yourself,
-you can also add the CA certificates to the <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, in
-which case it is not necessary to have them in the <a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>
-or <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>. </p>
+<p> If you also want to verify client certificates issued by these
+CAs, you can add the CA certificates to the <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, in which
+case it is not necessary to have them in the <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> or
+<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>. </p>
 
-<p> A certificate supplied here must be usable as SSL server
-certificate and hence pass the "openssl verify -purpose sslserver
-..." test. </p>
+<p> A certificate supplied here must be usable as an SSL server certificate
+and hence pass the "openssl verify -purpose sslserver ..." test. </p>
 
 <p> Example: </p>
 
@@ -11045,7 +11052,7 @@ Postfix 2.3 and later; use <a href="postconf.5.html#smtpd_tls_mandatory_ciphers"
 (default: empty)</b></DT><DD>
 
 <p> File with the Postfix SMTP server DSA certificate in PEM format.
-This file may also contain the server private key. <p>
+This file may also contain the Postfix SMTP server private key. <p>
 
 <p> See the discussion under <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> for more details.
 </p>
@@ -11115,11 +11122,12 @@ configuration parameter.  </p>
 (default: $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b></DT><DD>
 
 <p> File with the Postfix SMTP server DSA private key in PEM format.
-This file may be combined with the server certificate file specified
-with $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>. </p>
+This file may be combined with the Postfix SMTP server DSA certificate
+file specified with $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>. </p>
 
-<p> The private key must not be encrypted. In other words, the key
-must be accessible without password. </p>
+<p> The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root"). </p>
 
 <p> This feature is available in Postfix 2.2 and later.  </p>
 
@@ -11163,11 +11171,13 @@ key exchange with RSA authentication. </p>
 (default: $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b></DT><DD>
 
 <p> File with the Postfix SMTP server RSA private key in PEM format.
-This file may be combined with the server certificate file specified
+This file may be combined with the Postfix SMTP server certificate
+file specified
 with $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>. </p>
 
-<p> The private key must not be encrypted. In other words, the key
-must be accessible without password. </p>
+<p> The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root"). </p>
 
 
 </DD>
diff --git a/postfix/html/proxymap.8.html b/postfix/html/proxymap.8.html
index 57eca5eb4..f3a5270b6 100644
--- a/postfix/html/proxymap.8.html
+++ b/postfix/html/proxymap.8.html
@@ -117,23 +117,24 @@ PROXYMAP(8)                                                        PROXYMAP(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
-              Postfix daemon process terminates.
+              The  maximal  number of incoming connections that a
+              Postfix daemon process will service  before  termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#proxy_read_maps">proxy_read_maps</a> (see 'postconf -d' output)</b>
-              The lookup tables that the  <a href="proxymap.8.html"><b>proxymap</b>(8)</a>  server  is
+              The  lookup  tables  that the <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server is
               allowed to access.
 
 <b>SEE ALSO</b>
@@ -144,7 +145,7 @@ PROXYMAP(8)                                                        PROXYMAP(8)
        <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>HISTORY</b>
diff --git a/postfix/html/qmqpd.8.html b/postfix/html/qmqpd.8.html
index 8f244435a..9583cc1a0 100644
--- a/postfix/html/qmqpd.8.html
+++ b/postfix/html/qmqpd.8.html
@@ -114,40 +114,41 @@ QMQPD(8)                                                              QMQPD(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#qmqpd_authorized_clients">qmqpd_authorized_clients</a> (empty)</b>
-              What  clients  are  allowed  to connect to the QMQP
+              What clients are allowed to  connect  to  the  QMQP
               server port.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
        <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
-              The  characters  Postfix  accepts as VERP delimiter
-              characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command  line
+              The characters Postfix accepts  as  VERP  delimiter
+              characters  on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
               and in SMTP commands.
 
 <b>SEE ALSO</b>
@@ -160,7 +161,7 @@ QMQPD(8)                                                              QMQPD(8)
        <a href="QMQP_README.html">QMQP_README</a>, Postfix ezmlm-idx howto.
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>HISTORY</b>
diff --git a/postfix/html/qshape.1.html b/postfix/html/qshape.1.html
index 490cb713b..4feacadab 100644
--- a/postfix/html/qshape.1.html
+++ b/postfix/html/qshape.1.html
@@ -13,6 +13,7 @@ QSHAPE(1)                                                            QSHAPE(1)
        <b>qshape</b> [<b>-s</b>] [<b>-p</b>] [<b>-m</b> <i>min</i><b>_</b><i>subdomains</i>]
                [<b>-b</b> <i>bucket</i><b>_</b><i>count</i>] [<b>-t</b> <i>bucket</i><b>_</b><i>time</i>]
                [<b>-l</b>] [<b>-w</b> <i>terminal</i><b>_</b><i>width</i>]
+               [<b>-N</b> <i>batch</i><b>_</b><i>msg</i><b>_</b><i>count</i>] [<b>-n</b> <i>batch</i><b>_</b><i>top</i><b>_</b><i>domains</i>]
                [<b>-c</b> <i>config</i><b>_</b><i>directory</i>] [<i>queue</i><b>_</b><i>name</i> ...]
 
 <b>DESCRIPTION</b>
@@ -77,26 +78,39 @@ QSHAPE(1)                                                            QSHAPE(1)
               narrow  to  show  the domain name and all the coun-
               ters, the terminal_width limit is violated.
 
+       <b>-N</b> <i>batch</i><b>_</b><i>msg</i><b>_</b><i>count</i>
+              When the output device is a terminal,  intermediate
+              results  are shown each "batch_msg_count" messages.
+              This produces usable results in a  reasonable  time
+              even  when the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> is large. The default
+              is to show intermediate  results  every  1000  mes-
+              sages.
+
+       <b>-n</b> <i>batch</i><b>_</b><i>top</i><b>_</b><i>domains</i>
+              When  reporting  intermediate or final results to a
+              termainal, report only the top  "batch_top_domains"
+              domains. The default limit is 20 domains.
+
        <b>-c</b> <i>config</i><b>_</b><i>directory</i>
-              The <a href="postconf.5.html"><b>main.cf</b></a> configuration  file  is  in  the  named
+              The  <a href="postconf.5.html"><b>main.cf</b></a>  configuration  file  is  in the named
               directory  instead  of  the  default  configuration
               directory.
 
        Arguments:
 
        <i>queue</i><b>_</b><i>name</i>
-              By default <b>qshape</b> displays the  combined  distribu-
-              tion  of the <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a>. To display
-              a different set of queues, just list  their  direc-
+              By  default  <b>qshape</b> displays the combined distribu-
+              tion of the <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a>. To  display
+              a  different  set of queues, just list their direc-
               tory names on the command line.  Absolute paths are
-              used as is, other paths are taken relative  to  the
-              <a href="postconf.5.html"><b>main.cf</a>  <a href="postconf.5.html#queue_directory">queue_directory</a></b>  parameter setting.  While
-              <a href="postconf.5.html"><b>main.cf</b></a> supports the use of <i>$variable</i> expansion  in
-              the  definition  of  the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> parameter,
-              the <b>qshape</b> program does not. If you must use  vari-
+              used  as  is, other paths are taken relative to the
+              <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#queue_directory">queue_directory</a></b> parameter  setting.   While
+              <a href="postconf.5.html"><b>main.cf</b></a>  supports the use of <i>$variable</i> expansion in
+              the definition of  the  <b><a href="postconf.5.html#queue_directory">queue_directory</a></b>  parameter,
+              the  <b>qshape</b> program does not. If you must use vari-
               able expansions in the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> setting, you
-              must specify an explicit  absolute  path  for  each
-              queue  subdirectory  even  if  you want the default
+              must  specify  an  explicit  absolute path for each
+              queue subdirectory even if  you  want  the  default
               <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queue</a> distribution.
 
 <b>SEE ALSO</b>
@@ -112,7 +126,7 @@ QSHAPE(1)                                                            QSHAPE(1)
        $<a href="postconf.5.html#queue_directory">queue_directory</a>/deferred/, messages postponed for later delivery.
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/regexp_table.5.html b/postfix/html/regexp_table.5.html
index d42fa4483..d3bddd342 100644
--- a/postfix/html/regexp_table.5.html
+++ b/postfix/html/regexp_table.5.html
@@ -21,13 +21,14 @@ REGEXP_TABLE(5)                                                REGEXP_TABLE(5)
 
        Alternatively, lookup tables can  be  specified  in  POSIX
        regular  expression form. In this case, each input is com-
-       pared against a list of patterns,  and  when  a  match  is
-       found the corresponding result is returned.
+       pared against a list of patterns. When a match  is  found,
+       the  corresponding  result  is  returned and the search is
+       terminated.
 
-       To  find out what types of lookup tables your Postfix sys-
+       To find out what types of lookup tables your Postfix  sys-
        tem supports use the "<b>postconf -m</b>" command.
 
-       To test lookup tables, use the "<b>postmap  -fq</b>"  command  as
+       To  test  lookup  tables, use the "<b>postmap -fq</b>" command as
        described in the SYNOPSIS above.
 
 <b>TABLE FORMAT</b>
@@ -38,7 +39,7 @@ REGEXP_TABLE(5)                                                REGEXP_TABLE(5)
               responding <i>result</i> value.
 
        <b>!/</b><i>pattern</i><b>/</b><i>flags result</i>
-              When  <i>pattern</i>  does <b>not</b> match the input string, use
+              When <i>pattern</i> does <b>not</b> match the input  string,  use
               the corresponding <i>result</i> value.
 
        <b>if /</b><i>pattern</i><b>/</b><i>flags</i>
@@ -47,7 +48,7 @@ REGEXP_TABLE(5)                                                REGEXP_TABLE(5)
               <b>if</b> and <b>endif</b>, if and only if that same input string
               also matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
 
-              Note: do not prepend whitespace to patterns  inside
+              Note:  do not prepend whitespace to patterns inside
               <b>if</b>..<b>endif</b>.
 
               This feature is available in Postfix 2.1 and later.
@@ -56,77 +57,77 @@ REGEXP_TABLE(5)                                                REGEXP_TABLE(5)
 
        <b>endif</b>  Match the input string against the patterns between
               <b>if</b> and <b>endif</b>, if and only if that same input string
-              does <b>not</b> match <i>pattern</i>.  The  <b>if</b>..<b>endif</b>  can  nest.
+              does  <b>not</b>  match  <i>pattern</i>.  The <b>if</b>..<b>endif</b> can nest.
               matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
 
-              Note:  do not prepend whitespace to patterns inside
+              Note: do not prepend whitespace to patterns  inside
               <b>if</b>..<b>endif</b>.
 
               This feature is available in Postfix 2.1 and later.
 
        blank lines and comments
-              Empty  lines and whitespace-only lines are ignored,
-              as are lines whose first  non-whitespace  character
+              Empty lines and whitespace-only lines are  ignored,
+              as  are  lines whose first non-whitespace character
               is a `#'.
 
        multi-line text
-              A  logical  line starts with non-whitespace text. A
-              line that starts with whitespace continues a  logi-
+              A logical line starts with non-whitespace  text.  A
+              line  that starts with whitespace continues a logi-
               cal line.
 
-       Each  pattern  is a POSIX regular expression enclosed by a
+       Each pattern is a POSIX regular expression enclosed  by  a
        pair of delimiters. The regular expression syntax is docu-
-       mented  in  <b>re_format</b>(7)  with  4.4BSD,  in  <b>regex</b>(5) with
+       mented in  <b>re_format</b>(7)  with  4.4BSD,  in  <b>regex</b>(5)  with
        Solaris, and in <b>regex</b>(7) with Linux. Other systems may use
        other document names.
 
-       The  expression  delimiter  can  be  any character, except
+       The expression delimiter  can  be  any  character,  except
        whitespace or characters that have special meaning (tradi-
-       tionally  the  forward slash is used). The regular expres-
+       tionally the forward slash is used). The  regular  expres-
        sion can contain whitespace.
 
        By default, matching is case-insensitive, and newlines are
-       not  treated  as  special characters. The behavior is con-
-       trolled by flags, which are toggled by  appending  one  or
+       not treated as special characters. The  behavior  is  con-
+       trolled  by  flags,  which are toggled by appending one or
        more of the following characters after the pattern:
 
        <b>i</b> (default: on)
-              Toggles  the  case  sensitivity  flag.  By default,
+              Toggles the  case  sensitivity  flag.  By  default,
               matching is case insensitive.
 
        <b>x</b> (default: on)
-              Toggles the extended  expression  syntax  flag.  By
-              default,  support for extended expression syntax is
+              Toggles  the  extended  expression  syntax flag. By
+              default, support for extended expression syntax  is
               enabled.
 
        <b>m</b> (default: off)
-              Toggle the multi-line mode flag. When this flag  is
-              on,  the  <b>^</b>  and <b>$</b> metacharacters match immediately
-              after and immediately before a  newline  character,
-              respectively,  in addition to matching at the start
+              Toggle  the multi-line mode flag. When this flag is
+              on, the <b>^</b> and <b>$</b>  metacharacters  match  immediately
+              after  and  immediately before a newline character,
+              respectively, in addition to matching at the  start
               and end of the input string.
 
 <b>TABLE SEARCH ORDER</b>
-       Patterns are applied in the order as specified in the  ta-
-       ble,  until  a  pattern  is  found  that matches the input
+       Patterns  are applied in the order as specified in the ta-
+       ble, until a pattern  is  found  that  matches  the  input
        string.
 
-       Each pattern  is  applied  to  the  entire  input  string.
-       Depending  on  the  application,  that string is an entire
+       Each  pattern  is  applied  to  the  entire  input string.
+       Depending on the application, that  string  is  an  entire
        client hostname, an entire client IP address, or an entire
-       mail  address.   Thus,  no parent domain or parent network
-       search is done, and <i>user@domain</i>  mail  addresses  are  not
-       broken  up  into  their <i>user</i> and <i>domain</i> constituent parts,
+       mail address.  Thus, no parent domain  or  parent  network
+       search  is  done,  and  <i>user@domain</i> mail addresses are not
+       broken up into their <i>user</i> and  <i>domain</i>  constituent  parts,
        nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
 
 <b>TEXT SUBSTITUTION</b>
-       Substitution of substrings  from  the  matched  expression
-       into  the  result  string  is possible using $1, $2, etc.;
+       Substitution  of  substrings  from  the matched expression
+       into the result string is possible  using  $1,  $2,  etc.;
        specify $$ to produce a $ character as output.  The macros
-       in  the  result  string  may need to be written as ${n} or
+       in the result string may need to be  written  as  ${n}  or
        $(n) if they aren't followed by whitespace.
 
-       Note: since negated patterns (those preceded by <b>!</b>)  return
+       Note:  since negated patterns (those preceded by <b>!</b>) return
        a result when the expression does not match, substitutions
        are not available for negated patterns.
 
diff --git a/postfix/html/relocated.5.html b/postfix/html/relocated.5.html
index f3d27d524..d31e1628c 100644
--- a/postfix/html/relocated.5.html
+++ b/postfix/html/relocated.5.html
@@ -21,8 +21,8 @@ RELOCATED(5)                                                      RELOCATED(5)
        file that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command.   The
        result,  an  indexed file in <b>dbm</b> or <b>db</b> format, is used for
        fast searching by the mail  system.  Execute  the  command
-       "<b>postmap  /etc/postfix/relocated</b>"  in order to rebuild the
-       indexed file after changing the relocated table.
+       "<b>postmap  /etc/postfix/relocated</b>"  to  rebuild  an indexed
+       file after changing the corresponding relocated table.
 
        When the table is provided via other means  such  as  NIS,
        LDAP  or  SQL,  the  same lookups are done as for ordinary
@@ -31,9 +31,9 @@ RELOCATED(5)                                                      RELOCATED(5)
        Alternatively, the table can be  provided  as  a  regular-
        expression map where patterns are given as regular expres-
        sions, or lookups can be directed to TCP-based server.  In
-       that  case,  the  lookups are done in a slightly different
+       those  case,  the lookups are done in a slightly different
        way as described below under "REGULAR  EXPRESSION  TABLES"
-       and "TCP-BASED TABLES".
+       or "TCP-BASED TABLES".
 
        Table lookups are case insensitive.
 
@@ -91,7 +91,7 @@ RELOCATED(5)                                                      RELOCATED(5)
        <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. For a description of the
        TCP client/server table lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.
        This feature is not available up to and including  Postfix
-       version 2.3.
+       version 2.4.
 
        Each  pattern  is  a regular expression that is applied to
        the entire address being looked up. Thus, <i>user@domain</i> mail
@@ -112,7 +112,7 @@ RELOCATED(5)                                                      RELOCATED(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.3.
+       Postfix version 2.4.
 
        Each lookup operation uses the entire address once.  Thus,
        <i>user@domain</i> mail addresses are not broken  up  into  their
diff --git a/postfix/html/scache.8.html b/postfix/html/scache.8.html
index 868e14f53..9b3aacc2d 100644
--- a/postfix/html/scache.8.html
+++ b/postfix/html/scache.8.html
@@ -120,8 +120,8 @@ SCACHE(8)                                                            SCACHE(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
               The  process  ID  of  a  Postfix  command or daemon
diff --git a/postfix/html/sendmail.1.html b/postfix/html/sendmail.1.html
index 0390a1dc9..52a9a8645 100644
--- a/postfix/html/sendmail.1.html
+++ b/postfix/html/sendmail.1.html
@@ -282,9 +282,9 @@ SENDMAIL(1)                                                        SENDMAIL(1)
 
 <b>SECURITY</b>
        By  design,  this  program  is not set-user (or group) id.
-       However, it must  handle  data  from  untrusted  users  or
-       untrusted  machines.   Thus, the usual precautions need to
-       be taken against malicious inputs.
+       However, it must  handle  data  from  untrusted,  possibly
+       remote,  users.   Thus,  the  usual precautions need to be
+       taken against malicious inputs.
 
 <b>DIAGNOSTICS</b>
        Problems are logged to  <b>syslogd</b>(8)  and  to  the  standard
diff --git a/postfix/html/showq.8.html b/postfix/html/showq.8.html
index 5cb1f446f..0d9ccd40c 100644
--- a/postfix/html/showq.8.html
+++ b/postfix/html/showq.8.html
@@ -72,31 +72,32 @@ SHOWQ(8)                                                              SHOWQ(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
-              Postfix daemon process terminates.
+              The  maximal  number of incoming connections that a
+              Postfix daemon process will service  before  termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>FILES</b>
@@ -111,7 +112,7 @@ SHOWQ(8)                                                              SHOWQ(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 7d4246aab..772e43d4a 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -42,8 +42,8 @@ SMTP(8)                                                                SMTP(8)
 
        By  default, connection caching is enabled temporarily for
        destinations that have a high volume of mail in the active
-       queue. Session caching can be enabled permanently for spe-
-       cific destinations.
+       queue.  Connection  caching can be enabled permanently for
+       specific destinations.
 
 <b>SMTP DESTINATION SYNTAX</b>
        SMTP destinations have the following form:
@@ -247,7 +247,7 @@ SMTP(8)                                                                SMTP(8)
               LMTP client will ignore in the LHLO response from a
               remote LMTP server.
 
-       <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
+       <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
               A  case insensitive list of LHLO keywords (pipelin-
               ing, starttls, auth, etc.)  that  the  LMTP  client
               will ignore in the LHLO response from a remote LMTP
@@ -655,69 +655,70 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
               The network interface addresses that this mail sys-
-              tem receives mail on by way of a proxy  or  network
+              tem  receives  mail on by way of a proxy or network
               address translation unit.
 
        <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An  optional  numerical  network  address  that the
-              Postfix SMTP client should bind to when  making  an
+              An optional  numerical  network  address  that  the
+              Postfix  SMTP  client should bind to when making an
               IPv4 connection.
 
        <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An  optional  numerical  network  address  that the
-              Postfix SMTP client should bind to when  making  an
+              An optional  numerical  network  address  that  the
+              Postfix  SMTP  client should bind to when making an
               IPv6 connection.
 
        <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The  hostname to send in the SMTP EHLO or HELO com-
+              The hostname to send in the SMTP EHLO or HELO  com-
               mand.
 
        <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
               The hostname to send in the LMTP LHLO command.
 
        <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
-              What mechanisms when the Postfix SMTP  client  uses
+              What  mechanisms  when the Postfix SMTP client uses
               to look up a host's IP address.
 
        <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
-              Randomize  the  order  of  equal-preference MX host
+              Randomize the order  of  equal-preference  MX  host
               addresses.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
        Available with Postfix 2.2 and earlier:
 
        <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
-              Optional list of relay hosts for SMTP  destinations
+              Optional  list of relay hosts for SMTP destinations
               that can't be found or that are unreachable.
 
        Available with Postfix 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional  list of relay hosts for SMTP destinations
+              Optional list of relay hosts for SMTP  destinations
               that can't be found or that are unreachable.
 
 <b>SEE ALSO</b>
@@ -735,7 +736,7 @@ SMTP(8)                                                                SMTP(8)
        <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 38b474b63..364f879b0 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -1048,35 +1048,36 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
-              before exiting.
+              daemon  process  waits  for  an incoming connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
-              Postfix daemon process terminates.
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
               The internet hostname of this mail system.
 
        <b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
-              The  list  of "trusted" SMTP clients that have more
+              The list of "trusted" SMTP clients that  have  more
               privileges than "strangers".
 
        <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
               The domain name that locally-posted mail appears to
-              come  from,  and that locally posted mail is deliv-
+              come from, and that locally posted mail  is  deliv-
               ered to.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
@@ -1084,22 +1085,22 @@ SMTPD(8)                                                              SMTPD(8)
               sions (user+foo).
 
        <b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
-              The text that follows the 220 status  code  in  the
+              The  text  that  follows the 220 status code in the
               SMTP greeting banner.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
-              List  of  commands  that  causes  the  Postfix SMTP
-              server to immediately terminate the session with  a
+              List of  commands  that  causes  the  Postfix  SMTP
+              server  to immediately terminate the session with a
               221 code.
 
 <b>SEE ALSO</b>
@@ -1129,7 +1130,7 @@ SMTPD(8)                                                              SMTPD(8)
        <a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/spawn.8.html b/postfix/html/spawn.8.html
index b5e402946..afd13628b 100644
--- a/postfix/html/spawn.8.html
+++ b/postfix/html/spawn.8.html
@@ -110,31 +110,32 @@ SPAWN(8)                                                              SPAWN(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
-              Postfix daemon process terminates.
+              The  maximal  number of incoming connections that a
+              Postfix daemon process will service  before  termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -143,7 +144,7 @@ SPAWN(8)                                                              SPAWN(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/transport.5.html b/postfix/html/transport.5.html
index 3fc1f1c04..a2a225f3b 100644
--- a/postfix/html/transport.5.html
+++ b/postfix/html/transport.5.html
@@ -55,8 +55,8 @@ TRANSPORT(5)                                                      TRANSPORT(5)
        file that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command.   The
        result,  an  indexed file in <b>dbm</b> or <b>db</b> format, is used for
        fast searching by the mail  system.  Execute  the  command
-       "<b>postmap  /etc/postfix/transport</b>"  in order to rebuild the
-       indexed file after changing the transport table.
+       "<b>postmap  /etc/postfix/transport</b>"  to  rebuild  an indexed
+       file after changing the corresponding transport table.
 
        When the table is provided via other means  such  as  NIS,
        LDAP  or  SQL,  the  same lookups are done as for ordinary
@@ -65,9 +65,9 @@ TRANSPORT(5)                                                      TRANSPORT(5)
        Alternatively, the table can be  provided  as  a  regular-
        expression map where patterns are given as regular expres-
        sions, or lookups can be directed to TCP-based server.  In
-       that  case,  the  lookups are done in a slightly different
+       those  case,  the lookups are done in a slightly different
        way as described below under "REGULAR  EXPRESSION  TABLES"
-       and "TCP-BASED TABLES".
+       or "TCP-BASED TABLES".
 
 <b>CASE FOLDING</b>
        The  search  string is folded to lowercase before database
@@ -243,7 +243,7 @@ TRANSPORT(5)                                                      TRANSPORT(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.3.
+       Postfix version 2.4.
 
        Each  lookup  operation  uses the entire recipient address
        once.  Thus, <i>some.domain.hierarchy</i> is not  looked  up  via
@@ -275,6 +275,7 @@ TRANSPORT(5)                                                      TRANSPORT(5)
        <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
 
 <b>README FILES</b>
+       <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a>, address rewriting guide
        <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
        <a href="FILTER_README.html">FILTER_README</a>, external content filter
 
diff --git a/postfix/html/trivial-rewrite.8.html b/postfix/html/trivial-rewrite.8.html
index 2e045a1e6..18b5b7a34 100644
--- a/postfix/html/trivial-rewrite.8.html
+++ b/postfix/html/trivial-rewrite.8.html
@@ -252,45 +252,46 @@ TRIVIAL-REWRITE(8)                                          TRIVIAL-REWRITE(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
-              Postfix daemon process terminates.
+              The  maximal  number of incoming connections that a
+              Postfix daemon process will service  before  termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#relocated_maps">relocated_maps</a> (empty)</b>
               Optional lookup tables with new contact information
               for users or domains that no longer exist.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
-              Display the name of  the  recipient  table  in  the
+              Display  the  name  of  the  recipient table in the
               "User unknown" responses.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
        Available in Postfix version 2.0 and later:
 
        <b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
-              Log  warnings  about problematic configuration set-
+              Log warnings about problematic  configuration  set-
               tings, and provide helpful suggestions.
 
 <b>SEE ALSO</b>
@@ -305,7 +306,7 @@ TRIVIAL-REWRITE(8)                                          TRIVIAL-REWRITE(8)
        <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a>, Postfix address verification
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/virtual.5.html b/postfix/html/virtual.5.html
index ab0649357..06450986b 100644
--- a/postfix/html/virtual.5.html
+++ b/postfix/html/virtual.5.html
@@ -48,8 +48,8 @@ VIRTUAL(5)                                                          VIRTUAL(5)
        text  file that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command.
        The result, an indexed file in <b>dbm</b> or <b>db</b> format,  is  used
        for fast searching by the mail system. Execute the command
-       "<b>postmap /etc/postfix/virtual</b>" in  order  to  rebuild  the
-       indexed file after changing the text file.
+       "<b>postmap /etc/postfix/virtual</b>" to rebuild an indexed  file
+       after changing the corresponding text file.
 
        When  the  table  is provided via other means such as NIS,
        LDAP or SQL, the same lookups are  done  as  for  ordinary
@@ -58,9 +58,9 @@ VIRTUAL(5)                                                          VIRTUAL(5)
        Alternatively,  the  table  can  be provided as a regular-
        expression map where patterns are given as regular expres-
        sions,  or lookups can be directed to TCP-based server. In
-       that case, the lookups are done in  a  slightly  different
+       those case, the lookups are done in a  slightly  different
        way  as  described below under "REGULAR EXPRESSION TABLES"
-       and "TCP-BASED TABLES".
+       or "TCP-BASED TABLES".
 
 <b>CASE FOLDING</b>
        The search string is folded to lowercase  before  database
@@ -109,15 +109,22 @@ VIRTUAL(5)                                                          VIRTUAL(5)
               Redirect mail for other users in <i>domain</i> to <i>address</i>.
               This form has the lowest precedence.
 
+              Note:  @<i>domain</i>  is a wild-card. With this form, the
+              Postfix SMTP server accepts mail for any  recipient
+              in  <i>domain</i>,  regardless  of  whether that recipient
+              exists.  This may turn  your  mail  system  into  a
+              backscatter  source that returns undeliverable spam
+              to innocent people.
+
 <b>RESULT ADDRESS REWRITING</b>
        The lookup result is subject to address rewriting:
 
-       <b>o</b>      When  the  result  has  the  form @<i>otherdomain</i>, the
-              result becomes the same <i>user</i> in <i>otherdomain</i>.   This
+       <b>o</b>      When the result  has  the  form  @<i>otherdomain</i>,  the
+              result  becomes the same <i>user</i> in <i>otherdomain</i>.  This
               works only for the first address in a multi-address
               lookup result.
 
-       <b>o</b>      When "<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append  "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>"
+       <b>o</b>      When  "<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>"
               to addresses without "@domain".
 
        <b>o</b>      When "<b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes</b>", append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>"
@@ -125,29 +132,29 @@ VIRTUAL(5)                                                          VIRTUAL(5)
 
 <b>ADDRESS EXTENSION</b>
        When a mail address localpart contains the optional recip-
-       ient  delimiter  (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
+       ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the  lookup  order
        becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>user+foo</i>, <i>user</i>, and
        @<i>domain</i>.
 
-       The   <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b>   parameter  controls
-       whether an unmatched address extension  (<i>+foo</i>)  is  propa-
+       The  <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b>   parameter   controls
+       whether  an  unmatched  address extension (<i>+foo</i>) is propa-
        gated to the result of table lookup.
 
 <b>VIRTUAL ALIAS DOMAINS</b>
-       Besides  virtual aliases, the virtual alias table can also
+       Besides virtual aliases, the virtual alias table can  also
        be used to implement <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domains</a>. With a virtual
-       alias  domain,  all  recipient  addresses  are  aliased to
+       alias domain,  all  recipient  addresses  are  aliased  to
        addresses in other domains.
 
        Virtual alias domains are not to be confused with the vir-
        tual mailbox domains that are implemented with the Postfix
        <a href="virtual.8.html"><b>virtual</b>(8)</a>  mail  delivery  agent.  With  virtual  mailbox
-       domains,  each recipient address can have its own mailbox.
+       domains, each recipient address can have its own  mailbox.
 
-       With a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>, the virtual  domain  has  its
-       own  user  name  space. Local (i.e. non-virtual) usernames
-       are not visible in a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>. In  particular,
-       local  <a href="aliases.5.html"><b>aliases</b>(5)</a>  and local mailing lists are not visible
+       With  a  virtual  alias domain, the virtual domain has its
+       own user name space. Local  (i.e.  non-virtual)  usernames
+       are  not visible in a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>. In particular,
+       local <a href="aliases.5.html"><b>aliases</b>(5)</a> and local mailing lists are  not  visible
        as <i>localname@virtual-alias.domain</i>.
 
        Support for a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> looks like:
@@ -155,8 +162,8 @@ VIRTUAL(5)                                                          VIRTUAL(5)
        /etc/postfix/<a href="postconf.5.html">main.cf</a>:
            <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
 
-           Note: some systems use <b>dbm</b> databases instead of  <b>hash</b>.
-           See  the output from "<b>postconf -m</b>" for available data-
+           Note:  some systems use <b>dbm</b> databases instead of <b>hash</b>.
+           See the output from "<b>postconf -m</b>" for available  data-
            base types.
 
        /etc/postfix/<a href="virtual.8.html">virtual</a>:
@@ -165,95 +172,95 @@ VIRTUAL(5)                                                          VIRTUAL(5)
            <i>user1@virtual-alias.domain   address1</i>
            <i>user2@virtual-alias.domain   address2, address3</i>
 
-       The <i>virtual-alias.domain anything</i> entry is required for  a
+       The  <i>virtual-alias.domain anything</i> entry is required for a
        <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>. <b>Without this entry, mail is rejected</b>
-       <b>with "relay access denied", or bounces  with  "mail  loops</b>
+       <b>with  "relay  access  denied", or bounces with "mail loops</b>
        <b>back to myself".</b>
 
-       Do  not  specify <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> names in the <a href="postconf.5.html"><b>main.cf</b></a>
+       Do not specify <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> names in  the  <a href="postconf.5.html"><b>main.cf</b></a>
        <b><a href="postconf.5.html#mydestination">mydestination</a></b> or <b><a href="postconf.5.html#relay_domains">relay_domains</a></b> configuration parameters.
 
-       With a virtual  alias  domain,  the  Postfix  SMTP  server
-       accepts   mail  for  <i>known-user@virtual-alias.domain</i>,  and
-       rejects  mail  for  <i>unknown-user</i>@<i>virtual-alias.domain</i>   as
+       With  a  virtual  alias  domain,  the  Postfix SMTP server
+       accepts  mail  for  <i>known-user@virtual-alias.domain</i>,   and
+       rejects   mail  for  <i>unknown-user</i>@<i>virtual-alias.domain</i>  as
        undeliverable.
 
-       Instead  of  specifying  the <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> name via
-       the <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a></b> table, you may also specify it  via
+       Instead of specifying the virtual alias  domain  name  via
+       the  <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a></b> table, you may also specify it via
        the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a></b> configuration parameter.
-       This latter parameter uses the same syntax as the  <a href="postconf.5.html"><b>main.cf</b></a>
+       This  latter parameter uses the same syntax as the <a href="postconf.5.html"><b>main.cf</b></a>
        <b><a href="postconf.5.html#mydestination">mydestination</a></b> configuration parameter.
 
 <b>REGULAR EXPRESSION TABLES</b>
-       This  section  describes how the table lookups change when
+       This section describes how the table lookups  change  when
        the table is given in the form of regular expressions. For
-       a  description  of regular expression lookup table syntax,
+       a description of regular expression lookup  table  syntax,
        see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
 
-       Each pattern is a regular expression that  is  applied  to
+       Each  pattern  is  a regular expression that is applied to
        the entire address being looked up. Thus, <i>user@domain</i> mail
-       addresses are not broken up into their  <i>user</i>  and  <i>@domain</i>
+       addresses  are  not  broken up into their <i>user</i> and <i>@domain</i>
        constituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and
        <i>foo</i>.
 
-       Patterns are applied in the order as specified in the  ta-
-       ble,  until  a  pattern  is  found that matches the search
+       Patterns  are applied in the order as specified in the ta-
+       ble, until a pattern is  found  that  matches  the  search
        string.
 
-       Results are the same as with indexed  file  lookups,  with
-       the  additional feature that parenthesized substrings from
+       Results  are  the  same as with indexed file lookups, with
+       the additional feature that parenthesized substrings  from
        the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
 
 <b>TCP-BASED TABLES</b>
-       This section describes how the table lookups  change  when
+       This  section  describes how the table lookups change when
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.3.
+       Postfix version 2.4.
 
        Each lookup operation uses the entire address once.  Thus,
-       <i>user@domain</i>  mail  addresses  are not broken up into their
+       <i>user@domain</i> mail addresses are not broken  up  into  their
        <i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i> broken
        up into <i>user</i> and <i>foo</i>.
 
        Results are the same as with indexed file lookups.
 
 <b>BUGS</b>
-       The  table format does not understand quoting conventions.
+       The table format does not understand quoting  conventions.
 
 <b>CONFIGURATION PARAMETERS</b>
-       The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are  especially  relevant
-       to  this  topic.  See  the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file for syntax
-       details and for default values. Use the  "<b>postfix  reload</b>"
+       The  following  <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
+       to this topic. See the Postfix  <a href="postconf.5.html"><b>main.cf</b></a>  file  for  syntax
+       details  and  for default values. Use the "<b>postfix reload</b>"
        command after a configuration change.
 
        <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a></b>
               List of virtual aliasing tables.
 
        <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a></b>
-              List  of  <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domains</a>. This uses the same
+              List of <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domains</a>. This uses  the  same
               syntax as the <b><a href="postconf.5.html#mydestination">mydestination</a></b> parameter.
 
        <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b>
-              A list of address rewriting  or  forwarding  mecha-
-              nisms  that propagate an address extension from the
-              original address to the result.   Specify  zero  or
-              more   of   <b>canonical</b>,   <b>virtual</b>,  <b>alias</b>,  <b>forward</b>,
+              A  list  of  address rewriting or forwarding mecha-
+              nisms that propagate an address extension from  the
+              original  address  to  the result.  Specify zero or
+              more  of  <b>canonical</b>,   <b>virtual</b>,   <b>alias</b>,   <b>forward</b>,
               <b>include</b>, or <b>generic</b>.
 
        Other parameters of interest:
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>
-              The network interface addresses  that  this  system
+              The  network  interface  addresses that this system
               receives mail on.  You need to stop and start Post-
               fix when this parameter changes.
 
        <b><a href="postconf.5.html#mydestination">mydestination</a></b>
-              List of domains that  this  mail  system  considers
+              List  of  domains  that  this mail system considers
               local.
 
        <b><a href="postconf.5.html#myorigin">myorigin</a></b>
-              The  domain  that  is  appended to any address that
+              The domain that is appended  to  any  address  that
               does not have a domain.
 
        <b><a href="postconf.5.html#owner_request_special">owner_request_special</a></b>
@@ -272,12 +279,12 @@ VIRTUAL(5)                                                          VIRTUAL(5)
        <a href="canonical.5.html">canonical(5)</a>, canonical address mapping
 
 <b>README FILES</b>
-       <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
        <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a>, address rewriting guide
+       <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
        <a href="VIRTUAL_README.html">VIRTUAL_README</a>, domain hosting guide
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/virtual.8.html b/postfix/html/virtual.8.html
index eda09fc99..3d7e5268a 100644
--- a/postfix/html/virtual.8.html
+++ b/postfix/html/virtual.8.html
@@ -253,31 +253,32 @@ VIRTUAL(8)                                                          VIRTUAL(8)
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
               The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
-              before exiting.
+              daemon process waits  for  an  incoming  connection
+              before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
-              Postfix daemon process terminates.
+              The  maximal  number of incoming connections that a
+              Postfix daemon process will service  before  termi-
+              nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -290,20 +291,20 @@ VIRTUAL(8)                                                          VIRTUAL(8)
        <a href="VIRTUAL_README.html">VIRTUAL_README</a>, domain hosting howto
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>HISTORY</b>
-       This delivery agent was originally based  on  the  Postfix
-       local  delivery  agent.  Modifications mainly consisted of
-       removing code that either was not applicable or  that  was
-       not  safe  in this context: aliases, ~user/.forward files,
+       This  delivery  agent  was originally based on the Postfix
+       local delivery agent. Modifications  mainly  consisted  of
+       removing  code  that either was not applicable or that was
+       not safe in this context: aliases,  ~user/.forward  files,
        delivery to "|command" or to /file/name.
 
        The <b>Delivered-To:</b> message header appears in the <b>qmail</b> sys-
        tem by Daniel Bernstein.
 
