From: Wietse Venema Date: Sat, 6 Feb 2016 05:00:00 +0000 (-0500) Subject: postfix-3.1-20160206-nonprod X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3317fda642bea3f62969b558550c4a733371d91c;p=thirdparty%2Fpostfix.git postfix-3.1-20160206-nonprod --- diff --git a/postfix/HISTORY b/postfix/HISTORY index fe38bee66..08a14d5d1 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -22139,3 +22139,16 @@ Apologies for any names omitted. Portability: added a tls_random_source default setting for MacOS X. Viktor Dukhovni. File: util/sys_defs.h. + +20150118 + + Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new + security levels ranging from 0 to 5. Level "0" is backwards + compatible, and other levels are increasingly restrictive. + Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c. + +20161205 + + Portability: Postfix TLS support uses /dev/urandom if + available and no system-specific setting exists in sys_defs.h. + Files: makedefs, util/sys_defs.h. diff --git a/postfix/INSTALL b/postfix/INSTALL index 776cee39c..8b1378917 100644 --- a/postfix/INSTALL +++ b/postfix/INSTALL 
@@ -1,1150 +1 @@ -Postfix Installation From Source Code - -------------------------------------------------------------------------------- - -1 - Purpose of this document - -If you are using a pre-compiled version of Postfix, you should start with -BASIC_CONFIGURATION_README and the general documentation referenced by it. -INSTALL is only a bootstrap document to get Postfix up and running from scratch -with the minimal number of steps; it should not be considered part of the -general documentation. - -This document describes how to build, install and configure a Postfix system so -that it can do one of the following: - - * Send mail only, without changing an existing Sendmail installation. - * Send and receive mail via a virtual host interface, still without any - change to an existing Sendmail installation. - * Run Postfix instead of Sendmail. - -Topics covered in this document: - - 1. Purpose of this document - 2. Typographical conventions - 3. Documentation - 4. Building on a supported system - 5. Porting Postfix to an unsupported system - 6. Installing the software after successful compilation - 7. Configuring Postfix to send mail only - 8. Configuring Postfix to send and receive mail via virtual interface - 9. Running Postfix instead of Sendmail -10. Mandatory configuration file edits -11. To chroot or not to chroot -12. Care and feeding of the Postfix system - -2 - Typographical conventions - -In the instructions below, a command written as - - # command - -should be executed as the superuser. - -A command written as - - $ command - -should be executed as an unprivileged user. - -3 - Documentation - -Documentation is available as README files (start with the file README_FILES/ -AAAREADME), as HTML web pages (point your browser to "html/index.html") and as -UNIX-style manual pages. - -You should view the README files with a pager such as more(1) or less(1), -because the files use backspace characters in order to produce bold font. 
To -print a README file without backspace characters, use the col(1) command. For -example: - - $ col -bx = - 3.0) - * 4.4 - Building with Postfix dynamically-linked libraries and database - plugins (Postfix >= 3.0) - * 4.5 - Building with optional features - * 4.6 - Overriding built-in parameter default settings - * 4.7 - Overriding other compile-time features - * 4.8 - Support for thousands of processes - * 4.9 - Compiling Postfix, at last - -4.1 - Getting started - -On Solaris, the "make" command and other development utilities are in /usr/ccs/ -bin, so you MUST have /usr/ccs/bin in your command search path. If these files -do not exist, you need to install the development packages first. - -If you need to build Postfix for multiple architectures from a single source- -code tree, use the "lndir" command to build a shadow tree with symbolic links -to the source files. - -If at any time in the build process you get messages like: "make: don't know -how to ..." you should be able to recover by running the following command from -the Postfix top-level directory: - - $ make -f Makefile.init makefiles - -If you copied the Postfix source code after building it on another machine, it -is a good idea to cd into the top-level directory and first do this: - - $ make tidy - -This will get rid of any system dependencies left over from compiling the -software elsewhere. - -4.2 - What compiler to use - -To build with GCC, or with the native compiler if people told me that is better -for your system, just cd into the top-level Postfix directory of the source -tree and type: - - $ make - -To build with a non-default compiler, you need to specify the name of the -compiler. Here are a few examples: - - $ make makefiles CC=/opt/SUNWspro/bin/cc (Solaris) - $ make - - $ make makefiles CC="/opt/ansic/bin/cc -Ae" (HP-UX) - $ make - - $ make makefiles CC="purify cc" - $ make - -and so on. In some cases, optimization will be turned off automatically. 
- -4.3 - Building with Postfix position-independent executables (Postfix >= 3.0) - -On some systems Postfix can be built with Position-Independent Executables. PIE -is used by the ASLR exploit mitigation technique (ASLR = Address-Space Layout -Randomization): - - $ make makefiles pie=yes ...other arguments... - -(Specify "make makefiles pie=no" to explicitly disable Postfix position- -independent executable support). - -Postfix PIE support appears to work on Fedora Core 20, Ubuntu 14.04, FreeBSD 9 -and 10, and NetBSD 6 (all with the default system compilers). - -Whether the "pie=yes" above has any effect depends on the compiler. Some -compilers always produce PIE executables, and some may even complain that the -Postfix build option is redundant. - -4.4 - Building with Postfix dynamically-linked libraries and database plugins -(Postfix >= 3.0) - -Postfix dynamically-linked library and database plugin support exists for -recent versions of Linux, FreeBSD and MacOS X. Dynamically-linked library -builds may become the default at some point in the future. - -Overview of topics: - - * 4.4.1 Turning on Postfix dynamically-linked library support - * 4.4.2 Turning on Postfix database-plugin support - * 4.4.3 Customizing Postfix dynamically-linked libraries and database plugins - * 4.4.4 Tips for distribution maintainers - -Note: directories with Postfix dynamically-linked libraries or database plugins -should contain only postfix-related files. Postfix dynamically-linked libraries -and database plugins should not be installed in a "public" system directory -such as /usr/lib or /usr/local/lib. Linking Postfix dynamically-linked library -or database-plugin files into non-Postfix programs is not supported. Postfix -dynamically-linked libraries and database plugins implement a Postfix-internal -API that changes without maintaining compatibility. 
- -4.4.1 Turning on Postfix dynamically-linked library support - -Postfix can be built with Postfix dynamically-linked libraries (files typically -named libpostfix-*.so). Postfix dynamically-linked libraries add minor run-time -overhead and result in significantly-smaller Postfix executable files. - -Specify "shared=yes" on the "make makefiles" command line to build Postfix with -dynamically-linked library support. - - $ make makefiles shared=yes ...other arguments... - $ make - -(Specify "make makefiles shared=no" to explicitly disable Postfix dynamically- -linked library support). - -This installs dynamically-linked libraries in $shlib_directory, typically /usr/ -lib/postfix or /usr/local/lib/postfix, with file names libpostfix-name.so, -where the name is a source-code directory name such as "util" or "global". - -See section 4.4.3 "Customizing Postfix dynamically-linked libraries and -database plugins" below for how to customize the Postfix dynamically-linked -library location, including support to upgrade a running mail system safely. - -4.4.2 Turning on Postfix database-plugin support - -Additionally, Postfix can be built to support dynamic loading of Postfix -database clients (database plugins) with the Debian-style dynamicmaps feature. -Postfix 3.0 supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:, -pgsql:, sdbm:, and sqlite: database clients. Dynamic loading is useful when you -distribute or install pre-compiled Postfix packages. - -Specify "dynamicmaps=yes" on the "make makefiles" command line to build Postfix -with support to dynamically load Postfix database clients with the Debian-style -dynamicmaps feature. - - $ make makefiles dynamicmaps=yes ...other arguments... - $ make - -(Specify "make makefiles dynamicmaps=no" to explicitly disable Postfix -database-plugin support). 
- -This implicitly enables dynamically-linked library support, installs the -configuration file dynamicmaps.cf in $meta_directory (usually, /etc/postfix or -/usr/local/etc/postfix), and installs database plugins in $shlib_directory (see -above). Database plugins are named postfix-type.so where the type is a database -type such as "cdb" or "ldap". - - NOTE: The Postfix 3.0 build procedure expects that you specify database - library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc. - With Postfix 3.0 and later, the old AUXLIBS variable still supports - building a statically-loaded database client, but only the new AUXLIBS_CDB - etc. variables support building a dynamically-loaded or statically-loaded - CDB etc. database client. See CDB_README, LDAP_README, etc. for details. - - Failure to follow this advice will defeat the purpose of dynamic database - client loading. Every Postfix executable file will have database library - dependencies. And that was exactly what dynamic database client loading was - meant to avoid. - -See the next section for how to customize the location and version of Postfix -database plugins and the location of the file dynamicmaps.cf. - -4.4.3 Customizing Postfix dynamically-linked libraries and database plugins - -Customizing build-time and run-time options for Postfix dynamically-linked -libraries and database plugins - -The build-time environment variables SHLIB_CFLAGS, SHLIB_RPATH, and -SHLIB_SUFFIX provide control over how Postfix libraries and plugins are -compiled, linked, and named. - - $ make makefiles SHLIB_CFLAGS=flags SHLIB_RPATH=rpath SHLIB_SUFFIX=suffix - ...other arguments... - $ make - -See section 4.7 "Overriding other compile-time features" below for details. - -Customizing the location of Postfix dynamically-linked libraries and database -plugins - -As a reminder, the directories with Postfix dynamically-linked libraries or -database plugins should contain only Postfix-related files. 
Linking these files -into other programs is not supported. - -To override the default location of Postfix dynamically-linked libraries and -database plugins specify, for example: - - $ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ... - -If you intend to upgrade Postfix without stopping the mail system, then you -should append the Postfix release version to the shlib_directory pathname, to -eliminate the possibility that programs will link with dynamically-linked -libraries or database plugins from the wrong Postfix version. For example: - - $ make makefiles shared=yes \ - shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ... - -The command "make makefiles name=value..." will replace the string MAIL_VERSION -at the end of a configuration parameter value with the Postfix release version. -Do not try to specify something like $mail_version on this command line. This -produces inconsistent results with different versions of the make(1) command. - -You can change the shlib_directory setting after Postfix is built, with "make -install" or "make upgrade". However, you may have to run ldconfig if you change -shlib_directory after Postfix is built (the symptom is that Postfix programs -fail because the run-time linker cannot find the files libpostfix-*.so). No -ldconfig command is needed if you keep the files libpostfix-*.so in the -compiled-in default $shlib_directory location. - - # make upgrade shlib_directory=/usr/local/lib/postfix ... - # make install shlib_directory=/usr/local/lib/postfix ... - -To append the Postfix release version to the pathname if you intend to upgrade -Postfix without stopping the mail system: - - # make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ... - # make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ... - -See also the comments above for appending MAIL_VERSION with the "make -makefiles" command. 
- -Customizing the location of dynamicmaps.cf and other files - -The meta_directory parameter has the same default setting as the -config_directory parameter, typically /etc/postfix or /usr/local/etc/postfix. - -You can override the default meta_directory location at compile time or after -Postfix is built. To override the default location at compile time specify, for -example: - - % make makefiles meta_directory=/usr/libexec/postfix ... - -Here is a tip if you want to make a pathname dependent on the Postfix release -version: the command "make makefiles name=value..." will replace the string -MAIL_VERSION at the end of a configuration parameter value with the Postfix -release version. Do not try to specify something like $mail_version on this -command line. This produces inconsistent results with different versions of the -make(1) command. - -You can override the meta_directory setting after Postfix is built, with "make -install" or "make upgrade". - - # make upgrade meta_directory=/usr/libexec/postfix ... - # make install meta_directory=/usr/libexec/postfix ... - -As with the command "make makefiles, the command "make install/upgrade -name=value..." will replace the string MAIL_VERSION at the end of a -configuration parameter value with the Postfix release version. Do not try to -specify something like $mail_version on this command line. This produces -inconsistent results with different versions of the make(1) command. - -4.4.4 Tips for distribution maintainers - - * The shlib_directory parameter setting also provides the default directory - for database plugin files with a relative pathname in the file - dynamicmaps.cf. - - * The meta_directory parameter specifies the location of the files - dynamicmaps.cf, postfix-files, and some multi-instance template files. The - meta_directory parameter has the same default value as the config_directory - parameter (typically, /etc/postfix or /usr/local/etc/postfix). For - backwards compatibility with Postfix 2.6 .. 
2.11, specify "meta_directory = - $daemon_directory" in main.cf before installing or upgrading Postfix, or - specify "meta_directory = /path/name" on the "make makefiles", "make - install" or "make upgrade" command line. - - * The configuration file dynamicmaps.cf will automatically include files - under the directory dynamicmaps.cf.d, just like the configuration file - postfix-files will automatically include files under the directory postfix- - files.d. Thanks to this, you can install or deinstall a database plugin - package without having to edit postfix-files or dynamicmaps.cf. Instead, - you give that plugin its own configuration files dynamicmaps.cf.d and - postfix-files.d, and you add or remove those configuration files along with - the database plugin dynamically-linked object. - - * Each configuration file under the directory dynamicmaps.cf.d must have the - same format as the configuration file dynamicmaps.cf. There is no - requirement that these configuration file *names* have a specific format. - - * Each configuration file under the directory postfix-files.d must have the - same format as the configuration file postfix-files. There is no - requirement that these configuration file *names* have a specific format. - -4.5 - Building with optional features - -By default, Postfix builds as a mail system with relatively few bells and -whistles. Support for third-party databases etc. must be configured when -Postfix is compiled. 
The following documents describe how to build Postfix with -support for optional features: - - _____________________________________________________________ - |Optional feature |Document |Availability| - |__________________________________|_____________|____________| - |Berkeley DB database |DB_README |Postfix 1.0 | - |__________________________________|_____________|____________| - |LMDB database |LMDB_README |Postfix 2.11| - |__________________________________|_____________|____________| - |LDAP database |LDAP_README |Postfix 1.0 | - |__________________________________|_____________|____________| - |MySQL database |MYSQL_README |Postfix 1.0 | - |__________________________________|_____________|____________| - |Perl compatible regular expression|PCRE_README |Postfix 1.0 | - |__________________________________|_____________|____________| - |PostgreSQL database |PGSQL_README |Postfix 2.0 | - |__________________________________|_____________|____________| - |SASL authentication |SASL_README |Postfix 1.0 | - |__________________________________|_____________|____________| - |SQLite database |SQLITE_README|Postfix 2.8 | - |__________________________________|_____________|____________| - |STARTTLS session encryption |TLS_README |Postfix 2.2 | - |__________________________________|_____________|____________| - -Note: IP version 6 support is compiled into Postfix on operating systems that -have IPv6 support. See the IPV6_README file for details. - -4.6 - Overriding built-in parameter default settings - -4.6.1 - Postfix 3.0 and later - -All Postfix configuration parameters can be changed by editing a Postfix -configuration file, except for one: the parameter that specifies the location -of Postfix configuration files. In order to build Postfix with a configuration -directory other than /etc/postfix, use: - - $ make makefiles config_directory=/some/where ...other arguments... - $ make - -The command "make makefiles name=value ..." 
will replace the string -MAIL_VERSION at the end of a configuration parameter value with the Postfix -release version. Do not try to specify something like $mail_version on this -command line. This produces inconsistent results with different versions of the -make(1) command. - -Parameters whose defaults can be specified in this way are listed below. See -the postconf(5) manpage for a description (command: "nroff -man man/man5/ -postconf.5 | less"). - - __________________________________________ - |parameter name |typical default | - |_____________________|____________________| - |command_directory |/usr/sbin | - |_____________________|____________________| - |config_directory |/etc/postfix | - |_____________________|____________________| - |default_database_type|hash | - |_____________________|____________________| - |daemon_directory |/usr/libexec/postfix| - |_____________________|____________________| - |data_directory |/var/lib/postfix | - |_____________________|____________________| - |html_directory |no | - |_____________________|____________________| - |mail_spool_directory |/var/mail | - |_____________________|____________________| - |mailq_path |/usr/bin/mailq | - |_____________________|____________________| - |manpage_directory |/usr/local/man | - |_____________________|____________________| - |meta_directory |/etc/postfix | - |_____________________|____________________| - |newaliases_path |/usr/bin/newaliases | - |_____________________|____________________| - |openssl_path |openssl | - |_____________________|____________________| - |queue_directory |/var/spool/postfix | - |_____________________|____________________| - |readme_directory |no | - |_____________________|____________________| - |sendmail_path |/usr/sbin/sendmail | - |_____________________|____________________| - |shlib_directory |/usr/lib/postfix | - |_____________________|____________________| - -4.6.2 - All Postfix versions - -All Postfix configuration parameters can be changed by editing a 
Postfix -configuration file, except for one: the parameter that specifies the location -of Postfix configuration files. In order to build Postfix with a configuration -directory other than /etc/postfix, use: - - $ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"' - $ make - -IMPORTANT: Be sure to get the quotes right. These details matter a lot. - -Parameters whose defaults can be specified in this way are listed below. See -the postconf(5) manpage for a description (command: "nroff -man man/man5/ -postconf.5 | less"). - - ____________________________________________________________ - |Macro name |default value for |typical default | - |_________________|_____________________|____________________| - |DEF_COMMAND_DIR |command_directory |/usr/sbin | - |_________________|_____________________|____________________| - |DEF_CONFIG_DIR |config_directory |/etc/postfix | - |_________________|_____________________|____________________| - |DEF_DB_TYPE |default_database_type|hash | - |_________________|_____________________|____________________| - |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix| - |_________________|_____________________|____________________| - |DEF_DATA_DIR |data_directory |/var/lib/postfix | - |_________________|_____________________|____________________| - |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq | - |_________________|_____________________|____________________| - |DEF_HTML_DIR |html_directory |no | - |_________________|_____________________|____________________| - |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man | - |_________________|_____________________|____________________| - |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases | - |_________________|_____________________|____________________| - |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix | - |_________________|_____________________|____________________| - |DEF_README_DIR |readme_directory |no | - |_________________|_____________________|____________________| - 
|DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail | - |_________________|_____________________|____________________| - -Note: the data_directory parameter (for caches and pseudo-random numbers) was -introduced with Postfix version 2.5. - -4.7 - Overriding other compile-time features - -The general method to override Postfix compile-time features is as follows: - - $ make makefiles name=value name=value... - $ make - -The following is an extensive list of names and values. - - _____________________________________________________________________________ -|Name/Value |Description | -|______________________________|______________________________________________| -| |Specifies one or more non-default object | -| |libraries. Postfix 3.0 and later specify some | -| |of their database library dependencies with | -|AUXLIBS="object_library..." |AUXLIBS_CDB, AUXLIBS_LDAP, AUXLIBS_LMDB, | -| |AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL, | -| |AUXLIBS_SDBM, and AUXLIBS_SQLITE, | -| |respectively. | -|______________________________|______________________________________________| -|CC=compiler_command |Specifies a non-default compiler. On many | -| |systems, the default is gcc. | -|______________________________|______________________________________________| -| |Specifies non-default compiler arguments, for | -|CCARGS="compiler_arguments..."|example, a non-default include directory. The | -| |following directives turn off Postfix features| -| |at compile time: | -|______________________________|______________________________________________| -|| |Do not build with Berkeley DB support. By | -|| |default, Berkeley DB support is compiled in on| -||-DNO_DB |platforms that are known to support this | -|| |feature. If you override this, then you | -|| |probably should also override DEF_DB_TYPE as | -|| |described in section 4.6. 
| -||_____________________________|______________________________________________| -||-DNO_DNSSEC |Do not build with DNSSEC support, even if the | -|| |resolver library appears to support it. | -||_____________________________|______________________________________________| -|| |Do not build with Solaris /dev/poll support. | -||-DNO_DEVPOLL |By default, /dev/poll support is compiled in | -|| |on Solaris versions that are known to support | -|| |this feature. | -||_____________________________|______________________________________________| -|| |Do not build with Linux EPOLL support. By | -||-DNO_EPOLL |default, EPOLL support is compiled in on | -|| |platforms that are known to support this | -|| |feature. | -||_____________________________|______________________________________________| -|| |Do not build with EAI (SMTPUTF8) support. By | -||-DNO_EAI |default, EAI support is compiled in when the | -|| |"icuuc" library and header files are found. | -||_____________________________|______________________________________________| -|| |Do not require support for C99 "inline" | -||-DNO_INLINE |functions. Instead, implement argument | -|| |typechecks for non-printf/scanf-like functions| -|| |with ternary operators and unreachable code. | -||_____________________________|______________________________________________| -|| |Do not build with IPv6 support. By default, | -|| |IPv6 support is compiled in on platforms that | -||-DNO_IPV6 |are known to have IPv6 support. Note: this | -|| |directive is for debugging and testing only. | -|| |It is not guaranteed to work on all platforms.| -||_____________________________|______________________________________________| -|| |Do not build with FreeBSD / NetBSD / OpenBSD /| -||-DNO_KQUEUE |MacOSX KQUEUE support. By default, KQUEUE | -|| |support is compiled in on platforms that are | -|| |known to support it. 
| -||_____________________________|______________________________________________| -|| |Do not build with NIS or NISPLUS support. NIS | -||-DNO_NIS |is not available on some recent Linux | -|| |distributions. | -||_____________________________|______________________________________________| -|| |Do not build with NISPLUS support. NISPLUS is | -||-DNO_NISPLUS |not available on some recent Solaris | -|| |distributions. | -||_____________________________|______________________________________________| -|| |Do not build with PCRE support. By default, | -||-DNO_PCRE |PCRE support is compiled in when the pcre- | -|| |config utility is installed. | -||_____________________________|______________________________________________| -|| |Disable support for POSIX getpwnam_r/ | -||-DNO_POSIX_GETPW_R |getpwuid_r. By default Postfix uses these | -|| |where they are known to be available. | -||_____________________________|______________________________________________| -|| |Use setjmp()/longjmp() instead of sigsetjmp()/| -||-DNO_SIGSETJMP |siglongjmp(). By default, Postfix uses | -|| |sigsetjmp()/siglongjmp() when they are known | -|| |to be available. | -||_____________________________|______________________________________________| -| |Specifies a non-default compiler debugging | -|DEBUG=debug_level |level. The default is "-g". Specify DEBUG= to | -| |turn off debugging. | -|______________________________|______________________________________________| -| |Specifies a non-default optimization level. | -|OPT=optimization_level |The default is "-O". Specify OPT= to turn off | -| |optimization. | -|______________________________|______________________________________________| -| |Specifies non-default compiler options for | -|SHLIB_CFLAGS=flags |building Postfix dynamically-linked libraries | -| |and database plugins. The typical default is | -| |"-fPIC". 
| -|______________________________|______________________________________________| -| |Specifies a non-default runpath for Postfix | -|SHLIB_RPATH=rpath |dynamically-linked libraries. The typical | -| |default is "'-Wl,-rpath,${SHLIB_DIR}'". | -|______________________________|______________________________________________| -| |Specifies a non-default suffix for Postfix | -|SHLIB_SUFFIX=suffix |dynamically-linked libraries and database | -| |plugins. The typical default is ".so". | -|______________________________|______________________________________________| -| |Specifies non-default compiler warning options| -|WARN="warning_flags..." |for use when "make" is invoked in a source | -| |subdirectory only. | -|______________________________|______________________________________________| - -4.8 - Support for thousands of processes - -The number of connections that Postfix can manage simultaneously is limited by -the number of processes that it can run. This number in turn is limited by the -number of files and sockets that a single process can open. For example, the -Postfix queue manager has a separate connection to each delivery process, and -the anvil(8) server has one connection per smtpd(8) process. - -Postfix version 2.4 and later have no built-in limits on the number of open -files or sockets, when compiled on systems that support one of the following: - - * BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9), - * Solaris 8 /dev/poll, - * Linux 2.6 epoll(4). - -With other Postfix versions or operating systems, the number of file -descriptors per process is limited by the value of the FD_SETSIZE macro. If you -expect to run more than 1000 mail delivery processes, you may need to override -the definition of the FD_SETSIZE macro to make select() work correctly: - - $ make makefiles CCARGS=-DFD_SETSIZE=2048 - -Warning: the above has no effect on some Linux versions. 
Apparently, on these -systems the FD_SETSIZE value can be changed only by using undocumented -interfaces. Currently, that means including directly (which is -not allowed) and overriding the __FD_SETSIZE macro. Beware, undocumented -interfaces can change at any time and without warning. - -But wait, there is more: none of this will work unless the operating system is -configured to handle thousands of connections. See the TUNING_README guide for -examples of how to increase the number of open sockets or files. - -4.9 - Compiling Postfix, at last - -If the command - - $ make - -is successful, then you can proceed to install Postfix (section 6). - -If the command produces compiler error messages, it may be time to search the -web or to ask the postfix-users@postfix.org mailing list, but be sure to search -the mailing list archives first. Some mailing list archives are linked from -http://www.postfix.org/. - -5 - Porting Postfix to an unsupported system - -Each system type that Postfix knows is identified by a unique name. Examples: -SUNOS5, FREEBSD4, and so on. When porting Postfix to a new system, the first -step is to choose a SYSTEMTYPE name for the new system. You must use a name -that includes at least the major version of the operating system (such as -SUNOS4 or LINUX2), so that different releases of the same system can be -supported without confusion. - -Add a case statement to the "makedefs" shell script in the source code top- -level directory that recognizes the new system reliably, and that emits the -right system-specific information. Be sure to make the code robust against user -PATH settings; if the system offers multiple UNIX flavors (e.g. BSD and SYSV) -be sure to build for the native flavor, instead of the emulated one. - -Add an "#ifdef SYSTEMTYPE" section to the central util/sys_defs.h include file. -You may have to invent new feature macro names. Please choose sensible feature -macro names such as HAS_DBM or FIONREAD_IN_SYS_FILIO_H. 
- -I strongly recommend against using "#ifdef SYSTEMTYPE" in individual source -files. While this may look like the quickest solution, it will create a mess -when newer versions of the same SYSTEMTYPE need to be supported. You're likely -to end up placing "#ifdef" sections all over the source code again. - -6 - Installing the software after successful compilation - -This text describes how to install Postfix from source code. See the -PACKAGE_README file if you are building a package for distribution to other -systems. - -6.1 - Save existing Sendmail binaries - -IMPORTANT: if you are REPLACING an existing Sendmail installation with Postfix, -you may need to keep the old sendmail program running for some time in order to -flush the mail queue. - - * Some systems implement a mail switch mechanism where different MTAs - (Postfix, Sendmail, etc.) can be installed at the same time, while only one - of them is actually being used. Examples of such switching mechanisms are - the FreeBSD mailwrapper(8) or the Linux mail switch. In this case you - should try to "flip" the switch to "Postfix" before installing Postfix. - - * If your system has no mail switch mechanism, execute the following commands - (your sendmail, newaliases and mailq programs may be in a different place): - - # mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF - # mv /usr/bin/newaliases /usr/bin/newaliases.OFF - # mv /usr/bin/mailq /usr/bin/mailq.OFF - # chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF \ - /usr/bin/mailq.OFF - -6.2 - Create account and groups - -Before you install Postfix for the first time you need to create an account and -a group: - - * Create a user account "postfix" with a user id and group id that are not - used by any other user account. Preferably, this is an account that no-one - can log into. The account does not need an executable login shell, and - needs no existing home directory. 
My password and group file entries look - like this: - - /etc/passwd: - postfix:*:12345:12345:postfix:/no/where:/no/shell - - /etc/group: - postfix:*:12345: - - Note: there should be no whitespace before "postfix:". - - * Create a group "postdrop" with a group id that is not used by any other - user account. Not even by the postfix user account. My group file entry - looks like: - - /etc/group: - postdrop:*:54321: - - Note: there should be no whitespace before "postdrop:". - -6.3 - Install Postfix - -To install or upgrade Postfix from compiled source code, run one of the -following commands as the super-user: - - # make install (interactive version, first time install) - - # make upgrade (non-interactive version, for upgrades) - - * The interactive version ("make install") asks for pathnames for Postfix - data and program files, and stores your preferences in the main.cf file. If - you don't want Postfix to overwrite non-Postfix "sendmail", "mailq" and - "newaliases" files, specify pathnames that end in ".postfix". - - * The non-interactive version ("make upgrade") needs the /etc/postfix/main.cf - file from a previous installation. If the file does not exist, use - interactive installation ("make install") instead. - - * If you specify name=value arguments on the "make install" or "make upgrade" - command line, then these will take precedence over compiled-in default - settings or main.cf settings. - - The command "make install/upgrade name=value ..." will replace the string - MAIL_VERSION at the end of a configuration parameter value with the Postfix - release version. Do not try to specify something like $mail_version on this - command line. This produces inconsistent results with different versions of - the make(1) command. - -6.4 - Configure Postfix - -Proceed to the section on how you wish to run Postfix on your particular -machine: - - * Send mail only, without changing an existing Sendmail installation (section - 7). 
- - * Send and receive mail via a virtual host interface, still without any - change to an existing Sendmail installation (section 8). - - * Run Postfix instead of Sendmail (section 9). - -7 - Configuring Postfix to send mail only - -If you are going to use Postfix to send mail only, there is no need to change -your existing sendmail setup. Instead, set up your mail user agent so that it -calls the Postfix sendmail program directly. - -Follow the instructions in the "Mandatory configuration file edits" in section -10, and review the "To chroot or not to chroot" text in section 11. - -You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, in order -to avoid conflicts with the real sendmail. Put a "#" character in front of the -line that defines the smtpd service: - - /etc/postfix/master.cf: - #smtp inet n - n - - smtpd - -Start the Postfix system: - - # postfix start - -or, if you feel nostalgic, use the Postfix sendmail command: - - # sendmail -bd -qwhatever - -and watch your maillog file for any error messages. The pathname is /var/log/ -maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the -pathname is defined in the /etc/syslog.conf file. - - $ egrep '(reject|warning|error|fatal|panic):' /some/log/file - -Note: the most important error message is logged first. Later messages are not -as useful. - -In order to inspect the mail queue, use one of the following commands: - - $ mailq - - $ sendmail -bp - - $ postqueue -p - -See also the "Care and feeding" section 12 below. - -8 - Configuring Postfix to send and receive mail via virtual interface - -Alternatively, you can use the Postfix system to send AND receive mail while -leaving your Sendmail setup intact, by running Postfix on a virtual interface -address. Simply configure your mail user agent to directly invoke the Postfix -sendmail program. - -To create a virtual network interface address, study your system ifconfig -manual page. 
The command syntax could be any of: - - # ifconfig le0:1
netmask up - # ifconfig en0 alias
netmask 255.255.255.255 - -In the /etc/postfix/main.cf file, I would specify - - /etc/postfix/main.cf: - myhostname = virtual.host.tld - inet_interfaces = $myhostname - mydestination = $myhostname - -Follow the instructions in the "Mandatory configuration file edits" in section -10, and review the "To chroot or not to chroot" text in section 11. - -Start the Postfix system: - - # postfix start - -or, if you feel nostalgic, use the Postfix sendmail command: - - # sendmail -bd -qwhatever - -and watch your maillog file for any error messages. The pathname is /var/log/ -maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the -pathname is defined in the /etc/syslog.conf file. - - $ egrep '(reject|warning|error|fatal|panic):' /some/log/file - -Note: the most important error message is logged first. Later messages are not -as useful. - -In order to inspect the mail queue, use one of the following commands: - - $ mailq - - $ sendmail -bp - - $ postqueue -p - -See also the "Care and feeding" section 12 below. - -9 - Running Postfix instead of Sendmail - -Prior to installing Postfix you should save any existing sendmail program files -as described in section 6. Be sure to keep the old sendmail running for at -least a couple days to flush any unsent mail. To do so, stop the sendmail -daemon and restart it as: - - # /usr/sbin/sendmail.OFF -q - -Note: this is old sendmail syntax. Newer versions use separate processes for -mail submission and for running the queue. - -After you have visited the "Mandatory configuration file edits" section below, -you can start the Postfix system with: - - # postfix start - -or, if you feel nostalgic, use the Postfix sendmail command: - - # sendmail -bd -qwhatever - -and watch your maillog file for any error messages. The pathname is /var/log/ -maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the -pathname is defined in the /etc/syslog.conf file. 
- - $ egrep '(reject|warning|error|fatal|panic):' /some/log/file - -Note: the most important error message is logged first. Later messages are not -as useful. - -In order to inspect the mail queue, use one of the following commands: - - $ mailq - - $ sendmail -bp - - $ postqueue -p - -See also the "Care and feeding" section 12 below. - -10 - Mandatory configuration file edits - -Note: the material covered in this section is covered in more detail in the -BASIC_CONFIGURATION_README document. The information presented below is -targeted at experienced system administrators. - -10.1 - Postfix configuration files - -By default, Postfix configuration files are in /etc/postfix. The two most -important files are main.cf and master.cf; these files must be owned by root. -Giving someone else write permission to main.cf or master.cf (or to their -parent directories) means giving root privileges to that person. - -In /etc/postfix/main.cf, you will have to set up a minimal number of -configuration parameters. Postfix configuration parameters resemble shell -variables, with two important differences: the first one is that Postfix does -not know about quotes like the UNIX shell does. - -You specify a configuration parameter as: - - /etc/postfix/main.cf: - parameter = value - -and you use it by putting a "$" character in front of its name: - - /etc/postfix/main.cf: - other_parameter = $parameter - -You can use $parameter before it is given a value (that is the second main -difference with UNIX shell variables). The Postfix configuration language uses -lazy evaluation, and does not look at a parameter value until it is needed at -runtime. - -Whenever you make a change to the main.cf or master.cf file, execute the -following command in order to refresh a running mail system: - - # postfix reload - -10.2 - Default domain for unqualified addresses - -First of all, you must specify what domain will be appended to an unqualified -address (i.e. an address without @domain.tld). 
The "myorigin" parameter -defaults to the local hostname, but that is probably OK only for very small -sites. - -Some examples (use only one): - - /etc/postfix/main.cf: - myorigin = $myhostname (send mail as "user@$myhostname") - myorigin = $mydomain (send mail as "user@$mydomain") - -10.3 - What domains to receive locally - -Next you need to specify what mail addresses Postfix should deliver locally. - -Some examples (use only one): - - /etc/postfix/main.cf: - mydestination = $myhostname, localhost.$mydomain, localhost - mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain - mydestination = $myhostname - -The first example is appropriate for a workstation, the second is appropriate -for the mailserver for an entire domain. The third example should be used when -running on a virtual host interface. - -10.4 - Proxy/NAT interface addresses - -The proxy_interfaces parameter specifies all network addresses that Postfix -receives mail on by way of a proxy or network address translation unit. You may -specify symbolic hostnames instead of network addresses. - -IMPORTANT: You must specify your proxy/NAT external addresses when your system -is a backup MX host for other domains, otherwise mail delivery loops will -happen when the primary MX host is down. - -Example: host behind NAT box running a backup MX host. - - /etc/postfix/main.cf: - proxy_interfaces = 1.2.3.4 (the proxy/NAT external network address) - -10.5 - What local clients to relay mail from - -If your machine is on an open network then you must specify what client IP -addresses are authorized to relay their mail through your machine into the -Internet. The default setting includes all subnetworks that the machine is -attached to. This may give relay permission to too many clients. 
My own -settings are: - - /etc/postfix/main.cf: - mynetworks = 168.100.189.0/28, 127.0.0.0/8 - -10.6 - What relay destinations to accept from strangers - -If your machine is on an open network then you must also specify whether -Postfix will forward mail from strangers. The default setting will forward mail -to all domains (and subdomains of) what is listed in $mydestination. This may -give relay permission for too many destinations. Recommended settings (use only -one): - - /etc/postfix/main.cf: - relay_domains = (do not forward mail from strangers) - relay_domains = $mydomain (my domain and subdomains) - relay_domains = $mydomain, other.domain.tld, ... - -10.7 - Optional: configure a smart host for remote delivery - -If you're behind a firewall, you should set up a relayhost. If you can, specify -the organizational domain name so that Postfix can use DNS lookups, and so that -it can fall back to a secondary MX host when the primary MX host is down. -Otherwise just specify a hard-coded hostname. - -Some examples (use only one): - - /etc/postfix/main.cf: - relayhost = $mydomain - relayhost = [mail.$mydomain] - -The form enclosed with [] eliminates DNS MX lookups. - -By default, the SMTP client will do DNS lookups even when you specify a relay -host. If your machine has no access to a DNS server, turn off SMTP client DNS -lookups like this: - - /etc/postfix/main.cf: - disable_dns_lookups = yes - -The STANDARD_CONFIGURATION_README file has more hints and tips for firewalled -and/or dial-up networks. - -10.8 - Create the aliases database - -Postfix uses a Sendmail-compatible aliases(5) table to redirect mail for local -(8) recipients. Typically, this information is kept in two files: in a text -file /etc/aliases and in an indexed file /etc/aliases.db. The command "postconf -alias_maps" will tell you the exact location of the text file. - -First, be sure to update the text file with aliases for root, postmaster and -"postfix" that forward mail to a real person. 
Postfix has a sample aliases file -/etc/postfix/aliases that you can adapt to local conditions. - - /etc/aliases: - root: you - postmaster: root - postfix: root - bin: root - etcetera... - -Note: there should be no whitespace before the ":". - -Finally, build the indexed aliases file with one of the following commands: - - # newaliases - # sendmail -bi - -11 - To chroot or not to chroot - -Postfix daemon processes can be configured (via master.cf) to run in a chroot -jail. The processes run at a fixed low privilege and with access only to the -Postfix queue directories (/var/spool/postfix). This provides a significant -barrier against intrusion. The barrier is not impenetrable, but every little -bit helps. - -With the exception of Postfix daemons that deliver mail locally and/or that -execute non-Postfix commands, every Postfix daemon can run chrooted. - -Sites with high security requirements should consider to chroot all daemons -that talk to the network: the smtp(8) and smtpd(8) processes, and perhaps also -the lmtp(8) client. The author's own porcupine.org mail server runs all daemons -chrooted that can be chrooted. - -The default /etc/postfix/master.cf file specifies that no Postfix daemon runs -chrooted. In order to enable chroot operation, edit the file /etc/postfix/ -master.cf. Instructions are in the file. - -Note that a chrooted daemon resolves all filenames relative to the Postfix -queue directory (/var/spool/postfix). For successful use of a chroot jail, most -UNIX systems require you to bring in some files or device nodes. The examples/ -chroot-setup directory in the source code distribution has a collection of -scripts that help you set up Postfix chroot environments on different operating -systems. - -Additionally, you almost certainly need to configure syslogd so that it listens -on a socket inside the Postfix queue directory. 
Examples for specific systems: - -FreeBSD: - - # mkdir -p /var/spool/postfix/var/run - # syslogd -l /var/spool/postfix/var/run/log - -Linux, OpenBSD: - - # mkdir -p /var/spool/postfix/dev - # syslogd -a /var/spool/postfix/dev/log - -12 - Care and feeding of the Postfix system - -Postfix daemon processes run in the background, and log problems and normal -activity to the syslog daemon. The names of logfiles are specified in /etc/ -syslog.conf. At the very least you need something like: - - /etc/syslog.conf: - mail.err /dev/console - mail.debug /var/log/maillog - -IMPORTANT: the syslogd will not create files. You must create them before -(re)starting syslogd. - -IMPORTANT: on Linux you need to put a "-" character before the pathname, e.g., --/var/log/maillog, otherwise the syslogd will use more system resources than -Postfix does. - -Hopefully, the number of problems will be small, but it is a good idea to run -every night before the syslog files are rotated: - - # postfix check - # egrep '(reject|warning|error|fatal|panic):' /some/log/file - - * The first line (postfix check) causes Postfix to report file permission/ - ownership discrepancies. - - * The second line looks for problem reports from the mail software, and - reports how effective the relay and junk mail access blocks are. This may - produce a lot of output. You will want to apply some postprocessing to - eliminate uninteresting information. - -The DEBUG_README document describes the meaning of the "warning" etc. labels in -Postfix logging. diff --git a/postfix/README_FILES/INSTALL b/postfix/README_FILES/INSTALL index 0becd5d10..e69de29bb 100644 --- a/postfix/README_FILES/INSTALL +++ b/postfix/README_FILES/INSTALL 
@@ -1,1150 +0,0 @@ -PPoossttffiixx IInnssttaallllaattiioonn FFrroomm SSoouurrccee CCooddee - -------------------------------------------------------------------------------- - -11 -- PPuurrppoossee ooff tthhiiss ddooccuummeenntt - -If you are using a pre-compiled version of Postfix, you should start with -BASIC_CONFIGURATION_README and the general documentation referenced by it. -INSTALL is only a bootstrap document to get Postfix up and running from scratch -with the minimal number of steps; it should not be considered part of the -general documentation. - -This document describes how to build, install and configure a Postfix system so -that it can do one of the following: - - * Send mail only, without changing an existing Sendmail installation. - * Send and receive mail via a virtual host interface, still without any - change to an existing Sendmail installation. - * Run Postfix instead of Sendmail. - -Topics covered in this document: - - 1. Purpose of this document - 2. Typographical conventions - 3. Documentation - 4. Building on a supported system - 5. Porting Postfix to an unsupported system - 6. Installing the software after successful compilation - 7. Configuring Postfix to send mail only - 8. Configuring Postfix to send and receive mail via virtual interface - 9. Running Postfix instead of Sendmail -10. Mandatory configuration file edits -11. To chroot or not to chroot -12. Care and feeding of the Postfix system - -22 -- TTyyppooggrraapphhiiccaall ccoonnvveennttiioonnss - -In the instructions below, a command written as - - # command - -should be executed as the superuser. - -A command written as - - $ command - -should be executed as an unprivileged user. - -33 -- DDooccuummeennttaattiioonn - -Documentation is available as README files (start with the file README_FILES/ -AAAREADME), as HTML web pages (point your browser to "html/index.html") and as -UNIX-style manual pages. 
- -You should view the README files with a pager such as more(1) or less(1), -because the files use backspace characters in order to produce bboolldd font. To -print a README file without backspace characters, use the col(1) command. For -example: - - $ col -bx = - 3.0) - * 4.4 - Building with Postfix dynamically-linked libraries and database - plugins (Postfix >= 3.0) - * 4.5 - Building with optional features - * 4.6 - Overriding built-in parameter default settings - * 4.7 - Overriding other compile-time features - * 4.8 - Support for thousands of processes - * 4.9 - Compiling Postfix, at last - -44..11 -- GGeettttiinngg ssttaarrtteedd - -On Solaris, the "make" command and other development utilities are in /usr/ccs/ -bin, so you MUST have /usr/ccs/bin in your command search path. If these files -do not exist, you need to install the development packages first. - -If you need to build Postfix for multiple architectures from a single source- -code tree, use the "lndir" command to build a shadow tree with symbolic links -to the source files. - -If at any time in the build process you get messages like: "make: don't know -how to ..." you should be able to recover by running the following command from -the Postfix top-level directory: - - $ make -f Makefile.init makefiles - -If you copied the Postfix source code after building it on another machine, it -is a good idea to cd into the top-level directory and first do this: - - $ make tidy - -This will get rid of any system dependencies left over from compiling the -software elsewhere. - -44..22 -- WWhhaatt ccoommppiilleerr ttoo uussee - -To build with GCC, or with the native compiler if people told me that is better -for your system, just cd into the top-level Postfix directory of the source -tree and type: - - $ make - -To build with a non-default compiler, you need to specify the name of the -compiler. 
Here are a few examples: - - $ make makefiles CC=/opt/SUNWspro/bin/cc (Solaris) - $ make - - $ make makefiles CC="/opt/ansic/bin/cc -Ae" (HP-UX) - $ make - - $ make makefiles CC="purify cc" - $ make - -and so on. In some cases, optimization will be turned off automatically. - -44..33 -- BBuuiillddiinngg wwiitthh PPoossttffiixx ppoossiittiioonn--iinnddeeppeennddeenntt eexxeeccuuttaabblleess ((PPoossttffiixx >>== 33..00)) - -On some systems Postfix can be built with Position-Independent Executables. PIE -is used by the ASLR exploit mitigation technique (ASLR = Address-Space Layout -Randomization): - - $ make makefiles pie=yes ...other arguments... - -(Specify "make makefiles pie=no" to explicitly disable Postfix position- -independent executable support). - -Postfix PIE support appears to work on Fedora Core 20, Ubuntu 14.04, FreeBSD 9 -and 10, and NetBSD 6 (all with the default system compilers). - -Whether the "pie=yes" above has any effect depends on the compiler. Some -compilers always produce PIE executables, and some may even complain that the -Postfix build option is redundant. - -44..44 -- BBuuiillddiinngg wwiitthh PPoossttffiixx ddyynnaammiiccaallllyy--lliinnkkeedd lliibbrraarriieess aanndd ddaattaabbaassee pplluuggiinnss -((PPoossttffiixx >>== 33..00)) - -Postfix dynamically-linked library and database plugin support exists for -recent versions of Linux, FreeBSD and MacOS X. Dynamically-linked library -builds may become the default at some point in the future. - -Overview of topics: - - * 4.4.1 Turning on Postfix dynamically-linked library support - * 4.4.2 Turning on Postfix database-plugin support - * 4.4.3 Customizing Postfix dynamically-linked libraries and database plugins - * 4.4.4 Tips for distribution maintainers - -Note: directories with Postfix dynamically-linked libraries or database plugins -should contain only postfix-related files. 
Postfix dynamically-linked libraries -and database plugins should not be installed in a "public" system directory -such as /usr/lib or /usr/local/lib. Linking Postfix dynamically-linked library -or database-plugin files into non-Postfix programs is not supported. Postfix -dynamically-linked libraries and database plugins implement a Postfix-internal -API that changes without maintaining compatibility. - -44..44..11 TTuurrnniinngg oonn PPoossttffiixx ddyynnaammiiccaallllyy--lliinnkkeedd lliibbrraarryy ssuuppppoorrtt - -Postfix can be built with Postfix dynamically-linked libraries (files typically -named libpostfix-*.so). Postfix dynamically-linked libraries add minor run-time -overhead and result in significantly-smaller Postfix executable files. - -Specify "shared=yes" on the "make makefiles" command line to build Postfix with -dynamically-linked library support. - - $ make makefiles shared=yes ...other arguments... - $ make - -(Specify "make makefiles shared=no" to explicitly disable Postfix dynamically- -linked library support). - -This installs dynamically-linked libraries in $shlib_directory, typically /usr/ -lib/postfix or /usr/local/lib/postfix, with file names libpostfix-name.so, -where the name is a source-code directory name such as "util" or "global". - -See section 4.4.3 "Customizing Postfix dynamically-linked libraries and -database plugins" below for how to customize the Postfix dynamically-linked -library location, including support to upgrade a running mail system safely. - -44..44..22 TTuurrnniinngg oonn PPoossttffiixx ddaattaabbaassee--pplluuggiinn ssuuppppoorrtt - -Additionally, Postfix can be built to support dynamic loading of Postfix -database clients (database plugins) with the Debian-style dynamicmaps feature. -Postfix 3.0 supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:, -pgsql:, sdbm:, and sqlite: database clients. Dynamic loading is useful when you -distribute or install pre-compiled Postfix packages. 
- -Specify "dynamicmaps=yes" on the "make makefiles" command line to build Postfix -with support to dynamically load Postfix database clients with the Debian-style -dynamicmaps feature. - - $ make makefiles dynamicmaps=yes ...other arguments... - $ make - -(Specify "make makefiles dynamicmaps=no" to explicitly disable Postfix -database-plugin support). - -This implicitly enables dynamically-linked library support, installs the -configuration file dynamicmaps.cf in $meta_directory (usually, /etc/postfix or -/usr/local/etc/postfix), and installs database plugins in $shlib_directory (see -above). Database plugins are named postfix-type.so where the type is a database -type such as "cdb" or "ldap". - - NOTE: The Postfix 3.0 build procedure expects that you specify database - library dependencies with variables named AUXLIBS_CDB, AUXLIBS_LDAP, etc. - With Postfix 3.0 and later, the old AUXLIBS variable still supports - building a statically-loaded database client, but only the new AUXLIBS_CDB - etc. variables support building a dynamically-loaded or statically-loaded - CDB etc. database client. See CDB_README, LDAP_README, etc. for details. - - Failure to follow this advice will defeat the purpose of dynamic database - client loading. Every Postfix executable file will have database library - dependencies. And that was exactly what dynamic database client loading was - meant to avoid. - -See the next section for how to customize the location and version of Postfix -database plugins and the location of the file dynamicmaps.cf. 
- -44..44..33 CCuussttoommiizziinngg PPoossttffiixx ddyynnaammiiccaallllyy--lliinnkkeedd lliibbrraarriieess aanndd ddaattaabbaassee pplluuggiinnss - -CCuussttoommiizziinngg bbuuiilldd--ttiimmee aanndd rruunn--ttiimmee ooppttiioonnss ffoorr PPoossttffiixx ddyynnaammiiccaallllyy--lliinnkkeedd -lliibbrraarriieess aanndd ddaattaabbaassee pplluuggiinnss - -The build-time environment variables SHLIB_CFLAGS, SHLIB_RPATH, and -SHLIB_SUFFIX provide control over how Postfix libraries and plugins are -compiled, linked, and named. - - $ make makefiles SHLIB_CFLAGS=flags SHLIB_RPATH=rpath SHLIB_SUFFIX=suffix - ...other arguments... - $ make - -See section 4.7 "Overriding other compile-time features" below for details. - -CCuussttoommiizziinngg tthhee llooccaattiioonn ooff PPoossttffiixx ddyynnaammiiccaallllyy--lliinnkkeedd lliibbrraarriieess aanndd ddaattaabbaassee -pplluuggiinnss - -As a reminder, the directories with Postfix dynamically-linked libraries or -database plugins should contain only Postfix-related files. Linking these files -into other programs is not supported. - -To override the default location of Postfix dynamically-linked libraries and -database plugins specify, for example: - - $ make makefiles shared=yes shlib_directory=/usr/local/lib/postfix ... - -If you intend to upgrade Postfix without stopping the mail system, then you -should append the Postfix release version to the shlib_directory pathname, to -eliminate the possibility that programs will link with dynamically-linked -libraries or database plugins from the wrong Postfix version. For example: - - $ make makefiles shared=yes \ - shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ... - -The command "make makefiles name=value..." will replace the string MAIL_VERSION -at the end of a configuration parameter value with the Postfix release version. -Do not try to specify something like $mail_version on this command line. This -produces inconsistent results with different versions of the make(1) command. 
- -You can change the shlib_directory setting after Postfix is built, with "make -install" or "make upgrade". However, you may have to run ldconfig if you change -shlib_directory after Postfix is built (the symptom is that Postfix programs -fail because the run-time linker cannot find the files libpostfix-*.so). No -ldconfig command is needed if you keep the files libpostfix-*.so in the -compiled-in default $shlib_directory location. - - # make upgrade shlib_directory=/usr/local/lib/postfix ... - # make install shlib_directory=/usr/local/lib/postfix ... - -To append the Postfix release version to the pathname if you intend to upgrade -Postfix without stopping the mail system: - - # make upgrade shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ... - # make install shlib_directory=/usr/local/lib/postfix/MAIL_VERSION ... - -See also the comments above for appending MAIL_VERSION with the "make -makefiles" command. - -CCuussttoommiizziinngg tthhee llooccaattiioonn ooff ddyynnaammiiccmmaappss..ccff aanndd ootthheerr ffiilleess - -The meta_directory parameter has the same default setting as the -config_directory parameter, typically /etc/postfix or /usr/local/etc/postfix. - -You can override the default meta_directory location at compile time or after -Postfix is built. To override the default location at compile time specify, for -example: - - % make makefiles meta_directory=/usr/libexec/postfix ... - -Here is a tip if you want to make a pathname dependent on the Postfix release -version: the command "make makefiles name=value..." will replace the string -MAIL_VERSION at the end of a configuration parameter value with the Postfix -release version. Do not try to specify something like $mail_version on this -command line. This produces inconsistent results with different versions of the -make(1) command. - -You can override the meta_directory setting after Postfix is built, with "make -install" or "make upgrade". 
- - # make upgrade meta_directory=/usr/libexec/postfix ... - # make install meta_directory=/usr/libexec/postfix ... - -As with the command "make makefiles, the command "make install/upgrade -name=value..." will replace the string MAIL_VERSION at the end of a -configuration parameter value with the Postfix release version. Do not try to -specify something like $mail_version on this command line. This produces -inconsistent results with different versions of the make(1) command. - -44..44..44 TTiippss ffoorr ddiissttrriibbuuttiioonn mmaaiinnttaaiinneerrss - - * The shlib_directory parameter setting also provides the default directory - for database plugin files with a relative pathname in the file - dynamicmaps.cf. - - * The meta_directory parameter specifies the location of the files - dynamicmaps.cf, postfix-files, and some multi-instance template files. The - meta_directory parameter has the same default value as the config_directory - parameter (typically, /etc/postfix or /usr/local/etc/postfix). For - backwards compatibility with Postfix 2.6 .. 2.11, specify "meta_directory = - $daemon_directory" in main.cf before installing or upgrading Postfix, or - specify "meta_directory = /path/name" on the "make makefiles", "make - install" or "make upgrade" command line. - - * The configuration file dynamicmaps.cf will automatically include files - under the directory dynamicmaps.cf.d, just like the configuration file - postfix-files will automatically include files under the directory postfix- - files.d. Thanks to this, you can install or deinstall a database plugin - package without having to edit postfix-files or dynamicmaps.cf. Instead, - you give that plugin its own configuration files dynamicmaps.cf.d and - postfix-files.d, and you add or remove those configuration files along with - the database plugin dynamically-linked object. - - * Each configuration file under the directory dynamicmaps.cf.d must have the - same format as the configuration file dynamicmaps.cf. 
There is no - requirement that these configuration file *names* have a specific format. - - * Each configuration file under the directory postfix-files.d must have the - same format as the configuration file postfix-files. There is no - requirement that these configuration file *names* have a specific format. - -44..55 -- BBuuiillddiinngg wwiitthh ooppttiioonnaall ffeeaattuurreess - -By default, Postfix builds as a mail system with relatively few bells and -whistles. Support for third-party databases etc. must be configured when -Postfix is compiled. The following documents describe how to build Postfix with -support for optional features: - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |OOppttiioonnaall ffeeaattuurree |DDooccuummeenntt |AAvvaaiillaabbiilliittyy| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |Berkeley DB database |DB_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |LMDB database |LMDB_README |Postfix 2.11| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |LDAP database |LDAP_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |MySQL database |MYSQL_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |Perl compatible regular expression|PCRE_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |PostgreSQL database |PGSQL_README |Postfix 2.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ 
_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |SASL authentication |SASL_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |SQLite database |SQLITE_README|Postfix 2.8 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |STARTTLS session encryption |TLS_README |Postfix 2.2 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - -Note: IP version 6 support is compiled into Postfix on operating systems that -have IPv6 support. See the IPV6_README file for details. - -44..66 -- OOvveerrrriiddiinngg bbuuiilltt--iinn ppaarraammeetteerr ddeeffaauulltt sseettttiinnggss - -44..66..11 -- PPoossttffiixx 33..00 aanndd llaatteerr - -All Postfix configuration parameters can be changed by editing a Postfix -configuration file, except for one: the parameter that specifies the location -of Postfix configuration files. In order to build Postfix with a configuration -directory other than /etc/postfix, use: - - $ make makefiles config_directory=/some/where ...other arguments... - $ make - -The command "make makefiles name=value ..." will replace the string -MAIL_VERSION at the end of a configuration parameter value with the Postfix -release version. Do not try to specify something like $mail_version on this -command line. This produces inconsistent results with different versions of the -make(1) command. - -Parameters whose defaults can be specified in this way are listed below. See -the postconf(5) manpage for a description (command: "nroff -man man/man5/ -postconf.5 | less"). 
- - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |ppaarraammeetteerr nnaammee |ttyyppiiccaall ddeeffaauulltt | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |command_directory |/usr/sbin | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |config_directory |/etc/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |default_database_type|hash | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |daemon_directory |/usr/libexec/postfix| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |data_directory |/var/lib/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |html_directory |no | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |mail_spool_directory |/var/mail | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |mailq_path |/usr/bin/mailq | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |manpage_directory |/usr/local/man | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |meta_directory |/etc/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |newaliases_path |/usr/bin/newaliases | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |openssl_path |openssl | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |queue_directory |/var/spool/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |readme_directory |no | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |sendmail_path 
|/usr/sbin/sendmail | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |shlib_directory |/usr/lib/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - -44..66..22 -- AAllll PPoossttffiixx vveerrssiioonnss - -All Postfix configuration parameters can be changed by editing a Postfix -configuration file, except for one: the parameter that specifies the location -of Postfix configuration files. In order to build Postfix with a configuration -directory other than /etc/postfix, use: - - $ make makefiles CCARGS='-DDEF_CONFIG_DIR=\"/some/where\"' - $ make - -IMPORTANT: Be sure to get the quotes right. These details matter a lot. - -Parameters whose defaults can be specified in this way are listed below. See -the postconf(5) manpage for a description (command: "nroff -man man/man5/ -postconf.5 | less"). - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |MMaaccrroo nnaammee |ddeeffaauulltt vvaalluuee ffoorr |ttyyppiiccaall ddeeffaauulltt | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_COMMAND_DIR |command_directory |/usr/sbin | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_CONFIG_DIR |config_directory |/etc/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_DB_TYPE |default_database_type|hash | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_DATA_DIR |data_directory |/var/lib/postfix | - |_ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_HTML_DIR |html_directory |no | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_MANPAGE_DIR |manpage_directory |/usr/local/man | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_NEWALIAS_PATH|newaliases_path |/usr/bin/newaliases | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_QUEUE_DIR |queue_directory |/var/spool/postfix | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_README_DIR |readme_directory |no | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - -Note: the data_directory parameter (for caches and pseudo-random numbers) was -introduced with Postfix version 2.5. - -44..77 -- OOvveerrrriiddiinngg ootthheerr ccoommppiillee--ttiimmee ffeeaattuurreess - -The general method to override Postfix compile-time features is as follows: - - $ make makefiles name=value name=value... - $ make - -The following is an extensive list of names and values. 
- - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ -|NNaammee//VVaalluuee |DDeessccrriippttiioonn | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -| |Specifies one or more non-default object | -| |libraries. Postfix 3.0 and later specify some | -| |of their database library dependencies with | -|AUXLIBS="object_library..." |AUXLIBS_CDB, AUXLIBS_LDAP, AUXLIBS_LMDB, | -| |AUXLIBS_MYSQL, AUXLIBS_PCRE, AUXLIBS_PGSQL, | -| |AUXLIBS_SDBM, and AUXLIBS_SQLITE, | -| |respectively. | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|CC=compiler_command |Specifies a non-default compiler. On many | -| |systems, the default is gcc. | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -| |Specifies non-default compiler arguments, for | -|CCARGS="compiler_arguments..."|example, a non-default include directory. The | -| |following directives turn off Postfix features| -| |at compile time: | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with Berkeley DB support. By | -|| |default, Berkeley DB support is compiled in on| -||-DNO_DB |platforms that are known to support this | -|| |feature. If you override this, then you | -|| |probably should also override DEF_DB_TYPE as | -|| |described in section 4.6. 
| -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -||-DNO_DNSSEC |Do not build with DNSSEC support, even if the | -|| |resolver library appears to support it. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with Solaris /dev/poll support. | -||-DNO_DEVPOLL |By default, /dev/poll support is compiled in | -|| |on Solaris versions that are known to support | -|| |this feature. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with Linux EPOLL support. By | -||-DNO_EPOLL |default, EPOLL support is compiled in on | -|| |platforms that are known to support this | -|| |feature. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with EAI (SMTPUTF8) support. By | -||-DNO_EAI |default, EAI support is compiled in when the | -|| |"icuuc" library and header files are found. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not require support for C99 "inline" | -||-DNO_INLINE |functions. Instead, implement argument | -|| |typechecks for non-printf/scanf-like functions| -|| |with ternary operators and unreachable code. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with IPv6 support. By default, | -|| |IPv6 support is compiled in on platforms that | -||-DNO_IPV6 |are known to have IPv6 support. 
Note: this | -|| |directive is for debugging and testing only. | -|| |It is not guaranteed to work on all platforms.| -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with FreeBSD / NetBSD / OpenBSD /| -||-DNO_KQUEUE |MacOSX KQUEUE support. By default, KQUEUE | -|| |support is compiled in on platforms that are | -|| |known to support it. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with NIS or NISPLUS support. NIS | -||-DNO_NIS |is not available on some recent Linux | -|| |distributions. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with NISPLUS support. NISPLUS is | -||-DNO_NISPLUS |not available on some recent Solaris | -|| |distributions. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Do not build with PCRE support. By default, | -||-DNO_PCRE |PCRE support is compiled in when the pcre- | -|| |config utility is installed. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Disable support for POSIX getpwnam_r/ | -||-DNO_POSIX_GETPW_R |getpwuid_r. By default Postfix uses these | -|| |where they are known to be available. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -|| |Use setjmp()/longjmp() instead of sigsetjmp()/| -||-DNO_SIGSETJMP |siglongjmp(). 
By default, Postfix uses | -|| |sigsetjmp()/siglongjmp() when they are known | -|| |to be available. | -|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -| |Specifies a non-default compiler debugging | -|DEBUG=debug_level |level. The default is "-g". Specify DEBUG= to | -| |turn off debugging. | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -| |Specifies a non-default optimization level. | -|OPT=optimization_level |The default is "-O". Specify OPT= to turn off | -| |optimization. | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -| |Specifies non-default compiler options for | -|SHLIB_CFLAGS=flags |building Postfix dynamically-linked libraries | -| |and database plugins. The typical default is | -| |"-fPIC". | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -| |Specifies a non-default runpath for Postfix | -|SHLIB_RPATH=rpath |dynamically-linked libraries. The typical | -| |default is "'-Wl,-rpath,${SHLIB_DIR}'". | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -| |Specifies a non-default suffix for Postfix | -|SHLIB_SUFFIX=suffix |dynamically-linked libraries and database | -| |plugins. The typical default is ".so". | -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | -| |Specifies non-default compiler warning options| -|WARN="warning_flags..." |for use when "make" is invoked in a source | -| |subdirectory only. 
| -|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - -44..88 -- SSuuppppoorrtt ffoorr tthhoouussaannddss ooff pprroocceesssseess - -The number of connections that Postfix can manage simultaneously is limited by -the number of processes that it can run. This number in turn is limited by the -number of files and sockets that a single process can open. For example, the -Postfix queue manager has a separate connection to each delivery process, and -the anvil(8) server has one connection per smtpd(8) process. - -Postfix version 2.4 and later have no built-in limits on the number of open -files or sockets, when compiled on systems that support one of the following: - - * BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9), - * Solaris 8 /dev/poll, - * Linux 2.6 epoll(4). - -With other Postfix versions or operating systems, the number of file -descriptors per process is limited by the value of the FD_SETSIZE macro. If you -expect to run more than 1000 mail delivery processes, you may need to override -the definition of the FD_SETSIZE macro to make select() work correctly: - - $ make makefiles CCARGS=-DFD_SETSIZE=2048 - -Warning: the above has no effect on some Linux versions. Apparently, on these -systems the FD_SETSIZE value can be changed only by using undocumented -interfaces. Currently, that means including directly (which is -not allowed) and overriding the __FD_SETSIZE macro. Beware, undocumented -interfaces can change at any time and without warning. - -But wait, there is more: none of this will work unless the operating system is -configured to handle thousands of connections. See the TUNING_README guide for -examples of how to increase the number of open sockets or files. - -44..99 -- CCoommppiilliinngg PPoossttffiixx,, aatt llaasstt - -If the command - - $ make - -is successful, then you can proceed to install Postfix (section 6). 
- -If the command produces compiler error messages, it may be time to search the -web or to ask the postfix-users@postfix.org mailing list, but be sure to search -the mailing list archives first. Some mailing list archives are linked from -http://www.postfix.org/. - -55 -- PPoorrttiinngg PPoossttffiixx ttoo aann uunnssuuppppoorrtteedd ssyysstteemm - -Each system type that Postfix knows is identified by a unique name. Examples: -SUNOS5, FREEBSD4, and so on. When porting Postfix to a new system, the first -step is to choose a SYSTEMTYPE name for the new system. You must use a name -that includes at least the major version of the operating system (such as -SUNOS4 or LINUX2), so that different releases of the same system can be -supported without confusion. - -Add a case statement to the "makedefs" shell script in the source code top- -level directory that recognizes the new system reliably, and that emits the -right system-specific information. Be sure to make the code robust against user -PATH settings; if the system offers multiple UNIX flavors (e.g. BSD and SYSV) -be sure to build for the native flavor, instead of the emulated one. - -Add an "#ifdef SYSTEMTYPE" section to the central util/sys_defs.h include file. -You may have to invent new feature macro names. Please choose sensible feature -macro names such as HAS_DBM or FIONREAD_IN_SYS_FILIO_H. - -I strongly recommend against using "#ifdef SYSTEMTYPE" in individual source -files. While this may look like the quickest solution, it will create a mess -when newer versions of the same SYSTEMTYPE need to be supported. You're likely -to end up placing "#ifdef" sections all over the source code again. - -66 -- IInnssttaalllliinngg tthhee ssooffttwwaarree aafftteerr ssuucccceessssffuull ccoommppiillaattiioonn - -This text describes how to install Postfix from source code. See the -PACKAGE_README file if you are building a package for distribution to other -systems. 
- -66..11 -- SSaavvee eexxiissttiinngg SSeennddmmaaiill bbiinnaarriieess - -IMPORTANT: if you are REPLACING an existing Sendmail installation with Postfix, -you may need to keep the old sendmail program running for some time in order to -flush the mail queue. - - * Some systems implement a mail switch mechanism where different MTAs - (Postfix, Sendmail, etc.) can be installed at the same time, while only one - of them is actually being used. Examples of such switching mechanisms are - the FreeBSD mailwrapper(8) or the Linux mail switch. In this case you - should try to "flip" the switch to "Postfix" before installing Postfix. - - * If your system has no mail switch mechanism, execute the following commands - (your sendmail, newaliases and mailq programs may be in a different place): - - # mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF - # mv /usr/bin/newaliases /usr/bin/newaliases.OFF - # mv /usr/bin/mailq /usr/bin/mailq.OFF - # chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF \ - /usr/bin/mailq.OFF - -66..22 -- CCrreeaattee aaccccoouunntt aanndd ggrroouuppss - -Before you install Postfix for the first time you need to create an account and -a group: - - * Create a user account "postfix" with a user id and group id that are not - used by any other user account. Preferably, this is an account that no-one - can log into. The account does not need an executable login shell, and - needs no existing home directory. My password and group file entries look - like this: - - /etc/passwd: - postfix:*:12345:12345:postfix:/no/where:/no/shell - - /etc/group: - postfix:*:12345: - - Note: there should be no whitespace before "postfix:". - - * Create a group "postdrop" with a group id that is not used by any other - user account. Not even by the postfix user account. My group file entry - looks like: - - /etc/group: - postdrop:*:54321: - - Note: there should be no whitespace before "postdrop:". 
- -66..33 -- IInnssttaallll PPoossttffiixx - -To install or upgrade Postfix from compiled source code, run one of the -following commands as the super-user: - - # make install (interactive version, first time install) - - # make upgrade (non-interactive version, for upgrades) - - * The interactive version ("make install") asks for pathnames for Postfix - data and program files, and stores your preferences in the main.cf file. IIff - yyoouu ddoonn''tt wwaanntt PPoossttffiixx ttoo oovveerrwwrriittee nnoonn--PPoossttffiixx ""sseennddmmaaiill"",, ""mmaaiillqq"" aanndd - ""nneewwaalliiaasseess"" ffiilleess,, ssppeecciiffyy ppaatthhnnaammeess tthhaatt eenndd iinn ""..ppoossttffiixx"". - - * The non-interactive version ("make upgrade") needs the /etc/postfix/main.cf - file from a previous installation. If the file does not exist, use - interactive installation ("make install") instead. - - * If you specify name=value arguments on the "make install" or "make upgrade" - command line, then these will take precedence over compiled-in default - settings or main.cf settings. - - The command "make install/upgrade name=value ..." will replace the string - MAIL_VERSION at the end of a configuration parameter value with the Postfix - release version. Do not try to specify something like $mail_version on this - command line. This produces inconsistent results with different versions of - the make(1) command. - -66..44 -- CCoonnffiigguurree PPoossttffiixx - -Proceed to the section on how you wish to run Postfix on your particular -machine: - - * Send mail only, without changing an existing Sendmail installation (section - 7). - - * Send and receive mail via a virtual host interface, still without any - change to an existing Sendmail installation (section 8). - - * Run Postfix instead of Sendmail (section 9). 
- -77 -- CCoonnffiigguurriinngg PPoossttffiixx ttoo sseenndd mmaaiill oonnllyy - -If you are going to use Postfix to send mail only, there is no need to change -your existing sendmail setup. Instead, set up your mail user agent so that it -calls the Postfix sendmail program directly. - -Follow the instructions in the "Mandatory configuration file edits" in section -10, and review the "To chroot or not to chroot" text in section 11. - -You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, in order -to avoid conflicts with the real sendmail. Put a "#" character in front of the -line that defines the smtpd service: - - /etc/postfix/master.cf: - #smtp inet n - n - - smtpd - -Start the Postfix system: - - # postfix start - -or, if you feel nostalgic, use the Postfix sendmail command: - - # sendmail -bd -qwhatever - -and watch your maillog file for any error messages. The pathname is /var/log/ -maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the -pathname is defined in the /etc/syslog.conf file. - - $ egrep '(reject|warning|error|fatal|panic):' /some/log/file - -Note: the most important error message is logged first. Later messages are not -as useful. - -In order to inspect the mail queue, use one of the following commands: - - $ mailq - - $ sendmail -bp - - $ postqueue -p - -See also the "Care and feeding" section 12 below. - -88 -- CCoonnffiigguurriinngg PPoossttffiixx ttoo sseenndd aanndd rreecceeiivvee mmaaiill vviiaa vviirrttuuaall iinntteerrffaaccee - -Alternatively, you can use the Postfix system to send AND receive mail while -leaving your Sendmail setup intact, by running Postfix on a virtual interface -address. Simply configure your mail user agent to directly invoke the Postfix -sendmail program. - -To create a virtual network interface address, study your system ifconfig -manual page. 
The command syntax could be any of: - - # iiffccoonnffiigg llee00::11 <> nneettmmaasskk <> uupp - # iiffccoonnffiigg eenn00 aalliiaass <> nneettmmaasskk 225555..225555..225555..225555 - -In the /etc/postfix/main.cf file, I would specify - - /etc/postfix/main.cf: - myhostname = virtual.host.tld - inet_interfaces = $myhostname - mydestination = $myhostname - -Follow the instructions in the "Mandatory configuration file edits" in section -10, and review the "To chroot or not to chroot" text in section 11. - -Start the Postfix system: - - # postfix start - -or, if you feel nostalgic, use the Postfix sendmail command: - - # sendmail -bd -qwhatever - -and watch your maillog file for any error messages. The pathname is /var/log/ -maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the -pathname is defined in the /etc/syslog.conf file. - - $ egrep '(reject|warning|error|fatal|panic):' /some/log/file - -Note: the most important error message is logged first. Later messages are not -as useful. - -In order to inspect the mail queue, use one of the following commands: - - $ mailq - - $ sendmail -bp - - $ postqueue -p - -See also the "Care and feeding" section 12 below. - -99 -- RRuunnnniinngg PPoossttffiixx iinnsstteeaadd ooff SSeennddmmaaiill - -Prior to installing Postfix you should save any existing sendmail program files -as described in section 6. Be sure to keep the old sendmail running for at -least a couple days to flush any unsent mail. To do so, stop the sendmail -daemon and restart it as: - - # /usr/sbin/sendmail.OFF -q - -Note: this is old sendmail syntax. Newer versions use separate processes for -mail submission and for running the queue. - -After you have visited the "Mandatory configuration file edits" section below, -you can start the Postfix system with: - - # postfix start - -or, if you feel nostalgic, use the Postfix sendmail command: - - # sendmail -bd -qwhatever - -and watch your maillog file for any error messages. 
The pathname is /var/log/ -maillog, /var/log/mail, /var/log/syslog, or something else. Typically, the -pathname is defined in the /etc/syslog.conf file. - - $ egrep '(reject|warning|error|fatal|panic):' /some/log/file - -Note: the most important error message is logged first. Later messages are not -as useful. - -In order to inspect the mail queue, use one of the following commands: - - $ mailq - - $ sendmail -bp - - $ postqueue -p - -See also the "Care and feeding" section 12 below. - -1100 -- MMaannddaattoorryy ccoonnffiigguurraattiioonn ffiillee eeddiittss - -Note: the material covered in this section is covered in more detail in the -BASIC_CONFIGURATION_README document. The information presented below is -targeted at experienced system administrators. - -1100..11 -- PPoossttffiixx ccoonnffiigguurraattiioonn ffiilleess - -By default, Postfix configuration files are in /etc/postfix. The two most -important files are main.cf and master.cf; these files must be owned by root. -Giving someone else write permission to main.cf or master.cf (or to their -parent directories) means giving root privileges to that person. - -In /etc/postfix/main.cf, you will have to set up a minimal number of -configuration parameters. Postfix configuration parameters resemble shell -variables, with two important differences: the first one is that Postfix does -not know about quotes like the UNIX shell does. - -You specify a configuration parameter as: - - /etc/postfix/main.cf: - parameter = value - -and you use it by putting a "$" character in front of its name: - - /etc/postfix/main.cf: - other_parameter = $parameter - -You can use $parameter before it is given a value (that is the second main -difference with UNIX shell variables). The Postfix configuration language uses -lazy evaluation, and does not look at a parameter value until it is needed at -runtime. 
- -Whenever you make a change to the main.cf or master.cf file, execute the -following command in order to refresh a running mail system: - - # postfix reload - -1100..22 -- DDeeffaauulltt ddoommaaiinn ffoorr uunnqquuaalliiffiieedd aaddddrreesssseess - -First of all, you must specify what domain will be appended to an unqualified -address (i.e. an address without @domain.tld). The "myorigin" parameter -defaults to the local hostname, but that is probably OK only for very small -sites. - -Some examples (use only one): - - /etc/postfix/main.cf: - myorigin = $myhostname (send mail as "user@$myhostname") - myorigin = $mydomain (send mail as "user@$mydomain") - -1100..33 -- WWhhaatt ddoommaaiinnss ttoo rreecceeiivvee llooccaallllyy - -Next you need to specify what mail addresses Postfix should deliver locally. - -Some examples (use only one): - - /etc/postfix/main.cf: - mydestination = $myhostname, localhost.$mydomain, localhost - mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain - mydestination = $myhostname - -The first example is appropriate for a workstation, the second is appropriate -for the mailserver for an entire domain. The third example should be used when -running on a virtual host interface. - -1100..44 -- PPrrooxxyy//NNAATT iinntteerrffaaccee aaddddrreesssseess - -The proxy_interfaces parameter specifies all network addresses that Postfix -receives mail on by way of a proxy or network address translation unit. You may -specify symbolic hostnames instead of network addresses. - -IMPORTANT: You must specify your proxy/NAT external addresses when your system -is a backup MX host for other domains, otherwise mail delivery loops will -happen when the primary MX host is down. - -Example: host behind NAT box running a backup MX host. 
- - /etc/postfix/main.cf: - proxy_interfaces = 1.2.3.4 (the proxy/NAT external network address) - -1100..55 -- WWhhaatt llooccaall cclliieennttss ttoo rreellaayy mmaaiill ffrroomm - -If your machine is on an open network then you must specify what client IP -addresses are authorized to relay their mail through your machine into the -Internet. The default setting includes all subnetworks that the machine is -attached to. This may give relay permission to too many clients. My own -settings are: - - /etc/postfix/main.cf: - mynetworks = 168.100.189.0/28, 127.0.0.0/8 - -1100..66 -- WWhhaatt rreellaayy ddeessttiinnaattiioonnss ttoo aacccceepptt ffrroomm ssttrraannggeerrss - -If your machine is on an open network then you must also specify whether -Postfix will forward mail from strangers. The default setting will forward mail -to all domains (and subdomains of) what is listed in $mydestination. This may -give relay permission for too many destinations. Recommended settings (use only -one): - - /etc/postfix/main.cf: - relay_domains = (do not forward mail from strangers) - relay_domains = $mydomain (my domain and subdomains) - relay_domains = $mydomain, other.domain.tld, ... - -1100..77 -- OOppttiioonnaall:: ccoonnffiigguurree aa ssmmaarrtt hhoosstt ffoorr rreemmoottee ddeelliivveerryy - -If you're behind a firewall, you should set up a relayhost. If you can, specify -the organizational domain name so that Postfix can use DNS lookups, and so that -it can fall back to a secondary MX host when the primary MX host is down. -Otherwise just specify a hard-coded hostname. - -Some examples (use only one): - - /etc/postfix/main.cf: - relayhost = $mydomain - relayhost = [mail.$mydomain] - -The form enclosed with [] eliminates DNS MX lookups. - -By default, the SMTP client will do DNS lookups even when you specify a relay -host. 
If your machine has no access to a DNS server, turn off SMTP client DNS -lookups like this: - - /etc/postfix/main.cf: - disable_dns_lookups = yes - -The STANDARD_CONFIGURATION_README file has more hints and tips for firewalled -and/or dial-up networks. - -1100..88 -- CCrreeaattee tthhee aalliiaasseess ddaattaabbaassee - -Postfix uses a Sendmail-compatible aliases(5) table to redirect mail for local -(8) recipients. Typically, this information is kept in two files: in a text -file /etc/aliases and in an indexed file /etc/aliases.db. The command "postconf -alias_maps" will tell you the exact location of the text file. - -First, be sure to update the text file with aliases for root, postmaster and -"postfix" that forward mail to a real person. Postfix has a sample aliases file -/etc/postfix/aliases that you can adapt to local conditions. - - /etc/aliases: - root: you - postmaster: root - postfix: root - bin: root - etcetera... - -Note: there should be no whitespace before the ":". - -Finally, build the indexed aliases file with one of the following commands: - - # newaliases - # sendmail -bi - -1111 -- TToo cchhrroooott oorr nnoott ttoo cchhrroooott - -Postfix daemon processes can be configured (via master.cf) to run in a chroot -jail. The processes run at a fixed low privilege and with access only to the -Postfix queue directories (/var/spool/postfix). This provides a significant -barrier against intrusion. The barrier is not impenetrable, but every little -bit helps. - -With the exception of Postfix daemons that deliver mail locally and/or that -execute non-Postfix commands, every Postfix daemon can run chrooted. - -Sites with high security requirements should consider to chroot all daemons -that talk to the network: the smtp(8) and smtpd(8) processes, and perhaps also -the lmtp(8) client. The author's own porcupine.org mail server runs all daemons -chrooted that can be chrooted. 
- -The default /etc/postfix/master.cf file specifies that no Postfix daemon runs -chrooted. In order to enable chroot operation, edit the file /etc/postfix/ -master.cf. Instructions are in the file. - -Note that a chrooted daemon resolves all filenames relative to the Postfix -queue directory (/var/spool/postfix). For successful use of a chroot jail, most -UNIX systems require you to bring in some files or device nodes. The examples/ -chroot-setup directory in the source code distribution has a collection of -scripts that help you set up Postfix chroot environments on different operating -systems. - -Additionally, you almost certainly need to configure syslogd so that it listens -on a socket inside the Postfix queue directory. Examples for specific systems: - -FreeBSD: - - # mkdir -p /var/spool/postfix/var/run - # syslogd -l /var/spool/postfix/var/run/log - -Linux, OpenBSD: - - # mkdir -p /var/spool/postfix/dev - # syslogd -a /var/spool/postfix/dev/log - -1122 -- CCaarree aanndd ffeeeeddiinngg ooff tthhee PPoossttffiixx ssyysstteemm - -Postfix daemon processes run in the background, and log problems and normal -activity to the syslog daemon. The names of logfiles are specified in /etc/ -syslog.conf. At the very least you need something like: - - /etc/syslog.conf: - mail.err /dev/console - mail.debug /var/log/maillog - -IMPORTANT: the syslogd will not create files. You must create them before -(re)starting syslogd. - -IMPORTANT: on Linux you need to put a "-" character before the pathname, e.g., --/var/log/maillog, otherwise the syslogd will use more system resources than -Postfix does. - -Hopefully, the number of problems will be small, but it is a good idea to run -every night before the syslog files are rotated: - - # postfix check - # egrep '(reject|warning|error|fatal|panic):' /some/log/file - - * The first line (postfix check) causes Postfix to report file permission/ - ownership discrepancies. 
- - * The second line looks for problem reports from the mail software, and - reports how effective the relay and junk mail access blocks are. This may - produce a lot of output. You will want to apply some postprocessing to - eliminate uninteresting information. - -The DEBUG_README document describes the meaning of the "warning" etc. labels in -Postfix logging. - diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 28b6b8808..5483dda1a 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -6,6 +6,11 @@ Wish list: Disable -DSNAPSHOT and -DNONPROD in makedefs. + Fix bold "[" and "]" in manpages; these are not part of the + command line. + + Add Google credits to manpages. + Remove this file from the stable release. Things to do after the stable release: @@ -13,12 +18,9 @@ Wish list: Specify WARN_UNUSED_RESULT for all library functions that pass, deliver, bounce or defer a delivery request. - Specify WARN_UNUSED_RESULT for mac_expand(), after making - smtp_reply_footer() undoable. - - Type-checking wrappers for htable(3), ctable(3) and other - modules that take and return a void* pointer. This is - the next best thing to C++ style HTABLE. + Invent some kind of type-checking wrappers for htable(3), + ctable(3) and other modules that take and return a void* + pointer. We already did that for variadic functions. TLS certificate provenance: indicate whether a subject name/issuer are verified or not (for example, change the diff --git a/postfix/conf/postfix-files b/postfix/conf/postfix-files index 12592d204..a433f4f9a 100644 --- a/postfix/conf/postfix-files +++ b/postfix/conf/postfix-files 
@@ -171,6 +171,7 @@ $manpage_directory/man1/postcat.1:f:root:-:644 $manpage_directory/man1/postconf.1:f:root:-:644 $manpage_directory/man1/postdrop.1:f:root:-:644 $manpage_directory/man1/postfix.1:f:root:-:644 +$manpage_directory/man1/postfix-tls.1:f:root:-:644 $manpage_directory/man1/postkick.1:f:root:-:644 $manpage_directory/man1/postlock.1:f:root:-:644 $manpage_directory/man1/postlog.1:f:root:-:644 diff --git a/postfix/conf/postfix-tls-script b/postfix/conf/postfix-tls-script index 7e3cb8c37..4c824943a 100644 --- a/postfix/conf/postfix-tls-script +++ b/postfix/conf/postfix-tls-script 
@@ -2,16 +2,190 @@ #++ # NAME -# postfix-tls-script 1 +# postfix-tls 1 # SUMMARY -# Postfix TLS support management +# Postfix TLS management # SYNOPSIS -# \fBpostfix-tls-script\fR \fIcommand\fR +# \fBpostfix tls\fR \fIsubcommand\fB ...\fR # DESCRIPTION -# The \fBpostfix-tls-script\fR script enables support for opportunistic -# TLS in the Postfix SMTP client and/or server. It generates or updates -# TLS private keys and and self-signed certificates. It executes in an -# environment that is set up by the \fBpostfix\fR(1) command. +# The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature enables +# opportunistic TLS in the Postfix SMTP client and/or server, +# and manages Postfix SMTP server private keys and certificates. +# +# The following subcommands are available: +# .IP "\fBenable-client\fR [\fB-r \fIrandsource\fR]" +# Enable opportunistic TLS in the Postfix SMTP client, if all +# SMTP client TLS settings are at their default values. +# Otherwise, suggest parameter settings without making any +# changes. +# .sp +# Specify \fIrandsource\fR to update the value of the +# \fBtls_random_source\fR configuration parameter (typically, +# /dev/urandom). Prepend \fBdev:\fR to device paths or +# \fBegd:\fR to EGD socket paths. +# .IP "\fBenable-server\fR [\fB-r \fIrandsource\fR] [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]" +# Create a new private key and self-signed server certificate +# and enable opportunistic TLS in the Postfix SMTP server, +# if all SMTP server TLS settings are at their default values. +# Otherwise, suggest parameter settings without making any +# changes. +# .sp +# The \fIrandsource\fR parameter is as with \fBenable-client\fR +# above, and the remaining options are as with \fBnew-server-key\fR +# below. +# .IP "\fBnew-server-key\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]" +# Create a new private key and self-signed server certificate, +# but do not deploy them. 
Log and display commands to deploy +# the new key and corresponding certificate. Also log and +# display commands to output a corresponding CSR or TLSA +# records which may be needed to obtain a CA certificate or +# to update DNS before the new key can be deployed. +# .sp +# The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR +# defaults to 2048. If you choose the \fBecdsa\fR \fIalgorithm\fR +# then \fIbits\fR will be an EC curve name (by default +# \fBsecp256r1\fR, also known as prime256v1). Curves other +# than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR +# are unlikely to be widely interoperable. When generating +# EC keys, use one of these three. DSA keys are obsolete and +# are not supported. +# .sp +# Note: ECDSA support requires OpenSSL 1.0.0 or later and may +# not be available on your system. Not all client systems +# will support ECDSA, so you'll generally want to deploy both +# RSA and ECDSA certificates to make use of ECDSA with +# compatible clients and RSA with the rest. If you want to +# deploy certificate chains with intermediate CAs for both +# RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier +# versions may not handle multiple chain files correctly. +# .sp +# The first \fIhostname\fR argument will be the \fBCommonName\fR +# of both the subject and issuer of the self-signed certificate. +# It, and any additional \fIhostname\fR arguments, will also +# be listed as DNS alternative names in the certificate. If +# no \fIhostname\fR is provided the value of the \fBmyhostname\fR +# main.cf parameter will be used. +# .sp +# For RSA, the generated private key and certificate files +# are named \fBkey-\fIyyyymmdd-hhmmss\fB.pem\fR and +# \fBcert-\fIyyyymmdd-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR +# is the calendar date and \fIhhmmss\fR is the time of day +# in UTC. For ECDSA, the file names start with \fBeckey-\fR +# and \fBeccert-\fR instead of \fBkey-\fR and \fBcert-\fR +# respectively. 
+# .sp +# Before deploying the new key and certificate with DANE, +# update the DNS with new DANE TLSA records, then wait for +# secondary nameservers to update and then for stale records +# in remote DNS caches to expire. +# .sp +# Before deploying a new CA certificate make sure to include +# all the required intermediate issuing CA certificates in +# the certificate chain file. The server certificate must +# be the first certificate in the chain file. Overwrite and +# deploy the file with the original self-signed certificate +# that was generated together with the key. +# .IP "\fBnew-server-cert\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB ...\fR]" +# This is just like \fBnew-server-key\fR except that, rather +# than generating a new private key, any currently deployed +# private key is copied to the new key file. Thus if you're +# publishing DANE TLSA "3 1 1" or "3 1 2" records, there is +# no need to update DNS records. The \fIalgorithm\fB and +# \fIbits\fR arguments are used only if no key of the same +# algorithm is already configured. +# .sp +# This command is rarely needed, because the self-signed +# certificates generated have a 100-year nominal expiration +# time. The underlying public key algorithms may well be +# obsoleted by quantum computers long before then. +# .sp +# The most plausible reason for using this command is when +# the system hostname changes, and you'd like the name in the +# certificate to match the new hostname (not required for +# DANE "3 1 1", but some needlessly picky non-DANE opportunistic +# TLS clients may log warnings or even refuse to communicate). +# .IP "\fBdeploy-server-cert \fIcertfile\fB \fIkeyfile\fR" +# This subcommand deploys the certificates in \fIcertfile\fR +# and private key in \fIkeyfile\fR (which are typically +# generated by the commands above, which will also log and +# display the full command needed to deploy the generated key +# and certificate). 
After the new certificate and key are +# deployed any obsolete keys and certificates may be removed +# by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames +# are relative to the Postfix configuration directory. +# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB +# ...\fR]" +# Write to stdout a certificate signing request (CSR) for the +# specified \fIkeyfile\fR. +# .sp +# Instead of a filename, \fIkeyfile\fR may specify one of the +# supported key algorithm names (see "\fBpostconf -T +# public-key-algorithms\fR"). In that case, the corresponding +# setting from main.cf is used to locate the \fIkeyfile\fR. +# The default \fIkeyfile\fR value is \fBrsa\fR. +# .sp +# Zero or more \fIhostname\fR values can be specified. The +# default \fIhostname\fR is the value of \fBmyhostname\fR +# main.cf parameter. +# .IP "\fBoutput-server-tlsa\fR [\fB-h \fIhostname\fR] [\fIkeyfile\fB ...\fR]" +# Write to stdout a DANE TLSA RRset suitable for a port 25 +# SMTP server on host \fIhostname\fR with keys from any of +# the specified \fIkeyfile\fR values. The default \fIhostname\fR +# is the value of the \fBmyhostname\fR main.cf parameter. +# .sp +# Instead of filenames, the \fIkeyfile\fR list may specify +# names of supported public key algorithms (see "\fBpostconf +# -T public-key-algorithms\fR"). In that case, the actual +# \fIkeyfile\fR list uses the values of the corresponding +# Postfix server TLS key file parameters. If a parameter +# value is empty or equal to \fBnone\fR, then no TLSA record +# is output for that algorithm. +# .sp +# The default \fIkeyfile\fR list consists of the two supported +# algorithms \fBrsa\fR and \fBecdsa\fR. +# CONFIGURATION PARAMETERS +# .ad +# .fi +# The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature reads +# or updates the following configuration parameters. +# .IP "\fBcommand_directory (see 'postconf -d' output)\fR" +# The location of all postfix administrative commands. 
+# .IP "\fBconfig_directory (see 'postconf -d' output)\fR" +# The default location of the Postfix main.cf and master.cf +# configuration files. +# .IP "\fBopenssl_path (openssl)\fR" +# The location of the OpenSSL command line program \fBopenssl\fR(1). +# .IP "\fBsmtp_tls_loglevel (0)\fR" +# Enable additional Postfix SMTP client logging of TLS activity. +# .IP "\fBsmtp_tls_security_level (empty)\fR" +# The default SMTP TLS security level for the Postfix SMTP client; +# when a non-empty value is specified, this overrides the obsolete +# parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. +# .IP "\fBsmtp_tls_session_cache_database (empty)\fR" +# Name of the file containing the optional Postfix SMTP client +# TLS session cache. +# .IP "\fBsmtpd_tls_cert_file (empty)\fR" +# File with the Postfix SMTP server RSA certificate in PEM format. +# .IP "\fBsmtpd_tls_eccert_file (empty)\fR" +# File with the Postfix SMTP server ECDSA certificate in PEM format. +# .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR" +# File with the Postfix SMTP server ECDSA private key in PEM format. +# .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR" +# File with the Postfix SMTP server RSA private key in PEM format. +# .IP "\fBsmtpd_tls_loglevel (0)\fR" +# Enable additional Postfix SMTP server logging of TLS activity. +# .IP "\fBsmtpd_tls_received_header (no)\fR" +# Request that the Postfix SMTP server produces Received: message +# headers that include information about the protocol and cipher used, +# as well as the remote SMTP client CommonName and client certificate issuer +# CommonName. +# .IP "\fBsmtpd_tls_security_level (empty)\fR" +# The SMTP TLS security level for the Postfix SMTP server; when +# a non-empty value is specified, this overrides the obsolete parameters +# smtpd_use_tls and smtpd_enforce_tls. 
+# .IP "\fBtls_random_source (see 'postconf -d' output)\fR" +# The external entropy source for the in-memory \fBtlsmgr\fR(8) pseudo +# random number generator (PRNG) pool. # SEE ALSO # master(8) Postfix master program # postfix(1) Postfix administrative interface @@ -23,15 +197,25 @@ # Viktor Dukhovni #-- +RSA_BITS=2048 # default +EC_CURVE=secp256r1 # default + case $daemon_directory in "") echo This script must be run by the postfix command. 1>&2 echo Do not run directly. 1>&2 - exit 1 + exit 1;; esac umask 022 SHELL=/bin/sh +postconf=$command_directory/postconf +LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script" +INFO="$LOGGER -p info" +WARN="$LOGGER -p warn" +ERROR="$LOGGER -p error" +FATAL="$LOGGER -p fatal" + # # Can't do much without these in place. # 
@@ -43,25 +227,34 @@ cd $command_directory || { exit 1 } -postconf=$command_directory/postconf -LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script" -INFO="$LOGGER -p info" -WARN="$LOGGER -p warn" -FATAL="$LOGGER -p fatal" +check_getopt() { + OPTIND=1 + a= + b= + c= + set -- -a 1 -b 2 -c -- -pos + while getopts :a:b:c o + do + case $o in + a) a="${OPTARG}";; + b) b="${OPTARG}";; + c) c=3;; + *) return 1;; + esac + done + shift `expr ${OPTIND} - 1` + if [ "${a}" != "1" -o "${b}" != 2 -o "${c}" != 3 \ + -o "${OPTIND}" -ne 7 -o "$1" != "-pos" ]; then + return 1 + fi +} -# Make this our *last* "cd", so all the key/cert generation runs in the -# configuration directory. -# -cd $config_directory || { - $FATAL no Postfix configuration directory $config_directory! +check_getopt || { + $FATAL "/bin/sh does not implement a compatible 'getopts' built-in" exit 1 } -#$postconf -d | grep '^smtpd_tls_cert_file =' >/dev/null || { -# mail_version=`$postconf -dh mail_version` -# $FATAL "Postfix $mail_version is not compiled with TLS support" -# exit 1 -#} +# ----- BEGIN OpenSSL-specific ----- # No need to set the location of the OpenSSL command in each Postfix instance, # the value from the default instance is used for all instances. 
@@ -73,6 +266,62 @@ openssl=`$postconf -c $default_config_directory -xh openssl_path` exit 1 } +# ----- END OpenSSL-specific ----- + +# Make this our *last* "cd", so all the key/cert generation runs in the +# configuration directory. +# +test -n "$config_directory" && cd $config_directory || { + $FATAL no Postfix configuration directory $config_directory! + exit 1 +} + +# Do we support TLS and if so which algorithms? +# +$postconf -T compile-version | grep . >/dev/null || { + mail_version=`$postconf -dh mail_version` + $FATAL "Postfix $mail_version is not compiled with TLS support" + exit 1 +} +rsa= +ecdsa= +for _algo in `$postconf -T public-key-algorithms | egrep '^(rsa|ecdsa)$'` +do + eval $_algo=$_algo +done + +# ----- BEGIN OpenSSL-specific ----- + +if [ -n "${ecdsa}" ]; then + $openssl ecparam -name secp256r1 >/dev/null 2>&1 || { + cat <<-EOM | $WARN + Postfix supports ECDSA, but the $openssl command does not. Consider + setting the openssl_path parameter to a more capable version of the + command-line utility than $openssl (with PATH=$PATH). + EOM + ecdsa= + } +fi +if [ -n "${rsa}" ]; then + DEFALG=rsa +elif [ -n "${ecdsa}" ]; then + DEFALG=ecdsa +else + mail_version=`$postconf -dh mail_version` + $FATAL "Postfix $mail_version does not support either RSA or ECDSA" + exit 1 +fi + +# Make sure stdin is open when testing +if [ -r /dev/stdin ] < /dev/null; then + stdin=/dev/stdin +elif [ -r /dev/fd/0 ] /dev/null` -if [ "$tmp" != "$null256" ]; then +if [ "${tmp}" != "${null256}" ]; then cat <&2 Your $openssl does not support the SHA2-256 digest algorithm. To enable 'postfix tls', install an OpenSSL that does. Install its openssl(1) command 
@@ -92,26 +341,20 @@ EOF exit 1 fi -if [ -r /dev/stdin ]; then - stdin=/dev/stdin -elif [ -r /dev/fd/0 ]; then - stdin=/dev/fd/0 -else - $FATAL No /dev/fd/0 or /dev/stdin found - exit 1 -fi - read_key() { [ -n "$1" -a -f "$1" ] || return 1 # Old OpenSSL versions return success even for unsupported sub-commands! - # So we inspect the output instead. Don't prompt if the key is password + # So we inspect the output instead. Don't prompt if the key is password # protected. # - for cmd in pkey rsa; do - $openssl $cmd -passin "pass:umask 077" -in "$1" | - grep . && return 0 - done 2>/dev/null + while read cmd key_algo key_param cert_param; do + $openssl $cmd -passin "pass:umask 077" -in "$1" | + grep . && return 0 + done 2>/dev/null <<-EOF + rsa rsa smtpd_tls_key_file smtpd_tls_cert_file + ec ecdsa smtpd_tls_eckey_file smtpd_tls_eccert_file + EOF return 1 } 
@@ -121,272 +364,684 @@ pubkey_dgst() { # Old OpenSSL versions return success even for unsupported sub-commands! # So we inspect the output instead. # - for cmd in pkey rsa; do - $openssl $cmd -passin "pass:umask 077" -in "$1" -pubout | - $openssl $cmd -pubin -outform DER | - hex_sha256 | egrep -v "$null256" && return 0 + for cmd in ec rsa; do + $openssl $cmd -passin "pass:umask 077" -in "$1" -pubout | + $openssl $cmd -pubin -outform DER | + hex_sha256 | egrep -v "${null256}" && return 0 done 2>/dev/null return 1 } -set_fqdn() { - if [ -n "$1" ]; then fqdn=$1; return 0; fi - fqdn=`$postconf -xh myhostname` || return 1 - case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac -} +cert_pubkey_dgst() { + [ -n "$1" -a -f "$1" ] || return 1 -set_key() { - # Re-use any original private key + # Old OpenSSL versions return success even for unsupported sub-commands! + # So we inspect the output instead. # - key=$1 - if [ -z "$key" ] - then - key=`$postconf -nxh smtpd_tls_key_file` - if [ -z "$key" ]; then - $FATAL "no private key configured" - return 1 - fi - fi - read_key "${key}" >/dev/null && return 0 - $FATAL "no private key found in file: $key" + for cmd in ec rsa; do + $openssl x509 -pubkey -noout -in "$1" | + $openssl $cmd -pubin -outform DER | + hex_sha256 | egrep -v "${null256}" && return 0 + done 2>/dev/null return 1 } -new_cert() { - set_fqdn - stamp=`date +%Y%m%d-%H%M%S` +copy_key() { + _algo=$1; shift + _bits=$1; shift + _fold=$1; shift + _fnew=$1; shift + _umask=`umask` + + umask 077 + read_key "${_fold}" > "${_fnew}" # sets key_algo of current key + _ret=$? 
+ umask "${_umask}" - newcert="cert-${stamp}.pem" - conf_cert_file="\${config_directory}/${newcert}" - if [ -r "${newcert}" ]; then - $FATAL "New certificate file already exists: ${newcert}" + if [ "${_ret}" -ne 0 ]; then + $FATAL "Error copying private key from '${_fold}' to '${_fnew}'" return 1 fi - - newkey="key-${stamp}.pem" - conf_key_file="\${config_directory}/${newkey}" - if [ -r "${newkey}" ]; then - $FATAL "New key file already exists: ${newkey}" + if [ "${key_algo}" != "${_algo}" ]; then + $FATAL "Key algorithm '$key_algo' of '${_fold}' is not '${_algo}'" return 1 fi + # XXX: We'd need C-code in postconf to portably check for compatible "bits" +} + +create_key() { + _algo=$1 + _bits=$2 + _fnew=$3 + _umask=`umask` - if [ $# -gt 0 ]; then - (umask 077; read_key "$1" > "${newkey}") || - { rm "${newkey}"; return 1; } + case $_algo in + "") $FATAL "Internal error: empty algorithm"; return 1;; + $rsa) set -- "${openssl}" genrsa -out "${_fnew}" "${_bits}";; + $ecdsa) set -- "${openssl}" ecparam -param_enc named_curve -genkey \ + -out "${_fnew}" -name "${_bits}";; + *) $FATAL "Internal error: bad algorithm '${_algo}'" + return 1;; + esac + + umask 077 + _err=`"$@" 2>&1` + _ret=$? + umask "${_umask}" + + if [ "${_ret}" -ne 0 ]; then + echo "${_err}" | $WARN + $FATAL "error generating new ${_algo} ${_bits} private key" + return 1 fi +} - # Re-use any existing key - # - _newkey= - if [ ! 
-f "${newkey}" ]; then - _err=`umask 077; $openssl genrsa -out "${newkey}" 2048 2>&1` || { - echo "$_err" | $WARN - $FATAL "error generating new private key" - rm -f "${newkey}" - return 1 - } - _newkey="${newkey}" +create_cert() { + _k=$1; shift + _c=$1; shift + set_fqdn "$1" + if [ $# -gt 0 ]; then shift; fi + set -- "$fqdn" "$@" + + if [ -r "${_c}" ]; then + $FATAL "New certificate file already exists: ${_c}" + return 1 fi # Generate a new self-signed (~100 year) certificate # - printf "[req]\n%s\n%s\n[dn]\n%s\n[ext]\n%s\n%s\n%s\n[alt]\n%s\n" \ - "default_md = sha256" "distinguished_name = dn" "CN_default=" \ - "basicConstraints = CA:false" \ - "extendedKeyUsage = serverAuth" \ - "subjectAltName = @alt" "DNS=${fqdn}" | - $openssl req -x509 -sha256 -new -key "${newkey}" -config $stdin \ - -extensions ext -subj "/CN=${fqdn}" -days 36525 -out "${newcert}" || { - rm -f "${newcert}" - if [ -n "${_newkey}" ]; then rm -f "${_newkey}"; fi - $FATAL "error generating self-signed SSL certificate" - return 1 + ( + echo "default_md = sha256" + echo "x509_extensions = v3" + echo "prompt = yes" + echo "distinguished_name = dn" + echo "[dn]" + echo "[v3]" + echo "basicConstraints = CA:false" + echo "subjectKeyIdentifier = hash" + echo "extendedKeyUsage = serverAuth, clientAuth" + echo "subjectAltName = @alts" + echo "[alts]" + i=1; for dns in "$@"; do + # XXX map empty to $myhostname + echo "DNS.$i = $dns" + i=`expr $i + 1` + done + ) | $openssl req -x509 -config $stdin -new -key "${_k}" \ + -subj "/CN=$fqdn" -days 36525 -out "${_c}" || { + rm -f "${_c}" "${_k}" + $FATAL "error generating self-signed SSL certificate" + return 1 } } +output_server_csr() { + set_keyfile "$1" || return 1 + shift + set_fqdn "$1" || return 1 + shift + set -- "$fqdn" "$@" + ( + echo "default_md = sha256" + echo "req_extensions = v3" + echo "prompt = yes" + echo "distinguished_name = dn" + echo "[dn]" + echo "[v3]" + echo "subjectKeyIdentifier = hash" + echo "extendedKeyUsage = serverAuth, clientAuth" 
+ echo "subjectAltName = @alts" + echo "[alts]" + i=1; for dns in "$@"; do + echo "DNS.$i = $dns" + i=`expr $i + 1` + done + ) | $openssl req -config $stdin -new -key "$keyfile" -subj / +} + +# ----- END OpenSSL-specific ----- + +info_enable_client() { + cat <<-EOM + *** Non-default SMTP client TLS settings detected, no changes made. + For opportunistic TLS in the Postfix SMTP client, the below settings + are typical: + smtp_tls_security_level = may + smtp_tls_loglevel = 1 + EOM + if get_cache_db_type dbtype + then + echo " smtp_tls_session_cache_database = ${dbtype}:\${data_directory}/smtp_scache" + fi +} + +info_client_deployed() { + cat <<-EOM + Enabled opportunistic TLS in the Postfix SMTP client, run: + # postfix reload + if you want the new settings to take effect immediately. + EOM +} + +info_enable_server() { + cat <<-EOM + *** Non-default SMTP server TLS settings detected, no changes made. + For opportunistic TLS in the Postfix SMTP server, the below settings + are typical: + smtpd_tls_security_level = may + smtpd_tls_loglevel = 1 + You can use "postfix tls new-server-cert" to create a new certificate. + Or, "postfix tls new-server-key" to also force a new private key. + If you publish DANE TLSA records, see: + https://tools.ietf.org/html/rfc7671#section-8 + https://tools.ietf.org/html/rfc7671#section-5.1 + https://tools.ietf.org/html/rfc7671#section-5.2 + https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022 + EOM +} + +# args: certfile keyfile deploy +info_created() { + cat <<-EOM + New private key and self-signed certificate created. To deploy run: + # postfix tls deploy-server-cert $1 $2 + EOM +} + +# args: certfile keyfile deploy +info_server_deployed() { + if [ "$3" = "enable" ]; then + echo "Enabled opportunistic TLS in the Postfix SMTP server" + fi + cat <<-EOM + New TLS private key and certificate deployed, run: + # postfix reload + if you want the new settings to take effect immediately. 
+ EOM +} + +# args: certfile keyfile deploy +info_csr() { + cat <<-EOM + To generate a CSR run: + # postfix tls output-server-csr -k $2 [ ...] + EOM + if [ -z "$3" ]; then + echo "Save the signed certificate chain in ${config_directory}/$1, and deploy as above." + else + echo "Save the signed certificate chain in ${config_directory}/$1." + fi +} + +# args: certfile keyfile deploy +info_tlsa() { + # If already deployed, info for how to show all the deployed keys. + # Otherwise, just the new keys, so that TLSA records can be updated + # first. + if [ -n "$3" ]; then shift $#; fi + cat <<-EOM + To generate TLSA records run: + # postfix tls output-server-tlsa [-h ] $2 + EOM +} + +# args: certfile keyfile deploy +info_dane_dns() { + # If already deployed, too late to wait, otherwise advise updating TLSA + # RRs before deployment. + if [ -n "$3" ]; then + cat <<-EOM + (If you have DANE TLSA RRs, update them as soon as possible to match + the newly deployed keys). + EOM + else + cat <<-EOM + (deploy after updating the DNS and waiting for stale RRs to expire). + EOM + fi +} + +set_fqdn() { + if [ -n "$1" ]; then fqdn=$1; return 0; fi + fqdn=`$postconf -xh myhostname` || return 1 + case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac +} + +set_keyfile() { + keyfile=$1 + case $keyfile in + "") : empty ok;; + $rsa) keyfile=`$postconf -nxh smtpd_tls_key_file`;; + $ecdsa) keyfile=`$postconf -nxh smtpd_tls_eckey_file`;; + esac + if [ "${keyfile}" = "none" ]; then keyfile= ; fi +} + +check_key() { + read_key "$1" >/dev/null && return 0 + $FATAL "no private key found in file: $1" + return 1 +} + +# Create new key or copy existing if specified. 
+# +ensure_key() { + _algo=$1; shift + _bits=$1; shift + stamp=`TZ=UTC date +%Y%m%d-%H%M%S` + + case $_algo in + "") $FATAL "Internal error: empty algorithm "; return 1;; + $rsa) keyfile="key-${stamp}.pem"; certfile="cert-${stamp}.pem";; + $ecdsa) keyfile="eckey-${stamp}.pem"; certfile="eccert-${stamp}.pem";; + *) $FATAL "Internal error: bad algorithm '${_algo}'" + return 1;; + esac + + if [ -r "${keyfile}" ]; then + $FATAL "New private key file already exists: ${keyfile}" + return 1 + fi + if [ -r "${certfile}" ]; then + $FATAL "New certificate file already exists: ${certfile}" + return 1 + fi + + if [ -n "$1" ]; then + copy_key "${_algo}" "${_bits}" "$1" "${keyfile}" && return 0 + else + create_key "${_algo}" "${_bits}" "${keyfile}" && return 0 + fi + rm -f "${keyfile}" + return 1 +} + init_random_source() { - rnd=`$postconf -xh tls_random_source` - if [ -n "$rnd" ] - then - return 0 + tls_random_source=$1 + + if [ -z "${tls_random_source}" ]; then + tls_random_source=`$postconf -xh tls_random_source` + fi + if [ -n "${tls_random_source}" ]; then + return 0 fi if [ -r /dev/urandom ] then - echo "Setting tls_random_source to dev:/dev/urandom" - $postconf -e 'tls_random_source = dev:/dev/urandom' || exit 1 + tls_random_source=dev:/dev/urandom else - $FATAL no default TLS random source defined and no /dev/urandom - return 1 + $FATAL no default TLS random source defined and no /dev/urandom + return 1 fi } -show_dane_info() { - echo "If you publish DANE TLSA records, see https://tools.ietf.org/html/rfc7671#section-8.1" -} - all_default() { prefix=$1; shift for var in "$@" do - val=`$postconf -nh "${prefix}${var}"` - if [ -n "$val" ]; then return 1; fi + val=`$postconf -nh "${prefix}${var}"` + if [ -n "$val" ]; then return 1; fi done return 0 } # Select read-write database type for TLS session caches. 
# -cache_dbtype() { +get_cache_db_type() { var=$1; shift prio=0 ret=1 - dbtype= for _dbtype in `$postconf -m` do - _prio=0 - case $_dbtype in - lmdb) _prio=2;; - btree) _prio=1;; - esac - if [ "$_prio" -gt "$prio" ] - then - eval "$var=\$_dbtype" - prio=$_prio - ret=0 - fi + _prio=0 + case $_dbtype in + lmdb) _prio=2;; + btree) _prio=1;; + esac + if [ "$_prio" -gt "$prio" ] + then + eval "$var=\$_dbtype" + prio=$_prio + ret=0 + fi done return $ret } +deploy_server_cert() { + certfile=$1; shift + keyfile=$1; shift + deploy=$1; shift + + # Sets key_algo, key_param and cert_param + check_key "$keyfile" || return 1 + + cd=`cert_pubkey_dgst "${certfile}"` || { + $FATAL "error computing certificate public key digest" + return 1 + } + kd=`pubkey_dgst "$keyfile"` || { + $FATAL "error computing public key digest" + return 1 + } + + if [ "$cd" != "$kd" ]; then + $FATAL "Certificate in ${certfile} does not match key in ${keyfile}" + return 1 + fi + + set -- \ + "${key_param} = ${keyfile}" \ + "${cert_param} = ${certfile}" + + if [ "${deploy}" = "enable" ]; then + set -- "$@" \ + "smtpd_tls_security_level = may" \ + "smtpd_tls_received_header = yes" \ + "smtpd_tls_loglevel = 1" + fi + + if [ -n "${tls_random_source}" ]; then + set -- "$@" "tls_random_source = ${tls_random_source}" + fi + + # All in one shot, since postconf delays modifying "hot" main.cf files. + $postconf -e "$@" || return 1 +} + +# Prepare a new cert and perhaps re-use any existing private key. 
+# +new_server_cert() { + algo=$1; shift + bits=$1; shift + oldkey=$1; shift + deploy=$1; shift + + # resets keyfile (copy or else new) and new certfile + ensure_key "$algo" "$bits" "${oldkey}" || return 1 + create_cert "${keyfile}" "${certfile}" "$@" || return 1 + if [ -n "${deploy}" ]; then + deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1 + fi + + ( + if [ -z "${deploy}" ]; then + info_created "${certfile}" "${keyfile}" "${deploy}" + else + info_server_deployed "${certfile}" "${keyfile}" "${deploy}" + fi + info_csr "${certfile}" "${keyfile}" "${deploy}" + info_tlsa "${certfile}" "${keyfile}" "${deploy}" + if [ -z "${oldkey}" ]; then + info_dane_dns "${certfile}" "${keyfile}" "${deploy}" + fi + ) | $INFO +} + enable_client() { - init_random_source || return 1 if all_default smtp_ \ - use_tls enforce_tls tls_enforce_peername tls_security_level tls_cert_file + use_tls enforce_tls tls_enforce_peername tls_security_level tls_cert_file then - echo "Enabling opportunistic TLS in the Postfix SMTP client" - if cache_dbtype dbtype - then - $postconf -e \ - "smtp_tls_security_level = may" \ - "smtp_tls_loglevel = 1" \ - "smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache" - else - $postconf -e \ - "smtp_tls_security_level = may" \ - "smtp_tls_loglevel = 1" - fi + set -- \ + "smtp_tls_security_level = may" \ + "smtp_tls_loglevel = 1" + + if get_cache_db_type dbtype + then + set -- "$@" \ + "smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache" + fi + + if [ -n "${tls_random_source}" ]; then + set -- "$@" "tls_random_source = ${tls_random_source}" + fi + + # All in one shot, since postconf delays modifying "hot" main.cf files. + $postconf -e "$@" || return 1 + info_client_deployed else - echo "*** Non-default SMTP client TLS settings detected." 
- echo "To enable opportunistic TLS in the Postfix SMTP client: " - echo "Set smtp_tls_security_level = may" - echo "and smtp_tls_loglevel = 1" - if cache_dbtype dbtype - then - echo "and smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache" - fi + info_enable_client fi | $INFO } enable_server() { - init_random_source || exit 1 + algo=$1; shift + bits=$1; shift + if all_default smtpd_ \ - use_tls enforce_tls tls_security_level tls_cert_file + use_tls enforce_tls tls_security_level tls_cert_file then - new_cert || exit 1 - echo "Enabling opportunistic TLS in the Postfix SMTP server" - $postconf -e \ - "smtpd_tls_cert_file = ${conf_cert_file}" \ - "smtpd_tls_key_file = ${conf_key_file}" \ - "smtpd_tls_security_level = may" \ - "smtpd_tls_received_header = yes" \ - "smtpd_tls_loglevel = 1" + # algo bits keyfile deploy [hostnames ...] + new_server_cert "${algo}" "${bits}" "" "enable" "$@" || return 1 else - echo "*** Non-default SMTP server TLS settings detected." - echo "Enable TLS manually as appropriate." - echo "Run \"postfix tls replace-cert\" to change your certificate" - echo "or \"postfix tls replace-key\" to also change the private key." - show_dane_info - fi | $INFO -} - -create_key() { - # Prepare, but don't deploy, a new key. - # - new_cert || exit 1 - (echo "To use the new certificate in the Postfix SMTP server" - echo "set smtpd_tls_key_file = ${conf_key_file}" - echo "and smtpd_tls_cert_file = ${conf_cert_file}" - show_dane_info) | $INFO -} - -replace_key() { - # Prepare *and* deploy a new key and certificate. 
- # - new_cert || exit 1 - $postconf -e \ - "smtpd_tls_key_file = ${conf_key_file}" \ - "smtpd_tls_cert_file = ${conf_cert_file}" - $INFO "New TLS private key and certificate configured" -} - -create_cert() { - # Prepare, but don't deploy, a new cert, - # re-use a private key if applicable - # - key=`$postconf -nxh smtpd_tls_key_file` - new_cert ${key} || exit 1 - (echo "To use the new certificate in the Postfix SMTP server" - echo "set smtpd_tls_key_file = ${conf_key_file}" - echo "and smtpd_tls_cert_file = ${conf_cert_file}" - show_dane_info) | $INFO -} - -replace_cert() { - # Prepare and deploy a new cert, - # re-use a private key if applicable - # - key=`$postconf -nxh smtpd_tls_key_file` - new_cert ${key} || exit 1 - $postconf -e \ - "smtpd_tls_key_file = ${conf_key_file}" \ - "smtpd_tls_cert_file = ${conf_cert_file}" || exit 1 - $INFO "New TLS private key and certificate configured" -} - -gen_csr() { - set_fqdn "$1" || return 1 - set_key "$2" || return 1 - $openssl req -new -sha256 -key "$key" -subj "/CN=$fqdn" + info_enable_server | $INFO + fi } -gen_tlsa() { - set_fqdn "$1" || exit 1 - set_key "$2" || exit 1 - data=`pubkey_dgst "$key"` +output_server_tlsa() { + hostname=$1 + check_key "$2" || return 1 + data=`pubkey_dgst "$2"` || return 1 if [ -z "$data" ] then - $FATAL error computing SHA2-256 SPKI digest of "$key" - return 1 + $FATAL error computing SHA2-256 SPKI digest of "$key" + return 1 fi - echo "_25._tcp.$fqdn. IN TLSA 3 1 1 $data" + echo "_25._tcp.$hostname. 
IN TLSA 3 1 1 $data" } # # Parse JCL # case $1 in +enable-client) + cmd=$1; shift; OPTIND=1 + rand= + while getopts :r: _opt + do + case $_opt in + r) rand="${OPTARG}";; + *) $FATAL "usage: postfix tls $cmd [-r devrandom]" + exit 1;; + esac + done -enable-client) enable_client || exit 1;; -enable-server) enable_server || exit 1;; - create-key) create_key || exit 1;; - create-cert) create_cert || exit 1;; - replace-key) replace_key || exit 1;; - replace-cert) replace_cert || exit 1;; - gen-csr) shift; gen_csr "$@" || exit 1;; - gen-tlsa) shift; gen_tlsa "$@" || exit 1;; - *) - $ERROR "unknown tls command: '$1'" - $FATAL "usage: postfix tls enable-client (or enable-server, create-key, create-cert, replace-key, replace-cert, gen-csr, gen-tlsa)" - exit 1;; + # No positional arguments supported with enable-client + if [ $# -ge "${OPTIND}" ]; then + $FATAL "usage: postfix tls $cmd [-r devrandom]" + exit 1 + fi + # But, shift anyway + shift `expr $OPTIND - 1` + + init_random_source "${rand}" || exit 1 + enable_client || exit 1 + ;; + +enable-server) + cmd=$1; shift; OPTIND=1 + algo=$DEFALG + bits= + rand= + while getopts :a:b:r: _opt + do + case $_opt in + a) algo="${OPTARG}";; + b) bits="${OPTARG}";; + r) rand="${OPTARG}";; + *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [-r devrandom] [hostname ...]" + exit 1;; + esac + done + + # Here positional arguments are hostnames for the new certificate, as + # many as the user wants + shift `expr $OPTIND - 1` + + case $algo in + "") $FATAL "Internal error: empty algorithm "; return 1;; + $rsa) : ${bits:=${RSA_BITS}};; + $ecdsa) : ${bits:=${EC_CURVE}};; + *) $FATAL "Unsupported private key algorithm: $algo" + exit 1;; + esac + + init_random_source "${rand}" || exit 1 + enable_server "${algo}" "${bits}" "$@" || exit 1 + ;; + +new-server-key) + cmd=$1; shift; OPTIND=1 + algo=$DEFALG + while getopts :a:b: _opt + do + case $_opt in + a) algo="${OPTARG}";; + b) bits="${OPTARG}";; + *) $FATAL "usage: postfix tls $cmd [-a 
algorithm] [-b bits ] [hostname ...]" + exit 1;; + esac + done + + # Here positional arguments are hostnames for the new certificate, as + # many as the user wants + shift `expr $OPTIND - 1` + + case $algo in + "") $FATAL "Internal error: empty algorithm "; return 1;; + $rsa) : ${bits:=${RSA_BITS}};; + $ecdsa) : ${bits:=${EC_CURVE}};; + *) $FATAL "Unsupported public key algorithm: $algo" + exit 1;; + esac + + # Force new key + new_server_cert "${algo}" "${bits}" "" "" "$@" || exit 1 + ;; + +new-server-cert) + cmd=$1; shift; OPTIND=1 + algo=$DEFALG + while getopts :a:b: _opt + do + case $_opt in + a) algo="${OPTARG}";; + b) bits="${OPTARG}";; + *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]" + exit 1;; + esac + done + + # Here positional arguments are hostnames for the new certificate, as + # many as the user wants + shift `expr $OPTIND - 1` + + case $algo in + "") $FATAL "Invalid empty key algorithm"; exit 1;; + $rsa) : ${bits:=${RSA_BITS}};; + $ecdsa) : ${bits:=${EC_CURVE}};; + *) $FATAL "Unsupported private key algorithm: $algo" + exit 1;; + esac + + # Existing keyfile or empty + set_keyfile "${algo}" + + # Try to re-use (copy) existing key. 
+ new_server_cert "${algo}" "${bits}" "${keyfile}" "" "$@" || exit 1 + ;; + +deploy-server-cert) + if [ $# -ne 3 ]; then + $FATAL "usage: postfix tls $1 certfile keyfile" + exit 1 + fi + shift + deploy_server_cert "$@" || exit 1 + info_server_deployed "$1" "$2" "deploy" | $INFO + ;; + +output-server-csr) + cmd=$1; shift; OPTIND=1 + k= + while getopts :k: _opt + do + case $_opt in + k) k="${OPTARG}";; + *) $FATAL "usage: postfix tls $cmd [-k keyfile] [hostname ...]" + exit 1;; + esac + done + + # Here positional arguments are hostnames for the new certificate, as + # many as the user wants + shift `expr $OPTIND - 1` + + if [ -n "${k}" ]; then + set_keyfile "${k}" + else + for _algo in $rsa $ecdsa + do + set_keyfile "${_algo}" + if [ -n "${keyfile}" ]; then + break + fi + done + fi + + if [ -z "${keyfile}" -o ! -r "${keyfile}" ]; then + $FATAL "No usable keyfile specified or configured" + exit 1 + fi + + # Default from $myhostname + if [ $# -eq 0 ]; then + set_fqdn + set -- "$fqdn" + fi + + # Output a CSR for the requested names + output_server_csr "$keyfile" "$@" || exit 1 + ;; + +output-server-tlsa) + cmd=$1; shift; OPTIND=1 + hostname= + while getopts :h: _opt + do + case $_opt in + h) hostname="${OPTARG}";; + *) $FATAL "usage: postfix tls $cmd [-h hostname] [keyfile ...]" + exit 1;; + esac + done + set_fqdn "${hostname}" + + # Here positional arguments are keyfiles for which we ouput "3 1 1" + # TLSA RRs, as many keyfiles as the user wants. By default the live + # RSA and/or ECDSA keys. 
+ shift `expr $OPTIND - 1` + + if [ $# -eq 0 ]; then set -- $rsa $ecdsa; fi + + found= + for _k in "$@" + do + set_keyfile "${_k}" + if [ -z "${keyfile}" ]; then continue; fi + echo "; ${keyfile}" + output_server_tlsa "${fqdn}" "${keyfile}" || exit 1 + found=1 + done + if [ -z "${found}" ]; then + $FATAL "No usable keyfiles specified or configured" + exit 1 + fi + ;; + +*) + $ERROR "unknown tls command: '$1'" + $FATAL "usage: postfix tls enable-client (or enable-server, new-server-key, new-server-cert, deploy-server-cert, output-server-csr, output-server-tlsa)" + exit 1 + ;; esac diff --git a/postfix/html/Makefile.in b/postfix/html/Makefile.in index 23d355749..5eda8f7f2 100644 --- a/postfix/html/Makefile.in +++ b/postfix/html/Makefile.in @@ -15,7 +15,7 @@ COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \ postqueue.1.html postsuper.1.html sendmail.1.html \ smtp-source.1.html smtp-sink.1.html posttls-finger.1.html \ qmqp-source.1.html qmqp-sink.1.html \ - qshape.1.html + qshape.1.html postfix-tls.1.html CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \ transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \ cidr_table.5.html tcp_table.5.html header_checks.5.html \ @@ -177,6 +177,10 @@ postfix.1.html: ../src/postfix/postfix.c PATH=../mantools:$$PATH; \ srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ +postfix-tls.1.html: ../conf/postfix-tls-script + PATH=../mantools:$$PATH; \ + srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ + postkick.1.html: ../src/postkick/postkick.c PATH=../mantools:$$PATH; \ srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html index 225f590f0..329115f7e 100644 --- a/postfix/html/cleanup.8.html +++ b/postfix/html/cleanup.8.html 
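Review bot: In output_server_tlsa the error path still interpolates "$key" ($FATAL error computing SHA2-256 SPKI digest of "$key"), but that variable was only set by the removed set_key helper; the digest is now computed from "$2", so the message would print an empty name. Use "$2" (or assign it to a named variable next to hostname=$1) so the diagnostic identifies the key file. Related: in the JCL case, the empty-algorithm arms of enable-server and new-server-key end with `return 1;;` at script top level, where `return` outside a function is not portable; new-server-cert already uses `exit 1;;` in the same position, and the other two should match. Minor: the comment above output-server-tlsa reads "we ouput", should be "we output".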
@@ -505,5 +505,10 @@ CLEANUP(8) CLEANUP(8) P.O. Box 704 Yorktown Heights, NY 10598, USA + Wietse Venema + Google, Inc. + 111 8th Avenue + New York, NY 10011, USA + CLEANUP(8) diff --git a/postfix/html/postconf.1.html b/postfix/html/postconf.1.html index 1ed022edc..bfd4848c8 100644 --- a/postfix/html/postconf.1.html +++ b/postfix/html/postconf.1.html @@ -50,6 +50,10 @@ POSTCONF(1) POSTCONF(1) postconf -t [-v] [-c config_dir] [template_file] + Managing TLS features: + + postconf [-v] [-c config_dir] -T mode + Managing other configuration: postconf -a|-A|-l|-m [-v] [-c config_dir] @@ -402,6 +406,27 @@ POSTCONF(1) POSTCONF(1) This feature is available with Postfix 2.3 and later. + -T mode + If Postfix is compiled without TLS support, the -T option pro- + duces no output. Otherwise, if an invalid mode is specified, + the -T option reports an error and exits with a non-zero status + code. The valid modes are: + + compile-version + Output the OpenSSL version that Postfix was compiled with + (i.e. the OpenSSL version in a header file). The output + format is the same as with the command "openssl version". + + run-version + Output the OpenSSL version that Postfix is linked with at + runtime (i.e. the OpenSSL version in a shared library). + + public-key-algorithms + Output the lower-case names of the supported public-key + algorithms, one per-line. + + This feature is available with Postfix 3.1 and later. + -v Enable verbose logging for debugging purposes. Multiple -v options make the software increasingly verbose. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 26259e121..35cf22d4d 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -4094,7 +4094,7 @@ configuration parameter. See there for details.

lmtp_address_verify_target (default: rcpt)
-

The LMTP-specific version of the smtp_dns_support_level +

The LMTP-specific version of the smtp_address_verify_target configuration parameter. See there for details.

This feature is available in Postfix 3.0 and later.

@@ -7328,9 +7328,9 @@ of the default Postfix instance.
 /etc/postfix/main.cf:
     # NetBSD pkgsrc:
-    openssl_path = /usr/pkg/bin/openssl
+    openssl_path = /usr/pkg/bin/openssl
     # Local build:
-    openssl_path = /usr/local/bin/openssl
+    openssl_path = /usr/local/bin/openssl
 
diff --git a/postfix/html/postfix-manuals.html b/postfix/html/postfix-manuals.html index 4767ce53e..18448053c 100644 --- a/postfix/html/postfix-manuals.html +++ b/postfix/html/postfix-manuals.html @@ -86,6 +86,8 @@ the following convention:

  • postfix(1), Postfix control program +
  • postfix-tls(1), Postfix TLS management +
  • postkick(1), trigger Postfix daemon
  • postlock(1), Postfix-compatible locking diff --git a/postfix/html/postfix-tls.1.html b/postfix/html/postfix-tls.1.html new file mode 100644 index 000000000..51b312f15 --- /dev/null +++ b/postfix/html/postfix-tls.1.html @@ -0,0 +1,214 @@ + + + + Postfix manual - postfix-tls(1) +
    +POSTFIX-TLS(1)                                                  POSTFIX-TLS(1)
    +
    +NAME
    +       postfix-tls - Postfix TLS management
    +
    +SYNOPSIS
    +       postfix tls subcommand ...
    +
    +DESCRIPTION
    +       The  "postfix  tls subcommand ..." feature enables opportunistic TLS in
    +       the Postfix SMTP client and/or server, and manages Postfix SMTP  server
    +       private keys and certificates.
    +
    +       The following subcommands are available:
    +
    +       enable-client [-r randsource]
    +              Enable opportunistic TLS in the Postfix SMTP client, if all SMTP
    +              client TLS settings are at  their  default  values.   Otherwise,
    +              suggest parameter settings without making any changes.
    +
    +              Specify  randsource to update the value of the tls_random_source
    +              configuration parameter (typically, /dev/urandom).  Prepend dev:
    +              to device paths or egd: to EGD socket paths.
    +
    +       enable-server [-r randsource] [-a algorithm] [-b bits] [hostname ...]
    +              Create  a new private key and self-signed server certificate and
    +              enable opportunistic TLS in the Postfix SMTP server, if all SMTP
    +              server  TLS  settings  are  at their default values.  Otherwise,
    +              suggest parameter settings without making any changes.
    +
    +              The randsource parameter is as with enable-client above, and the
    +              remaining options are as with new-server-key below.
    +
    +       new-server-key [-a algorithm] [-b bits] [hostname ...]
    +              Create a new private key and self-signed server certificate, but
    +              do not deploy them. Log and display commands to deploy  the  new
    +              key  and  corresponding  certificate.  Also log and display com-
    +              mands to output a corresponding CSR or TLSA records which may be
    +              needed  to  obtain  a CA certificate or to update DNS before the
    +              new key can be deployed.
    +
    +              The algorithm defaults to rsa, and bits defaults  to  2048.   If
    +              you  choose  the  ecdsa  algorithm then bits will be an EC curve
    +              name (by default secp256r1, also known as  prime256v1).   Curves
    +              other  than secp256r1, secp384r1 or secp521r1 are unlikely to be
    +              widely interoperable.  When generating EC keys, use one of these
    +              three.  DSA keys are obsolete and are not supported.
    +
    +              Note:  ECDSA support requires OpenSSL 1.0.0 or later and may not
    +              be available on your system.  Not all client systems  will  sup-
    +              port  ECDSA,  so  you'll  generally  want to deploy both RSA and
    +              ECDSA certificates to make use of ECDSA with compatible  clients
    +              and  RSA with the rest. If you want to deploy certificate chains
    +              with intermediate CAs for both RSA and  ECDSA,  you'll  want  at
    +              least OpenSSL 1.0.2, as earlier versions may not handle multiple
    +              chain files correctly.
    +
    +              The first hostname argument will be the CommonName of  both  the
    +              subject  and issuer of the self-signed certificate.  It, and any
    +              additional hostname arguments, will also be listed as DNS alter-
    +              native names in the certificate.  If no hostname is provided the
    +              value of the myhostname main.cf parameter will be used.
    +
    +              For RSA, the generated private key  and  certificate  files  are
    +              named   key-yyyymmdd-hhmmss.pem   and  cert-yyyymmdd-hhmmss.pem,
    +              where yyyymmdd is the calendar date and hhmmss is  the  time  of
    +              day  in  UTC.   For  ECDSA, the file names start with eckey- and
    +              eccert- instead of key- and cert- respectively.
    +
    +              Before deploying the new key and certificate with  DANE,  update
    +              the  DNS  with  new  DANE  TLSA records, then wait for secondary
    +              nameservers to update and then for stale records in  remote  DNS
    +              caches to expire.
    +
    +              Before  deploying  a new CA certificate make sure to include all
    +              the required intermediate issuing CA certificates  in  the  cer-
    +              tificate  chain  file.  The server certificate must be the first
    +              certificate in the chain file.  Overwrite and  deploy  the  file
    +              with  the  original  self-signed  certificate that was generated
    +              together with the key.
    +
    +       new-server-cert [-a algorithm] [-b bits] [hostname ...]
    +              This is just like new-server-key except that, rather than gener-
    +              ating  a  new private key, any currently deployed private key is
    +              copied to the new key file.  Thus if you're publishing DANE TLSA
    +              "3  1  1"  or  "3  1  2" records, there is no need to update DNS
    +              records.  The algorithm and bits arguments are used only  if  no
    +              key of the same algorithm is already configured.
    +
    +              This  command is rarely needed, because the self-signed certifi-
    +              cates generated have a 100-year nominal  expiration  time.   The
    +              underlying  public key algorithms may well be obsoleted by quan-
    +              tum computers long before then.
    +
    +              The most plausible reason for using this  command  is  when  the
    +              system hostname changes, and you'd like the name in the certifi-
    +              cate to match the new hostname (not required for DANE "3  1  1",
    +              but some needlessly picky non-DANE opportunistic TLS clients may
    +              log warnings or even refuse to communicate).
    +
    +       deploy-server-cert certfile keyfile
    +              This subcommand deploys the certificates in certfile and private
    +              key  in  keyfile  (which are typically generated by the commands
    +              above, which will also log and display the full  command  needed
    +              to  deploy  the  generated  key and certificate).  After the new
    +              certificate and key are deployed any obsolete keys and  certifi-
    +              cates  may  be removed by hand.   The keyfile and certfile file-
    +              names are relative to the Postfix configuration directory.
    +
    +       output-server-csr [-k keyfile] [hostname
    +              Write to stdout a certificate  signing  request  (CSR)  for  the
    +              specified keyfile.
    +
    +              Instead  of a filename, keyfile may specify one of the supported
    +              key algorithm names (see "postconf  -T  public-key-algorithms").
    +              In  that case, the corresponding setting from main.cf is used to
    +              locate the keyfile.  The default keyfile value is rsa.
    +
    +              Zero or more hostname values  can  be  specified.   The  default
    +              hostname is the value of myhostname main.cf parameter.
    +
    +       output-server-tlsa [-h hostname] [keyfile ...]
    +              Write  to  stdout  a DANE TLSA RRset suitable for a port 25 SMTP
    +              server on host hostname with keys from any of the specified key-
    +              file  values.   The default hostname is the value of the myhost-
    +              name main.cf parameter.
    +
    +              Instead of filenames, the keyfile list may specify names of sup-
    +              ported  public key algorithms (see "postconf -T public-key-algo-
    +              rithms").  In that case, the actual keyfile list uses the values
    +              of the corresponding Postfix server TLS key file parameters.  If
    +              a parameter value is empty or equal to none, then no TLSA record
    +              is output for that algorithm.
    +
    +              The  default  keyfile  list  consists of the two supported algo-
    +              rithms rsa and ecdsa.
    +
    +CONFIGURATION PARAMETERS
    +       The "postfix tls subcommand ..." feature reads or updates the following
    +       configuration parameters.
    +
    +       command_directory (see 'postconf -d' output)
    +              The location of all postfix administrative commands.
    +
    +       config_directory (see 'postconf -d' output)
    +              The  default  location of the Postfix main.cf and master.cf con-
    +              figuration files.
    +
    +       openssl_path (openssl)
    +              The location of the OpenSSL command line program openssl(1).
    +
    +       smtp_tls_loglevel (0)
    +              Enable additional Postfix SMTP client logging of TLS activity.
    +
    +       smtp_tls_security_level (empty)
    +              The default SMTP TLS security level for the Postfix SMTP client;
    +              when a non-empty value is specified, this overrides the obsolete
    +              parameters       smtp_use_tls,       smtp_enforce_tls,       and
    +              smtp_tls_enforce_peername.
    +
    +       smtp_tls_session_cache_database (empty)
    +              Name of the file containing the optional Postfix SMTP client TLS
    +              session cache.
    +
    +       smtpd_tls_cert_file (empty)
    +              File with the Postfix SMTP server RSA certificate in PEM format.
    +
    +       smtpd_tls_eccert_file (empty)
    +              File  with the Postfix SMTP server ECDSA certificate in PEM for-
    +              mat.
    +
    +       smtpd_tls_eckey_file ($smtpd_tls_eccert_file)
    +              File with the Postfix SMTP server ECDSA private key in PEM  for-
    +              mat.
    +
    +       smtpd_tls_key_file ($smtpd_tls_cert_file)
    +              File with the Postfix SMTP server RSA private key in PEM format.
    +
    +       smtpd_tls_loglevel (0)
    +              Enable additional Postfix SMTP server logging of TLS activity.
    +
    +       smtpd_tls_received_header (no)
    +              Request that the Postfix SMTP server produces Received:  message
    +              headers  that  include information about the protocol and cipher
    +              used, as well as the remote SMTP client  CommonName  and  client
    +              certificate issuer CommonName.
    +
    +       smtpd_tls_security_level (empty)
    +              The  SMTP TLS security level for the Postfix SMTP server; when a
    +              non-empty value is specified, this overrides the obsolete param-
    +              eters smtpd_use_tls and smtpd_enforce_tls.
    +
    +       tls_random_source (see 'postconf -d' output)
    +              The  external  entropy source for the in-memory tlsmgr(8) pseudo
    +              random number generator (PRNG) pool.
    +
    +SEE ALSO
    +       master(8) Postfix master program
    +       postfix(1) Postfix administrative interface
    +
    +LICENSE
    +       The Secure Mailer license must be distributed with this software.
    +
    +AUTHOR(S)
    +       Viktor Dukhovni
    +
    +                                                                POSTFIX-TLS(1)
    +
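Review bot: The synopsis line for output-server-csr is truncated: `output-server-csr [-k keyfile] [hostname` is missing the closing bracket and ellipsis. The paragraph below says zero or more hostname values may be given, and the script's usage string reads `[-k keyfile] [hostname ...]`, so the synopsis should be `output-server-csr [-k keyfile] [hostname ...]`. Since the Makefile.in rule in this change generates postfix-tls.1.html from ../conf/postfix-tls-script via srctoman, the correction belongs in that script's manual-page comment block rather than in the HTML.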
    diff --git a/postfix/html/postfix.1.html b/postfix/html/postfix.1.html index 1eddb43e2..76ff7715a 100644 --- a/postfix/html/postfix.1.html +++ b/postfix/html/postfix.1.html @@ -60,7 +60,7 @@ POSTFIX(1) POSTFIX(1) status Indicate if the Postfix mail system is currently running. - set-permissions [name=value ...] + set-permissions [name=value ...] Set the ownership and permissions of Postfix related files and directories, as specified in the postfix-files file. @@ -73,14 +73,14 @@ POSTFIX(1) POSTFIX(1) fix 2.0 and earlier, use "$config_directory/post-install set-permissions". - tls subcommand... + tls subcommand ... Enable opportunistic TLS in the Postfix SMTP client or server, - or generate or replace Postfix SMTP server TLS private keys and - certificates. See the section "TLS SUBCOMMANDS" below. + and manage Postfix SMTP server TLS private keys and certifi- + cates. See postfix-tls(1) for documentation. This feature is available in Postfix 3.1 and later. - upgrade-configuration [name=value ...] + upgrade-configuration [name=value ...] Update the main.cf and master.cf files with information that Postfix needs in order to run: add or update services, and add or update configuration parameter settings. 
@@ -112,96 +112,16 @@ POSTFIX(1) POSTFIX(1) -v Enable verbose logging for debugging purposes. Multiple -v options make the software increasingly verbose. -TLS SUBCOMMANDS - The "postfix tls subcommand..." feature implements the following sub- - commands: - - enable-client - Enable opportunistic TLS in the Postfix SMTP client, if all SMTP - client TLS settings are at their default values. Otherwise, sug- - gest parameter settings without making any changes. - - enable-server - Create a new private key and self-signed server certificate. - Enable opportunistic TLS in the Postfix SMTP server, if all SMTP - server TLS settings are at their default values. Otherwise, sug- - gest parameter settings without making any changes. - - create-key - Create a new 2048-bit RSA private key and self-signed server - certificate, but do not deploy them. Log and display suggested - main.cf settings to deploy the new key and certificate in the - Postfix SMTP server. - - Before deploying the new key and certificate with DANE, use the - command "postfix tls gen-tlsa hostname keyfile" to write recom- - mended TLSA records to stdout. Update the DNS with new DANE - TLSA records, then wait for secondary nameservers to update, and - wait for stale records in remote DNS caches to expire. - - Before deploying the new key and certificate with PKI in the - Postfix SMTP server, use the command "postfix tls gen-csr" to - obtain a certificate signing request (CSR) for the new key, and - replace the self-signed certificate with a CA-issued one before - deployment. - - After taking zero or more of the above step(s), deploy the new - key and certificate using the suggested main.cf settings men- - tioned above. - - create-cert - This is just like create-key except that, rather than generating - a new private key, any currently deployed private key is copied - to the new key file. Thus if you're publishing DANE TLSA "3 1 - 1" records, there is no need to update DNS records. 
- - This command is rarely needed, because the certificates gener- - ated have a 100-year nominal expiration time. The RSA algorithm - may well be obsoleted by quantum computers long before then. - - The most plausible reason for using this command is when system - hostname changes, and you'd like the name in the certificate to - match the new hostname (not required for DANE "3 1 1", but some - needlessly picky non-DANE opportunistic TLS clients may log - warnings or even refuse to communicate). - - replace-key - This is like create-key, but immediately deploys the new private - key and self-signed server certificate. Obsolete keys and cer- - tificates may be removed by hand. Files created with "postfix - tls" commands are named key-yyyymmdd-hhmmss.pem and cert-yyyym- - mdd-hhmmss.pem, where yyyymmdd is the calendar date and hhmmss - is the time of day. - - replace-cert - This is like replace-key, but copies any currently deployed pri- - vate key if one exists, and immediately deploys the key and the - new self-signed server certificate. This is safe with DANE TLSA - "3 1 1" records. As noted before, replacement of just the cer- - tificate is rarely needed. - - gen-csr [hostname] [keyfile] - Write to stdout a certificate signing request (CSR) for the - specified hostname (by default, the value of the myhostname - main.cf parameter) and private key file keyfile (by default, the - value of the smtpd_tls_key_file main.cf parameter). - - gen-tlsa [hostname] [keyfile] - Write to stdout a DANE TLSA record suitable for a port 25 SMTP - server on host hostname (default: the value of the myhostname - main.cf parameter) with private key file keyfile (default: the - value of the smtpd_tls_key_file main.cf parameter). - ENVIRONMENT - The postfix(1) command exports the following environment variables + The postfix(1) command exports the following environment variables before executing the postfix-script file: MAIL_CONFIG This is set when the -c command-line option is present. 
With Postfix 2.6 and later, this environment variable forces the - postfix(1) command to operate on the specified Postfix instance - only. This behavior is inherited by postfix(1) commands that + postfix(1) command to operate on the specified Postfix instance + only. This behavior is inherited by postfix(1) commands that run as a descendant of the current process. MAIL_VERBOSE @@ -215,7 +135,7 @@ POSTFIX(1) POSTFIX(1) ment variables with the same names: config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. command_directory (see 'postconf -d' output) @@ -225,22 +145,22 @@ POSTFIX(1) POSTFIX(1) The directory with Postfix support programs and daemon programs. html_directory (see 'postconf -d' output) - The location of Postfix HTML files that describe how to build, + The location of Postfix HTML files that describe how to build, configure or operate a specific Postfix subsystem or feature. mail_owner (postfix) - The UNIX system account that owns the Postfix queue and most + The UNIX system account that owns the Postfix queue and most Postfix daemon processes. mailq_path (see 'postconf -d' output) - Sendmail compatibility feature that specifies where the Postfix + Sendmail compatibility feature that specifies where the Postfix mailq(1) command is installed. manpage_directory (see 'postconf -d' output) Where the Postfix manual pages are installed. newaliases_path (see 'postconf -d' output) - Sendmail compatibility feature that specifies the location of + Sendmail compatibility feature that specifies the location of the newaliases(1) command. queue_directory (see 'postconf -d' output) 
@@ -251,59 +171,64 @@ POSTFIX(1) POSTFIX(1) configure or operate a specific Postfix subsystem or feature. sendmail_path (see 'postconf -d' output) - A Sendmail compatibility feature that specifies the location of + A Sendmail compatibility feature that specifies the location of the Postfix sendmail(1) command. setgid_group (postdrop) - The group ownership of set-gid Postfix commands and of + The group ownership of set-gid Postfix commands and of group-writable Postfix directories. Available in Postfix version 2.5 and later: data_directory (see 'postconf -d' output) - The directory with Postfix-writable data files (for example: + The directory with Postfix-writable data files (for example: caches, pseudo-random numbers). Available in Postfix version 3.0 and later: meta_directory (see 'postconf -d' output) - The location of non-executable files that are shared among mul- - tiple Postfix instances, such as postfix-files, dynamicmaps.cf, - and the multi-instance template files main.cf.proto and mas- + The location of non-executable files that are shared among mul- + tiple Postfix instances, such as postfix-files, dynamicmaps.cf, + and the multi-instance template files main.cf.proto and mas- ter.cf.proto. shlib_directory (see 'postconf -d' output) - The location of Postfix dynamically-linked libraries (libpost- - fix-*.so), and the default location of Postfix database plugins - (postfix-*.so) that have a relative pathname in the dynam- + The location of Postfix dynamically-linked libraries (libpost- + fix-*.so), and the default location of Postfix database plugins + (postfix-*.so) that have a relative pathname in the dynam- icmaps.cf file. + Available in Postfix version 3.1 and later: + + openssl_path (openssl) + The location of the OpenSSL command line program openssl(1). 
+ Other configuration parameters: import_environment (see 'postconf -d' output) - The list of environment parameters that a Postfix process will + The list of environment parameters that a Postfix process will import from a non-Postfix parent process. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the process name in - syslog records, so that "smtpd" becomes, for example, "post- + The mail system name that is prepended to the process name in + syslog records, so that "smtpd" becomes, for example, "post- fix/smtpd". Available in Postfix version 2.6 and later: multi_instance_directories (empty) - An optional list of non-default Postfix configuration directo- - ries; these directories belong to additional Postfix instances - that share the Postfix executable files and documentation with - the default Postfix instance, and that are started, stopped, + An optional list of non-default Postfix configuration directo- + ries; these directories belong to additional Postfix instances + that share the Postfix executable files and documentation with + the default Postfix instance, and that are started, stopped, etc., together with the default Postfix instance. multi_instance_wrapper (empty) - The pathname of a multi-instance manager command that the post- - fix(1) command invokes when the multi_instance_directories + The pathname of a multi-instance manager command that the post- + fix(1) command invokes when the multi_instance_directories parameter value is non-empty. multi_instance_group (empty) 
@@ -313,15 +238,15 @@ POSTFIX(1) POSTFIX(1) The optional instance name of this Postfix instance. multi_instance_enable (no) - Allow this Postfix instance to be started, stopped, etc., by a + Allow this Postfix instance to be started, stopped, etc., by a multi-instance manager. FILES - Prior to Postfix version 2.6, all of the following files were in $con- + Prior to Postfix version 2.6, all of the following files were in $con- fig_directory. Some files are now in $daemon_directory so that they can be shared among multiple instances that run the same Postfix version. - Use the command "postconf config_directory" or "postconf daemon_direc- + Use the command "postconf config_directory" or "postconf daemon_direc- tory" to expand the names into their actual values. $config_directory/main.cf, Postfix configuration parameters @@ -337,6 +262,7 @@ POSTFIX(1) POSTFIX(1) postcat(1), examine Postfix queue file postconf(1), Postfix configuration utility postfix(1), Postfix control program + postfix-tls(1), Postfix TLS management postkick(1), trigger Postfix daemon postlock(1), Postfix-compatible locking postlog(1), Postfix-compatible logging @@ -426,6 +352,11 @@ POSTFIX(1) POSTFIX(1) P.O. Box 704 Yorktown Heights, NY 10598, USA + Wietse Venema + Google, Inc. + 111 8th Avenue + New York, NY 10011, USA + TLS support by: Lutz Jaenicke Brandenburg University of Technology diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 87d9a2e10..c0679b100 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -1292,6 +1292,11 @@ SMTPD(8) SMTPD(8) P.O. Box 704 Yorktown Heights, NY 10598, USA + Wietse Venema + Google, Inc. + 111 8th Avenue + New York, NY 10011, USA + SASL support originally by: Till Franke SuSE Rhein/Main AG diff --git a/postfix/makedefs b/postfix/makedefs index 3615f7811..8393e7e5c 100644 --- a/postfix/makedefs +++ b/postfix/makedefs 
@@ -798,6 +798,11 @@ esac # ;; #esac +# +# We don't know all systems that have /dev/urandom, so we probe. +# +test -r /dev/urandom && CCARGS="$CCARGS -DHAS_DEV_URANDOM" + # # PCRE 3.x has a pcre-config utility so we don't have to guess. # diff --git a/postfix/man/Makefile.in b/postfix/man/Makefile.in index 4e68fd911..e01ce2824 100644 --- a/postfix/man/Makefile.in +++ b/postfix/man/Makefile.in @@ -12,7 +12,7 @@ DAEMONS = man8/bounce.8 man8/defer.8 man8/cleanup.8 man8/error.8 man8/local.8 \ COMMANDS= man1/postalias.1 man1/postcat.1 man1/postconf.1 man1/postfix.1 \ man1/postkick.1 man1/postlock.1 man1/postlog.1 man1/postdrop.1 \ man1/postmap.1 man1/postmulti.1 man1/postqueue.1 man1/postsuper.1 \ - man1/sendmail.1 man1/mailq.1 man1/newaliases.1 + man1/sendmail.1 man1/mailq.1 man1/newaliases.1 man1/postfix-tls.1 CONFIG = man5/access.5 man5/aliases.5 man5/canonical.5 man5/relocated.5 \ man5/transport.5 man5/virtual.5 man5/pcre_table.5 man5/regexp_table.5 \ man5/cidr_table.5 man5/tcp_table.5 man5/header_checks.5 \ @@ -201,6 +201,11 @@ man1/postfix.1: ../src/postfix/postfix.c (cmp -s junk $? || mv junk $?) && rm -f junk ../mantools/srctoman $? >$@ +man1/postfix-tls.1: ../conf/postfix-tls-script + ../mantools/fixman ../proto/postconf.proto $? >junk && \ + (cmp -s junk $? || mv junk $?) && rm -f junk + ../mantools/srctoman - $? >$@ + man1/postkick.1: ../src/postkick/postkick.c ../mantools/fixman ../proto/postconf.proto $? >junk && \ (cmp -s junk $? || mv junk $?) && rm -f junk diff --git a/postfix/man/man1/postconf.1 b/postfix/man/man1/postconf.1 index ac60f0794..9d75ab28e 100644 --- a/postfix/man/man1/postconf.1 +++ b/postfix/man/man1/postconf.1 
@@ -64,6 +64,10 @@ Postfix configuration utility \fBpostconf\fR \fB\-t\fR [\fB\-v\fR] [\fB\-c \fIconfig_dir\fR] [\fItemplate_file\fR] +\fBManaging TLS features:\fR + +\fBpostconf\fR [\fB\-v\fR] [\fB\-c \fIconfig_dir\fR] \fB\-T \fImode\fR + \fBManaging other configuration:\fR \fBpostconf\fR \fB\-a\fR|\fB\-A\fR|\fB\-l\fR|\fB\-m\fR [\fB\-v\fR] @@ -417,6 +421,25 @@ empty template file name on the \fBpostconf\fR(1) command line (in shell language: ""). This feature is available with Postfix 2.3 and later. +.IP "\fB\-T \fImode\fB" +If Postfix is compiled without TLS support, the \fB\-T\fR option +produces no output. Otherwise, if an invalid \fImode\fR is specified, +the \fB\-T\fR option reports an error and exits with a non\-zero status +code. The valid modes are: +.RS +.IP \fBcompile\-version\fR +Output the OpenSSL version that Postfix was compiled with +(i.e. the OpenSSL version in a header file). The output +format is the same as with the command "\fBopenssl version\fR". +.IP \fBrun\-version\fR +Output the OpenSSL version that Postfix is linked with at +runtime (i.e. the OpenSSL version in a shared library). +.IP \fBpublic\-key\-algorithms\fR +Output the lower\-case names of the supported public\-key +algorithms, one per\-line. +.RE +.IP +This feature is available with Postfix 3.1 and later. .IP \fB\-v\fR Enable verbose logging for debugging purposes. Multiple \fB\-v\fR options make the software increasingly verbose. diff --git a/postfix/man/man1/postfix-tls.1 b/postfix/man/man1/postfix-tls.1 new file mode 100644 index 000000000..2be1ae3b8 --- /dev/null +++ b/postfix/man/man1/postfix-tls.1 
@@ -0,0 +1,209 @@ +.TH POSTFIX-TLS 1 +.ad +.fi +.SH NAME +postfix-tls +\- +Postfix TLS management +.SH "SYNOPSIS" +.na +.nf +\fBpostfix tls\fR \fIsubcommand\fB ...\fR +.SH DESCRIPTION +.ad +.fi +The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature enables +opportunistic TLS in the Postfix SMTP client and/or server, +and manages Postfix SMTP server private keys and certificates. + +The following subcommands are available: +.IP "\fBenable\-client\fR [\fB\-r \fIrandsource\fR]" +Enable opportunistic TLS in the Postfix SMTP client, if all +SMTP client TLS settings are at their default values. +Otherwise, suggest parameter settings without making any +changes. +.sp +Specify \fIrandsource\fR to update the value of the +\fBtls_random_source\fR configuration parameter (typically, +/dev/urandom). Prepend \fBdev:\fR to device paths or +\fBegd:\fR to EGD socket paths. +.IP "\fBenable\-server\fR [\fB\-r \fIrandsource\fR] [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]" +Create a new private key and self\-signed server certificate +and enable opportunistic TLS in the Postfix SMTP server, +if all SMTP server TLS settings are at their default values. +Otherwise, suggest parameter settings without making any +changes. +.sp +The \fIrandsource\fR parameter is as with \fBenable\-client\fR +above, and the remaining options are as with \fBnew\-server\-key\fR +below. +.IP "\fBnew\-server\-key\fR [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]" +Create a new private key and self\-signed server certificate, +but do not deploy them. Log and display commands to deploy +the new key and corresponding certificate. Also log and +display commands to output a corresponding CSR or TLSA +records which may be needed to obtain a CA certificate or +to update DNS before the new key can be deployed. +.sp +The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR +defaults to 2048. 
If you choose the \fBecdsa\fR \fIalgorithm\fR +then \fIbits\fR will be an EC curve name (by default +\fBsecp256r1\fR, also known as prime256v1). Curves other +than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR +are unlikely to be widely interoperable. When generating +EC keys, use one of these three. DSA keys are obsolete and +are not supported. +.sp +Note: ECDSA support requires OpenSSL 1.0.0 or later and may +not be available on your system. Not all client systems +will support ECDSA, so you'll generally want to deploy both +RSA and ECDSA certificates to make use of ECDSA with +compatible clients and RSA with the rest. If you want to +deploy certificate chains with intermediate CAs for both +RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier +versions may not handle multiple chain files correctly. +.sp +The first \fIhostname\fR argument will be the \fBCommonName\fR +of both the subject and issuer of the self\-signed certificate. +It, and any additional \fIhostname\fR arguments, will also +be listed as DNS alternative names in the certificate. If +no \fIhostname\fR is provided the value of the \fBmyhostname\fR +main.cf parameter will be used. +.sp +For RSA, the generated private key and certificate files +are named \fBkey\-\fIyyyymmdd\-hhmmss\fB.pem\fR and +\fBcert\-\fIyyyymmdd\-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR +is the calendar date and \fIhhmmss\fR is the time of day +in UTC. For ECDSA, the file names start with \fBeckey\-\fR +and \fBeccert\-\fR instead of \fBkey\-\fR and \fBcert\-\fR +respectively. +.sp +Before deploying the new key and certificate with DANE, +update the DNS with new DANE TLSA records, then wait for +secondary nameservers to update and then for stale records +in remote DNS caches to expire. +.sp +Before deploying a new CA certificate make sure to include +all the required intermediate issuing CA certificates in +the certificate chain file. The server certificate must +be the first certificate in the chain file. 
Overwrite and +deploy the file with the original self\-signed certificate +that was generated together with the key. +.IP "\fBnew\-server\-cert\fR [\fB\-a \fIalgorithm\fR] [\fB\-b \fIbits\fR] [\fIhostname\fB ...\fR]" +This is just like \fBnew\-server\-key\fR except that, rather +than generating a new private key, any currently deployed +private key is copied to the new key file. Thus if you're +publishing DANE TLSA "3 1 1" or "3 1 2" records, there is +no need to update DNS records. The \fIalgorithm\fB and +\fIbits\fR arguments are used only if no key of the same +algorithm is already configured. +.sp +This command is rarely needed, because the self\-signed +certificates generated have a 100\-year nominal expiration +time. The underlying public key algorithms may well be +obsoleted by quantum computers long before then. +.sp +The most plausible reason for using this command is when +the system hostname changes, and you'd like the name in the +certificate to match the new hostname (not required for +DANE "3 1 1", but some needlessly picky non\-DANE opportunistic +TLS clients may log warnings or even refuse to communicate). +.IP "\fBdeploy\-server\-cert \fIcertfile\fB \fIkeyfile\fR" +This subcommand deploys the certificates in \fIcertfile\fR +and private key in \fIkeyfile\fR (which are typically +generated by the commands above, which will also log and +display the full command needed to deploy the generated key +and certificate). After the new certificate and key are +deployed any obsolete keys and certificates may be removed +by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames +are relative to the Postfix configuration directory. +.IP "\fBoutput\-server\-csr\fR [\fB\-k \fIkeyfile\fR] [\fIhostname\fB +...\fR]" +Write to stdout a certificate signing request (CSR) for the +specified \fIkeyfile\fR. +.sp +Instead of a filename, \fIkeyfile\fR may specify one of the +supported key algorithm names (see "\fBpostconf \-T +public\-key\-algorithms\fR"). 
In that case, the corresponding +setting from main.cf is used to locate the \fIkeyfile\fR. +The default \fIkeyfile\fR value is \fBrsa\fR. +.sp +Zero or more \fIhostname\fR values can be specified. The +default \fIhostname\fR is the value of \fBmyhostname\fR +main.cf parameter. +.IP "\fBoutput\-server\-tlsa\fR [\fB\-h \fIhostname\fR] [\fIkeyfile\fB ...\fR]" +Write to stdout a DANE TLSA RRset suitable for a port 25 +SMTP server on host \fIhostname\fR with keys from any of +the specified \fIkeyfile\fR values. The default \fIhostname\fR +is the value of the \fBmyhostname\fR main.cf parameter. +.sp +Instead of filenames, the \fIkeyfile\fR list may specify +names of supported public key algorithms (see "\fBpostconf +\-T public\-key\-algorithms\fR"). In that case, the actual +\fIkeyfile\fR list uses the values of the corresponding +Postfix server TLS key file parameters. If a parameter +value is empty or equal to \fBnone\fR, then no TLSA record +is output for that algorithm. +.sp +The default \fIkeyfile\fR list consists of the two supported +algorithms \fBrsa\fR and \fBecdsa\fR. +.SH "CONFIGURATION PARAMETERS" +.na +.nf +.ad +.fi +The "\fBpostfix tls \fIsubcommand\fB ...\fR" feature reads +or updates the following configuration parameters. +.IP "\fBcommand_directory (see 'postconf -d' output)\fR" +The location of all postfix administrative commands. +.IP "\fBconfig_directory (see 'postconf -d' output)\fR" +The default location of the Postfix main.cf and master.cf +configuration files. +.IP "\fBopenssl_path (openssl)\fR" +The location of the OpenSSL command line program \fBopenssl\fR(1). +.IP "\fBsmtp_tls_loglevel (0)\fR" +Enable additional Postfix SMTP client logging of TLS activity. +.IP "\fBsmtp_tls_security_level (empty)\fR" +The default SMTP TLS security level for the Postfix SMTP client; +when a non\-empty value is specified, this overrides the obsolete +parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. 
+.IP "\fBsmtp_tls_session_cache_database (empty)\fR" +Name of the file containing the optional Postfix SMTP client +TLS session cache. +.IP "\fBsmtpd_tls_cert_file (empty)\fR" +File with the Postfix SMTP server RSA certificate in PEM format. +.IP "\fBsmtpd_tls_eccert_file (empty)\fR" +File with the Postfix SMTP server ECDSA certificate in PEM format. +.IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR" +File with the Postfix SMTP server ECDSA private key in PEM format. +.IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR" +File with the Postfix SMTP server RSA private key in PEM format. +.IP "\fBsmtpd_tls_loglevel (0)\fR" +Enable additional Postfix SMTP server logging of TLS activity. +.IP "\fBsmtpd_tls_received_header (no)\fR" +Request that the Postfix SMTP server produces Received: message +headers that include information about the protocol and cipher used, +as well as the remote SMTP client CommonName and client certificate issuer +CommonName. +.IP "\fBsmtpd_tls_security_level (empty)\fR" +The SMTP TLS security level for the Postfix SMTP server; when +a non\-empty value is specified, this overrides the obsolete parameters +smtpd_use_tls and smtpd_enforce_tls. +.IP "\fBtls_random_source (see 'postconf -d' output)\fR" +The external entropy source for the in\-memory \fBtlsmgr\fR(8) pseudo +random number generator (PRNG) pool. +.SH "SEE ALSO" +.na +.nf +master(8) Postfix master program +postfix(1) Postfix administrative interface +.SH "LICENSE" +.na +.nf +.ad +.fi +The Secure Mailer license must be distributed with this software. +.SH "AUTHOR(S)" +.na +.nf +Viktor Dukhovni diff --git a/postfix/man/man1/postfix.1 b/postfix/man/man1/postfix.1 index bebdb5f35..05dde9c11 100644 --- a/postfix/man/man1/postfix.1 +++ b/postfix/man/man1/postfix.1 
@@ -60,7 +60,7 @@ Re\-read configuration files. Running processes terminate at their earliest convenience. .IP \fBstatus\fR Indicate if the Postfix mail system is currently running. -.IP "\fBset\-permissions\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR +.IP "\fBset\-permissions\fR [\fIname\fR=\fIvalue ...\fR] Set the ownership and permissions of Postfix related files and directories, as specified in the \fBpostfix\-files\fR file. .sp @@ -72,13 +72,13 @@ already installed Postfix system. This feature is available in Postfix 2.1 and later. With Postfix 2.0 and earlier, use "\fB$config_directory/post\-install set\-permissions\fR". -.IP "\fBtls\fR \fIsubcommand...\fB\fR -Enable opportunistic TLS in the Postfix SMTP client or server, -or generate or replace Postfix SMTP server TLS private keys -and certificates. See the section "TLS SUBCOMMANDS" below. +.IP "\fBtls\fR \fIsubcommand\fB ...\fR +Enable opportunistic TLS in the Postfix SMTP client or +server, and manage Postfix SMTP server TLS private keys and +certificates. See postfix\-tls(1) for documentation. .sp This feature is available in Postfix 3.1 and later. -.IP "\fBupgrade\-configuration\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR +.IP "\fBupgrade\-configuration\fR [\fIname\fR=\fIvalue ...\fR] Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information that Postfix needs in order to run: add or update services, and add or update configuration parameter settings. 
@@ -107,86 +107,6 @@ via the \fBdebugger_command\fR configuration parameter. .IP \fB\-v\fR Enable verbose logging for debugging purposes. Multiple \fB\-v\fR options make the software increasingly verbose. -.SH "TLS SUBCOMMANDS" -.na -.nf -.ad -.fi -The "\fBpostfix tls \fIsubcommand...\fR" feature implements the -following subcommands: -.IP "\fBenable\-client\fR" -Enable opportunistic TLS in the Postfix SMTP client, if all SMTP -client TLS settings are at their default values. Otherwise, -suggest parameter settings without making any changes. -.IP "\fBenable\-server\fR" -Create a new private key and self\-signed server certificate. -Enable opportunistic TLS in the Postfix SMTP server, if all -SMTP server TLS settings are at their default values. Otherwise, -suggest parameter settings without making any changes. -.IP "\fBcreate\-key\fR" -Create a new 2048\-bit RSA private key and self\-signed server -certificate, but do not deploy them. Log and display suggested -main.cf settings to deploy the new key and certificate in -the Postfix SMTP server. -.sp -Before deploying the new key and certificate with DANE, use the -command "\fBpostfix tls gen\-tlsa \fIhostname keyfile\fR" -to write recommended TLSA records to stdout. -Update the DNS with new DANE TLSA records, then wait for -secondary nameservers to update, and wait for stale records in -remote DNS caches to expire. -.sp -Before deploying the new key and certificate with PKI in -the Postfix SMTP server, use the command "\fBpostfix tls -gen\-csr\fR" to obtain a certificate signing request (CSR) -for the new key, and replace the self\-signed certificate -with a CA\-issued one before deployment. -.IP -After taking zero or more of the above step(s), deploy the -new key and certificate using the suggested main.cf settings -mentioned above. -.IP "\fBcreate\-cert\fR" -This is just like \fBcreate\-key\fR except that, rather than -generating a new private key, any currently deployed private -key is copied to the new key file. 
Thus if you're publishing -DANE TLSA "3 1 1" records, there is no need to update DNS records. -.sp -This command is rarely needed, because the certificates generated -have a 100\-year nominal expiration time. The RSA algorithm may -well be obsoleted by quantum computers long -before then. -.sp -The most plausible reason for using this command is when -system hostname changes, and you'd like the name in the -certificate to match the new hostname (not required for -DANE "3 1 1", but some needlessly picky non\-DANE opportunistic -TLS clients may log warnings or even refuse to communicate). -.IP "\fBreplace\-key\fR" -This is like \fBcreate\-key\fR, but immediately deploys -the new private key and self\-signed server certificate. -Obsolete keys and certificates may be removed by hand. Files -created with "\fBpostfix tls\fR" commands are named -key\-\fIyyyymmdd\-hhmmss\fR.pem and cert\-\fIyyyymmdd\-hhmmss\fR.pem, -where \fIyyyymmdd\fR is the calendar date and \fIhhmmss\fR -is the time of day. -.IP "\fBreplace\-cert\fR" -This is like \fBreplace\-key\fR, but copies any currently -deployed private key if one exists, and immediately deploys -the key and the new self\-signed server certificate. This -is safe with DANE TLSA "3 1 1" records. As noted before, -replacement of just the certificate is rarely needed. -.IP "\fBgen\-csr [\fIhostname\fB] [\fIkeyfile\fB]\fR" -Write to stdout a certificate signing request (CSR) for the -specified \fIhostname\fR (by default, the value of the -\fBmyhostname\fR main.cf parameter) and private key file -\fIkeyfile\fR (by default, the value of the -\fBsmtpd_tls_key_file\fR main.cf parameter). -.IP "\fBgen\-tlsa [\fIhostname\fB] [\fIkeyfile\fB]\fR" -Write to stdout a DANE TLSA record suitable for a port 25 -SMTP server on host \fIhostname\fR (default: the value of -the \fBmyhostname\fR main.cf parameter) with private key -file \fIkeyfile\fR (default: the value of the -\fBsmtpd_tls_key_file\fR main.cf parameter). .SH "ENVIRONMENT" .na .nf 
@@ -261,6 +181,10 @@ The location of Postfix dynamically\-linked libraries plugins (postfix\-*.so) that have a relative pathname in the dynamicmaps.cf file. .PP +Available in Postfix version 3.1 and later: +.IP "\fBopenssl_path (openssl)\fR" +The location of the OpenSSL command line program \fBopenssl\fR(1). +.PP Other configuration parameters: .IP "\fBimport_environment (see 'postconf -d' output)\fR" The list of environment parameters that a Postfix process will @@ -319,6 +243,7 @@ postalias(1), create/update/query alias database postcat(1), examine Postfix queue file postconf(1), Postfix configuration utility postfix(1), Postfix control program +postfix\-tls(1), Postfix TLS management postkick(1), trigger Postfix daemon postlock(1), Postfix\-compatible locking postlog(1), Postfix\-compatible logging @@ -419,6 +344,11 @@ IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA +Wietse Venema +Google, Inc. +111 8th Avenue +New York, NY 10011, USA + TLS support by: Lutz Jaenicke Brandenburg University of Technology diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 3ed8304f8..1f183cc20 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -2525,7 +2525,7 @@ configuration parameter. See there for details. .PP This feature is available in Postfix 2.8 and later. .SH lmtp_address_verify_target (default: rcpt) -The LMTP\-specific version of the smtp_dns_support_level +The LMTP\-specific version of the smtp_address_verify_target configuration parameter. See there for details. .PP This feature is available in Postfix 3.0 and later. diff --git a/postfix/man/man8/cleanup.8 b/postfix/man/man8/cleanup.8 index f59a0da12..18d32beaf 100644 --- a/postfix/man/man8/cleanup.8 +++ b/postfix/man/man8/cleanup.8 @@ -461,3 +461,8 @@ Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA + +Wietse Venema +Google, Inc. +111 8th Avenue +New York, NY 10011, USA 
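Review bot: the makedefs probe `test -r /dev/urandom && CCARGS="$CCARGS -DHAS_DEV_URANDOM"` decides on the build host, not on the target, so a package built in a chroot or container that lacks device nodes is silently compiled without HAS_DEV_URANDOM, and a cross-build on a host that has /dev/urandom enables it for a target that may not. A comment on that line saying the probe can be overridden by passing CCARGS with or without -DHAS_DEV_URANDOM, plus a matching sentence in the INSTALL build notes, would save packagers a surprise.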
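Review bot: in the new man1/postfix-tls.1 rule in man/Makefile.in, `(cmp -s junk $? || mv junk $?)` rewrites ../conf/postfix-tls-script in place whenever fixman changes it, exactly as the neighbouring rules do for .c sources; the difference is that this prerequisite is a shell script, and `mv junk $?` replaces it with a file created by shell redirection, so any execute bit on the script is dropped. Either confirm the script is only ever run through the shell (so its mode is irrelevant) or preserve the mode, for example with `cat junk >$?` in place of the `mv`.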
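Review bot: two points on the new -T mode text in postconf.1 (and in the src/postconf/postconf.c comment block it is generated from): "one per-line" should read "one per line"; and "If Postfix is compiled without TLS support, the -T option produces no output" should also state the exit status, because a caller of `postconf -T public-key-algorithms` otherwise cannot tell a build without TLS from a build whose algorithm list is empty.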
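Review bot: in postfix-tls.1 the sentence under new-server-key, "Overwrite and deploy the file with the original self-signed certificate that was generated together with the key", is ambiguous about which file overwrites which; suggest "Overwrite the file holding the original self-signed certificate (the one generated together with the key) with the CA-issued chain, then deploy it with deploy-server-cert". Two smaller documentation gaps on the same page: deploy-server-cert says the keyfile and certfile names are relative to the configuration directory but says nothing about the private key file needing to be owned by root and not group- or world-readable, which is worth stating next to the deployment step; and SEE ALSO lists only master(8) and postfix(1) although the text sends the reader to `postconf -T public-key-algorithms` and to openssl(1), so postconf(1) and openssl(1) belong there too.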
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 5e4b86a56..0057c5478 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -1139,6 +1139,11 @@ IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA +Wietse Venema +Google, Inc. +111 8th Avenue +New York, NY 10011, USA + SASL support originally by: Till Franke SuSE Rhein/Main AG diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 9b5bfcd22..a29d0169a 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -361,6 +361,7 @@ while (<>) { s;\bnewaliases_path\b;$&;g; s;\bnon_fqdn_reject_code\b;$&;g; s;\bnotify_classes\b;$&;g; + s;\bopenssl_path\b;$&;g; s;\bowner_request_special\b;$&;g; s;\bpar[-]*\n* *[]*ent_domain_matches_subdomains\b;$&;g; s;\bpermit_mx_backup_networks\b;$&;g; @@ -815,6 +816,7 @@ while (<>) { s/[]*post[-<\/bB>]*\n*[ ]*conf[<\/bB>]*\(1\)/$&<\/a>/g; s/[]*postdrop[<\/bB>]*\(1\)/$&<\/a>/g; s/[]*post[-<\/bB>]*\n* *[]*fix[<\/bB>]*\(1\)/$&<\/a>/g; + s/[]*post[-<\/bB>]*\n* *[]*fix-tls[<\/bB>]*\(1\)/$&<\/a>/g; s/[]*postkick[<\/bB>]*\(1\)/$&<\/a>/g; s/[]*postlock[<\/bB>]*\(1\)/$&<\/a>/g; s/[]*postlog[<\/bB>]*\(1\)/$&<\/a>/g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 238d70336..9d10b4788 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -15571,7 +15571,7 @@ SMTP/LMTP servers.

    %PARAM lmtp_address_verify_target rcpt -

    The LMTP-specific version of the smtp_dns_support_level +

    The LMTP-specific version of the smtp_address_verify_target configuration parameter. See there for details.

    This feature is available in Postfix 3.0 and later.
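Review bot: correct fix; the old wording was left over from a copy of the smtp_dns_support_level text and described the wrong parameter. The generated man/man5/postconf.5 receives the same one-line change earlier in this commit, so also check that html/postconf.5.html, which is generated from this proto as well, is regenerated in the same commit.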

    diff --git a/postfix/src/cleanup/cleanup.c b/postfix/src/cleanup/cleanup.c index ffd448bf2..59b29eb97 100644 --- a/postfix/src/cleanup/cleanup.c +++ b/postfix/src/cleanup/cleanup.c @@ -419,6 +419,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/cleanup/cleanup_init.c b/postfix/src/cleanup/cleanup_init.c index 5bae3587b..20e14676c 100644 --- a/postfix/src/cleanup/cleanup_init.c +++ b/postfix/src/cleanup/cleanup_init.c @@ -71,6 +71,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c index fb371222e..b7a279e97 100644 --- a/postfix/src/cleanup/cleanup_milter.c +++ b/postfix/src/cleanup/cleanup_milter.c @@ -72,6 +72,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/dns/dns_strrecord.c b/postfix/src/dns/dns_strrecord.c index 370850917..6b8e9893e 100644 --- a/postfix/src/dns/dns_strrecord.c +++ b/postfix/src/dns/dns_strrecord.c @@ -24,6 +24,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/dns/test_dns_lookup.c b/postfix/src/dns/test_dns_lookup.c index e927eda24..ee5863bda 100644 --- a/postfix/src/dns/test_dns_lookup.c +++ b/postfix/src/dns/test_dns_lookup.c 
@@ -19,6 +19,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/global/conv_time.c b/postfix/src/global/conv_time.c index 313ac1fdd..78a40b565 100644 --- a/postfix/src/global/conv_time.c +++ b/postfix/src/global/conv_time.c @@ -35,6 +35,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/global/mail_conf_time.c b/postfix/src/global/mail_conf_time.c index 0d9118a36..7829c8929 100644 --- a/postfix/src/global/mail_conf_time.c +++ b/postfix/src/global/mail_conf_time.c @@ -78,6 +78,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ef709a4ba..542d39985 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20160117" +#define MAIL_RELEASE_DATE "20160206" #define MAIL_VERSION_NUMBER "3.1" #ifdef SNAPSHOT diff --git a/postfix/src/global/smtp_reply_footer.c b/postfix/src/global/smtp_reply_footer.c index ee3f3bf85..ad41a7793 100644 --- a/postfix/src/global/smtp_reply_footer.c +++ b/postfix/src/global/smtp_reply_footer.c 
@@ -233,7 +233,7 @@ struct test_case { #define BAD_SMTP (-1) #define BAD_MACRO (-2) -static struct test_case test_cases[] = { +static const struct test_case test_cases[] = { {"missing reply", "", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0}, {"long smtp_code", "1234 foo", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0}, {"short smtp_code", "12 foo", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0}, diff --git a/postfix/src/milter/milter.c b/postfix/src/milter/milter.c index 969feef35..64836d463 100644 --- a/postfix/src/milter/milter.c +++ b/postfix/src/milter/milter.c @@ -230,6 +230,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/milter/milter.h b/postfix/src/milter/milter.h index 9ef5d35cb..9ce7f40ae 100644 --- a/postfix/src/milter/milter.h +++ b/postfix/src/milter/milter.h @@ -209,6 +209,11 @@ extern void milter_free(MILTERS *); /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ #endif diff --git a/postfix/src/postconf/Makefile.in b/postfix/src/postconf/Makefile.in index 27905a62d..8bf5a195a 100644 --- a/postfix/src/postconf/Makefile.in +++ b/postfix/src/postconf/Makefile.in @@ -22,6 +22,8 @@ PROG = postconf SAMPLES = ../../conf/main.cf.default INC_DIR = ../../include LIBS = ../../lib/libxsasl.a \ + ../../lib/lib$(LIB_PREFIX)tls$(LIB_SUFFIX) \ + ../../lib/lib$(LIB_PREFIX)dns$(LIB_SUFFIX) \ ../../lib/lib$(LIB_PREFIX)global$(LIB_SUFFIX) \ ../../lib/lib$(LIB_PREFIX)util$(LIB_SUFFIX) 
@@ -1095,11 +1097,16 @@ postconf_node.o: postconf_node.c postconf_other.o: ../../include/argv.h postconf_other.o: ../../include/check_arg.h postconf_other.o: ../../include/dict.h +postconf_other.o: ../../include/dns.h postconf_other.o: ../../include/htable.h postconf_other.o: ../../include/mbox_conf.h +postconf_other.o: ../../include/myaddrinfo.h postconf_other.o: ../../include/myflock.h postconf_other.o: ../../include/name_code.h +postconf_other.o: ../../include/name_mask.h +postconf_other.o: ../../include/sock_addr.h postconf_other.o: ../../include/sys_defs.h +postconf_other.o: ../../include/tls.h postconf_other.o: ../../include/vbuf.h postconf_other.o: ../../include/vstream.h postconf_other.o: ../../include/vstring.h diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c index 5fccb20db..36a8dae46 100644 --- a/postfix/src/postconf/postconf.c +++ b/postfix/src/postconf/postconf.c @@ -60,6 +60,10 @@ /* \fBpostconf\fR \fB-t\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] /* [\fItemplate_file\fR] /* +/* \fBManaging TLS features:\fR +/* +/* \fBpostconf\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-T \fImode\fR +/* /* \fBManaging other configuration:\fR /* /* \fBpostconf\fR \fB-a\fR|\fB-A\fR|\fB-l\fR|\fB-m\fR [\fB-v\fR] 
@@ -411,6 +415,25 @@ /* line (in shell language: ""). /* /* This feature is available with Postfix 2.3 and later. +/* .IP "\fB-T \fImode\fB" +/* If Postfix is compiled without TLS support, the \fB-T\fR option +/* produces no output. Otherwise, if an invalid \fImode\fR is specified, +/* the \fB-T\fR option reports an error and exits with a non-zero status +/* code. The valid modes are: +/* .RS +/* .IP \fBcompile-version\fR +/* Output the OpenSSL version that Postfix was compiled with +/* (i.e. the OpenSSL version in a header file). The output +/* format is the same as with the command "\fBopenssl version\fR". +/* .IP \fBrun-version\fR +/* Output the OpenSSL version that Postfix is linked with at +/* runtime (i.e. the OpenSSL version in a shared library). +/* .IP \fBpublic-key-algorithms\fR +/* Output the lower-case names of the supported public-key +/* algorithms, one per-line. +/* .RE +/* .IP +/* This feature is available with Postfix 3.1 and later. /* .IP \fB-v\fR /* Enable verbose logging for debugging purposes. Multiple /* \fB-v\fR options make the software increasingly verbose. @@ -574,7 +597,7 @@ static const int pcf_incompat_options[] = { /* Major modes. */ PCF_SHOW_SASL_SERV | PCF_SHOW_SASL_CLNT | PCF_EXP_DSN_TEMPL \ |PCF_SHOW_LOCKS | PCF_SHOW_MAPS | PCF_DUMP_DSN_TEMPL | PCF_MAIN_PARAM \ - |PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM, + |PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM | PCF_SHOW_TLS, /* Modifiers. */ PCF_SHOW_DEFS | PCF_EDIT_CONF | PCF_SHOW_NONDEF | PCF_COMMENT_OUT \ |PCF_EDIT_EXCL, @@ -599,6 +622,7 @@ static const int pcf_compat_options[][2] = { {PCF_EXP_DSN_TEMPL, 0}, {PCF_SHOW_LOCKS, 0}, {PCF_SHOW_MAPS, 0,}, + {PCF_SHOW_TLS, 0,}, {PCF_DUMP_DSN_TEMPL, 0}, {PCF_MAIN_PARAM, (PCF_EDIT_CONF | PCF_EDIT_EXCL | PCF_COMMENT_OUT \ |PCF_FOLD_LINE | PCF_HIDE_NAME | PCF_PARAM_CLASS \ 
@@ -638,6 +662,7 @@ static const NAME_MASK pcf_compat_names[] = { "-p", PCF_MAIN_PARAM, "-P", PCF_MASTER_PARAM, "-t", PCF_DUMP_DSN_TEMPL, + "-T", PCF_SHOW_TLS, "-x", PCF_SHOW_EVAL, "-X", PCF_EDIT_EXCL, "-#", PCF_COMMENT_OUT, @@ -668,6 +693,7 @@ static void usage(const char *progname) " [-p (main.cf, default)]" " [-P (master.cf parameters)]" " [-t (bounce templates)]" + " [-T compile-version|run-version|public-key-algorithms]" " [-v (verbose)]" " [-x (expand parameter values)]" " [-X (exclude)]" @@ -734,6 +760,7 @@ int main(int argc, char **argv) 0, }; ARGV *override_params = 0; + const char *pcf_tls_arg = 0; /* * Fingerprint executables and core dumps. @@ -763,7 +790,7 @@ int main(int argc, char **argv) /* * Parse JCL. */ - while ((ch = GETOPT(argc, argv, "aAbc:C:deEfFhHlmMno:pPtvxX#")) > 0) { + while ((ch = GETOPT(argc, argv, "aAbc:C:deEfFhHlmMno:pPtT:vxX#")) > 0) { switch (ch) { case 'a': pcf_cmd_mode |= PCF_SHOW_SASL_SERV; @@ -838,6 +865,12 @@ int main(int argc, char **argv) ext_argv = argv_alloc(2); argv_add(ext_argv, "bounce", "-SVndump_templates", (char *) 0); break; + case 'T': + if (pcf_cmd_mode & PCF_SHOW_TLS) + msg_fatal("At most one -T option may be specified"); + pcf_cmd_mode |= PCF_SHOW_TLS; + pcf_tls_arg = optarg; + break; case 'x': pcf_cmd_mode |= PCF_SHOW_EVAL; break; @@ -943,6 +976,13 @@ int main(int argc, char **argv) pcf_show_sasl(PCF_SHOW_SASL_CLNT); } + /* + * Show TLS info and exit. + */ + else if (pcf_cmd_mode & PCF_SHOW_TLS) { + pcf_show_tls(pcf_tls_arg); + } + /* * Edit main.cf or master.cf. */ diff --git a/postfix/src/postconf/postconf.h b/postfix/src/postconf/postconf.h index 06b53d1a8..124c6bdfd 100644 --- a/postfix/src/postconf/postconf.h +++ b/postfix/src/postconf/postconf.h 
@@ -45,6 +45,7 @@ #define PCF_DUMP_DSN_TEMPL (1<<18) /* show bounce templates */ #define PCF_MASTER_PARAM (1<<19) /* manage master.cf -o name=value */ #define PCF_HIDE_VALUE (1<<20) /* hide main.cf/master.cf =value */ +#define PCF_SHOW_TLS (1<<21) /* TLS support introspection */ #define PCF_DEF_MODE 0 @@ -303,6 +304,7 @@ extern void pcf_flag_unused_master_parameters(void); extern void pcf_show_maps(void); extern void pcf_show_locks(void); extern void pcf_show_sasl(int); +extern void pcf_show_tls(const char *); /* LICENSE /* .ad diff --git a/postfix/src/postconf/postconf_other.c b/postfix/src/postconf/postconf_other.c index e93dfabbe..0c4c0c452 100644 --- a/postfix/src/postconf/postconf_other.c +++ b/postfix/src/postconf/postconf_other.c @@ -12,6 +12,9 @@ /* /* void pcf_show_sasl(mode) /* int mode; +/* +/* void pcf_show_tls(what) +/* const char *what; /* DESCRIPTION /* pcf_show_maps() lists the available map (lookup table) /* types. @@ -21,10 +24,16 @@ /* pcf_show_sasl() shows the available SASL authentication /* plugin types. /* +/* pcf_show_tls() reports the "compile-version" or "run-version" +/* of the TLS library, or the supported public-key algorithms. +/* /* Arguments: /* .IP mode /* Show server information if the PCF_SHOW_SASL_SERV flag is /* set, otherwise show client information. +/* .IP what +/* One of the literals "compile-version", "run-version" or +/* "public-key-algorithms". /* DIAGNOSTICS /* Problems are reported to the standard error stream. /* LICENSE @@ -36,6 +45,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ @@ -47,6 +61,7 @@ #include #include #include +#include /* Global library. */ @@ -56,6 +71,10 @@ #include +/* TLS library. */ + +#include + /* Application-specific. */ #include 
@@ -99,3 +118,24 @@ void pcf_show_sasl(int what) vstream_printf("%s\n", sasl_argv->argv[i]); argv_free(sasl_argv); } + +/* pcf_show_tls - show TLS support */ + +void pcf_show_tls(const char *what) +{ +#ifdef USE_TLS + if (strcmp(what, "compile-version") == 0) + vstream_printf("%s\n", tls_compile_version()); + else if (strcmp(what, "run-version") == 0) + vstream_printf("%s\n", tls_run_version()); + else if (strcmp(what, "public-key-algorithms") == 0) { + const char **cpp; + + for (cpp = tls_pkey_algorithms(); *cpp; cpp++) + vstream_printf("%s\n", *cpp); + } else { + msg_warn("unknown 'postconf -T' mode: %s", what); + exit(1); + } +#endif /* USE_TLS */ +} diff --git a/postfix/src/postfix/postfix.c b/postfix/src/postfix/postfix.c index e4b524369..d4bcbc409 100644 --- a/postfix/src/postfix/postfix.c +++ b/postfix/src/postfix/postfix.c @@ -54,7 +54,7 @@ /* earliest convenience. /* .IP \fBstatus\fR /* Indicate if the Postfix mail system is currently running. -/* .IP "\fBset-permissions\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR +/* .IP "\fBset-permissions\fR [\fIname\fR=\fIvalue ...\fR] /* Set the ownership and permissions of Postfix related files and /* directories, as specified in the \fBpostfix-files\fR file. /* .sp 
@@ -66,13 +66,13 @@ /* This feature is available in Postfix 2.1 and later. With /* Postfix 2.0 and earlier, use "\fB$config_directory/post-install /* set-permissions\fR". -/* .IP "\fBtls\fR \fIsubcommand...\fB\fR -/* Enable opportunistic TLS in the Postfix SMTP client or server, -/* or generate or replace Postfix SMTP server TLS private keys -/* and certificates. See the section "TLS SUBCOMMANDS" below. +/* .IP "\fBtls\fR \fIsubcommand\fB ...\fR +/* Enable opportunistic TLS in the Postfix SMTP client or +/* server, and manage Postfix SMTP server TLS private keys and +/* certificates. See postfix-tls(1) for documentation. /* .sp /* This feature is available in Postfix 3.1 and later. -/* .IP "\fBupgrade-configuration\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR +/* .IP "\fBupgrade-configuration\fR [\fIname\fR=\fIvalue ...\fR] /* Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information /* that Postfix needs in order to run: add or update services, and add /* or update configuration parameter settings. 
@@ -101,84 +101,6 @@ /* .IP \fB-v\fR /* Enable verbose logging for debugging purposes. Multiple \fB-v\fR /* options make the software increasingly verbose. -/* TLS SUBCOMMANDS -/* .ad -/* .fi -/* The "\fBpostfix tls \fIsubcommand...\fR" feature implements the -/* following subcommands: -/* .IP "\fBenable-client\fR" -/* Enable opportunistic TLS in the Postfix SMTP client, if all SMTP -/* client TLS settings are at their default values. Otherwise, -/* suggest parameter settings without making any changes. -/* .IP "\fBenable-server\fR" -/* Create a new private key and self-signed server certificate. -/* Enable opportunistic TLS in the Postfix SMTP server, if all -/* SMTP server TLS settings are at their default values. Otherwise, -/* suggest parameter settings without making any changes. -/* .IP "\fBcreate-key\fR" -/* Create a new 2048-bit RSA private key and self-signed server -/* certificate, but do not deploy them. Log and display suggested -/* main.cf settings to deploy the new key and certificate in -/* the Postfix SMTP server. -/* .sp -/* Before deploying the new key and certificate with DANE, use the -/* command "\fBpostfix tls gen-tlsa \fIhostname keyfile\fR" -/* to write recommended TLSA records to stdout. -/* Update the DNS with new DANE TLSA records, then wait for -/* secondary nameservers to update, and wait for stale records in -/* remote DNS caches to expire. -/* .sp -/* Before deploying the new key and certificate with PKI in -/* the Postfix SMTP server, use the command "\fBpostfix tls -/* gen-csr\fR" to obtain a certificate signing request (CSR) -/* for the new key, and replace the self-signed certificate -/* with a CA-issued one before deployment. -/* .IP -/* After taking zero or more of the above step(s), deploy the -/* new key and certificate using the suggested main.cf settings -/* mentioned above. 
-/* .IP "\fBcreate-cert\fR" -/* This is just like \fBcreate-key\fR except that, rather than -/* generating a new private key, any currently deployed private -/* key is copied to the new key file. Thus if you're publishing -/* DANE TLSA "3 1 1" records, there is no need to update DNS records. -/* .sp -/* This command is rarely needed, because the certificates generated -/* have a 100-year nominal expiration time. The RSA algorithm may -/* well be obsoleted by quantum computers long -/* before then. -/* .sp -/* The most plausible reason for using this command is when -/* system hostname changes, and you'd like the name in the -/* certificate to match the new hostname (not required for -/* DANE "3 1 1", but some needlessly picky non-DANE opportunistic -/* TLS clients may log warnings or even refuse to communicate). -/* .IP "\fBreplace-key\fR" -/* This is like \fBcreate-key\fR, but immediately deploys -/* the new private key and self-signed server certificate. -/* Obsolete keys and certificates may be removed by hand. Files -/* created with "\fBpostfix tls\fR" commands are named -/* key-\fIyyyymmdd-hhmmss\fR.pem and cert-\fIyyyymmdd-hhmmss\fR.pem, -/* where \fIyyyymmdd\fR is the calendar date and \fIhhmmss\fR -/* is the time of day. -/* .IP "\fBreplace-cert\fR" -/* This is like \fBreplace-key\fR, but copies any currently -/* deployed private key if one exists, and immediately deploys -/* the key and the new self-signed server certificate. This -/* is safe with DANE TLSA "3 1 1" records. As noted before, -/* replacement of just the certificate is rarely needed. -/* .IP "\fBgen-csr [\fIhostname\fB] [\fIkeyfile\fB]\fR" -/* Write to stdout a certificate signing request (CSR) for the -/* specified \fIhostname\fR (by default, the value of the -/* \fBmyhostname\fR main.cf parameter) and private key file -/* \fIkeyfile\fR (by default, the value of the -/* \fBsmtpd_tls_key_file\fR main.cf parameter). 
-/* .IP "\fBgen-tlsa [\fIhostname\fB] [\fIkeyfile\fB]\fR" -/* Write to stdout a DANE TLSA record suitable for a port 25 -/* SMTP server on host \fIhostname\fR (default: the value of -/* the \fBmyhostname\fR main.cf parameter) with private key -/* file \fIkeyfile\fR (default: the value of the -/* \fBsmtpd_tls_key_file\fR main.cf parameter). /* ENVIRONMENT /* .ad /* .fi @@ -249,6 +171,10 @@ /* plugins (postfix-*.so) that have a relative pathname in the /* dynamicmaps.cf file. /* .PP +/* Available in Postfix version 3.1 and later: +/* .IP "\fBopenssl_path (openssl)\fR" +/* The location of the OpenSSL command line program \fBopenssl\fR(1). +/* .PP /* Other configuration parameters: /* .IP "\fBimport_environment (see 'postconf -d' output)\fR" /* The list of environment parameters that a Postfix process will @@ -303,6 +229,7 @@ /* postcat(1), examine Postfix queue file /* postconf(1), Postfix configuration utility /* postfix(1), Postfix control program +/* postfix-tls(1), Postfix TLS management /* postkick(1), trigger Postfix daemon /* postlock(1), Postfix-compatible locking /* postlog(1), Postfix-compatible logging @@ -397,6 +324,11 @@ /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA /* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA +/* /* TLS support by: /* Lutz Jaenicke /* Brandenburg University of Technology diff --git a/postfix/src/postscreen/postscreen.h b/postfix/src/postscreen/postscreen.h index ceb2a2571..2e4585b5c 100644 --- a/postfix/src/postscreen/postscreen.h +++ b/postfix/src/postscreen/postscreen.h @@ -582,4 +582,9 @@ extern void psc_endpt_lookup(VSTREAM *, PSC_ENDPT_LOOKUP_FN); /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ diff --git a/postfix/src/postscreen/postscreen_early.c b/postfix/src/postscreen/postscreen_early.c index c4e1a80d7..36c3d5cd6 100644 
--- a/postfix/src/postscreen/postscreen_early.c +++ b/postfix/src/postscreen/postscreen_early.c @@ -25,6 +25,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index e19a586bf..c34ab633a 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -1073,6 +1073,11 @@ /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA /* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA +/* /* SASL support originally by: /* Till Franke /* SuSE Rhein/Main AG diff --git a/postfix/src/smtpd/smtpd_milter.c b/postfix/src/smtpd/smtpd_milter.c index bd0fb2c13..5e421e9ca 100644 --- a/postfix/src/smtpd/smtpd_milter.c +++ b/postfix/src/smtpd/smtpd_milter.c @@ -25,6 +25,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/smtpd/smtpd_sasl_glue.c b/postfix/src/smtpd/smtpd_sasl_glue.c index b536e82c6..3dcd18fe6 100644 --- a/postfix/src/smtpd/smtpd_sasl_glue.c +++ b/postfix/src/smtpd/smtpd_sasl_glue.c @@ -115,6 +115,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 17c461386..346f4e850 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h 
@@ -89,11 +89,10 @@ extern const char *str_tls_level(int); #endif /* Backwards compatibility with OpenSSL < 1.1.0 */ -#ifdef SSLEAY_VERSION_NUMBER -#define OpenSSL_version_num SSLeay -#endif - #if OPENSSL_VERSION_NUMBER < 0x10100000L +#define OpenSSL_version_num SSLeay +#define OpenSSL_version SSLeay_version +#define OPENSSL_VERSION SSLEAY_VERSION #define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) #endif @@ -308,7 +307,6 @@ extern void tls_free_app_context(TLS_APPL_STATE *); /* * tls_misc.c */ - extern void tls_param_init(void); /* @@ -535,6 +533,13 @@ extern TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *); */ extern void tls_session_stop(TLS_APPL_STATE *, VSTREAM *, int, int, TLS_SESS_STATE *); + /* + * tls_misc.c + */ +extern const char *tls_compile_version(void); +extern const char *tls_run_version(void); +extern const char **tls_pkey_algorithms(void); + #ifdef TLS_INTERNAL #include diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 6cb39559d..24a4fc558 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -364,6 +364,11 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) return (0); } +#ifdef SSL_SECOP_PEER + /* Backwards compatible security as a base for opportunistic TLS. */ + SSL_CTX_set_security_level(client_ctx, 0); +#endif + /* * See the verify callback in tls_verify.c */ @@ -946,6 +951,12 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) if (protomask != 0) SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask)); +#ifdef SSL_SECOP_PEER + /* When authenticating the peer, use 80-bit plus OpenSSL security level */ + if (TLS_MUST_MATCH(props->tls_level)) + SSL_set_security_level(TLScontext->con, 1); +#endif + /* * XXX To avoid memory leaks we must always call SSL_SESSION_free() after * calling SSL_set_session(), regardless of whether or not the session 
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index 3c7ad5db9..0407b3c79 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c @@ -82,10 +82,16 @@ /* /* void tls_update_app_logmask(app_ctx, log_mask) /* TLS_APPL_STATE *app_ctx; -/* int log_mask; +/* int log_mask; /* /* int tls_validate_digest(dgst) /* const char *dgst; +/* +/* const char *tls_compile_version(void) +/* +/* const char *tls_run_version(void) +/* +/* const char **tls_pkey_algorithms(void) /* DESCRIPTION /* This module implements routines that support the TLS client /* and server internals. @@ -156,6 +162,16 @@ /* /* tls_validate_digest() returns non-zero if the named digest /* is usable and zero otherwise. +/* +/* tls_compile_version() returns a text string description of +/* the compile-time TLS library. +/* +/* tls_run_version() is just tls_compile_version() but with the runtime +/* version instead of the compile-time version. +/* +/* tls_pkey_algorithms() returns a pointer to null-terminated +/* array of string constants with the names of the supported +/* public-key algorithms. /* LICENSE /* .ad /* .fi @@ -870,7 +886,7 @@ void tls_free_context(TLS_SESS_STATE *TLScontext) /* tls_version_split - Split OpenSSL version number into major, minor, ... */ -static void tls_version_split(long version, TLS_VINFO *info) +static void tls_version_split(unsigned long version, TLS_VINFO *info) { /* 
@@ -954,6 +970,43 @@ void tls_check_version(void) hdr_info.major, hdr_info.minor, hdr_info.micro); } +/* tls_compile_version - compile-time OpenSSL version */ + +const char *tls_compile_version(void) +{ + return (OPENSSL_VERSION_TEXT); +} + +/* tls_run_version - run-time version "major.minor.micro" */ + +const char *tls_run_version(void) +{ + return (OpenSSL_version(OPENSSL_VERSION)); +} + +const char **tls_pkey_algorithms(void) +{ + + /* + * Return an array, not string, so that the result can be inspected + * without parsing. Sort the result alphabetically, not chronologically. + */ + static const char *algs[] = { +#ifndef OPENSSL_NO_DSA + "dsa", +#endif +#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_ECDSA) + "ecdsa", +#endif +#ifndef OPENSSL_NO_RSA + "rsa", +#endif + 0, + }; + + return (algs); +} + /* tls_bug_bits - SSL bug compatibility bits for this OpenSSL version */ long tls_bug_bits(void) diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index 0a78ae653..44146bbbc 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c @@ -446,6 +446,11 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) return (0); } +#ifdef SSL_SECOP_PEER + /* Backwards compatible security as a base for opportunistic TLS. */ + SSL_CTX_set_security_level(server_ctx, 0); +#endif + /* * See the verify callback in tls_verify.c */ @@ -754,6 +759,12 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props) return (0); } +#ifdef SSL_SECOP_PEER + /* When authenticating the peer, use 80-bit plus OpenSSL security level */ + if (props->requirecert) + SSL_set_security_level(TLScontext->con, 1); +#endif + /* * Before really starting anything, try to seed the PRNG a little bit * more. 
@@ -883,6 +894,22 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext) TLScontext->peer_pkey_fprint); } X509_free(peer); + + /* + * Give them a clue. Problems with trust chain verification are logged + * when the session is first negotiated, before the session is stored + * into the cache. We don't want mystery failures, so log the fact the + * real problem is to be found in the past. + */ + if (!TLS_CERT_IS_TRUSTED(TLScontext) + && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) { + if (TLScontext->session_reused == 0) + tls_log_verify_error(TLScontext); + else + msg_info("%s: re-using session with untrusted certificate, " + "look for details earlier in the log", + TLScontext->namaddr); + } } else { TLScontext->peer_CN = mystrdup(""); TLScontext->issuer_CN = mystrdup(""); diff --git a/postfix/src/trivial-rewrite/resolve.c b/postfix/src/trivial-rewrite/resolve.c index 2c65c2caf..70c3fdcaa 100644 --- a/postfix/src/trivial-rewrite/resolve.c +++ b/postfix/src/trivial-rewrite/resolve.c @@ -44,6 +44,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/util/attr_print0.c b/postfix/src/util/attr_print0.c index a916bca7b..27fb7beac 100644 --- a/postfix/src/util/attr_print0.c +++ b/postfix/src/util/attr_print0.c @@ -80,6 +80,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/util/attr_print64.c b/postfix/src/util/attr_print64.c index fc3442ec9..b2181d740 100644 --- a/postfix/src/util/attr_print64.c +++ b/postfix/src/util/attr_print64.c 
@@ -80,6 +80,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/util/attr_print_plain.c b/postfix/src/util/attr_print_plain.c index 12cde7235..fef0def3d 100644 --- a/postfix/src/util/attr_print_plain.c +++ b/postfix/src/util/attr_print_plain.c @@ -80,6 +80,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/util/mac_expand.h b/postfix/src/util/mac_expand.h index 5efc3965b..f65e63cc6 100644 --- a/postfix/src/util/mac_expand.h +++ b/postfix/src/util/mac_expand.h @@ -8,8 +8,8 @@ /* expand macro references in string /* SYNOPSIS /* #include - DESCRIPTION - .nf +/* DESCRIPTION +/* .nf /* * Utility library. diff --git a/postfix/src/util/mac_parse.h b/postfix/src/util/mac_parse.h index e016ea792..2d7b4ad48 100644 --- a/postfix/src/util/mac_parse.h +++ b/postfix/src/util/mac_parse.h @@ -8,8 +8,8 @@ /* locate macro references in string /* SYNOPSIS /* #include - DESCRIPTION - .nf +/* DESCRIPTION +/* .nf /* * Utility library. diff --git a/postfix/src/util/scan_dir.c b/postfix/src/util/scan_dir.c index 432c9f4f6..d94c67469 100644 --- a/postfix/src/util/scan_dir.c +++ b/postfix/src/util/scan_dir.c @@ -58,6 +58,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/util/strcasecmp_utf8.c b/postfix/src/util/strcasecmp_utf8.c index 07e576a55..e3f20dfb4 100644 --- a/postfix/src/util/strcasecmp_utf8.c +++ b/postfix/src/util/strcasecmp_utf8.c 
@@ -59,6 +59,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h index ff8180caf..a33fa94fe 100644 --- a/postfix/src/util/sys_defs.h +++ b/postfix/src/util/sys_defs.h @@ -1375,6 +1375,14 @@ extern int inet_pton(int, const char *, void *); */ #ifndef NO_WATCHDOG_PIPE #define USE_WATCHDOG_PIPE +#endif + + /* + * If we don't have defined a preferred random device above, but the system + * has /dev/urandom, then we use that. + */ +#if !defined(PREFERRED_RAND_SOURCE) && defined(HAS_DEV_URANDOM) +#define PREFERRED_RAND_SOURCE "dev:/dev/urandom" #endif /* diff --git a/postfix/src/xsasl/xsasl.h b/postfix/src/xsasl/xsasl.h index ead9a9b3e..976a676ae 100644 --- a/postfix/src/xsasl/xsasl.h +++ b/postfix/src/xsasl/xsasl.h @@ -132,6 +132,11 @@ extern ARGV *xsasl_client_types(void); /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ #endif diff --git a/postfix/src/xsasl/xsasl_cyrus_server.c b/postfix/src/xsasl/xsasl_cyrus_server.c index 4d61b457c..95c470d32 100644 --- a/postfix/src/xsasl/xsasl_cyrus_server.c +++ b/postfix/src/xsasl/xsasl_cyrus_server.c @@ -47,6 +47,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */ diff --git a/postfix/src/xsasl/xsasl_dovecot_server.c b/postfix/src/xsasl/xsasl_dovecot_server.c index 643c84349..226cf11a6 100644 --- a/postfix/src/xsasl/xsasl_dovecot_server.c +++ b/postfix/src/xsasl/xsasl_dovecot_server.c 
@@ -41,6 +41,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System library. */
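Review bot: In the postconf.c manual-page hunk (`@@ -411,6 +415,25 @@`), the `public-key-algorithms` description has a typo: "one per-line" should read "one per line". While there, the sentence "if an invalid mode is specified, the -T option reports an error and exits with a non-zero status code" promises a behaviour that, per the postconf_other.c hunk, only exists in builds with USE_TLS; consider stating explicitly that without TLS support the mode argument is not validated at all.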
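Review bot: In the postconf.c option-parsing hunk (`@@ -838,6 +865,12 @@`), `case 'T'` only stores `optarg` in `pcf_tls_arg`; validation of the mode string is deferred to `pcf_show_tls()`, which in a build without USE_TLS compiles to an empty body, so `postconf -T <typo>` silently exits 0 on such builds. Suggest checking the mode against the three documented literals at parse time, independent of USE_TLS, so the documented error path applies to every build and an operator scripting `postconf -T run-version` notices a typo regardless of how the binary was compiled.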
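Review bot: In the `pcf_compat_options` hunk of postconf.c (`@@ -599,6 +622,7 @@`), the new entry `{PCF_SHOW_TLS, 0,},` copies the stray trailing comma inside the braces from the neighbouring `{PCF_SHOW_MAPS, 0,},` line; the other entries are written `{PCF_SHOW_LOCKS, 0},`. Harmless, but drop the extra comma in the new line rather than propagating the inconsistency.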
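Review bot: In the `pcf_show_tls()` hunk of postconf_other.c (`@@ -99,3 +118,24 @@`), the unknown-mode branch uses `msg_warn("unknown 'postconf -T' mode: %s", what); exit(1);` whereas the `-T` handling added to postconf.c in the same patch uses `msg_fatal("At most one -T option may be specified")`. A single `msg_fatal()` call here would report the error and exit non-zero in one step, match the surrounding code base, and avoid a bare `exit(1)` that bypasses any cleanup `msg_fatal()` performs. Also note that in a build without USE_TLS the `what` parameter is entirely unused, which some compilers flag; if that is intentional, a one-line comment inside the `#else` case would make the documented "produces no output" behaviour visible in the code.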
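Review bot: In the tls.h hunk `@@ -535,6 +533,13 @@`, the three new prototypes `tls_compile_version`, `tls_run_version` and `tls_pkey_algorithms` are placed under a second `/* tls_misc.c */` section heading, while the earlier hunk `@@ -308,7 +307,6 @@` shows an existing `tls_misc.c` section that already holds `tls_param_init`. Suggest moving the new declarations under the existing heading so readers of the header find all tls_misc.c entry points in one place.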
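Review bot: In the tls_client.c hunk `@@ -364,6 +364,11 @@` (and the matching tls_server.c hunk `@@ -446,6 +446,11 @@`), the comment "Backwards compatible security as a base for opportunistic TLS" should say what level 0 actually switches off: OpenSSL's key-size and digest-strength checks for the whole context. A reader of the mandatory-TLS path then understands that the later per-session `SSL_set_security_level(TLScontext->con, 1)` is what restores those checks, and that any session not covered by that raise negotiates without them.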
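Review bot: In the tls_server.c hunk `@@ -754,6 +759,12 @@`, the comment "When authenticating the peer" is broader than the condition `if (props->requirecert)`: a server that only requests a client certificate without requiring one keeps the context-level security level 0 for that session, so a weak client key or digest is accepted there. If that is the intended trade-off for opportunistic client authentication, say so in the comment; otherwise consider raising the level whenever a client certificate is requested, not only when it is required.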
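Review bot: In the tls_misc.c documentation hunk `@@ -156,6 +162,16 @@`, "returns a pointer to null-terminated array of string constants" is missing an article ("a null-terminated array"). The description of `tls_run_version()` as "just tls_compile_version() but with the runtime version" is fine, but it would help callers to state that both return the library's full version text (the same format as `openssl version`), since the postconf(1) manual page in this patch makes that promise.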
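Review bot: In the tls_misc.c code hunk `@@ -954,6 +970,43 @@`, the header comment `/* tls_run_version - run-time version "major.minor.micro" */` does not match the body: `OpenSSL_version(OPENSSL_VERSION)` returns the full version text (the run-time counterpart of `OPENSSL_VERSION_TEXT`), not a bare "major.minor.micro" triple. Fix the comment to match. Also, `tls_pkey_algorithms()` lacks the `/* name - purpose */` header line that `tls_compile_version` and `tls_run_version` carry and that the rest of the file uses.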
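Review bot: In the tls_server.c hunk `@@ -883,6 +894,22 @@`, the `msg_info("%s: re-using session with untrusted certificate, look for details earlier in the log", ...)` message for reused sessions gives the operator only `TLScontext->namaddr` to correlate with the original verification failure, which may already have rotated out of the log. The context lines show `TLScontext->peer_pkey_fprint` is available at this point; including the fingerprint (or the peer CN computed just above) in the message would let an analyst tie the reused session to the earlier failure without depending on log retention.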
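Review bot: In the sys_defs.h hunk `@@ -1375,6 +1375,14 @@`, the new comment "If we don't have defined a preferred random device above, but the system has /dev/urandom, then we use that." is ungrammatical; suggest "If no preferred random device was defined above but the system has /dev/urandom, use that." The conditional itself (`!defined(PREFERRED_RAND_SOURCE) && defined(HAS_DEV_URANDOM)`) correctly lets any platform-specific setting earlier in the file take precedence.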