From: Wietse Venema Date: Wed, 9 Feb 2005 05:00:00 +0000 (-0500) Subject: postfix-2.2-20050209 X-Git-Tag: v2.2.0-RC1~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=340bbfff6bfe70479b8e86936f11cde8756a4afa;p=thirdparty%2Fpostfix.git postfix-2.2-20050209 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 3704a1481..83fe24140 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -10311,8 +10311,30 @@ Apologies for any names omitted. control, based on code by Victor Duchovni. File: smtpd/smtpd_check.c and documentation. - Sanity check: don't allow unlimited message size with - limited mailbox size. File: local/local.c, virtual/virtual.c. + Safety: don't allow unlimited message size with limited + mailbox size. File: local/local.c, virtual/virtual.c. + + Feature: new smtpd policy attributes ccert_subject, + ccert_issuer and ccert_fingerprint, with TLS client + certificate information, but only when verification was + successful. Files: src/smtpd/smtpd_check.c. + + Cleanup: corrected the address verification data flow in + the ADDRESS_VERIFICATION_README illustration. + +20050209 + + Cleanup: the smtp generics mapping did syntax check on the + input address instead of the result. These tests were not + going to be useful in any case, because mail_addr_map() + canonicalizes the lookup result, including @dom1->@dom2 + mapping. File: smtp_map11.c. + + Cleanup: made the generics mapping documentation consistent + with the implementation. + + Cleanup: documented the myorigin/mydomain address rewriting + in canonical, generics and virtual alias maps. Open problems: 
@@ -10322,10 +10344,6 @@ Open problems: Med: disable address rewriting after XCLIENT? Introduce a better concept of original submission? - Med: find out what TLS attributes to export via the policy - servicer hooks: peer CN, issuer CN, peer fingerprint, - verification status. - Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout) to limit the total time spent trying to connect. diff --git a/postfix/README_FILES/ADDRESS_VERIFICATION_README b/postfix/README_FILES/ADDRESS_VERIFICATION_README index c6ff2fee6..5ef9b3758 100644 --- a/postfix/README_FILES/ADDRESS_VERIFICATION_README +++ b/postfix/README_FILES/ADDRESS_VERIFICATION_README @@ -47,18 +47,18 @@ itself, or it could be a remote MTA (SMTP interruptus). Probe messages are like normal mail, except that they are never delivered, deferred or bounced; probe messages are always discarded. - Postfix Postfix Address - Internet -> SMTP <-> verify <-> verification - server server database - - | ^ - probe delivery - messages status - v | - - Postfix Postfix - queue -> delivery - agents + Postfix Postfix Address + Internet -> SMTP <-> verify <-> verification + server server database + + | ^ + probe delivery + messages status + v | + + Postfix Postfix + queue -> delivery + agents With Postfix address verification turned on, normal mail will suffer only a short delay of up to 6 seconds while an address is being verified for the first diff --git a/postfix/README_FILES/SMTPD_POLICY_README b/postfix/README_FILES/SMTPD_POLICY_README index 2b1b4561f..cf60dbad5 100644 --- a/postfix/README_FILES/SMTPD_POLICY_README +++ b/postfix/README_FILES/SMTPD_POLICY_README @@ -52,6 +52,9 @@ a delegated SMTPD access policy request: sasl_method=plain sasl_username=you sasl_sender= + ccert_subject=solaris9.porcupine.org + ccert_issuer=Wietse Venema + ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04 size=12345 [empty line] 
@@ -83,6 +86,9 @@ Notes: Postfix 2.2 and later, it specifies the actual message size when the client sends the END-OF-DATA command. + * The "sasl_*" attributes specify information about how the client was + authenticated via SASL. + The following is specific to SMTPD delegated policy requests: * Protocol names are ESMTP or SMTP. @@ -91,7 +97,9 @@ The following is specific to SMTPD delegated policy requests: VRFY or ETRN; these are the SMTP protocol states where the Postfix SMTP server makes an OK/REJECT/HOLD/etc. decision. - * The SASL attributes are sent only when SASL support is built into Postfix. + * The "ccert_*" attributes specify information from the client TLS + certificate. This information is presented only if the client certificate + was successfully verified. The policy server replies with any action that is allowed in a Postfix SMTPD access(5) table. Example: diff --git a/postfix/README_FILES/STANDARD_CONFIGURATION_README b/postfix/README_FILES/STANDARD_CONFIGURATION_README index 755b939ad..fc4dd6ce8 100644 --- a/postfix/README_FILES/STANDARD_CONFIGURATION_README +++ b/postfix/README_FILES/STANDARD_CONFIGURATION_README @@ -23,7 +23,7 @@ in specific environments. * Delivering some but not all accounts locally * Running Postfix behind a firewall - * Configuring Postfix as MX host for a remote site + * Configuring Postfix as primary or backup MX host for a remote site * Postfix on a dialup machine * Postfix on hosts without a real Internet hostname 
@@ -362,7 +362,7 @@ To find out what lookup tables Postfix supports, use the command "ppoossttc Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ttrraannssppoorrtt" whenever you edit the transport table. -CCoonnffiigguurriinngg PPoossttffiixx aass MMXX hhoosstt ffoorr aa rreemmoottee ssiittee +CCoonnffiigguurriinngg PPoossttffiixx aass pprriimmaarryy oorr bbaacckkuupp MMXX hhoosstt ffoorr aa rreemmoottee ssiittee This section presents additional configuration. You need to combine this with basic configuration information as discussed the first half of this document. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 5804c1feb..6a1e12144 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -7,6 +7,13 @@ snapshot release). Patches are issued for the official release and change the patchlevel and the release date. Patches are never issued for snapshot releases. +Major changes with snapshot Postfix-2.2-20050209 +================================================ + +The policy delegation protocol now supplies TLS client certificate +information after successful verification. The new attribute names +are ccert_subject, ccert_issuer and cccert_fingerprint. + Major changes with snapshot Postfix-2.2-20050208 ================================================ diff --git a/postfix/conf/canonical b/postfix/conf/canonical index d835107cc..ecfd32dc3 100644 --- a/postfix/conf/canonical +++ b/postfix/conf/canonical 
@@ -96,63 +96,69 @@ # Replace other addresses in domain by address. This # form has the lowest precedence. # -# In all the above forms, when address has the form @other- -# domain, the result is the same user in otherdomain. +# RESULT ADDRESS REWRITING +# The lookup result is subject to address rewriting: +# +# o When the result has the form @otherdomain, the +# result becomes the same user in otherdomain. +# +# o The result is rewritten as specified with +# append_at_myorigin or with append_dot_mydomain. # # ADDRESS EXTENSION # When a mail address localpart contains the optional recip- -# ient delimiter (e.g., user+foo@domain), the lookup order +# ient delimiter (e.g., user+foo@domain), the lookup order # becomes: user+foo@domain, user@domain, user+foo, user, and # @domain. # -# The propagate_unmatched_extensions parameter controls -# whether an unmatched address extension (+foo) is propa- +# The propagate_unmatched_extensions parameter controls +# whether an unmatched address extension (+foo) is propa- # gated to the result of table lookup. # # REGULAR EXPRESSION TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # the table is given in the form of regular expressions. For -# a description of regular expression lookup table syntax, +# a description of regular expression lookup table syntax, # see regexp_table(5) or pcre_table(5). # -# Each pattern is a regular expression that is applied to +# Each pattern is a regular expression that is applied to # the entire address being looked up. Thus, user@domain mail -# addresses are not broken up into their user and @domain +# addresses are not broken up into their user and @domain # constituent parts, nor is user+foo broken up into user and # foo. 
# -# Patterns are applied in the order as specified in the -# table, until a pattern is found that matches the search +# Patterns are applied in the order as specified in the +# table, until a pattern is found that matches the search # string. # -# Results are the same as with indexed file lookups, with -# the additional feature that parenthesized substrings from +# Results are the same as with indexed file lookups, with +# the additional feature that parenthesized substrings from # the pattern can be interpolated as $1, $2 and so on. # # TCP-BASED TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # lookups are directed to a TCP-based server. For a descrip- -# tion of the TCP client/server lookup protocol, see -# tcp_table(5). This feature is not available up to and +# tion of the TCP client/server lookup protocol, see +# tcp_table(5). This feature is not available up to and # including Postfix version 2.2. # # Each lookup operation uses the entire address once. Thus, -# user@domain mail addresses are not broken up into their +# user@domain mail addresses are not broken up into their # user and @domain constituent parts, nor is user+foo broken # up into user and foo. # # Results are the same as with indexed file lookups. # # BUGS -# The table format does not understand quoting conventions. +# The table format does not understand quoting conventions. # # CONFIGURATION PARAMETERS -# The following main.cf parameters are especially relevant. -# The text below provides only a parameter summary. See +# The following main.cf parameters are especially relevant. +# The text below provides only a parameter summary. See # postconf(5) for more details including examples. # # canonical_classes -# What addresses are subject to canonical address +# What addresses are subject to canonical address # mapping. # # canonical_maps 
@@ -167,16 +173,24 @@ # header sender addresses. # # propagate_unmatched_extensions -# A list of address rewriting or forwarding mecha- -# nisms that propagate an address extension from the -# original address to the result. Specify zero or -# more of canonical, virtual, alias, forward, +# A list of address rewriting or forwarding mecha- +# nisms that propagate an address extension from the +# original address to the result. Specify zero or +# more of canonical, virtual, alias, forward, # include, or generics. # # Other parameters of interest: # +# append_at_myorigin +# Do or don't append "@$myorigin" to addresses with- +# out domain. This must be turned on in Postfix. +# +# append_dot_mydomain +# Do or don't append ".$mydomain" to addresses with- +# out "." on the right-hand side of the @. +# # inet_interfaces -# The network interface addresses that this system +# The network interface addresses that this system # receives mail on. You need to stop and start Post- # fix when this parameter changes. # @@ -186,20 +200,20 @@ # tor. # # masquerade_classes -# List of address classes subject to masquerading: -# zero or more of envelope_sender, envelope_recipi- +# List of address classes subject to masquerading: +# zero or more of envelope_sender, envelope_recipi- # ent, header_sender, header_recipient. # # masquerade_domains -# List of domains that hide their subdomain struc- +# List of domains that hide their subdomain struc- # ture. # # masquerade_exceptions -# List of user names that are not subject to address +# List of user names that are not subject to address # masquerading. # # mydestination -# List of domains that this mail system considers +# List of domains that this mail system considers # local. # # myorigin 
@@ -216,13 +230,13 @@ # virtual(5), virtual aliasing # # README FILES -# Use "postconf readme_directory" or "postconf html_direc- +# Use "postconf readme_directory" or "postconf html_direc- # tory" to locate this information. # DATABASE_README, Postfix lookup table overview # ADDRESS_REWRITING_README, address rewriting guide # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) diff --git a/postfix/conf/generics b/postfix/conf/generics index 164226a39..05a572ccb 100644 --- a/postfix/conf/generics +++ b/postfix/conf/generics 
@@ -83,99 +83,113 @@ # Replace other addresses in domain by address. This # form has the lowest precedence. # -# In all the above forms, the result address must have the -# form username@domainname. +# RESULT ADDRESS REWRITING +# The lookup result is subject to address rewriting: +# +# o When the result has the form @otherdomain, the +# result becomes the same user in otherdomain. +# +# o The result is rewritten as specified with +# append_at_myorigin or with append_dot_mydomain. # # ADDRESS EXTENSION # When a mail address localpart contains the optional recip- -# ient delimiter (e.g., user+foo@domain), the lookup order +# ient delimiter (e.g., user+foo@domain), the lookup order # becomes: user+foo@domain, user@domain, user+foo, user, and # @domain. # -# The propagate_unmatched_extensions parameter controls -# whether an unmatched address extension (+foo) is propa- +# The propagate_unmatched_extensions parameter controls +# whether an unmatched address extension (+foo) is propa- # gated to the result of table lookup. # # REGULAR EXPRESSION TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # the table is given in the form of regular expressions. For -# a description of regular expression lookup table syntax, +# a description of regular expression lookup table syntax, # see regexp_table(5) or pcre_table(5). # -# Each pattern is a regular expression that is applied to +# Each pattern is a regular expression that is applied to # the entire address being looked up. Thus, user@domain mail -# addresses are not broken up into their user and @domain +# addresses are not broken up into their user and @domain # constituent parts, nor is user+foo broken up into user and # foo. 
# -# Patterns are applied in the order as specified in the -# table, until a pattern is found that matches the search +# Patterns are applied in the order as specified in the +# table, until a pattern is found that matches the search # string. # -# Results are the same as with indexed file lookups, with -# the additional feature that parenthesized substrings from +# Results are the same as with indexed file lookups, with +# the additional feature that parenthesized substrings from # the pattern can be interpolated as $1, $2 and so on. # # TCP-BASED TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # lookups are directed to a TCP-based server. For a descrip- -# tion of the TCP client/server lookup protocol, see -# tcp_table(5). This feature is not available up to and +# tion of the TCP client/server lookup protocol, see +# tcp_table(5). This feature is not available up to and # including Postfix version 2.2. # # Each lookup operation uses the entire address once. Thus, -# user@domain mail addresses are not broken up into their +# user@domain mail addresses are not broken up into their # user and @domain constituent parts, nor is user+foo broken # up into user and foo. # # Results are the same as with indexed file lookups. # # EXAMPLE -# The following shows a generic mapping with an indexed -# file. When mail is sent to a remote host via SMTP, this -# replaces his@localdomain.local by his ISP mail address, -# replaces her@localdomain.local by her ISP mail address, -# and replaces other local addresses by his ISP account, -# with an address extension of +local (this example assumes +# The following shows a generic mapping with an indexed +# file. 
When mail is sent to a remote host via SMTP, this +# replaces his@localdomain.local by his ISP mail address, +# replaces her@localdomain.local by her ISP mail address, +# and replaces other local addresses by his ISP account, +# with an address extension of +local (this example assumes # that the ISP supports "+" style address extensions). # # /etc/postfix/main.cf: # smtp_generics_maps = hash:/etc/postfix/generics # # /etc/postfix/generics: -# his@localdomain.local hisaccount@hisisp.example -# her@localdomain.local heraccount@herisp.example -# @localdomain.local hisaccount+local@hisisp.example +# his@localdomain.local hisaccount@hisisp.example +# her@localdomain.local heraccount@herisp.example +# @localdomain.local hisaccount+local@hisisp.example # -# Execute the command "postmap /etc/postfix/generics" when- -# ever the table is changed. Instead of hash, some systems -# use dbm database files. To find out what tables your sys- +# Execute the command "postmap /etc/postfix/generics" when- +# ever the table is changed. Instead of hash, some systems +# use dbm database files. To find out what tables your sys- # tem supports use the command "postconf -m". # # BUGS -# The table format does not understand quoting conventions. +# The table format does not understand quoting conventions. # # CONFIGURATION PARAMETERS -# The following main.cf parameters are especially relevant. -# The text below provides only a parameter summary. See +# The following main.cf parameters are especially relevant. +# The text below provides only a parameter summary. See # postconf(5) for more details including examples. # # smtp_generics_maps # Address mapping lookup table for envelope and -# header sender and recipient addresses while deliv- +# header sender and recipient addresses while deliv- # ering mail via SMTP. # # propagate_unmatched_extensions -# A list of address rewriting or forwarding mecha- -# nisms that propagate an address extension from the -# original address to the result. 
Specify zero or -# more of canonical, virtual, alias, forward, +# A list of address rewriting or forwarding mecha- +# nisms that propagate an address extension from the +# original address to the result. Specify zero or +# more of canonical, virtual, alias, forward, # include, or generics. # # Other parameters of interest: # +# append_at_myorigin +# Do or don't append "@$myorigin" to addresses with- +# out domain. This must be turned on in Postfix. +# +# append_dot_mydomain +# Do or don't append ".$mydomain" to addresses with- +# out "." on the right-hand side of the @. +# # inet_interfaces -# The network interface addresses that this system +# The network interface addresses that this system # receives mail on. You need to stop and start Post- # fix when this parameter changes. # @@ -185,7 +199,7 @@ # tor. # # mydestination -# List of domains that this mail system considers +# List of domains that this mail system considers # local. # # myorigin @@ -201,13 +215,13 @@ # smtp(8), Postfix SMTP client # # README FILES -# Use "postconf readme_directory" or "postconf html_direc- +# Use "postconf readme_directory" or "postconf html_direc- # tory" to locate this information. # DATABASE_README, Postfix lookup table overview # ADDRESS_REWRITING_README, address rewriting guide # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # HISTORY diff --git a/postfix/conf/virtual b/postfix/conf/virtual index 9e8bdf31e..1f33a6815 100644 --- a/postfix/conf/virtual +++ b/postfix/conf/virtual 
@@ -95,9 +95,16 @@ # Redirect mail for other users in domain to address. # This form has the lowest precedence. # -# In all the above forms, when address has the form @other- -# domain, the result is the same user in otherdomain. This -# works for the first address in the expansion only. +# RESULT ADDRESS REWRITING +# The lookup result is subject to address rewriting: +# +# o When the result has the form @otherdomain, the +# result becomes the same user in otherdomain. This +# works only for the first address in a multi-address +# lookup result. +# +# o The result is rewritten as specified with +# append_at_myorigin or with append_dot_mydomain. # # ADDRESS EXTENSION # When a mail address localpart contains the optional recip- @@ -219,6 +226,14 @@ # # Other parameters of interest: # +# append_at_myorigin +# Do or don't append "@$myorigin" to addresses with- +# out domain. This must be turned on in Postfix. +# +# append_dot_mydomain +# Do or don't append ".$mydomain" to addresses with- +# out "." on the right-hand side of the @. +# # inet_interfaces # The network interface addresses that this system # receives mail on. You need to stop and start Post- diff --git a/postfix/html/ADDRESS_VERIFICATION_README.html b/postfix/html/ADDRESS_VERIFICATION_README.html index 6bc260bda..d7fd4b74c 100644 --- a/postfix/html/ADDRESS_VERIFICATION_README.html +++ b/postfix/html/ADDRESS_VERIFICATION_README.html @@ -95,31 +95,33 @@ always discarded.

Postfix
SMTP
server
- <-> + <-> + - Postfix
verify
server
+ + Postfix
verify
server
- <-> + <-> + - - Address
verification
database + Address
+ verification
database - + - +     - |
probe
- messages
v + |
+ probe
messages
v - ^
delivery
+ ^
delivery
status
| @@ -134,18 +136,24 @@ always discarded.

- Postfix
- queue + + + + + + Postfix
queue -> - Postfix
- delivery
agents + + Postfix
delivery
agents + + diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html index 8400be659..61afced15 100644 --- a/postfix/html/SMTPD_POLICY_README.html +++ b/postfix/html/SMTPD_POLICY_README.html @@ -84,6 +84,9 @@ instance=123.456.7 sasl_method=plain sasl_username=you sasl_sender= +ccert_subject=solaris9.porcupine.org +ccert_issuer=Wietse Venema +ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04 size=12345 [empty line] @@ -125,6 +128,9 @@ size=12345 command.

+
  • The "sasl_*" attributes specify information about how + the client was authenticated via SASL.

    +

    The following is specific to SMTPD delegated policy requests: @@ -140,8 +146,9 @@ size=12345 the Postfix SMTP server makes an OK/REJECT/HOLD/etc. decision.

    -
  • The SASL attributes are sent only when SASL support - is built into Postfix.

    +
  • The "ccert_*" attributes specify information from the + client TLS certificate. This information is presented only + if the client certificate was successfully verified.

    diff --git a/postfix/html/STANDARD_CONFIGURATION_README.html b/postfix/html/STANDARD_CONFIGURATION_README.html index 5febf7130..9c2aaf454 100644 --- a/postfix/html/STANDARD_CONFIGURATION_README.html +++ b/postfix/html/STANDARD_CONFIGURATION_README.html @@ -50,7 +50,7 @@ for hosts in specific environments.

  • Running Postfix behind a firewall -
  • Configuring Postfix as MX host for a remote +
  • Configuring Postfix as primary or backup MX host for a remote site
  • Postfix on a dialup machine @@ -499,7 +499,7 @@ tables Postfix supports, use the command "postconf -m".

    Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table.

    -

    Configuring Postfix as MX host for a remote site

    +

    Configuring Postfix as primary or backup MX host for a remote site

    This section presents additional configuration. You need to combine this with basic configuration information as discussed the diff --git a/postfix/html/canonical.5.html b/postfix/html/canonical.5.html index 6cb0a1b4f..0c1294d9d 100644 --- a/postfix/html/canonical.5.html +++ b/postfix/html/canonical.5.html 
@@ -102,63 +102,69 @@ CANONICAL(5) CANONICAL(5) Replace other addresses in domain by address. This form has the lowest precedence. - In all the above forms, when address has the form @other- - domain, the result is the same user in otherdomain. +RESULT ADDRESS REWRITING + The lookup result is subject to address rewriting: + + o When the result has the form @otherdomain, the + result becomes the same user in otherdomain. + + o The result is rewritten as specified with + append_at_myorigin or with append_dot_mydomain. ADDRESS EXTENSION When a mail address localpart contains the optional recip- - ient delimiter (e.g., user+foo@domain), the lookup order + ient delimiter (e.g., user+foo@domain), the lookup order becomes: user+foo@domain, user@domain, user+foo, user, and @domain. - The propagate_unmatched_extensions parameter controls - whether an unmatched address extension (+foo) is propa- + The propagate_unmatched_extensions parameter controls + whether an unmatched address extension (+foo) is propa- gated to the result of table lookup. REGULAR EXPRESSION TABLES - This section describes how the table lookups change when + This section describes how the table lookups change when the table is given in the form of regular expressions. For - a description of regular expression lookup table syntax, + a description of regular expression lookup table syntax, see regexp_table(5) or pcre_table(5). - Each pattern is a regular expression that is applied to + Each pattern is a regular expression that is applied to the entire address being looked up. Thus, user@domain mail - addresses are not broken up into their user and @domain + addresses are not broken up into their user and @domain constituent parts, nor is user+foo broken up into user and foo. - Patterns are applied in the order as specified in the - table, until a pattern is found that matches the search + Patterns are applied in the order as specified in the + table, until a pattern is found that matches the search string. 
- Results are the same as with indexed file lookups, with - the additional feature that parenthesized substrings from + Results are the same as with indexed file lookups, with + the additional feature that parenthesized substrings from the pattern can be interpolated as $1, $2 and so on. TCP-BASED TABLES - This section describes how the table lookups change when + This section describes how the table lookups change when lookups are directed to a TCP-based server. For a descrip- - tion of the TCP client/server lookup protocol, see - tcp_table(5). This feature is not available up to and + tion of the TCP client/server lookup protocol, see + tcp_table(5). This feature is not available up to and including Postfix version 2.2. Each lookup operation uses the entire address once. Thus, - user@domain mail addresses are not broken up into their + user@domain mail addresses are not broken up into their user and @domain constituent parts, nor is user+foo broken up into user and foo. Results are the same as with indexed file lookups. BUGS - The table format does not understand quoting conventions. + The table format does not understand quoting conventions. CONFIGURATION PARAMETERS - The following main.cf parameters are especially relevant. - The text below provides only a parameter summary. See + The following main.cf parameters are especially relevant. + The text below provides only a parameter summary. See postconf(5) for more details including examples. canonical_classes - What addresses are subject to canonical address + What addresses are subject to canonical address mapping. canonical_maps 
@@ -173,16 +179,24 @@ CANONICAL(5) CANONICAL(5) header sender addresses. propagate_unmatched_extensions - A list of address rewriting or forwarding mecha- - nisms that propagate an address extension from the - original address to the result. Specify zero or - more of canonical, virtual, alias, forward, + A list of address rewriting or forwarding mecha- + nisms that propagate an address extension from the + original address to the result. Specify zero or + more of canonical, virtual, alias, forward, include, or generics. Other parameters of interest: + append_at_myorigin + Do or don't append "@$myorigin" to addresses with- + out domain. This must be turned on in Postfix. + + append_dot_mydomain + Do or don't append ".$mydomain" to addresses with- + out "." on the right-hand side of the @. + inet_interfaces - The network interface addresses that this system + The network interface addresses that this system receives mail on. You need to stop and start Post- fix when this parameter changes. @@ -192,20 +206,20 @@ CANONICAL(5) CANONICAL(5) tor. masquerade_classes - List of address classes subject to masquerading: - zero or more of envelope_sender, envelope_recipi- + List of address classes subject to masquerading: + zero or more of envelope_sender, envelope_recipi- ent, header_sender, header_recipient. masquerade_domains - List of domains that hide their subdomain struc- + List of domains that hide their subdomain struc- ture. masquerade_exceptions - List of user names that are not subject to address + List of user names that are not subject to address masquerading. mydestination - List of domains that this mail system considers + List of domains that this mail system considers local. myorigin @@ -226,7 +240,7 @@ CANONICAL(5) CANONICAL(5) ADDRESS_REWRITING_README, address rewriting guide LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) 
diff --git a/postfix/html/generics.5.html b/postfix/html/generics.5.html index 115417b21..e414db163 100644 --- a/postfix/html/generics.5.html +++ b/postfix/html/generics.5.html 
@@ -89,99 +89,113 @@ GENERICS(5) GENERICS(5) Replace other addresses in domain by address. This form has the lowest precedence. - In all the above forms, the result address must have the - form username@domainname. +RESULT ADDRESS REWRITING + The lookup result is subject to address rewriting: + + o When the result has the form @otherdomain, the + result becomes the same user in otherdomain. + + o The result is rewritten as specified with + append_at_myorigin or with append_dot_mydomain. ADDRESS EXTENSION When a mail address localpart contains the optional recip- - ient delimiter (e.g., user+foo@domain), the lookup order + ient delimiter (e.g., user+foo@domain), the lookup order becomes: user+foo@domain, user@domain, user+foo, user, and @domain. - The propagate_unmatched_extensions parameter controls - whether an unmatched address extension (+foo) is propa- + The propagate_unmatched_extensions parameter controls + whether an unmatched address extension (+foo) is propa- gated to the result of table lookup. REGULAR EXPRESSION TABLES - This section describes how the table lookups change when + This section describes how the table lookups change when the table is given in the form of regular expressions. For - a description of regular expression lookup table syntax, + a description of regular expression lookup table syntax, see regexp_table(5) or pcre_table(5). - Each pattern is a regular expression that is applied to + Each pattern is a regular expression that is applied to the entire address being looked up. Thus, user@domain mail - addresses are not broken up into their user and @domain + addresses are not broken up into their user and @domain constituent parts, nor is user+foo broken up into user and foo. - Patterns are applied in the order as specified in the - table, until a pattern is found that matches the search + Patterns are applied in the order as specified in the + table, until a pattern is found that matches the search string. 
- Results are the same as with indexed file lookups, with - the additional feature that parenthesized substrings from + Results are the same as with indexed file lookups, with + the additional feature that parenthesized substrings from the pattern can be interpolated as $1, $2 and so on. TCP-BASED TABLES - This section describes how the table lookups change when + This section describes how the table lookups change when lookups are directed to a TCP-based server. For a descrip- - tion of the TCP client/server lookup protocol, see - tcp_table(5). This feature is not available up to and + tion of the TCP client/server lookup protocol, see + tcp_table(5). This feature is not available up to and including Postfix version 2.2. Each lookup operation uses the entire address once. Thus, - user@domain mail addresses are not broken up into their + user@domain mail addresses are not broken up into their user and @domain constituent parts, nor is user+foo broken up into user and foo. Results are the same as with indexed file lookups. EXAMPLE - The following shows a generic mapping with an indexed - file. When mail is sent to a remote host via SMTP, this - replaces his@localdomain.local by his ISP mail address, - replaces her@localdomain.local by her ISP mail address, - and replaces other local addresses by his ISP account, - with an address extension of +local (this example assumes + The following shows a generic mapping with an indexed + file. When mail is sent to a remote host via SMTP, this + replaces his@localdomain.local by his ISP mail address, + replaces her@localdomain.local by her ISP mail address, + and replaces other local addresses by his ISP account, + with an address extension of +local (this example assumes that the ISP supports "+" style address extensions). 
/etc/postfix/main.cf: smtp_generics_maps = hash:/etc/postfix/generics /etc/postfix/generics: - his@localdomain.local hisaccount@hisisp.example - her@localdomain.local heraccount@herisp.example - @localdomain.local hisaccount+local@hisisp.example + his@localdomain.local hisaccount@hisisp.example + her@localdomain.local heraccount@herisp.example + @localdomain.local hisaccount+local@hisisp.example - Execute the command "postmap /etc/postfix/generics" when- - ever the table is changed. Instead of hash, some systems - use dbm database files. To find out what tables your sys- + Execute the command "postmap /etc/postfix/generics" when- + ever the table is changed. Instead of hash, some systems + use dbm database files. To find out what tables your sys- tem supports use the command "postconf -m". BUGS - The table format does not understand quoting conventions. + The table format does not understand quoting conventions. CONFIGURATION PARAMETERS - The following main.cf parameters are especially relevant. - The text below provides only a parameter summary. See + The following main.cf parameters are especially relevant. + The text below provides only a parameter summary. See postconf(5) for more details including examples. smtp_generics_maps Address mapping lookup table for envelope and - header sender and recipient addresses while deliv- + header sender and recipient addresses while deliv- ering mail via SMTP. propagate_unmatched_extensions - A list of address rewriting or forwarding mecha- - nisms that propagate an address extension from the - original address to the result. Specify zero or - more of canonical, virtual, alias, forward, + A list of address rewriting or forwarding mecha- + nisms that propagate an address extension from the + original address to the result. Specify zero or + more of canonical, virtual, alias, forward, include, or generics. Other parameters of interest: + append_at_myorigin + Do or don't append "@$myorigin" to addresses with- + out domain. 
This must be turned on in Postfix. + + append_dot_mydomain + Do or don't append ".$mydomain" to addresses with- + out "." on the right-hand side of the @. + inet_interfaces - The network interface addresses that this system + The network interface addresses that this system receives mail on. You need to stop and start Post- fix when this parameter changes. @@ -191,7 +205,7 @@ GENERICS(5) GENERICS(5) tor. mydestination - List of domains that this mail system considers + List of domains that this mail system considers local. myorigin @@ -211,7 +225,7 @@ GENERICS(5) GENERICS(5) ADDRESS_REWRITING_README, address rewriting guide LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. HISTORY diff --git a/postfix/html/virtual.5.html b/postfix/html/virtual.5.html index f52f11623..4b9f30bb5 100644 --- a/postfix/html/virtual.5.html +++ b/postfix/html/virtual.5.html @@ -101,9 +101,16 @@ VIRTUAL(5) VIRTUAL(5) Redirect mail for other users in domain to address. This form has the lowest precedence. - In all the above forms, when address has the form @other- - domain, the result is the same user in otherdomain. This - works for the first address in the expansion only. +RESULT ADDRESS REWRITING + The lookup result is subject to address rewriting: + + o When the result has the form @otherdomain, the + result becomes the same user in otherdomain. This + works only for the first address in a multi-address + lookup result. + + o The result is rewritten as specified with + append_at_myorigin or with append_dot_mydomain. ADDRESS EXTENSION When a mail address localpart contains the optional recip- 
@@ -225,6 +232,14 @@ VIRTUAL(5) VIRTUAL(5) Other parameters of interest: + append_at_myorigin + Do or don't append "@$myorigin" to addresses with- + out domain. This must be turned on in Postfix. + + append_dot_mydomain + Do or don't append ".$mydomain" to addresses with- + out "." on the right-hand side of the @. + inet_interfaces The network interface addresses that this system receives mail on. You need to stop and start Post- diff --git a/postfix/man/man5/canonical.5 b/postfix/man/man5/canonical.5 index 19ec6c26b..fb7163057 100644 --- a/postfix/man/man5/canonical.5 +++ b/postfix/man/man5/canonical.5 @@ -94,9 +94,18 @@ This form is useful for replacing login names by .IP "@\fIdomain address\fR" Replace other addresses in \fIdomain\fR by \fIaddress\fR. This form has the lowest precedence. -.PP -In all the above forms, when \fIaddress\fR has the form -@\fIotherdomain\fR, the result is the same user in \fIotherdomain\fR. +.SH "RESULT ADDRESS REWRITING" +.na +.nf +.ad +.fi +The lookup result is subject to address rewriting: +.IP \(bu +When the result has the form @\fIotherdomain\fR, the +result becomes the same \fIuser\fR in \fIotherdomain\fR. +.IP \(bu +The result is rewritten as specified with \fBappend_at_myorigin\fR +or with \fBappend_dot_mydomain\fR. .SH "ADDRESS EXTENSION" .na .nf @@ -176,6 +185,12 @@ Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR, \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR. .PP Other parameters of interest: +.IP \fBappend_at_myorigin\fR +Do or don't append "\fB@$myorigin\fR" to addresses without domain. +This must be turned on in Postfix. +.IP \fBappend_dot_mydomain\fR +Do or don't append "\fB.$mydomain\fR" to addresses without "." on +the right-hand side of the @. .IP \fBinet_interfaces\fR The network interface addresses that this system receives mail on. You need to stop and start Postfix when this parameter changes. 
diff --git a/postfix/man/man5/generics.5 b/postfix/man/man5/generics.5 index 486d8ed1c..881ec4716 100644 --- a/postfix/man/man5/generics.5 +++ b/postfix/man/man5/generics.5 @@ -84,9 +84,18 @@ or $\fBproxy_interfaces\fR. .IP "@\fIdomain address\fR" Replace other addresses in \fIdomain\fR by \fIaddress\fR. This form has the lowest precedence. -.PP -In all the above forms, the result \fIaddress\fR must have -the form \fIusername@domainname\fR. +.SH "RESULT ADDRESS REWRITING" +.na +.nf +.ad +.fi +The lookup result is subject to address rewriting: +.IP \(bu +When the result has the form @\fIotherdomain\fR, the +result becomes the same \fIuser\fR in \fIotherdomain\fR. +.IP \(bu +The result is rewritten as specified with \fBappend_at_myorigin\fR +or with \fBappend_dot_mydomain\fR. .SH "ADDRESS EXTENSION" .na .nf @@ -159,9 +168,9 @@ that the ISP supports "+" style address extensions). /etc/postfix/generics: .in +4 -his@localdomain.local hisaccount@hisisp.example -her@localdomain.local heraccount@herisp.example -@localdomain.local hisaccount+local@hisisp.example + his@localdomain.local hisaccount@hisisp.example + her@localdomain.local heraccount@herisp.example + @localdomain.local hisaccount+local@hisisp.example .in -4 .ad @@ -193,6 +202,12 @@ Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR, \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR. .PP Other parameters of interest: +.IP \fBappend_at_myorigin\fR +Do or don't append "\fB@$myorigin\fR" to addresses without domain. +This must be turned on in Postfix. +.IP \fBappend_dot_mydomain\fR +Do or don't append "\fB.$mydomain\fR" to addresses without "." on +the right-hand side of the @. .IP \fBinet_interfaces\fR The network interface addresses that this system receives mail on. You need to stop and start Postfix when this parameter changes. diff --git a/postfix/man/man5/virtual.5 b/postfix/man/man5/virtual.5 index 92786a6dc..2f6b868a8 100644 --- a/postfix/man/man5/virtual.5 +++ b/postfix/man/man5/virtual.5 
@@ -90,10 +90,20 @@ mapping can be applied to non-local addresses. .IP "@\fIdomain address, address, ...\fR" Redirect mail for other users in \fIdomain\fR to \fIaddress\fR. This form has the lowest precedence. -.PP -In all the above forms, when \fIaddress\fR has the form -@\fIotherdomain\fR, the result is the same user in \fIotherdomain\fR. -This works for the first address in the expansion only. +.SH "RESULT ADDRESS REWRITING" +.na +.nf +.ad +.fi +The lookup result is subject to address rewriting: +.IP \(bu +When the result has the form @\fIotherdomain\fR, the +result becomes the same \fIuser\fR in \fIotherdomain\fR. +This works only for the first address in a multi-address +lookup result. +.IP \(bu +The result is rewritten as specified with \fBappend_at_myorigin\fR +or with \fBappend_dot_mydomain\fR. .SH "ADDRESS EXTENSION" .na .nf @@ -228,6 +238,12 @@ Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR, \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR. .PP Other parameters of interest: +.IP \fBappend_at_myorigin\fR +Do or don't append "\fB@$myorigin\fR" to addresses without domain. +This must be turned on in Postfix. +.IP \fBappend_dot_mydomain\fR +Do or don't append "\fB.$mydomain\fR" to addresses without "." on +the right-hand side of the @. .IP \fBinet_interfaces\fR The network interface addresses that this system receives mail on. You need to stop and start Postfix when this parameter changes. diff --git a/postfix/proto/ADDRESS_VERIFICATION_README.html b/postfix/proto/ADDRESS_VERIFICATION_README.html index dc3cdd29d..8d30c611d 100644 --- a/postfix/proto/ADDRESS_VERIFICATION_README.html +++ b/postfix/proto/ADDRESS_VERIFICATION_README.html @@ -95,31 +95,33 @@ always discarded.

    Postfix
    SMTP
    server
    - <-> + <-> + - Postfix
    verify
    server
    + + Postfix
    verify
    server
    - <-> + <-> + - - Address
    verification
    database + Address
    + verification
    database - + - +     - |
    probe
    - messages
    v + |
    + probe
    messages
    v - ^
    delivery
    + ^
    delivery
    status
    | @@ -134,18 +136,24 @@ always discarded.

    - Postfix
    - queue + + + + + + Postfix
    queue -> - Postfix
    - delivery
    agents + + Postfix
    delivery
    agents + + diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html index 8ba7c9c26..a6573ad72 100644 --- a/postfix/proto/SMTPD_POLICY_README.html +++ b/postfix/proto/SMTPD_POLICY_README.html @@ -84,6 +84,9 @@ instance=123.456.7 sasl_method=plain sasl_username=you sasl_sender= +ccert_subject=solaris9.porcupine.org +ccert_issuer=Wietse Venema +ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04 size=12345 [empty line] @@ -125,6 +128,9 @@ size=12345 command.

    +
  • The "sasl_*" attributes specify information about how + the client was authenticated via SASL.

    +

    The following is specific to SMTPD delegated policy requests: @@ -140,8 +146,9 @@ size=12345 the Postfix SMTP server makes an OK/REJECT/HOLD/etc. decision.

    -
  • The SASL attributes are sent only when SASL support - is built into Postfix.

    +
  • The "ccert_*" attributes specify information from the + client TLS certificate. This information is presented only + if the client certificate was successfully verified.

    diff --git a/postfix/proto/STANDARD_CONFIGURATION_README.html b/postfix/proto/STANDARD_CONFIGURATION_README.html index efb35e6c3..eb7c5f58b 100644 --- a/postfix/proto/STANDARD_CONFIGURATION_README.html +++ b/postfix/proto/STANDARD_CONFIGURATION_README.html @@ -50,7 +50,7 @@ for hosts in specific environments.

  • Running Postfix behind a firewall -
  • Configuring Postfix as MX host for a remote +
  • Configuring Postfix as primary or backup MX host for a remote site
  • Postfix on a dialup machine @@ -499,7 +499,7 @@ tables Postfix supports, use the command "postconf -m".

    Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table.

    -

    Configuring Postfix as MX host for a remote site

    +

    Configuring Postfix as primary or backup MX host for a remote site

    This section presents additional configuration. You need to combine this with basic configuration information as discussed the diff --git a/postfix/proto/canonical b/postfix/proto/canonical index 0a8051161..71fb2b2e0 100644 --- a/postfix/proto/canonical +++ b/postfix/proto/canonical @@ -84,9 +84,16 @@ # .IP "@\fIdomain address\fR" # Replace other addresses in \fIdomain\fR by \fIaddress\fR. # This form has the lowest precedence. -# .PP -# In all the above forms, when \fIaddress\fR has the form -# @\fIotherdomain\fR, the result is the same user in \fIotherdomain\fR. +# RESULT ADDRESS REWRITING +# .ad +# .fi +# The lookup result is subject to address rewriting: +# .IP \(bu +# When the result has the form @\fIotherdomain\fR, the +# result becomes the same \fIuser\fR in \fIotherdomain\fR. +# .IP \(bu +# The result is rewritten as specified with \fBappend_at_myorigin\fR +# or with \fBappend_dot_mydomain\fR. # ADDRESS EXTENSION # .fi # .ad @@ -156,6 +163,12 @@ # \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR. # .PP # Other parameters of interest: +# .IP \fBappend_at_myorigin\fR +# Do or don't append "\fB@$myorigin\fR" to addresses without domain. +# This must be turned on in Postfix. +# .IP \fBappend_dot_mydomain\fR +# Do or don't append "\fB.$mydomain\fR" to addresses without "." on +# the right-hand side of the @. # .IP \fBinet_interfaces\fR # The network interface addresses that this system receives mail on. # You need to stop and start Postfix when this parameter changes. diff --git a/postfix/proto/generics b/postfix/proto/generics index cc5684ad7..b63b5383b 100644 --- a/postfix/proto/generics +++ b/postfix/proto/generics 
@@ -74,9 +74,16 @@ # .IP "@\fIdomain address\fR" # Replace other addresses in \fIdomain\fR by \fIaddress\fR. # This form has the lowest precedence. -# .PP -# In all the above forms, the result \fIaddress\fR must have -# the form \fIusername@domainname\fR. +# RESULT ADDRESS REWRITING +# .ad +# .fi +# The lookup result is subject to address rewriting: +# .IP \(bu +# When the result has the form @\fIotherdomain\fR, the +# result becomes the same \fIuser\fR in \fIotherdomain\fR. +# .IP \(bu +# The result is rewritten as specified with \fBappend_at_myorigin\fR +# or with \fBappend_dot_mydomain\fR. # ADDRESS EXTENSION # .fi # .ad @@ -139,11 +146,11 @@ # smtp_generics_maps = hash:/etc/postfix/generics # .in -4 # -# /etc/postfix/generics: +# /etc/postfix/generics: # .in +4 -# his@localdomain.local hisaccount@hisisp.example -# her@localdomain.local heraccount@herisp.example -# @localdomain.local hisaccount+local@hisisp.example +# his@localdomain.local hisaccount@hisisp.example +# her@localdomain.local heraccount@herisp.example +# @localdomain.local hisaccount+local@hisisp.example # .in -4 # # .ad @@ -171,6 +178,12 @@ # \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR. # .PP # Other parameters of interest: +# .IP \fBappend_at_myorigin\fR +# Do or don't append "\fB@$myorigin\fR" to addresses without domain. +# This must be turned on in Postfix. +# .IP \fBappend_dot_mydomain\fR +# Do or don't append "\fB.$mydomain\fR" to addresses without "." on +# the right-hand side of the @. # .IP \fBinet_interfaces\fR # The network interface addresses that this system receives mail on. # You need to stop and start Postfix when this parameter changes. diff --git a/postfix/proto/virtual b/postfix/proto/virtual index 03759f435..987c7e650 100644 --- a/postfix/proto/virtual +++ b/postfix/proto/virtual 
@@ -80,10 +80,18 @@ # .IP "@\fIdomain address, address, ...\fR" # Redirect mail for other users in \fIdomain\fR to \fIaddress\fR. # This form has the lowest precedence. -# .PP -# In all the above forms, when \fIaddress\fR has the form -# @\fIotherdomain\fR, the result is the same user in \fIotherdomain\fR. -# This works for the first address in the expansion only. +# RESULT ADDRESS REWRITING +# .ad +# .fi +# The lookup result is subject to address rewriting: +# .IP \(bu +# When the result has the form @\fIotherdomain\fR, the +# result becomes the same \fIuser\fR in \fIotherdomain\fR. +# This works only for the first address in a multi-address +# lookup result. +# .IP \(bu +# The result is rewritten as specified with \fBappend_at_myorigin\fR +# or with \fBappend_dot_mydomain\fR. # ADDRESS EXTENSION # .fi # .ad @@ -206,6 +214,12 @@ # \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR. # .PP # Other parameters of interest: +# .IP \fBappend_at_myorigin\fR +# Do or don't append "\fB@$myorigin\fR" to addresses without domain. +# This must be turned on in Postfix. +# .IP \fBappend_dot_mydomain\fR +# Do or don't append "\fB.$mydomain\fR" to addresses without "." on +# the right-hand side of the @. # .IP \fBinet_interfaces\fR # The network interface addresses that this system receives mail on. # You need to stop and start Postfix when this parameter changes. diff --git a/postfix/src/global/mail_proto.h b/postfix/src/global/mail_proto.h index cb58fdf30..2bd40025e 100644 --- a/postfix/src/global/mail_proto.h +++ b/postfix/src/global/mail_proto.h @@ -131,6 +131,9 @@ extern char *mail_pathname(const char *, const char *); #define MAIL_ATTR_TTL "ttl" #define MAIL_ATTR_LABEL "label" #define MAIL_ATTR_PROP "property" +#define MAIL_ATTR_CCERT_SUBJECT "ccert_subject" +#define MAIL_ATTR_CCERT_ISSSUER "ccert_issuer" +#define MAIL_ATTR_CCERT_FINGERPRINT "ccert_fingerprint" /* * Suffixes for sender_name, sender_domain etc. 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 6990a2dcc..a5b3b3755 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change the patchlevel and the release date. Snapshots change the * release date only. */ -#define MAIL_RELEASE_DATE "20050208" +#define MAIL_RELEASE_DATE "20050209" #define MAIL_VERSION_NUMBER "2.2" #define VAR_MAIL_VERSION "mail_version" diff --git a/postfix/src/master/multi_server.c b/postfix/src/master/multi_server.c index 52cfbdb26..2b1c72767 100644 --- a/postfix/src/master/multi_server.c +++ b/postfix/src/master/multi_server.c @@ -161,6 +161,7 @@ #ifdef STRCASECMP_IN_STRINGS_H #include #endif +#include /* Utility library. */ @@ -741,6 +742,9 @@ NORETURN multi_server_main(int argc, char **argv, MULTI_SERVER_FN service,...) * Optionally, restrict the damage that this process can do. */ resolve_local_init(); +#ifdef SNAPSHOT + tzset(); +#endif chroot_uid(root_dir, user_name); /* diff --git a/postfix/src/master/single_server.c b/postfix/src/master/single_server.c index f3bb80a6e..410fd7d47 100644 --- a/postfix/src/master/single_server.c +++ b/postfix/src/master/single_server.c @@ -144,6 +144,7 @@ #ifdef STRCASECMP_IN_STRINGS_H #include #endif +#include /* Utility library. */ @@ -647,6 +648,9 @@ NORETURN single_server_main(int argc, char **argv, SINGLE_SERVER_FN service,...) * Optionally, restrict the damage that this process can do. */ resolve_local_init(); +#ifdef SNAPSHOT + tzset(); +#endif chroot_uid(root_dir, user_name); /* diff --git a/postfix/src/master/trigger_server.c b/postfix/src/master/trigger_server.c index 7c86be76f..c0731c1c8 100644 --- a/postfix/src/master/trigger_server.c +++ b/postfix/src/master/trigger_server.c @@ -152,6 +152,7 @@ #ifdef STRCASECMP_IN_STRINGS_H #include #endif +#include /* Utility library. */ 
@@ -667,6 +668,9 @@ NORETURN trigger_server_main(int argc, char **argv, TRIGGER_SERVER_FN service,.. * Optionally, restrict the damage that this process can do. */ resolve_local_init(); +#ifdef SNAPSHOT + tzset(); +#endif chroot_uid(root_dir, user_name); /* diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in index a9ea4cf50..79b8aeead 100644 --- a/postfix/src/smtp/Makefile.in +++ b/postfix/src/smtp/Makefile.in @@ -9,7 +9,7 @@ HDRS = smtp.h smtp_sasl.h smtp_addr.h smtp_reuse.h TESTSRC = DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) CFLAGS = $(DEBUG) $(OPT) $(DEFS) -TESTPROG= smtp_unalias +TESTPROG= smtp_unalias smtp_map11 PROG = smtp INC_DIR = ../../include LIBS = ../../lib/libmaster.a ../../lib/libtls.a ../../lib/libdns.a \ @@ -25,7 +25,7 @@ Makefile: Makefile.in test: $(TESTPROG) -tests: test +tests: smtp_map11_test update: ../../libexec/$(PROG) @@ -52,6 +52,19 @@ tidy: clean smtp_unalias: smtp_unalias.c $(LIBS) $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS) $(SYSLIBS) +smtp_map11: smtp_map11.c $(LIBS) + $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS) $(SYSLIBS) + +# This needs trivial-rewrite service and myorigin==mydomain +smtp_map11_test: smtp_map11 map11_map smtp_map11.ref + ../postmap/postmap map11_map + ./smtp_map11 hash:map11_map foo@example.com bar@example.com \ + baz@example.com foo@example.net >smtp_map11.tmp 2>&1 + sed -e "s/MYDOMAIN/`postconf -h mydomain`/" \ + -e "s/MYHOSTNAME/`postconf -h myhostname`/" smtp_map11.ref | \ + diff - smtp_map11.tmp + rm -f smtp_map11.tmp map11_map.db + depend: $(MAKES) (sed '1,/^# do not edit/!d' Makefile.in; \ set -e; for i in [a-z][a-z0-9]*.c; do \ diff --git a/postfix/src/smtp/map11_map b/postfix/src/smtp/map11_map new file mode 100644 index 000000000..5b35f1e54 --- /dev/null +++ b/postfix/src/smtp/map11_map @@ -0,0 +1,3 @@ +foo@example.com bar@com.example +bar@example.com bar +baz@example.com @com.example diff --git a/postfix/src/smtp/smtp_map11.c b/postfix/src/smtp/smtp_map11.c index 93932a7c1..11ec50d03 100644 
--- a/postfix/src/smtp/smtp_map11.c +++ b/postfix/src/smtp/smtp_map11.c @@ -83,22 +83,24 @@ int smtp_map11_external(VSTRING *addr, MAPS *maps, int propagate) { + const char *myname = "smtp_map11_external"; ARGV *new_addr; - const char *at; + const char *result; if ((new_addr = mail_addr_map(maps, STR(addr), propagate)) != 0) { if (new_addr->argc > 1) - msg_fatal("multi-valued %s entry for %s", maps->title, STR(addr)); - if ((at = strrchr(STR(addr), '@')) == 0 - || !valid_hostname(at + 1, DO_GRIPE)) - msg_fatal("invalid domain information in %s entry for %s", - maps->title, STR(addr)); - vstring_strcpy(addr, new_addr->argv[0]); + msg_warn("multi-valued %s result for %s", maps->title, STR(addr)); + result = new_addr->argv[0]; + if (msg_verbose) + msg_info("%s: %s -> %s", myname, STR(addr), result); + vstring_strcpy(addr, result); argv_free(new_addr); return (1); } else { if (dict_errno != 0) msg_fatal("%s map lookup problem for %s", maps->title, STR(addr)); + if (msg_verbose) + msg_info("%s: %s not found", myname, STR(addr)); return (0); } } @@ -131,3 +133,36 @@ int smtp_map11_internal(VSTRING *addr, MAPS *maps, int propagate) vstring_free(temp); return (ret); } + +#ifdef TEST + +#include +#include +#include + +int main(int argc, char **argv) +{ + VSTRING *buf = vstring_alloc(100); + MAPS *maps; + + msg_vstream_init(basename(argv[0]), VSTREAM_ERR); + if (argc < 3) + msg_fatal("usage: %s maptype:mapname address...", argv[0]); + + maps = maps_create(argv[1], argv[1], 0); + mail_params_init(); + if (chdir(var_queue_dir) < 0) + msg_fatal("chdir(%s): %m", var_queue_dir); + argv += 1; + + msg_verbose = 1; + while (--argc && *++argv) { + msg_info("-- start %s --", *argv); + smtp_map11_external(vstring_strcpy(buf, *argv), maps, 1); + msg_info("-- end %s --", *argv); + } + vstring_free(buf); + return (0); +} + +#endif diff --git a/postfix/src/smtp/smtp_map11.ref b/postfix/src/smtp/smtp_map11.ref new file mode 100644 index 000000000..7407d6532 --- /dev/null 
+++ b/postfix/src/smtp/smtp_map11.ref 
@@ -0,0 +1,66 @@ +smtp_map11: -- start foo@example.com -- +smtp_map11: maps_find: hash:map11_map: hash:map11_map(0,0): foo@example.com = bar@com.example +smtp_map11: mail_addr_find: foo@example.com -> bar@com.example +smtp_map11: connect to subsystem private/rewrite +smtp_map11: send attr request = rewrite +smtp_map11: send attr rule = local +smtp_map11: send attr address = bar@com.example +smtp_map11: private/rewrite socket: wanted attribute: flags +smtp_map11: input attribute name: flags +smtp_map11: input attribute value: 0 +smtp_map11: private/rewrite socket: wanted attribute: address +smtp_map11: input attribute name: address +smtp_map11: input attribute value: bar@com.example +smtp_map11: private/rewrite socket: wanted attribute: (list terminator) +smtp_map11: input attribute name: (end) +smtp_map11: rewrite_clnt: local: bar@com.example -> bar@com.example +smtp_map11: mail_addr_map: foo@example.com -> 0: bar@com.example +smtp_map11: smtp_map11_external: foo@example.com -> bar@com.example +smtp_map11: -- end foo@example.com -- +smtp_map11: -- start bar@example.com -- +smtp_map11: maps_find: hash:map11_map: hash:map11_map(0,0): bar@example.com = bar +smtp_map11: mail_addr_find: bar@example.com -> bar +smtp_map11: send attr request = rewrite +smtp_map11: send attr rule = local +smtp_map11: send attr address = bar +smtp_map11: private/rewrite socket: wanted attribute: flags +smtp_map11: input attribute name: flags +smtp_map11: input attribute value: 0 +smtp_map11: private/rewrite socket: wanted attribute: address +smtp_map11: input attribute name: address +smtp_map11: input attribute value: bar@MYDOMAIN +smtp_map11: private/rewrite socket: wanted attribute: (list terminator) +smtp_map11: input attribute name: (end) +smtp_map11: rewrite_clnt: local: bar -> bar@MYDOMAIN +smtp_map11: mail_addr_map: bar@example.com -> 0: bar@MYDOMAIN +smtp_map11: smtp_map11_external: bar@example.com -> bar@MYDOMAIN +smtp_map11: -- end bar@example.com -- +smtp_map11: -- start 
baz@example.com -- +smtp_map11: maps_find: hash:map11_map: hash:map11_map(0,0): baz@example.com = @com.example +smtp_map11: mail_addr_find: baz@example.com -> @com.example +smtp_map11: send attr request = rewrite +smtp_map11: send attr rule = local +smtp_map11: send attr address = baz@com.example +smtp_map11: private/rewrite socket: wanted attribute: flags +smtp_map11: input attribute name: flags +smtp_map11: input attribute value: 0 +smtp_map11: private/rewrite socket: wanted attribute: address +smtp_map11: input attribute name: address +smtp_map11: input attribute value: baz@com.example +smtp_map11: private/rewrite socket: wanted attribute: (list terminator) +smtp_map11: input attribute name: (end) +smtp_map11: rewrite_clnt: local: baz@com.example -> baz@com.example +smtp_map11: mail_addr_map: baz@example.com -> 0: baz@com.example +smtp_map11: smtp_map11_external: baz@example.com -> baz@com.example +smtp_map11: -- end baz@example.com -- +smtp_map11: -- start foo@example.net -- +smtp_map11: maps_find: hash:map11_map: foo@example.net: not found +smtp_map11: match_string: example.net ~? MYHOSTNAME +smtp_map11: match_string: example.net ~? localhost.MYDOMAIN +smtp_map11: match_string: example.net ~? localhost +smtp_map11: match_list_match: example.net: no match +smtp_map11: maps_find: hash:map11_map: @example.net: not found +smtp_map11: mail_addr_find: foo@example.net -> (not found) +smtp_map11: mail_addr_map: foo@example.net -> (not found) +smtp_map11: smtp_map11_external: foo@example.net not found +smtp_map11: -- end foo@example.net -- diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 7875146b0..1b7543701 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c 
@@ -3045,6 +3045,17 @@ static int check_policy_service(SMTPD_STATE *state, const char *server, ATTR_TYPE_STR, MAIL_ATTR_SASL_SENDER, var_smtpd_sasl_enable && state->sasl_sender ? state->sasl_sender : "", +#endif +#ifdef USE_TLS + ATTR_TYPE_STR, MAIL_ATTR_CCERT_SUBJECT, + state->tls_info.peer_verified ? + state->tls_info.peer_CN : "", + ATTR_TYPE_STR, MAIL_ATTR_CCERT_ISSSUER, + state->tls_info.peer_verified ? + state->tls_info.issuer_CN : "", + ATTR_TYPE_STR, MAIL_ATTR_CCERT_FINGERPRINT, + state->tls_info.peer_verified ? + state->tls_info.peer_fingerprint : "", #endif ATTR_TYPE_END, ATTR_FLAG_MISSING, /* Reply attributes. */
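Review bot: The new "ccert_*" bullet in postfix/proto/SMTPD_POLICY_README.html (hunk at -140,8) says the information is presented only if the client certificate was successfully verified, but the smtpd_check.c hunk sends all three attributes whenever Postfix is built with USE_TLS, with an empty value when peer_verified is false, and sends none of them otherwise. A policy server author needs to know that an empty ccert_fingerprint and a missing one are both possible, so the text should describe both cases, and should say that an empty value means "no verified client certificate" and not "certificate present but unnamed".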
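Review bot: In the postfix/src/global/mail_proto.h hunk (-131,6) the new macro is spelled MAIL_ATTR_CCERT_ISSSUER, with three S's. The string value "ccert_issuer" is correct, so nothing changes on the wire, but the misspelled name is already used in the smtpd_check.c hunk and will spread from there. Rename it to MAIL_ATTR_CCERT_ISSUER in both places.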
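Review bot: The tzset() call added just before chroot_uid() in multi_server_main() (postfix/src/master/multi_server.c hunk at -741,6, repeated in single_server.c and trigger_server.c) has no comment saying why it has to run before the chroot or why it is limited to #ifdef SNAPSHOT. The existing comment above it only covers "restrict the damage that this process can do". If the intent is to load time zone data while it is still reachable, say so in a comment, and explain the SNAPSHOT condition, because as written snapshot and release builds differ in behavior inside the chroot without any note of it.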
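Review bot: In postfix/src/smtp/Makefile.in (hunk at -25,7) "tests: test" becomes "tests: smtp_map11_test", so "make tests" no longer depends on "test" and no longer builds smtp_unalias, which stays in TESTPROG. If that is not intended, write "tests: test smtp_map11_test".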
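Review bot: In the smtp_map11_test rule (postfix/src/smtp/Makefile.in hunk at -52,6) the final "rm -f smtp_map11.tmp map11_map.db" is only reached when diff succeeds, so a failing run leaves both files behind in the source directory. The rule also runs ../postmap/postmap from the build tree but takes mydomain and myhostname from whatever postconf is first in PATH, so the substituted reference can come from a different installation than the code under test. Use the build tree's postconf here, or extend the comment above the rule ("This needs trivial-rewrite service and myorigin==mydomain") to state that an installed, running Postfix with matching configuration is required.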
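Review bot: In smtp_map11_external() (postfix/src/smtp/smtp_map11.c hunk at -83,22) a multi-valued result is now only reported with msg_warn() and the code then uses new_addr->argv[0], but the warning text does not say that the remaining values are dropped. Suggest wording along the lines of "multi-valued %s result for %s, using the first value only". The hunk also removes the valid_hostname() test without leaving a comment; the reason (mail_addr_map() already canonicalizes the lookup result) is given only in HISTORY and belongs next to the code, since the next reader will otherwise wonder why the result is copied into addr unchecked.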
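Review bot: In the new TEST main() (postfix/src/smtp/smtp_map11.c hunk at -131,3) "argv += 1" is not matched by a decrement of argc, so "while (--argc && *++argv)" never ends on the argc test; it stops only because *++argv reaches the null pointer that terminates argv. Decrement argc together with argv, or loop on argv alone. Also, buf is released with vstring_free() but the MAPS handle from maps_create() is not; add maps_free(maps) before the return.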
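Review bot: The reference output in postfix/src/smtp/smtp_map11.ref (hunk at -0,0) pins the verbose logging of maps_find, mail_addr_find, the attribute protocol exchange with private/rewrite, and the match_string lines for MYHOSTNAME, localhost.MYDOMAIN and localhost, none of which is what smtp_map11_external() is being tested for. Any change to that logging or a non-default mydestination will fail the test. Consider comparing only the "smtp_map11_external:" and "-- start/end --" lines, for example by filtering smtp_map11.tmp before the diff.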
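Review bot: In check_policy_service() (postfix/src/smtpd/smtpd_check.c hunk at -3045,6) the attribute named ccert_subject is filled from state->tls_info.peer_CN and ccert_issuer from state->tls_info.issuer_CN, so the policy server receives only the common names, not the full subject or issuer. Policy servers will base access decisions on these values, so the documentation should say they are common names. It is also worth confirming that peer_CN, issuer_CN and peer_fingerprint cannot be null pointers when peer_verified is set, because the ternaries pass them straight to ATTR_TYPE_STR.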