-       The  <b>maildir</b>  structure  appears  in  the  <b>qmail</b> system by
+       The <b>maildir</b> structure  appears  in  the  <b>qmail</b>  system  by
        Daniel Bernstein.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/man/man1/qshape.1 b/postfix/man/man1/qshape.1
index 4badd4c02..cd8b6350d 100644
--- a/postfix/man/man1/qshape.1
+++ b/postfix/man/man1/qshape.1
@@ -12,6 +12,7 @@ Print Postfix queue domain and age distribution
 \fBqshape\fR [\fB-s\fR] [\fB-p\fR] [\fB-m \fImin_subdomains\fR]
         [\fB-b \fIbucket_count\fR] [\fB-t \fIbucket_time\fR]
         [\fB-l\fR] [\fB-w \fIterminal_width\fR]
+        [\fB-N \fIbatch_msg_count\fR] [\fB-n \fIbatch_top_domains\fR]
         [\fB-c \fIconfig_directory\fR] [\fIqueue_name\fR ...]
 .SH DESCRIPTION
 .ad
@@ -64,6 +65,15 @@ are shown with the prefix replaced by a '+' character. Truncated
 parent domain rows are shown as '.+' followed by the last 16 bytes
 of the domain name. If this is still too narrow to show the domain
 name and all the counters, the terminal_width limit is violated.
+.IP "\fB-N \fIbatch_msg_count\fR"
+When the output device is a terminal, intermediate results are
+shown each "batch_msg_count" messages. This produces usable results
+in a reasonable time even when the deferred queue is large. The
+default is to show intermediate results every 1000 messages.
+.IP "\fB-n \fIbatch_top_domains\fR"
+When reporting intermediate or final results to a termainal, report
+only the top "batch_top_domains" domains. The default limit is 20
+domains.
 .IP "\fB-c \fIconfig_directory\fR"
 The \fBmain.cf\fR configuration file is in the named directory
 instead of the default configuration directory.
diff --git a/postfix/man/man1/sendmail.1 b/postfix/man/man1/sendmail.1
index 0b88eca36..04ba044f9 100644
--- a/postfix/man/man1/sendmail.1
+++ b/postfix/man/man1/sendmail.1
@@ -230,7 +230,7 @@ Log mailer traffic. Use the \fBdebug_peer_list\fR and
 .ad
 .fi
 By design, this program is not set-user (or group) id. However,
-it must handle data from untrusted users or untrusted machines.
+it must handle data from untrusted, possibly remote, users.
 Thus, the usual precautions need to be taken against malicious
 inputs.
 .SH DIAGNOSTICS
diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5
index ad4f084a4..c52fbe13b 100644
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@@ -4,7 +4,7 @@
 .SH NAME
 access
 \-
-Postfix access table format
+Postfix SMTP server access table
 .SH "SYNOPSIS"
 .na
 .nf
@@ -16,29 +16,28 @@ Postfix access table format
 .SH DESCRIPTION
 .ad
 .fi
-The optional \fBaccess\fR(5) table directs the Postfix SMTP server
-to selectively reject or accept mail. Access can be allowed or
-denied for specific host names, domain names, networks, host
-addresses or mail addresses.
-
-For an example, see the EXAMPLE section at the end of this
-manual page.
+The Postfix SMTP server supports access control on remote
+SMTP client information: host names, network addresses, and
+envelope sender
+or recipient addresses.  See \fBheader_checks\fR(5) or
+\fBbody_checks\fR(5) for access control on the content of
+email messages.
 
 Normally, the \fBaccess\fR(5) table is specified as a text file
 that serves as input to the \fBpostmap\fR(1) command.
 The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
-is used for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/access\fR" in order to rebuild the indexed
-file after changing the access table.
+is used for fast searching by the mail system. Execute the
+command "\fBpostmap /etc/postfix/access\fR" to rebuild an
+indexed file after changing the corresponding text file.
 
 When the table is provided via other means such as NIS, LDAP
 or SQL, the same lookups are done as for ordinary indexed files.
 
 Alternatively, the table can be provided as a regular-expression
 map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In that case, the lookups are
-done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+can be directed to TCP-based server. In those cases, the lookups
+are done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 .SH "CASE FOLDING"
 .na
 .nf
@@ -195,7 +194,8 @@ Reject the address etc. that matches the pattern. Reply with
 specified, otherwise reply with a generic error response message.
 .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR
 Defer the request if some later restriction would result in a
-REJECT action. Reply with "\fB450\fI optional text...\fR when the
+REJECT action. Reply with "\fB450 4.7.1 \fI optional
+text...\fR when the
 optional text is specified, otherwise reply with a generic error
 response message.
 .sp
@@ -203,7 +203,7 @@ This feature is available in Postfix 2.1 and later.
 .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
 Defer the request if some later restriction would result in a
 an explicit or implicit PERMIT action.
-Reply with "\fB450\fI optional text...\fR when the
+Reply with "\fB450 4.7.1 \fI optional text...\fR when the
 optional text is specified, otherwise reply with a generic error
 response message.
 .sp
@@ -255,20 +255,21 @@ the \fBpostsuper\fR(1) command.
 .sp
 Note: use "\fBpostsuper -r\fR" to release mail that was kept on
 hold for a significant fraction of \fB$maximal_queue_lifetime\fR
-or \fB$bounce_queue_lifetime\fR, or longer.
+or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
+only for mail that will not expire within a few delivery attempts.
 .sp
 Note: this action currently affects all recipients of the message.
 .sp
 This feature is available in Postfix 2.0 and later.
 .IP "\fBPREPEND \fIheadername: headervalue\fR"
 Prepend the specified message header to the message.
-When this action is used multiple times, the first prepended
-header appears before the second etc. prepended header.
-.sp
-Note: this action does not support multi-line message headers.
+When more than one PREPEND action executes, the first
+prepended header appears before the second etc. prepended
+header.
 .sp
-Note: this action must be used before the message content
-is received; it cannot be used in \fBsmtpd_end_of_data_restrictions\fR.
+Note: this action must execute before the message content
+is received; it cannot execute in the context of
+\fBsmtpd_end_of_data_restrictions\fR.
 .sp
 This feature is available in Postfix 2.1 and later.
 .IP "\fBREDIRECT \fIuser@domain\fR"
@@ -340,7 +341,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.3.
+This feature is not available up to and including Postfix version 2.4.
 
 Each lookup operation uses the entire query string once.
 Depending on the application, that string is an entire client
diff --git a/postfix/man/man5/aliases.5 b/postfix/man/man5/aliases.5
index 7f067da6c..05ca24b90 100644
--- a/postfix/man/man5/aliases.5
+++ b/postfix/man/man5/aliases.5
@@ -75,8 +75,8 @@ quotes. See \fBlocal\fR(8) for details of delivery to command.
 When the command fails, a limited amount of command output is
 mailed back to the sender.  The file \fB/usr/include/sysexits.h\fR
 defines the expected exit status codes. For example, use
-\fB|"exit 67"\fR to simulate a "user unknown" error, and
-\fB|"exit 0"\fR to implement an expensive black hole.
+\fB"|exit 67"\fR to simulate a "user unknown" error, and
+\fB"|exit 0"\fR to implement an expensive black hole.
 .IP \fB:include:\fI/file/name\fR
 Mail is sent to the destinations listed in the named file.
 Lines in \fB:include:\fR files have the same syntax
diff --git a/postfix/man/man5/bounce.5 b/postfix/man/man5/bounce.5
index 4c6215ab3..25bbfda41 100644
--- a/postfix/man/man5/bounce.5
+++ b/postfix/man/man5/bounce.5
@@ -32,7 +32,8 @@ bounce template formats.
 .nf
 .ad
 .fi
-To create customized bounce template file, create a temporary
+To create a customized bounce template file, create a
+temporary
 copy of the file \fB/etc/postfix/bounce.cf.default\fR and
 edit the temporary file.
 
diff --git a/postfix/man/man5/canonical.5 b/postfix/man/man5/canonical.5
index 1faefbca7..6f1083051 100644
--- a/postfix/man/man5/canonical.5
+++ b/postfix/man/man5/canonical.5
@@ -25,17 +25,17 @@ Normally, the \fBcanonical\fR(5) table is specified as a text file
 that serves as input to the \fBpostmap\fR(1) command.
 The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
 is used for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/canonical\fR" in order to rebuild the indexed
-file after changing the text file.
+"\fBpostmap /etc/postfix/canonical\fR" to rebuild an indexed
+file after changing the corresponding text file.
 
 When the table is provided via other means such as NIS, LDAP
 or SQL, the same lookups are done as for ordinary indexed files.
 
 Alternatively, the table can be provided as a regular-expression
 map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In that case, the lookups are
-done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+can be directed to TCP-based server. In those cases, the lookups
+are done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 
 By default the \fBcanonical\fR(5) mapping affects both message
 header addresses (i.e. addresses that appear inside messages)
@@ -55,10 +55,9 @@ names by \fIFirstname.Lastname\fR, or to clean up addresses produced
 by legacy mail systems.
 
 The \fBcanonical\fR(5) mapping is not to be confused with \fIvirtual
-domain\fR support. Use the \fBvirtual\fR(5) map for that purpose.
-
-The \fBcanonical\fR(5) mapping is not to be confused with local aliasing.
-Use the \fBaliases\fR(5) map for that purpose.
+alias\fR support or with local aliasing. To change the destination
+but not the headers, use the \fBvirtual\fR(5) or \fBaliases\fR(5)
+map instead.
 .SH "CASE FOLDING"
 .na
 .nf
@@ -109,6 +108,13 @@ This form is useful for replacing login names by
 .IP "@\fIdomain address\fR"
 Replace other addresses in \fIdomain\fR by \fIaddress\fR.
 This form has the lowest precedence.
+.sp
+Note: @\fIdomain\fR is a wild-card. When this form is applied
+to recipient addresses, the Postfix SMTP server accepts
+mail for any recipient in \fIdomain\fR, regardless of whether
+that recipient exists.  This may turn your mail system into
+a backscatter source that returns undeliverable spam to
+innocent people.
 .SH "RESULT ADDRESS REWRITING"
 .na
 .nf
@@ -166,7 +172,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.3.
+This feature is not available up to and including Postfix version 2.4.
 
 Each lookup operation uses the entire address once.  Thus,
 \fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/man/man5/cidr_table.5 b/postfix/man/man5/cidr_table.5
index 30504a406..b5ba2ee7e 100644
--- a/postfix/man/man5/cidr_table.5
+++ b/postfix/man/man5/cidr_table.5
@@ -17,7 +17,10 @@ format of Postfix CIDR tables
 The Postfix mail system uses optional lookup tables.
 These tables are usually in \fBdbm\fR or \fBdb\fR format.
 Alternatively, lookup tables can be specified in CIDR
-(Classless Inter-Domain Routing) form.
+(Classless Inter-Domain Routing) form. In this case, each
+input is compared against a list of patterns. When a match
+is found, the corresponding result is returned and the search
+is terminated.
 
 To find out what types of lookup tables your Postfix system
 supports use the "\fBpostconf -m\fR" command.
@@ -99,7 +102,6 @@ DATABASE_README, Postfix lookup table overview
 .nf
 The CIDR table lookup code was originally written by:
 Jozsef Kadlecsik
-kadlec@blackhole.kfki.hu
 KFKI Research Institute for Particle and Nuclear Physics
 POB. 49
 1525 Budapest, Hungary
diff --git a/postfix/man/man5/generic.5 b/postfix/man/man5/generic.5
index e0ec31a84..32e310197 100644
--- a/postfix/man/man5/generic.5
+++ b/postfix/man/man5/generic.5
@@ -39,7 +39,7 @@ text file that serves as input to the \fBpostmap\fR(1)
 command.  The result, an indexed file in \fBdbm\fR or
 \fBdb\fR format, is used for fast searching by the mail
 system. Execute the command "\fBpostmap /etc/postfix/generic\fR"
-in order to rebuild the indexed file after changing the
+to rebuild an indexed file after changing the corresponding
 text file.
 
 When the table is provided via other means such as NIS, LDAP
@@ -47,9 +47,9 @@ or SQL, the same lookups are done as for ordinary indexed files.
 
 Alternatively, the table can be provided as a regular-expression
 map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In that case, the lookups are
-done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+can be directed to TCP-based server. In those case, the lookups
+are done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 .SH "CASE FOLDING"
 .na
 .nf
@@ -150,7 +150,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.3.
+This feature is not available up to and including Postfix version 2.4.
 
 Each lookup operation uses the entire address once.  Thus,
 \fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/man/man5/header_checks.5 b/postfix/man/man5/header_checks.5
index ada401686..bc0f4f17c 100644
--- a/postfix/man/man5/header_checks.5
+++ b/postfix/man/man5/header_checks.5
@@ -22,11 +22,16 @@ Postfix built-in header/body inspection
 .SH DESCRIPTION
 .ad
 .fi
-Postfix provides a simple built-in content inspection mechanism that
-examines incoming mail one message header or one message body line
-at a time. Each input is compared against a list of patterns, and
-when a match is found the corresponding action is executed.
-This feature is implemented by the Postfix \fBcleanup\fR(8) server.
+The Postfix \fBcleanup\fR(8) server supports access control
+on the content of message headers and message body lines.
+See \fBaccess\fR(5) for access control on remote SMTP client
+information.
+
+Each message header or message body line is compared against
+a list of patterns.
+When a match is found the corresponding action is executed, and
+the matching process is repeated for the next message header or
+message body line.
 
 For examples, see the EXAMPLES section at the end of this
 manual page.
@@ -178,7 +183,8 @@ the \fBpostsuper\fR(1) command.
 .sp
 Note: use "\fBpostsuper -r\fR" to release mail that was kept on
 hold for a significant fraction of \fB$maximal_queue_lifetime\fR
-or \fB$bounce_queue_lifetime\fR, or longer.
+or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
+only for mail that will not expire within a few delivery attempts.
 .sp
 Note: this action affects all recipients of the message.
 .sp
diff --git a/postfix/man/man5/ldap_table.5 b/postfix/man/man5/ldap_table.5
index 4e22f4987..ca97365e7 100644
--- a/postfix/man/man5/ldap_table.5
+++ b/postfix/man/man5/ldap_table.5
@@ -22,6 +22,7 @@ Alternatively, lookup tables can be specified as LDAP databases.
 
 In order to use LDAP lookups, define an LDAP source as a lookup
 table in main.cf, for example:
+
 .ti +4
 alias_maps = ldap:/etc/postfix/ldap-aliases.cf
 
@@ -87,6 +88,7 @@ an arbitrary value. With LDAP databases it is not uncommon to
 return the key itself.
 
 For example, NEVER do this in a map defining $mydestination:
+
 .in +4
 query_filter = domain=*
 .br
@@ -94,6 +96,7 @@ result_attribute = domain
 .in -4
 
 Do this instead:
+
 .in +4
 query_filter = domain=%s
 .br
@@ -110,6 +113,7 @@ Postfix configuration routines understand how to deal with quoted
 strings.
 .IP "\fBserver_host (default: localhost)\fR"
 The name of the host running the LDAP server, e.g.
+
 .ti +4
 server_host = ldap.example.com
 
@@ -118,11 +122,13 @@ be possible to specify multiple servers here, with the library
 trying them in order should the first one fail. It should also
 be possible to give each server in the list a different port
 (overriding \fBserver_port\fR below), by naming them like
+
 .ti +4
 server_host = ldap.example.com:1444
 
 With OpenLDAP, a (list of) LDAP URLs can be used to specify both
 the hostname(s) and the port(s):
+
 .ti +4
 server_host = ldap://ldap.example.com:1444
 .ti +8
@@ -132,20 +138,24 @@ All LDAP URLs accepted by the OpenLDAP library are supported,
 including connections over UNIX domain sockets, and LDAP SSL
 (the last one provided that OpenLDAP was compiled with support
 for SSL):
+
 .ti +4
 server_host = ldapi://%2Fsome%2Fpath
 .ti +8
         ldaps://ldap.example.com:636
 .IP "\fBserver_port (default: 389)\fR"
 The port the LDAP server listens on, e.g.
+
 .ti +4
 server_port = 778
 .IP "\fBtimeout (default: 10 seconds)\fR"
 The number of seconds a search can take before timing out, e.g.
+
 .ti +4
 timeout = 5
 .IP "\fBsearch_base (No default; you must configure this)\fR"
 The RFC2253 base DN at which to conduct the search, e.g.
+
 .ti +4
 search_base = dc=your, dc=com
 .IP
@@ -188,6 +198,7 @@ no results.
 The RFC2254 filter used to search the directory, where \fB%s\fR
 is a substitute for the address Postfix is trying to resolve,
 e.g.
+
 .ti +4
 query_filter = (&(mail=%s)(paid_up=true))
 
@@ -297,6 +308,7 @@ keys with a *non-empty* localpart and a matching domain
 are eligible for lookup: 'user' lookups, bare domain lookups
 and "@domain" lookups are not performed. This can significantly
 reduce the query load on the LDAP server.
+
 .ti +4
 domain = postfix.org, hash:/etc/postfix/searchdomains
 
@@ -310,14 +322,16 @@ This feature is available in Postfix 1.0 and later.
 The attribute(s) Postfix will read from any directory
 entries returned by the lookup, to be resolved to an email
 address.
+
 .ti +4
 result_attribute = mailbox, maildrop
-.IP "\fBspecial_result_attribute (No default)\fR"
+.IP "\fBspecial_result_attribute (default: empty)\fR"
 The attribute(s) of directory entries that can contain DNs
 or URLs. If found, a recursive subsequent search is done
 using their values.
+
 .ti +4
-special_result_attribute = member
+special_result_attribute = memberdn
 
 DN recursion retrieves the same result_attributes as the
 main query, including the special attributes for further
@@ -326,6 +340,47 @@ that are included in the URI definition and are *also*
 listed in "result_attribute". If the URI lists any of the
 map's special result attributes, these are also retrieved
 and used recursively.
+.IP "\fBterminal_result_attribute (default: empty)\fR"
+When one or more terminal result attributes are found in an LDAP
+entry, all other result attributes are ignored and only the terminal
+result attributes are returned. This is useful for delegating expansion
+of group members to a particular host, by using an optional "maildrop"
+attribute on selected groups to route the group to a specific host,
+where the group is expanded, possibly via mailing-list manager or
+other special processing.
+
+.ti +4
+terminal_result_attribute = maildrop
+
+This feature is available with Postfix 2.4 or later.
+.IP "\fBleaf_result_attribute (default: empty)\fR"
+When one or more special result attributes are found in a non-terminal
+(see above) LDAP entry, leaf result attributes are excluded from the
+expansion of that entry. This is useful when expanding groups and the
+desired mail address attribute(s) of the member objects obtained via
+DN or URI recursion are also present in the group object. To only
+return the attribute values from the leaf objects and not the
+containing group, add the attribute to the leaf_result_attribute list,
+and not the result_attribute list, which is always expanded. Note,
+the default value of "result_attribute" is not empty, you may want to
+set it explicitly empty when using "leaf_result_attribute" to expand
+the group to a list of member DN addresses. If groups have both
+member DN references AND attributes that hold multiple string valued
+rfc822 addresses, then the string attributes go in "result_attribute".
+The attributes that represent the email addresses of objects
+referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
+
+.in +4
+result_attribute = memberaddr
+.br
+special_result_attribute = memberdn
+.br
+terminal_result_attribute = maildrop
+.br
+leaf_result_attribute = mail
+.in -4
+
+This feature is available with Postfix 2.4 or later.
 .IP "\fBscope (default: sub)\fR"
 The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
 These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
@@ -334,6 +389,7 @@ and LDAP_SCOPE_ONELEVEL.
 Whether or not to bind to the LDAP server. Newer LDAP
 implementations don't require clients to bind, which saves
 time. Example:
+
 .ti +4
 bind = no
 
@@ -346,6 +402,7 @@ should prevent the password from traversing the network in
 the clear.
 .IP "\fBbind_dn (default: empty)\fR"
 If you do have to bind, do it with this distinguished name. Example:
+
 .ti +4
 bind_dn = uid=postfix, dc=your, dc=com
 .IP "\fBbind_pw (default: empty)\fR"
@@ -357,6 +414,7 @@ main.cf, it is not possible to securely store the bind
 password. This is because main.cf needs to be world readable
 to allow local accounts to submit mail via the sendmail
 command. Example:
+
 .ti +4
 bind_pw = postfixpw
 .IP "\fBcache (IGNORED with a warning)\fR"
@@ -426,15 +484,18 @@ issue the STARTTLS command.
 
 LDAP SSL service can be requested by using a LDAP SSL URL
 in the server_host parameter:
+
 .ti +4
 server_host = ldaps://ldap.example.com:636
 
 STARTTLS can be turned on with the start_tls parameter:
+
 .ti +4
 start_tls = yes
 
 Both forms require LDAP protocol version 3, which has to be set
 explicitly with:
+
 .ti +4
 version = 3
 
@@ -488,21 +549,23 @@ Cipher suite to use in SSL/TLS negotiations.
 Here's a basic example for using LDAP to look up local(8)
 aliases.
 Assume that in main.cf, you have:
+
 .ti +4
 alias_maps = hash:/etc/aliases,
 .ti +8
 ldap:/etc/postfix/ldap-aliases.cf
 
 and in ldap:/etc/postfix/ldap-aliases.cf you have:
+
 .in +4
-server_host = ldap.my.com
+server_host = ldap.example.com
 .br
-search_base = dc=my, dc=com
+search_base = dc=example, dc=com
 .in -4
 
 Upon receiving mail for a local address "ldapuser" that
 isn't found in the /etc/aliases database, Postfix will
-search the LDAP server listening at port 389 on ldap.my.com.
+search the LDAP server listening at port 389 on ldap.example.com.
 It will bind anonymously, search for any directory entries
 whose mailacceptinggeneralid attribute is "ldapuser", read
 the "maildrop" attributes of those found, and build a list
diff --git a/postfix/man/man5/pcre_table.5 b/postfix/man/man5/pcre_table.5
index dc2cb3dfa..3242fcd1c 100644
--- a/postfix/man/man5/pcre_table.5
+++ b/postfix/man/man5/pcre_table.5
@@ -20,8 +20,8 @@ rewriting or mail routing. These tables are usually in
 
 Alternatively, lookup tables can be specified in Perl Compatible
 Regular Expression form. In this case, each input is compared
-against a list of patterns, and when a match is found the
-corresponding result is returned.
+against a list of patterns. When a match is found, the
+corresponding result is returned and the search is terminated.
 
 To find out what types of lookup tables your Postfix system
 supports use the "\fBpostconf -m\fR" command.
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index f35515d79..6f67cfb3b 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -1104,9 +1104,9 @@ precision.
 .PP
 The format of the "delays=a/b/c/d" logging is as follows:
 .IP \(bu
-a = time before the queue manager, including message transmission
+a = time from message arrival to last active queue entry
 .IP \(bu
-b = time in queue manager
+b = time from last active queue entry to connection setup
 .IP \(bu
 c = time in connection setup, including DNS, EHLO and TLS
 .IP \(bu
@@ -1805,7 +1805,7 @@ details. The table is not indexed by hostname for consistency with
 smtpd_discard_ehlo_keyword_address_maps.
 .PP
 This feature is available in Postfix 2.3 and later.
-.SH lmtp_discard_lhlo_keywords (default: $myhostname)
+.SH lmtp_discard_lhlo_keywords (default: empty)
 A case insensitive list of LHLO keywords (pipelining, starttls,
 auth, etc.) that the LMTP client will ignore in the LHLO response
 from a remote LMTP server.
@@ -2649,16 +2649,18 @@ masquerade_exceptions = root
 .ad
 .ft R
 .SH max_idle (default: 100s)
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.  This parameter
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.  This
+parameter
 is ignored by the Postfix queue manager and by other long-lived
 Postfix daemon processes.
 .PP
 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).
 .SH max_use (default: 100)
-The maximal number of connection requests before a Postfix daemon
-process terminates. This parameter is ignored by the Postfix queue
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.  This parameter
+is ignored by the Postfix queue
 manager and by other long-lived Postfix daemon processes.
 .SH maximal_backoff_time (default: 4000s)
 The maximal time between attempts to deliver a deferred message.
@@ -3543,7 +3545,10 @@ Do not change this unless you have a complete understanding of RFC 821.
 .SH relay_recipient_maps (default: empty)
 Optional lookup tables with all valid addresses in the domains
 that match $relay_domains. Specify @domain as a wild-card for
-domains that do not have a valid recipient list. Technically, tables
+domains that have no valid recipient list, and become a source of
+backscatter mail: Postfix accepts spam for non-existent recipients
+and then floods innocent people with undeliverable mail.  Technically,
+tables
 listed with $relay_recipient_maps are used as lists: Postfix needs
 to know only if a lookup string is found or not, but it does not
 use the result from table lookup.
@@ -4459,8 +4464,9 @@ smtp_tls_CApath = /etc/postfix/certs
 This feature is available in Postfix 2.2 and later.
 .SH smtp_tls_cert_file (default: empty)
 File with the Postfix SMTP client RSA certificate in PEM format.
-This file may also contain the client private key, and these may
-be the same as the server certificate and key file.
+This file may also contain the Postfix SMTP client private RSA key,
+and these may be the same as the Postfix SMTP server RSA certificate and key
+file.
 .PP
 Do not configure client certificates unless you \fBmust\fR present
 client TLS certificates to one or more servers. Client certificates are
@@ -4488,21 +4494,21 @@ parameters in main.cf if present.
 .PP
 In order to verify certificates, the CA certificate (in case
 of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the server certificate, the
-server certificate first, then the issuing CA(s).
+You should add these certificates to the client certificate, the
+client certificate first, then the issuing CA(s).
 .PP
 Example: the certificate for "client.dom.ain" was issued by
 "intermediate CA" which itself has a certificate of "root CA".
 Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
 root_CA.pem > client.pem".
 .PP
-If you want to accept remote SMTP server certificates issued
-by these CAs yourself, you can also add the CA certificates to the
-smtp_tls_CAfile, in which case it is not necessary to have them in
-the smtp_tls_cert_file or smtp_tls_dcert_file.
+If you also want to verify remote SMTP server certificates issued by
+these CAs, you can also add the CA certificates to the smtp_tls_CAfile,
+in which case it is not necessary to have them in the smtp_tls_cert_file
+or smtp_tls_dcert_file.
 .PP
-A certificate supplied here must be usable as SSL client certificate and
-hence pass the "openssl verify -purpose sslclient ..." test.
+A certificate supplied here must be usable as an SSL client certificate
+and hence pass the "openssl verify -purpose sslclient ..." test.
 .PP
 Example:
 .PP
@@ -4531,7 +4537,7 @@ This feature is available in Postfix version 2.2. It is not used with
 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
 .SH smtp_tls_dcert_file (default: empty)
 File with the Postfix SMTP client DSA certificate in PEM format.
-This file may also contain the server private key.
+This file may also contain the Postfix SMTP client private DSA key.
 .PP
 See the discussion under smtp_tls_cert_file for more details.
 .PP
@@ -4548,11 +4554,12 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
 This feature is available in Postfix 2.2 and later.
 .SH smtp_tls_dkey_file (default: $smtp_tls_dcert_file)
 File with the Postfix SMTP client DSA private key in PEM format.
-The private key must not be encrypted. In other words, the key must
-be accessible without password.
+This file may be combined with the Postfix SMTP client DSA certificate
+file specified with $smtp_tls_dcert_file.
 .PP
-This file may be combined with the server certificate file
-specified with $smtp_tls_cert_file.
+The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root").
 .PP
 This feature is available in Postfix 2.2 and later.
 .SH smtp_tls_enforce_peername (default: yes)
@@ -4604,11 +4611,12 @@ key exchange with RSA authentication.
 This feature is available in Postfix 2.3 and later.
 .SH smtp_tls_key_file (default: $smtp_tls_cert_file)
 File with the Postfix SMTP client RSA private key in PEM format.
-This file may be combined with the client certificate file specified
-with $smtp_tls_cert_file.
+This file may be combined with the Postfix SMTP client RSA certificate
+file specified with $smtp_tls_cert_file.
 .PP
-The private key must not be encrypted. In other words, the key
-must be accessible without password.
+The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root").
 .PP
 Example:
 .PP
@@ -6586,7 +6594,7 @@ root CA issues special CA which then issues the actual certificate...).
 This feature is available in Postfix 2.2 and later.
 .SH smtpd_tls_cert_file (default: empty)
 File with the Postfix SMTP server RSA certificate in PEM format.
-This file may also contain the server private key.
+This file may also contain the Postfix SMTP server private RSA key.
 .PP
 Public Internet MX hosts without certificates signed by a "reputable"
 CA must generate, and be prepared to present to most clients, a
@@ -6620,14 +6628,13 @@ Example: the certificate for "server.dom.ain" was issued by
 Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
 root_CA.pem > server.pem".
 .PP
-If you want to accept certificates issued by these CAs yourself,
-you can also add the CA certificates to the smtpd_tls_CAfile, in
-which case it is not necessary to have them in the smtpd_tls_dcert_file
-or smtpd_tls_cert_file.
+If you also want to verify client certificates issued by these
+CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which
+case it is not necessary to have them in the smtpd_tls_cert_file or
+smtpd_tls_dcert_file.
 .PP
-A certificate supplied here must be usable as SSL server
-certificate and hence pass the "openssl verify -purpose sslserver
-\e&..." test.
+A certificate supplied here must be usable as an SSL server certificate
+and hence pass the "openssl verify -purpose sslserver ..." test.
 .PP
 Example:
 .PP
@@ -6657,7 +6664,7 @@ This feature is available with Postfix version 2.2. It is not used with
 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
 .SH smtpd_tls_dcert_file (default: empty)
 File with the Postfix SMTP server DSA certificate in PEM format.
-This file may also contain the server private key.
+This file may also contain the Postfix SMTP server private key.
 .PP
 See the discussion under smtpd_tls_cert_file for more details.
 .PP
@@ -6723,11 +6730,12 @@ smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
 This feature is available with Postfix version 2.2.
 .SH smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)
 File with the Postfix SMTP server DSA private key in PEM format.
-This file may be combined with the server certificate file specified
-with $smtpd_tls_dcert_file.
+This file may be combined with the Postfix SMTP server DSA certificate
+file specified with $smtpd_tls_dcert_file.
 .PP
-The private key must not be encrypted. In other words, the key
-must be accessible without password.
+The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root").
 .PP
 This feature is available in Postfix 2.2 and later.
 .SH smtpd_tls_exclude_ciphers (default: empty)
@@ -6763,11 +6771,13 @@ key exchange with RSA authentication.
 This feature is available in Postfix 2.3 and later.
 .SH smtpd_tls_key_file (default: $smtpd_tls_cert_file)
 File with the Postfix SMTP server RSA private key in PEM format.
-This file may be combined with the server certificate file specified
+This file may be combined with the Postfix SMTP server certificate
+file specified
 with $smtpd_tls_cert_file.
 .PP
-The private key must not be encrypted. In other words, the key
-must be accessible without password.
+The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root").
 .SH smtpd_tls_loglevel (default: 0)
 Enable additional Postfix SMTP server logging of TLS activity.
 Each logging level also includes the information that is logged at
diff --git a/postfix/man/man5/regexp_table.5 b/postfix/man/man5/regexp_table.5
index 43af5f38b..96a87dd37 100644
--- a/postfix/man/man5/regexp_table.5
+++ b/postfix/man/man5/regexp_table.5
@@ -20,8 +20,8 @@ rewriting or mail routing. These tables are usually in
 
 Alternatively, lookup tables can be specified in POSIX regular
 expression form. In this case, each input is compared against a
-list of patterns, and when a match is found the corresponding
-result is returned.
+list of patterns. When a match is found, the corresponding
+result is returned and the search is terminated.
 
 To find out what types of lookup tables your Postfix system
 supports use the "\fBpostconf -m\fR" command.
diff --git a/postfix/man/man5/relocated.5 b/postfix/man/man5/relocated.5
index e1d65a2d6..ebfe3ee4a 100644
--- a/postfix/man/man5/relocated.5
+++ b/postfix/man/man5/relocated.5
@@ -19,17 +19,17 @@ Normally, the \fBrelocated\fR(5) table is specified as a text file
 that serves as input to the \fBpostmap\fR(1) command.
 The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
 is used for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/relocated\fR" in order to rebuild the indexed
-file after changing the relocated table.
+"\fBpostmap /etc/postfix/relocated\fR" to rebuild an indexed
+file after changing the corresponding relocated table.
 
 When the table is provided via other means such as NIS, LDAP
 or SQL, the same lookups are done as for ordinary indexed files.
 
 Alternatively, the table can be provided as a regular-expression
 map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In that case, the lookups are
-done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+can be directed to TCP-based server. In those case, the lookups
+are done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 
 Table lookups are case insensitive.
 .SH "CASE FOLDING"
@@ -98,7 +98,7 @@ directed to a TCP-based server. For a description of regular
 expression lookup table syntax, see \fBregexp_table\fR(5) or
 \fBpcre_table\fR(5). For a description of the TCP client/server
 table lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.3.
+This feature is not available up to and including Postfix version 2.4.
 
 Each pattern is a regular expression that is applied to the entire
 address being looked up. Thus, \fIuser@domain\fR mail addresses are not
@@ -119,7 +119,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.3.
+This feature is not available up to and including Postfix version 2.4.
 
 Each lookup operation uses the entire address once.  Thus,
 \fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/man/man5/transport.5 b/postfix/man/man5/transport.5
index e37cfe151..92a30338b 100644
--- a/postfix/man/man5/transport.5
+++ b/postfix/man/man5/transport.5
@@ -49,17 +49,17 @@ Normally, the \fBtransport\fR(5) table is specified as a text file
 that serves as input to the \fBpostmap\fR(1) command.
 The result, an indexed file in \fBdbm\fR or \fBdb\fR format, is used
 for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/transport\fR" in order to rebuild the indexed
-file after changing the transport table.
+"\fBpostmap /etc/postfix/transport\fR" to rebuild an indexed
+file after changing the corresponding transport table.
 
 When the table is provided via other means such as NIS, LDAP
 or SQL, the same lookups are done as for ordinary indexed files.
 
 Alternatively, the table can be provided as a regular-expression
 map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In that case, the lookups are
-done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+can be directed to TCP-based server. In those case, the lookups
+are done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 .SH "CASE FOLDING"
 .na
 .nf
@@ -249,7 +249,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.3.
+This feature is not available up to and including Postfix version 2.4.
 
 Each lookup operation uses the entire recipient address once.  Thus,
 \fIsome.domain.hierarchy\fR is not looked up via its parent domains,
@@ -287,6 +287,7 @@ Use "\fBpostconf readme_directory\fR" or
 "\fBpostconf html_directory\fR" to locate this information.
 .na
 .nf
+ADDRESS_REWRITING_README, address rewriting guide
 DATABASE_README, Postfix lookup table overview
 FILTER_README, external content filter
 .SH "LICENSE"
diff --git a/postfix/man/man5/virtual.5 b/postfix/man/man5/virtual.5
index 0ea07d0af..5c3cb1da2 100644
--- a/postfix/man/man5/virtual.5
+++ b/postfix/man/man5/virtual.5
@@ -45,17 +45,17 @@ Normally, the \fBvirtual\fR(5) alias table is specified as a text file
 that serves as input to the \fBpostmap\fR(1) command.
 The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
 is used for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/virtual\fR" in order to rebuild the indexed
-file after changing the text file.
+"\fBpostmap /etc/postfix/virtual\fR" to rebuild an indexed
+file after changing the corresponding text file.
 
 When the table is provided via other means such as NIS, LDAP
 or SQL, the same lookups are done as for ordinary indexed files.
 
 Alternatively, the table can be provided as a regular-expression
 map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In that case, the lookups are
-done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+can be directed to TCP-based server. In those case, the lookups
+are done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 .SH "CASE FOLDING"
 .na
 .nf
@@ -103,6 +103,13 @@ mapping can be applied to non-local addresses.
 .IP "@\fIdomain address, address, ...\fR"
 Redirect mail for other users in \fIdomain\fR to \fIaddress\fR.
 This form has the lowest precedence.
+.sp
+Note: @\fIdomain\fR is a wild-card. With this form, the
+Postfix SMTP server accepts
+mail for any recipient in \fIdomain\fR, regardless of whether
+that recipient exists.  This may turn your mail system into
+a backscatter source that returns undeliverable spam to
+innocent people.
 .SH "RESULT ADDRESS REWRITING"
 .na
 .nf
@@ -221,7 +228,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.3.
+This feature is not available up to and including Postfix version 2.4.
 
 Each lookup operation uses the entire address once.  Thus,
 \fIuser@domain\fR mail addresses are not broken up into their
@@ -283,8 +290,8 @@ Use "\fBpostconf readme_directory\fR" or
 "\fBpostconf html_directory\fR" to locate this information.
 .na
 .nf
-DATABASE_README, Postfix lookup table overview
 ADDRESS_REWRITING_README, address rewriting guide
+DATABASE_README, Postfix lookup table overview
 VIRTUAL_README, domain hosting guide
 .SH "LICENSE"
 .na
diff --git a/postfix/man/man8/anvil.8 b/postfix/man/man8/anvil.8
index f4aca61f2..8703e8683 100644
--- a/postfix/man/man8/anvil.8
+++ b/postfix/man/man8/anvil.8
@@ -230,11 +230,11 @@ request before it is terminated by a built-in watchdog timer.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/bounce.8 b/postfix/man/man8/bounce.8
index 0e100933b..76c66e399 100644
--- a/postfix/man/man8/bounce.8
+++ b/postfix/man/man8/bounce.8
@@ -103,11 +103,11 @@ and body_checks.
 The mail system name that is displayed in Received: headers, in
 the SMTP greeting banner, and in bounced mail.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBnotify_classes (resource, software)\fR"
 The list of error classes that are reported to the postmaster.
 .IP "\fBprocess_id (read-only)\fR"
diff --git a/postfix/man/man8/cleanup.8 b/postfix/man/man8/cleanup.8
index bf83d73c0..e6876820b 100644
--- a/postfix/man/man8/cleanup.8
+++ b/postfix/man/man8/cleanup.8
@@ -333,11 +333,11 @@ mail that is still queued.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBmyhostname (see 'postconf -d' output)\fR"
 The internet hostname of this mail system.
 .IP "\fBmyorigin ($myhostname)\fR"
diff --git a/postfix/man/man8/discard.8 b/postfix/man/man8/discard.8
index 48256947b..7a9cd7dae 100644
--- a/postfix/man/man8/discard.8
+++ b/postfix/man/man8/discard.8
@@ -74,11 +74,11 @@ by the mail system.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/error.8 b/postfix/man/man8/error.8
index 854837691..d774d74af 100644
--- a/postfix/man/man8/error.8
+++ b/postfix/man/man8/error.8
@@ -15,8 +15,8 @@ Postfix error/retry mail delivery agent
 The Postfix \fBerror\fR(8) delivery agent processes delivery
 requests from
 the queue manager. Each request specifies a queue file, a sender
-address, a domain or host name that is treated as the reason for
-non-delivery, and recipient information.
+address, the reason for non-delivery (specified as the
+next-hop destination), and recipient information.
 The reason may be prefixed with an RFC 3463-compatible detail code.
 This program expects to be run from the \fBmaster\fR(8) process
 manager.
@@ -81,11 +81,11 @@ by the mail system.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBnotify_classes (resource, software)\fR"
 The list of error classes that are reported to the postmaster.
 .IP "\fBprocess_id (read-only)\fR"
diff --git a/postfix/man/man8/flush.8 b/postfix/man/man8/flush.8
index c85d6eb44..91313b9f9 100644
--- a/postfix/man/man8/flush.8
+++ b/postfix/man/man8/flush.8
@@ -110,11 +110,11 @@ is deleted.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
 What Postfix features match subdomains of "domain.tld" automatically,
 instead of requiring an explicit ".domain.tld" pattern.
diff --git a/postfix/man/man8/local.8 b/postfix/man/man8/local.8
index 324bb2a27..445200745 100644
--- a/postfix/man/man8/local.8
+++ b/postfix/man/man8/local.8
@@ -545,11 +545,11 @@ communication channel.
 .IP "\fBlocal_command_shell (empty)\fR"
 Optional shell program for \fBlocal\fR(8) delivery to non-Postfix command.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprepend_delivered_header (command, file, forward)\fR"
 The message delivery contexts where the Postfix \fBlocal\fR(8) delivery
 agent prepends a Delivered-To:  message header with the address
diff --git a/postfix/man/man8/master.8 b/postfix/man/man8/master.8
index 05e7b839a..bc20cda9d 100644
--- a/postfix/man/man8/master.8
+++ b/postfix/man/man8/master.8
@@ -101,11 +101,11 @@ Use the "\fBpostfix reload\fR" command after a configuration change.
 The default maximal number of Postfix child processes that provide
 a given service.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBservice_throttle_time (60s)\fR"
 How long the Postfix \fBmaster\fR(8) waits before forking a server that
 appears to be malfunctioning.
diff --git a/postfix/man/man8/pickup.8 b/postfix/man/man8/pickup.8
index ece84a09d..2c7204091 100644
--- a/postfix/man/man8/pickup.8
+++ b/postfix/man/man8/pickup.8
@@ -87,11 +87,11 @@ communication channel.
 Upon input, long lines are chopped up into pieces of at most
 this length; upon delivery, long lines are reconstructed.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/pipe.8 b/postfix/man/man8/pipe.8
index d2ccd3175..e8e7747c2 100644
--- a/postfix/man/man8/pipe.8
+++ b/postfix/man/man8/pipe.8
@@ -128,8 +128,8 @@ Prepend "\fB>\fR" to lines starting with "\fBFrom \fR". This is expected
 by, for example, \fBUUCP\fR software.
 .RE
 .IP "\fBnull_sender\fR=\fIreplacement\fR (default: MAILER-DAEMON)"
-Replace the null sender address, which is typically used
-for delivery status notifications, with the specified text
+Replace the null sender address (typically used for delivery
+status notifications) with the specified text
 when expanding the \fB$sender\fR command-line macro, and
 when generating a From_ or Return-Path: message header.
 
@@ -351,11 +351,11 @@ communication channel.
 The UNIX system account that owns the Postfix queue and most Postfix
 daemon processes.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/proxymap.8 b/postfix/man/man8/proxymap.8
index 4cf7464a6..975e230a3 100644
--- a/postfix/man/man8/proxymap.8
+++ b/postfix/man/man8/proxymap.8
@@ -118,11 +118,11 @@ request before it is terminated by a built-in watchdog timer.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/qmqpd.8 b/postfix/man/man8/qmqpd.8
index b19fb1c93..6ca72e751 100644
--- a/postfix/man/man8/qmqpd.8
+++ b/postfix/man/man8/qmqpd.8
@@ -119,11 +119,11 @@ request before it is terminated by a built-in watchdog timer.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/scache.8 b/postfix/man/man8/scache.8
index 310ee8af4..4b200166a 100644
--- a/postfix/man/man8/scache.8
+++ b/postfix/man/man8/scache.8
@@ -120,8 +120,8 @@ request before it is terminated by a built-in watchdog timer.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/showq.8 b/postfix/man/man8/showq.8
index c8b802623..44791fa8e 100644
--- a/postfix/man/man8/showq.8
+++ b/postfix/man/man8/showq.8
@@ -71,11 +71,11 @@ The recipient of mail addressed to the null address.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index 198d25c7d..fd63091dc 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -39,7 +39,7 @@ may be used by any SMTP+LMTP client for a subsequent transaction.
 
 By default, connection caching is enabled temporarily for
 destinations that have a high volume of mail in the active
-queue. Session caching can be enabled permanently for
+queue. Connection caching can be enabled permanently for
 specific destinations.
 .SH "SMTP DESTINATION SYNTAX"
 .na
@@ -222,7 +222,7 @@ Lookup tables, indexed by the remote LMTP server address, with
 case insensitive lists of LHLO keywords (pipelining, starttls,
 auth, etc.) that the LMTP client will ignore in the LHLO response
 from a remote LMTP server.
-.IP "\fBlmtp_discard_lhlo_keywords ($myhostname)\fR"
+.IP "\fBlmtp_discard_lhlo_keywords (empty)\fR"
 A case insensitive list of LHLO keywords (pipelining, starttls,
 auth, etc.) that the LMTP client will ignore in the LHLO response
 from a remote LMTP server.
@@ -524,11 +524,11 @@ communication channel.
 .IP "\fBlmtp_tcp_port (24)\fR"
 The default TCP port that the Postfix LMTP client connects to.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index f76921ba0..21ab94646 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -829,11 +829,11 @@ the SMTP greeting banner, and in bounced mail.
 The UNIX system account that owns the Postfix queue and most Postfix
 daemon processes.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBmyhostname (see 'postconf -d' output)\fR"
 The internet hostname of this mail system.
 .IP "\fBmynetworks (see 'postconf -d' output)\fR"
diff --git a/postfix/man/man8/spawn.8 b/postfix/man/man8/spawn.8
index df72c346a..21418fc13 100644
--- a/postfix/man/man8/spawn.8
+++ b/postfix/man/man8/spawn.8
@@ -112,11 +112,11 @@ communication channel.
 The UNIX system account that owns the Postfix queue and most Postfix
 daemon processes.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/man/man8/trivial-rewrite.8 b/postfix/man/man8/trivial-rewrite.8
index 396147f95..7252e4388 100644
--- a/postfix/man/man8/trivial-rewrite.8
+++ b/postfix/man/man8/trivial-rewrite.8
@@ -224,11 +224,11 @@ The recipient of mail addressed to the null address.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBrelocated_maps (empty)\fR"
 Optional lookup tables with new contact information for users or
 domains that no longer exist.
diff --git a/postfix/man/man8/virtual.8 b/postfix/man/man8/virtual.8
index 72fdf2acd..9cf898111 100644
--- a/postfix/man/man8/virtual.8
+++ b/postfix/man/man8/virtual.8
@@ -260,11 +260,11 @@ sub-second delay values.
 The time limit for sending or receiving information over an internal
 communication channel.
 .IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.
 .IP "\fBmax_use (100)\fR"
-The maximal number of connection requests before a Postfix daemon
-process terminates.
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.
 .IP "\fBprocess_id (read-only)\fR"
 The process ID of a Postfix command or daemon process.
 .IP "\fBprocess_name (read-only)\fR"
diff --git a/postfix/proto/ADDRESS_VERIFICATION_README.html b/postfix/proto/ADDRESS_VERIFICATION_README.html
index 1d66b4fe9..d3ff04385 100644
--- a/postfix/proto/ADDRESS_VERIFICATION_README.html
+++ b/postfix/proto/ADDRESS_VERIFICATION_README.html
@@ -21,7 +21,8 @@
 
 <p> The sender/recipient address verification feature described in this
 document is suitable only for low-traffic sites. It performs poorly
-under high load and may cause your site to be blacklisted by some
+under high load; excessive sender address verification activity may
+even cause your site to be blacklisted by some
 providers. See the "<a href="#limitations">Limitations</a>" section
 below for details. </p>
 
diff --git a/postfix/proto/DATABASE_README.html b/postfix/proto/DATABASE_README.html
index ab2cf804f..7718c7d21 100644
--- a/postfix/proto/DATABASE_README.html
+++ b/postfix/proto/DATABASE_README.html
@@ -364,7 +364,7 @@ described in tcp_table(5). The lookup table name is "tcp:host:port"
 where "host" specifies a symbolic hostname or a numeric IP address,
 and "port" specifies a symbolic service name or a numeric port
 number. This protocol is not available up to and including Postfix
-version 2.2.  </dd>
+version 2.4.  </dd>
 
 <dt> <b>unix</b> (read-only) </dt>
 
diff --git a/postfix/proto/LDAP_README.html b/postfix/proto/LDAP_README.html
index f9573a897..7b8b60857 100644
--- a/postfix/proto/LDAP_README.html
+++ b/postfix/proto/LDAP_README.html
@@ -41,6 +41,8 @@ it to each. </p>
 
 <li><a href="#example_virtual">Example: virtual domains/addresses</a>
 
+<li><a href="#example_group">Example: expanding LDAP groups</a>
+
 <li><a href="#other">Other uses of LDAP lookups</a>
 
 <li><a href="#hmmmm">Notes and things to think about</a>
@@ -152,14 +154,14 @@ alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
 
 <blockquote> 
 <pre>
-server_host = ldap.my.com
-search_base = dc=my, dc=com
+server_host = ldap.example.com
+search_base = dc=example, dc=com
 </pre>
 </blockquote> 
 
 <p> Upon receiving mail for a local address "ldapuser" that isn't
 found in the /etc/aliases database, Postfix will search the LDAP
-server listening at port 389 on ldap.my.com. It will bind anonymously,
+server listening at port 389 on ldap.example.com. It will bind anonymously,
 search for any directory entries whose mailacceptinggeneralid
 attribute is "ldapuser", read the "maildrop" attributes of those
 found, and build a list of their maildrops, which will be treated
@@ -176,7 +178,7 @@ of your virtual recipient's mailacceptinggeneralid attributes are
 fully qualified with their virtual domains. Finally, if you want
 to designate a directory entry as the default user for a virtual
 domain, just give it an additional mailacceptinggeneralid (or the
-equivalent in your directory) of "@virtual.dom". That's right, no
+equivalent in your directory) of "@fake.dom". That's right, no
 user part. If you don't want a catchall user, omit this step and
 mail to unknown users in the domain will simply bounce. </p>
 
@@ -212,12 +214,221 @@ go to this entry ... </p>
 maildrop, e.g. "normaluser@fake.dom" and "normaluser@real.dom".
 </p>
 
+<h2><a name="example_group">Example: expanding LDAP groups</a></h2>
+
+<p> LDAP is frequently used to store group member information, and Postfix
+supports expanding a group's email address to the list of email addresses
+of the group members. There are a number of ways of handling LDAP groups,
+which will be illustrated via the mock LDAP entries and implied schema
+below.  This shows two group entries "agroup" and "bgroup" and four
+user entries "auser", "buser", "cuser" and "duser". The group "agroup"
+has the users "auser" (1) and "buser" (2) as members via DN references
+in the multi-valued attribute "memberdn", and direct email addresses of
+two external users "auser@example.org" (3) and "buser@example.org" (4)
+stored in the multi-valued attribute "memberaddr".  The same is true of
+"bgroup" and "cuser"/"duser" (6)/(7)/(8)/(9), but "bgroup" also has a
+"maildrop" attribute of "bgroup@mlm.example.com" (5): </p>
+
+<blockquote> 
+<pre>
+     dn: cn=agroup, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapgroup
+     cn: agroup
+     mail: agroup@example.com
+1 -&gt; memberdn: uid=auser, dc=example, dc=com
+2 -&gt; memberdn: uid=buser, dc=example, dc=com
+3 -&gt; memberaddr: auser@example.org
+4 -&gt; memberaddr: buser@example.org
+</pre>
+<br>
+
+<pre>
+     dn: cn=bgroup, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapgroup
+     cn: bgroup
+     mail: bgroup@example.com
+5 -&gt; maildrop: bgroup@mlm.example.com
+6 -&gt; memberdn: uid=cuser, dc=example, dc=com
+7 -&gt; memberdn: uid=duser, dc=example, dc=com
+8 -&gt; memberaddr: cuser@example.org
+9 -&gt; memberaddr: duser@example.org
+</pre>
+<br>
+
+<pre>
+     dn: uid=auser, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapuser
+     uid: auser
+10 -&gt; mail: auser@example.com
+11 -&gt; maildrop: auser@mailhub.example.com
+</pre>
+<br>
+
+<pre>
+     dn: uid=buser, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapuser
+     uid: buser
+12 -&gt; mail: buser@example.com
+13 -&gt; maildrop: buser@mailhub.example.com
+</pre>
+<br>
+
+<pre>
+     dn: uid=cuser, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapuser
+     uid: cuser
+14 -&gt; mail: cuser@example.com
+</pre>
+<br>
+
+<pre>
+     dn: uid=duser, dc=example, dc=com
+     objectclass: top
+     objectclass: ldapuser
+     uid: duser
+15 -&gt; mail: duser@example.com
+</pre>
+<br>
+
+</blockquote> 
+
+<p> Our first use case ignores the "memberdn" attributes, and assumes
+that groups hold only direct "memberaddr" strings as in (3), (4), (8) and
+(9). The goal is to map the group address to the list of constituent
+"memberaddr" values. This is simple, ignoring the various connection
+related settings (hosts, ports, bind settings, timeouts, ...) we have:
+</p>
+
+<blockquote> 
+<pre>
+    simple.cf:
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = memberaddr
+    $ postmap -q agroup@example.com ldap:simple.cf
+    auser@example.org,buser@example.org
+</pre>
+</blockquote> 
+
+<p> We search "dc=example, dc=com". The "mail" attribute is used in the
+query_filter to locate the right group, the "result_attribute" setting
+described in ldap_table(5) is used to specify that "memberaddr" values
+from the matching group are to be returned as a comma separated list.
+Always check tables using postmap(1) with the "-q" option, before
+deploying them into production use in main.cf. </p>
+
+<p> Our second use case also expands "memberdn" attributes (1), (2),
+(6) and (7), follows the DN references and returns the "maildrop" of the
+referenced user entries. Here we use the "special_result_attribute"
+setting from ldap_table(5) to designate the "memberdn" attribute
+as holding DNs of the desired member entries. The "result_attribute"
+setting selects which attributes are returned from the selected DNs. It
+is important to choose a result attribute that is not also present in
+the group object, because result attributes are collected from both
+the group and the member DNs. In this case we choose "maildrop" and
+assume for the moment that groups never have a "maildrop" (the "bgroup"
+"maildrop" attribute is for a different use case). The returned data for
+"auser" and "buser" is from items (11) and (13) in the mock data. </p>
+
+<blockquote> 
+<pre>
+    special.cf:
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = memberaddr, maildrop
+        special_result_attribute = memberdn
+    $ postmap -q agroup@example.com ldap:special.cf
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+</pre>
+</blockquote> 
+
+<p> Note: if the desired member object result attribute is always also
+present in the group, you get suprising results, the expansion also
+returns the address of the group. This is a known limitation of Postfix
+releases prior to 2.4, and is addressed in the new with Postfix 2.4
+"leaf_result_attribute" feature described in ldap_table(5). </p>
+
+<p> Our third use case has some groups that are expanded immediately,
+and other groups that are forwarded to a dedicated mailing list manager
+host for delayed expansion. This uses two LDAP tables, one for users
+and forwarded groups and a second for groups that can be expanded
+immediately. It is assumed that groups that require forwarding are
+never nested members of groups that are directly expanded. </p>
+
+<blockquote> 
+<pre>
+    no_expand.cf:
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = maildrop
+    expand.cf
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = memberaddr, maildrop
+        special_result_attribute = memberdn
+    $ postmap -q auser@example.com ldap:no_expand.cf ldap:expand.cf
+    auser@mailhub.example.com
+    $ postmap -q agroup@example.com ldap:no_expand.cf ldap:expand.cf
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+    $ postmap -q bgroup@example.com ldap:no_expand.cf ldap:expand.cf
+    bgroup@mlm.example.com
+</pre>
+</blockquote> 
+
+<p> Non-group objects and groups with delayed expansion (those that have a
+maildrop attribute) are rewritten to a single maildrop value. Groups that
+don't have a maildrop are expanded as the second use case. This admits
+a more elegant solution with Postfix 2.4 and later. </p>
+
+<p> Our final use case is the same as the third, but this time uses new
+features in Postfix 2.4. We now are able to use just one LDAP table and
+no longer need to assume that forwarded groups are never nested inside
+expanded groups. </p>
+
+<blockquote> 
+<pre>
+    fancy.cf:
+        ...
+        search_base = dc=example, dc=com
+        query_filter = mail=%s
+        result_attribute = memberaddr
+        special_result_attribute = memberdn
+        terminal_result_attribute = maildrop
+        leaf_result_attribute = mail
+    $ postmap -q auser@example.com ldap:fancy.cf
+    auser@mailhub.example.com
+    $ postmap -q cuser@example.com ldap:fancy.cf
+    cuser@example.com
+    $ postmap -q agroup@example.com ldap:fancy.cf
+    auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
+    $ postmap -q bgroup@example.com ldap:fancy.cf
+    bgroup@mlm.example.com
+</pre>
+</blockquote> 
+
+<p> Above, delayed expansion is enabled via "terminal_result_attribute",
+which, if present, is used as the sole result and all other expansion is
+suppressed. Otherwise, the "leaf_result_attribute" is only returned for
+leaf objects that don't have a "special_result_attribute" (non-groups),
+while the "result_attribute" (direct member address of groups) is returned
+at every level of recursive expansion, not just the leaf nodes. This fancy
+example illustrates all the features of Postfix 2.4 group expansion. </p>
+
 <h2><a name="other">Other uses of LDAP lookups</a></h2>
 
 Other common uses for LDAP lookups include rewriting senders and
 recipients with Postfix's canonical lookups, for example in order
 to make mail leaving your site appear to be coming from
-"First.Last@site.dom" instead of "userid@site.dom".
+"First.Last@example.com" instead of "userid@example.com".
 
 <h2><a name="hmmmm">Notes and things to think about</a></h2>
 
@@ -240,9 +451,9 @@ to make mail leaving your site appear to be coming from
 
 <blockquote>
 <pre>
-dn: cn=Accounting Staff List, dc=my, dc=com
+dn: cn=Accounting Staff List, dc=example, dc=com
 cn: Accounting Staff List
-o: my.com
+o: example.com
 objectclass: maillist
 mailacceptinggeneralid: accountingstaff
 mailacceptinggeneralid: accounting-staff
diff --git a/postfix/proto/QSHAPE_README.html b/postfix/proto/QSHAPE_README.html
index 2418eba7b..16394a138 100644
--- a/postfix/proto/QSHAPE_README.html
+++ b/postfix/proto/QSHAPE_README.html
@@ -19,17 +19,11 @@
 
 <h2>Purpose of this document </h2>
 
-<p> This document describes the qshape(1) program which helps the
-administrator understand the Postfix queue message distribution
-sorted by time and by sender or recipient domain. qshape(1) is
-bundled with the Postfix 2.1 source under the "auxiliary" directory.
-</p>
-
-<p> In order to understand the output of qshape(1), it useful to
-understand the various Postfix queues. To this end the role of each
-Postfix queue directory is described briefly in the "Background
-info:  Postfix queue directories" section near the end of this
-document.  </p>
+<p> This document is an introduction to Postfix queue congestion analysis.
+It explains how the qshape(1) program can help to track down the
+reason for queue congestion.  qshape(1) is bundled with Postfix
+2.1 and later source code, under the "auxiliary" directory. This
+document describes qshape(1) as bundled with Postfix 2.4.  </p>
 
 <p> This document covers the following topics: </p>
 
@@ -49,7 +43,7 @@ queue</a></li>
 
 <li><a href="#backlog">Example 4: High volume destination backlog</a>
 
-<li><a href="#queues">Background info: Postfix queue directories</a>
+<li><a href="#queues">Postfix queue directories</a>
 
 <ul>
 
@@ -71,7 +65,6 @@ queue</a></li>
 
 <h2><a name="qshape">Introducing the qshape tool</a></h2>
 
-
 <p> When mail is draining slowly or the queue is unexpectedly large,
 run qshape(1) as the super-user (root) to help zero in on the problem.
 The qshape(1) program displays a tabular view of the Postfix queue
@@ -124,6 +117,12 @@ minutes old and 12 older than 1280 minutes (1440 minutes in a day).
 
 </ul>
 
+<p> When the output is a terminal intermediate results showing the top 20
+domains (-n option) are displayed after every 1000 messages (-N option)
+and the final output also shows only the top 20 domains. This makes
+qshape useful even when the deferred queue is very large and it may
+otherwise take prohibitively long to read the entire deferred queue. </p>
+
 <p> By default, qshape shows statistics for the union of both the
 incoming and active queues which are the most relevant queues to
 look at when analyzing performance. </p>
@@ -132,8 +131,8 @@ look at when analyzing performance. </p>
 
 <blockquote>
 <pre>
-$ qshape deferred | less
-$ qshape incoming active deferred | less
+$ qshape deferred
+$ qshape incoming active deferred
 </pre>
 </blockquote>
 
@@ -157,11 +156,11 @@ a burst of mail started, and when it stopped. </p>
 <p> The problem destinations or sender domains appear near the top
 left corner of the output table. Remember that the active queue
 can accommodate up to 20000 ($qmgr_message_active_limit) messages.
-To check wether this limit has been reached, use: </p>
+To check whether this limit has been reached, use: </p>
 
 <blockquote>
 <pre>
-$ qshape -s active | head       <i>(show sender statistics)</i>
+$ qshape -s active       <i>(show sender statistics)</i>
 </pre>
 </blockquote>
 
@@ -169,13 +168,13 @@ $ qshape -s active | head       <i>(show sender statistics)</i>
 not yet saturated, any high volume sender domains show near the
 top of the output.
 
-<p> The active queue is also limited to at most 20000 recipient
-addresses ($qmgr_message_recipient_limit). To check for exhaustion
-of this limit use: </p>
+<p> With oqmgr(8) the active queue is also limited to at most 20000
+recipient addresses ($qmgr_message_recipient_limit). To check for
+exhaustion of this limit use: </p>
 
 <blockquote>
 <pre>
-$ qshape active | head          <i>(show recipient statistics)</i>
+$ qshape active          <i>(show recipient statistics)</i>
 </pre>
 </blockquote>
 
@@ -381,14 +380,17 @@ queue congestion is a greater cause for alarm; one might need to
 take measures to ensure that the mail is deferred instead or even
 add an access(5) rule asking the sender to try again later. </p>
 
-<p> If a high volume destination exhibits frequent bursts of
-consecutive connections refused by all MX hosts or "421 Server busy
-errors", it is possible for the queue manager to mark the destination
-as "dead" despite the transient nature of the errors. The destination
-will be retried again after the expiration of a $minimal_backoff_time
-timer.  If the error bursts are frequent enough it may be that only
-a small quantity of email is delivered before the destination is
-again marked "dead". </p>
+<p> If a high volume destination exhibits frequent bursts of consecutive
+connections refused by all MX hosts or "421 Server busy errors", it
+is possible for the queue manager to mark the destination as "dead"
+despite the transient nature of the errors. The destination will be
+retried again after the expiration of a $minimal_backoff_time timer.
+If the error bursts are frequent enough it may be that only a small
+quantity of email is delivered before the destination is again marked
+"dead". In some cases enabling static (not on demand) connection
+caching by listing the appropriate nexthop domain in a table included in
+"smtp_connection_cache_destinations" may help to reduce the error rate,
+because most messages will re-use existing connections. </p>
 
 <p> The MTA that has been observed most frequently to exhibit such
 bursts of errors is Microsoft Exchange, which refuses connections
@@ -396,17 +398,14 @@ under load. Some proxy virus scanners in front of the Exchange
 server propagate the refused connection to the client as a "421"
 error. </p>
 
-<p> Note that it is now possible to configure Postfix to exhibit
-similarly erratic behavior by misconfiguring the anvil(8) server
-(not included in Postfix 2.1.). Do not use anvil(8) for steady-state
-rate limiting, its purpose is DoS prevention and the rate limits
-set should be very generous! </p>
+<p> Note that it is now possible to configure Postfix to exhibit similarly
+erratic behavior by misconfiguring the anvil(8) service.  Do not use
+anvil(8) for steady-state rate limiting, its purpose is (unintentional)
+DoS prevention and the rate limits set should be very generous! </p>
 
-<p> In the long run it is hoped that the Postfix dead host detection
-and concurrency control mechanism will be tuned to be more "noise"
-tolerant.  If one finds oneself needing to deliver a high volume
-of mail to a destination that exhibits frequent brief bursts of
-errors, there is a subtle workaround. </p>
+<p> If one finds oneself needing to deliver a high volume of mail to a
+destination that exhibits frequent brief bursts of errors and connection
+caching does not solve the problem, there is a subtle workaround. </p>
 
 <ul>
 
@@ -417,12 +416,12 @@ transport for the destination in question. </p>
 transport (a number in the 10-20 range is typical). </p>
 
 <li> <p> IMPORTANT!!! In main.cf configure a very large initial
-and destination concurrency limit for this transport (say 200). </p>
+and destination concurrency limit for this transport (say 2000). </p>
 
 <pre>
 /etc/postfix/main.cf:
-    initial_destination_concurrency = 200
-    <i>transportname</i>_destination_concurrency_limit = 200
+    initial_destination_concurrency = 2000
+    <i>transportname</i>_destination_concurrency_limit = 2000
 </pre>
 
 <p> Where <i>transportname</i> is the name of the master.cf entry
@@ -430,13 +429,13 @@ in question. </p>
 
 </ul>
 
-<p> The effect of this surprising configuration is that up to 200
+<p> The effect of this surprising configuration is that up to 2000
 consecutive errors are tolerated without marking the destination
 dead, while the total concurrency remains reasonable (10-20
 processes). This trick is only for a very specialized situation:
 high volume delivery into a channel with multi-error bursts
 that is capable of high throughput, but is repeatedly throttled by
-the bursts of errors.
+the bursts of errors. </p>
 
 <p> When a destination is unable to handle the load even after the
 Postfix process limit is reduced to 1, a desperate measure is to
@@ -472,7 +471,7 @@ updated when SMTP connection caching is introduced.  </p>
 <p> Hopefully a more elegant solution to these problems will be
 found in the future. </p>
 
-<h2><a name="queues">Background info: Postfix queue directories</a></h2>
+<h2><a name="queues">Postfix queue directories</a></h2>
 
 <p> The following sections describe Postfix queues: their purpose,
 what normal behavior looks like, and how to diagnose abnormal
@@ -497,8 +496,8 @@ to notify the pickup(8) service of its arrival. </p>
 <p> All mail that enters the main Postfix queue does so via the
 cleanup(8) service. The cleanup service is responsible for envelope
 and header rewriting, header and body regular expression checks,
-automatic bcc recipient processing and guaranteed insertion of the
-message into the Postfix "incoming" queue. </p>
+automatic bcc recipient processing, milter content processing, and
+reliable insertion of the message into the Postfix "incoming" queue. </p>
 
 <p> In the absence of excessive CPU consumption in cleanup(8) header
 or body regular expression checks or other software consuming all
@@ -514,9 +513,10 @@ one message at a time at a rate that does not exceed the reciprocal
 disk I/O latency (+ CPU if not negligible) of the cleanup service.
 </p>
 
-<p> Congestion in this queue is indicative of an excessive local
-message submission rate or perhaps excessive CPU consumption in
-the cleanup(8) service due to excessive body_checks. </p>
+<p> Congestion in this queue is indicative of an excessive local message
+submission rate or perhaps excessive CPU consumption in the cleanup(8)
+service due to excessive body_checks, or (Postfix &ge; 2.3) high latency
+milters. </p>
 
 <p> Note, that once the active queue is full, the cleanup service
 will attempt to slow down message injection by pausing $in_flow_delay
@@ -524,10 +524,10 @@ for each message. In this case "maildrop" queue congestion may be
 a consequence of congestion downstream, rather than a problem in
 its own right. </p>
 
-<p> Note also, that one should not attempt to deliver large volumes
-of mail via the pickup(8) service. High volume sites must avoid
-using content filters that reinject scanned mail via Postfix
-sendmail(1) and postdrop(1). </p>
+<p> Note, you should not attempt to deliver large volumes of mail via
+the pickup(8) service. High volume sites should avoid using "simple"
+content filters that re-inject scanned mail via Postfix sendmail(1)
+and postdrop(1). </p>
 
 <p> A high arrival rate of locally submitted mail may be an indication
 of an uncaught forwarding loop, or a run-away notification program.
@@ -545,20 +545,19 @@ size of the "maildrop" queue. </p>
 <p> The administrator can define "smtpd" access(5) policies, or
 cleanup(8) header/body checks that cause messages to be automatically
 diverted from normal processing and placed indefinitely in the
-"hold" queue.  Messages placed in the "hold" queue stay there until
+"hold" queue. Messages placed in the "hold" queue stay there until
 the administrator intervenes. No periodic delivery attempts are
 made for messages in the "hold" queue. The postsuper(1) command
 can be used to manually release messages into the "deferred" queue.
 </p>
 
-<p> Messages can potentially stay in the "hold" queue for a time
-exceeding the normal maximal queue lifetime (after which undelivered
-messages are bounced back to the sender). If such "old" messages
-need to be released from the "hold" queue, they should typically
-be moved into the "maildrop" queue, so that the message gets a new
-timestamp and is given more than one opportunity to be delivered.
-Messages that are "young" can be moved directly into the "deferred"
-queue. </p>
+<p> Messages can potentially stay in the "hold" queue longer than
+$maximal_queue_lifetime. If such "old" messages need to be released from
+the "hold" queue, they should typically be moved into the "maildrop"
+queue using "postsuper -r", so that the message gets a new timestamp and
+is given more than one opportunity to be delivered.  Messages that are
+"young" can be moved directly into the "deferred" queue using
+"postsuper -H". </p>
 
 <p> The "hold" queue plays little role in Postfix performance, and
 monitoring of the "hold" queue is typically more closely motivated
@@ -589,11 +588,15 @@ messages into the active queue as soon as they become available.
 
 <p> The incoming queue grows when the message input rate spikes
 above the rate at which the queue manager can import messages into
-the active queue. The main factor slowing down the queue manager
-is transport queries to the trivial-rewrite service. If the queue
+the active queue. The main factors slowing down the queue manager
+are disk I/O and lookup queries to the trivial-rewrite service. If the queue
 manager is routinely not keeping up, consider not using "slow"
 lookup services (MySQL, LDAP, ...) for transport lookups or speeding
-up the hosts that provide the lookup service.  </p>
+up the hosts that provide the lookup service.  If the problem is I/O
+starvation, consider striping the queue over more disks, faster controllers
+with a battery write cache, or other hardware improvements. At the very
+least, make sure that the queue directory is mounted with the "noatime"
+option if applicable to the underlying filesystem. </p>
 
 <p> The in_flow_delay parameter is used to clamp the input rate
 when the queue manager starts to fall behind. The cleanup(8) service
@@ -645,26 +648,40 @@ combination; the group size is capped by the transport's recipient
 concurrency limit.  </p>
 
 <p> Multiple recipient groups (from one or more messages) are queued
-for delivery via the common transport/nexthop combination. The
-destination concurrency limit for the transports caps the number
+for delivery grouped by transport/nexthop combination. The
+<b>destination</b> concurrency limit for the transports caps the number
 of simultaneous delivery attempts for each nexthop. Transports with
-a recipient concurrency limit of 1 are special: these are grouped
-by the actual recipient address rather than the nexthop, thereby
-enabling per-recipient concurrency limits rather than per-domain
+a <b>recipient</b> concurrency limit of 1 are special: these are grouped
+by the actual recipient address rather than the nexthop, yielding
+per-recipient concurrency limits rather than per-domain
 concurrency limits. Per-recipient limits are appropriate when
 performing final delivery to mailboxes rather than when relaying
 to a remote server.  </p>
 
 <p> Congestion occurs in the active queue when one or more destinations
-drain slower than the corresponding message input rate. If a
-destination is down for some time, the queue manager will mark it
-dead, and immediately defer all mail for the destination without
+drain slower than the corresponding message input rate. </p>
+
+<p> Input into the active queue comes both from new mail in the "incoming"
+queue, and retries of mail in the "deferred" queue. Should the "deferred"
+queue get really large, retries of old mail can dominate the arrival
+rate of new mail. Systems with more CPU, faster disks and more network
+bandwidth can deal with larger deferred queues, but as a rule of thumb
+the deferred queue scales to somewhere between 100,000 and 1,000,000
+messages with good performance unlikely above that "limit". Systems with
+queues this large should typically stop accepting new mail, or put the
+backlog "on hold" until the underlying issue is fixed (provided that
+there is enough capacity to handle just the new mail). </p>
+
+<p> When a destination is down for some time, the queue manager will
+mark it dead, and immediately defer all mail for the destination without
 trying to assign it to a delivery agent. In this case the messages
-will quickly leave the active queue and end up in the deferred
-queue. If the destination is instead simply slow, or there is a
-problem causing an excessive arrival rate the active queue will
-grow and will become dominated by mail to the congested destination.
-</p>
+will quickly leave the active queue and end up in the deferred queue
+(with Postfix &lt; 2.4, this is done directly by the queue manager,
+with Postfix &ge; 2.4 this is done via the "retry" delivery agent). </p>
+
+<p> When the destination is instead simply slow, or there is a problem
+causing an excessive arrival rate the active queue will grow and will
+become dominated by mail to the congested destination.  </p>
 
 <p> The only way to reduce congestion is to either reduce the input
 rate or increase the throughput. Increasing the throughput requires
@@ -691,28 +708,56 @@ a high average latency. If the number of outbound SMTP connections
 is draining slowly and the system and network are not loaded, raise
 the "smtp" and/or "relay" process limits!  </p>
 
-<p> Especially for the "relay" transport, consider lower SMTP
-connection timeouts (1-5 seconds) and higher than default destination
-concurrency limits. Compute the expected latency when 1 out of N
-of the MX hosts for a high volume site is down and not responding,
-and make sure that the configured concurrency divided by this
-latency exceeds the required steady-state message rate. If the
-destination is managed by you, consider load balancers in front of
-groups of MX hosts. Load balancers have higher uptime and will be
-able to hide individual MX host failures.  </p>
-
-<p> If necessary, dedicate and tune custom transports for high
-volume destinations.  </p>
-
-<p> Another common cause of congestion is unwarranted flushing of
-the entire deferred queue. The deferred queue holds messages that
-are likely to fail to be delivered and are also likely to be slow
-to fail delivery (timeouts). This means that the most common reaction
-to a large deferred queue (flush it!) is more than likely counter-
-productive, and is likely to make the problem worse. Do not flush
-the deferred queue unless you expect that most of its content has
-recently become deliverable (e.g. relayhost back up after an outage)!
-</p>
+<p> When a high volume destination is served by multiple MX hosts with
+typically low delivery latency, performance can suffer dramatically when
+one of the MX hosts is unresponsive and SMTP connections to that host
+timeout. For example, if there are 2 equal weight MX hosts, the SMTP
+connection timeout is 30 seconds and one of the MX hosts is down, the
+average SMTP connection will take approximately 15 seconds to complete.
+With a default per-destination concurrency limit of 20 connections,
+throughput falls to just over 1 message per second. </p>
+
+<p> The best way to avoid bottlenecks when one or more MX hosts is
+non-responsive is to use connection caching. Connection caching was
+introduced with Postfix 2.2 and is by default enabled on demand for
+destinations with a backlog of mail in the active queue. When connection
+caching is in effect for a particular destination, established connections
+are re-used to send additional messages, this reduces the number of
+connections made per message delivery and maintains good throughput even
+in the face of partial unavailability of the destination's MX hosts. </p>
+
+<p> If connection caching is not available (Postfix &lt; 2.2) or does
+not provide a sufficient latency reduction, especially for the "relay"
+transport used to forward mail to "your own" domains, consider setting
+lower than default SMTP connection timeouts (1-5 seconds) and higher
+than default destination concurrency limits. This will further reduce
+latency and provide more concurrency to maintain throughput should
+latency rise. </p>
+
+<p> Setting high concurrency limits to domains that are not your own may
+be viewed as hostile by the receiving system, and steps may be taken
+to prevent you from monopolizing the destination system's resources.
+The defensive measures may substantially reduce your throughput or block
+access entirely. Do not set aggressive concurrency limits to remote
+domains without coordinating with the administrators of the target
+domain. </p>
+
+<p> If necessary, dedicate and tune custom transports for selected high
+volume destinations. The "relay" transport is provided for forwarding mail
+to domains for which your server is a primary or backup MX host. These can
+make up a substantial fraction of your email traffic. Use the "relay" and
+not the "smtp" transport to send email to these domains. Using the "relay"
+transport allocates a separate delivery agent pool to these destinations
+and allows separate tuning of timeouts and concurrency limits. </p>
+
+<p> Another common cause of congestion is unwarranted flushing of the
+entire deferred queue. The deferred queue holds messages that are likely
+to fail to be delivered and are also likely to be slow to fail delivery
+(time out). As a result the most common reaction to a large deferred queue
+(flush it!) is more than likely counter-productive, and typically makes
+the congestion worse. Do not flush the deferred queue unless you expect
+that most of its content has recently become deliverable (e.g. relayhost
+back up after an outage)!  </p>
 
 <p> Note that whenever the queue manager is restarted, there may
 already be messages in the active queue directory, but the "real"
@@ -723,7 +768,7 @@ queue scan to refill the active queue. The process of moving all
 the messages back and forth, redoing transport table (trivial-rewrite(8)
 resolve service) lookups, and re-importing the messages back into
 memory is expensive. At all costs, avoid frequent restarts of the
-queue manager.  </p>
+queue manager (e.g. via frequent execution of "postfix reload").  </p>
 
 <h3> <a name="deferred_queue"> The "deferred" queue </a> </h3>
 
@@ -732,20 +777,19 @@ and for some recipients delivery failed for a transient reason (it
 might succeed later), the message is placed in the deferred queue.
 </p>
 
-<p> The queue manager scans the deferred queue periodically. The
-scan interval is controlled by the queue_run_delay parameter.
-While a deferred queue scan is in progress, if an incoming queue
-scan is also in progress (ideally these are brief since the incoming
-queue should be short), the queue manager alternates between bringing
-a new "incoming" message and a new "deferred" message into the
-queue.  This "round-robin" strategy prevents starvation of either
-the incoming or the deferred queues.  </p>
+<p> The queue manager scans the deferred queue periodically. The scan
+interval is controlled by the queue_run_delay parameter.  While a deferred
+queue scan is in progress, if an incoming queue scan is also in progress
+(ideally these are brief since the incoming queue should be short), the
+queue manager alternates between looking for messages in the "incoming"
+queue and in the "deferred" queue. This "round-robin" strategy prevents
+starvation of either the incoming or the deferred queues.  </p>
 
 <p> Each deferred queue scan only brings a fraction of the deferred
 queue back into the active queue for a retry. This is because each
 message in the deferred queue is assigned a "cool-off" time when
 it is deferred.  This is done by time-warping the modification
-times of the queue file into the future. The queue file is not
+time of the queue file into the future. The queue file is not
 eligible for a retry if its modification time is not yet reached.
 </p>
 
@@ -756,28 +800,34 @@ within the limits. This means that young messages are initially
 retried more often than old messages.  </p>
 
 <p> If a high volume site routinely has large deferred queues, it
-may be useful to adjust the queue_run_delay, minimal_backoff_time
-and maximal_backoff_time to provide short enough delays on first
-failure, with perhaps longer delays after multiple failures, to
-reduce the retransmission rate of old messages and thereby reduce
-the quantity of previously deferred mail in the active queue.  </p>
+may be useful to adjust the queue_run_delay, minimal_backoff_time and
+maximal_backoff_time to provide short enough delays on first failure
+(Postfix &ge; 2.4 has a sensibly low minimal backoff time by default),
+with perhaps longer delays after multiple failures, to reduce the
+retransmission rate of old messages and thereby reduce the quantity
+of previously deferred mail in the active queue.  If you want a really
+low minimal_backoff_time, you may also want to lower queue_run_delay,
+but understand that more frequent scans will increase the demand for
+disk I/O. </p>
 
 <p> One common cause of large deferred queues is failure to validate
 recipients at the SMTP input stage. Since spammers routinely launch
 dictionary attacks from unrepliable sender addresses, the bounces
-for invalid recipient addresses clog the deferred queue (and at
-high volumes proportionally clog the active queue). Recipient
-validation is strongly recommended through use of the local_recipient_maps
-and relay_recipient_maps parameters.  </p>
+for invalid recipient addresses clog the deferred queue (and at high
+volumes proportionally clog the active queue). Recipient validation
+is strongly recommended through use of the local_recipient_maps and
+relay_recipient_maps parameters. Even when bounces drain quickly they
+inundate innocent victims of forgery with unwanted email. To avoid
+this, do not accept mail for invalid recipients. </p>
 
 <p> When a host with lots of deferred mail is down for some time,
 it is possible for the entire deferred queue to reach its retry
 time simultaneously. This can lead to a very full active queue once
 the host comes back up. The phenomenon can repeat approximately
 every maximal_backoff_time seconds if the messages are again deferred
-after a brief burst of congestion. Ideally, in the future Postfix
+after a brief burst of congestion. Perhaps, a future Postfix release
 will add a random offset to the retry time (or use a combination
-of strategies) to reduce the chances of repeated complete deferred
+of strategies) to reduce the odds of repeated complete deferred
 queue flushes.  </p>
 
 <h2><a name="credits">Credits</a></h2>
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index b9c662aaf..fd3441892 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -149,7 +149,7 @@ their CCARGS and AUXLIBS into the above command line. </p>
 
 <h2><a name="build_sasl">Building the Cyrus SASL library</a></h2>
 
-<p> Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, 
+<p> Postfix appears to work with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, 
 which are available from: </p>
 
 <blockquote>
@@ -160,11 +160,11 @@ ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
 
 <p> IMPORTANT: if you install the Cyrus SASL libraries as per the
 default, you will have to symlink /usr/lib/sasl -&gt; /usr/local/lib/sasl
-for version 1.5.5 or /usr/lib/sasl2 -&gt; /usr/local/lib/sasl2 for
-version 2.1.1. </p>
+for version 1.5.x or /usr/lib/sasl2 -&gt; /usr/local/lib/sasl2 for
+version 2.1.x. </p>
 
-<p> Reportedly, Microsoft Internet Explorer version 5 requires the
-non-standard SASL LOGIN authentication method. To enable this
+<p> Reportedly, Microsoft Outlook (Express) requires the
+non-standard LOGIN authentication method. To enable this
 authentication method, specify ``./configure --enable-login''. </p>
 
 <h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2>
@@ -178,7 +178,7 @@ and that the Cyrus SASL libraries are in /usr/local/lib. </p>
 
 <dl>
 
-<dt> (for Cyrus SASL version 1.5.5):
+<dt> (for Cyrus SASL version 1.5.x):
 <dd>
 <pre>
 % make tidy # if you have left-over files from a previous build
@@ -186,7 +186,7 @@ and that the Cyrus SASL libraries are in /usr/local/lib. </p>
     -I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
 </pre>
 
-<dt> (for Cyrus SASL version 2.1.1):
+<dt> (for Cyrus SASL version 2.1.x):
 <dd>
 <pre>
 % make tidy # if you have left-over files from a previous build
@@ -201,7 +201,7 @@ otherwise ld.so will not find the SASL shared library: </p>
 
 <dl>
 
-<dt> (for Cyrus SASL version 1.5.5):
+<dt> (for Cyrus SASL version 1.5.x):
 <dd>
 <pre>
 % make tidy # if you have left-over files from a previous build
@@ -210,7 +210,7 @@ otherwise ld.so will not find the SASL shared library: </p>
     -R/usr/local/lib -lsasl"
 </pre>
 
-<dt> (for Cyrus SASL version 2.1.1):
+<dt> (for Cyrus SASL version 2.1.x):
 <dd>
 <pre>
 % make tidy # if you have left-over files from a previous build
@@ -258,8 +258,9 @@ SMTP server</a></h2>
 
 <p> Older Microsoft SMTP client software implements a non-standard
 version of the AUTH protocol syntax, and expects that the SMTP
-server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
-stuff".  To accommodate such clients (in addition to conformant
+server replies to EHLO with "250 AUTH=mechanism-list" instead of
+"250 AUTH mechanism-list".  To accommodate such clients (in addition
+to conformant
 clients) use the following: </p>
 
 <blockquote>
@@ -318,22 +319,41 @@ the Dovecot authentication server. </p>
 <h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix
 SMTP server</a></h2>
 
-<p> In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or
-/usr/local/lib/sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to
-specify how the server should validate client passwords. </p>
+<p> You need to configure how the Cyrus SASL library should
+authenticate a client's username and password. These settings must
+be stored in a separate configuration file. </p>
+
+<p> The name of the configuration file (default: smtpd.conf) will
+be constructed from a value sent by Postfix to the Cyrus SASL
+library, which adds the suffix .conf. The value is configured using
+one of the following variables: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+    # Postfix 2.3 and later
+    smtpd_sasl_path = smtpd
+    # Postfix < 2.3
+    smtpd_sasl_application_name = smtpd
+</pre>
+</blockquote>
+
+<p> Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/
+(Cyrus SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL
+version 2.1.x). </p>
 
 <p> Note: some Postfix distributions are modified and look for 
-the smtpd.conf file in /etc/postfix. </p>
+the smtpd.conf file in /etc/postfix/sasl. </p>
 
 <p> Note: some Cyrus SASL distributions look for the smtpd.conf
 file in /etc/sasl2. </p>
 
 <ul>
 
-<li> <p> To authenticate against the UNIX password database, try: </p>
+<li> <p> To authenticate against the UNIX password database, use: </p>
 
 <dl>
-<dt> (Cyrus SASL version 1.5.5)
+<dt> (Cyrus SASL version 1.5.x)
 <dd>
 <pre>
 /usr/local/lib/sasl/smtpd.conf:
@@ -341,39 +361,13 @@ file in /etc/sasl2. </p>
 
 </pre>
 
-<dt> (Cyrus SASL version 2.1.1)
-<dd>
-<pre>
-/usr/local/lib/sasl2/smtpd.conf:
-    pwcheck_method: pwcheck
-</pre>
-
-</dl>
-
-<p> The name of the file in /usr/local/lib/sasl (Cyrus SASL version
-1.5.5) or /usr/local/lib/sasl2 (Cyrus SASL version 2.1.1) used by
-the SASL
-library for configuration can be set with: </p>
-
-<blockquote>
-<pre>
-/etc/postfix/main.cf:
-    smtpd_sasl_application_name = smtpd (Postfix &lt; 2.3)
-    smtpd_sasl_path = smtpd (Postfix 2.3 and later)
-</pre>
-</blockquote>
+<p> IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck
+and waits for authentication requests. Postfix processes must have
+read+execute permission to this directory or authentication attempts
+will fail. </p>
 
 <p> The pwcheck daemon is contained in the cyrus-sasl source tarball. </p>
 
-<p> IMPORTANT: postfix processes need to have group read+execute
-permission for the /var/pwcheck directory, otherwise authentication
-attempts will fail. </p>
-
-<li> <p> Alternately, in Cyrus SASL 1.5.26 and later (including
-2.1.1), try: </p>
-
-<dl>
-
 <dt> (Cyrus SASL version 1.5.26)
 <dd>
 <pre>
@@ -381,11 +375,12 @@ attempts will fail. </p>
     pwcheck_method: saslauthd
 </pre>
 
-<dt> (Cyrus SASL version 2.1.1)
+<dt> (Cyrus SASL version 2.1.x)
 <dd>
 <pre>
 /usr/local/lib/sasl2/smtpd.conf:
     pwcheck_method: saslauthd
+    mech_list: PLAIN LOGIN
 </pre>
 
 </dl>
@@ -395,27 +390,38 @@ tarball.  It is more flexible than the pwcheck daemon, in that it
 can authenticate against PAM and various other sources. To use PAM,
 start saslauthd with "-a pam". </p>
 
+<p> IMPORTANT: saslauthd usually establishes a UNIX domain socket
+in /var/run/saslauthd and waits for authentication requests. Postfix
+processes must have read+execute permission to this directory or
+authentication attempts will fail. </p>
+
+<p> Note: The directory where saslauthd puts the socket is configurable.
+See the command-line option "-m /path/to/socket" in the saslauthd
+--help listing. </p>
+
 <li> <p> To authenticate against Cyrus SASL's own password database: </p>
 
 <dl>
-<dt> (Cyrus SASL version 1.5.5)
+<dt> (Cyrus SASL version 1.5.x)
 <dd>
 <pre>
 /usr/local/lib/sasl/smtpd.conf:
-    pwcheck_method:  sasldb
+    pwcheck_method: sasldb
 </pre>
 
-<dt> (Cyrus SASL version 2.1.1)
+<dt> (Cyrus SASL version 2.1.x)
 <dd>
 <pre>
 /usr/local/lib/sasl2/smtpd.conf:
-    pwcheck_method:  auxprop
+    pwcheck_method: auxprop
+    auxprop_plugin: sasldb
+    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 </pre>
 
 </dl>
 
 <p> This will use the Cyrus SASL password file (default: /etc/sasldb in
-version 1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained
+version 1.5.x, or /etc/sasldb2 in version 2.1.x), which is maintained
 with the saslpasswd or saslpasswd2 command (part of the Cyrus SASL
 software). On some poorly-supported systems the saslpasswd command needs
 to be run multiple times before it stops complaining.  The Postfix SMTP
@@ -430,13 +436,13 @@ domain (realm) to a fully qualified domain name. </p>
 <p> EXAMPLE: </p>
 
 <dl>
-<dt> (Cyrus SASL version 1.5.5)
+<dt> (Cyrus SASL version 1.5.x)
 <dd>
 <pre>
 % saslpasswd -c -u `postconf -h myhostname` exampleuser
 </pre>
 
-<dt> (Cyrus SASL version 2.1.1)
+<dt> (Cyrus SASL version 2.1.x)
 <dd>
 <pre>
 % saslpasswd2 -c -u `postconf -h myhostname` exampleuser
@@ -445,8 +451,8 @@ domain (realm) to a fully qualified domain name. </p>
 </dl>
 
 <p> You can find out SASL's idea about the realms of the users
-in sasldb with <i>sasldblistusers</i> (Cyrus SASL version 1.5.5) or
-<i>sasldblistusers2</i> (Cyrus SASL version 2.1.1). </p>
+in sasldb with <i>sasldblistusers</i> (Cyrus SASL version 1.5.x) or
+<i>sasldblistusers2</i> (Cyrus SASL version 2.1.x). </p>
 
 <p> On the Postfix side, you can have only one realm per smtpd
 instance, and only the users belonging to that realm would be able to
@@ -462,18 +468,14 @@ realm used by smtpd: </p>
 
 </ul>
 
-<p> IMPORTANT: all users must be able to authenticate using ALL
-authentication mechanisms advertised by Postfix, otherwise the
-negotiation might end up with an unsupported mechanism, and
-authentication would fail.  For example if you configure SASL to
-use <i>saslauthd</i> for authentication against PAM (pluggable
-authentication modules), only the PLAIN and LOGIN mechanisms are
-supported and stand a chance to succeed, yet the SASL library would also
-advertise other mechanisms, such as DIGEST-MD5.  This happens because
-those mechanisms are made available by other plugins, and the SASL
-library have no way to know that your only valid authentication source
-is PAM.  Thus you might need to limit the list of mechanisms advertised
-by Postfix. </p>
+<p> IMPORTANT: The Cyrus SASL password verification services pwcheck
+and saslauthd can only support the plaintext mechanisms PLAIN or
+LOGIN.  However, the Cyrus SASL library doesn't know this, and will
+happily advertise other authentication mechanisms that the SASL
+library implements, such as DIGEST-MD5. As a result, if an SMTP
+client chooses any mechanism other than PLAIN or LOGIN while pwcheck
+or saslauthd are used, authentication will fail. Thus you may need
+to limit the list of mechanisms advertised by Postfix. </p>
 
 <ul> 
 
@@ -481,7 +483,9 @@ by Postfix. </p>
 library files from the SASL plug-in directory (and again whenever
 the system is updated). </p>
 
-<li> <p> With Cyrus SASL version 2.1.1 or later: </p>
+<li> <p> With Cyrus SASL version 2.1.x or later the mech_list variable
+can specify a list of authentication mechanisms that Cyrus SASL may
+offer: </p>
 
 <blockquote>
 <pre>
@@ -497,17 +501,17 @@ used for authentication. </p>
 
 <ul>
 
-<li> <p> With Cyrus SASL version 1.5.5 your only choice is to
+<li> <p> With Cyrus SASL version 1.5.x your only choice is to
 delete the corresponding library files from the SASL plug-in 
 directory. </p>
 
-<li> <p> With SASL version 2.1.1: </p>
+<li> <p> With SASL version 2.1.x: </p>
 
 <blockquote>
 <pre>
 /usr/local/lib/sasl2/smtpd.conf:
-    pwcheck_method:  auxprop
-    auxprop_plugin:  sql
+    pwcheck_method: auxprop
+    auxprop_plugin: sql
 </pre>
 </blockquote>
 
@@ -570,8 +574,10 @@ to recover from the base64-encoded form. </p>
 <h2><a name="debugging">Trouble shooting the SASL internals</a></h2>
 
 <p> In the Cyrus SASL sources you'll find a subdirectory named
-"sample".  Run make there, "su" to the user <i>postfix</i> (or
-whatever your <i>mail_owner</i> directive is set to):
+"sample".  Run make there, then create a symbolic link from sample.conf
+to smtpd.conf in your Cyrus SASL library directory /usr/local/lib/sasl2.
+"su" to the user <i>postfix</i> (or whatever your <i>mail_owner</i>
+directive is set to): </p>
 
 <blockquote>
 <pre>
@@ -580,10 +586,11 @@ whatever your <i>mail_owner</i> directive is set to):
 </blockquote>
 
 <p> then run the resulting sample server and client in separate
-terminals.  Strace / ktrace / truss the server to see what makes
-it unhappy, and fix the problem.  Repeat the previous step until
-you can successfully authenticate with the sample client.  Only
-then get back to Postfix. </p>
+terminals.  The sample applications send log messages to the syslog
+facility auth.  Check the log to fix the problem or run strace /
+ktrace / truss on the server to see what makes it unhappy. Repeat
+the previous step until you can successfully authenticate with the
+sample client. Only then get back to Postfix. </p>
 
 <h2><a name="client_sasl">Enabling SASL authentication in the
 Postfix SMTP client</a></h2>
@@ -612,6 +619,12 @@ table. </p>
 </pre>
 </blockquote>
 
+<p> The Postfix SASL client password file is opened before the SMTP
+server enters the optional chroot jail, so you can keep the file
+in /etc/postfix and set permissions read / write only for root to
+keep the username:password combinations away from other system
+users. </p>
+
 <p> Postfix version 2.3 supports-per-sender SASL password
 information. To search the Postfix SASL password by sender 
 before it searches by destination, specify: </p>
@@ -645,10 +658,6 @@ for example: </p>
 </pre>
 </blockquote>
 
-<p> The Postfix SASL client password file is opened before the SMTP server
-enters the optional chroot jail, so you can keep the file in
-/etc/postfix. </p>
-
 <p> Note: Some SMTP servers support authentication mechanisms that,
 although available on the client system, may not in practice work or
 possess the appropriate credentials to authenticate to the server. It
@@ -664,7 +673,7 @@ into consideration:  </p>
 </blockquote>
 
 <p> In the above example, Postfix will decline to use mechanisms
-that require special infrastructure such as Kerberos. </p>
+that require special infrastructure such as Kerberos or TLS. </p>
 
 <p> The Postfix SMTP client is backwards compatible with SMTP
 servers that use the non-standard "AUTH=method..." syntax in response
@@ -694,6 +703,9 @@ smtpd_sasl_application_name into smtpd_sasl_path.
 <li> The Dovecot SMTP server-only plug-in was originally implemented by
 Timo Sirainen of Procontrol, Finland.
 
+<li> Patrick Ben Koetter revised this document for Postfix 2.4 and
+made much needed updates.
+
 </ul>
 
 </body>
diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html
index 6030d6183..b2056a0c3 100644
--- a/postfix/proto/SMTPD_POLICY_README.html
+++ b/postfix/proto/SMTPD_POLICY_README.html
@@ -26,11 +26,12 @@ that runs outside Postfix. </p>
 
 <p> With this policy delegation mechanism, a simple <a href="#greylist">
 greylist </a> policy can be implemented with only a dozen lines of
-Perl, as is shown at the end of this document. Another example of
-policy delegation is the SPF policy server by Meng Wong at
-http://spf.pobox.com/.  Examples of both policies can be found in
-the Postfix source code, in the directory examples/smtpd-policy.
-</p>
+Perl, as is shown at the end of this document. A complete example
+can be found in the Postfix source code, in the directory
+examples/smtpd-policy. </p>
+
+<p> Another example of policy delegation is the SPF policy server
+at http://www.openspf.org/Software.  </p>
 
 <p> Policy delegation is now the preferred method for adding policies
 to Postfix. It's much easier to develop a new feature in few lines
diff --git a/postfix/proto/TLS_LEGACY_README.html b/postfix/proto/TLS_LEGACY_README.html
index ba1dff037..a46f99c58 100644
--- a/postfix/proto/TLS_LEGACY_README.html
+++ b/postfix/proto/TLS_LEGACY_README.html
@@ -829,7 +829,7 @@ is correctly configured to supply its intermediate CA certificate). </p>
 <pre>
 /etc/postfix/main.cf:
     smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-    smtp_tls_dkey_file = $smtpd_tls_cert_file
+    smtp_tls_dkey_file = $smtp_tls_dcert_file
 </pre>  
 </blockquote>
 
@@ -857,7 +857,7 @@ privileges) from the files in the directory when the information
 is needed. Thus, the $smtp_tls_CApath directory needs to be accessible
 inside the optional chroot jail.  </p>
 
-<p> The choice between $smtp_tls_CAfile and $smtpd_tls_CApath is
+<p> The choice between $smtp_tls_CAfile and $smtp_tls_CApath is
 a space/time tradeoff. If there are many trusted CAs, the cost of
 preloading them all into memory may not pay off in reduced access time
 when the certificate is needed.  </p>
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html
index 0d341714b..289829f0a 100644
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -969,7 +969,7 @@ is correctly configured to supply its intermediate CA certificate). </p>
 <pre>
 /etc/postfix/main.cf:
     smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-    smtp_tls_dkey_file = $smtpd_tls_cert_file
+    smtp_tls_dkey_file = $smtp_tls_dcert_file
 </pre>  
 </blockquote>
 
@@ -997,7 +997,7 @@ privileges) from the files in the directory when the information
 is needed. Thus, the $smtp_tls_CApath directory needs to be accessible
 inside the optional chroot jail.  </p>
 
-<p> The choice between $smtp_tls_CAfile and $smtpd_tls_CApath is
+<p> The choice between $smtp_tls_CAfile and $smtp_tls_CApath is
 a space/time tradeoff. If there are many trusted CAs, the cost of
 preloading them all into memory may not pay off in reduced access time
 when the certificate is needed.  </p>
diff --git a/postfix/proto/TUNING_README.html b/postfix/proto/TUNING_README.html
index 9882044aa..0ad9830bc 100644
--- a/postfix/proto/TUNING_README.html
+++ b/postfix/proto/TUNING_README.html
@@ -224,7 +224,8 @@ seconds or $smtpd_error_sleep_time, whichever is more.  </p>
 
 <h2><a name="conn_limit">Measures against clients that make too many connections</a></h2>
 
-<p> Note: this feature is not included with Postfix version 2.1. </p>
+<p> Note: the anvil(8) service was introduced with Postfix version
+2.2. </p>
 
 <p> The Postfix smtpd(8) server can limit the number of simultaneous
 connections from the same SMTP client, as well as the number of
diff --git a/postfix/proto/VIRTUAL_README.html b/postfix/proto/VIRTUAL_README.html
index eea8bafd3..7139d0934 100644
--- a/postfix/proto/VIRTUAL_README.html
+++ b/postfix/proto/VIRTUAL_README.html
@@ -432,9 +432,13 @@ domain!  </p>
 
 <li> <p> Lines 4, 7-13: The virtual_mailbox_maps parameter specifies
 the lookup table with all valid recipient addresses. The lookup
-result is ignored by Postfix.  In the above example, info@example.com
-and sales@example.com are listed as valid addresses, and mail for
-anything else is rejected with "User unknown". If you intend to
+result value is ignored by Postfix.  In the above example,
+info@example.com
+and sales@example.com are listed as valid addresses; other mail for
+example.com is rejected with "User unknown" by the Postfix SMTP
+server. It's left up to the non-Postfix delivery agent to reject
+non-existent recipients from local submission or from local alias
+expansion.  If you intend to
 use LDAP, MySQL or PgSQL instead of local files, be sure to review
 the <a href="#local_vs_database"> "local files versus databases"</a>
 section at the top of this document! </p>
diff --git a/postfix/proto/access b/postfix/proto/access
index 2e2af8615..261ca8b2e 100644
--- a/postfix/proto/access
+++ b/postfix/proto/access
@@ -2,7 +2,7 @@
 # NAME
 #	access 5
 # SUMMARY
-#	Postfix access table format
+#	Postfix SMTP server access table
 # SYNOPSIS
 #	\fBpostmap /etc/postfix/access\fR
 #
@@ -10,29 +10,28 @@
 #
 #	\fBpostmap -q - /etc/postfix/access <\fIinputfile\fR
 # DESCRIPTION
-#	The optional \fBaccess\fR(5) table directs the Postfix SMTP server
-#	to selectively reject or accept mail. Access can be allowed or
-#	denied for specific host names, domain names, networks, host
-#	addresses or mail addresses.
-#
-#	For an example, see the EXAMPLE section at the end of this
-#	manual page.
+#	The Postfix SMTP server supports access control on remote
+#	SMTP client information: host names, network addresses, and
+#	envelope sender
+#	or recipient addresses.  See \fBheader_checks\fR(5) or
+#	\fBbody_checks\fR(5) for access control on the content of
+#	email messages.
 #
 #	Normally, the \fBaccess\fR(5) table is specified as a text file
 #	that serves as input to the \fBpostmap\fR(1) command.
 #	The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
-#	is used for fast searching by the mail system. Execute the command
-#	"\fBpostmap /etc/postfix/access\fR" in order to rebuild the indexed
-#	file after changing the access table.
+#	is used for fast searching by the mail system. Execute the
+#	command "\fBpostmap /etc/postfix/access\fR" to rebuild an
+#	indexed file after changing the corresponding text file.
 #
 #	When the table is provided via other means such as NIS, LDAP
 #	or SQL, the same lookups are done as for ordinary indexed files.
 #
 #	Alternatively, the table can be provided as a regular-expression
 #	map where patterns are given as regular expressions, or lookups
-#	can be directed to TCP-based server. In that case, the lookups are
-#	done in a slightly different way as described below under
-#	"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+#	can be directed to TCP-based server. In those cases, the lookups
+#	are done in a slightly different way as described below under
+#	"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 # CASE FOLDING
 # .ad
 # .fi
@@ -175,7 +174,8 @@
 #	specified, otherwise reply with a generic error response message.
 # .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR
 #	Defer the request if some later restriction would result in a
-#	REJECT action. Reply with "\fB450\fI optional text...\fR when the
+#	REJECT action. Reply with "\fB450 4.7.1 \fI optional
+#	text...\fR when the
 #	optional text is specified, otherwise reply with a generic error
 #	response message.
 # .sp
@@ -183,7 +183,7 @@
 # .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
 #	Defer the request if some later restriction would result in a
 #	an explicit or implicit PERMIT action.
-#	Reply with "\fB450\fI optional text...\fR when the
+#	Reply with "\fB450 4.7.1 \fI optional text...\fR when the
 #	optional text is specified, otherwise reply with a generic error
 #	response message.
 # .sp
@@ -260,20 +260,21 @@
 # .sp
 #	Note: use "\fBpostsuper -r\fR" to release mail that was kept on
 #	hold for a significant fraction of \fB$maximal_queue_lifetime\fR
-#	or \fB$bounce_queue_lifetime\fR, or longer.
+#	or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
+#	only for mail that will not expire within a few delivery attempts.
 # .sp
 #	Note: this action currently affects all recipients of the message.
 # .sp
 #	This feature is available in Postfix 2.0 and later.
 # .IP "\fBPREPEND \fIheadername: headervalue\fR"
 #	Prepend the specified message header to the message.
-#	When this action is used multiple times, the first prepended
-#	header appears before the second etc. prepended header.
-# .sp
-#	Note: this action does not support multi-line message headers.
+#	When more than one PREPEND action executes, the first
+#	prepended header appears before the second etc. prepended
+#	header.
 # .sp
-#	Note: this action must be used before the message content
-#	is received; it cannot be used in \fBsmtpd_end_of_data_restrictions\fR.
+#	Note: this action must execute before the message content
+#	is received; it cannot execute in the context of
+#	\fBsmtpd_end_of_data_restrictions\fR.
 # .sp
 #	This feature is available in Postfix 2.1 and later.
 # .IP "\fBREDIRECT \fIuser@domain\fR"
@@ -339,7 +340,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.3.
+#	This feature is not available up to and including Postfix version 2.4.
 #
 #	Each lookup operation uses the entire query string once.
 #	Depending on the application, that string is an entire client
diff --git a/postfix/proto/aliases b/postfix/proto/aliases
index 4aab46b31..2ac242c9f 100644
--- a/postfix/proto/aliases
+++ b/postfix/proto/aliases
@@ -69,8 +69,8 @@
 #	When the command fails, a limited amount of command output is
 #	mailed back to the sender.  The file \fB/usr/include/sysexits.h\fR
 #	defines the expected exit status codes. For example, use
-#	\fB|"exit 67"\fR to simulate a "user unknown" error, and
-#	\fB|"exit 0"\fR to implement an expensive black hole.
+#	\fB"|exit 67"\fR to simulate a "user unknown" error, and
+#	\fB"|exit 0"\fR to implement an expensive black hole.
 # .IP \fB:include:\fI/file/name\fR
 #	Mail is sent to the destinations listed in the named file.
 #	Lines in \fB:include:\fR files have the same syntax
diff --git a/postfix/proto/bounce b/postfix/proto/bounce
index 842cad9b8..113fea84f 100644
--- a/postfix/proto/bounce
+++ b/postfix/proto/bounce
@@ -24,7 +24,8 @@
 # GENERAL PROCEDURE
 # .ad
 # .fi
-#	To create customized bounce template file, create a temporary
+#	To create a customized bounce template file, create a
+#	temporary
 #	copy of the file \fB/etc/postfix/bounce.cf.default\fR and
 #	edit the temporary file.
 #
diff --git a/postfix/proto/canonical b/postfix/proto/canonical
index 1aeb6e752..cc65ec407 100644
--- a/postfix/proto/canonical
+++ b/postfix/proto/canonical
@@ -19,17 +19,17 @@
 #	that serves as input to the \fBpostmap\fR(1) command.
 #	The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
 #	is used for fast searching by the mail system. Execute the command
-#	"\fBpostmap /etc/postfix/canonical\fR" in order to rebuild the indexed
-#	file after changing the text file.
+#	"\fBpostmap /etc/postfix/canonical\fR" to rebuild an indexed
+#	file after changing the corresponding text file.
 #
 #	When the table is provided via other means such as NIS, LDAP
 #	or SQL, the same lookups are done as for ordinary indexed files.
 #
 #	Alternatively, the table can be provided as a regular-expression
 #	map where patterns are given as regular expressions, or lookups
-#	can be directed to TCP-based server. In that case, the lookups are
-#	done in a slightly different way as described below under
-#	"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+#	can be directed to TCP-based server. In those cases, the lookups
+#	are done in a slightly different way as described below under
+#	"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 #
 #	By default the \fBcanonical\fR(5) mapping affects both message
 #	header addresses (i.e. addresses that appear inside messages)
@@ -49,10 +49,9 @@
 #	by legacy mail systems.
 #
 #	The \fBcanonical\fR(5) mapping is not to be confused with \fIvirtual
-#	domain\fR support. Use the \fBvirtual\fR(5) map for that purpose.
-#
-#	The \fBcanonical\fR(5) mapping is not to be confused with local aliasing.
-#	Use the \fBaliases\fR(5) map for that purpose.
+#	alias\fR support or with local aliasing. To change the destination
+#	but not the headers, use the \fBvirtual\fR(5) or \fBaliases\fR(5)
+#	map instead.
 # CASE FOLDING
 # .ad
 # .fi
@@ -97,6 +96,13 @@
 # .IP "@\fIdomain address\fR"
 #	Replace other addresses in \fIdomain\fR by \fIaddress\fR.
 #	This form has the lowest precedence.
+# .sp
+#	Note: @\fIdomain\fR is a wild-card. When this form is applied
+#	to recipient addresses, the Postfix SMTP server accepts
+#	mail for any recipient in \fIdomain\fR, regardless of whether
+#	that recipient exists.  This may turn your mail system into
+#	a backscatter source that returns undeliverable spam to
+#	innocent people.
 # RESULT ADDRESS REWRITING
 # .ad
 # .fi
@@ -146,7 +152,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.3.
+#	This feature is not available up to and including Postfix version 2.4.
 #	
 #	Each lookup operation uses the entire address once.  Thus,
 #	\fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/proto/cidr_table b/postfix/proto/cidr_table
index 478326222..68b3a08e6 100644
--- a/postfix/proto/cidr_table
+++ b/postfix/proto/cidr_table
@@ -11,7 +11,10 @@
 #	The Postfix mail system uses optional lookup tables.
 #	These tables are usually in \fBdbm\fR or \fBdb\fR format.
 #	Alternatively, lookup tables can be specified in CIDR
-#	(Classless Inter-Domain Routing) form.
+#	(Classless Inter-Domain Routing) form. In this case, each
+#	input is compared against a list of patterns. When a match
+#	is found, the corresponding result is returned and the search
+#	is terminated.
 #
 #	To find out what types of lookup tables your Postfix system
 #	supports use the "\fBpostconf -m\fR" command.
@@ -81,7 +84,6 @@
 # AUTHOR(S)
 #	The CIDR table lookup code was originally written by:
 #	Jozsef Kadlecsik
-#	kadlec@blackhole.kfki.hu
 #	KFKI Research Institute for Particle and Nuclear Physics
 #	POB. 49
 #	1525 Budapest, Hungary
diff --git a/postfix/proto/generic b/postfix/proto/generic
index d19dfde45..7c4374ced 100644
--- a/postfix/proto/generic
+++ b/postfix/proto/generic
@@ -33,7 +33,7 @@
 #	command.  The result, an indexed file in \fBdbm\fR or
 #	\fBdb\fR format, is used for fast searching by the mail
 #	system. Execute the command "\fBpostmap /etc/postfix/generic\fR"
-#	in order to rebuild the indexed file after changing the
+#	to rebuild an indexed file after changing the corresponding
 #	text file.
 #
 #	When the table is provided via other means such as NIS, LDAP
@@ -41,9 +41,9 @@
 #
 #	Alternatively, the table can be provided as a regular-expression
 #	map where patterns are given as regular expressions, or lookups
-#	can be directed to TCP-based server. In that case, the lookups are
-#	done in a slightly different way as described below under
-#	"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+#	can be directed to TCP-based server. In those case, the lookups
+#	are done in a slightly different way as described below under
+#	"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 # CASE FOLDING
 # .ad
 # .fi
@@ -130,7 +130,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.3.
+#	This feature is not available up to and including Postfix version 2.4.
 #	
 #	Each lookup operation uses the entire address once.  Thus,
 #	\fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/proto/header_checks b/postfix/proto/header_checks
index 97da52b72..5aa8c1533 100644
--- a/postfix/proto/header_checks
+++ b/postfix/proto/header_checks
@@ -16,11 +16,16 @@
 # .br
 #	\fBpostmap -fq - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
 # DESCRIPTION
-#	Postfix provides a simple built-in content inspection mechanism that
-#	examines incoming mail one message header or one message body line
-#	at a time. Each input is compared against a list of patterns, and
-#	when a match is found the corresponding action is executed.
-#	This feature is implemented by the Postfix \fBcleanup\fR(8) server.
+#	The Postfix \fBcleanup\fR(8) server supports access control
+#	on the content of message headers and message body lines.
+#	See \fBaccess\fR(5) for access control on remote SMTP client
+#	information.
+#
+#	Each message header or message body line is compared against
+#	a list of patterns.
+#	When a match is found the corresponding action is executed, and
+#	the matching process is repeated for the next message header or
+#	message body line.
 #
 #	For examples, see the EXAMPLES section at the end of this
 #	manual page.
@@ -191,7 +196,8 @@
 # .sp
 #	Note: use "\fBpostsuper -r\fR" to release mail that was kept on
 #	hold for a significant fraction of \fB$maximal_queue_lifetime\fR
-#	or \fB$bounce_queue_lifetime\fR, or longer.
+#	or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
+#	only for mail that will not expire within a few delivery attempts.
 # .sp
 #	Note: this action affects all recipients of the message.
 # .sp
diff --git a/postfix/proto/ldap_table b/postfix/proto/ldap_table
index d8d2d2ef0..7ca455730 100644
--- a/postfix/proto/ldap_table
+++ b/postfix/proto/ldap_table
@@ -16,6 +16,7 @@
 #
 #	In order to use LDAP lookups, define an LDAP source as a lookup
 #	table in main.cf, for example:
+#
 # .ti +4
 #	alias_maps = ldap:/etc/postfix/ldap-aliases.cf
 #
@@ -77,6 +78,7 @@
 #	return the key itself.
 #
 #	For example, NEVER do this in a map defining $mydestination:
+#
 # .in +4
 #	query_filter = domain=* 
 # .br
@@ -84,6 +86,7 @@
 # .in -4
 #
 #	Do this instead:
+#
 # .in +4
 #	query_filter = domain=%s 
 # .br
@@ -98,6 +101,7 @@
 #	strings.
 # .IP "\fBserver_host (default: localhost)\fR"
 #	The name of the host running the LDAP server, e.g.
+#
 # .ti +4
 #	server_host = ldap.example.com
 #
@@ -106,11 +110,13 @@
 #	trying them in order should the first one fail. It should also
 #	be possible to give each server in the list a different port
 #	(overriding \fBserver_port\fR below), by naming them like
+#
 # .ti +4
 #	server_host = ldap.example.com:1444
 #
 #	With OpenLDAP, a (list of) LDAP URLs can be used to specify both
 #	the hostname(s) and the port(s):
+#
 # .ti +4
 #	server_host = ldap://ldap.example.com:1444
 # .ti +8
@@ -120,20 +126,24 @@
 #	including connections over UNIX domain sockets, and LDAP SSL
 #	(the last one provided that OpenLDAP was compiled with support
 #	for SSL):
+#
 # .ti +4
 #	server_host = ldapi://%2Fsome%2Fpath
 # .ti +8
 #		ldaps://ldap.example.com:636
 # .IP "\fBserver_port (default: 389)\fR"
 #	The port the LDAP server listens on, e.g.
+#
 # .ti +4
 #	server_port = 778
 # .IP "\fBtimeout (default: 10 seconds)\fR"
 #	The number of seconds a search can take before timing out, e.g.
+#
 # .ti +4
 #	timeout = 5
 # .IP "\fBsearch_base (No default; you must configure this)\fR"
 #	The RFC2253 base DN at which to conduct the search, e.g.
+#
 # .ti +4
 #	search_base = dc=your, dc=com
 # .IP
@@ -176,6 +186,7 @@
 #	The RFC2254 filter used to search the directory, where \fB%s\fR
 #	is a substitute for the address Postfix is trying to resolve,
 #	e.g.
+#
 # .ti +4
 #	query_filter = (&(mail=%s)(paid_up=true))
 #
@@ -285,6 +296,7 @@
 #	are eligible for lookup: 'user' lookups, bare domain lookups
 #	and "@domain" lookups are not performed. This can significantly
 #	reduce the query load on the LDAP server.
+#
 # .ti +4
 #	domain = postfix.org, hash:/etc/postfix/searchdomains
 #
@@ -298,14 +310,16 @@
 #	The attribute(s) Postfix will read from any directory
 #	entries returned by the lookup, to be resolved to an email
 #	address.
+#
 # .ti +4
 #	result_attribute = mailbox, maildrop
-# .IP "\fBspecial_result_attribute (No default)\fR"
+# .IP "\fBspecial_result_attribute (default: empty)\fR"
 #	The attribute(s) of directory entries that can contain DNs
 #	or URLs. If found, a recursive subsequent search is done
 #	using their values.
+#
 # .ti +4
-#	special_result_attribute = member
+#	special_result_attribute = memberdn
 #
 #	DN recursion retrieves the same result_attributes as the
 #	main query, including the special attributes for further
@@ -314,6 +328,47 @@
 #	listed in "result_attribute". If the URI lists any of the
 #	map's special result attributes, these are also retrieved
 #	and used recursively.
+# .IP "\fBterminal_result_attribute (default: empty)\fR"
+#	When one or more terminal result attributes are found in an LDAP
+#	entry, all other result attributes are ignored and only the terminal
+#	result attributes are returned. This is useful for delegating expansion
+#	of group members to a particular host, by using an optional "maildrop"
+#	attribute on selected groups to route the group to a specific host,
+#	where the group is expanded, possibly via mailing-list manager or
+#	other special processing.
+#
+# .ti +4
+#	terminal_result_attribute = maildrop
+#
+#	This feature is available with Postfix 2.4 or later.
+# .IP "\fBleaf_result_attribute (default: empty)\fR"
+#	When one or more special result attributes are found in a non-terminal
+#	(see above) LDAP entry, leaf result attributes are excluded from the
+#	expansion of that entry. This is useful when expanding groups and the
+#	desired mail address attribute(s) of the member objects obtained via
+#	DN or URI recursion are also present in the group object. To only
+#	return the attribute values from the leaf objects and not the
+#	containing group, add the attribute to the leaf_result_attribute list,
+#	and not the result_attribute list, which is always expanded. Note,
+#	the default value of "result_attribute" is not empty, you may want to
+#	set it explicitly empty when using "leaf_result_attribute" to expand
+#	the group to a list of member DN addresses. If groups have both
+#	member DN references AND attributes that hold multiple string valued
+#	rfc822 addresses, then the string attributes go in "result_attribute".
+#	The attributes that represent the email addresses of objects
+#	referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
+#
+# .in +4
+#	result_attribute = memberaddr
+# .br
+#	special_result_attribute = memberdn
+# .br
+#	terminal_result_attribute = maildrop
+# .br
+#	leaf_result_attribute = mail
+# .in -4
+#
+#	This feature is available with Postfix 2.4 or later.
 # .IP "\fBscope (default: sub)\fR"
 #	The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
 #	These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
@@ -322,6 +377,7 @@
 #	Whether or not to bind to the LDAP server. Newer LDAP
 #	implementations don't require clients to bind, which saves
 #	time. Example:
+#
 # .ti +4
 #	bind = no
 #
@@ -334,6 +390,7 @@
 #	the clear.
 # .IP "\fBbind_dn (default: empty)\fR"
 #	If you do have to bind, do it with this distinguished name. Example:
+#
 # .ti +4
 #	bind_dn = uid=postfix, dc=your, dc=com
 # .IP "\fBbind_pw (default: empty)\fR"
@@ -345,6 +402,7 @@
 #	password. This is because main.cf needs to be world readable
 #	to allow local accounts to submit mail via the sendmail
 #	command. Example:
+#
 # .ti +4
 #	bind_pw = postfixpw
 # .IP "\fBcache (IGNORED with a warning)\fR"
@@ -412,15 +470,18 @@
 #
 #	LDAP SSL service can be requested by using a LDAP SSL URL
 #	in the server_host parameter:
+#
 # .ti +4
 #	server_host = ldaps://ldap.example.com:636
 #
 #	STARTTLS can be turned on with the start_tls parameter:
+#
 # .ti +4
 #	start_tls = yes
 #
 #	Both forms require LDAP protocol version 3, which has to be set
 #	explicitly with:
+#
 # .ti +4
 #	version = 3
 #
@@ -472,21 +533,23 @@
 #	Here's a basic example for using LDAP to look up local(8)
 #	aliases.
 #	Assume that in main.cf, you have:
+#
 # .ti +4
 #	alias_maps = hash:/etc/aliases,
 # .ti +8
 #	ldap:/etc/postfix/ldap-aliases.cf
 #
 #	and in ldap:/etc/postfix/ldap-aliases.cf you have:
+#
 # .in +4
-#	server_host = ldap.my.com
+#	server_host = ldap.example.com
 # .br
-#	search_base = dc=my, dc=com
+#	search_base = dc=example, dc=com
 # .in -4
 #
 #	Upon receiving mail for a local address "ldapuser" that
 #	isn't found in the /etc/aliases database, Postfix will
-#	search the LDAP server listening at port 389 on ldap.my.com.
+#	search the LDAP server listening at port 389 on ldap.example.com.
 #	It will bind anonymously, search for any directory entries
 #	whose mailacceptinggeneralid attribute is "ldapuser", read
 #	the "maildrop" attributes of those found, and build a list
diff --git a/postfix/proto/pcre_table b/postfix/proto/pcre_table
index a2620d2ca..8f54da366 100644
--- a/postfix/proto/pcre_table
+++ b/postfix/proto/pcre_table
@@ -14,8 +14,8 @@
 #
 #	Alternatively, lookup tables can be specified in Perl Compatible
 #	Regular Expression form. In this case, each input is compared
-#	against a list of patterns, and when a match is found the
-#	corresponding result is returned.
+#	against a list of patterns. When a match is found, the
+#	corresponding result is returned and the search is terminated.
 #
 #	To find out what types of lookup tables your Postfix system
 #	supports use the "\fBpostconf -m\fR" command.
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 844ecf173..e8d4b9e55 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -2565,8 +2565,9 @@ masquerade_exceptions = root
 %PARAM max_idle 100s
 
 <p>
-The maximum amount of time that an idle Postfix daemon process
-waits for the next service request before exiting.  This parameter
+The maximum amount of time that an idle Postfix daemon process waits
+for an incoming connection before terminating voluntarily.  This
+parameter
 is ignored by the Postfix queue manager and by other long-lived
 Postfix daemon processes.
 </p>
@@ -2579,8 +2580,9 @@ The default time unit is s (seconds).
 %PARAM max_use 100
 
 <p>
-The maximal number of connection requests before a Postfix daemon
-process terminates. This parameter is ignored by the Postfix queue
+The maximal number of incoming connections that a Postfix daemon
+process will service before terminating voluntarily.  This parameter
+is ignored by the Postfix queue
 manager and by other long-lived Postfix daemon processes.
 </p>
 
@@ -3317,7 +3319,10 @@ Do not change this unless you have a complete understanding of RFC 821.
 
 <p> Optional lookup tables with all valid addresses in the domains
 that match $relay_domains. Specify @domain as a wild-card for
-domains that do not have a valid recipient list. Technically, tables
+domains that have no valid recipient list, and become a source of
+backscatter mail: Postfix accepts spam for non-existent recipients
+and then floods innocent people with undeliverable mail.  Technically,
+tables
 listed with $relay_recipient_maps are used as lists: Postfix needs
 to know only if a lookup string is found or not, but it does not
 use the result from table lookup.  </p>
@@ -8125,7 +8130,7 @@ system.  </p>
 %PARAM smtpd_tls_cert_file
 
 <p> File with the Postfix SMTP server RSA certificate in PEM format.
-This file may also contain the server private key. </p>
+This file may also contain the Postfix SMTP server private RSA key. </p>
 
 <p> Public Internet MX hosts without certificates signed by a "reputable"
 CA must generate, and be prepared to present to most clients, a
@@ -8159,14 +8164,13 @@ server certificate first, then the issuing CA(s).  </p>
 Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
 root_CA.pem &gt; server.pem". </p>
 
-<p> If you want to accept certificates issued by these CAs yourself,
-you can also add the CA certificates to the smtpd_tls_CAfile, in
-which case it is not necessary to have them in the smtpd_tls_dcert_file
-or smtpd_tls_cert_file. </p>
+<p> If you also want to verify client certificates issued by these
+CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which
+case it is not necessary to have them in the smtpd_tls_cert_file or
+smtpd_tls_dcert_file. </p>
 
-<p> A certificate supplied here must be usable as SSL server
-certificate and hence pass the "openssl verify -purpose sslserver
-..." test. </p>
+<p> A certificate supplied here must be usable as an SSL server certificate
+and hence pass the "openssl verify -purpose sslserver ..." test. </p>
 
 <p> Example: </p>
 
@@ -8179,16 +8183,18 @@ smtpd_tls_cert_file = /etc/postfix/server.pem
 %PARAM smtpd_tls_key_file $smtpd_tls_cert_file
 
 <p> File with the Postfix SMTP server RSA private key in PEM format.
-This file may be combined with the server certificate file specified
+This file may be combined with the Postfix SMTP server certificate
+file specified
 with $smtpd_tls_cert_file. </p>
 
-<p> The private key must not be encrypted. In other words, the key
-must be accessible without password. </p>
+<p> The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root"). </p>
 
 %PARAM smtpd_tls_dcert_file
 
 <p> File with the Postfix SMTP server DSA certificate in PEM format.
-This file may also contain the server private key. <p>
+This file may also contain the Postfix SMTP server private key. <p>
 
 <p> See the discussion under smtpd_tls_cert_file for more details.
 </p>
@@ -8204,11 +8210,12 @@ smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
 %PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file
 
 <p> File with the Postfix SMTP server DSA private key in PEM format.
-This file may be combined with the server certificate file specified
-with $smtpd_tls_dcert_file. </p>
+This file may be combined with the Postfix SMTP server DSA certificate
+file specified with $smtpd_tls_dcert_file. </p>
 
-<p> The private key must not be encrypted. In other words, the key
-must be accessible without password. </p>
+<p> The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root"). </p>
 
 <p> This feature is available in Postfix 2.2 and later.  </p>
 
@@ -8504,8 +8511,9 @@ during TLS startup and shutdown handshake procedures. </p>
 %PARAM smtp_tls_cert_file
 
 <p> File with the Postfix SMTP client RSA certificate in PEM format.
-This file may also contain the client private key, and these may
-be the same as the server certificate and key file. </p>
+This file may also contain the Postfix SMTP client private RSA key,
+and these may be the same as the Postfix SMTP server RSA certificate and key
+file. </p>
 
 <p> Do not configure client certificates unless you <b>must</b> present
 client TLS certificates to one or more servers. Client certificates are
@@ -8526,21 +8534,21 @@ parameters in main.cf if present. </p>
 
 <p> In order to verify certificates, the CA certificate (in case
 of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the server certificate, the
-server certificate first, then the issuing CA(s). </p>
+You should add these certificates to the client certificate, the
+client certificate first, then the issuing CA(s). </p>
 
 <p> Example: the certificate for "client.dom.ain" was issued by
 "intermediate CA" which itself has a certificate of "root CA".
 Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
 root_CA.pem &gt; client.pem". </p>
 
-<p> If you want to accept remote SMTP server certificates issued
-by these CAs yourself, you can also add the CA certificates to the
-smtp_tls_CAfile, in which case it is not necessary to have them in
-the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
+<p> If you also want to verify remote SMTP server certificates issued by
+these CAs, you can also add the CA certificates to the smtp_tls_CAfile,
+in which case it is not necessary to have them in the smtp_tls_cert_file
+or smtp_tls_dcert_file. </p>
 
-<p> A certificate supplied here must be usable as SSL client certificate and
-hence pass the "openssl verify -purpose sslclient ..." test. </p>
+<p> A certificate supplied here must be usable as an SSL client certificate
+and hence pass the "openssl verify -purpose sslclient ..." test. </p>
 
 <p> Example: </p>
 
@@ -8553,11 +8561,12 @@ smtp_tls_cert_file = /etc/postfix/client.pem
 %PARAM smtp_tls_key_file $smtp_tls_cert_file
 
 <p> File with the Postfix SMTP client RSA private key in PEM format.
-This file may be combined with the client certificate file specified
-with $smtp_tls_cert_file. </p>
+This file may be combined with the Postfix SMTP client RSA certificate
+file specified with $smtp_tls_cert_file. </p>
 
-<p> The private key must not be encrypted. In other words, the key
-must be accessible without password. </p>
+<p> The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root"). </p>
 
 <p> Example: </p>
 
@@ -8842,18 +8851,19 @@ during TLS startup and shutdown handshake procedures. </p>
 %PARAM smtp_tls_dkey_file $smtp_tls_dcert_file
 
 <p> File with the Postfix SMTP client DSA private key in PEM format.
-The private key must not be encrypted. In other words, the key must
-be accessible without password. </p>
+This file may be combined with the Postfix SMTP client DSA certificate
+file specified with $smtp_tls_dcert_file. </p>
 
-<p> This file may be combined with the server certificate file
-specified with $smtp_tls_cert_file. </p>
+<p> The private key must be accessible without a pass-phrase, i.e. it
+must not be encrypted, but file permissions should grant read/write
+access only to the system superuser account ("root"). </p>
 
 <p> This feature is available in Postfix 2.2 and later.  </p>
 
 %PARAM smtp_tls_dcert_file
 
 <p> File with the Postfix SMTP client DSA certificate in PEM format.
-This file may also contain the server private key. </p>
+This file may also contain the Postfix SMTP client private DSA key. </p>
 
 <p> See the discussion under smtp_tls_cert_file for more details.
 </p>
@@ -9026,9 +9036,9 @@ precision.  </p>
 
 <ul>
 
-<li> a = time before the queue manager, including message transmission
+<li> a = time from message arrival to last active queue entry
 
-<li> b = time in queue manager
+<li> b = time from last active queue entry to connection setup
 
 <li> c = time in connection setup, including DNS, EHLO and TLS
 
@@ -9127,7 +9137,7 @@ smtpd_discard_ehlo_keyword_address_maps. </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
-%PARAM lmtp_discard_lhlo_keywords $myhostname
+%PARAM lmtp_discard_lhlo_keywords 
 
 <p> A case insensitive list of LHLO keywords (pipelining, starttls,
 auth, etc.) that the LMTP client will ignore in the LHLO response
diff --git a/postfix/proto/regexp_table b/postfix/proto/regexp_table
index 5662d4603..ea4c703e7 100644
--- a/postfix/proto/regexp_table
+++ b/postfix/proto/regexp_table
@@ -14,8 +14,8 @@
 #
 #	Alternatively, lookup tables can be specified in POSIX regular
 #	expression form. In this case, each input is compared against a
-#	list of patterns, and when a match is found the corresponding
-#	result is returned.
+#	list of patterns. When a match is found, the corresponding
+#	result is returned and the search is terminated.
 #
 #	To find out what types of lookup tables your Postfix system
 #	supports use the "\fBpostconf -m\fR" command.
diff --git a/postfix/proto/relocated b/postfix/proto/relocated
index f1e1fe55b..34b6beee4 100644
--- a/postfix/proto/relocated
+++ b/postfix/proto/relocated
@@ -13,17 +13,17 @@
 #	that serves as input to the \fBpostmap\fR(1) command.
 #	The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
 #	is used for fast searching by the mail system. Execute the command
-#	"\fBpostmap /etc/postfix/relocated\fR" in order to rebuild the indexed
-#	file after changing the relocated table.
+#	"\fBpostmap /etc/postfix/relocated\fR" to rebuild an indexed
+#	file after changing the corresponding relocated table.
 #
 #	When the table is provided via other means such as NIS, LDAP
 #	or SQL, the same lookups are done as for ordinary indexed files.
 #
 #	Alternatively, the table can be provided as a regular-expression
 #	map where patterns are given as regular expressions, or lookups
-#	can be directed to TCP-based server. In that case, the lookups are
-#	done in a slightly different way as described below under
-#	"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+#	can be directed to TCP-based server. In those case, the lookups
+#	are done in a slightly different way as described below under
+#	"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 #
 #	Table lookups are case insensitive.
 # CASE FOLDING
@@ -82,7 +82,7 @@
 #	expression lookup table syntax, see \fBregexp_table\fR(5) or
 #	\fBpcre_table\fR(5). For a description of the TCP client/server
 #	table lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.3.
+#	This feature is not available up to and including Postfix version 2.4.
 #
 #	Each pattern is a regular expression that is applied to the entire
 #	address being looked up. Thus, \fIuser@domain\fR mail addresses are not
@@ -101,7 +101,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.3.
+#	This feature is not available up to and including Postfix version 2.4.
 #
 #	Each lookup operation uses the entire address once.  Thus,
 #	\fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/proto/transport b/postfix/proto/transport
index 0a6029f2b..6f1985496 100644
--- a/postfix/proto/transport
+++ b/postfix/proto/transport
@@ -43,17 +43,17 @@
 #	that serves as input to the \fBpostmap\fR(1) command.
 #	The result, an indexed file in \fBdbm\fR or \fBdb\fR format, is used
 #	for fast searching by the mail system. Execute the command
-#	"\fBpostmap /etc/postfix/transport\fR" in order to rebuild the indexed
-#	file after changing the transport table.
+#	"\fBpostmap /etc/postfix/transport\fR" to rebuild an indexed
+#	file after changing the corresponding transport table.
 #
 #	When the table is provided via other means such as NIS, LDAP
 #	or SQL, the same lookups are done as for ordinary indexed files.
 #
 #	Alternatively, the table can be provided as a regular-expression
 #	map where patterns are given as regular expressions, or lookups
-#	can be directed to TCP-based server. In that case, the lookups are
-#	done in a slightly different way as described below under
-#	"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+#	can be directed to TCP-based server. In those case, the lookups
+#	are done in a slightly different way as described below under
+#	"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 # CASE FOLDING
 # .ad
 # .fi
@@ -229,7 +229,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.3.
+#	This feature is not available up to and including Postfix version 2.4.
 #
 #	Each lookup operation uses the entire recipient address once.  Thus,
 #	\fIsome.domain.hierarchy\fR is not looked up via its parent domains,
@@ -261,6 +261,7 @@
 #	"\fBpostconf html_directory\fR" to locate this information.
 # .na
 # .nf
+#	ADDRESS_REWRITING_README, address rewriting guide
 #	DATABASE_README, Postfix lookup table overview
 #	FILTER_README, external content filter
 # LICENSE
diff --git a/postfix/proto/virtual b/postfix/proto/virtual
index 7f60d562b..256b97716 100644
--- a/postfix/proto/virtual
+++ b/postfix/proto/virtual
@@ -39,17 +39,17 @@
 #	that serves as input to the \fBpostmap\fR(1) command.
 #	The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
 #	is used for fast searching by the mail system. Execute the command
-#	"\fBpostmap /etc/postfix/virtual\fR" in order to rebuild the indexed
-#	file after changing the text file.
+#	"\fBpostmap /etc/postfix/virtual\fR" to rebuild an indexed
+#	file after changing the corresponding text file.
 #
 #	When the table is provided via other means such as NIS, LDAP
 #	or SQL, the same lookups are done as for ordinary indexed files.
 #
 #	Alternatively, the table can be provided as a regular-expression
 #	map where patterns are given as regular expressions, or lookups
-#	can be directed to TCP-based server. In that case, the lookups are
-#	done in a slightly different way as described below under
-#	"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
+#	can be directed to TCP-based server. In those case, the lookups
+#	are done in a slightly different way as described below under
+#	"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
 # CASE FOLDING
 # .ad
 # .fi
@@ -91,6 +91,13 @@
 # .IP "@\fIdomain address, address, ...\fR"
 #	Redirect mail for other users in \fIdomain\fR to \fIaddress\fR.
 #	This form has the lowest precedence.
+# .sp
+#	Note: @\fIdomain\fR is a wild-card. With this form, the
+#	Postfix SMTP server accepts
+#	mail for any recipient in \fIdomain\fR, regardless of whether
+#	that recipient exists.  This may turn your mail system into
+#	a backscatter source that returns undeliverable spam to
+#	innocent people.
 # RESULT ADDRESS REWRITING
 # .ad
 # .fi
@@ -199,7 +206,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.3.
+#	This feature is not available up to and including Postfix version 2.4.
 #
 #	Each lookup operation uses the entire address once.  Thus,
 #	\fIuser@domain\fR mail addresses are not broken up into their
@@ -253,8 +260,8 @@
 #	"\fBpostconf html_directory\fR" to locate this information.
 # .na
 # .nf
-#	DATABASE_README, Postfix lookup table overview
 #	ADDRESS_REWRITING_README, address rewriting guide
+#	DATABASE_README, Postfix lookup table overview
 #	VIRTUAL_README, domain hosting guide
 # LICENSE
 # .ad
diff --git a/postfix/src/anvil/Makefile.in b/postfix/src/anvil/Makefile.in
index 62946461e..14772fa32 100644
--- a/postfix/src/anvil/Makefile.in
+++ b/postfix/src/anvil/Makefile.in
@@ -67,6 +67,7 @@ anvil.o: ../../include/mail_conf.h
 anvil.o: ../../include/mail_params.h
 anvil.o: ../../include/mail_proto.h
 anvil.o: ../../include/mail_server.h
+anvil.o: ../../include/mail_version.h
 anvil.o: ../../include/msg.h
 anvil.o: ../../include/mymalloc.h
 anvil.o: ../../include/stringops.h
diff --git a/postfix/src/anvil/anvil.c b/postfix/src/anvil/anvil.c
index e3e1d222a..ab42073a4 100644
--- a/postfix/src/anvil/anvil.c
+++ b/postfix/src/anvil/anvil.c
@@ -208,11 +208,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -267,6 +267,7 @@
 
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_proto.h>
 #include <anvil_clnt.h>
 
@@ -945,6 +946,8 @@ static void post_jail_init(char *unused_name, char **unused_argv)
 	var_idle_limit = var_anvil_time_unit;
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the multi-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -955,6 +958,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     multi_server_main(argc, argv, anvil_service,
 		      MAIL_SERVER_TIME_TABLE, time_table,
 		      MAIL_SERVER_POST_INIT, post_jail_init,
diff --git a/postfix/src/bounce/Makefile.in b/postfix/src/bounce/Makefile.in
index ddfaaa2eb..09de6e9d0 100644
--- a/postfix/src/bounce/Makefile.in
+++ b/postfix/src/bounce/Makefile.in
@@ -107,6 +107,7 @@ bounce.o: ../../include/mail_params.h
 bounce.o: ../../include/mail_proto.h
 bounce.o: ../../include/mail_queue.h
 bounce.o: ../../include/mail_server.h
+bounce.o: ../../include/mail_version.h
 bounce.o: ../../include/msg.h
 bounce.o: ../../include/msg_stats.h
 bounce.o: ../../include/rcpt_buf.h
@@ -166,6 +167,7 @@ bounce_notify_service.o: ../../include/deliver_request.h
 bounce_notify_service.o: ../../include/dsn.h
 bounce_notify_service.o: ../../include/dsn_buf.h
 bounce_notify_service.o: ../../include/dsn_mask.h
+bounce_notify_service.o: ../../include/int_filt.h
 bounce_notify_service.o: ../../include/mail_addr.h
 bounce_notify_service.o: ../../include/mail_error.h
 bounce_notify_service.o: ../../include/mail_params.h
@@ -191,6 +193,7 @@ bounce_notify_util.o: ../../include/dsn.h
 bounce_notify_util.o: ../../include/dsn_buf.h
 bounce_notify_util.o: ../../include/dsn_mask.h
 bounce_notify_util.o: ../../include/events.h
+bounce_notify_util.o: ../../include/int_filt.h
 bounce_notify_util.o: ../../include/iostuff.h
 bounce_notify_util.o: ../../include/is_header.h
 bounce_notify_util.o: ../../include/lex_822.h
@@ -228,6 +231,7 @@ bounce_notify_verp.o: ../../include/deliver_request.h
 bounce_notify_verp.o: ../../include/dsn.h
 bounce_notify_verp.o: ../../include/dsn_buf.h
 bounce_notify_verp.o: ../../include/dsn_mask.h
+bounce_notify_verp.o: ../../include/int_filt.h
 bounce_notify_verp.o: ../../include/mail_addr.h
 bounce_notify_verp.o: ../../include/mail_error.h
 bounce_notify_verp.o: ../../include/mail_params.h
@@ -254,6 +258,7 @@ bounce_one_service.o: ../../include/deliver_request.h
 bounce_one_service.o: ../../include/dsn.h
 bounce_one_service.o: ../../include/dsn_buf.h
 bounce_one_service.o: ../../include/dsn_mask.h
+bounce_one_service.o: ../../include/int_filt.h
 bounce_one_service.o: ../../include/mail_addr.h
 bounce_one_service.o: ../../include/mail_error.h
 bounce_one_service.o: ../../include/mail_params.h
@@ -309,6 +314,7 @@ bounce_trace_service.o: ../../include/deliver_request.h
 bounce_trace_service.o: ../../include/dsn.h
 bounce_trace_service.o: ../../include/dsn_buf.h
 bounce_trace_service.o: ../../include/dsn_mask.h
+bounce_trace_service.o: ../../include/int_filt.h
 bounce_trace_service.o: ../../include/mail_addr.h
 bounce_trace_service.o: ../../include/mail_error.h
 bounce_trace_service.o: ../../include/mail_params.h
@@ -332,6 +338,7 @@ bounce_warn_service.o: ../../include/cleanup_user.h
 bounce_warn_service.o: ../../include/dsn.h
 bounce_warn_service.o: ../../include/dsn_buf.h
 bounce_warn_service.o: ../../include/dsn_mask.h
+bounce_warn_service.o: ../../include/int_filt.h
 bounce_warn_service.o: ../../include/mail_addr.h
 bounce_warn_service.o: ../../include/mail_error.h
 bounce_warn_service.o: ../../include/mail_params.h
diff --git a/postfix/src/bounce/bounce.c b/postfix/src/bounce/bounce.c
index c09d36eed..483aa54c9 100644
--- a/postfix/src/bounce/bounce.c
+++ b/postfix/src/bounce/bounce.c
@@ -91,11 +91,11 @@
 /*	The mail system name that is displayed in Received: headers, in
 /*	the SMTP greeting banner, and in bounced mail.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBnotify_classes (resource, software)\fR"
 /*	The list of error classes that are reported to the postmaster.
 /* .IP "\fBprocess_id (read-only)\fR"
@@ -154,6 +154,7 @@
 #include <mail_proto.h>
 #include <mail_queue.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_conf.h>
 #include <bounce.h>
 #include <mail_addr.h>
@@ -576,8 +577,8 @@ static void post_jail_init(char *service_name, char **unused_argv)
     /*
      * Special case: dump bounce templates. This is not part of the master(5)
      * public interface. This internal interface is used by the postconf
-     * command. It was implemented before bounce templates were isolated
-     * into modules that could have been called directly.
+     * command. It was implemented before bounce templates were isolated into
+     * modules that could have been called directly.
      */
     if (strcmp(service_name, "dump_templates") == 0) {
 	bounce_templates_dump(VSTREAM_OUT, bounce_templates);
@@ -604,6 +605,8 @@ static void post_jail_init(char *service_name, char **unused_argv)
     dsn_buf = dsb_create();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -626,6 +629,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Pass control to the single-threaded service skeleton.
      */
diff --git a/postfix/src/cleanup/Makefile.in b/postfix/src/cleanup/Makefile.in
index ecd317a6c..fa98471ae 100644
--- a/postfix/src/cleanup/Makefile.in
+++ b/postfix/src/cleanup/Makefile.in
@@ -319,6 +319,7 @@ cleanup.o: ../../include/mail_params.h
 cleanup.o: ../../include/mail_proto.h
 cleanup.o: ../../include/mail_server.h
 cleanup.o: ../../include/mail_stream.h
+cleanup.o: ../../include/mail_version.h
 cleanup.o: ../../include/maps.h
 cleanup.o: ../../include/match_list.h
 cleanup.o: ../../include/match_ops.h
diff --git a/postfix/src/cleanup/cleanup.c b/postfix/src/cleanup/cleanup.c
index 6e555ca10..5747f8c94 100644
--- a/postfix/src/cleanup/cleanup.c
+++ b/postfix/src/cleanup/cleanup.c
@@ -303,11 +303,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
 /*	The internet hostname of this mail system.
 /* .IP "\fBmyorigin ($myhostname)\fR"
@@ -386,6 +386,7 @@
 #include <mail_params.h>
 #include <record.h>
 #include <rec_type.h>
+#include <mail_version.h>
 
 /* Single-threaded server skeleton. */
 
@@ -502,11 +503,18 @@ static void pre_accept(char *unused_name, char **unused_argv)
     }
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
 {
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Clean up an incomplete queue file in case of a fatal run-time error,
      * or after receiving SIGTERM from the master at shutdown time.
diff --git a/postfix/src/cleanup/cleanup_init.c b/postfix/src/cleanup/cleanup_init.c
index 2791f32e6..13e792e52 100644
--- a/postfix/src/cleanup/cleanup_init.c
+++ b/postfix/src/cleanup/cleanup_init.c
@@ -202,7 +202,7 @@ CONFIG_STR_TABLE cleanup_str_table[] = {
     VAR_BODY_CHECKS, DEF_BODY_CHECKS, &var_body_checks, 0, 0,
     VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0,
     VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0,
-    VAR_RCPT_WITHELD, DEF_RCPT_WITHELD, &var_rcpt_witheld, 1, 0,
+    VAR_RCPT_WITHELD, DEF_RCPT_WITHELD, &var_rcpt_witheld, 0, 0,
     VAR_MASQ_CLASSES, DEF_MASQ_CLASSES, &var_masq_classes, 0, 0,
     VAR_SEND_BCC_MAPS, DEF_SEND_BCC_MAPS, &var_send_bcc_maps, 0, 0,
     VAR_RCPT_BCC_MAPS, DEF_RCPT_BCC_MAPS, &var_rcpt_bcc_maps, 0, 0,
diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c
index be6b2ed1c..2087c0908 100644
--- a/postfix/src/cleanup/cleanup_message.c
+++ b/postfix/src/cleanup/cleanup_message.c
@@ -691,7 +691,7 @@ static void cleanup_header_done_callback(void *context)
 #define VISIBLE_RCPT	((1 << HDR_TO) | (1 << HDR_RESENT_TO) \
 			| (1 << HDR_CC) | (1 << HDR_RESENT_CC))
 
-    if ((state->headers_seen & VISIBLE_RCPT) == 0)
+    if ((state->headers_seen & VISIBLE_RCPT) == 0 && *var_rcpt_witheld)
 	cleanup_out_format(state, REC_TYPE_NORM, "%s", var_rcpt_witheld);
 
     /*
diff --git a/postfix/src/cleanup/cleanup_out.c b/postfix/src/cleanup/cleanup_out.c
index a5c5bf68d..904208071 100644
--- a/postfix/src/cleanup/cleanup_out.c
+++ b/postfix/src/cleanup/cleanup_out.c
@@ -198,7 +198,8 @@ void    cleanup_out_header(CLEANUP_STATE *state, VSTRING *header_buf)
 	}
 	if (line == start) {
 	    cleanup_out_string(state, REC_TYPE_NORM, line);
-	    if (line_len < REC_TYPE_PTR_PAYL_SIZE)
+	    if ((state->milters || cleanup_milters)
+		&& line_len < REC_TYPE_PTR_PAYL_SIZE)
 		rec_pad(state->dst, REC_TYPE_DTXT,
 			REC_TYPE_PTR_PAYL_SIZE - line_len);
 	} else if (IS_SPACE_TAB(*line)) {
diff --git a/postfix/src/discard/Makefile.in b/postfix/src/discard/Makefile.in
index e39100098..00a5d5c34 100644
--- a/postfix/src/discard/Makefile.in
+++ b/postfix/src/discard/Makefile.in
@@ -67,6 +67,7 @@ discard.o: ../../include/dsn_util.h
 discard.o: ../../include/flush_clnt.h
 discard.o: ../../include/mail_queue.h
 discard.o: ../../include/mail_server.h
+discard.o: ../../include/mail_version.h
 discard.o: ../../include/msg.h
 discard.o: ../../include/msg_stats.h
 discard.o: ../../include/recipient_list.h
diff --git a/postfix/src/discard/discard.c b/postfix/src/discard/discard.c
index 04855889b..17bdeceee 100644
--- a/postfix/src/discard/discard.c
+++ b/postfix/src/discard/discard.c
@@ -60,11 +60,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -121,6 +121,7 @@
 #include <flush_clnt.h>
 #include <sent.h>
 #include <dsn_util.h>
+#include <mail_version.h>
 
 /* Single server skeleton. */
 
@@ -225,10 +226,18 @@ static void pre_init(char *unused_name, char **unused_argv)
     flush_init();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded skeleton */
 
 int     main(int argc, char **argv)
 {
+
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     single_server_main(argc, argv, discard_service,
 		       MAIL_SERVER_PRE_INIT, pre_init,
 		       0);
diff --git a/postfix/src/error/Makefile.in b/postfix/src/error/Makefile.in
index 8e1d097c5..a9453126f 100644
--- a/postfix/src/error/Makefile.in
+++ b/postfix/src/error/Makefile.in
@@ -70,6 +70,7 @@ error.o: ../../include/iostuff.h
 error.o: ../../include/mail_proto.h
 error.o: ../../include/mail_queue.h
 error.o: ../../include/mail_server.h
+error.o: ../../include/mail_version.h
 error.o: ../../include/msg.h
 error.o: ../../include/msg_stats.h
 error.o: ../../include/recipient_list.h
diff --git a/postfix/src/error/error.c b/postfix/src/error/error.c
index 77ae72ca8..019900b2b 100644
--- a/postfix/src/error/error.c
+++ b/postfix/src/error/error.c
@@ -9,8 +9,8 @@
 /*	The Postfix \fBerror\fR(8) delivery agent processes delivery
 /*	requests from
 /*	the queue manager. Each request specifies a queue file, a sender
-/*	address, a domain or host name that is treated as the reason for
-/*	non-delivery, and recipient information.
+/*	address, the reason for non-delivery (specified as the
+/*	next-hop destination), and recipient information.
 /*	The reason may be prefixed with an RFC 3463-compatible detail code.
 /*	This program expects to be run from the \fBmaster\fR(8) process
 /*	manager.
@@ -67,11 +67,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBnotify_classes (resource, software)\fR"
 /*	The list of error classes that are reported to the postmaster.
 /* .IP "\fBprocess_id (read-only)\fR"
@@ -126,6 +126,7 @@
 #include <dsn_util.h>
 #include <sys_exits.h>
 #include <mail_proto.h>
+#include <mail_version.h>
 
 /* Single server skeleton. */
 
@@ -237,10 +238,18 @@ static void pre_init(char *unused_name, char **unused_argv)
     flush_init();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded skeleton */
 
 int     main(int argc, char **argv)
 {
+
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     single_server_main(argc, argv, error_service,
 		       MAIL_SERVER_PRE_INIT, pre_init,
 		       0);
diff --git a/postfix/src/flush/Makefile.in b/postfix/src/flush/Makefile.in
index 8144eabbf..7578940f5 100644
--- a/postfix/src/flush/Makefile.in
+++ b/postfix/src/flush/Makefile.in
@@ -72,6 +72,7 @@ flush.o: ../../include/mail_proto.h
 flush.o: ../../include/mail_queue.h
 flush.o: ../../include/mail_scan_dir.h
 flush.o: ../../include/mail_server.h
+flush.o: ../../include/mail_version.h
 flush.o: ../../include/maps.h
 flush.o: ../../include/match_list.h
 flush.o: ../../include/match_ops.h
diff --git a/postfix/src/flush/flush.c b/postfix/src/flush/flush.c
index 06f19f15b..41ffafa87 100644
--- a/postfix/src/flush/flush.c
+++ b/postfix/src/flush/flush.c
@@ -96,11 +96,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
 /*	What Postfix features match subdomains of "domain.tld" automatically,
 /*	instead of requiring an explicit ".domain.tld" pattern.
@@ -173,6 +173,7 @@
 /* Global library. */
 
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_queue.h>
 #include <mail_proto.h>
 #include <mail_flush.h>
@@ -387,7 +388,7 @@ static int flush_send_service(const char *site, int how)
 /* flush_one_file - move one queue file to incoming queue */
 
 static int flush_one_file(const char *queue_id, VSTRING *queue_file,
-			            struct utimbuf * tbuf, int how)
+			          struct utimbuf * tbuf, int how)
 {
     const char *myname = "flush_one_file";
     const char *queue_name;
@@ -807,6 +808,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 				     var_fflush_domains);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -817,6 +820,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     single_server_main(argc, argv, flush_service,
 		       MAIL_SERVER_TIME_TABLE, time_table,
 		       MAIL_SERVER_PRE_INIT, pre_jail_init,
diff --git a/postfix/src/fsstone/fsstone.c b/postfix/src/fsstone/fsstone.c
index 26ff50c1e..026741231 100644
--- a/postfix/src/fsstone/fsstone.c
+++ b/postfix/src/fsstone/fsstone.c
@@ -150,6 +150,8 @@ static void usage(char *myname)
     msg_fatal("usage: %s [-cr] [-s size] messages directory_entries", myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 int     main(int argc, char **argv)
 {
     int     op_count;
@@ -161,6 +163,11 @@ int     main(int argc, char **argv)
     int     ch;
     int     size = 2;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     msg_vstream_init(argv[0], VSTREAM_ERR);
     while ((ch = GETOPT(argc, argv, "crs:")) != EOF) {
 	switch (ch) {
diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in
index 49e288d89..b6c602f0b 100644
--- a/postfix/src/global/Makefile.in
+++ b/postfix/src/global/Makefile.in
@@ -890,10 +890,12 @@ input_transp.o: cleanup_user.h
 input_transp.o: input_transp.c
 input_transp.o: input_transp.h
 input_transp.o: mail_params.h
+int_filt.o: ../../include/msg.h
 int_filt.o: ../../include/name_mask.h
 int_filt.o: ../../include/sys_defs.h
 int_filt.o: ../../include/vbuf.h
 int_filt.o: ../../include/vstring.h
+int_filt.o: cleanup_user.h
 int_filt.o: int_filt.c
 int_filt.o: int_filt.h
 int_filt.o: mail_params.h
@@ -1462,6 +1464,7 @@ post_mail.o: ../../include/vbuf.h
 post_mail.o: ../../include/vstream.h
 post_mail.o: ../../include/vstring.h
 post_mail.o: cleanup_user.h
+post_mail.o: int_filt.h
 post_mail.o: mail_date.h
 post_mail.o: mail_params.h
 post_mail.o: mail_proto.h
diff --git a/postfix/src/global/dict_ldap.c b/postfix/src/global/dict_ldap.c
index efd8c3927..fd35579d2 100644
--- a/postfix/src/global/dict_ldap.c
+++ b/postfix/src/global/dict_ldap.c
@@ -60,6 +60,14 @@
 /* .IP special_result_attribute
 /*	The attribute(s) of directory entries that can contain DNs or URLs.
 /*	If found, a recursive subsequent search is done using their values.
+/* .IP leaf_result_attribute
+/*	These are only returned for "leaf" LDAP entries, i.e. those that are
+/*	not "terminal" and have no values for any of the "special" result
+/*	attributes.
+/* .IP terminal_result_attribute
+/*	If found, the LDAP entry is considered a terminal LDAP object, not
+/*	subject to further direct or recursive expansion. Only the terminal
+/*	result attributes are returned.
 /* .IP scope
 /*	LDAP search scope: sub, base, or one.
 /* .IP bind
@@ -228,7 +236,9 @@ typedef struct {
     int     scope;
     char   *search_base;
     ARGV   *result_attributes;
-    int     num_attributes;		/* rest of list is DN's. */
+    int     num_terminal;		/* Number of terminal attributes. */
+    int     num_leaf;			/* Number of leaf attributes */
+    int     num_attributes;		/* Combined # of non-special attrs */
     int     bind;
     char   *bind_dn;
     char   *bind_pw;
@@ -256,7 +266,16 @@ typedef struct {
 
 #define DICT_LDAP_CONN(d) ((LDAP_CONN *)((d)->ht->value))
 
-
+ /*
+  * Bitrot: LDAP_API 3000 and up (OpenLDAP 2.2.x) deprecated ldap_unbind()
+  */
+#if LDAP_API_VERSION >= 3000
+#define dict_ldap_unbind(ld)		ldap_unbind_ext((ld), 0, 0)
+#define dict_ldap_abandon(ld, msg)	ldap_abandon_ext((ld), (msg), 0, 0)
+#else
+#define dict_ldap_unbind(ld)		ldap_unbind(ld)
+#define dict_ldap_abandon(ld, msg)	ldap_abandon((ld), (msg))
+#endif
 
 /*
  * Quoting rules.
@@ -325,8 +344,7 @@ static void dict_ldap_timeout(int unused_sig)
 static void dict_ldap_logprint(LDAP_CONST char *data)
 {
     const char *myname = "dict_ldap_debug";
-    char   *buf,
-           *p;
+    char   *buf, *p;
 
     buf = mystrdup(data);
     if (*buf) {
@@ -338,7 +356,7 @@ static void dict_ldap_logprint(LDAP_CONST char *data)
     myfree(buf);
 }
 
-static int dict_ldap_get_errno(LDAP * ld)
+static int dict_ldap_get_errno(LDAP *ld)
 {
     int     rc;
 
@@ -347,7 +365,7 @@ static int dict_ldap_get_errno(LDAP * ld)
     return rc;
 }
 
-static int dict_ldap_set_errno(LDAP * ld, int rc)
+static int dict_ldap_set_errno(LDAP *ld, int rc)
 {
     (void) ldap_set_option(ld, LDAP_OPT_ERROR_NUMBER, &rc);
     return rc;
@@ -367,10 +385,9 @@ static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
 	return (dict_ldap_get_errno(ld));
 
     if (dict_ldap_get_errno(ld) == LDAP_TIMEOUT) {
-	(void) ldap_abandon_ext(ld, msgid, 0, 0);
+	(void) dict_ldap_abandon(ld, msgid);
 	return (dict_ldap_set_errno(ld, LDAP_TIMEOUT));
     }
-
     return LDAP_SUCCESS;
 }
 
@@ -400,7 +417,7 @@ static int dict_ldap_bind_st(DICT_LDAP *dict_ldap)
 /* search_st - Synchronous search with timeout */
 
 static int search_st(LDAP *ld, char *base, int scope, char *query,
-			    char **attrs, int timeout, LDAPMessage **res)
+		             char **attrs, int timeout, LDAPMessage **res)
 {
     struct timeval mytimeval;
     int     msgid;
@@ -411,7 +428,7 @@ static int search_st(LDAP *ld, char *base, int scope, char *query,
     mytimeval.tv_usec = 0;
 
 #define WANTVALS 0
-#define USE_SIZE_LIM_OPT -1		/* Any negative value will do */
+#define USE_SIZE_LIM_OPT -1			/* Any negative value will do */
 
     if ((rc = ldap_search_ext(ld, base, scope, query, attrs, WANTVALS, 0, 0,
 			      &mytimeval, USE_SIZE_LIM_OPT,
@@ -506,7 +523,7 @@ static int dict_ldap_connect(DICT_LDAP *dict_ldap)
 #if defined(LDAP_OPT_DEBUG_LEVEL) && defined(LBER_OPT_LOG_PRINT_FN)
     if (dict_ldap->debuglevel > 0 &&
 	ber_set_option(NULL, LBER_OPT_LOG_PRINT_FN,
-		     (LDAP_CONST void *) dict_ldap_logprint) != LBER_OPT_SUCCESS)
+		(LDAP_CONST void *) dict_ldap_logprint) != LBER_OPT_SUCCESS)
 	msg_warn("%s: Unable to set ber logprint function.", myname);
 #if defined(LBER_OPT_DEBUG_LEVEL)
     if (ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL,
@@ -752,8 +769,8 @@ static void dict_ldap_conn_find(DICT_LDAP *dict_ldap)
  * This and the rest of the handling of multiple attributes, DNs and URLs
  * are thanks to LaMont Jones.
  */
-static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage * res,
-				         VSTRING *result, const char* name)
+static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage *res,
+				         VSTRING *result, const char *name)
 {
     static int recursion = 0;
     static int expansion;
@@ -768,6 +785,8 @@ static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage * res,
     int     valcount;
     LDAPURLDesc *url;
     const char *myname = "dict_ldap_get_values";
+    int     is_leaf = 1;		/* No recursion via this entry */
+    int     is_terminal = 0;		/* No expansion via this entry */
 
     if (++recursion == 1)
 	expansion = 0;
@@ -792,10 +811,45 @@ static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage * res,
 		     dict_ldap->size_limit);
 	    dict_errno = DICT_ERR_RETRY;
 	}
+
+	/*
+	 * Check for terminal attributes, these preclude expansion of all
+	 * other attributes, and DN/URI recursion. Any terminal attributes
+	 * are listed first in the attribute array.
+	 */
+	if (dict_ldap->num_terminal > 0) {
+	    for (i = 0; i < dict_ldap->num_terminal; ++i) {
+		attr = dict_ldap->result_attributes->argv[i];
+		if (!(vals = ldap_get_values_len(dict_ldap->ld, entry, attr)))
+		    continue;
+		is_terminal = (ldap_count_values_len(vals) > 0);
+		ldap_value_free_len(vals);
+		if (is_terminal)
+		    break;
+	    }
+	}
+
+	/*
+	 * Check for special attributes, these preclude expansion of
+	 * "leaf-only" attributes, and are at the end of the attribute array
+	 * after the terminal, leaf and regular attributes.
+	 */
+	if (is_terminal == 0 && dict_ldap->num_leaf > 0) {
+	    for (i = dict_ldap->num_attributes;
+		 dict_ldap->result_attributes->argv[i]; ++i) {
+		attr = dict_ldap->result_attributes->argv[i];
+		if (!(vals = ldap_get_values_len(dict_ldap->ld, entry, attr)))
+		    continue;
+		is_leaf = (ldap_count_values_len(vals) == 0);
+		ldap_value_free_len(vals);
+		if (!is_leaf)
+		    break;
+	    }
+	}
 	for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
-	     attr != NULL;
-	     ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
-							    entry, ber)) {
+	     attr != NULL; ldap_memfree(attr),
+	     attr = ldap_next_attribute(dict_ldap->ld, entry, ber)) {
+
 	    vals = ldap_get_values_len(dict_ldap->ld, entry, attr);
 	    if (vals == NULL) {
 		if (msg_verbose)
@@ -803,7 +857,6 @@ static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage * res,
 			     myname, recursion, attr);
 		continue;
 	    }
-
 	    valcount = ldap_count_values_len(vals);
 
 	    /*
@@ -830,36 +883,47 @@ static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage * res,
 	     * We compute the attribute type (ordinary or special) from its
 	     * index on the "result_attributes" list.
 	     */
-	    for (i = 0; dict_ldap->result_attributes->argv[i]; i++) {
-		if (strcasecmp(dict_ldap->result_attributes->argv[i], attr) == 0)
+	    for (i = 0; dict_ldap->result_attributes->argv[i]; i++)
+		if (strcasecmp(dict_ldap->result_attributes->argv[i],
+			       attr) == 0)
 		    break;
-	    }
 
 	    /*
 	     * Append each returned address to the result list, possibly
-	     * recursing (for dn or url attributes).
+	     * recursing (for dn or url attributes of non-terminal entries)
 	     */
-	    if (i < dict_ldap->num_attributes) {
-		/* Ordinary result attribute */
-		for (i = 0; i < valcount; i++) {
-		    if (db_common_expand(dict_ldap->ctx,
-					 dict_ldap->result_format,
-					 vals[i]->bv_val,
-					 name, result, 0)
-			&& dict_ldap->expansion_limit > 0
-			&& ++expansion > dict_ldap->expansion_limit) {
-			msg_warn("%s[%d]: %s: Expansion limit exceeded for key: '%s'",
-				 myname, recursion, dict_ldap->parser->name, name);
-			dict_errno = DICT_ERR_RETRY;
-			break;
+	    if (i < dict_ldap->num_attributes || is_terminal) {
+		if (is_terminal && i >= dict_ldap->num_terminal
+		    || !is_leaf &&
+		    i < dict_ldap->num_terminal + dict_ldap->num_leaf) {
+		    if (msg_verbose)
+			msg_info("%s[%d]: skipping %ld value(s) of %s "
+				 "attribute %s", myname, recursion, i,
+				 is_terminal ? "non-terminal" : "leaf-only",
+				 attr);
+		} else {
+		    /* Ordinary result attribute */
+		    for (i = 0; i < valcount; i++) {
+			if (db_common_expand(dict_ldap->ctx,
+					     dict_ldap->result_format,
+					     vals[i]->bv_val,
+					     name, result, 0)
+			    && dict_ldap->expansion_limit > 0
+			    && ++expansion > dict_ldap->expansion_limit) {
+			    msg_warn("%s[%d]: %s: Expansion limit exceeded "
+				     "for key: '%s'", myname, recursion,
+				     dict_ldap->parser->name, name);
+			    dict_errno = DICT_ERR_RETRY;
+			    break;
+			}
 		    }
+		    if (dict_errno != 0)
+			continue;
+		    if (msg_verbose)
+			msg_info("%s[%d]: search returned %ld value(s) for"
+				 " requested result attribute %s",
+				 myname, recursion, i, attr);
 		}
-		if (dict_errno != 0)
-		    continue;
-		if (msg_verbose)
-		    msg_info("%s[%d]: search returned %ld value(s) for"
-			     " requested result attribute %s",
-			     myname, recursion, i, attr);
 	    } else if (recursion < dict_ldap->recursion_limit
 		       && dict_ldap->result_attributes->argv[i]) {
 		/* Special result attribute */
@@ -872,7 +936,7 @@ static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage * res,
 			if (rc == 0) {
 			    rc = search_st(dict_ldap->ld, url->lud_dn,
 					   url->lud_scope, url->lud_filter,
-					   url->lud_attrs, dict_ldap->timeout,
+					 url->lud_attrs, dict_ldap->timeout,
 					   &resloop);
 			    ldap_free_urldesc(url);
 			}
@@ -973,7 +1037,6 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 	    msg_info("%s: Skipping lookup of '%s'", myname, name);
 	return (0);
     }
-
 #define INIT_VSTR(buf, len) do { \
 	if (buf == 0) \
 	    buf = vstring_alloc(len); \
@@ -1026,28 +1089,27 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 		 myname, dict_ldap->parser->name, dict_ldap->size_limit);
 
     /*
-     * Expand the search base and query. Skip lookup when the
-     * input key lacks sufficient domain components to satisfy
-     * all the requested %-substitutions.
-     *
-     * When the search base is not static, LDAP_NO_SUCH_OBJECT is
-     * expected and is therefore treated as a non-error: the lookup
-     * returns no results rather than a soft error.
+     * Expand the search base and query. Skip lookup when the input key lacks
+     * sufficient domain components to satisfy all the requested
+     * %-substitutions.
+     * 
+     * When the search base is not static, LDAP_NO_SUCH_OBJECT is expected and
+     * is therefore treated as a non-error: the lookup returns no results
+     * rather than a soft error.
      */
     if (!db_common_expand(dict_ldap->ctx, dict_ldap->search_base,
-    			  name, 0, base, rfc2253_quote)) {
-        if (msg_verbose > 1)
+			  name, 0, base, rfc2253_quote)) {
+	if (msg_verbose > 1)
 	    msg_info("%s: %s: Empty expansion for %s", myname,
 		     dict_ldap->parser->name, dict_ldap->search_base);
-        return (0);
+	return (0);
     }
-
     if (!db_common_expand(dict_ldap->ctx, dict_ldap->query,
 			  name, 0, query, rfc2254_quote)) {
-        if (msg_verbose > 1)
+	if (msg_verbose > 1)
 	    msg_info("%s: %s: Empty expansion for %s", myname,
 		     dict_ldap->parser->name, dict_ldap->query);
-        return (0);
+	return (0);
     }
 
     /*
@@ -1066,7 +1128,7 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 	    msg_info("%s: Lost connection for LDAP source %s, reopening",
 		     myname, dict_ldap->parser->name);
 
-	ldap_unbind_ext(dict_ldap->ld, 0, 0);
+	dict_ldap_unbind(dict_ldap->ld);
 	dict_ldap->ld = DICT_LDAP_CONN(dict_ldap)->conn_ld = 0;
 	dict_ldap_connect(dict_ldap);
 
@@ -1077,14 +1139,14 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 	    return (0);
 
 	rc = search_st(dict_ldap->ld, vstring_str(base), dict_ldap->scope,
-		       vstring_str(query), dict_ldap->result_attributes->argv,
+		     vstring_str(query), dict_ldap->result_attributes->argv,
 		       dict_ldap->timeout, &res);
 
     }
-
     switch (rc) {
 
     case LDAP_SUCCESS:
+
 	/*
 	 * Search worked; extract the requested result_attribute.
 	 */
@@ -1109,12 +1171,13 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 	break;
 
     case LDAP_NO_SUCH_OBJECT:
-        /*
-	 * If the search base is input key dependent, then not finding it,
-	 * is equivalent to not finding the input key. Sadly, we cannot
-	 * detect misconfiguration in this case.
+
+	/*
+	 * If the search base is input key dependent, then not finding it, is
+	 * equivalent to not finding the input key. Sadly, we cannot detect
+	 * misconfiguration in this case.
 	 */
-    	if (dict_ldap->dynamic_base)
+	if (dict_ldap->dynamic_base)
 	    break;
 
 	msg_warn("%s: %s: Search base '%s' not found: %d: %s",
@@ -1124,6 +1187,7 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 	break;
 
     default:
+
 	/*
 	 * Rats. The search didn't work.
 	 */
@@ -1134,7 +1198,7 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 	 * Tear down the connection so it gets set up from scratch on the
 	 * next lookup.
 	 */
-	ldap_unbind_ext(dict_ldap->ld, 0, 0);
+	dict_ldap_unbind(dict_ldap->ld);
 	dict_ldap->ld = DICT_LDAP_CONN(dict_ldap)->conn_ld = 0;
 
 	/*
@@ -1171,7 +1235,7 @@ static void dict_ldap_close(DICT *dict)
 	    if (msg_verbose)
 		msg_info("%s: Closed connection handle for LDAP source %s",
 			 myname, dict_ldap->parser->name);
-	    ldap_unbind_ext(conn->conn_ld, 0, 0);
+	    dict_ldap_unbind(conn->conn_ld);
 	}
 	binhash_delete(conn_hash, ht->key, ht->key_len, myfree);
     }
@@ -1180,7 +1244,7 @@ static void dict_ldap_close(DICT *dict)
     myfree(dict_ldap->search_base);
     myfree(dict_ldap->query);
     if (dict_ldap->result_format)
-        myfree(dict_ldap->result_format);
+	myfree(dict_ldap->result_format);
     argv_free(dict_ldap->result_attributes);
     myfree(dict_ldap->bind_dn);
     myfree(dict_ldap->bind_pw);
@@ -1282,11 +1346,11 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
 		dict_ldap->ldap_ssl = 1;
 	    ldap_free_urldesc(url_desc);
 	    if (VSTRING_LEN(url_list) > 0)
-	    	VSTRING_ADDCH(url_list, ' ');
+		VSTRING_ADDCH(url_list, ' ');
 	    vstring_strcat(url_list, h);
 	} else {
 	    if (VSTRING_LEN(url_list) > 0)
-	    	VSTRING_ADDCH(url_list, ' ');
+		VSTRING_ADDCH(url_list, ' ');
 	    if (strrchr(h, ':'))
 		vstring_sprintf_append(url_list, "ldap://%s", h);
 	    else
@@ -1344,24 +1408,26 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
      */
     dict_ldap->timeout = cfg_get_int(dict_ldap->parser, "timeout", 10, 0, 0);
 
-#if 0	/* No benefit from changing this to match the MySQL/PGSQL syntax */
+#if 0						/* No benefit from changing
+						 * this to match the
+						 * MySQL/PGSQL syntax */
     if ((dict_ldap->query =
-    	     cfg_get_str(dict_ldap->parser, "query", 0, 0, 0)) == 0)
+	 cfg_get_str(dict_ldap->parser, "query", 0, 0, 0)) == 0)
 #endif
-        dict_ldap->query =
+	dict_ldap->query =
 	    cfg_get_str(dict_ldap->parser, "query_filter",
 			"(mailacceptinggeneralid=%s)", 0, 0);
 
     if ((dict_ldap->result_format =
-        cfg_get_str(dict_ldap->parser, "result_format", 0, 0, 0)) == 0)
-        dict_ldap->result_format =
-                cfg_get_str(dict_ldap->parser, "result_filter", "%s", 1, 0);
+	 cfg_get_str(dict_ldap->parser, "result_format", 0, 0, 0)) == 0)
+	dict_ldap->result_format =
+	    cfg_get_str(dict_ldap->parser, "result_filter", "%s", 1, 0);
 
     /*
-     * Must parse all templates before we can use db_common_expand()
-     * If data dependent substitutions are found in the search base,
-     * treat NO_SUCH_OBJECT search errors as a non-matching key, rather
-     * than a fatal run-time error.
+     * Must parse all templates before we can use db_common_expand() If data
+     * dependent substitutions are found in the search base, treat
+     * NO_SUCH_OBJECT search errors as a non-matching key, rather than a
+     * fatal run-time error.
      */
     dict_ldap->ctx = 0;
     dict_ldap->dynamic_base =
@@ -1375,8 +1441,8 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
     db_common_parse_domain(dict_ldap->parser, dict_ldap->ctx);
 
     /*
-     * Maps that use substring keys should only be used with the full
-     * input key.
+     * Maps that use substring keys should only be used with the full input
+     * key.
      */
     if (db_common_dict_partial(dict_ldap->ctx))
 	dict_ldap->dict.flags |= DICT_FLAG_PATTERN;
@@ -1385,14 +1451,29 @@ DICT   *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
     if (dict_flags & DICT_FLAG_FOLD_FIX)
 	dict_ldap->dict.fold_buf = vstring_alloc(10);
 
-    attr = cfg_get_str(dict_ldap->parser, "result_attribute",
-		       "maildrop", 0, 0);
+    /* Order matters, first the terminal attributes: */
+    attr = cfg_get_str(dict_ldap->parser, "terminal_result_attribute", "", 0, 0);
     dict_ldap->result_attributes = argv_split(attr, " ,\t\r\n");
+    dict_ldap->num_terminal = dict_ldap->result_attributes->argc;
+    myfree(attr);
+
+    /* Order matters, next the leaf-only attributes: */
+    attr = cfg_get_str(dict_ldap->parser, "leaf_result_attribute", "", 0, 0);
+    if (*attr)
+	argv_split_append(dict_ldap->result_attributes, attr, " ,\t\r\n");
+    dict_ldap->num_leaf =
+	dict_ldap->result_attributes->argc - dict_ldap->num_terminal;
+    myfree(attr);
+
+    /* Order matters, next the regular attributes: */
+    attr = cfg_get_str(dict_ldap->parser, "result_attribute", "maildrop", 0, 0);
+    if (*attr)
+	argv_split_append(dict_ldap->result_attributes, attr, " ,\t\r\n");
     dict_ldap->num_attributes = dict_ldap->result_attributes->argc;
     myfree(attr);
 
-    attr = cfg_get_str(dict_ldap->parser, "special_result_attribute",
-		       "", 0, 0);
+    /* Order matters, finally the special attributes: */
+    attr = cfg_get_str(dict_ldap->parser, "special_result_attribute", "", 0, 0);
     if (*attr)
 	argv_split_append(dict_ldap->result_attributes, attr, " ,\t\r\n");
     myfree(attr);
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index b19682762..1ce1228a5 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20070224"
+#define MAIL_RELEASE_DATE	"20070320"
 #define MAIL_VERSION_NUMBER	"2.4"
 
 #ifdef SNAPSHOT
@@ -47,6 +47,24 @@ extern char *var_mail_version;
 #define DEF_MAIL_RELEASE	MAIL_RELEASE_DATE
 extern char *var_mail_release;
 
+ /*
+  * The following macros stamp executable files as well as core dumps. This
+  * information helps to answer the following questions:
+  * 
+  * - What Postfix versions(s) are installed on this machine?
+  * 
+  * - Is this installation mixing multiple Postfix versions?
+  * 
+  * - What Postfix version generated this core dump?
+  */
+#include <string.h>
+
+#define MAIL_VERSION_STAMP_DECLARE \
+    char *mail_version_stamp
+
+#define MAIL_VERSION_STAMP_ALLOCATE \
+    mail_version_stamp = strdup(VAR_MAIL_VERSION "=" DEF_MAIL_VERSION)
+
 /* LICENSE
 /* .ad
 /* .fi
diff --git a/postfix/src/global/rec_type.h b/postfix/src/global/rec_type.h
index 80313b310..3edb5fcbd 100644
--- a/postfix/src/global/rec_type.h
+++ b/postfix/src/global/rec_type.h
@@ -57,7 +57,7 @@
 
 #define REC_TYPE_CONT	'L'		/* long data record */
 #define REC_TYPE_NORM	'N'		/* normal data record */
-#define REC_TYPE_DTXT	'w'		/* deleted data record */
+#define REC_TYPE_DTXT	'w'		/* padding (was: deleted data) */
 
 #define REC_TYPE_XTRA	'X'		/* start extracted records */
 
@@ -82,9 +82,12 @@
   * contains pure recipient sequences only, then the queue manager will not
   * have to read all the queue file records before starting delivery. This is
   * often the case with list mail, where such optimization is desirable.
+  * 
+  * XXX These definitions include the respective segment terminators to avoid
+  * special cases in the cleanup(8) envelope and extracted record processors.
   */
-#define REC_TYPE_ENV_RECIPIENT	"DRO/Kon"
-#define REC_TYPE_EXT_RECIPIENT	"DRO/Kon"
+#define REC_TYPE_ENV_RECIPIENT	"MDRO/Kon"
+#define REC_TYPE_EXT_RECIPIENT	"EDRO/Kon"
 
  /*
   * The types of records that I expect to see while processing different
diff --git a/postfix/src/local/Makefile.in b/postfix/src/local/Makefile.in
index bd9814b5f..f22a5646e 100644
--- a/postfix/src/local/Makefile.in
+++ b/postfix/src/local/Makefile.in
@@ -353,6 +353,7 @@ local.o: ../../include/mail_addr.h
 local.o: ../../include/mail_conf.h
 local.o: ../../include/mail_params.h
 local.o: ../../include/mail_server.h
+local.o: ../../include/mail_version.h
 local.o: ../../include/maps.h
 local.o: ../../include/mbox_conf.h
 local.o: ../../include/msg.h
diff --git a/postfix/src/local/local.c b/postfix/src/local/local.c
index 623bd4782..557be6f4d 100644
--- a/postfix/src/local/local.c
+++ b/postfix/src/local/local.c
@@ -501,11 +501,11 @@
 /* .IP "\fBlocal_command_shell (empty)\fR"
 /*	Optional shell program for \fBlocal\fR(8) delivery to non-Postfix command.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprepend_delivered_header (command, file, forward)\fR"
 /*	The message delivery contexts where the Postfix \fBlocal\fR(8) delivery
 /*	agent prepends a Delivered-To:  message header with the address
@@ -595,6 +595,7 @@
 #include <mail_conf.h>
 #include <been_here.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <ext_prop.h>
 #include <maps.h>
 #include <flush_clnt.h>
@@ -845,6 +846,8 @@ static void pre_init(char *unused_name, char **unused_argv)
     flush_init();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -896,6 +899,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     single_server_main(argc, argv, local_service,
 		       MAIL_SERVER_INT_TABLE, int_table,
 		       MAIL_SERVER_STR_TABLE, str_table,
diff --git a/postfix/src/master/Makefile.in b/postfix/src/master/Makefile.in
index 2138f0a48..d8230c1b7 100644
--- a/postfix/src/master/Makefile.in
+++ b/postfix/src/master/Makefile.in
@@ -180,6 +180,7 @@ master_service.o: master.h
 master_service.o: master_service.c
 master_sig.o: ../../include/events.h
 master_sig.o: ../../include/iostuff.h
+master_sig.o: ../../include/killme_after.h
 master_sig.o: ../../include/msg.h
 master_sig.o: ../../include/posix_signals.h
 master_sig.o: ../../include/sys_defs.h
diff --git a/postfix/src/master/master.c b/postfix/src/master/master.c
index 3304b1cdb..ed9f94277 100644
--- a/postfix/src/master/master.c
+++ b/postfix/src/master/master.c
@@ -87,11 +87,11 @@
 /*	The default maximal number of Postfix child processes that provide
 /*	a given service.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBservice_throttle_time (60s)\fR"
 /*	How long the Postfix \fBmaster\fR(8) waits before forking a server that
 /*	appears to be malfunctioning.
@@ -209,6 +209,8 @@ static NORETURN usage(const char *me)
     msg_fatal("usage: %s [-c config_dir] [-D (debug)] [-d (don't detach from terminal)] [-e exit_time] [-t (test)] [-v]", me);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - main program */
 
 int     main(int argc, char **argv)
@@ -225,6 +227,11 @@ int     main(int argc, char **argv)
     WATCHDOG *watchdog;
     ARGV   *import_env;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Initialize.
      */
diff --git a/postfix/src/master/multi_server.c b/postfix/src/master/multi_server.c
index c4dbb5c7d..ede015d8b 100644
--- a/postfix/src/master/multi_server.c
+++ b/postfix/src/master/multi_server.c
@@ -393,7 +393,7 @@ static void multi_server_accept_local(int unused_event, char *context)
 	msg_fatal("select unlock: %m");
     if (fd < 0) {
 	if (errno != EAGAIN)
-	    msg_fatal("accept connection: %m");
+	    msg_error("accept connection: %m");
 	if (time_left >= 0)
 	    event_request_timer(multi_server_timeout, (char *) 0, time_left);
 	return;
@@ -430,7 +430,7 @@ static void multi_server_accept_pass(int unused_event, char *context)
 	msg_fatal("select unlock: %m");
     if (fd < 0) {
 	if (errno != EAGAIN)
-	    msg_fatal("accept connection: %m");
+	    msg_error("accept connection: %m");
 	if (time_left >= 0)
 	    event_request_timer(multi_server_timeout, (char *) 0, time_left);
 	return;
@@ -467,7 +467,7 @@ static void multi_server_accept_inet(int unused_event, char *context)
 	msg_fatal("select unlock: %m");
     if (fd < 0) {
 	if (errno != EAGAIN)
-	    msg_fatal("accept connection: %m");
+	    msg_error("accept connection: %m");
 	if (time_left >= 0)
 	    event_request_timer(multi_server_timeout, (char *) 0, time_left);
 	return;
@@ -626,6 +626,14 @@ NORETURN multi_server_main(int argc, char **argv, MULTI_SERVER_FN service,...)
     if (redo_syslog_init)
 	msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
 
+    /*
+     * If not connected to stdin, stdin must not be a terminal.
+     */
+    if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
+	msg_vstream_init(var_procname, VSTREAM_ERR);
+	msg_fatal("do not run this command by hand");
+    }
+
     /*
      * Application-specific initialization.
      */
@@ -694,14 +702,6 @@ NORETURN multi_server_main(int argc, char **argv, MULTI_SERVER_FN service,...)
     if (user_name)
 	user_name = var_mail_owner;
 
-    /*
-     * If not connected to stdin, stdin must not be a terminal.
-     */
-    if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
-	msg_vstream_init(var_procname, VSTREAM_ERR);
-	msg_fatal("do not run this command by hand");
-    }
-
     /*
      * Can options be required?
      */
diff --git a/postfix/src/master/single_server.c b/postfix/src/master/single_server.c
index 7e67eaa57..244b6798f 100644
--- a/postfix/src/master/single_server.c
+++ b/postfix/src/master/single_server.c
@@ -291,7 +291,7 @@ static void single_server_accept_local(int unused_event, char *context)
 	msg_fatal("select unlock: %m");
     if (fd < 0) {
 	if (errno != EAGAIN)
-	    msg_fatal("accept connection: %m");
+	    msg_error("accept connection: %m");
 	if (time_left >= 0)
 	    event_request_timer(single_server_timeout, (char *) 0, time_left);
 	return;
@@ -327,7 +327,7 @@ static void single_server_accept_pass(int unused_event, char *context)
 	msg_fatal("select unlock: %m");
     if (fd < 0) {
 	if (errno != EAGAIN)
-	    msg_fatal("accept connection: %m");
+	    msg_error("accept connection: %m");
 	if (time_left >= 0)
 	    event_request_timer(single_server_timeout, (char *) 0, time_left);
 	return;
@@ -363,7 +363,7 @@ static void single_server_accept_inet(int unused_event, char *context)
 	msg_fatal("select unlock: %m");
     if (fd < 0) {
 	if (errno != EAGAIN)
-	    msg_fatal("accept connection: %m");
+	    msg_error("accept connection: %m");
 	if (time_left >= 0)
 	    event_request_timer(single_server_timeout, (char *) 0, time_left);
 	return;
@@ -519,6 +519,14 @@ NORETURN single_server_main(int argc, char **argv, SINGLE_SERVER_FN service,...)
     if (redo_syslog_init)
 	msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
 
+    /*
+     * If not connected to stdin, stdin must not be a terminal.
+     */
+    if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
+	msg_vstream_init(var_procname, VSTREAM_ERR);
+	msg_fatal("do not run this command by hand");
+    }
+
     /*
      * Application-specific initialization.
      */
@@ -584,14 +592,6 @@ NORETURN single_server_main(int argc, char **argv, SINGLE_SERVER_FN service,...)
     if (user_name)
 	user_name = var_mail_owner;
 
-    /*
-     * If not connected to stdin, stdin must not be a terminal.
-     */
-    if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
-	msg_vstream_init(var_procname, VSTREAM_ERR);
-	msg_fatal("do not run this command by hand");
-    }
-
     /*
      * Can options be required?
      */
diff --git a/postfix/src/master/trigger_server.c b/postfix/src/master/trigger_server.c
index 1e0846207..e420d895e 100644
--- a/postfix/src/master/trigger_server.c
+++ b/postfix/src/master/trigger_server.c
@@ -315,7 +315,7 @@ static void trigger_server_accept_local(int unused_event, char *context)
 	msg_fatal("select unlock: %m");
     if (fd < 0) {
 	if (errno != EAGAIN)
-	    msg_fatal("accept connection: %m");
+	    msg_error("accept connection: %m");
 	if (time_left >= 0)
 	    event_request_timer(trigger_server_timeout, (char *) 0, time_left);
 	return;
@@ -361,7 +361,7 @@ static void trigger_server_accept_pass(int unused_event, char *context)
 	msg_fatal("select unlock: %m");
     if (fd < 0) {
 	if (errno != EAGAIN)
-	    msg_fatal("accept connection: %m");
+	    msg_error("accept connection: %m");
 	if (time_left >= 0)
 	    event_request_timer(trigger_server_timeout, (char *) 0, time_left);
 	return;
@@ -526,6 +526,14 @@ NORETURN trigger_server_main(int argc, char **argv, TRIGGER_SERVER_FN service,..
     if (redo_syslog_init)
 	msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
 
+    /*
+     * If not connected to stdin, stdin must not be a terminal.
+     */
+    if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
+	msg_vstream_init(var_procname, VSTREAM_ERR);
+	msg_fatal("do not run this command by hand");
+    }
+
     /*
      * Application-specific initialization.
      */
@@ -591,14 +599,6 @@ NORETURN trigger_server_main(int argc, char **argv, TRIGGER_SERVER_FN service,..
     if (user_name)
 	user_name = var_mail_owner;
 
-    /*
-     * If not connected to stdin, stdin must not be a terminal.
-     */
-    if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
-	msg_vstream_init(var_procname, VSTREAM_ERR);
-	msg_fatal("do not run this command by hand");
-    }
-
     /*
      * Can options be required?
      * 
diff --git a/postfix/src/milter/Makefile.in b/postfix/src/milter/Makefile.in
index 4b10cda9b..ce66bd170 100644
--- a/postfix/src/milter/Makefile.in
+++ b/postfix/src/milter/Makefile.in
@@ -100,6 +100,7 @@ milter8.o: ../../include/connect.h
 milter8.o: ../../include/header_opts.h
 milter8.o: ../../include/iostuff.h
 milter8.o: ../../include/is_header.h
+milter8.o: ../../include/mail_params.h
 milter8.o: ../../include/mail_proto.h
 milter8.o: ../../include/mime_state.h
 milter8.o: ../../include/msg.h
diff --git a/postfix/src/oqmgr/Makefile.in b/postfix/src/oqmgr/Makefile.in
index 136bd72e6..7c6b21cce 100644
--- a/postfix/src/oqmgr/Makefile.in
+++ b/postfix/src/oqmgr/Makefile.in
@@ -75,6 +75,7 @@ qmgr.o: ../../include/mail_params.h
 qmgr.o: ../../include/mail_proto.h
 qmgr.o: ../../include/mail_queue.h
 qmgr.o: ../../include/mail_server.h
+qmgr.o: ../../include/mail_version.h
 qmgr.o: ../../include/master_proto.h
 qmgr.o: ../../include/msg.h
 qmgr.o: ../../include/recipient_list.h
diff --git a/postfix/src/oqmgr/qmgr.c b/postfix/src/oqmgr/qmgr.c
index 84baa7cac..6b7b037a3 100644
--- a/postfix/src/oqmgr/qmgr.c
+++ b/postfix/src/oqmgr/qmgr.c
@@ -294,6 +294,7 @@
 #include <recipient_list.h>
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_proto.h>			/* QMGR_SCAN constants */
 #include <mail_flow.h>
 #include <flush_clnt.h>
@@ -548,6 +549,8 @@ static void qmgr_post_init(char *unused_name, char **unused_argv)
     qmgr_deferred_run_event(0, (char *) 0);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -584,6 +587,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Use the trigger service skeleton, because no-one else should be
      * monitoring our service port while this process runs, and because we do
diff --git a/postfix/src/pickup/Makefile.in b/postfix/src/pickup/Makefile.in
index f416e3cb1..07e39f2e1 100644
--- a/postfix/src/pickup/Makefile.in
+++ b/postfix/src/pickup/Makefile.in
@@ -69,6 +69,7 @@ pickup.o: ../../include/mail_params.h
 pickup.o: ../../include/mail_proto.h
 pickup.o: ../../include/mail_queue.h
 pickup.o: ../../include/mail_server.h
+pickup.o: ../../include/mail_version.h
 pickup.o: ../../include/msg.h
 pickup.o: ../../include/mymalloc.h
 pickup.o: ../../include/rec_attr_map.h
diff --git a/postfix/src/pickup/pickup.c b/postfix/src/pickup/pickup.c
index 04514a448..153f36326 100644
--- a/postfix/src/pickup/pickup.c
+++ b/postfix/src/pickup/pickup.c
@@ -67,11 +67,11 @@
 /*	Upon input, long lines are chopped up into pieces of at most
 /*	this length; upon delivery, long lines are reconstructed.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -141,6 +141,7 @@
 #include <lex_822.h>
 #include <input_transp.h>
 #include <rec_attr_map.h>
+#include <mail_version.h>
 
 /* Single-threaded server skeleton. */
 
@@ -570,6 +571,8 @@ static void post_jail_init(char *unused_name, char **unused_argv)
 	input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the multi-threaded server skeleton */
 
 int     main(int argc, char **argv)
@@ -580,6 +583,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Use the multi-threaded skeleton, because no-one else should be
      * monitoring our service socket while this process runs.
diff --git a/postfix/src/pipe/Makefile.in b/postfix/src/pipe/Makefile.in
index f4e286670..c661d7420 100644
--- a/postfix/src/pipe/Makefile.in
+++ b/postfix/src/pipe/Makefile.in
@@ -77,6 +77,7 @@ pipe.o: ../../include/mail_conf.h
 pipe.o: ../../include/mail_copy.h
 pipe.o: ../../include/mail_params.h
 pipe.o: ../../include/mail_server.h
+pipe.o: ../../include/mail_version.h
 pipe.o: ../../include/msg.h
 pipe.o: ../../include/msg_stats.h
 pipe.o: ../../include/mymalloc.h
diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c
index 839b93108..164896ca6 100644
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@@ -118,8 +118,8 @@
 /*	by, for example, \fBUUCP\fR software.
 /* .RE
 /* .IP "\fBnull_sender\fR=\fIreplacement\fR (default: MAILER-DAEMON)"
-/*	Replace the null sender address, which is typically used
-/*	for delivery status notifications, with the specified text
+/*	Replace the null sender address (typically used for delivery
+/*	status notifications) with the specified text
 /*	when expanding the \fB$sender\fR command-line macro, and
 /*	when generating a From_ or Return-Path: message header.
 /*
@@ -329,11 +329,11 @@
 /*	The UNIX system account that owns the Postfix queue and most Postfix
 /*	daemon processes.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -400,6 +400,7 @@
 #include <recipient_list.h>
 #include <deliver_request.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_conf.h>
 #include <bounce.h>
 #include <defer.h>
@@ -1196,6 +1197,8 @@ static void pre_init(char *unused_name, char **unused_argv)
     flush_init();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -1205,6 +1208,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     single_server_main(argc, argv, pipe_service,
 		       MAIL_SERVER_TIME_TABLE, time_table,
 		       MAIL_SERVER_PRE_INIT, pre_init,
diff --git a/postfix/src/postalias/Makefile.in b/postfix/src/postalias/Makefile.in
index 109dd6f71..2e748382e 100644
--- a/postfix/src/postalias/Makefile.in
+++ b/postfix/src/postalias/Makefile.in
@@ -87,6 +87,7 @@ postalias.o: ../../include/mail_conf.h
 postalias.o: ../../include/mail_dict.h
 postalias.o: ../../include/mail_params.h
 postalias.o: ../../include/mail_task.h
+postalias.o: ../../include/mail_version.h
 postalias.o: ../../include/mkmap.h
 postalias.o: ../../include/msg.h
 postalias.o: ../../include/msg_syslog.h
diff --git a/postfix/src/postalias/postalias.c b/postfix/src/postalias/postalias.c
index 3a6e5683a..955116b99 100644
--- a/postfix/src/postalias/postalias.c
+++ b/postfix/src/postalias/postalias.c
@@ -236,6 +236,7 @@
 #include <mail_conf.h>
 #include <mail_dict.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mkmap.h>
 #include <mail_task.h>
 
@@ -598,6 +599,8 @@ static NORETURN usage(char *myname)
 	      myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 int     main(int argc, char **argv)
 {
     char   *path_name;
@@ -613,6 +616,11 @@ int     main(int argc, char **argv)
     int     sequence = 0;
     int     found;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
diff --git a/postfix/src/postcat/Makefile.in b/postfix/src/postcat/Makefile.in
index e92b6b71f..237bf6092 100644
--- a/postfix/src/postcat/Makefile.in
+++ b/postfix/src/postcat/Makefile.in
@@ -63,6 +63,7 @@ postcat.o: ../../include/mail_conf.h
 postcat.o: ../../include/mail_params.h
 postcat.o: ../../include/mail_proto.h
 postcat.o: ../../include/mail_queue.h
+postcat.o: ../../include/mail_version.h
 postcat.o: ../../include/msg.h
 postcat.o: ../../include/msg_vstream.h
 postcat.o: ../../include/rec_type.h
diff --git a/postfix/src/postcat/postcat.c b/postfix/src/postcat/postcat.c
index 7f043f4c3..1db3d506b 100644
--- a/postfix/src/postcat/postcat.c
+++ b/postfix/src/postcat/postcat.c
@@ -88,6 +88,7 @@
 #include <mail_queue.h>
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_proto.h>
 
 /* Application-specific. */
@@ -239,6 +240,8 @@ static NORETURN usage(char *myname)
 	      myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 int     main(int argc, char **argv)
 {
     VSTRING *buffer;
@@ -258,6 +261,11 @@ int     main(int argc, char **argv)
     char  **cpp;
     int     tries;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * To minimize confusion, make sure that the standard file descriptors
      * are open before opening anything else. XXX Work around for 44BSD where
diff --git a/postfix/src/postconf/extract.awk b/postfix/src/postconf/extract.awk
index 25069f439..77cd7440f 100644
--- a/postfix/src/postconf/extract.awk
+++ b/postfix/src/postconf/extract.awk
@@ -22,7 +22,7 @@
     }
 }
 /^(static| )*CONFIG_STR_TABLE .*\{/,/\};/ { 
-    if ($1 ~ /VAR/) {
+    if ($1 ~ /^VAR/) {
 	print "char *" substr($3,2,length($3)-2) ";" > "str_vars.h"
 	if (++stab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
 	    print |"sed 's/[ 	][ 	]*/ /g' > str_table.h"
@@ -30,7 +30,7 @@
     }
 }
 /^(static| )*CONFIG_RAW_TABLE .*\{/,/\};/ { 
-    if ($1 ~ /VAR/) {
+    if ($1 ~ /^VAR/) {
 	print "char *" substr($3,2,length($3)-2) ";" > "raw_vars.h"
 	if (++rtab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
 	    print |"sed 's/[ 	][ 	]*/ /g' > raw_table.h"
@@ -38,7 +38,7 @@
     }
 }
 /^(static| )*CONFIG_BOOL_TABLE .*\{/,/\};/ { 
-    if ($1 ~ /VAR/) {
+    if ($1 ~ /^VAR/) {
 	print "int " substr($3,2,length($3)-2) ";" > "bool_vars.h"
 	if (++btab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
 	    print |"sed 's/[ 	][ 	]*/ /g' > bool_table.h"
@@ -46,7 +46,7 @@
     }
 }
 /^(static| )*CONFIG_TIME_TABLE .*\{/,/\};/ { 
-    if ($1 ~ /VAR/) {
+    if ($1 ~ /^VAR/) {
 	print "int " substr($3,2,length($3)-2) ";" > "time_vars.h"
 	if (++ttab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
 	    print |"sed 's/[ 	][ 	]*/ /g' > time_table.h" 
diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c
index 376644fe9..dfa03612d 100644
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -960,6 +960,8 @@ static void show_parameters(int mode, char **names)
     }
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main */
 
 int     main(int argc, char **argv)
@@ -970,6 +972,11 @@ int     main(int argc, char **argv)
     int     junk;
     ARGV   *ext_argv = 0;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
diff --git a/postfix/src/postdrop/Makefile.in b/postfix/src/postdrop/Makefile.in
index 178b14ba9..06afb8492 100644
--- a/postfix/src/postdrop/Makefile.in
+++ b/postfix/src/postdrop/Makefile.in
@@ -68,6 +68,7 @@ postdrop.o: ../../include/mail_proto.h
 postdrop.o: ../../include/mail_queue.h
 postdrop.o: ../../include/mail_stream.h
 postdrop.o: ../../include/mail_task.h
+postdrop.o: ../../include/mail_version.h
 postdrop.o: ../../include/msg.h
 postdrop.o: ../../include/msg_syslog.h
 postdrop.o: ../../include/msg_vstream.h
diff --git a/postfix/src/postdrop/postdrop.c b/postfix/src/postdrop/postdrop.c
index 3bd19c8a4..7668df8da 100644
--- a/postfix/src/postdrop/postdrop.c
+++ b/postfix/src/postdrop/postdrop.c
@@ -126,6 +126,7 @@
 #include <mail_proto.h>
 #include <mail_queue.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_conf.h>
 #include <mail_task.h>
 #include <clean_env.h>
@@ -206,6 +207,8 @@ static void postdrop_cleanup(void)
     postdrop_sig(0);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -229,6 +232,12 @@ int     main(int argc, char **argv)
     const char *errstr;
     char   *junk;
     struct timeval start;
+    int     saved_errno;
+
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
 
     /*
      * Be consistent with file permissions.
@@ -427,9 +436,12 @@ int     main(int argc, char **argv)
 	    continue;
 	}
 	if (REC_PUT_BUF(dst->stream, rec_type, buf) < 0) {
-	    while ((rec_type = rec_get(VSTREAM_IN, buf, var_line_limit)) > 0
-		   && rec_type != REC_TYPE_END)
+	    /* rec_get() errors must not clobber errno. */
+	    saved_errno = errno;
+	    while (rec_get_raw(VSTREAM_IN, buf, var_line_limit,
+			       REC_FLAG_NONE) > 0)
 		 /* void */ ;
+	    errno = saved_errno;
 	    break;
 	}
 	if (rec_type == REC_TYPE_END)
@@ -441,8 +453,8 @@ int     main(int argc, char **argv)
      * Finish the file.
      */
     if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
-	postdrop_cleanup();
 	msg_warn("uid=%ld: %m", (long) uid);
+	postdrop_cleanup();
     }
 
     /*
diff --git a/postfix/src/postfix/Makefile.in b/postfix/src/postfix/Makefile.in
index f61f6703d..ef7c63cac 100644
--- a/postfix/src/postfix/Makefile.in
+++ b/postfix/src/postfix/Makefile.in
@@ -65,6 +65,7 @@ postfix.o: ../../include/argv.h
 postfix.o: ../../include/clean_env.h
 postfix.o: ../../include/mail_conf.h
 postfix.o: ../../include/mail_params.h
+postfix.o: ../../include/mail_version.h
 postfix.o: ../../include/msg.h
 postfix.o: ../../include/msg_syslog.h
 postfix.o: ../../include/msg_vstream.h
diff --git a/postfix/src/postfix/postfix.c b/postfix/src/postfix/postfix.c
index 784526c47..d2bb01284 100644
--- a/postfix/src/postfix/postfix.c
+++ b/postfix/src/postfix/postfix.c
@@ -291,6 +291,7 @@
 
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 
 /* Additional installation parameters. */
 
@@ -311,6 +312,8 @@ static void check_setenv(char *name, char *value)
 	msg_fatal("setenv: %m");
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - run administrative script from controlled environment */
 
 int     main(int argc, char **argv)
@@ -332,6 +335,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
diff --git a/postfix/src/postkick/Makefile.in b/postfix/src/postkick/Makefile.in
index 527598be8..7271ed1d0 100644
--- a/postfix/src/postkick/Makefile.in
+++ b/postfix/src/postkick/Makefile.in
@@ -63,6 +63,7 @@ postkick.o: ../../include/iostuff.h
 postkick.o: ../../include/mail_conf.h
 postkick.o: ../../include/mail_params.h
 postkick.o: ../../include/mail_proto.h
+postkick.o: ../../include/mail_version.h
 postkick.o: ../../include/msg.h
 postkick.o: ../../include/msg_vstream.h
 postkick.o: ../../include/mymalloc.h
diff --git a/postfix/src/postkick/postkick.c b/postfix/src/postkick/postkick.c
index 8446f4069..93df8d0e3 100644
--- a/postfix/src/postkick/postkick.c
+++ b/postfix/src/postkick/postkick.c
@@ -96,6 +96,7 @@
 
 #include <mail_proto.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_conf.h>
 
 static NORETURN usage(char *myname)
@@ -103,6 +104,8 @@ static NORETURN usage(char *myname)
     msg_fatal("usage: %s [-c config_dir] [-v] class service request", myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 int     main(int argc, char **argv)
 {
     char   *class;
@@ -113,6 +116,11 @@ int     main(int argc, char **argv)
     char   *slash;
     int     c;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * To minimize confusion, make sure that the standard file descriptors
      * are open before opening anything else. XXX Work around for 44BSD where
diff --git a/postfix/src/postlock/Makefile.in b/postfix/src/postlock/Makefile.in
index b97c2b9d4..7024d7139 100644
--- a/postfix/src/postlock/Makefile.in
+++ b/postfix/src/postlock/Makefile.in
@@ -66,6 +66,7 @@ postlock.o: ../../include/dsn_util.h
 postlock.o: ../../include/iostuff.h
 postlock.o: ../../include/mail_conf.h
 postlock.o: ../../include/mail_params.h
+postlock.o: ../../include/mail_version.h
 postlock.o: ../../include/mbox_conf.h
 postlock.o: ../../include/mbox_open.h
 postlock.o: ../../include/msg.h
diff --git a/postfix/src/postlock/postlock.c b/postfix/src/postlock/postlock.c
index ab3a4ecf3..e2814bce3 100644
--- a/postfix/src/postlock/postlock.c
+++ b/postfix/src/postlock/postlock.c
@@ -112,6 +112,7 @@
 /* Global library. */
 
 #include <mail_params.h>
+#include <mail_version.h>
 #include <dot_lockfile.h>
 #include <deliver_flock.h>
 #include <mail_conf.h>
@@ -136,6 +137,8 @@ static void fatal_exit(void)
     exit(EX_TEMPFAIL);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - go for it */
 
 int     main(int argc, char **argv)
@@ -153,6 +156,11 @@ int     main(int argc, char **argv)
     char   *lock_style = 0;
     MBOX   *mp;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
diff --git a/postfix/src/postlog/Makefile.in b/postfix/src/postlog/Makefile.in
index d0e135930..5882fd33f 100644
--- a/postfix/src/postlog/Makefile.in
+++ b/postfix/src/postlog/Makefile.in
@@ -64,6 +64,7 @@ depend: $(MAKES)
 postlog.o: ../../include/mail_conf.h
 postlog.o: ../../include/mail_params.h
 postlog.o: ../../include/mail_task.h
+postlog.o: ../../include/mail_version.h
 postlog.o: ../../include/msg.h
 postlog.o: ../../include/msg_output.h
 postlog.o: ../../include/msg_syslog.h
diff --git a/postfix/src/postlog/postlog.c b/postfix/src/postlog/postlog.c
index ef6d37ea1..5ed28a152 100644
--- a/postfix/src/postlog/postlog.c
+++ b/postfix/src/postlog/postlog.c
@@ -97,6 +97,7 @@
 /* Global library. */
 
 #include <mail_params.h>		/* XXX right place for LOG_FACILITY? */
+#include <mail_version.h>
 #include <mail_conf.h>
 #include <mail_task.h>
 
@@ -160,6 +161,8 @@ static void log_stream(int level, VSTREAM *fp)
     vstring_free(buf);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - logger */
 
 int     main(int argc, char **argv)
@@ -172,6 +175,11 @@ int     main(int argc, char **argv)
     int     log_flags = 0;
     int     level = MSG_INFO;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
diff --git a/postfix/src/postmap/Makefile.in b/postfix/src/postmap/Makefile.in
index a71a34f84..508fae4ec 100644
--- a/postfix/src/postmap/Makefile.in
+++ b/postfix/src/postmap/Makefile.in
@@ -87,6 +87,7 @@ postmap.o: ../../include/mail_conf.h
 postmap.o: ../../include/mail_dict.h
 postmap.o: ../../include/mail_params.h
 postmap.o: ../../include/mail_task.h
+postmap.o: ../../include/mail_version.h
 postmap.o: ../../include/mkmap.h
 postmap.o: ../../include/msg.h
 postmap.o: ../../include/msg_syslog.h
diff --git a/postfix/src/postmap/postmap.c b/postfix/src/postmap/postmap.c
index d2f15684a..5befc3e69 100644
--- a/postfix/src/postmap/postmap.c
+++ b/postfix/src/postmap/postmap.c
@@ -42,7 +42,7 @@
 /*	The \fIkey\fR and \fIvalue\fR are processed as is, except that
 /*	surrounding white space is stripped off. Unlike with Postfix alias
 /*	databases, quotes cannot be used to protect lookup keys that contain
-/*	special characters such as `#' or whitespace. 
+/*	special characters such as `#' or whitespace.
 /*
 /*	By default the lookup key is mapped to lowercase to make
 /*	the lookups case insensitive; as of Postfix 2.3 this case
@@ -245,6 +245,7 @@
 #include <mail_conf.h>
 #include <mail_dict.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mkmap.h>
 #include <mail_task.h>
 
@@ -427,7 +428,7 @@ static int postmap_queries(VSTREAM *in, char **maps, const int map_count,
 /* postmap_query - query a map and print the result to stdout */
 
 static int postmap_query(const char *map_type, const char *map_name,
-			           const char *key, int dict_flags)
+			         const char *key, int dict_flags)
 {
     DICT   *dict;
     const char *value;
@@ -450,7 +451,7 @@ static int postmap_query(const char *map_type, const char *map_name,
 /* postmap_deletes - apply multiple requests from stdin */
 
 static int postmap_deletes(VSTREAM *in, char **maps, const int map_count,
-			             int dict_flags)
+			           int dict_flags)
 {
     int     found = 0;
     VSTRING *keybuf = vstring_alloc(100);
@@ -495,7 +496,7 @@ static int postmap_deletes(VSTREAM *in, char **maps, const int map_count,
 /* postmap_delete - delete a (key, value) pair from a map */
 
 static int postmap_delete(const char *map_type, const char *map_name,
-			            const char *key, int dict_flags)
+			          const char *key, int dict_flags)
 {
     DICT   *dict;
     int     status;
@@ -509,7 +510,7 @@ static int postmap_delete(const char *map_type, const char *map_name,
 /* postmap_seq - print all map entries to stdout */
 
 static void postmap_seq(const char *map_type, const char *map_name,
-			          int dict_flags)
+			        int dict_flags)
 {
     DICT   *dict;
     const char *key;
@@ -543,6 +544,8 @@ static NORETURN usage(char *myname)
 	      myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 int     main(int argc, char **argv)
 {
     char   *path_name;
@@ -558,6 +561,11 @@ int     main(int argc, char **argv)
     int     sequence = 0;
     int     found;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
@@ -663,15 +671,15 @@ int     main(int argc, char **argv)
 	    usage(argv[0]);
 	if (strcmp(delkey, "-") == 0)
 	    exit(postmap_deletes(VSTREAM_IN, argv + optind, argc - optind,
-				   dict_flags | DICT_FLAG_LOCK) == 0);
+				 dict_flags | DICT_FLAG_LOCK) == 0);
 	found = 0;
 	while (optind < argc) {
 	    if ((path_name = split_at(argv[optind], ':')) != 0) {
 		found |= postmap_delete(argv[optind], path_name, delkey,
-					  dict_flags | DICT_FLAG_LOCK);
+					dict_flags | DICT_FLAG_LOCK);
 	    } else {
 		found |= postmap_delete(var_db_type, argv[optind], delkey,
-					  dict_flags | DICT_FLAG_LOCK);
+					dict_flags | DICT_FLAG_LOCK);
 	    }
 	    optind++;
 	}
@@ -681,14 +689,14 @@ int     main(int argc, char **argv)
 	    usage(argv[0]);
 	if (strcmp(query, "-") == 0)
 	    exit(postmap_queries(VSTREAM_IN, argv + optind, argc - optind,
-				   dict_flags | DICT_FLAG_LOCK) == 0);
+				 dict_flags | DICT_FLAG_LOCK) == 0);
 	while (optind < argc) {
 	    if ((path_name = split_at(argv[optind], ':')) != 0) {
 		found = postmap_query(argv[optind], path_name, query,
-					dict_flags | DICT_FLAG_LOCK);
+				      dict_flags | DICT_FLAG_LOCK);
 	    } else {
 		found = postmap_query(var_db_type, argv[optind], query,
-					dict_flags | DICT_FLAG_LOCK);
+				      dict_flags | DICT_FLAG_LOCK);
 	    }
 	    if (found)
 		exit(0);
@@ -699,10 +707,10 @@ int     main(int argc, char **argv)
 	while (optind < argc) {
 	    if ((path_name = split_at(argv[optind], ':')) != 0) {
 		postmap_seq(argv[optind], path_name,
-			      dict_flags | DICT_FLAG_LOCK);
+			    dict_flags | DICT_FLAG_LOCK);
 	    } else {
 		postmap_seq(var_db_type, argv[optind],
-			      dict_flags | DICT_FLAG_LOCK);
+			    dict_flags | DICT_FLAG_LOCK);
 	    }
 	    exit(0);
 	}
diff --git a/postfix/src/postqueue/Makefile.in b/postfix/src/postqueue/Makefile.in
index 7a0a39ca9..4e80a3c81 100644
--- a/postfix/src/postqueue/Makefile.in
+++ b/postfix/src/postqueue/Makefile.in
@@ -71,6 +71,7 @@ postqueue.o: ../../include/mail_proto.h
 postqueue.o: ../../include/mail_queue.h
 postqueue.o: ../../include/mail_run.h
 postqueue.o: ../../include/mail_task.h
+postqueue.o: ../../include/mail_version.h
 postqueue.o: ../../include/msg.h
 postqueue.o: ../../include/msg_syslog.h
 postqueue.o: ../../include/msg_vstream.h
diff --git a/postfix/src/postqueue/postqueue.c b/postfix/src/postqueue/postqueue.c
index 8013277be..dad7b592b 100644
--- a/postfix/src/postqueue/postqueue.c
+++ b/postfix/src/postqueue/postqueue.c
@@ -192,6 +192,7 @@
 
 #include <mail_proto.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_conf.h>
 #include <mail_task.h>
 #include <mail_run.h>
@@ -230,8 +231,8 @@
   * establish frequent proof of client liveliness with challenge/response, or
   * the client needs to restrict expensive requests to privileged users only.
   * 
-  * We don't have this problem with queue listings. The showq server detects
-  * an EPIPE error after reporting a few queue entries.
+  * We don't have this problem with queue listings. The showq server detects an
+  * EPIPE error after reporting a few queue entries.
   */
 #define PQ_MODE_DEFAULT		0	/* noop */
 #define PQ_MODE_MAILQ_LIST	1	/* list mail queue */
@@ -429,6 +430,8 @@ static NORETURN usage(void)
     msg_fatal_status(EX_USAGE, "usage: postqueue -f | postqueue -i queueid | postqueue -p | postqueue -s site");
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -443,6 +446,11 @@ int     main(int argc, char **argv)
     ARGV   *import_env;
     int     bad_site;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
diff --git a/postfix/src/postsuper/Makefile.in b/postfix/src/postsuper/Makefile.in
index b131fe88b..0df70b1ad 100644
--- a/postfix/src/postsuper/Makefile.in
+++ b/postfix/src/postsuper/Makefile.in
@@ -63,6 +63,7 @@ postsuper.o: ../../include/mail_open_ok.h
 postsuper.o: ../../include/mail_params.h
 postsuper.o: ../../include/mail_queue.h
 postsuper.o: ../../include/mail_task.h
+postsuper.o: ../../include/mail_version.h
 postsuper.o: ../../include/msg.h
 postsuper.o: ../../include/msg_syslog.h
 postsuper.o: ../../include/msg_vstream.h
diff --git a/postfix/src/postsuper/postsuper.c b/postfix/src/postsuper/postsuper.c
index a8bcedde8..47f67485c 100644
--- a/postfix/src/postsuper/postsuper.c
+++ b/postfix/src/postsuper/postsuper.c
@@ -253,6 +253,7 @@
 #include <mail_task.h>
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_queue.h>
 #include <mail_open_ok.h>
 
@@ -988,6 +989,8 @@ static void fatal_warning(void)
     interrupted(0);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 int     main(int argc, char **argv)
 {
     int     fd;
@@ -1031,6 +1034,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
diff --git a/postfix/src/proxymap/Makefile.in b/postfix/src/proxymap/Makefile.in
index 565afbf6d..c4ccf673d 100644
--- a/postfix/src/proxymap/Makefile.in
+++ b/postfix/src/proxymap/Makefile.in
@@ -67,6 +67,7 @@ proxymap.o: ../../include/mail_conf.h
 proxymap.o: ../../include/mail_params.h
 proxymap.o: ../../include/mail_proto.h
 proxymap.o: ../../include/mail_server.h
+proxymap.o: ../../include/mail_version.h
 proxymap.o: ../../include/msg.h
 proxymap.o: ../../include/mymalloc.h
 proxymap.o: ../../include/stringops.h
diff --git a/postfix/src/proxymap/proxymap.c b/postfix/src/proxymap/proxymap.c
index 076d8089f..a9eb0c06b 100644
--- a/postfix/src/proxymap/proxymap.c
+++ b/postfix/src/proxymap/proxymap.c
@@ -102,11 +102,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -159,6 +159,7 @@
 
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_proto.h>
 #include <dict_proxy.h>
 
@@ -429,6 +430,8 @@ static void pre_accept(char *unused_name, char **unused_argv)
     }
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the multi-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -450,6 +453,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     multi_server_main(argc, argv, proxymap_service,
 		      MAIL_SERVER_STR_TABLE, str_table,
 		      MAIL_SERVER_POST_INIT, post_jail_init,
diff --git a/postfix/src/qmgr/Makefile.in b/postfix/src/qmgr/Makefile.in
index 75b86bf91..d7db1a073 100644
--- a/postfix/src/qmgr/Makefile.in
+++ b/postfix/src/qmgr/Makefile.in
@@ -77,6 +77,7 @@ qmgr.o: ../../include/mail_params.h
 qmgr.o: ../../include/mail_proto.h
 qmgr.o: ../../include/mail_queue.h
 qmgr.o: ../../include/mail_server.h
+qmgr.o: ../../include/mail_version.h
 qmgr.o: ../../include/master_proto.h
 qmgr.o: ../../include/msg.h
 qmgr.o: ../../include/recipient_list.h
diff --git a/postfix/src/qmgr/qmgr.c b/postfix/src/qmgr/qmgr.c
index 4ab22b02d..4cc999671 100644
--- a/postfix/src/qmgr/qmgr.c
+++ b/postfix/src/qmgr/qmgr.c
@@ -346,6 +346,7 @@
 #include <recipient_list.h>
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_proto.h>			/* QMGR_SCAN constants */
 #include <mail_flow.h>
 #include <flush_clnt.h>
@@ -615,6 +616,8 @@ static void qmgr_post_init(char *name, char **unused_argv)
     qmgr_deferred_run_event(0, (char *) 0);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -659,6 +662,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Use the trigger service skeleton, because no-one else should be
      * monitoring our service port while this process runs, and because we do
diff --git a/postfix/src/qmqpd/Makefile.in b/postfix/src/qmqpd/Makefile.in
index 84c5523b8..ef50fda86 100644
--- a/postfix/src/qmqpd/Makefile.in
+++ b/postfix/src/qmqpd/Makefile.in
@@ -72,6 +72,7 @@ qmqpd.o: ../../include/mail_params.h
 qmqpd.o: ../../include/mail_proto.h
 qmqpd.o: ../../include/mail_server.h
 qmqpd.o: ../../include/mail_stream.h
+qmqpd.o: ../../include/mail_version.h
 qmqpd.o: ../../include/match_list.h
 qmqpd.o: ../../include/match_ops.h
 qmqpd.o: ../../include/match_parent_style.h
diff --git a/postfix/src/qmqpd/qmqpd.c b/postfix/src/qmqpd/qmqpd.c
index 0254a3875..171ecae63 100644
--- a/postfix/src/qmqpd/qmqpd.c
+++ b/postfix/src/qmqpd/qmqpd.c
@@ -95,11 +95,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -165,6 +165,7 @@
 /* Global library. */
 
 #include <mail_params.h>
+#include <mail_version.h>
 #include <record.h>
 #include <rec_type.h>
 #include <mail_proto.h>
@@ -759,6 +760,8 @@ static void post_jail_init(char *unused_name, char **unused_argv)
     input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -775,6 +778,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Pass control to the single-threaded service skeleton.
      */
diff --git a/postfix/src/scache/Makefile.in b/postfix/src/scache/Makefile.in
index e5282e84f..c6ab06562 100644
--- a/postfix/src/scache/Makefile.in
+++ b/postfix/src/scache/Makefile.in
@@ -65,6 +65,7 @@ scache.o: ../../include/mail_conf.h
 scache.o: ../../include/mail_params.h
 scache.o: ../../include/mail_proto.h
 scache.o: ../../include/mail_server.h
+scache.o: ../../include/mail_version.h
 scache.o: ../../include/msg.h
 scache.o: ../../include/ring.h
 scache.o: ../../include/scache.h
diff --git a/postfix/src/scache/scache.c b/postfix/src/scache/scache.c
index 9d2b0dbb7..f75ec306a 100644
--- a/postfix/src/scache/scache.c
+++ b/postfix/src/scache/scache.c
@@ -102,8 +102,8 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -155,6 +155,7 @@
 /* Global library. */
 
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_proto.h>
 #include <scache.h>
 
@@ -532,6 +533,8 @@ static void post_jail_init(char *unused_name, char **unused_argv)
     scache_start_time = event_time();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the multi-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -542,6 +545,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     multi_server_main(argc, argv, scache_service,
 		      MAIL_SERVER_TIME_TABLE, time_table,
 		      MAIL_SERVER_POST_INIT, post_jail_init,
diff --git a/postfix/src/sendmail/Makefile.in b/postfix/src/sendmail/Makefile.in
index cf9dbeeaa..262b9b8f8 100644
--- a/postfix/src/sendmail/Makefile.in
+++ b/postfix/src/sendmail/Makefile.in
@@ -76,6 +76,7 @@ sendmail.o: ../../include/mail_queue.h
 sendmail.o: ../../include/mail_run.h
 sendmail.o: ../../include/mail_stream.h
 sendmail.o: ../../include/mail_task.h
+sendmail.o: ../../include/mail_version.h
 sendmail.o: ../../include/mime_state.h
 sendmail.o: ../../include/msg.h
 sendmail.o: ../../include/msg_stats.h
diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c
index 242896e24..30fef831e 100644
--- a/postfix/src/sendmail/sendmail.c
+++ b/postfix/src/sendmail/sendmail.c
@@ -222,7 +222,7 @@
 /* .ad
 /* .fi
 /*	By design, this program is not set-user (or group) id. However,
-/*	it must handle data from untrusted users or untrusted machines.
+/*	it must handle data from untrusted, possibly remote, users.
 /*	Thus, the usual precautions need to be taken against malicious
 /*	inputs.
 /* DIAGNOSTICS
@@ -419,6 +419,7 @@
 #include <mail_queue.h>
 #include <mail_proto.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <record.h>
 #include <rec_type.h>
 #include <rec_streamlf.h>
@@ -897,6 +898,8 @@ static void tempfail(void)
     exit(EX_TEMPFAIL);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -924,6 +927,11 @@ int     main(int argc, char **argv)
     const char *dsn_envid = 0;
     int     saved_optind;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Be consistent with file permissions.
      */
@@ -1009,7 +1017,7 @@ int     main(int argc, char **argv)
     optind = saved_optind;
     mail_conf_read();
     if (strcmp(var_syslog_name, DEF_SYSLOG_NAME) != 0)
-        msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
+	msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
     get_mail_conf_str_table(str_table);
 
     if (chdir(var_queue_dir))
diff --git a/postfix/src/showq/Makefile.in b/postfix/src/showq/Makefile.in
index 2783e9700..d4cd349cb 100644
--- a/postfix/src/showq/Makefile.in
+++ b/postfix/src/showq/Makefile.in
@@ -72,6 +72,7 @@ showq.o: ../../include/mail_proto.h
 showq.o: ../../include/mail_queue.h
 showq.o: ../../include/mail_scan_dir.h
 showq.o: ../../include/mail_server.h
+showq.o: ../../include/mail_version.h
 showq.o: ../../include/msg.h
 showq.o: ../../include/mymalloc.h
 showq.o: ../../include/quote_822_local.h
diff --git a/postfix/src/showq/showq.c b/postfix/src/showq/showq.c
index 8cbb27897..8e1cc2d04 100644
--- a/postfix/src/showq/showq.c
+++ b/postfix/src/showq/showq.c
@@ -55,11 +55,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -122,6 +122,7 @@
 #include <mail_proto.h>
 #include <mail_date.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_scan_dir.h>
 #include <mail_conf.h>
 #include <record.h>
@@ -143,8 +144,8 @@ char   *var_empty_addr;
 #define SENDER_FORMAT	"%-11s %7ld %20.20s %s\n"
 #define DROP_FORMAT	"%-10s%c %7ld %20.20s (maildrop queue, sender UID %u)\n"
 
-static void showq_reasons(VSTREAM *, BOUNCE_LOG *, RCPT_BUF *, DSN_BUF *, 
-HTABLE *);
+static void showq_reasons(VSTREAM *, BOUNCE_LOG *, RCPT_BUF *, DSN_BUF *,
+			          HTABLE *);
 
 #define STR(x)	vstring_str(x)
 
@@ -260,8 +261,8 @@ static void showq_report(VSTREAM *client, char *queue, char *id,
 
 /* showq_reasons - show deferral reasons */
 
-static void showq_reasons(VSTREAM *client, BOUNCE_LOG *bp, RCPT_BUF *rcpt_buf, 
-DSN_BUF *dsn_buf, HTABLE *dup_filter)
+static void showq_reasons(VSTREAM *client, BOUNCE_LOG *bp, RCPT_BUF *rcpt_buf,
+			          DSN_BUF *dsn_buf, HTABLE *dup_filter)
 {
     char   *saved_reason = 0;
     int     padding;
@@ -395,6 +396,8 @@ static void showq_service(VSTREAM *client, char *unused_service, char **argv)
     }
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded server skeleton */
 
 int     main(int argc, char **argv)
@@ -408,6 +411,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     single_server_main(argc, argv, showq_service,
 		       MAIL_SERVER_INT_TABLE, int_table,
 		       MAIL_SERVER_STR_TABLE, str_table,
diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in
index 9b10ef251..8e578347d 100644
--- a/postfix/src/smtp/Makefile.in
+++ b/postfix/src/smtp/Makefile.in
@@ -9,7 +9,7 @@ HDRS	= smtp.h smtp_sasl.h smtp_addr.h smtp_reuse.h
 TESTSRC	= 
 DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
 CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
-TESTPROG= smtp_unalias smtp_map11 legacy levels
+TESTPROG= smtp_unalias smtp_map11
 PROG	= smtp
 INC_DIR	= ../../include
 LIBS	= ../../lib/libmaster.a ../../lib/libtls.a ../../lib/libdns.a \
@@ -65,12 +65,6 @@ smtp_unalias: smtp_unalias.c $(LIBS)
 smtp_map11: smtp_map11.c $(LIBS)
 	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS) $(SYSLIBS)
 
-legacy:	legacy.c $(LIBS)
-	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS)
-
-levels: levels.c $(LIBS)
-	$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS)
-
 # This needs trivial-rewrite service and myorigin==mydomain
 smtp_map11_test: smtp_map11 map11_map smtp_map11.ref
 	../postmap/postmap map11_map
@@ -91,42 +85,6 @@ depend: $(MAKES)
 	@$(EXPORT) make -f Makefile.in Makefile 1>&2
 
 # do not edit below this line - it is generated by 'make depend'
-legacy.o: ../../include/msg.h
-legacy.o: ../../include/stringops.h
-legacy.o: ../../include/sys_defs.h
-legacy.o: ../../include/vbuf.h
-legacy.o: ../../include/vstream.h
-legacy.o: ../../include/vstring.h
-legacy.o: ../../include/vstring_vstream.h
-legacy.o: legacy.c
-levels.o: ../../include/argv.h
-levels.o: ../../include/attr.h
-levels.o: ../../include/deliver_request.h
-levels.o: ../../include/dict.h
-levels.o: ../../include/dsn.h
-levels.o: ../../include/dsn_buf.h
-levels.o: ../../include/htable.h
-levels.o: ../../include/maps.h
-levels.o: ../../include/match_list.h
-levels.o: ../../include/match_ops.h
-levels.o: ../../include/msg.h
-levels.o: ../../include/msg_stats.h
-levels.o: ../../include/name_code.h
-levels.o: ../../include/name_mask.h
-levels.o: ../../include/recipient_list.h
-levels.o: ../../include/resolve_clnt.h
-levels.o: ../../include/scache.h
-levels.o: ../../include/string_list.h
-levels.o: ../../include/stringops.h
-levels.o: ../../include/sys_defs.h
-levels.o: ../../include/tls.h
-levels.o: ../../include/tok822.h
-levels.o: ../../include/vbuf.h
-levels.o: ../../include/vstream.h
-levels.o: ../../include/vstring.h
-levels.o: ../../include/vstring_vstream.h
-levels.o: levels.c
-levels.o: smtp.h
 lmtp_params.o: lmtp_params.c
 smtp.o: ../../include/argv.h
 smtp.o: ../../include/attr.h
@@ -141,6 +99,7 @@ smtp.o: ../../include/htable.h
 smtp.o: ../../include/mail_conf.h
 smtp.o: ../../include/mail_params.h
 smtp.o: ../../include/mail_server.h
+smtp.o: ../../include/mail_version.h
 smtp.o: ../../include/maps.h
 smtp.o: ../../include/match_list.h
 smtp.o: ../../include/match_ops.h
@@ -210,6 +169,7 @@ smtp_chat.o: ../../include/dsn.h
 smtp_chat.o: ../../include/dsn_buf.h
 smtp_chat.o: ../../include/dsn_util.h
 smtp_chat.o: ../../include/htable.h
+smtp_chat.o: ../../include/int_filt.h
 smtp_chat.o: ../../include/line_wrap.h
 smtp_chat.o: ../../include/mail_addr.h
 smtp_chat.o: ../../include/mail_error.h
diff --git a/postfix/src/smtp/legacy.c b/postfix/src/smtp/legacy.c
deleted file mode 100644
index 867d02ce9..000000000
--- a/postfix/src/smtp/legacy.c
+++ /dev/null
@@ -1,205 +0,0 @@
- /*
-  * The old legacy TLS per-site policy engine, implemented with multiple
-  * boolean variables, stripped down for exhaustive comparison with the new
-  * legacy policy engine.
-  */
-/* System library. */
-
-#include <sys_defs.h>
-#include <string.h>
-#include <stdlib.h>
-
-#ifdef STRCASECMP_IN_STRINGS_H
-#include <strings.h>
-#endif
-
-/* Utility library. */
-
-#include <msg.h>
-#include <vstring.h>
-#include <vstring_vstream.h>
-#include <stringops.h>
-
- /*
-  * Global policy variables.
-  */
-int     var_smtp_enforce_tls;
-int     var_smtp_tls_enforce_peername;
-int     var_smtp_use_tls;
-
- /*
-  * Simplified session structure.
-  */
-typedef struct {
-    int     tls_use_tls;
-    int     tls_enforce_tls;
-    int     tls_enforce_peername;
-} SMTP_SESSION;
-
- /*
-  * Per-site policies can override main.cf settings.
-  */
-typedef struct {
-    int     dont_use;			/* don't use TLS */
-    int     use;			/* useless, see above */
-    int     enforce;			/* must always use TLS */
-    int     enforce_peername;		/* must verify certificate name */
-} SMTP_TLS_SITE_POLICY;
-
-/* smtp_tls_site_policy - look up per-site TLS policy */
-
-static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy,
-				         const char *lookup)
-{
-
-    /*
-     * Initialize the default policy.
-     */
-    policy->dont_use = 0;
-    policy->use = 0;
-    policy->enforce = 0;
-    policy->enforce_peername = 0;
-
-    /*
-     * Look up a non-default policy.
-     */
-    if (strcasecmp(lookup, "-")) {
-	if (!strcasecmp(lookup, "NONE"))
-	    policy->dont_use = 1;
-	else if (!strcasecmp(lookup, "MAY"))
-	    policy->use = 1;
-	else if (!strcasecmp(lookup, "MUST"))
-	    policy->enforce = policy->enforce_peername = 1;
-	else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
-	    policy->enforce = 1;
-	else
-	    msg_fatal("unknown TLS policy '%s'", lookup);
-    }
-}
-
-static void policy(SMTP_SESSION *session, const char *host, const char *dest)
-{
-    SMTP_TLS_SITE_POLICY host_policy;
-    SMTP_TLS_SITE_POLICY rcpt_policy;
-
-    session->tls_use_tls = session->tls_enforce_tls = 0;
-    session->tls_enforce_peername = 0;
-
-    /*
-     * Override the main.cf TLS policy with an optional per-site policy.
-     */
-    smtp_tls_site_policy(&host_policy, host);
-    smtp_tls_site_policy(&rcpt_policy, dest);
-
-    /*
-     * Fix 200601: a combined per-site (NONE + MAY) policy changed global
-     * MUST into NONE, and all weaker global policies into MAY. This was
-     * discovered with exhaustive simulation. Fix verified by comparing
-     * exhaustive simulation results with Postfix 2.3 which re-implements
-     * per-site policies from the ground up.
-     */
-#ifdef FIX200601
-    if ((host_policy.dont_use || rcpt_policy.dont_use)
-	&& (host_policy.use || rcpt_policy.use)) {
-	host_policy.use = rcpt_policy.use = 0;
-	host_policy.dont_use = rcpt_policy.dont_use = 1;
-    }
-#endif
-
-    /*
-     * Set up TLS enforcement for this session.
-     */
-    if ((var_smtp_enforce_tls && !host_policy.dont_use && !rcpt_policy.dont_use)
-	|| host_policy.enforce || rcpt_policy.enforce)
-	session->tls_enforce_tls = session->tls_use_tls = 1;
-
-    /*
-     * Set up peername checking for this session.
-     * 
-     * We want to make sure that a MUST* entry in the tls_per_site table always
-     * has precedence. MUST always must lead to a peername check,
-     * MUST_NOPEERMATCH must always disable it. Only when no explicit setting
-     * has been found, the default will be used.
-     * 
-     * Fix 200601: a per-site MUST_NOPEERMATCH policy could not override a
-     * global MUST policy. Fix verified by comparing exhaustive simulation
-     * results with Postfix 2.3 which re-implements per-site policy from the
-     * ground up.
-     */
-    if (host_policy.enforce && host_policy.enforce_peername)
-	session->tls_enforce_peername = 1;
-    else if (rcpt_policy.enforce && rcpt_policy.enforce_peername)
-	session->tls_enforce_peername = 1;
-    else if (
-#ifdef FIX200601
-	     !host_policy.enforce && !rcpt_policy.enforce &&	/* Fix 200601 */
-#endif
-	     var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
-	session->tls_enforce_peername = 1;
-    else if ((var_smtp_use_tls && !host_policy.dont_use && !rcpt_policy.dont_use) || host_policy.use || rcpt_policy.use)
-	session->tls_use_tls = 1;
-}
-
-static void set_global_policy(const char *global)
-{
-    var_smtp_tls_enforce_peername = var_smtp_enforce_tls = var_smtp_use_tls = 0;
-
-    if (strcasecmp(global, "must") == 0) {
-	var_smtp_enforce_tls = 1;		/* XXX */
-	var_smtp_tls_enforce_peername = 1;
-    } else if (strcasecmp(global, "must_nopeermatch") == 0) {
-	var_smtp_enforce_tls = 1;
-    } else if (strcasecmp(global, "may") == 0) {
-	var_smtp_use_tls = 1;
-    } else if (strcasecmp(global, "-") !=0) {
-	msg_fatal("unknown global policy: %s", global);
-    }
-}
-
-static const char *print_policy(SMTP_SESSION *session)
-{
-    if (session->tls_enforce_peername && session->tls_enforce_tls)
-	return ("must");
-    if (session->tls_enforce_tls)
-	return ("must_nopeermatch");
-    if (session->tls_use_tls)
-	return ("may");
-    return ("none");
-}
-
-int     main(int argc, char **argv)
-{
-    SMTP_SESSION session;
-    VSTRING *buf = vstring_alloc(200);
-    char   *cp;
-    const char *global;
-    const char *host;
-    const char *dest;
-    const char *result;
-    const char *sep = " \t\r\n";
-
-    vstream_printf("%-20s %-20s %-20s %s\n",
-		   "host", "dest", "global", "result");
-    while (vstring_get_nonl(buf, VSTREAM_IN) >= 0) {
-	cp = vstring_str(buf);
-	if (*cp == 0 || *cp == '#') {
-	    vstream_printf("%s\n", cp);
-	} else {
-	    if ((host = mystrtok(&cp, sep)) == 0)
-		msg_fatal("missing host policy");
-	    if ((dest = mystrtok(&cp, sep)) == 0)
-		msg_fatal("missing nexthop policy");
-	    if ((global = mystrtok(&cp, sep)) == 0)
-		msg_fatal("missing global policy");
-	    if (mystrtok(&cp, sep) != 0)
-		msg_fatal("garbage after global policy");
-	    set_global_policy(global);
-	    policy(&session, host, dest);
-	    result = print_policy(&session);
-	    vstream_printf("%-20s %-20s %-20s %s\n",
-			   host, dest, global, result);
-	}
-	vstream_fflush(VSTREAM_OUT);
-    }
-    exit(0);
-}
diff --git a/postfix/src/smtp/levels.c b/postfix/src/smtp/levels.c
deleted file mode 100644
index 7ca90e605..000000000
--- a/postfix/src/smtp/levels.c
+++ /dev/null
@@ -1,194 +0,0 @@
- /*
-  * The new legacy TLS per-site policy engine, re-implemented in terms of
-  * enforcement levels, stripped down for exhaustive comparisons with the old
-  * legacy policy engine.
-  * 
-  * This is the code that will be used in Postfix 2.3 so that sites can upgrade
-  * Postfix without being forced to change to the new TLS policy model.
-  */
-
-/* System library. */
-
-#include <sys_defs.h>
-#include <string.h>
-#include <stdlib.h>
-
-#ifdef STRCASECMP_IN_STRINGS_H
-#include <strings.h>
-#endif
-
-/* Utility library. */
-
-#include <msg.h>
-#include <vstring.h>
-#include <vstring_vstream.h>
-#include <stringops.h>
-
- /*
-  * TLS levels
-  */
-#include <tls.h>
-
- /*
-  * Application-specific.
-  */
-#include <smtp.h>
-
- /*
-  * Global policy variables.
-  */
-int     var_smtp_enforce_tls;
-int     var_smtp_tls_enforce_peername;
-int     var_smtp_use_tls;
-
-/* smtp_tls_policy_lookup - look up per-site TLS policy */
-
-static void smtp_tls_policy_lookup(int *site_level, const char *lookup)
-{
-
-    /*
-     * Look up a non-default policy. In case of multiple lookup results, the
-     * precedence order is a permutation of the TLS enforcement level order:
-     * VERIFY, ENCRYPT, NONE, MAY, NOTFOUND. I.e. we override MAY with a more
-     * specific policy including NONE, otherwise we choose the stronger
-     * enforcement level.
-     */
-    if (strcasecmp(lookup, "-")) {
-	if (!strcasecmp(lookup, "NONE")) {
-	    /* NONE overrides MAY or NOTFOUND. */
-	    if (*site_level <= TLS_LEV_MAY)
-		*site_level = TLS_LEV_NONE;
-	} else if (!strcasecmp(lookup, "MAY")) {
-	    /* MAY overrides NOTFOUND but not NONE. */
-	    if (*site_level < TLS_LEV_NONE)
-		*site_level = TLS_LEV_MAY;
-	} else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) {
-	    if (*site_level < TLS_LEV_ENCRYPT)
-		*site_level = TLS_LEV_ENCRYPT;
-	} else if (!strcasecmp(lookup, "MUST")) {
-	    if (*site_level < TLS_LEV_VERIFY)
-		*site_level = TLS_LEV_VERIFY;
-	} else {
-	    msg_fatal("unknown TLS policy '%s'", lookup);
-	}
-    }
-}
-
-static int policy(const char *host, const char *dest)
-{
-    int     global_level;
-    int     site_level;
-    int     tls_level;
-
-    /*
-     * Compute the global TLS policy. This is the default policy level when
-     * no per-site policy exists. It also is used to override a wild-card
-     * per-site policy.
-     */
-    if (var_smtp_enforce_tls)
-	global_level = var_smtp_tls_enforce_peername ?
-	    TLS_LEV_VERIFY : TLS_LEV_ENCRYPT;
-    else
-	global_level = var_smtp_use_tls ?
-	    TLS_LEV_MAY : TLS_LEV_NONE;
-
-    /*
-     * Compute the per-site TLS enforcement level. For compatibility with the
-     * original TLS patch, this algorithm is gives equal precedence to host
-     * and next-hop policies.
-     */
-    site_level = TLS_LEV_NOTFOUND;
-
-    smtp_tls_policy_lookup(&site_level, dest);
-    smtp_tls_policy_lookup(&site_level, host);
-
-    /*
-     * Override a wild-card per-site policy with a more specific global
-     * policy.
-     * 
-     * With the original TLS patch, 1) a per-site ENCRYPT could not override a
-     * global VERIFY, and 2) a combined per-site (NONE+MAY) policy produced
-     * inconsistent results: it changed a global VERIFY into NONE, while
-     * producing MAY with all weaker global policy settings.
-     * 
-     * With the current implementation, a combined per-site (NONE+MAY)
-     * consistently overrides global policy with NONE, and global policy can
-     * override only a per-site MAY wildcard. That is, specific policies
-     * consistently override wildcard policies, and (non-wildcard) per-site
-     * policies consistently override global policies.
-     */
-    if (site_level == TLS_LEV_NOTFOUND
-	|| (site_level == TLS_LEV_MAY
-	    && global_level > TLS_LEV_MAY))
-	tls_level = global_level;
-    else
-	tls_level = site_level;
-
-    return (tls_level);
-}
-
-static void set_global_policy(const char *global)
-{
-    var_smtp_tls_enforce_peername = var_smtp_enforce_tls = var_smtp_use_tls = 0;
-
-    if (strcasecmp(global, "must") == 0) {
-	var_smtp_enforce_tls = 1;		/* XXX */
-	var_smtp_tls_enforce_peername = 1;
-    } else if (strcasecmp(global, "must_nopeermatch") == 0) {
-	var_smtp_enforce_tls = 1;
-    } else if (strcasecmp(global, "may") == 0) {
-	var_smtp_use_tls = 1;
-    } else if (strcasecmp(global, "-") !=0) {
-	msg_fatal("unknown global policy: %s", global);
-    }
-}
-
-static const char *print_policy(int level)
-{
-    if (level == TLS_LEV_VERIFY)
-	return ("must");
-    if (level == TLS_LEV_ENCRYPT)
-	return ("must_nopeermatch");
-    if (level == TLS_LEV_MAY)
-	return ("may");
-    if (level == TLS_LEV_NONE)
-	return ("none");
-    msg_panic("unknown policy level %d", level);
-}
-
-int     main(int argc, char **argv)
-{
-    VSTRING *buf = vstring_alloc(200);
-    char   *cp;
-    const char *global;
-    const char *host;
-    const char *dest;
-    const char *result;
-    const char *sep = " \t\r\n";
-    int     level;
-
-    vstream_printf("%-20s %-20s %-20s %s\n",
-		   "host", "dest", "global", "result");
-    while (vstring_get_nonl(buf, VSTREAM_IN) > 0) {
-	cp = vstring_str(buf);
-	if (*cp == 0 || *cp == '#') {
-	    vstream_printf("%s\n", cp);
-	} else {
-	    if ((host = mystrtok(&cp, sep)) == 0)
-		msg_fatal("missing host policy");
-	    if ((dest = mystrtok(&cp, sep)) == 0)
-		msg_fatal("missing nexthop policy");
-	    if ((global = mystrtok(&cp, sep)) == 0)
-		msg_fatal("missing global policy");
-	    if (mystrtok(&cp, sep) != 0)
-		msg_fatal("garbage after global policy");
-	    set_global_policy(global);
-	    level = policy(host, dest);
-	    result = print_policy(level);
-	    vstream_printf("%-20s %-20s %-20s %s\n",
-			   host, dest, global, result);
-	}
-	vstream_fflush(VSTREAM_OUT);
-    }
-    exit(0);
-}
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 91ee7e814..29c91d586 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -33,7 +33,7 @@
 /*
 /*	By default, connection caching is enabled temporarily for
 /*	destinations that have a high volume of mail in the active
-/*	queue. Session caching can be enabled permanently for
+/*	queue. Connection caching can be enabled permanently for
 /*	specific destinations.
 /* SMTP DESTINATION SYNTAX
 /* .ad
@@ -200,7 +200,7 @@
 /*	case insensitive lists of LHLO keywords (pipelining, starttls,
 /*	auth, etc.) that the LMTP client will ignore in the LHLO response
 /*	from a remote LMTP server.
-/* .IP "\fBlmtp_discard_lhlo_keywords ($myhostname)\fR"
+/* .IP "\fBlmtp_discard_lhlo_keywords (empty)\fR"
 /*	A case insensitive list of LHLO keywords (pipelining, starttls,
 /*	auth, etc.) that the LMTP client will ignore in the LHLO response
 /*	from a remote LMTP server.
@@ -486,11 +486,11 @@
 /* .IP "\fBlmtp_tcp_port (24)\fR"
 /*	The default TCP port that the Postfix LMTP client connects to.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -602,6 +602,7 @@
 
 #include <deliver_request.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_conf.h>
 #include <debug_peer.h>
 #include <flush_clnt.h>
@@ -947,6 +948,8 @@ static void pre_accept(char *unused_name, char **unused_argv)
     }
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -955,6 +958,11 @@ int     main(int argc, char **argv)
 #include "lmtp_params.c"
     int     smtp_mode;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * XXX At this point, var_procname etc. are not initialized.
      */
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index ed8d3f75e..2d1a12c5f 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -581,12 +581,11 @@ int     smtp_helo(SMTP_STATE *state)
 	     * Send STARTTLS. Recurse when the server accepts STARTTLS, after
 	     * resetting the SASL and EHLO features lists.
 	     * 
-	     * XXX Reset the SASL mechanism list to avoid spurious warnings. We
-	     * need a routine to reset the list instead of groping data here.
+	     * Reset the SASL mechanism list to avoid spurious warnings.
 	     * 
-	     * XXX Should not there be an smtp_sasl_tls_security_options feature
-	     * to allow different mechanisms across TLS tunnels than across
-	     * plain-text connections?
+	     * Use the smtp_sasl_tls_security_options feature to allow SASL
+	     * mechanisms that may not be allowed with plain-text
+	     * connections.
 	     */
 	    smtp_chat_cmd(session, "STARTTLS");
 	    if ((resp = smtp_chat_resp(session))->code / 100 == 2) {
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index f38a0fe3c..601a1f538 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -775,11 +775,11 @@
 /*	The UNIX system account that owns the Postfix queue and most Postfix
 /*	daemon processes.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
 /*	The internet hostname of this mail system.
 /* .IP "\fBmynetworks (see 'postconf -d' output)\fR"
@@ -4401,6 +4401,8 @@ static void post_jail_init(char *unused_name, char **unused_argv)
 	anvil_clnt = anvil_clnt_create();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -4572,6 +4574,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Pass control to the single-threaded service skeleton.
      */
diff --git a/postfix/src/smtpstone/Makefile.in b/postfix/src/smtpstone/Makefile.in
index 6de57d175..3c0316e73 100644
--- a/postfix/src/smtpstone/Makefile.in
+++ b/postfix/src/smtpstone/Makefile.in
@@ -82,6 +82,7 @@ qmqp-sink.o: ../../include/events.h
 qmqp-sink.o: ../../include/inet_proto.h
 qmqp-sink.o: ../../include/iostuff.h
 qmqp-sink.o: ../../include/listen.h
+qmqp-sink.o: ../../include/mail_version.h
 qmqp-sink.o: ../../include/msg.h
 qmqp-sink.o: ../../include/msg_vstream.h
 qmqp-sink.o: ../../include/mymalloc.h
@@ -99,6 +100,7 @@ qmqp-source.o: ../../include/host_port.h
 qmqp-source.o: ../../include/inet_proto.h
 qmqp-source.o: ../../include/iostuff.h
 qmqp-source.o: ../../include/mail_date.h
+qmqp-source.o: ../../include/mail_version.h
 qmqp-source.o: ../../include/msg.h
 qmqp-source.o: ../../include/msg_vstream.h
 qmqp-source.o: ../../include/myaddrinfo.h
@@ -114,14 +116,20 @@ qmqp-source.o: ../../include/vbuf.h
 qmqp-source.o: ../../include/vstream.h
 qmqp-source.o: ../../include/vstring.h
 qmqp-source.o: qmqp-source.c
+smtp-sink.o: ../../include/chroot_uid.h
 smtp-sink.o: ../../include/events.h
 smtp-sink.o: ../../include/get_hostname.h
 smtp-sink.o: ../../include/inet_proto.h
 smtp-sink.o: ../../include/iostuff.h
 smtp-sink.o: ../../include/listen.h
+smtp-sink.o: ../../include/mail_date.h
+smtp-sink.o: ../../include/mail_version.h
+smtp-sink.o: ../../include/make_dirs.h
 smtp-sink.o: ../../include/msg.h
 smtp-sink.o: ../../include/msg_vstream.h
+smtp-sink.o: ../../include/myaddrinfo.h
 smtp-sink.o: ../../include/mymalloc.h
+smtp-sink.o: ../../include/myrand.h
 smtp-sink.o: ../../include/sane_accept.h
 smtp-sink.o: ../../include/smtp_stream.h
 smtp-sink.o: ../../include/stringops.h
@@ -138,6 +146,7 @@ smtp-source.o: ../../include/host_port.h
 smtp-source.o: ../../include/inet_proto.h
 smtp-source.o: ../../include/iostuff.h
 smtp-source.o: ../../include/mail_date.h
+smtp-source.o: ../../include/mail_version.h
 smtp-source.o: ../../include/msg.h
 smtp-source.o: ../../include/msg_vstream.h
 smtp-source.o: ../../include/myaddrinfo.h
diff --git a/postfix/src/smtpstone/qmqp-sink.c b/postfix/src/smtpstone/qmqp-sink.c
index 30390e627..f89cd194f 100644
--- a/postfix/src/smtpstone/qmqp-sink.c
+++ b/postfix/src/smtpstone/qmqp-sink.c
@@ -79,6 +79,7 @@
 /* Global library. */
 
 #include <qmqp_proto.h>
+#include <mail_version.h>
 
 /* Application-specific. */
 
@@ -239,6 +240,8 @@ static void usage(char *myname)
     msg_fatal("usage: %s [-cv] [-x time] [host]:port backlog", myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 int     main(int argc, char **argv)
 {
     int     sock;
@@ -248,6 +251,11 @@ int     main(int argc, char **argv)
     const char *protocols = INET_PROTO_NAME_ALL;
     INET_PROTO_INFO *proto_info;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Fix 20051207.
      */
diff --git a/postfix/src/smtpstone/qmqp-source.c b/postfix/src/smtpstone/qmqp-source.c
index 2606e6e11..33282ac40 100644
--- a/postfix/src/smtpstone/qmqp-source.c
+++ b/postfix/src/smtpstone/qmqp-source.c
@@ -110,6 +110,7 @@
 
 #include <mail_date.h>
 #include <qmqp_proto.h>
+#include <mail_version.h>
 
 /* Application-specific. */
 
@@ -442,6 +443,8 @@ static void usage(char *myname)
     msg_fatal("usage: %s -cv -s sess -l msglen -m msgs -C count -M myhostname -f from -t to -R delay -w delay host[:port]", myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - parse JCL and start the machine */
 
 int     main(int argc, char **argv)
@@ -463,6 +466,11 @@ int     main(int argc, char **argv)
     const char *protocols = INET_PROTO_NAME_ALL;
     INET_PROTO_INFO *proto_info;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     signal(SIGPIPE, SIG_IGN);
     msg_vstream_init(argv[0], VSTREAM_ERR);
 
diff --git a/postfix/src/smtpstone/smtp-sink.c b/postfix/src/smtpstone/smtp-sink.c
index b18278fa9..d5b0bcd7e 100644
--- a/postfix/src/smtpstone/smtp-sink.c
+++ b/postfix/src/smtpstone/smtp-sink.c
@@ -266,6 +266,7 @@
 
 #include <smtp_stream.h>
 #include <mail_date.h>
+#include <mail_version.h>
 
 /* Application-specific. */
 
@@ -1249,6 +1250,8 @@ static void usage(char *myname)
     msg_fatal("usage: %s [-468acCeEFLpPv] [-A abort_delay] [-f commands] [-h hostname] [-m max_concurrency] [-n quit_count] [-q commands] [-r commands] [-s commands] [-w delay] [-d dump-template] [-D dump-template] [-R root-dir] [-S start-string] [-u user_privs] [host]:port backlog", myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 int     main(int argc, char **argv)
 {
     int     backlog;
@@ -1258,6 +1261,11 @@ int     main(int argc, char **argv)
     const char *root_dir = 0;
     const char *user_privs = 0;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Fix 20051207.
      */
diff --git a/postfix/src/smtpstone/smtp-source.c b/postfix/src/smtpstone/smtp-source.c
index 9a736e14a..52306cf8c 100644
--- a/postfix/src/smtpstone/smtp-source.c
+++ b/postfix/src/smtpstone/smtp-source.c
@@ -137,6 +137,7 @@
 
 #include <smtp_stream.h>
 #include <mail_date.h>
+#include <mail_version.h>
 
 /* Application-specific. */
 
@@ -794,6 +795,8 @@ static void usage(char *myname)
     msg_fatal("usage: %s -cdLNov -s sess -l msglen -m msgs -C count -M myhostname -f from -t to -r rcptcount -R delay -w delay host[:port]", myname);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - parse JCL and start the machine */
 
 int     main(int argc, char **argv)
@@ -813,6 +816,11 @@ int     main(int argc, char **argv)
     const char *protocols = INET_PROTO_NAME_ALL;
     INET_PROTO_INFO *proto_info;
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     signal(SIGPIPE, SIG_IGN);
     msg_vstream_init(argv[0], VSTREAM_ERR);
 
diff --git a/postfix/src/spawn/Makefile.in b/postfix/src/spawn/Makefile.in
index 24d2cc2fe..1a89937db 100644
--- a/postfix/src/spawn/Makefile.in
+++ b/postfix/src/spawn/Makefile.in
@@ -62,6 +62,7 @@ spawn.o: ../../include/dict.h
 spawn.o: ../../include/mail_conf.h
 spawn.o: ../../include/mail_params.h
 spawn.o: ../../include/mail_server.h
+spawn.o: ../../include/mail_version.h
 spawn.o: ../../include/msg.h
 spawn.o: ../../include/mymalloc.h
 spawn.o: ../../include/set_eugid.h
diff --git a/postfix/src/spawn/spawn.c b/postfix/src/spawn/spawn.c
index 71345724a..90fe7987b 100644
--- a/postfix/src/spawn/spawn.c
+++ b/postfix/src/spawn/spawn.c
@@ -70,7 +70,7 @@
 /*	The amount of time the command is allowed to run before it is
 /*	terminated.
 /*
-/*	Postfix 2.4 and later support a suffix that specifies the 
+/*	Postfix 2.4 and later support a suffix that specifies the
 /*	time unit: s (seconds), m (minutes), h (hours), d (days),
 /*	w (weeks). The default time unit is seconds.
 /* MISCELLANEOUS
@@ -92,11 +92,11 @@
 /*	The UNIX system account that owns the Postfix queue and most Postfix
 /*	daemon processes.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -148,6 +148,10 @@
 #include <timed_wait.h>
 #include <set_eugid.h>
 
+/* Global library. */
+
+#include <mail_version.h>
+
 /* Single server skeleton. */
 
 #include <mail_params.h>
@@ -322,7 +326,7 @@ static void spawn_service(VSTREAM *client_stream, char *service, char **argv)
 static void pre_accept(char *unused_name, char **unused_argv)
 {
     const char *table;
- 
+
     if ((table = dict_changed_name()) != 0) {
 	msg_info("table %s has changed -- restarting", table);
 	exit(0);
@@ -336,6 +340,8 @@ static void drop_privileges(char *unused_name, char **unused_argv)
     set_eugid(var_owner_uid, var_owner_gid);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -345,6 +351,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     single_server_main(argc, argv, spawn_service,
 		       MAIL_SERVER_TIME_TABLE, time_table,
 		       MAIL_SERVER_POST_INIT, drop_privileges,
diff --git a/postfix/src/tlsmgr/Makefile.in b/postfix/src/tlsmgr/Makefile.in
index 05301e47b..a25208427 100644
--- a/postfix/src/tlsmgr/Makefile.in
+++ b/postfix/src/tlsmgr/Makefile.in
@@ -68,6 +68,7 @@ tlsmgr.o: ../../include/mail_conf.h
 tlsmgr.o: ../../include/mail_params.h
 tlsmgr.o: ../../include/mail_proto.h
 tlsmgr.o: ../../include/mail_server.h
+tlsmgr.o: ../../include/mail_version.h
 tlsmgr.o: ../../include/master_proto.h
 tlsmgr.o: ../../include/msg.h
 tlsmgr.o: ../../include/mymalloc.h
diff --git a/postfix/src/tlsmgr/tlsmgr.c b/postfix/src/tlsmgr/tlsmgr.c
index ed1018ec1..e4630193d 100644
--- a/postfix/src/tlsmgr/tlsmgr.c
+++ b/postfix/src/tlsmgr/tlsmgr.c
@@ -192,6 +192,7 @@
 
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <tls_mgr.h>
 #include <mail_proto.h>
 
@@ -876,6 +877,8 @@ static void tlsmgr_before_exit(char *unused_service_name, char **unused_argv)
 	tls_prng_exch_update(rand_exch);
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - the main program */
 
 int     main(int argc, char **argv)
@@ -904,6 +907,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     /*
      * Use the multi service skeleton, and require that no-one else is
      * monitoring our service port while this process runs.
diff --git a/postfix/src/trivial-rewrite/Makefile.in b/postfix/src/trivial-rewrite/Makefile.in
index eadb385c0..6b3ae51a3 100644
--- a/postfix/src/trivial-rewrite/Makefile.in
+++ b/postfix/src/trivial-rewrite/Makefile.in
@@ -146,6 +146,7 @@ trivial-rewrite.o: ../../include/mail_conf.h
 trivial-rewrite.o: ../../include/mail_params.h
 trivial-rewrite.o: ../../include/mail_proto.h
 trivial-rewrite.o: ../../include/mail_server.h
+trivial-rewrite.o: ../../include/mail_version.h
 trivial-rewrite.o: ../../include/maps.h
 trivial-rewrite.o: ../../include/msg.h
 trivial-rewrite.o: ../../include/resolve_clnt.h
diff --git a/postfix/src/trivial-rewrite/trivial-rewrite.c b/postfix/src/trivial-rewrite/trivial-rewrite.c
index 406c6c6f6..d539a5d2a 100644
--- a/postfix/src/trivial-rewrite/trivial-rewrite.c
+++ b/postfix/src/trivial-rewrite/trivial-rewrite.c
@@ -198,11 +198,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBrelocated_maps (empty)\fR"
 /*	Optional lookup tables with new contact information for users or
 /*	domains that no longer exist.
@@ -272,6 +272,7 @@
 /* Global library. */
 
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_proto.h>
 #include <resolve_local.h>
 #include <mail_conf.h>
@@ -530,6 +531,8 @@ static void post_jail_init(char *unused_name, char **unused_argv)
     var_idle_limit = 1;
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the multi-threaded skeleton code */
 
 int     main(int argc, char **argv)
@@ -569,6 +572,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     multi_server_main(argc, argv, rewrite_service,
 		      MAIL_SERVER_STR_TABLE, str_table,
 		      MAIL_SERVER_BOOL_TABLE, bool_table,
diff --git a/postfix/src/util/attr_print0.c b/postfix/src/util/attr_print0.c
index 339388605..7c6767843 100644
--- a/postfix/src/util/attr_print0.c
+++ b/postfix/src/util/attr_print0.c
@@ -22,7 +22,7 @@
 /*	attr_scan0(). The stream is not flushed.
 /*
 /*	attr_vprint0() provides an alternate interface that is convenient
-/*	for calling from within variadoc functions.
+/*	for calling from within variadic functions.
 /*
 /*	Attributes are sent in the requested order as specified with the
 /*	attr_print0() argument list. This routine satisfies the formatting
diff --git a/postfix/src/util/attr_print64.c b/postfix/src/util/attr_print64.c
index f9cd51e0a..5fd3ed93b 100644
--- a/postfix/src/util/attr_print64.c
+++ b/postfix/src/util/attr_print64.c
@@ -22,7 +22,7 @@
 /*	attr_scan64(). The stream is not flushed.
 /*
 /*	attr_vprint64() provides an alternate interface that is convenient
-/*	for calling from within variadoc functions.
+/*	for calling from within variadic functions.
 /*
 /*	Attributes are sent in the requested order as specified with the
 /*	attr_print64() argument list. This routine satisfies the formatting
diff --git a/postfix/src/util/attr_print_plain.c b/postfix/src/util/attr_print_plain.c
index 61106f7e3..cc01c781f 100644
--- a/postfix/src/util/attr_print_plain.c
+++ b/postfix/src/util/attr_print_plain.c
@@ -22,7 +22,7 @@
 /*	attr_scan_plain(). The stream is not flushed.
 /*
 /*	attr_vprint_plain() provides an alternate interface that is convenient
-/*	for calling from within variadoc functions.
+/*	for calling from within variadic functions.
 /*
 /*	Attributes are sent in the requested order as specified with the
 /*	attr_print_plain() argument list. This routine satisfies the formatting
diff --git a/postfix/src/util/inet_listen.c b/postfix/src/util/inet_listen.c
index 0a68c1253..72f277cc3 100644
--- a/postfix/src/util/inet_listen.c
+++ b/postfix/src/util/inet_listen.c
@@ -161,8 +161,8 @@ int     inet_listen(const char *addr, int backlog, int block_mode)
 
 int     inet_accept(int fd)
 {
-    struct sockaddr_in sin;
-    SOCKADDR_SIZE len = sizeof(sin);
+    struct sockaddr_storage ss;
+    SOCKADDR_SIZE ss_len = sizeof(ss);
 
-    return (sane_accept(fd, (struct sockaddr *) & sin, &len));
+    return (sane_accept(fd, (struct sockaddr *) & ss, &ss_len));
 }
diff --git a/postfix/src/util/sane_accept.c b/postfix/src/util/sane_accept.c
index a4560c2c5..5c49aa036 100644
--- a/postfix/src/util/sane_accept.c
+++ b/postfix/src/util/sane_accept.c
@@ -108,7 +108,11 @@ int     sane_accept(int sock, struct sockaddr * sa, SOCKADDR_SIZE *len)
      * timer.
      */
 #if defined(BROKEN_READ_SELECT_ON_TCP_SOCKET) && defined(SO_KEEPALIVE)
-    else if (sa != 0 && sa->sa_family == AF_INET) {
+    else if (sa && (sa->sa_family == AF_INET
+#ifdef HAS_IPV6
+		    || sa->sa_family == AF_INET6
+#endif
+		    )) {
 	int     on = 1;
 
 	(void) setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE,
diff --git a/postfix/src/util/upass_listen.c b/postfix/src/util/upass_listen.c
index 22390949f..5eab759cb 100644
--- a/postfix/src/util/upass_listen.c
+++ b/postfix/src/util/upass_listen.c
@@ -68,7 +68,7 @@ int     upass_accept(int listen_fd)
     int     accept_fd;
     int     recv_fd;
 
-    accept_fd = sane_accept(listen_fd, (struct sockaddr *) 0, (int *) 0);
+    accept_fd = sane_accept(listen_fd, (struct sockaddr *) 0, (SOCKADDR_SIZE *) 0);
     if (accept_fd < 0) {
 	if (errno != EAGAIN)
 	    msg_warn("%s: accept connection: %m", myname);
@@ -140,7 +140,7 @@ static void upass_plumbing(int unused_event, char *context)
      * UNIX-domain connection before closing the connection. This wait needs
      * to be time limited.
      */
-    fd = sane_accept(info->unixsock, (struct sockaddr *) 0, (int *) 0);
+    fd = sane_accept(info->unixsock, (struct sockaddr *) 0, (SOCKADDR_SIZE *) 0);
     if (fd < 0) {
 	if (errno != EAGAIN)
 	    msg_fatal("%s: accept connection: %m", myname);
diff --git a/postfix/src/verify/Makefile.in b/postfix/src/verify/Makefile.in
index f9671f8da..0bb5c159d 100644
--- a/postfix/src/verify/Makefile.in
+++ b/postfix/src/verify/Makefile.in
@@ -65,11 +65,13 @@ verify.o: ../../include/dict.h
 verify.o: ../../include/dict_ht.h
 verify.o: ../../include/dsn.h
 verify.o: ../../include/htable.h
+verify.o: ../../include/int_filt.h
 verify.o: ../../include/iostuff.h
 verify.o: ../../include/mail_conf.h
 verify.o: ../../include/mail_params.h
 verify.o: ../../include/mail_proto.h
 verify.o: ../../include/mail_server.h
+verify.o: ../../include/mail_version.h
 verify.o: ../../include/msg.h
 verify.o: ../../include/msg_stats.h
 verify.o: ../../include/mymalloc.h
diff --git a/postfix/src/verify/verify.c b/postfix/src/verify/verify.c
index c1771fa56..13db73fd8 100644
--- a/postfix/src/verify/verify.c
+++ b/postfix/src/verify/verify.c
@@ -186,6 +186,7 @@
 
 #include <mail_conf.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_proto.h>
 #include <post_mail.h>
 #include <verify_clnt.h>
@@ -562,6 +563,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
     setsid();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the multi-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -579,6 +582,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     multi_server_main(argc, argv, verify_service,
 		      MAIL_SERVER_STR_TABLE, str_table,
 		      MAIL_SERVER_TIME_TABLE, time_table,
diff --git a/postfix/src/virtual/Makefile.in b/postfix/src/virtual/Makefile.in
index 51360fe43..9aed39f41 100644
--- a/postfix/src/virtual/Makefile.in
+++ b/postfix/src/virtual/Makefile.in
@@ -187,6 +187,7 @@ virtual.o: ../../include/mail_conf.h
 virtual.o: ../../include/mail_params.h
 virtual.o: ../../include/mail_queue.h
 virtual.o: ../../include/mail_server.h
+virtual.o: ../../include/mail_version.h
 virtual.o: ../../include/maps.h
 virtual.o: ../../include/mbox_conf.h
 virtual.o: ../../include/msg.h
diff --git a/postfix/src/virtual/virtual.c b/postfix/src/virtual/virtual.c
index 51329cf26..c52227874 100644
--- a/postfix/src/virtual/virtual.c
+++ b/postfix/src/virtual/virtual.c
@@ -224,11 +224,11 @@
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
 /* .IP "\fBmax_idle (100s)\fR"
-/*	The maximum amount of time that an idle Postfix daemon process
-/*	waits for the next service request before exiting.
+/*	The maximum amount of time that an idle Postfix daemon process waits
+/*	for an incoming connection before terminating voluntarily.
 /* .IP "\fBmax_use (100)\fR"
-/*	The maximal number of connection requests before a Postfix daemon
-/*	process terminates.
+/*	The maximal number of incoming connections that a Postfix daemon
+/*	process will service before terminating voluntarily.
 /* .IP "\fBprocess_id (read-only)\fR"
 /*	The process ID of a Postfix command or daemon process.
 /* .IP "\fBprocess_name (read-only)\fR"
@@ -303,6 +303,7 @@
 #include <deliver_request.h>
 #include <deliver_completed.h>
 #include <mail_params.h>
+#include <mail_version.h>
 #include <mail_conf.h>
 #include <mail_params.h>
 #include <mail_addr_find.h>
@@ -482,6 +483,8 @@ static void pre_init(char *unused_name, char **unused_argv)
     flush_init();
 }
 
+MAIL_VERSION_STAMP_DECLARE;
+
 /* main - pass control to the single-threaded skeleton */
 
 int     main(int argc, char **argv)
@@ -501,6 +504,11 @@ int     main(int argc, char **argv)
 	0,
     };
 
+    /*
+     * Fingerprint executables and core dumps.
+     */
+    MAIL_VERSION_STAMP_ALLOCATE;
+
     single_server_main(argc, argv, local_service,
 		       MAIL_SERVER_INT_TABLE, int_table,
 		       MAIL_SERVER_STR_TABLE, str_table,